Metadata dev (#66)

* update contribution doc

* Add support for launch template metadata options.

* Update README.

* Remove dynamic block. Do not supply any defaults.

* Bump min TF to 1.3. Update input variable. Add dynamic block. Update changelog.

* final changes for merge to main

---------

Co-authored-by: Joshua Bird <jbird@auditboard.com>

.gitignore

@@ -3,3 +3,6 @@ terraform.tfstate.backup
 .gitignore
 .vscode/
 to_do.md
+.pluralith/
+.terraform/
+.terraform.lock.hcl

CONTRIBUTING

@@ -4,6 +4,10 @@ I am always happy to consider contributions to the code offered here. Please fee
 
 I generally try to avoid breaking changes and changes to default behaviour except e.g. where versions have become deprecated. New options that don't change default behaviour are welcome.
 
-All proposed code changes must be tested before submission! I don't have a formal test suite so I'm afraid it is a case of testing changes manually with deployment, log in successfully, etc. 
+All proposed code changes must be tested before submission! I don't have a formal test suite so I'm afraid it is a case of testing changes manually with deployment, log in successfully, etc. I will generally test with Open Tofu current version as a starting point using the `/examples` here with varioations to test any conditional logic.
+
+If the feature change is significant then it may be worth considering adding another example deployment to test it.
+
+Please also update `changelog.md` with `TBD`
 
 Thanks

README.md

@@ -1,6 +1,6 @@
 # This Terraform deploys a stateless containerised sshd bastion service on AWS with IAM based authentication:
 
-This module requires Terraform >/=1.2.0 Older versions were previously supported going back to Terraform 0.11.x with module version to ~> v4.0
+This module requires Terraform >/=1.3.0 Older versions were previously supported going back to Terraform 0.11.x with module version to ~> v4.0
 
 **N.B. If you are using a newer version of this module when you have an older version deployed, please review the changelog!**
 
@@ -263,18 +263,19 @@ name = "${var.environment_name}-${data.aws_region.current.name}-${var.vpc}-basti
 
 These have been generated with [terraform-docs](https://github.com/segmentio/terraform-docs)
 
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
-| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | 2.2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | n/a |
 
 ## Modules
 
@@ -331,6 +332,7 @@ No modules.
 | <a name="input_bastion_ebs_size"></a> [bastion\_ebs\_size](#input\_bastion\_ebs\_size) | Size of EBS attached to the bastion instance | `number` | `8` | no |
 | <a name="input_bastion_host_name"></a> [bastion\_host\_name](#input\_bastion\_host\_name) | The hostname to give to the bastion instance | `string` | `""` | no |
 | <a name="input_bastion_instance_types"></a> [bastion\_instance\_types](#input\_bastion\_instance\_types) | List of ec2 types for the bastion host, used by aws\_launch\_template (first from the list) and in aws\_autoscaling\_group | `list` | <pre>[<br>  "t3.small",<br>  "t3.medium",<br>  "t3.large"<br>]</pre> | no |
+| <a name="input_bastion_metadata_options"></a> [bastion\_metadata\_options](#input\_bastion\_metadata\_options) | Passthrough for aws\_launch\_template.metadata\_options. **Don't** apply `http_*` options if you're not sure what you're doing! | <pre>object({<br>    http_endpoint               = optional(string)<br>    http_tokens                 = optional(string)<br>    http_put_response_hop_limit = optional(number)<br>    http_protocol_ipv6          = optional(string)<br>    instance_metadata_tags      = optional(string)<br>  })</pre> | `{}` | no |
 | <a name="input_bastion_service_host_key_name"></a> [bastion\_service\_host\_key\_name](#input\_bastion\_service\_host\_key\_name) | AWS ssh key *.pem to be used for ssh access to the bastion service host | `string` | `""` | no |
 | <a name="input_bastion_service_port"></a> [bastion\_service\_port](#input\_bastion\_service\_port) | Port for containerised ssh daemon | `number` | `22` | no |
 | <a name="input_bastion_vpc_name"></a> [bastion\_vpc\_name](#input\_bastion\_vpc\_name) | define the last part of the hostname, by default this is the vpc ID with magic default value of 'vpc\_id' but you can pass a custom string, or an empty value to omit this | `string` | `"vpc_id"` | no |

changelog.md

@@ -1,3 +1,8 @@
+# 8.2
+
+- **Feature:** EC2 instances can be supplied metadata options through `var.bastion_metadata_options`
+- **Change:** Increment required terraform version to >= 1.3.0
+
 # 8.1
 
 - **Feature:** Make default permissive outbound security group rule creation conditional: `var.custom_outbound_security_group` `type = bool`. Historic behaviour is followed by default

examples/custom-outbound-security-group/README.md

@@ -30,7 +30,7 @@ ssh -p 443 user@load_balancer_dns_output_value
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 
 ## Providers
 

examples/custom-outbound-security-group/versions.tf

@@ -1,6 +1,6 @@
 
 terraform {
-  required_version = ">= 1.2.0"
+  required_version = ">= 1.3.0"
   required_providers {
     aws = {
       source = "hashicorp/aws"

examples/full-with-public-ip/README.md

@@ -8,7 +8,7 @@ This example shows a complete setup for a new `bastion` service with all needed
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 
 ## Providers
 

examples/full-with-public-ip/versions.tf

@@ -1,6 +1,6 @@
 
 terraform {
-  required_version = ">= 1.2.0"
+  required_version = ">= 1.3.0"
   required_providers {
     aws = {
       source = "hashicorp/aws"

main.tf

@@ -59,6 +59,19 @@ resource "aws_launch_template" "bastion-service-host" {
     }
   }
 
+  # Hide the `metadata_options` block if it's empty
+  dynamic "metadata_options" {
+    for_each = length(compact(values(var.bastion_metadata_options))) > 0 ? { bastion_metadata_options = var.bastion_metadata_options } : {}
+
+    content {
+      http_endpoint               = try(var.bastion_metadata_options.http_endpoint, null)
+      http_tokens                 = try(var.bastion_metadata_options.http_tokens, null)
+      http_put_response_hop_limit = try(var.bastion_metadata_options.http_put_response_hop_limit, null)
+      http_protocol_ipv6          = try(var.bastion_metadata_options.http_protocol_ipv6, null)
+      instance_metadata_tags      = try(var.bastion_metadata_options.instance_metadata_tags, null)
+    }
+  }
+
   lifecycle {
     create_before_destroy = true
   }

variables.tf

@@ -237,4 +237,16 @@ variable "bastion_service_port" {
   type        = number
   description = "Port for containerised ssh daemon"
   default     = 22
-}
+}
+
+variable "bastion_metadata_options" {
+  type = object({
+    http_endpoint               = optional(string)
+    http_tokens                 = optional(string)
+    http_put_response_hop_limit = optional(number)
+    http_protocol_ipv6          = optional(string)
+    instance_metadata_tags      = optional(string)
+  })
+  description = "Passthrough for aws_launch_template.metadata_options. **Don't** apply `http_*` options if you're not sure what you're doing!"
+  default     = {}
+}

versions.tf

@@ -1,6 +1,6 @@
 
 terraform {
-  required_version = ">= 1.2.0"
+  required_version = ">= 1.3.0"
   required_providers {
     aws = {
       source = "hashicorp/aws"