rd/aws_instance and rd/aws_launch_template: Add support for metadata_options

[stefansundin]

This adds support to set the Metadata Options options for an EC2 instance. TL;DR: opt-in to a more secure metadata service.

Documentation:

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
• https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html
• https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

I am hopeful that they will add support for this to launch templates as well, but it seems like this has not happened yet. We can wait a few weeks to see if it comes out after reInvent.

Please let me know what you want to be changed. I'm not sure to what extent you want this to be tested. I've been testing this a bit and it is working well. I was unsure if you wanted the state attribute to be made available?

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Release note for CHANGELOG:

resource/aws_instance: Add support for `metadata_options` parameter
data-source/aws_instance: Add `metadata_options` attributes
resource/aws_launch_template: Add support for `metadata_options` parameter
data-source/aws_launch_template: Add `metadata_options` attributes

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSInstance_basic'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSInstance_basic -timeout 120m
=== RUN   TestAccAWSInstance_basic
=== PAUSE TestAccAWSInstance_basic
=== CONT  TestAccAWSInstance_basic
--- PASS: TestAccAWSInstance_basic (162.39s)
PASS
ok    github.com/terraform-providers/terraform-provider-aws/aws 164.053s

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSInstanceDataSource_basic'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSInstanceDataSource_basic -timeout 120m
=== RUN   TestAccAWSInstanceDataSource_basic
=== PAUSE TestAccAWSInstanceDataSource_basic
=== CONT  TestAccAWSInstanceDataSource_basic
--- PASS: TestAccAWSInstanceDataSource_basic (253.76s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	255.474s

[stefansundin]

It was confirmed in the SEC310 reInvent session that launch template support is due in the next few weeks: https://youtu.be/2B5bhZzayjI?t=1966

[stefansundin]

It seems that the launch template support was launched without being announced anywhere (at least not as far as I could see). I just looked for it in the API docs today, and I saw that it had been added. I spent some time to add the launch template support, so I think this PR is ready for review now.

My launch_template test is failing with this error:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSLaunchTemplate_data'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSLaunchTemplate_data -timeout 120m
=== RUN   TestAccAWSLaunchTemplate_data
=== PAUSE TestAccAWSLaunchTemplate_data
=== CONT  TestAccAWSLaunchTemplate_data
--- FAIL: TestAccAWSLaunchTemplate_data (15.84s)
    testing.go:640: Step 0 error: Check failed: Check 13/20 error: aws_launch_template.test: Attribute 'metadata_options.#' expected "1", got "0"
FAIL
FAIL  github.com/terraform-providers/terraform-provider-aws/aws 17.508s
FAIL
make: *** [testacc] Error 1

I suspect this is because the metadata options are "pending" before fully applied to the launch template? It may be an error (i.e. copy-paste from the EC2 instances API), since there's something called LaunchTemplateInstanceMetadataOptionsStatePending in the SDK docs. It doesn't make a whole lot of sense to me since it shouldn't need to update a running thing, just publish a new version of the launch template.

Anyway, let me know what to do here. Thanks.

[bflad]

Hey @stefansundin 👋 Thank you for submitting this. I left some initial feedback below. Please take a look and reach out if you have any questions or do not have time to implement the items.

[bflad]

When using d.Set() with aggregate types (TypeList, TypeSet, TypeMap), we should perform error checking to prevent issues where the code is not properly able to set the Terraform state. e.g.

Suggested change

	d.Set("metadata_options", metadataOptions)
	if err := d.Set("metadata_options", metadataOptions); err != nil {
	return fmt.Errorf("error setting metadata_options: %s", err)
	}

The existing code may not be working since the map elements have pointer types, which can be fixed by wrapping the response fields with aws.StringValue(), aws.Int64Value(), etc.

[bflad]

Instead of modifying an existing test function and test configuration, can you please create a new test and configuration so we can ensure there are no regressions with existing functionality? Copy-paste-modify is fine. Thanks. 👍

[bflad]

Instead of introducing new difference suppression, we may want to instead mark attributes that need this with Computed: true instead.

[bflad]

In some unrelated testing today, it appears EC2 Instances can include this in their API response by default. Instead of requiring all operators to always include this new configuration, we should mark this attribute with Computed: true.

[bflad]

See note above about potentially replacing Default and DiffSuppressFunc here with Computed: true instead.

[bflad]

See note above about potentially replacing Default and DiffSuppressFunc here with Computed: true instead.

[bflad]

Same note here regarding error checking. It may be easier to instead make this into a "flatten" function to be shared, e.g.

func flattenEc2InstanceMetadataOptions(opts *ec2.MetadataOptions) []interface{} {
	if opts == nil {
		return nil
	}

	m := map[string]interface{}{
		"http_endpoint":               aws.StringValue(opts.HttpEndpoint),
		"http_put_response_hop_limit": aws.Int64Value(opts.HttpPutResponseHopLimit),
		"http_tokens":                 aws.StringValue(opts.HttpTokens),
	}

	return []interface{}{m}
}

// ...

if err := d.Set("metadata_options", flattenEc2InstanceMetadataOptions(instance.MetadataOptions)); err != nil {
	return fmt.Errorf("error setting metadata_options: %s", err)
}

[bflad]

Similar to creating a flatten function above, the inverse expand function could be created and used in the multiple places with this logic:

func expandEc2InstanceMetadataOptions(l []interface{}) *ec2.MetadataOptions {
	m, ok := l[0].(map[string]interface{})

	if !ok {
		return nil
	}

	opts := &ec2.InstanceMetadataOptionsRequest{
		HttpEndpoint: aws.String(m["http_endpoint"].(string)),
	}

	if m["http_endpoint"].(string) == ec2.InstanceMetadataEndpointStateEnabled {
		// These parameters are not allowed unless HttpEndpoint is enabled

		if v, ok := m["http_tokens"].(string); ok && v != "" {
			opts.HttpTokens = aws.String(v)
		}

		if v, ok := m["http_put_response_hop_limit"].(int); ok && v != 0 {
			opts.HttpPutResponseHopLimit = aws.Int64(int64(v))
		}
	}

	return opts
}

// ...

MetadataOptions: expandEc2InstanceMetadataOptions(d.Get("metadata_options").([]interface{})),

[bflad]

Please create a new test function and test configuration so we can verify existing testing for regressions.

[bflad]

Same here about creating a separate test function and configuration.

[ewbankkit]

Closes #10949.
Closes #11794.

[ewbankkit]

@stefansundin Will you have a chance to address the review comments?
I have interest in using this functionality and can help out/complete if necessary.
Thanks.

[ewbankkit]

@stefansundin I have addressed @bflad's review comments via #12491.
Thanks.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!