rd/aws_instance and rd/aws_launch_template: Add support for metadata_options

aws/data_source_aws_instance.go

@@ -279,6 +279,26 @@ func dataSourceAwsInstance() *schema.Resource {
 					},
 				},
 			},
+			"metadata_options": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"http_endpoint": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"http_tokens": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"http_put_response_hop_limit": {
+							Type:     schema.TypeInt,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"disable_api_termination": {
 				Type:     schema.TypeBool,
 				Computed: true,
@@ -486,5 +506,15 @@ func instanceDescriptionAttributes(d *schema.ResourceData, instance *ec2.Instanc
 		return fmt.Errorf("error setting credit_specification: %s", err)
 	}
 
+	if instance.MetadataOptions != nil {
+		mo := make(map[string]interface{})
+		mo["http_endpoint"] = instance.MetadataOptions.HttpEndpoint
+		mo["http_tokens"] = instance.MetadataOptions.HttpTokens
+		mo["http_put_response_hop_limit"] = instance.MetadataOptions.HttpPutResponseHopLimit
+		var metadataOptions []map[string]interface{}
+		metadataOptions = append(metadataOptions, mo)
+		d.Set("metadata_options", metadataOptions)
+	}
+
 	return nil
 }

aws/data_source_aws_instance_test.go

@@ -23,6 +23,9 @@ func TestAccAWSInstanceDataSource_basic(t *testing.T) {
 					resource.TestCheckResourceAttrPair(datasourceName, "ami", resourceName, "ami"),
 					resource.TestCheckResourceAttrPair(datasourceName, "tags.%", resourceName, "tags.%"),
 					resource.TestCheckResourceAttrPair(datasourceName, "instance_type", resourceName, "instance_type"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata_options.0.http_endpoint", resourceName, "metadata_options.0.http_endpoint"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata_options.0.http_tokens", resourceName, "metadata_options.0.http_tokens"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata_options.0.http_put_response_hop_limit", resourceName, "metadata_options.0.http_put_response_hop_limit"),
 					resource.TestMatchResourceAttr(datasourceName, "arn", regexp.MustCompile(`^arn:[^:]+:ec2:[^:]+:\d{12}:instance/i-.+`)),
 					resource.TestCheckNoResourceAttr(datasourceName, "user_data_base64"),
 				),
@@ -450,6 +453,11 @@ resource "aws_instance" "test" {
   # us-west-2
   ami = "ami-4fccb37f"
   instance_type = "m1.small"
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens = "optional"
+    http_put_response_hop_limit = 10
+  }
   tags = {
     Name = "HelloWorld"
   }

aws/data_source_aws_launch_template.go

@@ -202,6 +202,26 @@ func dataSourceAwsLaunchTemplate() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"metadata_options": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"http_endpoint": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"http_tokens": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"http_put_response_hop_limit": {
+							Type:     schema.TypeInt,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"monitoring": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -444,6 +464,10 @@ func dataSourceAwsLaunchTemplateRead(d *schema.ResourceData, meta interface{}) e
 		return fmt.Errorf("error setting instance_market_options: %s", err)
 	}
 
+	if err := d.Set("metadata_options", getMetadataOptions(ltData.MetadataOptions)); err != nil {
+		return fmt.Errorf("error setting metadata_options: %s", err)
+	}
+
 	if err := d.Set("monitoring", getMonitoring(ltData.Monitoring)); err != nil {
 		return fmt.Errorf("error setting monitoring: %s", err)
 	}

aws/diff_suppress_funcs.go

@@ -132,3 +132,10 @@ func suppressRoute53ZoneNameWithTrailingDot(k, old, new string, d *schema.Resour
 	}
 	return strings.TrimSuffix(old, ".") == strings.TrimSuffix(new, ".")
 }
+
+func suppressMetadataOptionsHttpEndpointDisabled(k, old, new string, d *schema.ResourceData) bool {
+	// Suppress diff if http_endpoint is disabled
+	i := strings.LastIndexByte(k, '.')
+	state := d.Get(k[:i+1] + "http_endpoint").(string)
+	return state == "disabled"
+}

aws/resource_aws_instance.go

@@ -518,6 +518,36 @@ func resourceAwsInstance() *schema.Resource {
 					},
 				},
 			},
+
+			"metadata_options": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"http_endpoint": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Default:      ec2.InstanceMetadataEndpointStateEnabled,
+							ValidateFunc: validation.StringInSlice([]string{ec2.InstanceMetadataEndpointStateEnabled, ec2.InstanceMetadataEndpointStateDisabled}, false),
+						},
+						"http_tokens": {
+							Type:             schema.TypeString,
+							Optional:         true,
+							Default:          ec2.HttpTokensStateOptional,
+							ValidateFunc:     validation.StringInSlice([]string{ec2.HttpTokensStateOptional, ec2.HttpTokensStateRequired}, false),
+							DiffSuppressFunc: suppressMetadataOptionsHttpEndpointDisabled,
+						},
+						"http_put_response_hop_limit": {
+							Type:             schema.TypeInt,
+							Optional:         true,
+							Default:          1,
+							ValidateFunc:     validation.IntBetween(1, 64),
+							DiffSuppressFunc: suppressMetadataOptionsHttpEndpointDisabled,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -566,6 +596,7 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
 		CreditSpecification:               instanceOpts.CreditSpecification,
 		CpuOptions:                        instanceOpts.CpuOptions,
 		TagSpecifications:                 tagSpecifications,
+		MetadataOptions:                   instanceOpts.MetadataOptions,
 	}
 
 	_, ipv6CountOk := d.GetOk("ipv6_address_count")
@@ -712,6 +743,16 @@ func resourceAwsInstanceRead(d *schema.ResourceData, meta interface{}) error {
 		d.Set("cpu_threads_per_core", instance.CpuOptions.ThreadsPerCore)
 	}
 
+	if instance.MetadataOptions != nil {
+		mo := make(map[string]interface{})
+		mo["http_endpoint"] = instance.MetadataOptions.HttpEndpoint
+		mo["http_tokens"] = instance.MetadataOptions.HttpTokens
+		mo["http_put_response_hop_limit"] = instance.MetadataOptions.HttpPutResponseHopLimit
+		var metadataOptions []map[string]interface{}
+		metadataOptions = append(metadataOptions, mo)
+		d.Set("metadata_options", metadataOptions)
+	}
+
 	d.Set("ami", instance.ImageId)
 	d.Set("instance_type", instance.InstanceType)
 	d.Set("key_name", instance.KeyName)
@@ -1200,6 +1241,27 @@ func resourceAwsInstanceUpdate(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	if d.HasChange("metadata_options") && !d.IsNewResource() {
+		if v, ok := d.GetOk("metadata_options"); ok {
+			if mo, ok := v.([]interface{})[0].(map[string]interface{}); ok {
+				log.Printf("[DEBUG] Modifying metadata options for Instance (%s)", d.Id())
+				input := &ec2.ModifyInstanceMetadataOptionsInput{
+					InstanceId:   aws.String(d.Id()),
+					HttpEndpoint: aws.String(mo["http_endpoint"].(string)),
+				}
+				if mo["http_endpoint"].(string) == ec2.InstanceMetadataEndpointStateEnabled {
+					// These parameters are not allowed unless HttpEndpoint is enabled
+					input.HttpTokens = aws.String(mo["http_tokens"].(string))
+					input.HttpPutResponseHopLimit = aws.Int64(int64(mo["http_put_response_hop_limit"].(int)))
+				}
+				_, err := conn.ModifyInstanceMetadataOptions(input)
+				if err != nil {
+					return fmt.Errorf("Error updating metadata options: %s", err)
+				}
+			}
+		}
+	}
+
 	// TODO(mitchellh): wait for the attributes we modified to
 	// persist the change...
 
@@ -1798,6 +1860,7 @@ type awsInstanceOpts struct {
 	UserData64                        *string
 	CreditSpecification               *ec2.CreditSpecificationRequest
 	CpuOptions                        *ec2.CpuOptionsRequest
+	MetadataOptions                   *ec2.InstanceMetadataOptionsRequest
 }
 
 func buildAwsInstanceOpts(
@@ -1838,6 +1901,19 @@ func buildAwsInstanceOpts(
 		opts.InstanceInitiatedShutdownBehavior = aws.String(v)
 	}
 
+	if v, ok := d.GetOk("metadata_options"); ok {
+		if mo, ok := v.([]interface{})[0].(map[string]interface{}); ok {
+			opts.MetadataOptions = &ec2.InstanceMetadataOptionsRequest{
+				HttpEndpoint: aws.String(mo["http_endpoint"].(string)),
+			}
+			if mo["http_endpoint"].(string) == ec2.InstanceMetadataEndpointStateEnabled {
+				// These parameters are not allowed unless HttpEndpoint is enabled
+				opts.MetadataOptions.HttpTokens = aws.String(mo["http_tokens"].(string))
+				opts.MetadataOptions.HttpPutResponseHopLimit = aws.Int64(int64(mo["http_put_response_hop_limit"].(int)))
+			}
+		}
+	}
+
 	opts.Monitoring = &ec2.RunInstancesMonitoringEnabled{
 		Enabled: aws.Bool(d.Get("monitoring").(bool)),
 	}

aws/resource_aws_instance_test.go

@@ -290,6 +290,9 @@ func TestAccAWSInstance_basic(t *testing.T) {
 						resourceName,
 						"arn",
 						regexp.MustCompile(`^arn:[^:]+:ec2:[^:]+:\d{12}:instance/i-.+`)),
+					resource.TestCheckResourceAttr(resourceName, "metadata_options.0.http_endpoint", "enabled"),
+					resource.TestCheckResourceAttr(resourceName, "metadata_options.0.http_tokens", "optional"),
+					resource.TestCheckResourceAttr(resourceName, "metadata_options.0.http_put_response_hop_limit", "10"),
 				),
 			},
 			{
@@ -2814,6 +2817,12 @@ resource "aws_instance" "test" {
   instance_type   = "m1.small"
   security_groups = ["${aws_security_group.tf_test_test.name}"]
   user_data       = "foo:-with-character's"
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens = "optional"
+    http_put_response_hop_limit = 10
+  }
 }
 `, rInt)
 }

aws/resource_aws_launch_template.go

@@ -337,6 +337,36 @@ func resourceAwsLaunchTemplate() *schema.Resource {
 				},
 			},
 
+			"metadata_options": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"http_endpoint": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Default:      ec2.LaunchTemplateInstanceMetadataEndpointStateEnabled,
+							ValidateFunc: validation.StringInSlice([]string{ec2.LaunchTemplateInstanceMetadataEndpointStateEnabled, ec2.LaunchTemplateInstanceMetadataEndpointStateDisabled}, false),
+						},
+						"http_tokens": {
+							Type:             schema.TypeString,
+							Optional:         true,
+							Default:          ec2.LaunchTemplateHttpTokensStateOptional,
+							ValidateFunc:     validation.StringInSlice([]string{ec2.LaunchTemplateHttpTokensStateOptional, ec2.LaunchTemplateHttpTokensStateRequired}, false),
+							DiffSuppressFunc: suppressMetadataOptionsHttpEndpointDisabled,
+						},
+						"http_put_response_hop_limit": {
+							Type:             schema.TypeInt,
+							Optional:         true,
+							Default:          1,
+							ValidateFunc:     validation.IntBetween(1, 64),
+							DiffSuppressFunc: suppressMetadataOptionsHttpEndpointDisabled,
+						},
+					},
+				},
+			},
+
 			"monitoring": {
 				Type:     schema.TypeList,
 				Optional: true,
@@ -675,6 +705,10 @@ func resourceAwsLaunchTemplateRead(d *schema.ResourceData, meta interface{}) err
 		return fmt.Errorf("error setting license_specification: %s", err)
 	}
 
+	if err := d.Set("metadata_options", getMetadataOptions(ltData.MetadataOptions)); err != nil {
+		return fmt.Errorf("error setting metadata_options: %s", err)
+	}
+
 	if err := d.Set("monitoring", getMonitoring(ltData.Monitoring)); err != nil {
 		return fmt.Errorf("error setting monitoring: %s", err)
 	}
@@ -906,6 +940,19 @@ func getLicenseSpecifications(licenseSpecifications []*ec2.LaunchTemplateLicense
 	return s
 }
 
+func getMetadataOptions(metadataOptions *ec2.LaunchTemplateInstanceMetadataOptions) []interface{} {
+	s := []interface{}{}
+	if metadataOptions != nil {
+		mo := map[string]interface{}{
+			"http_endpoint":               aws.StringValue(metadataOptions.HttpEndpoint),
+			"http_tokens":                 aws.StringValue(metadataOptions.HttpTokens),
+			"http_put_response_hop_limit": aws.Int64Value(metadataOptions.HttpPutResponseHopLimit),
+		}
+		s = append(s, mo)
+	}
+	return s
+}
+
 func getMonitoring(m *ec2.LaunchTemplatesMonitoring) []interface{} {
 	s := []interface{}{}
 	if m != nil {
@@ -1133,6 +1180,22 @@ func buildLaunchTemplateData(d *schema.ResourceData) (*ec2.RequestLaunchTemplate
 		opts.LicenseSpecifications = licenseSpecifications
 	}
 
+	if v, ok := d.GetOk("metadata_options"); ok {
+		m := v.([]interface{})
+		if len(m) > 0 && m[0] != nil {
+			mo := m[0].(map[string]interface{})
+			metadataOptions := &ec2.LaunchTemplateInstanceMetadataOptionsRequest{
+				HttpEndpoint: aws.String(mo["http_endpoint"].(string)),
+			}
+			if mo["http_endpoint"].(string) == ec2.LaunchTemplateInstanceMetadataEndpointStateEnabled {
+				// These parameters are not allowed unless HttpEndpoint is enabled
+				metadataOptions.HttpTokens = aws.String(mo["http_tokens"].(string))
+				metadataOptions.HttpPutResponseHopLimit = aws.Int64(int64(mo["http_put_response_hop_limit"].(int)))
+			}
+			opts.MetadataOptions = metadataOptions
+		}
+	}
+
 	if v, ok := d.GetOk("monitoring"); ok {
 		m := v.([]interface{})
 		if len(m) > 0 && m[0] != nil {

aws/resource_aws_launch_template_test.go

@@ -249,6 +249,7 @@ func TestAccAWSLaunchTemplate_data(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "instance_type"),
 					resource.TestCheckResourceAttrSet(resourceName, "kernel_id"),
 					resource.TestCheckResourceAttrSet(resourceName, "key_name"),
+					resource.TestCheckResourceAttr(resourceName, "metadata_options.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "monitoring.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "network_interfaces.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "network_interfaces.0.security_groups.#", "1"),
@@ -978,6 +979,12 @@ resource "aws_launch_template" "test" {
 
   key_name = "test"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens = "optional"
+    http_put_response_hop_limit = 10
+  }
+
   monitoring {
     enabled = true
   }

website/docs/d/instance.html.markdown

@@ -112,5 +112,9 @@ interpolation.
 * `host_id` - The Id of the dedicated host the instance will be assigned to.
 * `vpc_security_group_ids` - The associated security groups in a non-default VPC.
 * `credit_specification` - The credit specification of the Instance.
+* `metadata_options` - The metadata options of the Instance.
+  * `http_endpoint` - The state of the metadata service: `enabled`, `disabled`.
+  * `http_tokens` - If session tokens are required: `optional`, `required`.
+  * `http_put_response_hop_limit` - The desired HTTP PUT response hop limit for instance metadata requests.
 
 [1]: http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html

website/docs/d/launch_template.html.markdown

@@ -51,6 +51,10 @@ In addition to all arguments above, the following attributes are exported:
 * `instance_type` - The type of the instance.
 * `kernel_id` - The kernel ID.
 * `key_name` - The key name to use for the instance.
+* `metadata_options` - The metadata options for the instance.
+  * `http_endpoint` - The state of the metadata service: `enabled`, `disabled`.
+  * `http_tokens` - If session tokens are required: `optional`, `required`.
+  * `http_put_response_hop_limit` - The desired HTTP PUT response hop limit for instance metadata requests.
 * `monitoring` - The monitoring option for the instance.
 * `network_interfaces` - Customize network interfaces to be attached at instance boot time. See [Network
   Interfaces](#network-interfaces) below for more details.