New resource: aws_ec2_instance_metadata_defaults

[christophetd]

Description

AWS recently released a new API to set the default IMDS behavior globally at the region level, instead of at the EC2 instance level as before. This is extremely useful for practitioners who wish to use "secure defaults" to ensure that instances launched in that region enforce IMDSv2, which is a strongly recommended security practice.

Sample usage:

resource "aws_ec2_instance_metadata_defaults" "test" {
  http_tokens                 = "required" # non-default
  instance_metadata_tags      = "disabled"
  http_endpoint               = "enabled"
  http_put_response_hop_limit = 1
}

I had to bump the AWS SDK v2 version to get support for GetInstanceMetadataDefaults / ModifyInstanceMetadataDefaults. In addition to acceptance tests, I have also tested this implementation locally with a few scenarios and it worked as expected.

Relations

Closes #36577

References

User Guide
Announcement
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceMetadataDefaults.html
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceMetadataDefaults.html

Output from Acceptance Testing

$ make testacc TESTS=TestAccEC2InstanceMetadataDefaults PKG=ec2
=== RUN   TestAccEC2InstanceMetadataDefaults_basic
--- PASS: TestAccEC2InstanceMetadataDefaults_basic (16.44s)
=== RUN   TestAccEC2InstanceMetadataDefaults_partial
--- PASS: TestAccEC2InstanceMetadataDefaults_partial (13.80s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	35.422s
...

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[github-actions]

Thank you for your contribution! 🚀

Please note that typically Go dependency changes are handled in this repository by dependabot or the maintainers. This is to prevent pull request merge conflicts and further delay reviews of contributions. Remove any changes to the go.mod or go.sum files and commit them into this pull request.

Additional details:

• Check open pull requests with the dependencies label to view other dependency updates.
• If this pull request includes an update the AWS Go SDK (or any other dependency) version, only updates submitted via dependabot will be merged. This pull request will need to remove these changes and will need to be rebased after the existing dependency update via dependabot has been merged for this pull request to be reviewed.
• If this pull request is for supporting a new AWS service:
  • Ensure the new AWS service changes are following the Contributing Guide section on new services, in particular that the dependency addition and initial provider support are in a separate pull request from other changes (e.g. new resources). Contributions not following this item will not be reviewed until the changes are split.
  • If this pull request is already a separate pull request from the above item, you can ignore this message.

[christophetd]

@ewbankkit should be ready to review!

[ewbankkit]

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccEC2InstanceMetadataDefaults_serial' PKG=ec2 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/ec2/... -v -count 1 -parallel 20  -run=TestAccEC2InstanceMetadataDefaults_serial -timeout 360m
=== RUN   TestAccEC2InstanceMetadataDefaults_serial
=== PAUSE TestAccEC2InstanceMetadataDefaults_serial
=== CONT  TestAccEC2InstanceMetadataDefaults_serial
=== RUN   TestAccEC2InstanceMetadataDefaults_serial/basic
=== RUN   TestAccEC2InstanceMetadataDefaults_serial/disappears
=== RUN   TestAccEC2InstanceMetadataDefaults_serial/empty
--- PASS: TestAccEC2InstanceMetadataDefaults_serial (46.24s)
    --- PASS: TestAccEC2InstanceMetadataDefaults_serial/basic (27.85s)
    --- PASS: TestAccEC2InstanceMetadataDefaults_serial/disappears (16.16s)
    --- PASS: TestAccEC2InstanceMetadataDefaults_serial/empty (2.23s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	58.241s

[ewbankkit]

@christophetd Thanks for the contribution 🎉 👏.

[christophetd]

GetInstanceMetadataDefaults always return something (even if no defaults were explicitely set through ModifyInstanceMetadataDefaults), so I think this check is not necessary FWIW

[github-actions]

This functionality has been released in v5.43.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.