Allow requiring IMDSv2 on Node Group instances

When creating a new Node Group, one can specify if they need EC2 instances to enforce IMDSv2. This is a SOC2 compliance requirement.
thoughtbot · Oct 3, 2024 · 6429a90 · 6429a90
1 parent 8f8c1f4
commit 6429a90
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/aws/cluster/main.tf b/aws/cluster/main.tf
@@ -44,6 +44,7 @@ module "node_groups" {
   capacity_type   = each.value.capacity_type
   cluster         = module.eks_cluster.instance
   instance_types  = each.value.instance_types
+  enforce_imdsv2  = each.value.enforce_imdsv2
   labels          = var.labels
   max_size        = each.value.max_size
   max_unavailable = each.value.max_unavailable

diff --git a/aws/cluster/modules/eks-node-group/main.tf b/aws/cluster/modules/eks-node-group/main.tf
@@ -8,6 +8,15 @@ resource "aws_eks_node_group" "this" {
   node_role_arn   = var.role.arn
   subnet_ids      = [each.value.id]
 
+  dynamic "launch_template" {
+    for_each = var.enforce_imdsv2 ? [aws_launch_template.this[0]] : []
+
+    content {
+      id      = launch_template.value.id
+      version = launch_template.value.latest_version
+    }
+  }
+
   scaling_config {
     desired_size = local.min_size_per_node_group
     max_size     = local.max_size_per_node_group
@@ -31,6 +40,14 @@ resource "aws_eks_node_group" "this" {
   }
 }
 
+resource "aws_launch_template" "this" {
+  count = var.enforce_imdsv2 ? 1 : 0
+
+  metadata_options {
+    http_tokens = "required"
+  }
+}
+
 locals {
   min_size_per_node_group = ceil(var.min_size / 2)
   max_size_per_node_group = ceil(var.max_size / 2)

diff --git a/aws/cluster/modules/eks-node-group/variables.tf b/aws/cluster/modules/eks-node-group/variables.tf
@@ -69,3 +69,9 @@ variable "max_unavailable" {
   description = "Maximum number of nodes that can be unavailable during a rolling update"
   default     = 1
 }
+
+variable "enforce_imdsv2" {
+  type        = bool
+  description = "Whether to enforce IMDSv2 on the launch template"
+  default     = false
+}
diff --git a/aws/cluster/variables.tf b/aws/cluster/variables.tf
@@ -44,6 +44,7 @@ variable "node_groups" {
   type = map(object({
     capacity_type   = optional(string, "ON_DEMAND")
     instance_types  = list(string),
+    enforce_imdsv2  = optional(bool, false)
     max_size        = number
     max_unavailable = optional(number, 3)
     min_size        = number