
http_tokens=required may cause Access Denied error if you are using an older SDK version after the change to IMDSv2

Open pasali opened this issue 3 years ago • 1 comments

Versions

  • Module version [Required]: 18.29.0
  • Terraform version: Terraform v1.2.6
  • Provider version(s): provider registry.terraform.io/hashicorp/aws v4.9.0

Reproduction Code [Required]

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/57bb667f20e072bb1a6ca1ffa9beef6052895acb/node_groups.tf#L3-L5 Setting http_tokens=required forces the use of IMDSv2, and if your SDK is not updated to use IMDSv2, your app is going to have access problems with AWS services. In my case it was S3.

Expected behavior

I think the default value should be optional for a safe migration from 17.x.x to 18.x.x

pasali avatar Sep 22 '22 14:09 pasali
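The failure mode in the report, simulated as an added example (not code from the module or from anyone in this thread): an in-process stub stands in for the instance metadata endpoint in "optional" and "required" token mode, and a client reads metadata either the IMDSv1 way (plain GET) or the IMDSv2 way (PUT /latest/api/token, then the X-aws-ec2-metadata-token header on every read). The stub, its loopback port, the token and the instance-id value are constructed; the paths and header names are the real IMDS ones.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
FAKE_TOKEN = "constructed-session-token"  # constructed, not a real IMDS token
FAKE_INSTANCE_ID = "i-0123456789abcdef0"  # constructed sample value

def make_handler(http_tokens):
    """Stub IMDS; 'required' rejects reads without a session token, as http_tokens=required does."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the stub quiet
            pass

        def _reply(self, status, body=b""):
            self.send_response(status)
            self.end_headers()
            self.wfile.write(body)

        def do_PUT(self):  # IMDSv2 step 1: PUT /latest/api/token (stub skips the path check)
            self._reply(200, FAKE_TOKEN.encode())

        def do_GET(self):  # metadata read: a v1 client sends no token header, a v2 client does
            if http_tokens == "required" and self.headers.get(TOKEN_HDR) != FAKE_TOKEN:
                return self._reply(401)  # the refusal an IMDSv1-only SDK runs into
            self._reply(200, FAKE_INSTANCE_ID.encode())
    return Handler

def start_stub_imds(http_tokens):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(http_tokens))  # free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def get_instance_id(base_url, use_imdsv2):
    """Read instance-id as an old (v1-only) or current (v2) SDK would; returns (status, body)."""
    headers = {}
    if use_imdsv2:  # IMDSv2: obtain a session token, then send it with every read
        req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                     headers={TTL_HDR: "21600"})
        with urllib.request.urlopen(req) as resp:
            headers[TOKEN_HDR] = resp.read().decode()
    req = urllib.request.Request(f"{base_url}/latest/meta-data/instance-id", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
```

Against the "required" stub the v1-style read gets 401 while the v2-style read succeeds, which is the gap between an un-updated SDK and a current one once the node group's launch template enforces IMDSv2.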

I think the default value should be optional for a safe migration from 17.x.x to 18.x.x

A breaking change is -> breaking. Changes were made in v18 for specific reasons, one of which was to improve the default security posture of the module. It is easier to create modules and resources with a weaker security posture because access and permissions are more permissive, but this is not something we want to promote with users. The re-write of the module in v18 was done in such a way that access and permissions can be opened up and/or relaxed, since it's much easier for users to open up additional security group rules or relax IMDS endpoint settings, etc.

bryantbiggs avatar Sep 23 '22 12:09 bryantbiggs

I see your point, but I think IMDS settings tend to go unnoticed more than any other changes to the module. You can clearly see what's changed in security group rules, but this setting can be missed. It may be helpful if IMDS endpoint setting changes could be mentioned in the migration documentation.

pasali avatar Sep 26 '22 07:09 pasali

If you feel the upgrade guide would benefit, PRs are welcome. However, the code itself won't be changing at this time. Thank you!

bryantbiggs avatar Sep 26 '22 13:09 bryantbiggs

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Nov 08 '22 02:11 github-actions[bot]