feat: Add httpPutResponseHopLimit to ASG and EC2 props (#1916)

* add httpPutResponseHopLimit to asg and ec2 props * add test to confirm that hop limit prop affects synthed template
guardian · Jul 4, 2023 · 1b026c3 · 1b026c3
1 parent 404b801
commit 1b026c3
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/src/constructs/autoscaling/asg.ts b/src/constructs/autoscaling/asg.ts
@@ -38,6 +38,7 @@ export interface GuAutoScalingGroupProps
   additionalSecurityGroups?: ISecurityGroup[];
   targetGroup?: ApplicationTargetGroup;
   withoutImdsv2?: boolean;
+  httpPutResponseHopLimit?: number;
 }
 
 /**
@@ -80,6 +81,7 @@ export class GuAutoScalingGroup extends GuAppAwareConstruct(AutoScalingGroup) {
       userData: userDataLike,
       vpc,
       withoutImdsv2 = false,
+      httpPutResponseHopLimit,
     } = props;
 
     // Ensure min and max are defined in the same way. Throwing an `Error` when necessary. For example when min is defined via a Mapping, but max is not.
@@ -111,6 +113,7 @@ export class GuAutoScalingGroup extends GuAppAwareConstruct(AutoScalingGroup) {
       requireImdsv2: !withoutImdsv2,
       userData,
       role,
+      httpPutResponseHopLimit,
     });
 
     // Add Wazuh & additional consumer specified Security Groups

diff --git a/src/patterns/ec2-app/base.test.ts b/src/patterns/ec2-app/base.test.ts
@@ -941,3 +941,30 @@ it("allows a custom healthcheck", function () {
     HealthyThresholdCount: 5,
   });
 });
+
+it("can specify instance metadata hop limit", function () {
+  const stack = simpleGuStackForTesting();
+  new GuEc2App(stack, {
+    applicationPort: 3000,
+    app: "test-gu-ec2-app",
+    access: { scope: AccessScope.PUBLIC },
+    instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.MEDIUM),
+    monitoringConfiguration: { noMonitoring: true },
+    userData: "#!/bin/dev foobarbaz",
+    certificateProps: {
+      domainName: "domain-name-for-your-application.example",
+    },
+    scaling: {
+      minimumInstances: 1,
+    },
+    instanceMetadataHopLimit: 2,
+  });
+  Template.fromStack(stack).hasResourceProperties("AWS::EC2::LaunchTemplate", {
+    LaunchTemplateData: {
+      MetadataOptions: {
+        HttpPutResponseHopLimit: 2,
+        HttpTokens: "required",
+      },
+    },
+  });
+});
diff --git a/src/patterns/ec2-app/base.ts b/src/patterns/ec2-app/base.ts
@@ -274,6 +274,13 @@ export interface GuEc2AppProps extends AppIdentity {
    * Specify custom healthcheck
    */
   healthcheck?: ALBHealthCheck;
+
+  /**
+   * Set http put response hop limit for the launch template.
+   * It can be necessary to raise this value from the default of 1
+   * for example when sharing the instance profile with a docker container running on the instance.
+   */
+  instanceMetadataHopLimit?: number;
 }
 
 function restrictedCidrRanges(ranges: IPeer[]) {
@@ -327,6 +334,7 @@ export class GuEc2App extends Construct {
       vpc = GuVpc.fromIdParameter(scope, AppIdentity.suffixText({ app }, "VPC")),
       privateSubnets = GuVpc.subnetsFromParameter(scope, { type: SubnetType.PRIVATE, app }),
       publicSubnets = GuVpc.subnetsFromParameter(scope, { type: SubnetType.PUBLIC, app }),
+      instanceMetadataHopLimit,
     } = props;
 
     super(scope, app); // The assumption is `app` is unique
@@ -374,6 +382,7 @@ export class GuEc2App extends Construct {
       vpcSubnets: { subnets: privateSubnets },
       ...(blockDevices && { blockDevices }),
       imageRecipe,
+      httpPutResponseHopLimit: instanceMetadataHopLimit,
     });
 
     // This allows automatic shipping of instance Cloud Init logs when using the