Merge https://github.com/cisagov/skeleton-tf-module into lineage/skeleton

jsf9k · jsf9k · commit 8f6f7dba357c · 2025-08-13T20:41:03.000Z
diff --git a/.gitignore b/.gitignore
@@ -9,7 +9,6 @@ __pycache__
 
 ## Terraform ##
 .terraform
-.terraform.lock.hcl
 terraform.tfstate
 terraform.tfstate.backup
 *.tfvars
diff --git a/examples/basic_usage/.terraform.lock.hcl b/examples/basic_usage/.terraform.lock.hcl
diff --git a/examples/basic_usage/README.md b/examples/basic_usage/README.md
@@ -14,13 +14,13 @@ Note that this example may create resources which cost money. Run
 | Name | Version |
 |------|---------|
 | terraform | ~> 1.1 |
-| aws | ~> 4.9 |
+| aws | ~> 6.7 |
 
 ## Providers ##
 
 | Name | Version |
 |------|---------|
-| aws | ~> 4.9 |
+| aws | ~> 6.7 |
 
 ## Modules ##
 
diff --git a/examples/basic_usage/main.tf b/examples/basic_usage/main.tf
@@ -1,5 +1,5 @@
 provider "aws" {
-  # Our primary provider uses our terraform role
+  # Our primary provider uses our Terraform role
   assume_role {
     role_arn     = var.tf_role_arn
     session_name = "terraform-example"
diff --git a/examples/basic_usage/versions.tf b/examples/basic_usage/versions.tf
@@ -3,18 +3,11 @@ terraform {
   # major version currently being used.  This practice will help us
   # avoid unwelcome surprises.
   required_providers {
-    # Version 4.9 of the Terraform AWS provider made changes to the S3 bucket
-    # refactor that is in place for versions 4.0-4.8 of the provider. With v4.9
-    # only non-breaking changes and deprecation notices are introduced. Using
-    # this version will simplify migration to the new, broken out AWS S3 bucket
-    # configuration resources. Please see
-    # https://github.com/hashicorp/terraform-provider-aws/pull/23985
-    # for more information about the changes in v4.9 and
-    # https://www.hashicorp.com/blog/terraform-aws-provider-4-0-refactors-s3-bucket-resource
-    # for more information about the S3 bucket refactor.
+    # We have verified that our code works with version 6.7 of this
+    # Terraform provider.
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.9"
+      version = "~> 6.7"
     }
   }
 
diff --git a/main.tf b/main.tf
@@ -44,6 +44,18 @@ resource "aws_instance" "example" {
   instance_type     = "t3.micro"
   subnet_id         = var.subnet_id
 
+  # AWS Instance Metadata Service (IMDS) options
+  metadata_options {
+    # Enable IMDS (this is the default value)
+    http_endpoint = "enabled"
+    # Restrict put responses from IMDS to a single hop (this is the
+    # default value).  This effectively disallows the retrieval of an
+    # IMDSv2 token via this machine from anywhere else.
+    http_put_response_hop_limit = 1
+    # Require IMDS tokens AKA require the use of IMDSv2
+    http_tokens = "required"
+  }
+
   # The tag or tags specified here will be merged with the provider's
   # default tags.
   tags = {
