upd: update policies 190, 520

Improved accuracy of filters

Author: anna-shcherbak

policies/ecc-aws-490-ec2_token_hop_limit_check.yml

@@ -16,6 +16,9 @@ policies:
           - type: value
             key: State.Name
             value: terminated
+      - type: value
+        key: MetadataOptions.HttpEndpoint
+        value: enabled
       - not:
           - type: value
             key: MetadataOptions.HttpPutResponseHopLimit

policies/ecc-aws-520-autoscaling_launch_config_hop_limit.yml

@@ -12,6 +12,9 @@ policies:
       Auto Scaling launch configuration hop limit is greater than 1
     resource: launch-config
     filters:
+      - type: value
+        key: MetadataOptions.HttpEndpoint
+        value: enabled
       - type: value
         key: MetadataOptions.HttpPutResponseHopLimit
         op: gt

terraform/ecc-aws-490-ec2_token_hop_limit_check/green/ec2.tf

@@ -2,7 +2,7 @@ resource "aws_instance" "this" {
   ami              = data.aws_ami.this.id
   instance_type    = "t2.micro"
   metadata_options {
-    http_endpoint               = "enabled"
+    http_endpoint = "enabled"
   }
 
 

terraform/ecc-aws-490-ec2_token_hop_limit_check/green2/ec2.tf

@@ -0,0 +1,22 @@
+resource "aws_instance" "this" {
+  ami              = data.aws_ami.this.id
+  instance_type    = "t2.micro"
+  metadata_options {
+    http_endpoint = "disabled"
+    # `http_put_response_hop_limit` - Defaults to 1
+  }
+  
+
+  tags = {
+    Name = "490_instance_green2"
+  }
+}
+
+data "aws_ami" "this" {
+  most_recent = true
+  owners = ["amazon"]
+  filter {
+    name = "name"
+    values = ["amzn2-ami-hvm*"]
+  }
+}

terraform/ecc-aws-490-ec2_token_hop_limit_check/green2/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-490-ec2_token_hop_limit_check"
+      ComplianceStatus = "Green2"
+    }
+  }
+}

terraform/ecc-aws-490-ec2_token_hop_limit_check/green2/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-490-ec2_token_hop_limit_check/green2/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json

@@ -4,8 +4,7 @@
 		{
 			"Effect": "Allow",
 			"Action": [
-				"ec2:DescribeInstances",
-				"ec2:DescribeTags"
+				"ec2:DescribeInstances"
 			],
 			"Resource": "*"
 		}

terraform/ecc-aws-490-ec2_token_hop_limit_check/red/ec2.tf

@@ -3,7 +3,7 @@ resource "aws_instance" "this" {
   instance_type    = "t2.micro"
   metadata_options {
     http_endpoint               = "enabled"
-    http_put_response_hop_limit = 5 
+    http_put_response_hop_limit = 2
   }
 
 

terraform/ecc-aws-520-autoscaling_launch_config_hop_limit/green2/asg.tf

@@ -0,0 +1,20 @@
+resource "aws_launch_configuration" "this" {
+  name_prefix                 = "520_launch_configuration_green2"
+  image_id                    = data.aws_ami.this.id
+  instance_type               = "t2.micro"
+  metadata_options {
+    http_endpoint               = "disabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = "5"
+  }
+}
+
+data "aws_ami" "this" {
+  most_recent = true
+  owners      = ["amazon"]
+  
+  filter {
+    name = "name"
+	values = ["amzn2-ami-hvm*"]
+  }
+}