aws - ec2 - set-metadata-access - include instance tags option (#7772)

c7n/resources/ec2.py

@@ -1139,22 +1139,34 @@ class SetMetadataServerAccess(BaseAction):
              - type: set-metadata-access
                endpoint: disabled
 
+       policies:
+         - name: ec2-enable-metadata-tags
+           resource: ec2
+           filters:
+             - MetadataOptions.InstanceMetadataTags: disabled
+           actions:
+             - type: set-metadata-access
+               metadata-tags: enabled
+
     Reference: https://amzn.to/2XOuxpQ
     """
 
     AllowedValues = {
         'HttpEndpoint': ['enabled', 'disabled'],
         'HttpTokens': ['required', 'optional'],
+        'InstanceMetadataTags': ['enabled', 'disabled'],
         'HttpPutResponseHopLimit': list(range(1, 65))
     }
 
     schema = type_schema(
         'set-metadata-access',
         anyOf=[{'required': ['endpoint']},
                {'required': ['tokens']},
+               {'required': ['metadatatags']},
                {'required': ['hop-limit']}],
         **{'endpoint': {'enum': AllowedValues['HttpEndpoint']},
            'tokens': {'enum': AllowedValues['HttpTokens']},
+           'metadata-tags': {'enum': AllowedValues['InstanceMetadataTags']},
            'hop-limit': {'type': 'integer', 'minimum': 1, 'maximum': 64}}
     )
     permissions = ('ec2:ModifyInstanceMetadataOptions',)
@@ -1163,6 +1175,7 @@ def get_params(self):
         return filter_empty({
             'HttpEndpoint': self.data.get('endpoint'),
             'HttpTokens': self.data.get('tokens'),
+            'InstanceMetadataTags': self.data.get('metadata-tags'),
             'HttpPutResponseHopLimit': self.data.get('hop-limit')})
 
     def process(self, resources):

docs/source/aws/examples/ec2ModifyInstanceMetadataOptions.rst

@@ -0,0 +1,74 @@
+EC2 - Modify Instance Metadata Options
+======================================
+
+The following examples allow you to enforce Instance metadata options over EC2 instances.
+to learn more about Instance Metadata option please visit: 
+https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceMetadataOptions.html
+
+To filter the list of instances you can choose any combination of Ec2 mwtadate-instances elements.
+
+ As of now below options are available:
+
+  - HttpEndpoint
+
+    - Valid Values: disabled | enabled
+    - Action value: HttpEndpoint
+
+  - HttpPutResponseHopLimit
+
+    - Possible values: Integers from 1 to 64
+    - Action value: HttpPutResponseHopLimit
+
+  - HttpTokens
+
+    - Valid Values: optional | required
+    - Action value: tokens
+
+  - InstanceMetadataTags
+
+    - Valid Values: disabled | enabled
+    - Action value: metadata-tags
+
+Examples:
++++++++++
+
+  .. code-block:: yaml
+
+      policies:
+        - name: ec2-require-imdsv2
+          resource: ec2
+          description: |
+            Finds all instances with optional HttpTokens and change the policy to Requied.
+          filters:
+            - MetadataOptions.HttpTokens: optional
+          actions:
+            - type: set-metadata-access
+              tokens: required
+
+       policies:
+         - name: ec2-disable-imds
+           resource: ec2
+           description: |
+            Finds all instacnes with Enabled httpsendpoint and change it to disabled.
+            By default this option must be enabled therefore, please make sure before disabling this option.
+           filters:
+             - MetadataOptions.HttpEndpoint: enabled
+           actions:
+             - type: set-metadata-access
+               endpoint: disabled 
+
+       policies:
+         - name: ec2-disable-imds
+           resource: ec2
+           description: |
+           Finds all the instances with disables Instance Meta Data Tags and enable them. 
+           filters:
+             - MetadataOptions.InstanceMetadataTags: disabled
+           actions:
+             - type: set-metadata-access
+               metadata-tags: enabled
+
+
+Intance MetaDate Tags Reference: https://amzn.to/2XOuxpQ
+
+Custodian Filters reference: https://cloud-custodian.github.io/cloud-custodian/docs/filters.html