metadata_options default not working properly in Launch Template

[phils]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.24

• provider.aws v2.55.0

Affected Resource(s)

• aws_launch_template
  (maybe others using metadata options too)

Terraform Configuration Files

resource "aws_launch_template" "lt" {
  name                   = "test-lt"
  image_id               = var.ami
  instance_type          = var.instance_type
  user_data              = base64encode(data.template_file.userdata.rendered)
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.blah.id]

  metadata_options {
    http_tokens = "required"
  }
}

Expected Behavior

LT with metadata options as requested

Actual Behavior

Error: InvalidParameterValue: A value of ‘’ is not valid for http-endpoint. Valid values are ‘enabled’ or ‘disabled’.

This seems to be a common issue with launch template actions in terraform AWS Provider. When leaving items to 'default', I believe you must omit the variable altogether in the AWS API call, rather than sending blank string value.

Steps to Reproduce

metadata_options where http_endpoint is not specified in the tf code.

References

#12491

• #0000

[phils]

@ewbankkit FYI - appreciate your work on this code but might need a small tweak

[ewbankkit]

@phils Thanks for opening this issue.
The new metadata_options attribute is defined as Computed: true for backwards compatibility reasons: #11076 (comment), which is why we have no Default value here.

[stefansundin]

@phils

In this case you must specify http_endpoint = "enabled". In my opinion that attribute should be Required: true, but it is not currently.

resource "aws_launch_template" "lt" {
  name                   = "test-lt"
  image_id               = var.ami
  instance_type          = var.instance_type
  user_data              = base64encode(data.template_file.userdata.rendered)
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.blah.id]

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}

[bharath-123]

I think the documentation should be updated in this case. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options says http_endpoint is optional which is misleading.

[justinretzolk]

Hey @phils 👋 Thank you for taking the time to file this. Given that there's been a number of AWS Provider releases since you initially filed it, can you confirm whether you're still experiencing this behavior?

[RyPeck]

@justinretzolk I just experienced this behavior creating a aws_instance Resource Type using the v3.62.0 AWS Provider.

[gurchik]

Just ran into this as well with v3.62.0.

Some additional info:

$ aws ec2 describe-launch-template-versions --launch-template-id $MY_ID
{
    "LaunchTemplateVersions": [
        {
            "LaunchTemplateId": "redacted",
            "LaunchTemplateName": "redacted",
            "VersionNumber": 1,
            "CreateTime": "2021-01-17T03:19:50+00:00",
            "CreatedBy": "redacted",
            "DefaultVersion": true,
            "LaunchTemplateData": {
                "IamInstanceProfile": {
                    "Arn": "redacted"
                },
                "BlockDeviceMappings": [
                    {
                        "DeviceName": "/dev/xvda",
                        "Ebs": {
                            "Encrypted": false,
                            "VolumeSize": 256,
                            "VolumeType": "gp2"
                        }
                    }
                ],
                "NetworkInterfaces": [
                    {
                        "DeviceIndex": 0,
                        "Groups": [
                            "redacted",
                        ]
                    }
                ],
                "ImageId": "redacted",
                "InstanceType": "m5.large",
                "KeyName": "redacted",
                "UserData": "redacted",
                "MetadataOptions": {
                    "HttpTokens": "optional",
                    "HttpPutResponseHopLimit": 2
                }
            }
        }
    ]
}

I added the following to my Terraform:

metadata_options {
    http_endpoint = "enabled"
}

And that fixed it.

Unrelated: if you look at my output for describe-launch-template-versions you can see HttpPutResponseHopLimit is set to 2, but I do not set any value for metadata_options.http_put_response_hop_limit so you'd expect it to try to change this to the default value of 1 but it doesn't appear in the plan and running a plan that changes an unrelated attribute (say, the metadata_options.http_endpoint), when I run describe-launch-template-versions a second time it still shows 2. So I believe there is an unrelated bug where this is not being changed properly.

[dinoshauer]

Just ran into this for aws_instance.metadata_options.http_endpoint as well with hashicorp/aws at 4.15.0

[kylet21]

My team also just ran into this issue. Can we at least get an update in the documentation that says, "http_endpoint = "enabled" must be set if you want to set any other options in the metadata_options block"?

[rodecapd]

My team also just ran into this issue. Can we at least get an update in the documentation that says, "http_endpoint = "enabled" must be set if you want to set any other options in the metadata_options block"?

Same here using provider v4.47 and terraform-aws-modules/eks/aws v19.5.1.
I've been trying to set
metadata_options {
http_token = "optional"
}
and it didn't work until I added "http_endpoint = "enabled"

[lvthillo]

@ewbankkit

@phils Thanks for opening this issue. The new metadata_options attribute is defined as Computed: true for backwards compatibility reasons: #11076 (comment), which is why we have no Default value here.

I'm only seeing this now (after PR creation)... Not sure if this backwards compatibility is still required?

[justinretzolk]

Hey all 👋 Thank you very much for taking the time to raise this! This was addressed with #30545, which was included in version 5.0.0 of the provider. With that in mind, we'll close this issue. If you experience additional issues with the provider, please do open a new issue to let us know.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.