From 0e850b60bcf4f7333e14f03a2a05fae08e63db5b Mon Sep 17 00:00:00 2001
From: yugarora
Date: Thu, 5 Jun 2025 14:09:52 +0530
Subject: [PATCH] I've added support for disabling legacy IMDS endpoints in the OCI builder.

This introduces a new boolean option, , to the OCI builder configuration. When you set this to true, the launched OCI instance will be configured to disable the legacy IMDSv1 endpoints. This enhances security by enforcing the use of IMDSv2.
---
 builder/oci/config.go | 1 +
 builder/oci/driver_oci.go | 7 +++++++
 docs/builders/oci.mdx | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/builder/oci/config.go b/builder/oci/config.go
index f9f9a1f..6b7e5b0 100644
--- a/builder/oci/config.go
+++ b/builder/oci/config.go
@@ -118,6 +118,7 @@ type Config struct {
 Shape string `mapstructure:"shape"`
 ShapeConfig FlexShapeConfig `mapstructure:"shape_config"`
 BootVolumeSizeInGBs int64 `mapstructure:"disk_size"`
+ InstanceOptionsAreLegacyImdsEndpointsDisabled *bool `mapstructure:"instance_options_are_legacy_imds_endpoints_disabled" required:"false"`

 // Metadata optionally contains custom metadata key/value pairs provided in the
 // configuration. While this can be used to set metadata["user_data"] the explicit
diff --git a/builder/oci/driver_oci.go b/builder/oci/driver_oci.go
index 9918130..d2dd9f9 100644
--- a/builder/oci/driver_oci.go
+++ b/builder/oci/driver_oci.go
@@ -161,6 +161,12 @@ func (d *driverOCI) CreateInstance(ctx context.Context, publicKey string) (strin
 InstanceSourceDetails.BootVolumeSizeInGBs = &d.cfg.BootVolumeSizeInGBs
 }

+ // Build instance options
 instanceOptions := core.InstanceOptions{}
 if d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled != nil {
 instanceOptions.AreLegacyImdsEndpointsDisabled = d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled
 }
+
 // Build instance details
 instanceDetails := core.LaunchInstanceDetails{
 AvailabilityDomain: &d.cfg.AvailabilityDomain,
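Review bot: The new `InstanceOptionsAreLegacyImdsEndpointsDisabled` field has no doc comment, while the neighbouring `Metadata` field in this hunk documents its purpose; because the field is a `*bool`, the unset (nil) case is exactly what a reader needs spelled out, and the docs hunk in this patch says the effective default is `false`, i.e. IMDSv1 stays reachable unless the user opts in. A comment such as `// InstanceOptionsAreLegacyImdsEndpointsDisabled, when true, launches the build instance with the legacy IMDSv1 endpoints disabled so only IMDSv2 is reachable; nil leaves the OCI default. Anything that reads instance metadata during the build must then use IMDSv2.` would cover it. The `required:"false"` tag also does not appear on the three sibling fields visible here, so it is worth confirming it matches the convention used elsewhere in the struct. The `Config` struct continues outside the hunk.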
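Review bot: The `!= nil` guard around the assignment in the added block is a no-op: `AreLegacyImdsEndpointsDisabled` is itself a pointer, so assigning a nil `d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled` leaves it exactly as the zero `core.InstanceOptions{}` already had it. Either assign unconditionally, `instanceOptions.AreLegacyImdsEndpointsDisabled = d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled`, or keep the guard and let it decide whether an `InstanceOptions` struct is attached to the launch request at all, which is how the existing `if d.cfg.ShapeConfig.Ocpus != nil` block in the next hunk handles an optional sub-struct. The `// Build instance options` comment could also say why this matters, e.g. `// When true, only IMDSv2 is reachable on the build instance; nil inherits the OCI default`. `CreateInstance` starts before this hunk and continues past it.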
@@ -172,6 +178,7 @@ func (d *driverOCI) CreateInstance(ctx context.Context, publicKey string) (strin
 Shape: &d.cfg.Shape,
 SourceDetails: InstanceSourceDetails,
 Metadata: metadata,
+ InstanceOptions: &instanceOptions,
 }

 if d.cfg.ShapeConfig.Ocpus != nil {
diff --git a/docs/builders/oci.mdx b/docs/builders/oci.mdx
index 74155da..b4fd02c 100644
--- a/docs/builders/oci.mdx
+++ b/docs/builders/oci.mdx
@@ -165,6 +165,8 @@ or configured for the default OCI CLI authenticaton profile.
 - `instance_name` (string) - The name to assign to the instance used for the image creation process. If not set a name of the form `instanceYYYYMMDDhhmmss` will be used.
+- `instance_options_are_legacy_imds_endpoints_disabled` (boolean) - If this is set to true, legacy IMDSv1 endpoints will be disabled on the instance. Defaults to `false`.
+
 - `instance_tags` (map of strings) - Add one or more freeform tags to the instance used for the image creation process.
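Review bot: `InstanceOptions: &instanceOptions,` attaches a non-nil options struct to every launch request, including builds that never set the new option, so the request sent on behalf of existing users likely changes (presumably to an empty `instanceOptions` object; whether the SDK omits it depends on its marshalling, which is not visible here). The `if d.cfg.ShapeConfig.Ocpus != nil {` block right below shows this file's convention of adding optional sub-structs only when configured; following it would be `if v := d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled; v != nil {` / `instanceDetails.InstanceOptions = &core.InstanceOptions{AreLegacyImdsEndpointsDisabled: v}` / `}` placed after the literal, with the unconditional field dropped. That also keeps the security-relevant behaviour explicit: when the option is unset nothing is sent and the OCI default for IMDS applies, and when it is set the IMDSv1 lockdown is clearly intentional. The enclosing `CreateInstance` begins before and ends after this hunk.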