Feature/increase metadata hop limit

README.md

@@ -215,6 +215,7 @@ When users are added to the docker group, they need to log out and back in for t
 | `docker_user_groups`       | List of users to add to the docker group. Default is ['ec2-user'].                                                                     | `list(string)`| `["ec2-user"]` |    no    |
 | `docker_restart_instance`  | Whether to restart the instance after Docker installation to ensure group membership changes take effect.                              | `bool`        | `false`     |    no    |
 | `docker_security_acknowledgment` | Set to 'I understand the security implications' to acknowledge that users in the docker group effectively have root privileges.   | `string`      | `null`      |    no    |
+| `metadata_http_put_response_hop_limit` | The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Default is 1 (most secure). For Docker containers to access instance metadata, a minimum of 2 is required. For docker-in-docker scenarios, 3 or higher might be needed. | `number`      | `1`         |    no    |
 | `azure_devops_agent_version` | Azure DevOps agent version (e.g., '4.254.0').                                                                                        | `string`      | `"4.254.0"` |    no    |
 | `attach_security_group_ids`| List of additional Security Group IDs to attach.                                                                                       | `list(string)`| `[]`        |    no    |
 | `tags`                     | Map of additional tags for resources.                                                                                                  | `map(string)` | `{}`        |    no    |

asg_launch_template.tf

@@ -31,7 +31,7 @@ resource "aws_launch_template" "agent_lt" {
   metadata_options {
     http_endpoint               = "enabled"
     http_tokens                = "required"
-    http_put_response_hop_limit = 1
+    http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
     instance_metadata_tags      = "enabled"
   }
 

example/main.tf

@@ -56,6 +56,7 @@ module "agent_provider" {
   # docker_user_groups = ["ec2-user"] # List of users to add to the docker group
   # docker_restart_instance = true # Whether to restart the instance after Docker installation
   # docker_security_acknowledgment = "I understand the security implications" # Required when install_docker is true
+  # metadata_http_put_response_hop_limit = 2 # Set to 2 or higher when using Docker to allow containers to access instance metadata
 
   #--------------------------------------------------------------
   # Additional Configuration

variables.tf

@@ -156,6 +156,12 @@ variable "docker_security_acknowledgment" {
   }
 }
 
+variable "metadata_http_put_response_hop_limit" {
+  description = "The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Default is 1 (most secure). For Docker containers to access instance metadata, a minimum of 2 is required. For docker-in-docker scenarios, 3 or higher might be needed."
+  type        = number
+  default     = 1
+}
+
 variable "azure_devops_agent_version" {
   description = "Version of the Azure DevOps agent to install (e.g., '4.254.0'). Find versions at https://github.com/microsoft/azure-pipelines-agent/releases"
   type        = string