I've added support for disabling legacy IMDS endpoints in the OCI builder.

yugarora · yugarora · commit 0e850b60bcf4 · 2025-06-05T14:09:52.000+05:30
This introduces a new boolean option, , to the OCI builder configuration.

When you set this to true, the launched OCI instance will be configured to disable the legacy IMDSv1 endpoints. This enhances security by enforcing the use of IMDSv2.
diff --git a/builder/oci/config.go b/builder/oci/config.go
@@ -118,6 +118,7 @@ type Config struct {
 	Shape                   string                            `mapstructure:"shape"`
 	ShapeConfig             FlexShapeConfig                   `mapstructure:"shape_config"`
 	BootVolumeSizeInGBs     int64                             `mapstructure:"disk_size"`
+	InstanceOptionsAreLegacyImdsEndpointsDisabled *bool `mapstructure:"instance_options_are_legacy_imds_endpoints_disabled" required:"false"`
 
 	// Metadata optionally contains custom metadata key/value pairs provided in the
 	// configuration. While this can be used to set metadata["user_data"] the explicit
diff --git a/builder/oci/driver_oci.go b/builder/oci/driver_oci.go
@@ -161,6 +161,12 @@ func (d *driverOCI) CreateInstance(ctx context.Context, publicKey string) (strin
 		InstanceSourceDetails.BootVolumeSizeInGBs = &d.cfg.BootVolumeSizeInGBs
 	}
 
+	// Build instance options
+	instanceOptions := core.InstanceOptions{}
+	if d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled != nil {
+		instanceOptions.AreLegacyImdsEndpointsDisabled = d.cfg.InstanceOptionsAreLegacyImdsEndpointsDisabled
+	}
+
 	// Build instance details
 	instanceDetails := core.LaunchInstanceDetails{
 		AvailabilityDomain: &d.cfg.AvailabilityDomain,
@@ -172,6 +178,7 @@ func (d *driverOCI) CreateInstance(ctx context.Context, publicKey string) (strin
 		Shape:              &d.cfg.Shape,
 		SourceDetails:      InstanceSourceDetails,
 		Metadata:           metadata,
+		InstanceOptions:    &instanceOptions,
 	}
 
 	if d.cfg.ShapeConfig.Ocpus != nil {
diff --git a/docs/builders/oci.mdx b/docs/builders/oci.mdx
@@ -165,6 +165,8 @@ or configured for the default OCI CLI authenticaton profile.
 - `instance_name` (string) - The name to assign to the instance used for the image creation process.
   If not set a name of the form `instanceYYYYMMDDhhmmss` will be used.
 
+- `instance_options_are_legacy_imds_endpoints_disabled` (boolean) - If this is set to true, legacy IMDSv1 endpoints will be disabled on the instance. Defaults to `false`.
+
 - `instance_tags` (map of strings) - Add one or more freeform tags to the instance used for the
   image creation process.
 
