feat(ec2): allow imdsv2 usage on bastion host (#18955)

Allow user to use Instance Metadata Service Version 2 (IMDSv2) on Bastion Host.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: nikovirtala

packages/@aws-cdk/aws-ec2/lib/bastion-host.ts

@@ -97,6 +97,13 @@ export interface BastionHostLinuxProps {
    * @default - default options
    */
   readonly initOptions?: ApplyCloudFormationInitOptions;
+
+  /**
+   * Whether IMDSv2 should be required on this instance
+   *
+   * @default - false
+   */
+  readonly requireImdsv2?: boolean;
 }
 
 /**
@@ -147,14 +154,17 @@ export class BastionHostLinux extends Resource implements IInstance {
    * @attribute
    */
   public readonly instancePrivateDnsName: string;
+
   /**
    * @attribute
    */
   public readonly instancePrivateIp: string;
+
   /**
    * @attribute
    */
   public readonly instancePublicDnsName: string;
+
   /**
    * @attribute
    */
@@ -178,6 +188,7 @@ export class BastionHostLinux extends Resource implements IInstance {
       blockDevices: props.blockDevices ?? undefined,
       init: props.init,
       initOptions: props.initOptions,
+      requireImdsv2: props.requireImdsv2 ?? false,
     });
     this.instance.addToRolePolicy(new PolicyStatement({
       actions: [

packages/@aws-cdk/aws-ec2/test/bastion-host.test.ts

@@ -160,4 +160,25 @@ describe('bastion host', () => {
       },
     });
   });
+
+  test('imdsv2 is required', () => {
+    //GIVEN
+    const stack = new Stack();
+    const vpc = new Vpc(stack, 'VPC');
+
+    //WHEN
+    new BastionHostLinux(stack, 'Bastion', {
+      vpc,
+      requireImdsv2: true,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::EC2::LaunchTemplate', {
+      LaunchTemplateData: {
+        MetadataOptions: {
+          HttpTokens: 'required',
+        },
+      },
+    });
+  });
 });