stephenpearson · justintsteele · Jul 18, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jul 1, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # kitchen-oci CHANGELOG
 
+# 2.0.0
+- feat: set default value for `are_legacy_imds_endpoints_disabled` to `true`
+  > BREAKING CHANGE: This overrides the default value to `true` in accordance with latest [OCI secuirty guidelines](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm)
+
 # 1.28.0
 - feat: add instance_options to compute instance type
 

diff --git a/README.md b/README.md
@@ -121,11 +121,10 @@ These settings are optional:
      - `volume_id`, If you wish to clone your volume from an existing volume set this to the source volume's ID. They must be in the same Availability Domain.
    - `nsg_ids`, The option to connect up to 5 Network Security Groups to compute instance.
    - `custom_metadata`, Add metadata to the compute instance request
-   - `instance_options`, A hash of optional mutable instance options.
-     Initially, the only option [supported in the Ruby SDK](https://docs.oracle.com/en-us/iaas/tools/ruby/latest/OCI/Core/Models/InstanceOptions.html)
-     is `are_legacy_imds_endpoints_disabled`.
-     Customers who have [migrated to IMDSv2](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm#upgrading-v2) 
-     should set this to `true`
+   - `instance_options`, A hash of optional mutable instance options.\
+     Available options [supported in the Ruby SDK](https://docs.oracle.com/en-us/iaas/tools/ruby/latest/OCI/Core/Models/InstanceOptions.html)
+     - `are_legacy_imds_endpoints_disabled`, Boolean (default: `true`)\
+        > Customers who have not [migrated to IMDSv2](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm#upgrading-v2) will need to set this to `false`. [[more](#imdsv2)]
    - `all_plugins_disabled`, Whether Oracle Cloud Agent can run all the available plugins (default: `false`)
    - `management_disabled`, Whether Oracle Cloud Agent can run all the available management plugins (default: `false`)
    - `monitoring_disabled`, Whether Oracle Cloud Agent can gather performance metrics and monitor the instance using the monitoring plugins (default: `false`)
@@ -407,6 +406,19 @@ driver:
       vpus_per_gb: 30
 ```
 
+## IMDSv2
+In accordance with [OCI security guidelines](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm), the driver is disabling the IMDSv1 endpoint by default. This overrides the current default setting
+in OCI and could cause issues with [unsupported images](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm#upgrading-v2__supported-images). In the event legacy IMDS support is required,
+the option can be provided to the driver:
+
+```yml
+---
+driver:
+  name: oci
+  instance_options:
+    are_legacy_imds_endpoints_disabled: false
+```
+
 ## Windows Support
 
 When launching Oracle provided Windows images, it may be helpful to allow kitchen-oci to inject powershell to configure WinRM and to set a randomized password that does not need to be changed on first login.  If the `setup_winrm` parameter is set to true then the following steps will happen:

diff --git a/lib/kitchen/driver/oci/instance/compute.rb b/lib/kitchen/driver/oci/instance/compute.rb
@@ -83,7 +83,7 @@ def instance_source_via_image
 
           # Adds the instance options property to the launch details.
           def instance_options
-            return if config[:instance_options].empty?
+            config[:instance_options].merge!(are_legacy_imds_endpoints_disabled: true) unless config[:instance_options].key?(:are_legacy_imds_endpoints_disabled)
 
             launch_details.instance_options = OCI::Core::Models::InstanceOptions.new(config[:instance_options])
           end

diff --git a/lib/kitchen/driver/oci_version.rb b/lib/kitchen/driver/oci_version.rb
@@ -22,6 +22,6 @@ module Driver
     # Version string for Oracle OCI Kitchen driver
     #
     # @author Stephen Pearson (<[email protected]>)
-    OCI_VERSION = "1.28.0"
+    OCI_VERSION = "2.0.0"
   end
 end
diff --git a/spec/spec_helper/compute_helper.rb b/spec/spec_helper/compute_helper.rb
@@ -23,7 +23,7 @@
   include_context "oci"
   include_context "net"
 
-  let(:compute_driver_config) { base_driver_config.merge!({ capacity_reservation_id: capacity_reservation }) }
+  let(:compute_driver_config) { base_driver_config.merge!(capacity_reservation_id: capacity_reservation) }
   let(:instance_ocid) { "ocid1.instance.oc1.fake.aaaaaaaaaabcdefghijklmnopqrstuvwxyz12345" }
   let(:instance_metadata) do
     {
@@ -58,6 +58,7 @@
         is_management_disabled: false,
         are_all_plugins_disabled: false
       )
+      l.instance_options = OCI::Core::Models::InstanceOptions.new(are_legacy_imds_endpoints_disabled: true)
     end
   end
 
@@ -86,6 +87,7 @@
         is_management_disabled: false,
         are_all_plugins_disabled: false
       )
+      l.instance_options = OCI::Core::Models::InstanceOptions.new(are_legacy_imds_endpoints_disabled: true)
     end
   end