Commit 1c231df
security: Enforce IMDSv2 on EC2 launch template (CKV_AWS_79) (#31)
* security: Enforce IMDSv2 on EC2 launch template (CKV_AWS_79)
Remediation for Checkov security check CKV_AWS_79 and CISA Near-Term
Essential Security (NES) requirement for EC2 instance metadata protection.
Changes:
- Add metadata_options block to aws_launch_template.sensor_launch_template
- Set http_tokens = 'required' to enforce IMDSv2 (session-oriented)
- Set http_put_response_hop_limit = 1 to limit metadata service access
- Keep http_endpoint = 'enabled' to maintain metadata availability
Security Benefits:
- Prevents SSRF attacks against instance metadata service
- Requires PUT request before GET (session tokens)
- Aligns with AWS security best practices
- Satisfies CISA NES control requirements
References:
- https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
- https://www.cisa.gov/resources-tools/resources/near-term-essential-security-nes
Testing:
Verified with checkov security scanner before and after change.
No functional impact - IMDSv2 is backward compatible with AWS SDKs.
* refactor: Simplify metadata_options to match bastion module
- Remove redundant http_put_response_hop_limit (defaults to 1)
- Match existing pattern in modules/bastion/instance.tf
- Still passes CKV_AWS_79 security check
---------
Co-authored-by: Ricky Lin <ricky@Rickys-MacBook-Pro.local>
1 parent 25e0213 commit 1c231df
1 file changed, +6 -0 lines changed
| Original file line number | Diff line number | Diff line change | |
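The commit message above describes the CKV_AWS_79 condition (pass when `http_tokens = "required"`, or when the endpoint is disabled) and the reasoning for dropping the explicit hop limit. The following is an added example, not code from this repository or from Checkov: it re-implements that pass/fail logic over constructed Terraform snippets with a deliberately simplified parser that only understands a flat `metadata_options { key = value }` block. The snippet contents, the `Finding` type and the `effective_hop_limit` helper are assumptions introduced here for illustration; the default hop limit of 1 when the attribute is unset is the AWS instance default.

```python
"""Offline re-implementation of the CKV_AWS_79 decision (added example; not
Checkov's code). Parses a flat metadata_options block out of a Terraform
resource and reports whether IMDSv1 is still reachable."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed Terraform snippets for the demonstration (not the repository's file).
WEAK_TEMPLATE = """
resource "aws_launch_template" "sensor_launch_template" {
  name_prefix   = "sensor-"
  image_id      = "ami-0123456789abcdef0"
  instance_type = "t3.medium"
  # No metadata_options block: IMDSv1 (token-less GET) stays reachable.
}
"""

OPTIONAL_TEMPLATE = """
resource "aws_launch_template" "sensor_launch_template" {
  name_prefix = "sensor-"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
}
"""

HARDENED_TEMPLATE = """
resource "aws_launch_template" "sensor_launch_template" {
  name_prefix = "sensor-"
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}
"""

DISABLED_TEMPLATE = """
resource "aws_launch_template" "sensor_launch_template" {
  name_prefix = "sensor-"
  metadata_options {
    http_endpoint = "disabled"
  }
}
"""

# Simplified HCL extraction: one non-nested metadata_options block, one
# `key = value` assignment per line. Real Checkov uses a full HCL parser.
BLOCK_RE = re.compile(r"metadata_options\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$', re.M)


def parse_metadata_options(hcl: str) -> Optional[dict[str, str]]:
    """Return the metadata_options attributes as a dict, or None if absent."""
    match = BLOCK_RE.search(hcl)
    if match is None:
        return None
    return dict(KV_RE.findall(match.group(1)))


@dataclass
class Finding:
    passed: bool
    reason: str


def check_ckv_aws_79(hcl: str) -> Finding:
    """CKV_AWS_79 semantics: pass if the endpoint is disabled or tokens are required."""
    opts = parse_metadata_options(hcl)
    if opts is None:
        return Finding(False, "no metadata_options block; IMDSv1 allowed by default")
    if opts.get("http_endpoint") == "disabled":
        return Finding(True, "metadata endpoint disabled")
    if opts.get("http_tokens") == "required":
        return Finding(True, "IMDSv2 session tokens required")
    # Terraform/AWS treat a missing http_tokens as "optional", i.e. IMDSv1 still answers.
    return Finding(False, f"http_tokens={opts.get('http_tokens', 'optional')!r} permits IMDSv1")


def effective_hop_limit(hcl: str) -> int:
    """Hop limit that instances will get; AWS defaults to 1 when the attribute is unset."""
    opts = parse_metadata_options(hcl) or {}
    return int(opts.get("http_put_response_hop_limit", 1))


if __name__ == "__main__":
    for name, snippet in [("weak", WEAK_TEMPLATE), ("optional", OPTIONAL_TEMPLATE),
                          ("hardened", HARDENED_TEMPLATE), ("disabled", DISABLED_TEMPLATE)]:
        finding = check_ckv_aws_79(snippet)
        status = "PASSED" if finding.passed else "FAILED"
        print(f"{name:9s} CKV_AWS_79 {status}: {finding.reason}; hop limit {effective_hop_limit(snippet)}")
```

Running it shows the two states the commit moves between: no block or `http_tokens = "optional"` fails, while `http_tokens = "required"` passes whether or not the hop limit is written out, which is why the follow-up refactor could drop that attribute without changing the check result.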
|---|---|---|---|
| |||
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
17 | 23 | | |
18 | 24 | | |
19 | 25 | | |
| |||
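Review bot: The six added lines (17 to 22) carry no content in this rendering, so the metadata_options block can only be reviewed against the commit message, and there the refactor commit drops `http_put_response_hop_limit` on the grounds that it "defaults to 1"; keeping `http_put_response_hop_limit = 1` explicit would make the intended hop limit auditable in the file instead of relying on the AWS default, and CKV_AWS_79 only looks at `http_tokens` and `http_endpoint`, so it would still pass. The description should also qualify "No functional impact": a hop limit of 1 blocks IMDS for anything on the instance that reaches it through an extra network hop (containers behind a bridge network), and `http_tokens = "required"` breaks processes running AWS SDK or CLI versions too old to negotiate IMDSv2 tokens, so the compatibility claim holds only for current SDK versions.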