Migrate IMDSv1 request to IMDSv2

Author: jourdan-west

certs/templates/user_data.tpl

@@ -1,6 +1,14 @@
 #cloud-config
 runcmd:
-  - export INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
+  # Fetch IMDSv2 token
+  - |
+    TOKEN=$(curl -H "X-aws-ec2-metadata-token-ttl-seconds: 60" -X PUT "http://169.254.169.254/latest/api/token")
+    echo "IMDSv2 token fetched: $TOKEN"
+
+  # Use the token to make a metadata request
+  - |
+    INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s "http://169.254.169.254/latest/meta-data/instance-id")
+    echo "Instance ID: $INSTANCE_ID"
   - echo "OPENVPN_CERT_SOURCE=s3://${replace(s3_bucket,"/(/)+$/","")}/${replace(s3_bucket_prefix,"/^(/)+|(/)+$/","")}" > /etc/openvpn/get-openvpn-certs.env
   - if [ -n "${vpc_dns_ip}" ]; then echo "push \"dhcp-option DNS ${vpc_dns_ip}\"" >> /etc/openvpn/server.conf;fi
   - echo 'crl-verify /etc/openvpn/keys/crl.pem' >> /etc/openvpn/server.conf

docker-openvpn-server/cluster/templates/user_data.tpl

@@ -6,7 +6,14 @@ runcmd:
   - curl -s -O https://bootstrap.pypa.io/get-pip.py && python get-pip.py
   - /usr/local/bin/pip install awscli && ln -sf /usr/local/bin/aws /usr/bin/
 
-  - export INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
+   # Fetch IMDSv2 token
+  - |
+    TOKEN=$(curl -H "X-aws-ec2-metadata-token-ttl-seconds: 60" -X PUT "http://169.254.169.254/latest/api/token")
+    echo "IMDSv2 token fetched: $TOKEN"
+
+  # Use the token to make a metadata request
+  - |
+    INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s "http://169.254.169.254/latest/meta-data/instance-id")
   - docker pull ${openvpn_docker_image}:${openvpn_docker_tag}
   - mkdir -p /opt/openvpn
   - touch /opt/openvpn/.env && chmod 700 /opt/openvpn/.env
@@ -27,5 +34,4 @@ runcmd:
 
   - docker run -d --name openvpn --env-file=/opt/openvpn/.env --cap-add=NET_ADMIN --device=/dev/net/tun -v /opt/openvpn/:/etc/openvpn/ -v /var/run/openvpn/:/var/run/openvpn -p 1194:1194/tcp ${openvpn_docker_image}:${openvpn_docker_tag} /start_server.sh
   - if [ ${assign_eip} = 'true' ]; then for eip in `aws ec2 describe-tags --region=${region} --filters  "Name=resource-type,Values=elastic-ip" "Name=value,Values=${stack_item_label}" | jq -r '.Tags[].ResourceId'`; do if [ `aws ec2 describe-addresses --allocation-id $${eip} --region=${region} | jq -r '.Addresses[].InstanceId'` = 'null' ]; then echo "$${eip} is available, assigning it to current instance";aws ec2 associate-address --instance-id "$${INSTANCE_ID}" --allocation-id $${eip} --region=${region};else echo "$${eip} is taken";fi; done;fi
-
 output : { all : '| tee -a /var/log/cloud-init-output.log' }