DEVOPS-4320 | Migrate cloud-config IMDSv1 requests to IMDSv2

jourdan-west · web-flow · commit 3b044ce127f8 · 2025-04-09T11:50:32.000-05:00
diff --git a/certs/templates/user_data.tpl b/certs/templates/user_data.tpl
@@ -1,6 +1,14 @@
 #cloud-config
 runcmd:
-  - export INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
+  # Fetch IMDSv2 token
+  - |
+    TOKEN=$(curl -H "X-aws-ec2-metadata-token-ttl-seconds: 60" -X PUT "http://169.254.169.254/latest/api/token")
+    echo "IMDSv2 token fetched: $TOKEN"
+
+  # Use the token to make a metadata request
+  - |
+    INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s "http://169.254.169.254/latest/meta-data/instance-id")
+    echo "Instance ID: $INSTANCE_ID"
   - echo "OPENVPN_CERT_SOURCE=s3://${replace(s3_bucket,"/(/)+$/","")}/${replace(s3_bucket_prefix,"/^(/)+|(/)+$/","")}" > /etc/openvpn/get-openvpn-certs.env
   - if [ -n "${vpc_dns_ip}" ]; then echo "push \"dhcp-option DNS ${vpc_dns_ip}\"" >> /etc/openvpn/server.conf;fi
   - echo 'crl-verify /etc/openvpn/keys/crl.pem' >> /etc/openvpn/server.conf
diff --git a/docker-openvpn-server/cluster/templates/user_data.tpl b/docker-openvpn-server/cluster/templates/user_data.tpl
@@ -6,7 +6,14 @@ runcmd:
   - curl -s -O https://bootstrap.pypa.io/get-pip.py && python get-pip.py
   - /usr/local/bin/pip install awscli && ln -sf /usr/local/bin/aws /usr/bin/
 
-  - export INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
+   # Fetch IMDSv2 token
+  - |
+    TOKEN=$(curl -H "X-aws-ec2-metadata-token-ttl-seconds: 60" -X PUT "http://169.254.169.254/latest/api/token")
+    echo "IMDSv2 token fetched: $TOKEN"
+
+  # Use the token to make a metadata request
+  - |
+    INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s "http://169.254.169.254/latest/meta-data/instance-id")
   - docker pull ${openvpn_docker_image}:${openvpn_docker_tag}
   - mkdir -p /opt/openvpn
   - touch /opt/openvpn/.env && chmod 700 /opt/openvpn/.env
