From 8f10d0eb1e33d38ab6e89015a903620c54edd7c1 Mon Sep 17 00:00:00 2001

From: Oyvind Albrigtsen <oalbrigt@redhat.com>

Date: Fri, 13 Nov 2020 16:36:20 +0100

Subject: [PATCH] AWS agents: add support for IMDSv2

---

 heartbeat/aws-vpc-move-ip    | 5 +++--

 heartbeat/aws-vpc-route53.in | 3 ++-

 heartbeat/awseip             | 9 +++++----

 heartbeat/awsvip             | 7 ++++---

 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip

index 72a89ecb1..cbb629b00 100755

--- a/heartbeat/aws-vpc-move-ip

+++ b/heartbeat/aws-vpc-move-ip

@@ -215,7 +215,8 @@ ec2ip_validate() {

 		return $OCF_ERR_CONFIGURED

 	fi

-	EC2_INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"

+	TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

+	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")

 	if [ -z "${EC2_INSTANCE_ID}" ]; then

 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"

@@ -329,7 +330,7 @@ ec2ip_get_instance_eni() {

 	fi

 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"

-	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id"

+	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""

 	ocf_log debug "executing command: $cmd"

 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"

 	rc=$?

diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in

index b06b93726..4fb17019b 100644

--- a/heartbeat/aws-vpc-route53.in

+++ b/heartbeat/aws-vpc-route53.in

@@ -347,7 +347,8 @@ r53_monitor() {

 _get_ip() {

 	case $OCF_RESKEY_ip in

 		local|public)

-			IPADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4)";;

+			TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

+			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;

 		*.*.*.*)

 			IPADDRESS="${OCF_RESKEY_ip}";;

 	esac

diff --git a/heartbeat/awseip b/heartbeat/awseip

index 445a03666..de1967774 100755

--- a/heartbeat/awseip

+++ b/heartbeat/awseip

@@ -149,12 +149,12 @@ awseip_start() {

     awseip_monitor && return $OCF_SUCCESS

     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then

-        NETWORK_INTERFACES_MACS="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/)"

+        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")

         for MAC in ${NETWORK_INTERFACES_MACS}; do

-            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s |

+            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |

                 grep -q "^${PRIVATE_IP_ADDRESS}$"

             if [ $? -eq 0 ]; then

-                NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id)"

+                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")

             fi

         done

         $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \

@@ -244,7 +244,8 @@ AWSCLI="${OCF_RESKEY_awscli}"

 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"

 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"

 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"

-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"

+TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

+INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")

 case $__OCF_ACTION in

     start)

diff --git a/heartbeat/awsvip b/heartbeat/awsvip

index 3eb31e6ae..8050107e8 100755

--- a/heartbeat/awsvip

+++ b/heartbeat/awsvip

@@ -206,9 +206,10 @@ esac

 AWSCLI="${OCF_RESKEY_awscli}"

 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"

-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"

-MAC_ADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/mac)"

-NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id)"

+TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

+INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")

+MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")

+NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")

 case $__OCF_ACTION in

     start)