deployment: Use IMDSv2 in aws deployments

2024-02-29 20:24:39 +01:00 · 2024-02-29 20:24:39 +01:00 · aac79ef80f
parent 4face2e556
commit aac79ef80f
4 changed files with 43 additions and 6 deletions
--- a/openvidu-server/deployments/ce/aws/CF-OpenVidu.yaml.template
+++ b/openvidu-server/deployments/ce/aws/CF-OpenVidu.yaml.template
@ -194,6 +194,16 @@ Conditions:

 Resources:

+  LaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+        LaunchTemplateName: IMDSV2
+        LaunchTemplateData:
+          MetadataOptions:
+            HttpEndpoint: enabled
+            HttpPutResponseHopLimit: 1
+            HttpTokens: required
+
  OpenviduServer:
    Type: 'AWS::EC2::Instance'
    Metadata:
@ -210,7 +220,8 @@ Resources:
                INXDB_MEASUREMENT=server

                OV_VERSION=OPENVIDU_VERSION
-                EC2_AVAIL_ZONE=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
+                TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+                EC2_AVAIL_ZONE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone)
                EC2_REGION=$(echo "$EC2_AVAIL_ZONE" | sed 's/[a-z]$//')

                curl -i -XPOST "http://$INXDB_URL:8086/write?db=$INXDB_DB" \
@ -246,7 +257,8 @@ Resources:
                  sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=${PublicElasticIP}/" $WORKINGDIR/.env
                else
                  [ ! -d "/usr/share/openvidu" ] && mkdir -p /usr/share/openvidu
-                  PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+                  TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+                  PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
                  sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=$PublicHostname/" $WORKINGDIR/.env
                  echo $PublicHostname > /usr/share/openvidu/old-host-name
                fi
@ -279,7 +291,8 @@ Resources:

                # Get new amazon URL
                OldPublicHostname=$(cat /usr/share/openvidu/old-host-name)
-                PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+                TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+                PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
                sed -i "s/$OldPublicHostname/$PublicHostname/" $WORKINGDIR/.env
                echo $PublicHostname > /usr/share/openvidu/old-host-name

@ -292,6 +305,9 @@ Resources:
              group: "root"
    Properties:
      ImageId: !GetAtt CloudformationLambdaInvoke.ImageId
+      LaunchTemplate:
+        LaunchTemplateName: IMDSV2
+        Version: 1
      InstanceType: !Ref InstanceType
      SecurityGroups:
        - !Ref WebServerSecurityGroup
--- a/openvidu-server/deployments/enterprise/aws/CF-OpenVidu-Enterprise.yaml.template
+++ b/openvidu-server/deployments/enterprise/aws/CF-OpenVidu-Enterprise.yaml.template
@ -732,6 +732,10 @@ Resources:
    Properties:
      LaunchTemplateName: !Join [ "-", [ !Ref 'AWS::StackName', 'ASGMediaNodeLaunchTemplate'] ]
      LaunchTemplateData:
+        MetadataOptions:
+          HttpEndpoint: enabled
+          HttpPutResponseHopLimit: 1
+          HttpTokens: required
        SecurityGroupIds:
          - !GetAtt MediaNodeSecurityGroup.GroupId
        ImageId: !GetAtt LambdaOnCreateInvoke.MediaNodeImageId
@ -987,6 +991,10 @@ Resources:
    Properties:
      LaunchTemplateName: !Join [ "-", [ !Ref 'AWS::StackName', 'ASGMasterNodeLaunchConfiguration'] ]
      LaunchTemplateData:
+        MetadataOptions:
+          HttpEndpoint: enabled
+          HttpPutResponseHopLimit: 1
+          HttpTokens: required
        SecurityGroupIds:
          - !GetAtt OpenViduSecurityGroup.GroupId
        IamInstanceProfile:
--- a/openvidu-server/deployments/enterprise/aws/cfn-crete-ov-aws-asg-ami.yaml.template
+++ b/openvidu-server/deployments/enterprise/aws/cfn-crete-ov-aws-asg-ami.yaml.template
@ -131,6 +131,7 @@ Resources:
                #!/bin/bash -x

                WORKINGDIR=/opt/openvidu
+                TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
                ASG_DATA=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data)
                AWS_AVAIL_ZONE=`curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`
                AWS_REGION="`echo \"$AWS_AVAIL_ZONE\" | sed 's/[a-z]$//'`"
--- a/openvidu-server/deployments/pro/aws/CF-OpenVidu-Pro.yaml.template
+++ b/openvidu-server/deployments/pro/aws/CF-OpenVidu-Pro.yaml.template
@ -547,6 +547,16 @@ Resources:
    UpdateReplacePolicy: Retain
    Condition: CreateS3Bucket

+  LaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+        LaunchTemplateName: IMDSV2
+        LaunchTemplateData:
+          MetadataOptions:
+            HttpEndpoint: enabled
+            HttpPutResponseHopLimit: 1
+            HttpTokens: required
+
  OpenViduServer:
    Type: AWS::EC2::Instance
    Metadata:
@ -573,6 +583,7 @@ Resources:
                #!/bin/bash -xe

                WORKINGDIR=/opt/openvidu
+                TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

                # Pro License
                sed -i "s/OPENVIDU_PRO_LICENSE=/OPENVIDU_PRO_LICENSE=${OpenViduLicense}/" $WORKINGDIR/.env
@ -590,7 +601,7 @@ Resources:
                  sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=${PublicElasticIP}/" $WORKINGDIR/.env
                else
                  [ ! -d "/usr/share/openvidu" ] && mkdir -p /usr/share/openvidu
-                  PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+                  PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
                  sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=$PublicHostname/" $WORKINGDIR/.env
                  echo $PublicHostname > /usr/share/openvidu/old-host-name
                fi
@ -623,7 +634,7 @@ Resources:
                fi

                # Replace vars AWS
-                INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
+                INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
                sed -i "s/#AWS_DEFAULT_REGION=/AWS_DEFAULT_REGION=${AWS::Region}/" $WORKINGDIR/.env
                sed -i "s/#AWS_IMAGE_ID=/AWS_IMAGE_ID=${kmsAmi}/" $WORKINGDIR/.env
                sed -i "s/#AWS_INSTANCE_TYPE=/AWS_INSTANCE_TYPE=${AwsInstanceTypeKMS}/" $WORKINGDIR/.env
@ -695,7 +706,8 @@ Resources:

                # Get new amazon URL
                OldPublicHostname=$(cat /usr/share/openvidu/old-host-name)
-                PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+                TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+                PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
                sed -i "s/$OldPublicHostname/$PublicHostname/" $WORKINGDIR/.env
                echo $PublicHostname > /usr/share/openvidu/old-host-name