From aac79ef80fc9c8bc0cd03e9ee5a9639b9ad5e19c Mon Sep 17 00:00:00 2001
From: cruizba
Date: Thu, 29 Feb 2024 20:24:39 +0100
Subject: [PATCH] deployment: Use IMDSv2 in aws deployments
---
 .../ce/aws/CF-OpenVidu.yaml.template | 22 ++++++++++++++++---
 .../aws/CF-OpenVidu-Enterprise.yaml.template | 8 +++++++
 .../cfn-crete-ov-aws-asg-ami.yaml.template | 1 +
 .../pro/aws/CF-OpenVidu-Pro.yaml.template | 18 ++++++++++++---
 4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/openvidu-server/deployments/ce/aws/CF-OpenVidu.yaml.template b/openvidu-server/deployments/ce/aws/CF-OpenVidu.yaml.template
index c15fd0f5..038104e8 100644
--- a/openvidu-server/deployments/ce/aws/CF-OpenVidu.yaml.template
+++ b/openvidu-server/deployments/ce/aws/CF-OpenVidu.yaml.template
@@ -194,6 +194,16 @@ Conditions:
Resources:
+ LaunchTemplate:
+ Type: AWS::EC2::LaunchTemplate
+ Properties:
+ LaunchTemplateName: IMDSV2
+ LaunchTemplateData:
+ MetadataOptions:
+ HttpEndpoint: enabled
+ HttpPutResponseHopLimit: 1
+ HttpTokens: required
+
OpenviduServer:
Type: 'AWS::EC2::Instance'
Metadata:
@@ -210,7 +220,8 @@ Resources:
INXDB_MEASUREMENT=server
OV_VERSION=OPENVIDU_VERSION
- EC2_AVAIL_ZONE=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ EC2_AVAIL_ZONE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone)
EC2_REGION=$(echo "$EC2_AVAIL_ZONE" | sed 's/[a-z]$//')
curl -i -XPOST "http://$INXDB_URL:8086/write?db=$INXDB_DB" \
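Review bot: `LaunchTemplateName: IMDSV2` in the new LaunchTemplate resource is a fixed name, and launch template names are unique per account and region, so a second stack created from this template in the same region fails with a name conflict at creation; the Pro template's @@ -547 hunk uses the same fixed name, and the instance in the @@ -292 hunk refers to it by repeating the string rather than by `!Ref`, which gives CloudFormation no dependency between the two resources and so may let instance creation be attempted before the template exists. Derive the name from the stack the way the Enterprise template already does, `LaunchTemplateName: !Join [ "-", [ !Ref 'AWS::StackName', 'IMDSv2LaunchTemplate' ] ]`, and reference it from the instance with `LaunchTemplateId: !Ref LaunchTemplate` and `Version: !GetAtt LaunchTemplate.LatestVersionNumber`, so that the hard-coded `Version: 1` cannot go stale when the template is later edited.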
@@ -246,7 +257,8 @@ Resources:
sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=${PublicElasticIP}/" $WORKINGDIR/.env
else
[ ! -d "/usr/share/openvidu" ] && mkdir -p /usr/share/openvidu
- PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=$PublicHostname/" $WORKINGDIR/.env
echo $PublicHostname > /usr/share/openvidu/old-host-name
fi
@@ -279,7 +291,8 @@ Resources:
# Get new amazon URL
OldPublicHostname=$(cat /usr/share/openvidu/old-host-name)
- PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
sed -i "s/$OldPublicHostname/$PublicHostname/" $WORKINGDIR/.env
echo $PublicHostname > /usr/share/openvidu/old-host-name
@@ -292,6 +305,9 @@ Resources:
group: "root"
Properties:
ImageId: !GetAtt CloudformationLambdaInvoke.ImageId
+ LaunchTemplate:
+ LaunchTemplateName: IMDSV2
+ Version: 1
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref WebServerSecurityGroup
diff --git a/openvidu-server/deployments/enterprise/aws/CF-OpenVidu-Enterprise.yaml.template b/openvidu-server/deployments/enterprise/aws/CF-OpenVidu-Enterprise.yaml.template
index a979b320..88d35fbd 100644
--- a/openvidu-server/deployments/enterprise/aws/CF-OpenVidu-Enterprise.yaml.template
+++ b/openvidu-server/deployments/enterprise/aws/CF-OpenVidu-Enterprise.yaml.template
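Review bot: The new `TOKEN=$(curl -X PUT ...)` line has no `-s`, `--fail` or timeout, and nothing checks that a token actually came back; if the PUT fails, `$TOKEN` is empty, the next metadata request is rejected because the launch template now sets `HttpTokens: required`, and `DOMAIN_OR_PUBLIC_IP=` is written with an empty hostname while the script carries on. The same pattern is repeated in the @@ -210 and @@ -279 hunks of this file, in @@ -131 of the ASG AMI template, and in @@ -573 and @@ -695 of the Pro template. Request the token with `TOKEN=$(curl -sS --fail --max-time 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")` and stop when it is empty, `[ -n "$TOKEN" ] || { echo "IMDSv2 token request failed" >&2; exit 1; }`, so a broken IMDS configuration surfaces as a failed deployment instead of a malformed `.env`. Without `-s` the curl progress output also lands in the instance log. The enclosing script begins outside the hunk, so I cannot see whether it runs under `-e`.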
@@ -732,6 +732,10 @@ Resources:
Properties:
LaunchTemplateName: !Join [ "-", [ !Ref 'AWS::StackName', 'ASGMediaNodeLaunchTemplate'] ]
LaunchTemplateData:
+ MetadataOptions:
+ HttpEndpoint: enabled
+ HttpPutResponseHopLimit: 1
+ HttpTokens: required
SecurityGroupIds:
- !GetAtt MediaNodeSecurityGroup.GroupId
ImageId: !GetAtt LambdaOnCreateInvoke.MediaNodeImageId
@@ -987,6 +991,10 @@ Resources:
Properties:
LaunchTemplateName: !Join [ "-", [ !Ref 'AWS::StackName', 'ASGMasterNodeLaunchConfiguration'] ]
LaunchTemplateData:
+ MetadataOptions:
+ HttpEndpoint: enabled
+ HttpPutResponseHopLimit: 1
+ HttpTokens: required
SecurityGroupIds:
- !GetAtt OpenViduSecurityGroup.GroupId
IamInstanceProfile:
diff --git a/openvidu-server/deployments/enterprise/aws/cfn-crete-ov-aws-asg-ami.yaml.template b/openvidu-server/deployments/enterprise/aws/cfn-crete-ov-aws-asg-ami.yaml.template
index b62e4a41..81505947 100644
--- a/openvidu-server/deployments/enterprise/aws/cfn-crete-ov-aws-asg-ami.yaml.template
+++ b/openvidu-server/deployments/enterprise/aws/cfn-crete-ov-aws-asg-ami.yaml.template
@@ -131,6 +131,7 @@ Resources:
#!/bin/bash -x
WORKINGDIR=/opt/openvidu
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
ASG_DATA=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data)
AWS_AVAIL_ZONE=`curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`
AWS_REGION="`echo \"$AWS_AVAIL_ZONE\" | sed 's/[a-z]$//'`"
diff --git a/openvidu-server/deployments/pro/aws/CF-OpenVidu-Pro.yaml.template b/openvidu-server/deployments/pro/aws/CF-OpenVidu-Pro.yaml.template
index af7c5042..a7302ced 100644
--- a/openvidu-server/deployments/pro/aws/CF-OpenVidu-Pro.yaml.template
+++ b/openvidu-server/deployments/pro/aws/CF-OpenVidu-Pro.yaml.template
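Review bot: `HttpPutResponseHopLimit: 1` on the master-node launch template means the IMDSv2 token PUT is only answered for requests that originate in the instance's own network namespace, and this node also takes its `IamInstanceProfile` credentials from IMDS; if the OpenVidu server process that uses those credentials runs inside a container with its own network stack (bridge networking), its token requests time out and credential retrieval fails. I cannot tell from the hunk how the server process is run; if it is containerized on a bridge network, either set the limit to 2 for that template or run the container with host networking, and exercise credential retrieval on a test stack before release. The same value is set in the @@ -732 media-node hunk and in the CE and Pro `LaunchTemplate` resources, so the decision should be made once and documented next to the setting, e.g. `# hop limit 1: only processes in the host network namespace can obtain a token`.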
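Review bot: The `AWS_AVAIL_ZONE=` assignment on the line after the new `TOKEN=` line still makes an untokened IMDSv1 request; if instances built from this AMI are launched by the Enterprise ASG templates that this commit switches to `HttpTokens: required` (hunks @@ -732 and @@ -987), that request is rejected, `AWS_REGION` is derived from an empty string, and under `#!/bin/bash -x` with no `-e` the script keeps going with a broken region. Change it to `AWS_AVAIL_ZONE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone)` so every metadata call in the script uses the token it now requests. The rest of the user-data script lies outside the hunk, so any further metadata calls there need the same treatment.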
@@ -547,6 +547,16 @@ Resources:
UpdateReplacePolicy: Retain
Condition: CreateS3Bucket
+ LaunchTemplate:
+ Type: AWS::EC2::LaunchTemplate
+ Properties:
+ LaunchTemplateName: IMDSV2
+ LaunchTemplateData:
+ MetadataOptions:
+ HttpEndpoint: enabled
+ HttpPutResponseHopLimit: 1
+ HttpTokens: required
+
OpenViduServer:
Type: AWS::EC2::Instance
Metadata:
@@ -573,6 +583,7 @@ Resources:
#!/bin/bash -xe
WORKINGDIR=/opt/openvidu
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Pro License
sed -i "s/OPENVIDU_PRO_LICENSE=/OPENVIDU_PRO_LICENSE=${OpenViduLicense}/" $WORKINGDIR/.env
@@ -590,7 +601,7 @@ Resources:
sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=${PublicElasticIP}/" $WORKINGDIR/.env
else
[ ! -d "/usr/share/openvidu" ] && mkdir -p /usr/share/openvidu
- PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+ PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
sed -i "s/DOMAIN_OR_PUBLIC_IP=/DOMAIN_OR_PUBLIC_IP=$PublicHostname/" $WORKINGDIR/.env
echo $PublicHostname > /usr/share/openvidu/old-host-name
fi
@@ -623,7 +634,7 @@ Resources:
fi
# Replace vars AWS
- INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
+ INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
sed -i "s/#AWS_DEFAULT_REGION=/AWS_DEFAULT_REGION=${AWS::Region}/" $WORKINGDIR/.env
sed -i "s/#AWS_IMAGE_ID=/AWS_IMAGE_ID=${kmsAmi}/" $WORKINGDIR/.env
sed -i "s/#AWS_INSTANCE_TYPE=/AWS_INSTANCE_TYPE=${AwsInstanceTypeKMS}/" $WORKINGDIR/.env
@@ -695,7 +706,8 @@ Resources:
# Get new amazon URL
OldPublicHostname=$(cat /usr/share/openvidu/old-host-name)
- PublicHostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ PublicHostname=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
sed -i "s/$OldPublicHostname/$PublicHostname/" $WORKINGDIR/.env
echo $PublicHostname > /usr/share/openvidu/old-host-name