fix(experimental-ec2-pattern): Obtain instance id more reliably
The `ec2metadata` command was failing with a 401 with AMIable CODE in deployTools account:

```console
root@ip-10-248-51-213:/var/lib/cloud/instance# ec2metadata --instance-id
Traceback (most recent call last):
  File "/usr/bin/ec2metadata", line 249, in <module>
    main()
  File "/usr/bin/ec2metadata", line 245, in main
    display(metaopts, burl, prefix)
  File "/usr/bin/ec2metadata", line 192, in display
    value = m.get(metaopt)
  File "/usr/bin/ec2metadata", line 177, in get
    return self._get('meta-data/' + metaopt)
  File "/usr/bin/ec2metadata", line 137, in _get
    resp = urllib_request.urlopen(urllib_request.Request(url))
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 401: Unautho
```

This service uses IMDSv2. A 401 response usually happens when a request is made without a token.
However, `ec2metadata` does exchange a token.

Switch to a more reliable mechanism.

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html.
akash1810 committed Sep 14, 2024
1 parent 19baa82 commit b4801a0
Showing 2 changed files with 4 additions and 5 deletions.
3 changes: 2 additions & 1 deletion src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
Expand Up @@ -920,7 +920,8 @@ aws s3 cp 's3://",
dpkg -i /test-gu-ec2-app/test-gu-ec2-app-123.deb
# GuEc2AppExperimental UserData Start
INSTANCE_ID=$(ec2metadata --instance-id)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/instance-id")
STATE=$(aws elbv2 describe-target-health --target-group-arn ",
{
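
Review bot: The added `TOKEN=$(curl -X PUT ...` line requests `X-aws-ec2-metadata-token-ttl-seconds: 21600`, the maximum lifetime IMDSv2 allows, although the token is used exactly once on the next line. A short TTL, for example `X-aws-ec2-metadata-token-ttl-seconds: 60`, is enough for this single read and limits how long the value stays useful if the UserData output ends up in a log. Since this file is a snapshot, the change belongs in `src/experimental/patterns/ec2-app.ts`, with the snapshot regenerated.
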
6 changes: 2 additions & 4 deletions src/experimental/patterns/ec2-app.ts
Expand Up @@ -262,16 +262,14 @@ export class GuEc2AppExperimental extends GuEc2App {
AsgRollingUpdatePolicy.getInstance(scope).attachToRole(role);

/*
`ec2metadata` is available via `cloud-utils` installed on all Canonical Ubuntu AMIs.
See https://github.com/canonical/cloud-utils.
`aws` is available via AMIgo baked AMIs.
See https://github.com/guardian/amigo/tree/main/roles/aws-tools.
*/
userData.addCommands(
`# ${GuEc2AppExperimental.name} UserData Start`,
`
INSTANCE_ID=$(ec2metadata --instance-id)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/instance-id")
STATE=$(aws elbv2 describe-target-health \
--target-group-arn ${targetGroup.targetGroupArn} \
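
Review bot: Neither added `curl` call passes `--fail`, so an HTTP error from the metadata service (such as the 401 quoted in the commit message) still exits 0 and its response body is captured into `TOKEN` or `INSTANCE_ID`. Suggest `curl --silent --fail` on both lines and a check that `INSTANCE_ID` is non-empty before the `aws elbv2 describe-target-health` step runs. The comment block above `userData.addCommands(` now only mentions `aws`; a line noting that the instance id is read from IMDSv2 with `curl`, and why `ec2metadata` was dropped, would help the next reader.
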