Fix Cookbook for EC2 Instance Metadata Service IMDSV2 configuration (SSRF patch)

[wilkosz]

Agenda

Update all service calls to EC2 metadata to use IMDSV2 spec:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

EC2 metadata service IMDSV1 introduced quite a few vulnerabilities: https://hackerone.com/reports/508459

Fix

• add proc to retrieve token (could also have been on the client but not used elsewhere)
• use retrieved token (single hop? -> EC2 Configuration) to call metadata service

Rollout

If this doesn't get rolled out Macroplant may maintain a publicly available version.

[joekiller]

Thank you for your contribution. I hope it works!

[joekiller]

I'll try to push a release soon

[joekiller]

@wilkosz what was the target platform you tested this on?

the tests seem out of date.

Also did you fix master vs re_2.8? I think re_2.8 is kinda the defacto right now because master got trashed hard and I forked it until I could fix master and alas this project depends on the community to do anything at this period.

https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os-linux.html

[compuguy]

You may want to make a note of the re_2.8 branch being stable vs master in the Readme.md @joekiller.

[wilkosz]

@wilkosz what was the target platform you tested this on?

the tests seem out of date.

Also did you fix master vs re_2.8? I think re_2.8 is kinda the defacto right now because master got trashed hard and I forked it until I could fix master and alas this project depends on the community to do anything at this period.

https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os-linux.html

We are currently using this revision on our production builds at macroplant. The big issue we are facing is that all upstream packages are not imdsV2 configured so we have some hacky fixes for our opsworks_ruby startup