Enable IMDSv2 on all instances

Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
opensearch-project · Aug 30, 2023 · 95aef43 · 95aef43
1 parent d532a92
commit 95aef43
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 11 deletions.
diff --git a/lib/infra/infra-stack.ts b/lib/infra/infra-stack.ts
@@ -5,35 +5,35 @@ The OpenSearch Contributors require contributions made to
 this file be licensed under the Apache-2.0 license or a
 compatible open source license. */
 
+import {
+  CfnOutput, RemovalPolicy, Stack, StackProps, Tags,
+} from 'aws-cdk-lib';
+import {
+  AutoScalingGroup, BlockDeviceVolume, EbsDeviceVolumeType, Signals,
+} from 'aws-cdk-lib/aws-autoscaling';
 import {
   AmazonLinuxCpuType,
   AmazonLinuxGeneration,
   CloudFormationInit,
+  ISecurityGroup,
+  IVpc,
   InitCommand,
   InitElement,
   InitPackage,
   Instance,
   InstanceClass,
   InstanceSize,
   InstanceType,
-  ISecurityGroup,
-  IVpc,
   MachineImage,
   SubnetType,
 } from 'aws-cdk-lib/aws-ec2';
+import { NetworkListener, NetworkLoadBalancer, Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import { InstanceTarget } from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets';
 import { ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
-import {
-  AutoScalingGroup, BlockDeviceVolume, EbsDeviceVolumeType, Signals,
-} from 'aws-cdk-lib/aws-autoscaling';
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
-import {
-  CfnOutput, RemovalPolicy, Stack, StackProps, Tags,
-} from 'aws-cdk-lib';
-import { NetworkListener, NetworkLoadBalancer, Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
-import { join } from 'path';
 import { readFileSync } from 'fs';
 import { dump, load } from 'js-yaml';
-import { InstanceTarget } from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets';
+import { join } from 'path';
 import { CloudwatchAgent } from '../cloudwatch/cloudwatch-agent';
 import { nodeConfig } from '../opensearch-config/node-config';
 import { RemoteStoreResources } from './remote-store-resources';
@@ -153,6 +153,7 @@ export class InfraStack extends Stack {
         initOptions: {
           ignoreFailures: false,
         },
+        requireImdsv2: true,
       });
       Tags.of(singleNodeInstance).add('role', 'client');
 
@@ -204,6 +205,7 @@ export class InfraStack extends Stack {
           initOptions: {
             ignoreFailures: false,
           },
+          requireImdsv2: true,
           signals: Signals.waitForAll(),
         });
         Tags.of(managerNodeAsg).add('role', 'manager');
@@ -237,6 +239,7 @@ export class InfraStack extends Stack {
         initOptions: {
           ignoreFailures: false,
         },
+        requireImdsv2: true,
         signals: Signals.waitForAll(),
       });
       Tags.of(seedNodeAsg).add('role', 'manager');
@@ -264,6 +267,7 @@ export class InfraStack extends Stack {
         initOptions: {
           ignoreFailures: false,
         },
+        requireImdsv2: true,
         signals: Signals.waitForAll(),
       });
       Tags.of(dataNodeAsg).add('role', 'data');
@@ -294,6 +298,7 @@ export class InfraStack extends Stack {
           initOptions: {
             ignoreFailures: false,
           },
+          requireImdsv2: true,
           signals: Signals.waitForAll(),
         });
         Tags.of(clientNodeAsg).add('cluster', scope.stackName);
@@ -325,6 +330,7 @@ export class InfraStack extends Stack {
           initOptions: {
             ignoreFailures: false,
           },
+          requireImdsv2: true,
           signals: Signals.waitForAll(),
         });
 

diff --git a/test/os-cluster.test.ts b/test/os-cluster.test.ts
@@ -71,6 +71,11 @@ test('Test Resources with security disabled multi-node default instance types',
       Ref: 'managerNodeAsgInstanceProfile1415C2CF',
     },
   });
+  infraTemplate.hasResourceProperties('AWS::AutoScaling::LaunchConfiguration', {
+    MetadataOptions: {
+      HttpTokens: 'required',
+    },
+  });
 });
 
 test('Test Resources with security enabled multi-node with existing Vpc with user provided data and ml instance types', () => {
@@ -144,6 +149,11 @@ test('Test Resources with security enabled multi-node with existing Vpc with use
       Ref: 'mlNodeAsgInstanceProfileFF393D8C',
     },
   });
+  infraTemplate.hasResourceProperties('AWS::AutoScaling::LaunchConfiguration', {
+    MetadataOptions: {
+      HttpTokens: 'required',
+    },
+  });
 });
 
 test('Test Resources with security enabled single-node cluster', () => {
@@ -307,6 +317,11 @@ test('Test multi-node cluster with only data-nodes', () => {
       },
     ],
   });
+  infraTemplate.hasResourceProperties('AWS::AutoScaling::LaunchConfiguration', {
+    MetadataOptions: {
+      HttpTokens: 'required',
+    },
+  });
 });
 
 test('Test multi-node cluster with remote-store enabled', () => {