Do not skip metadata API check by default (#3960)
This PR explores reverting the default `aws:skipMetadataApiCheck=false` setting so that the provider can seamlessly authenticate against IMDS(v2) endpoints in the AWS environment. It appears that doing so no longer perceptibly slows down provider startup. The speed delta was measured by timing a local empty preview of an AWS S3 Bucket using AWS_PROFILE authentication from local to us-east-1; there is no perceptible difference. Fixes: #1692. An integration test is added that exercises `pulumi preview` on an EC2 instance with IMDSv2 and asserts that the provider can authenticate successfully. Background: - #873 - #1288
Showing
17 changed files
with
297 additions
and
49 deletions.
@@ -0,0 +1,193 @@ | ||
name: imds-v2 | ||
runtime: yaml | ||
description: Test the ability of pulumi-aws to authenticate on an EC2 instance with IMDSv2 enabled | ||
|
||
backend: | ||
url: file://./pulumi-state | ||
|
||
config: | ||
localProviderBuild: | ||
type: string | ||
|
||
pulumi:tags: | ||
value: | ||
pulumi:template: aws-yaml | ||
|
||
variables: | ||
ec2ami: | ||
fn::invoke: | ||
function: aws:ec2:getAmi | ||
arguments: | ||
filters: | ||
- name: name | ||
values: ["al2023*x86_64*"] | ||
owners: | ||
- amazon | ||
mostRecent: true | ||
return: id | ||
|
||
instanceType: t2.medium | ||
policyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" # example policy | ||
|
||
resources: | ||
|
||
segroup: | ||
type: aws:ec2:SecurityGroup | ||
properties: | ||
ingress: | ||
- protocol: tcp | ||
fromPort: 80 | ||
toPort: 80 | ||
cidrBlocks: ["0.0.0.0/0"] | ||
- protocol: tcp | ||
fromPort: 22 | ||
toPort: 22 | ||
cidrBlocks: ["0.0.0.0/0"] | ||
egress: | ||
- fromPort: 0 | ||
toPort: 0 | ||
protocol: '-1' | ||
cidrBlocks: | ||
- 0.0.0.0/0 | ||
ipv6CidrBlocks: | ||
- ::/0 | ||
|
||
priv-key: | ||
type: tls:PrivateKey | ||
properties: | ||
algorithm: RSA | ||
rsaBits: 2048 | ||
|
||
key-pair: | ||
type: aws:ec2/keyPair:KeyPair | ||
properties: | ||
publicKey: ${priv-key.publicKeyOpenssh} | ||
|
||
my-role: | ||
type: aws:iam/role:Role | ||
properties: | ||
assumeRolePolicy: | | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": {"Service": "ec2.amazonaws.com"}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
my-role-policy-attachment: | ||
type: aws:iam/rolePolicyAttachment:RolePolicyAttachment | ||
properties: | ||
role: ${my-role.name} | ||
policyArn: ${policyArn} | ||
|
||
my-instance-profile: | ||
type: aws:iam/instanceProfile:InstanceProfile | ||
properties: | ||
role: ${my-role.name} | ||
|
||
inst: | ||
type: aws:ec2/instance:Instance | ||
properties: | ||
ami: ${ec2ami} | ||
instanceType: ${instanceType} | ||
iamInstanceProfile: ${my-instance-profile.name} | ||
keyName: ${key-pair.keyName} | ||
# Enable and enforce IMDSv2 | ||
metadataOptions: | ||
httpTokens: required | ||
httpEndpoint: enabled | ||
httpPutResponseHopLimit: 1 | ||
vpcSecurityGroupIds: | ||
- ${segroup} | ||
userData: | | ||
#!/bin/bash | ||
# Reconfigure SSHD - workaround for pulumi Command issues | ||
cat /etc/ssh/ssh_config >/tmp/sshd_config | ||
echo "AcceptEnv PULUMI_COMMAND_STDOUT" >> /tmp/sshd_config | ||
echo "AcceptEnv PULUMI_COMMAND_STDERR" >> /tmp/sshd_config | ||
sudo cp /tmp/sshd_config /etc/ssh/sshd_config || echo "FAILED to set sshd_config" | ||
rm /tmp/sshd_config | ||
file-copy: | ||
type: command:remote:CopyFile | ||
properties: | ||
connection: | ||
host: ${inst.publicIp} | ||
user: ec2-user # The default user for Amazon Linux AMI | ||
privateKey: ${priv-key.privateKeyOpenssh} | ||
localPath: remote-program/Pulumi.yaml | ||
remotePath: "/tmp/Pulumi.yaml" | ||
options: | ||
ignoreChanges: | ||
- connection | ||
|
||
provider-copy: | ||
type: command:remote:CopyFile | ||
properties: | ||
connection: | ||
host: ${inst.publicIp} | ||
user: ec2-user # The default user for Amazon Linux AMI | ||
privateKey: ${priv-key.privateKeyOpenssh} | ||
localPath: ${localProviderBuild} | ||
remotePath: "/tmp/pulumi-resource-aws" | ||
options: | ||
ignoreChanges: | ||
- connection | ||
|
||
install-cmd: | ||
type: command:remote:Command | ||
properties: | ||
create: | | ||
echo "========" | ||
curl -fsSL https://get.pulumi.com | sh | ||
export PATH="/home/ec2-user/.pulumi/bin:$PATH" | ||
echo "========" | ||
pulumi version | ||
echo "========" | ||
connection: | ||
host: ${inst.publicIp} | ||
user: ec2-user # The default user for Amazon Linux AMI | ||
privateKey: ${priv-key.privateKeyOpenssh} | ||
options: | ||
ignoreChanges: | ||
- connection | ||
dependsOn: | ||
- ${file-copy} | ||
|
||
init-cmd: | ||
type: command:remote:Command | ||
properties: | ||
create: | | ||
cd /tmp | ||
mkdir ./pulumi-state | ||
export PULUMI_CONFIG_PASSPHRASE=123456 | ||
export PATH="/tmp:$PATH" | ||
export PATH="/home/ec2-user/.pulumi/bin:$PATH" | ||
chmod a+x /tmp/pulumi-resource-aws | ||
pulumi version # ensure in PATH | ||
pulumi-resource-aws --help # ensure in PATH | ||
pulumi stack init dev | ||
pulumi stack select dev | ||
pulumi config | ||
pulumi preview | ||
# SSH connection details to the remote machine | ||
connection: | ||
host: ${inst.publicIp} | ||
user: ec2-user # The default user for Amazon Linux AMI | ||
privateKey: ${priv-key.privateKeyOpenssh} | ||
options: | ||
ignoreChanges: | ||
- connection | ||
dependsOn: | ||
- ${install-cmd} | ||
- ${provider-copy} | ||
|
||
outputs: | ||
instanceId: ${inst.id} | ||
publicIp: ${inst.publicIp} | ||
commandOut: ${init-cmd.stdout} |
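Review bot: The user-data script reads the SSH client configuration, `cat /etc/ssh/ssh_config >/tmp/sshd_config`, and then installs that file over `/etc/ssh/sshd_config`, so the server's original configuration is replaced wholesale by client directives plus the two `AcceptEnv` lines, and because nothing restarts sshd afterwards the edit may not even take effect. Appending to the existing server config is smaller and keeps the distribution defaults: `echo "AcceptEnv PULUMI_COMMAND_STDOUT PULUMI_COMMAND_STDERR" | sudo tee -a /etc/ssh/sshd_config` followed by `sudo systemctl restart sshd` (verify the unit name on the AL2023 image). Separately, the security group admits port 80 from `0.0.0.0/0` although nothing in this program listens on 80, and port 22 is open to the world as well; restricting ingress to port 22 from the test runner's address would shrink the exposure of a throwaway instance that carries an S3-read role. The `PULUMI_CONFIG_PASSPHRASE=123456` in `init-cmd` only protects the ephemeral file backend under /tmp, which looks acceptable for the test but deserves a comment saying so. The path of this new test program is not shown on the page.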