tf/userdata: Use IMDSv2 tokens

The Fedora 40 AMIs require IMDSv2. Our `kubeadm-join` script therefore needs to fetch the auth token and include it with metada requests.
2024-11-03 12:24:09 -06:00 · 2024-11-03 12:24:09 -06:00 · f531b03e7c
parent 0ec109b088
commit f531b03e7c
2 changed files with 16 additions and 8 deletions
--- a/terraform/terraform.tfstate
+++ b/terraform/terraform.tfstate
@ -1,7 +1,7 @@
 {
  "version": 4,
  "terraform_version": "1.6.2",
-  "serial": 110,
+  "serial": 112,
  "lineage": "a100be74-c98e-0769-2d6a-bf6a2c5f3ebf",
  "outputs": {},
  "resources": [
@ -107,9 +107,9 @@
          "schema_version": 0,
          "attributes": {
            "account_id": "566967686773",
-            "arn": "arn:aws:sts::566967686773:assumed-role/dynk8s-terraform/aws-go-sdk-1730658663754942671",
+            "arn": "arn:aws:sts::566967686773:assumed-role/dynk8s-terraform/aws-go-sdk-1730658679873394534",
            "id": "566967686773",
-            "user_id": "AROAYIAPIKZ25DFDOYZHT:aws-go-sdk-1730658663754942671"
+            "user_id": "AROAYIAPIKZ25DFDOYZHT:aws-go-sdk-1730658679873394534"
          },
          "sensitive_attributes": []
        }
@ -380,7 +380,7 @@
            "capacity_reservation_specification": [],
            "cpu_options": [],
            "credit_specification": [],
-            "default_version": 30,
+            "default_version": 31,
            "description": "",
            "disable_api_stop": false,
            "disable_api_termination": false,
@ -403,7 +403,7 @@
            "instance_type": "c7gd.xlarge",
            "kernel_id": "",
            "key_name": "dustin@rosalina",
-            "latest_version": 30,
+            "latest_version": 31,
            "license_specification": [],
            "maintenance_options": [],
            "metadata_options": [],
@ -427,7 +427,7 @@
            "tags": {},
            "tags_all": {},
            "update_default_version": true,
-            "user_data": "I2Nsb3VkLWNvbmZpZwpib290Y21kOgotIFsgbG4sIC1zZiwgL3J1bi9zeXN0ZW1kL3Jlc29sdmUvc3R1Yi1yZXNvbHYuY29uZiwgL2V0Yy9yZXNvbHYuY29uZiBdCgpwYWNrYWdlczoKLSBjcmktbwotIGNyaS10b29scwotIGV0aHRvb2wKLSBpcHRhYmxlcy1uZnQKLSBpc2NzaS1pbml0aWF0b3ItdXRpbHMKLSBrdWJlcm5ldGVzLWt1YmVhZG0KLSBrdWJlcm5ldGVzLW5vZGUKLSBydW5jCi0gd2lyZWd1YXJkLXRvb2xzCgp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2RuZi9kbmYuY29uZgogIGNvbnRlbnQ6IHwrCiAgICBpbnN0YWxsX3dlYWtfZGVwcz1GYWxzZQogIGFwcGVuZDogdHJ1ZQotIHBhdGg6IC9ldGMvbW9kdWxlcy1sb2FkLmQvazhzLmNvbmYKICBjb250ZW50OiB8KwogICAgYnJfbmV0ZmlsdGVyCi0gcGF0aDogL2V0Yy9zeXNjdGwuZC9rOHMuY29uZgogIGNvbnRlbnQ6IHwrCiAgICBuZXQuYnJpZGdlLmJyaWRnZS1uZi1jYWxsLWlwdGFibGVzID0gMQogICAgbmV0LmJyaWRnZS5icmlkZ2UtbmYtY2FsbC1pcDZ0YWJsZXMgPSAxCiAgICBuZXQuaXB2NC5pcF9mb3J3YXJkID0gMQotIHBhdGg6IC92YXIvbGliL2Nsb3VkL3NjcmlwdHMvcGVyLWluc3RhbmNlL2t1YmVhZG0tam9pbgogIHBlcm1pc3Npb25zOiAnMDc1NScKICBjb250ZW50OiB8KwogICAgIyEvYmluL3NoCgogICAgQkFTRV9VUkw9aHR0cHM6Ly9keW5rOHMtcHJvdmlzaW9uZXIucHlyb2N1ZmZsaW5rLm5ldAoKICAgIGluc3RhbmNlX2lkPSQoY3VybCAtcyAxNjkuMjU0LjE2OS4yNTQvbGF0ZXN0L21ldGEtZGF0YS9pbnN0YW5jZS1pZCkKICAgIGF6PSQoY3VybCAtcyAxNjkuMjU0LjE2OS4yNTQvbGF0ZXN0L21ldGEtZGF0YS9wbGFjZW1lbnQvYXZhaWxhYmlsaXR5LXpvbmUpCgogICAgY3VybCAtZnMgIiR7QkFTRV9VUkx9Ii93aXJlZ3VhcmQvY29uZmlnLyR7aW5zdGFuY2VfaWR9IFwKICAgICAgICAtbyAvZXRjL3dpcmVndWFyZC93ZzAuY29uZiB8fCBleGl0CiAgICBzeXN0ZW1jdGwgZW5hYmxlIC0tbm93IHdnLXF1aWNrQHdnMCB8fCBleGl0CgogICAgcmVzb2x2ZWN0bCByZXZlcnQgZXRoMAoKICAgIG1vZHByb2JlIGJyX25ldGZpbHRlciB8fCBleGl0CiAgICBzeXNjdGwgLXcgLWYgL2V0Yy9zeXNjdGwuZC9rOHMuY29uZiB8fCBleGl0CgogICAgc3dhcG9mZiAtYSB8fCBleGl0CiAgICB0b3VjaCAvZXRjL3N5c3RlbWQvenJhbS1nZW5lcmF0b3IuY29uZiB8fCBleGl0CiAgICBzeXN0ZW1jdGwgZGFlbW9uLXJlbG9hZCB8fCBleGl0CiAgICBzeXN0ZW1jdGwgc3RvcCAnc3lzdGVtZC16cmFtLXNldHVwQConIHx8IGV4aXQKCiAgICBpZiBbIC1iIC9kZXYvbnZtZTFuMSBdOyB0aGVuCiAgICAgIHByaW50ZiAnJXMgJXMgJXMgJXMgMCAwXG4nIFwKICAgICAgICAvZGV2L252bWUxbjEgXAogICAgICAgIC92YXIvbGliL2t1YmVsZXQgXAogICAgICAgIGV4dDQgXAogICAgICAgIG5vYXRpbWUseC1zeXN0ZW1kLm1ha2Vmcyxub2ZhaWwgXAogICAgICAgID4+IC9ldGMvZnN0YWIKICAgICAgc3lzdGVtY3RsIGRhZW1vbi1yZWxvYWQKICAgICAgc3lzdGVtY3RsIHN0YXJ0IHZhci1saWIta3ViZWxldC5tb3VudAogICAgZmkKCiAgICBzeXN0ZW1jdGwgZW5hYmxlIGNyaW8gaXNjc2lkIGt1YmVsZXQgfHwgZXhpdAogICAgc3lzdGVtY3RsIHN0YXJ0IGNyaW8gaXNjc2lkIHx8IGV4aXQKCiAgICBpbnRlcm5hbF9pcD0kKAogICAgICBpcCBhZGRyZXNzIHNob3cgZGV2IHdnMCBwcmltYXJ5IHwgXAogICAgICBzZWQgLXJuICdzLy4qaW5ldCAoWzAtOS5dKykuKi9cMS9wJwogICAgKQoKICAgIGNhdCA+IGxvbmdob3JuLWlzc3VlNDk4OC5jaWwgPDxFT0YKICAgIChhbGxvdyBpc2NzaWRfdCBzZWxmIChjYXBhYmlsaXR5IChkYWNfb3ZlcnJpZGUpKSkKICAgIEVPRgogICAgc2Vtb2R1bGUgLWkgbG9uZ2hvcm4taXNzdWU0OTg4LmNpbAoKICAgIHJtIC1mIC9ldGMvY25pL25ldC5kLzEwMC1jcmlvLWJyaWRnZS5jb25mbGlzdAoKICAgIGNhdCA+IC9ydW4vam9pbmNvbmZpZ3VyYXRpb24gPDxFT0YKICAgIGFwaVZlcnNpb246IGt1YmVhZG0uazhzLmlvL3YxYmV0YTMKICAgIGtpbmQ6IEpvaW5Db25maWd1cmF0aW9uCiAgICBub2RlUmVnaXN0cmF0aW9uOgogICAgICB0YWludHM6CiAgICAgIC0ga2V5OiBkdTV0MW4ubWUvamVua2lucwogICAgICAgIGVmZmVjdDogTm9TY2hlZHVsZQogICAgICBrdWJlbGV0RXh0cmFBcmdzOgogICAgICAgIHByb3ZpZGVyLWlkOiBhd3M6Ly8vJHthen0vJHtpbnN0YW5jZV9pZH0KICAgICAgICBub2RlLWlwOiAke2ludGVybmFsX2lwfQogICAgICAgIGNvbmZpZzogL3Zhci9saWIva3ViZWxldC9jb25maWcueWFtbAogICAgZGlzY292ZXJ5OgogICAgICBmaWxlOgogICAgICAgIGt1YmVDb25maWdQYXRoOiAke0JBU0VfVVJMfS9rdWJlYWRtL2t1YmVjb25maWcvJHtpbnN0YW5jZV9pZH0KICAgIEVPRgogICAga3ViZWFkbSBqb2luIC0tY29uZmlnPS9ydW4vam9pbmNvbmZpZ3VyYXRpb24KCnJ1bmNtZDoKLSBbIGRuZiwgcmVtb3ZlLCAteSwgenJhbS1nZW5lcmF0b3IgXQo=",
+            "user_data": "I2Nsb3VkLWNvbmZpZwpib290Y21kOgotIFsgbG4sIC1zZiwgL3J1bi9zeXN0ZW1kL3Jlc29sdmUvc3R1Yi1yZXNvbHYuY29uZiwgL2V0Yy9yZXNvbHYuY29uZiBdCgpwYWNrYWdlczoKLSBjcmktbwotIGNyaS10b29scwotIGV0aHRvb2wKLSBpcHRhYmxlcy1uZnQKLSBpc2NzaS1pbml0aWF0b3ItdXRpbHMKLSBrdWJlcm5ldGVzLWt1YmVhZG0KLSBrdWJlcm5ldGVzLW5vZGUKLSBydW5jCi0gd2lyZWd1YXJkLXRvb2xzCgp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2RuZi9kbmYuY29uZgogIGNvbnRlbnQ6IHwrCiAgICBpbnN0YWxsX3dlYWtfZGVwcz1GYWxzZQogIGFwcGVuZDogdHJ1ZQotIHBhdGg6IC9ldGMvbW9kdWxlcy1sb2FkLmQvazhzLmNvbmYKICBjb250ZW50OiB8KwogICAgYnJfbmV0ZmlsdGVyCi0gcGF0aDogL2V0Yy9zeXNjdGwuZC9rOHMuY29uZgogIGNvbnRlbnQ6IHwrCiAgICBuZXQuYnJpZGdlLmJyaWRnZS1uZi1jYWxsLWlwdGFibGVzID0gMQogICAgbmV0LmJyaWRnZS5icmlkZ2UtbmYtY2FsbC1pcDZ0YWJsZXMgPSAxCiAgICBuZXQuaXB2NC5pcF9mb3J3YXJkID0gMQotIHBhdGg6IC92YXIvbGliL2Nsb3VkL3NjcmlwdHMvcGVyLWluc3RhbmNlL2t1YmVhZG0tam9pbgogIHBlcm1pc3Npb25zOiAnMDc1NScKICBjb250ZW50OiB8KwogICAgIyEvYmluL3NoCgogICAgQkFTRV9VUkw9aHR0cHM6Ly9keW5rOHMtcHJvdmlzaW9uZXIucHlyb2N1ZmZsaW5rLm5ldAoKICAgIGltZHNfdG9rZW49JChjdXJsIDE2OS4yNTQuMTY5LjI1NC9sYXRlc3QvYXBpL3Rva2VuIFwKICAgICAgLVggUFVUIFwKICAgICAgLUggJ1gtYXdzLWVjMi1tZXRhZGF0YS10b2tlbi10dGwtc2Vjb25kczogMzYwMCcKICAgICkKICAgIGluc3RhbmNlX2lkPSQoY3VybCAtcyAxNjkuMjU0LjE2OS4yNTQvbGF0ZXN0L21ldGEtZGF0YS9pbnN0YW5jZS1pZCBcCiAgICAgIC1IICJYLWF3cy1lYzItbWV0YWRhdGEtdG9rZW46ICR7aW1kc190b2tlbn0iCiAgICApCiAgICBhej0kKGN1cmwgLXMgMTY5LjI1NC4xNjkuMjU0L2xhdGVzdC9tZXRhLWRhdGEvcGxhY2VtZW50L2F2YWlsYWJpbGl0eS16b25lIFwKICAgICAgLUggIlgtYXdzLWVjMi1tZXRhZGF0YS10b2tlbjogJHtpbWRzX3Rva2VufSIKICAgICkKCiAgICBjdXJsIC1mcyAiJHtCQVNFX1VSTH0iL3dpcmVndWFyZC9jb25maWcvJHtpbnN0YW5jZV9pZH0gXAogICAgICAgIC1vIC9ldGMvd2lyZWd1YXJkL3dnMC5jb25mIHx8IGV4aXQKICAgIHN5c3RlbWN0bCBlbmFibGUgLS1ub3cgd2ctcXVpY2tAd2cwIHx8IGV4aXQKCiAgICByZXNvbHZlY3RsIHJldmVydCBldGgwCgogICAgbW9kcHJvYmUgYnJfbmV0ZmlsdGVyIHx8IGV4aXQKICAgIHN5c2N0bCAtdyAtZiAvZXRjL3N5c2N0bC5kL2s4cy5jb25mIHx8IGV4aXQKCiAgICBzd2Fwb2ZmIC1hIHx8IGV4aXQKICAgIHRvdWNoIC9ldGMvc3lzdGVtZC96cmFtLWdlbmVyYXRvci5jb25mIHx8IGV4aXQKICAgIHN5c3RlbWN0bCBkYWVtb24tcmVsb2FkIHx8IGV4aXQKICAgIHN5c3RlbWN0bCBzdG9wICdzeXN0ZW1kLXpyYW0tc2V0dXBAKicgfHwgZXhpdAoKICAgIGlmIFsgLWIgL2Rldi9udm1lMW4xIF07IHRoZW4KICAgICAgcHJpbnRmICclcyAlcyAlcyAlcyAwIDBcbicgXAogICAgICAgIC9kZXYvbnZtZTFuMSBcCiAgICAgICAgL3Zhci9saWIva3ViZWxldCBcCiAgICAgICAgZXh0NCBcCiAgICAgICAgbm9hdGltZSx4LXN5c3RlbWQubWFrZWZzLG5vZmFpbCBcCiAgICAgICAgPj4gL2V0Yy9mc3RhYgogICAgICBzeXN0ZW1jdGwgZGFlbW9uLXJlbG9hZAogICAgICBzeXN0ZW1jdGwgc3RhcnQgdmFyLWxpYi1rdWJlbGV0Lm1vdW50CiAgICBmaQoKICAgIHN5c3RlbWN0bCBlbmFibGUgY3JpbyBpc2NzaWQga3ViZWxldCB8fCBleGl0CiAgICBzeXN0ZW1jdGwgc3RhcnQgY3JpbyBpc2NzaWQgfHwgZXhpdAoKICAgIGludGVybmFsX2lwPSQoCiAgICAgIGlwIGFkZHJlc3Mgc2hvdyBkZXYgd2cwIHByaW1hcnkgfCBcCiAgICAgIHNlZCAtcm4gJ3MvLippbmV0IChbMC05Ll0rKS4qL1wxL3AnCiAgICApCgogICAgY2F0ID4gbG9uZ2hvcm4taXNzdWU0OTg4LmNpbCA8PEVPRgogICAgKGFsbG93IGlzY3NpZF90IHNlbGYgKGNhcGFiaWxpdHkgKGRhY19vdmVycmlkZSkpKQogICAgRU9GCiAgICBzZW1vZHVsZSAtaSBsb25naG9ybi1pc3N1ZTQ5ODguY2lsCgogICAgcm0gLWYgL2V0Yy9jbmkvbmV0LmQvMTAwLWNyaW8tYnJpZGdlLmNvbmZsaXN0CgogICAgY2F0ID4gL3J1bi9qb2luY29uZmlndXJhdGlvbiA8PEVPRgogICAgYXBpVmVyc2lvbjoga3ViZWFkbS5rOHMuaW8vdjFiZXRhMwogICAga2luZDogSm9pbkNvbmZpZ3VyYXRpb24KICAgIG5vZGVSZWdpc3RyYXRpb246CiAgICAgIHRhaW50czoKICAgICAgLSBrZXk6IGR1NXQxbi5tZS9qZW5raW5zCiAgICAgICAgZWZmZWN0OiBOb1NjaGVkdWxlCiAgICAgIGt1YmVsZXRFeHRyYUFyZ3M6CiAgICAgICAgcHJvdmlkZXItaWQ6IGF3czovLy8ke2F6fS8ke2luc3RhbmNlX2lkfQogICAgICAgIG5vZGUtaXA6ICR7aW50ZXJuYWxfaXB9CiAgICAgICAgY29uZmlnOiAvdmFyL2xpYi9rdWJlbGV0L2NvbmZpZy55YW1sCiAgICBkaXNjb3Zlcnk6CiAgICAgIGZpbGU6CiAgICAgICAga3ViZUNvbmZpZ1BhdGg6ICR7QkFTRV9VUkx9L2t1YmVhZG0va3ViZWNvbmZpZy8ke2luc3RhbmNlX2lkfQogICAgRU9GCiAgICBrdWJlYWRtIGpvaW4gLS1jb25maWc9L3J1bi9qb2luY29uZmlndXJhdGlvbgoKcnVuY21kOgotIFsgZG5mLCByZW1vdmUsIC15LCB6cmFtLWdlbmVyYXRvciBdCg==",
            "vpc_security_group_ids": []
          },
          "sensitive_attributes": [],
--- a/terraform/userdata.yml
+++ b/terraform/userdata.yml
@ -33,8 +33,16 @@ write_files:

    BASE_URL=https://dynk8s-provisioner.pyrocufflink.net

-    instance_id=$(curl -s 169.254.169.254/latest/meta-data/instance-id)
-    az=$(curl -s 169.254.169.254/latest/meta-data/placement/availability-zone)
+    imds_token=$(curl 169.254.169.254/latest/api/token \
+      -X PUT \
+      -H 'X-aws-ec2-metadata-token-ttl-seconds: 3600'
+    )
+    instance_id=$(curl -s 169.254.169.254/latest/meta-data/instance-id \
+      -H "X-aws-ec2-metadata-token: ${imds_token}"
+    )
+    az=$(curl -s 169.254.169.254/latest/meta-data/placement/availability-zone \
+      -H "X-aws-ec2-metadata-token: ${imds_token}"
+    )

    curl -fs "${BASE_URL}"/wireguard/config/${instance_id} \
        -o /etc/wireguard/wg0.conf || exit