From 0fb1d755bdd3878a17cefb268e26913eb80cd7ff Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Wed, 28 Feb 2024 12:26:03 -0500
Subject: [PATCH] 21552: Require IMDSv2 on ec2 compute instances.

As described at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 lib/cloud/ec2/ec2.go | 6 ++++++
 lib/cloud/ec2/ec2_test.go | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/lib/cloud/ec2/ec2.go b/lib/cloud/ec2/ec2.go
index 07a146d99f..9a3f784b51 100644
--- a/lib/cloud/ec2/ec2.go
+++ b/lib/cloud/ec2/ec2.go
@@ -251,6 +251,12 @@ func (instanceSet *ec2InstanceSet) Create(
 ResourceType: aws.String("instance"),
 Tags: ec2tags,
 }},
+ MetadataOptions: &ec2.InstanceMetadataOptionsRequest{
+ // Require IMDSv2, as described at
+ // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html
+ HttpEndpoint: aws.String(ec2.InstanceMetadataEndpointStateEnabled),
+ HttpTokens: aws.String(ec2.HttpTokensStateRequired),
+ },
 UserData: aws.String(base64.StdEncoding.EncodeToString([]byte("#!/bin/sh\n" + initCommand + "\n"))),
 }
 
diff --git a/lib/cloud/ec2/ec2_test.go b/lib/cloud/ec2/ec2_test.go
index 4b83005896..d342f0fb30 100644
--- a/lib/cloud/ec2/ec2_test.go
+++ b/lib/cloud/ec2/ec2_test.go
@@ -277,6 +277,12 @@ func (*EC2InstanceSetSuite) TestCreate(c *check.C) {
 if *live == "" {
 c.Check(ap.client.(*ec2stub).describeKeyPairsCalls, check.HasLen, 1)
 c.Check(ap.client.(*ec2stub).importKeyPairCalls, check.HasLen, 1)
+
+ runcalls := ap.client.(*ec2stub).runInstancesCalls
+ if c.Check(runcalls, check.HasLen, 1) {
+ c.Check(runcalls[0].MetadataOptions.HttpEndpoint, check.DeepEquals, aws.String("enabled"))
+ c.Check(runcalls[0].MetadataOptions.HttpTokens, check.DeepEquals, aws.String("required"))
+ }
 }
 }
 
-- 
2.30.2
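Review bot: The new MetadataOptions block sets HttpEndpoint and HttpTokens but leaves HttpPutResponseHopLimit at whatever default applies, and with session tokens required that limit is what decides whether IMDS is reachable from containers running behind a bridged network on the compute node; leaving it unreachable is likely the intended hardening, but the hunk does not say so, and an account-level IMDS default could change it silently. Consider stating the decision explicitly with `HttpPutResponseHopLimit: aws.Int64(1),` next to the two existing fields plus a one-line comment that the limit is deliberate (or, if containers on the node are expected to reach IMDS, choose the value consciously and document it). The commit message also does not address existing deployments whose boot script (the initCommand embedded in UserData) queries IMDS without a token — those requests fail on instances created after this change, which deserves a note in the admin-facing upgrade or configuration docs. Create begins before this hunk and continues after it.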
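Review bot: The two new checks dereference `runcalls[0].MetadataOptions` unconditionally, so if a later change drops or nils that field the test panics with a nil-pointer dereference instead of reporting a failed check; add `c.Assert(runcalls[0].MetadataOptions, check.NotNil)` as the first line inside the HasLen block. Comparing against the literal strings "enabled" and "required" rather than the SDK constants is the right choice here, since it pins the wire value the API enforces rather than the constant name. TestCreate begins before this hunk.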