
Switch to v2 of the Instance Metadata Service API

Open cornet opened this issue 3 years ago • 3 comments

Update all calls to use IMDSv2[1], which is session-based rather than just simple request-response. This requires 2 changes:

  • Obtaining a session token from /latest/api/token
  • Passing this token in an X-aws-ec2-metadata-token header when making requests.

IMDSv2 is enabled by default and AWS Foundation Security Best Practices recommends v1 not be used due to a number of potential security vulnerabilities[2].

[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
[2] https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-8

cornet avatar May 28 '21 09:05 cornet
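The two steps in the issue (PUT to `/latest/api/token`, then a GET carrying the `X-aws-ec2-metadata-token` header), written out as a pair of shell functions. This is an added example, not code from bash-commons or from the PR under discussion. It assumes `curl` is installed, uses the standard IMDS endpoint `http://169.254.169.254`, and the function names `aws_imds_get_token` / `aws_imds_get` and the `IMDS_ENDPOINT` / `IMDS_TOKEN_TTL_SECONDS` variables are this example's own choices:

```shell
#!/usr/bin/env bash
# Added example (not bash-commons code): query EC2 instance metadata via IMDSv2.
# Assumes curl is available. IMDS_ENDPOINT is overridable so the functions can be
# pointed at a stub when testing outside EC2.

IMDS_ENDPOINT="${IMDS_ENDPOINT:-http://169.254.169.254}"
# Session token lifetime; IMDSv2 caps this at 21600 seconds (6 hours).
IMDS_TOKEN_TTL_SECONDS="${IMDS_TOKEN_TTL_SECONDS:-21600}"

# Step 1: obtain a session token with a PUT to /latest/api/token.
# Prints the token on stdout. --fail makes curl exit non-zero on an HTTP error,
# and the short timeouts keep callers from hanging when IMDS is unreachable.
aws_imds_get_token() {
  curl --silent --show-error --fail \
    --connect-timeout 2 --max-time 5 \
    -X PUT "$IMDS_ENDPOINT/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TOKEN_TTL_SECONDS"
}

# Step 2: fetch a metadata path, presenting the token in X-aws-ec2-metadata-token.
# Without that header IMDSv2 answers 401, so a missing token is a hard failure here
# rather than a silent fallback to IMDSv1.
# Usage: aws_imds_get "instance-id"   (prints the instance id, e.g. i-0123456789abcdef0)
aws_imds_get() {
  local path="$1"
  local token
  token="$(aws_imds_get_token)" || return 1
  curl --silent --show-error --fail \
    --connect-timeout 2 --max-time 5 \
    -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS_ENDPOINT/latest/meta-data/$path"
}
```

Two practical notes. First, the token is fetched per call here for clarity; in a library you would cache it for most of its TTL and only re-request on a 401. Second, IMDSv2 sends the PUT response with an IP hop limit of 1 by default, so callers inside a container or behind NAT on the instance will not receive the token unless the instance's `HttpPutResponseHopLimit` is raised (to 2 for Docker-style networking); that is the most common reason an otherwise correct IMDSv2 client appears to hang or fail after migrating from v1.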

@bwhaley If you are going to dive into https://github.com/gruntwork-io/terraform-aws-openvpn/pull/132, might be worth looking into this one too! See also https://gruntwork.atlassian.net/browse/IAC-1847.

@cornet Thanks for the PRs! To provide some context, IMDSv2 is on our backlog, and one of the things we'll need to figure out is what practices / patterns we want to adopt around it. E.g., We may want to capture the best practices with IMDSv2 in this bash-commons repo (similar to your PR), and then update all our other repos to use bash-commons (many already do, but some, that came before bash-commons existed, do not).

brikis98 avatar May 31 '21 11:05 brikis98

Thanks @brikis98 for the context, and @cornet for the PRs! Given the dependencies and downstream impacts this will take a little time to review, but it's now in my queue.

bwhaley avatar Jun 02 '21 21:06 bwhaley

Hey - just wondering if there is any update on this or when it's likely that IMDSv2 will be tackled?

cornet avatar Jun 21 '21 14:06 cornet

Thanks for the PR; this is accomplished by the following PR

ellisonc avatar Apr 05 '23 18:04 ellisonc