testsys-launcher: add imdsv2-only hack

Since there isn't an easy way to force IMDSv2 on instances launched by the ASG, you can just run this script to restrict IMDS on the nodes.
bottlerocket-os · Aug 30, 2023 · 1c9eb53 · 1c9eb53
1 parent f13b7cf
commit 1c9eb53
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/deploy/testsys-launcher/hack/imdsv2-only.sh b/deploy/testsys-launcher/hack/imdsv2-only.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# The following is a convenience script that can be used to require IMDSv2
+
+instances=$(aws ec2 describe-instances \
+    --filters "Name=tag-value,Values=testsys" "Name=instance-state-code,Values=16" \
+    --query "Reservations[*].Instances[*].[InstanceId]" \
+    --output text)
+
+for instance in ${instances}; do
+    aws ec2 modify-instance-metadata-options \
+        --instance-id "${instance}" \
+        --http-tokens required \
+        --http-endpoint enabled
+done
+