[await-tags] Provide authentication to instance metadata API #1630
Conversation
Calls to this API without authentication are no longer accepted. Adding the token effectively updates this from using IMDSv1 to IMDSv2.
NB- this role is still deprecated, but it is quicker to upgrade it for FSBP compliance than to convince ourselves that it isn't needed
Co-authored-by: Emily Bourke <[email protected]>
Nice one, I think this should work! I ran the curl calls in a real instance and they behaved as expected
Thanks for the review!
Have started bake 114 of editorial-tools-focal-java11-ARM-WITH-cdk-base to test that this works as we expect.
Bake finished, deploying archiver to CODE now.
The change doesn't appear to have fixed the tag lookup, it seems: the logs still show the message "AWS tags not found after 1 minute". Will check for usages of the IMDSv1 API though, as that should still have come down even if the script isn't working.
It looks like archiver in CODE is still using the old AMI (bake 113). I think my deploy was insufficient; possibly I needed to deploy the cloudformation?
Apparently it can take time for AMIs to be visible in the right account, but a normal deploy should be fine once it is visible. I have confirmed that the right AMI is visible, and started a new deploy. Hopefully this one should do it!
The logs look good this time: https://logs.gutools.co.uk/s/editorial-tools/app/r/s/49bKq |
The metric also looks good: there’s a datapoint for MetadataNoTokenRejected at 16:40 which is from the previous deploy, but none after that. |
What does this change?
Calls to the instance metadata API without authentication are no longer accepted. Adding the token effectively updates this from using IMDSv1 to IMDSv2. This should resolve FSBP EC2.8 for a number of services in the editorial tools space.
NB- this role is still deprecated, but it is quicker to upgrade it for FSBP compliance than to convince ourselves that it isn't needed
How to test
editorial-tools-focal-java11-ARM-WITH-cdk-base recipe: "AWS Tags not found after 1 minute" does not appear but "AWS tags loaded" does
What is the value of this?
Resolves FSBP EC2.8
Have we considered potential risks?
This script is already broken because the existing INSTANCE_ID call fails, so this PR cannot make things worse.
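The shape of the change the PR describes, as an added example that is not the project's await-tags script: the unauthenticated IMDSv1 GET that now fails once tokens are required, beside the IMDSv2 token flow (PUT to the token endpoint with a TTL header, then the token on every metadata GET), followed by the describe-tags poll that the log lines refer to. The endpoint paths and header names are the documented IMDSv2 ones; the instance-id and placement/region lookups, the twelve-by-five-second polling, the `--run` flag, and the CURL/AWS/IMDS_BASE override variables are my own choices so the functions can be exercised without an instance. It assumes curl and the AWS CLI are installed and the instance role can call ec2:DescribeTags.

```shell
#!/bin/sh
# Added example, not the project's await-tags script.
# Assumptions: curl and the AWS CLI on PATH; instance role allows ec2:DescribeTags.
# CURL/AWS/IMDS_BASE/ATTEMPTS/POLL_INTERVAL are overridable only so the functions
# can be exercised off an instance (e.g. with stand-in commands).
set -eu

IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"
TOKEN_TTL="${TOKEN_TTL:-21600}"        # seconds; 21600 (6h) is the IMDSv2 maximum
CURL="${CURL:-curl}"
AWS="${AWS:-aws}"
ATTEMPTS="${ATTEMPTS:-12}"
POLL_INTERVAL="${POLL_INTERVAL:-5}"    # 12 x 5s is the "1 minute" in the log line

# IMDSv1 style: no token. With HttpTokens=required the endpoint answers 401;
# curl -f turns that into exit code 22, and the instance's MetadataNoTokenRejected
# metric records the rejected call.
imds_v1_get() {
  "$CURL" -sS -f "$IMDS_BASE/latest/meta-data/$1"
}

# IMDSv2 step 1: PUT to the token endpoint. The TTL header is mandatory.
imds_token() {
  "$CURL" -sS -f -X PUT "$IMDS_BASE/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_TTL"
}

# IMDSv2 step 2: every metadata GET carries the session token. $1=token, $2=path.
imds_get() {
  "$CURL" -sS -f "$IMDS_BASE/latest/meta-data/$2" \
    -H "X-aws-ec2-metadata-token: $1"
}

# Poll describe-tags until at least one tag is visible. Tags come from the EC2
# API, not from IMDS, so a working token fixes the instance-id lookup but does
# not by itself guarantee tags are present at first boot; hence the retry loop.
await_tags() {
  token="$(imds_token)"
  id="$(imds_get "$token" instance-id)"
  region="$(imds_get "$token" placement/region)"
  n=0
  while [ "$n" -lt "$ATTEMPTS" ]; do
    if tags="$("$AWS" ec2 describe-tags --region "$region" \
                 --filters "Name=resource-id,Values=$id" \
                 --query 'Tags[].[Key,Value]' --output text)" && [ -n "$tags" ]; then
      echo "AWS tags loaded" >&2
      printf '%s\n' "$tags"      # one "Key<TAB>Value" line per tag on stdout
      return 0
    fi
    n=$((n + 1))
    sleep "$POLL_INTERVAL"
  done
  echo "AWS tags not found after $ATTEMPTS attempts" >&2
  return 1
}

# On an instance: sh await-tags.sh --run
if [ "${1:-}" = "--run" ]; then
  await_tags
fi
```

To confirm an instance is actually in the state FSBP EC2.8 wants, check `MetadataOptions.HttpTokens` on the instance (for example with `aws ec2 describe-instances --query 'Reservations[].Instances[].MetadataOptions'`); when it reports `required`, `imds_v1_get` above fails and only the token path works, which is the behaviour the thread verified by watching MetadataNoTokenRejected stop producing datapoints after the redeploy.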