Enable imdsv2 on all the packer build templates
Closed this issue · 2 comments
We need to enable imdsv2 on all packer build templates:
https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
In version 1.9.0, packer plans to move bundled plugins out. They stopped updating dependencies of packer-plugin-amazon, and it has been at version 1.2.1 since 1.8.7: https://github.com/hashicorp/packer/blob/v1.8.7/go.mod#L26 or older.
We need 1.2.2 to support imdsv2 here:
https://github.com/hashicorp/packer-plugin-amazon/releases/tag/v1.2.2
We would need to update the packer plugin directly with the packer plugins install command and use the 1.2.2 amazon plugin.
Thanks.
Apparently this is for the ec2 instance that prepares the AMI to be imdsv2:
"metadata_options": {
    "http_endpoint": "enabled",
    "http_tokens": "required",
    "http_put_response_hop_limit": 1
},
This is for the newly created AMI to be imdsv2 by default, and it can't be switched to imdsv1:
"imds_support": "v2.0",
Since we already have imdsv2 forcefully enabled here:
metadataTokensRequired: true,
https://github.com/opensearch-project/opensearch-ci/blob/main/lib/compute/agent-node-config.ts#L184
We are good with not enforcing the AMI to be imdsv2 only, but rather asking all the provisions to be imdsv2 enforced, so that in cases where we want to fall back to imdsv1, we can still do that later.
We can always rebuild the AMI to force imdsv2 on the image.
We will keep the packer plugin amazon to be default 1.2.1 for now.
Thanks.
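The two settings discussed above are easy to leave out of one builder in a large template set. Below is an added example, not code from this issue or from the opensearch-ci project, of a small checker that walks the `builders` list of a Packer JSON template and reports any amazon builder whose `metadata_options` do not match the enforced values shown in the comment (endpoint enabled, tokens required, hop limit 1), and optionally also flags builders missing `imds_support: "v2.0"` for the AMI-level enforcement that this issue chose to defer. The sample templates are constructed for the example; the builder names and AMI names in them are invented.

```python
import json

# Values the comment above requires on the build instance.
REQUIRED_METADATA = {
    "http_endpoint": "enabled",
    "http_tokens": "required",
    "http_put_response_hop_limit": 1,
}

# Constructed sample templates (invented builder and AMI names, not from any real repo).
TEMPLATE_NO_IMDS = json.dumps({"builders": [
    {"type": "amazon-ebs", "name": "agent-a", "ami_name": "agent-a-{{timestamp}}",
     "instance_type": "t3.medium"},
]})
TEMPLATE_OPTIONAL_TOKENS = json.dumps({"builders": [
    {"type": "amazon-ebs", "name": "agent-b", "ami_name": "agent-b-{{timestamp}}",
     "instance_type": "t3.medium",
     "metadata_options": {"http_endpoint": "enabled", "http_tokens": "optional",
                          "http_put_response_hop_limit": 1}},
]})
TEMPLATE_ENFORCED = json.dumps({"builders": [
    {"type": "amazon-ebs", "name": "agent-c", "ami_name": "agent-c-{{timestamp}}",
     "instance_type": "t3.medium",
     "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required",
                          "http_put_response_hop_limit": 1}},
    # A non-AWS builder in the same file is ignored by the check.
    {"type": "docker", "name": "local-image", "image": "ubuntu:22.04"},
]})
TEMPLATE_ENFORCED_AMI = json.dumps({"builders": [
    {"type": "amazon-ebs", "name": "agent-d", "ami_name": "agent-d-{{timestamp}}",
     "instance_type": "t3.medium", "imds_support": "v2.0",
     "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required",
                          "http_put_response_hop_limit": 1}},
]})


def check_builder(builder, require_ami_v2=False):
    """Return a list of findings for one builder; an empty list means it passes."""
    findings = []
    name = builder.get("name") or builder.get("type", "<unnamed>")
    # Only the amazon-* builders carry IMDS settings.
    if not builder.get("type", "").startswith("amazon-"):
        return findings
    opts = builder.get("metadata_options")
    if opts is None:
        findings.append(f"{name}: missing metadata_options, build instance still permits IMDSv1")
    else:
        for key, expected in REQUIRED_METADATA.items():
            actual = opts.get(key)
            if actual != expected:
                findings.append(f"{name}: metadata_options.{key} is {actual!r}, expected {expected!r}")
    # Optional stricter check: the produced AMI itself should default to IMDSv2-only.
    if require_ami_v2 and builder.get("imds_support") != "v2.0":
        findings.append(f"{name}: imds_support is {builder.get('imds_support')!r}, expected 'v2.0'")
    return findings


def check_template(template_text, require_ami_v2=False):
    """Parse a Packer JSON template and collect findings across all builders."""
    template = json.loads(template_text)
    findings = []
    for builder in template.get("builders", []):
        findings.extend(check_builder(builder, require_ami_v2))
    return findings


if __name__ == "__main__":
    for label, text in [("no-imds", TEMPLATE_NO_IMDS),
                        ("optional-tokens", TEMPLATE_OPTIONAL_TOKENS),
                        ("enforced", TEMPLATE_ENFORCED),
                        ("enforced-ami", TEMPLATE_ENFORCED_AMI)]:
        result = check_template(text, require_ami_v2=True)
        print(f"{label}: {'OK' if not result else result}")
```

Running it with `require_ami_v2=False` matches the policy this issue settled on (instance enforced, AMI left switchable); flipping it to `True` is the check to run once the AMIs are rebuilt with `imds_support` set.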
Resolved now.
Thanks.