ELB Add / Remove: AWS IMDSv2 (#1683)

trapsuutjies · web-flow · commit 31836f4cec36 · 2026-05-13T09:20:47.000+12:00
* Use IMDSv2 token to fetch instance ID

Update AWS ELBv2 Octopus PowerShell step to request an IMDSv2 token. This improves compatibility and security for instances that require IMDSv2.

* Update Get Instance ID from IMDSv1 to IMDSv2

* Update script metadata for IMDSv2 implementation.
diff --git a/step-templates/aws-add-remove-elbv2.json b/step-templates/aws-add-remove-elbv2.json
@@ -3,12 +3,12 @@
   "Name": "AWS - Add or Remove instance from ELBv2",
   "Description": "Add or Remove the current instance from an ELBv2 Target Group.",
   "ActionType": "Octopus.Script",
-  "Version": 6,
+  "Version": 7,
   "Properties": {
     "Octopus.Action.Script.Syntax": "PowerShell",
     "Octopus.Action.Script.ScriptSource": "Inline",
     "Octopus.Action.RunOnServer": "false",
-    "Octopus.Action.Script.ScriptBody": "$accessKey = $OctopusParameters['accessKey']\n$secretKey = $OctopusParameters['secretKey']\n$region = $OctopusParameters['region']\n\n$targetGroupArn = $OctopusParameters['targetGroupArn']\n\n$action = $OctopusParameters['action']\n\n$checkInterval = $OctopusParameters['checkInterval']\n$maxChecks = $OctopusParameters['maxChecks']\n\n$awsProfile = (get-date -Format '%y%d%M-%H%m').ToString() # random\n\nif (Get-Module | Where-Object { $_.Name -like \"AWSPowerShell*\" }) {\n\tWrite-Host \"AWS PowerShell module is already loaded.\"\n} else {\n\t$awsModule = Get-Module -ListAvailable | Where-Object {  $_.Name -like \"AWSPowerShell*\" }\n\tif (!($awsModule)) {\n    \tWrite-Error \"AWSPowerShell / AWSPowerShell.NetCore not found\"\n        return\n    } else {\n    \tImport-Module $awsModule.Name\n        Write-Host \"Imported Module: $($awsModule.Name)\"\n    }\n}\n\nfunction GetCurrentInstanceId\n{\n    Write-Host \"Getting instance id\"\n\n\t$response = Invoke-RestMethod -Uri \"http://169.254.169.254/latest/meta-data/instance-id\" -Method Get\n\n\tif ($response)\n\t{\n\t\t$instanceId = $response\n\t}\n\telse\n\t{\n\t\tWrite-Error -Message \"Returned Instance ID does not appear to be valid\"\n\t\tExit 1\n\t}\n\n\t$response\n}\n\nfunction GetTarget\n{\n    $instanceId = GetCurrentInstanceId\n\n    $target = New-Object -TypeName Amazon.ElasticLoadBalancingV2.Model.TargetDescription\n    $target.Id = $instanceId\n    \n    Write-Host \"Current instance id: $instanceId\"\n\n    return $target\n}\n\nfunction GetInstanceState\n{\n\t$state = (Get-ELB2TargetHealth -TargetGroupArn $targetGroupArn -Target $target -AccessKey $accessKey -SecretKey $secretKey -Region $region).TargetHealth.State\n\n\tWrite-Host \"Current instance state: $state\"\n\n\treturn $state\n}\n\nfunction WaitForState\n{\n    param([string]$expectedState)\n\n    $instanceState = GetInstanceState -arn $targetGroupArn -target $target\n\n    if ($instanceState -eq $expectedState)\n    {\n        return\n    }\n\n    $checkCount = 0\n\n    Write-Host \"Waiting for instance state to be $expectedState\"\n    Write-Host \"Maximum Checks: $maxChecks\"\n    Write-Host \"Check Interval: $checkInterval\"\n\n    while ($instanceState -ne $expectedState -and $checkCount -le $maxChecks)\n    {\t\n\t    $checkCount += 1\n\t\n\t    Write-Host \"Waiting for $checkInterval seconds for instance state to be $expectedState\"\n\t    Start-Sleep -Seconds $checkInterval\n\t\n\t    if ($checkCount -le $maxChecks)\n\t    {\n\t\t    Write-Host \"$checkCount/$maxChecks Attempts\"\n\t    }\n\t\n\t    $instanceState = GetInstanceState\n    }\n\n    if ($instanceState -ne $expectedState)\n    {\n\t    Write-Error -Message \"Instance state is not $expectedState, giving up.\"\n\t    Exit 1\n    }\n}\n\nfunction DeregisterInstance\n{\n    Write-Host \"Deregistering instance from $targetGroupArn\"\n    Unregister-ELB2Target -TargetGroupArn $targetGroupArn -Target $target -AccessKey $accessKey -SecretKey $secretKey -Region $region\n    WaitForState -expectedState \"unused\"\n    Write-Host \"Instance deregistered\"\n}\n\nfunction RegisterInstance\n{\n    Write-Host \"Registering instance with $targetGroupArn\"\n    Try {\n    \tRegister-ELB2Target -TargetGroupArn $targetGroupArn -Target $target -AccessKey $accessKey -SecretKey $secretKey -Region $region\n    } Catch {\n    \tWrite-Host $Error[0]\n    }\n    WaitForState -expectedState \"healthy\"\n    Write-Host \"Instance registered\"\n}\n\n$target = GetTarget\n\nswitch ($action)\n{\n    \"deregister\" { DeregisterInstance }\n    \"register\" { RegisterInstance }\n}",
+    "Octopus.Action.Script.ScriptBody": "$accessKey = $OctopusParameters['accessKey']\n$secretKey = $OctopusParameters['secretKey']\n$region = $OctopusParameters['region']\n\n$targetGroupArn = $OctopusParameters['targetGroupArn']\n\n$action = $OctopusParameters['action']\n\n$checkInterval = $OctopusParameters['checkInterval']\n$maxChecks = $OctopusParameters['maxChecks']\n\n$awsProfile = (get-date -Format '%y%d%M-%H%m').ToString() # random\n\nif (Get-Module | Where-Object { $_.Name -like \"AWSPowerShell*\" }) {\n\tWrite-Host \"AWS PowerShell module is already loaded.\"\n} else {\n\t$awsModule = Get-Module -ListAvailable | Where-Object {  $_.Name -like \"AWSPowerShell*\" }\n\tif (!($awsModule)) {\n    \tWrite-Error \"AWSPowerShell / AWSPowerShell.NetCore not found\"\n        return\n    } else {\n    \tImport-Module $awsModule.Name\n        Write-Host \"Imported Module: $($awsModule.Name)\"\n    }\n}\n\nfunction GetCurrentInstanceId\n{\n    Write-Host \"Getting instance id\"\n\n    # Get IMDSv2 token\n    $tokenUri = \"http://169.254.169.254/latest/api/token\"\n    $token = Invoke-RestMethod -Uri $tokenUri -Method Put -Headers @{\"X-aws-ec2-metadata-token-ttl-seconds\" = \"60\"}\n    \n    # Use token to get instance id\n\t$instanceIdResponse = Invoke-RestMethod -Uri \"http://169.254.169.254/latest/meta-data/instance-id\" -Method Get -Headers @{\"X-aws-ec2-metadata-token\" = $token}\n\n\tif ($instanceIdResponse) {\n\t\tWrite-Host \"Got instance ID\"\n\t\t$instanceId = $instanceIdResponse\n\t}\n\telse\n\t{\n\t\tWrite-Error -Message \"Returned Instance ID does not appear to be valid\"\n\t\tExit 1\n\t}\n\n\t$instanceIdResponse\n}\n\nfunction GetTarget\n{\n    $instanceId = GetCurrentInstanceId\n\n    $target = New-Object -TypeName Amazon.ElasticLoadBalancingV2.Model.TargetDescription\n    $target.Id = $instanceId\n    \n    Write-Host \"Current instance id: $instanceId\"\n\n    return $target\n}\n\nfunction GetInstanceState\n{\n\t$state = (Get-ELB2TargetHealth -TargetGroupArn $targetGroupArn -Target $target -AccessKey $accessKey -SecretKey $secretKey -Region $region).TargetHealth.State\n\n\tWrite-Host \"Current instance state: $state\"\n\n\treturn $state\n}\n\nfunction WaitForState\n{\n    param([string]$expectedState)\n\n    $instanceState = GetInstanceState -arn $targetGroupArn -target $target\n\n    if ($instanceState -eq $expectedState)\n    {\n        return\n    }\n\n    $checkCount = 0\n\n    Write-Host \"Waiting for instance state to be $expectedState\"\n    Write-Host \"Maximum Checks: $maxChecks\"\n    Write-Host \"Check Interval: $checkInterval\"\n\n    while ($instanceState -ne $expectedState -and $checkCount -le $maxChecks)\n    {\t\n\t    $checkCount += 1\n\t\n\t    Write-Host \"Waiting for $checkInterval seconds for instance state to be $expectedState\"\n\t    Start-Sleep -Seconds $checkInterval\n\t\n\t    if ($checkCount -le $maxChecks)\n\t    {\n\t\t    Write-Host \"$checkCount/$maxChecks Attempts\"\n\t    }\n\t\n\t    $instanceState = GetInstanceState\n    }\n\n    if ($instanceState -ne $expectedState)\n    {\n\t    Write-Error -Message \"Instance state is not $expectedState, giving up.\"\n\t    Exit 1\n    }\n}\n\nfunction DeregisterInstance\n{\n    Write-Host \"Deregistering instance from $targetGroupArn\"\n    Unregister-ELB2Target -TargetGroupArn $targetGroupArn -Target $target -AccessKey $accessKey -SecretKey $secretKey -Region $region\n    WaitForState -expectedState \"unused\"\n    Write-Host \"Instance deregistered\"\n}\n\nfunction RegisterInstance\n{\n    Write-Host \"Registering instance with $targetGroupArn\"\n    Try {\n    \tRegister-ELB2Target -TargetGroupArn $targetGroupArn -Target $target -AccessKey $accessKey -SecretKey $secretKey -Region $region\n    } Catch {\n    \tWrite-Host $Error[0]\n    }\n    WaitForState -expectedState \"healthy\"\n    Write-Host \"Instance registered\"\n}\n\n$target = GetTarget\n\nswitch ($action)\n{\n    \"deregister\" { DeregisterInstance }\n    \"register\" { RegisterInstance }\n}",
     "Octopus.Action.Script.ScriptFileName": null,
     "Octopus.Action.Package.FeedId": null,
     "Octopus.Action.Package.PackageId": null
@@ -93,11 +93,11 @@
       "Links": {}
     }
   ],
-  "LastModifiedOn": "2022-05-16T07:30:05.303Z",
-  "LastModifiedBy": "phillip-haydon",
+  "LastModifiedOn": "2026-05-12T07:30:05.303Z",
+  "LastModifiedBy": "trapsuutjies",
   "$Meta": {
-    "ExportedAt": "2022-05-16T07:30:05.303Z",
-    "OctopusVersion": "2022.1.2584",
+    "ExportedAt": "2026-05-12T07:30:05.303Z",
+    "OctopusVersion": "2025.4.10453",
     "Type": "ActionTemplate"
   },
   "Category": "aws"
