Update EC2 template to use IMDSv2 as IMDSv1 is deprecated (#274)

RohitJha-aws · web-flow · commit 27fb95425bb0 · 2025-07-15T08:37:44.000+02:00
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,4 +1,4 @@
 [bumpversion]
-current_version = 3.5.2
+current_version = 3.5.3
 commit = True
 tag = False
diff --git a/.cfnlintrc b/.cfnlintrc
@@ -9,3 +9,5 @@ ignore_templates:
 ignore_checks:
   # Supress "This code may only work with `package` cli command as the property <xyz> is a string".
   - W3002
+  # Suppress false positive where Ref on SecurityGroup incorrectly flagged as Name instead of ID
+  - E1041
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -30,7 +30,7 @@ repos:
 
 # CloudFormation
 - repo: https://github.com/aws-cloudformation/cfn-lint
-  rev: v1.20.2
+  rev: v1.37.2
   hooks:
   - id: cfn-lint-rc
     files: code/solutions/.*\.(ya?ml|template)$
@@ -55,20 +55,20 @@ repos:
 
     # Python
 - repo: https://github.com/pycqa/pylint
-  rev: v3.3.2
+  rev: v3.3.7
   hooks:
     - id: pylint
       args:
         - --errors-only
         - --disable=E0401
 
 - repo: https://github.com/psf/black
-  rev: 24.10.0
+  rev: 25.1.0
   hooks:
     - id: black
 
 - repo: https://github.com/PyCQA/isort
-  rev: 5.13.2
+  rev: 6.0.1
   hooks:
     - id: isort
       args: ["--profile", "black"]
diff --git a/code/solutions/cross-stacks/ec2.yaml b/code/solutions/cross-stacks/ec2.yaml
@@ -60,23 +60,40 @@ Resources:
                 <body>
                   <center>
                     <?php
-                    # Get the instance ID from meta-data and store it in the $instance_id variable
+                    # Get session token for IMDSv2
+                    $token_url = "http://169.254.169.254/latest/api/token";
+                    $context = stream_context_create([
+                        "http" => [
+                            "method" => "PUT",
+                            "header" => "X-aws-ec2-metadata-token-ttl-seconds: 21600"
+                        ]
+                    ]);
+                    $token = file_get_contents($token_url, false, $context);
+
+                    # Create context with token for metadata requests
+                    $metadata_context = stream_context_create([
+                        "http" => [
+                            "header" => "X-aws-ec2-metadata-token: " . $token
+                        ]
+                    ]);
+
+                    # Get the instance ID from meta-data
                     $url = "http://169.254.169.254/latest/meta-data/instance-id";
-                    $instance_id = file_get_contents($url);
-                    # Get the instance's availability zone from metadata and store it in the $zone variable
+                    $instance_id = file_get_contents($url, false, $metadata_context);
+                    # Get the instance's availability zone from metadata
                     $url = "http://169.254.169.254/latest/meta-data/placement/availability-zone";
-                    $zone = file_get_contents($url);
-                    # Get the instance AMI ID and store it in the $ami_id variable
+                    $zone = file_get_contents($url, false, $metadata_context);
+                    # Get the instance AMI ID
                     $url = "http://169.254.169.254/latest/meta-data/ami-id";
-                    $ami_id = file_get_contents($url);
+                    $ami_id = file_get_contents($url, false, $metadata_context);
                     ?>
                     <h2>EC2 Instance ID: <?php echo $instance_id ?></h2>
                     <h2>Availability Zone: <?php echo $zone ?></h2>
                     <h2>AMI ID: <?php echo $ami_id ?></h2>
                   </center>
                 </body>
                 </html>
-              mode: 000644
+              mode: 644
               owner: apache
               group: apache
             /etc/cfn/cfn-hup.conf:
@@ -85,7 +102,7 @@ Resources:
                 stack=${AWS::StackId}
                 region=${AWS::Region}
                 interval=1
-              mode: 000400
+              mode: 400
               owner: root
               group: root
             /etc/cfn/hooks.d/cfn-auto-reloader.conf:
@@ -116,6 +133,10 @@ Resources:
         - InstanceType
       SecurityGroupIds:
         - !Ref WebServerSecurityGroup
+      MetadataOptions:
+        HttpTokens: required
+        HttpPutResponseHopLimit: 1
+        HttpEndpoint: enabled
       Tags:
         - Key: Name
           Value: !Join
diff --git a/code/workspace/cross-stacks/ec2.yaml b/code/workspace/cross-stacks/ec2.yaml
@@ -72,23 +72,40 @@ Resources:
                 <body>
                   <center>
                     <?php
-                    # Get the instance ID from meta-data and store it in the $instance_id variable
+                    # Get session token for IMDSv2
+                    $token_url = "http://169.254.169.254/latest/api/token";
+                    $context = stream_context_create([
+                        "http" => [
+                            "method" => "PUT",
+                            "header" => "X-aws-ec2-metadata-token-ttl-seconds: 21600"
+                        ]
+                    ]);
+                    $token = file_get_contents($token_url, false, $context);
+
+                    # Create context with token for metadata requests
+                    $metadata_context = stream_context_create([
+                        "http" => [
+                            "header" => "X-aws-ec2-metadata-token: " . $token
+                        ]
+                    ]);
+
+                    # Get the instance ID from meta-data
                     $url = "http://169.254.169.254/latest/meta-data/instance-id";
-                    $instance_id = file_get_contents($url);
-                    # Get the instance's availability zone from metadata and store it in the $zone variable
+                    $instance_id = file_get_contents($url, false, $metadata_context);
+                    # Get the instance's availability zone from metadata
                     $url = "http://169.254.169.254/latest/meta-data/placement/availability-zone";
-                    $zone = file_get_contents($url);
-                    # Get the instance AMI ID and store it in the $ami_id variable
+                    $zone = file_get_contents($url, false, $metadata_context);
+                    # Get the instance AMI ID
                     $url = "http://169.254.169.254/latest/meta-data/ami-id";
-                    $ami_id = file_get_contents($url);
+                    $ami_id = file_get_contents($url, false, $metadata_context);
                     ?>
                     <h2>EC2 Instance ID: <?php echo $instance_id ?></h2>
                     <h2>Availability Zone: <?php echo $zone ?></h2>
                     <h2>AMI ID: <?php echo $ami_id ?></h2>
                   </center>
                 </body>
                 </html>
-              mode: 000644
+              mode: 644
               owner: apache
               group: apache
             /etc/cfn/cfn-hup.conf:
@@ -125,6 +142,10 @@ Resources:
       InstanceType: !FindInMap [EnvironmentToInstanceType, !Ref EnvironmentType, InstanceType]
       SecurityGroupIds:
         - !Ref WebServerSecurityGroup
+      MetadataOptions:
+        HttpTokens: required
+        HttpPutResponseHopLimit: 1
+        HttpEndpoint: enabled
       Tags:
         - Key: Name
           Value: !Join [ ' ', [ !Ref EnvironmentType, Web Server ] ]
