From ef1628747ec0305311a32f623dc7de64692eec40 Mon Sep 17 00:00:00 2001
From: stedelahunty <stedelahunty1@gmail.com>
Date: Wed, 13 Oct 2021 17:05:22 +0100
Subject: [PATCH] fix: Update launch template to use metadata service v2
 (#1278)

* Update launch template to use metadata service v2, Update bootstrap script to generate v2 token

* add -f flag to curl commands to better deal with failures
---
 modules/runners/main.tf                            | 6 ++++++
 modules/runners/templates/install-config-runner.sh | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index f36ec06b05..1728e260d0 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -57,6 +57,12 @@ resource "aws_launch_template" "runner" {
     }
   }
 
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 1
+  }
+
   iam_instance_profile {
     name = aws_iam_instance_profile.runner.name
   }
diff --git a/modules/runners/templates/install-config-runner.sh b/modules/runners/templates/install-config-runner.sh
index 4bc42d2d72..a1147303b1 100644
--- a/modules/runners/templates/install-config-runner.sh
+++ b/modules/runners/templates/install-config-runner.sh
@@ -1,7 +1,8 @@
 cd /home/$USER_NAME
 mkdir actions-runner && cd actions-runner
 
-REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+TOKEN=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 180")
+REGION=$(curl -f -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
 
 aws s3 cp ${s3_location_runner_distribution} actions-runner.tar.gz --region $REGION
 tar xzf ./actions-runner.tar.gz
@@ -9,8 +10,7 @@ rm -rf actions-runner.tar.gz
 
 ${arm_patch}
 
-INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-
+INSTANCE_ID=$(curl -f -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id)
 
 echo wait for configuration
 while [[ $(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value") == null ]]; do