Always set HttpTokens to optional

This commit forces MetadataOptions->HttpTokens to always be set to 'optional' by senza, as we want to still be able to use IMDSv1, while base AMIs enforce v2 and ebs packer still doesn't allow this to be redefined.
zalando-stups · Mar 27, 2023 · 60f771d · 60f771d
1 parent 6c53449
commit 60f771d
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/senza/components/auto_scaling_group.py b/senza/components/auto_scaling_group.py
@@ -11,7 +11,7 @@
 from senza.utils import ensure_keys
 
 # properties evaluated by Senza
-SENZA_PROPERTIES = frozenset(["SecurityGroups", "Tags"])
+SENZA_PROPERTIES = frozenset(["SecurityGroups", "Tags", "MetadataOptions"])
 
 # additional CF properties which can be overwritten
 ADDITIONAL_PROPERTIES = {
@@ -78,6 +78,9 @@ def component_auto_scaling_group(
                 "AssociatePublicIpAddress", False
             ),
             "EbsOptimized": configuration.get("EbsOptimized", False),
+            "MetadataOptions": {
+                "HttpTokens": "optional"  # we want to still be able to use IMDSv1
+            },
         },
     }
 

diff --git a/tests/test_components.py b/tests/test_components.py
@@ -743,6 +743,50 @@ def test_component_auto_scaling_group_optional_metric_type():
     assert "FooNetworkAlarmHigh" not in result["Resources"]
 
 
+def test_component_auto_scaling_hardcoded_metadata_http_tokens():
+    # we have MetadataOptions->HttpTokens 'optional' enforcement hardcoded
+    definition = {"Resources": {}}
+    configurations = [
+        {
+            'Name': 'Foo',
+            'InstanceType': 't2.micro',
+            'Image': 'foo',
+        },
+        {
+            'Name': 'Foo',
+            'InstanceType': 't2.micro',
+            'Image': 'foo',
+            'MetadataOptions': {
+                'HttpTokens': 'required',
+            }
+        },
+        {
+            'Name': 'Foo',
+            'InstanceType': 't2.micro',
+            'Image': 'foo',
+            'MetadataOptions': {
+                'HttpTokens': 'optional',
+                'HttpPutResponseHopLimit': 42,
+            }
+        },
+    ]
+
+    args = MagicMock()
+    args.region = "foo"
+    info = {
+        'StackName': 'FooStack',
+        'StackVersion': 'FooVersion'
+    }
+
+    for configuration in configurations:
+        result = component_auto_scaling_group(definition, configuration, args, info, False, MagicMock())
+
+        err_msg = "Failed configuration: {}".format(str(configuration))
+        assert result["Resources"]["FooConfig"]["Properties"]["MetadataOptions"]["HttpTokens"] == \
+            "optional", err_msg
+        assert len(result["Resources"]["FooConfig"]["Properties"]["MetadataOptions"]) == 1, err_msg
+
+
 def test_to_iso8601_duration():
     with pytest.raises(click.UsageError):
         to_iso8601_duration("")