fix for 1127 Rsyslog IMDSv2 (#1161)

rjjaegeraws · web-flow · commit 4e72decc3aea · 2023-06-20T11:11:59.000-04:00
* update rsyslog script for IMDSv2

* update script

* update rsyslog to IMDSv2
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.SSM-Patching-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.SSM-Patching-example.json
@@ -1311,7 +1311,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.example.json b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
@@ -1278,7 +1278,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-CTNFW-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-CTNFW-example.json
@@ -1251,7 +1251,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-GWLB-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-GWLB-example.json
@@ -1239,7 +1239,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-NFW-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-NFW-example.json
@@ -1234,7 +1234,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-example.json
@@ -1228,7 +1228,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
@@ -1502,7 +1502,7 @@
           "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
           "rsyslog-instance-type": "t3.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
-          "rsyslog-enforce-imdsv2": false,
+          "rsyslog-enforce-imdsv2": true,
           "rsyslog-root-volume-size": 100,
           "rsyslog-max-instance-age": 7
         }
diff --git a/src/lib/cdk-constructs/src/vpc/asg.ts b/src/lib/cdk-constructs/src/vpc/asg.ts
@@ -121,7 +121,7 @@ export class RsysLogAutoScalingGroup extends Construct {
       ],
     });
 
-    let rsyslogUserData = `#!/bin/bash\necho "[v8-stable]\nname=Adiscon CentOS-6 - local packages for \\$basearch\nbaseurl=http://rpms.adiscon.com/v8-stable/epel-6/\\$basearch\nenabled=0\ngpgcheck=0\ngpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon\nprotect=1" >> /etc/yum.repos.d/rsyslog.repo\nyum update -y\nyum install -y rsyslog --enablerepo=v8-stable --setopt=v8-stable.priority=1\nchkconfig rsyslog on\naws s3 cp s3://${props.centralBucketName}/rsyslog/rsyslog.conf /etc/rsyslog.conf\nservice rsyslog restart\nwget https://s3.${cdk.Aws.REGION}.amazonaws.com/amazoncloudwatch-agent-${cdk.Aws.REGION}/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm\nrpm -U ./amazon-cloudwatch-agent.rpm\ninstanceid=$(curl http://169.254.169.254/latest/meta-data/instance-id)\necho "{\\"logs\\": {\\"logs_collected\\": {\\"files\\": {\\"collect_list\\": [{\\"file_path\\": \\"/var/log/messages\\",\\"log_group_name\\": \\"${props.logGroupName}\\",\\"log_stream_name\\": \\"$instanceid\\"}]}}}}" >> /opt/aws/amazon-cloudwatch-agent/bin/config.json\n/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -s -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json`;
+    let rsyslogUserData = `#!/bin/bash\necho "[v8-stable]\nname=Adiscon CentOS-6 - local packages for \\$basearch\nbaseurl=http://rpms.adiscon.com/v8-stable/epel-6/\\$basearch\nenabled=0\ngpgcheck=0\ngpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon\nprotect=1" >> /etc/yum.repos.d/rsyslog.repo\nyum update -y\nyum install -y rsyslog --enablerepo=v8-stable --setopt=v8-stable.priority=1\nchkconfig rsyslog on\naws s3 cp s3://${props.centralBucketName}/rsyslog/rsyslog.conf /etc/rsyslog.conf\nservice rsyslog restart\nwget https://s3.${cdk.Aws.REGION}.amazonaws.com/amazoncloudwatch-agent-${cdk.Aws.REGION}/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm\nrpm -U ./amazon-cloudwatch-agent.rpm\nTOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")\ninstanceid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id)\necho "{\\"logs\\": {\\"logs_collected\\": {\\"files\\": {\\"collect_list\\": [{\\"file_path\\": \\"/var/log/messages\\",\\"log_group_name\\": \\"${props.logGroupName}\\",\\"log_stream_name\\": \\"$instanceid\\"}]}}}}" >> /opt/aws/amazon-cloudwatch-agent/bin/config.json\n/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -s -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json`;
 
     if (props.userData) {
       /* eslint-disable no-template-curly-in-string */

Original file line number	Diff line number	Diff line change
`@@ -1311,7 +1311,7 @@`
`1311`	`1311`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1312`	`1312`	`"rsyslog-instance-type": "t3.large",`
`1313`	`1313`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1314`		`- "rsyslog-enforce-imdsv2": false,`
	`1314`	`+ "rsyslog-enforce-imdsv2": true,`
`1315`	`1315`	`"rsyslog-root-volume-size": 100,`
`1316`	`1316`	`"rsyslog-max-instance-age": 7`
`1317`	`1317`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1278,7 +1278,7 @@`
`1278`	`1278`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1279`	`1279`	`"rsyslog-instance-type": "t3.large",`
`1280`	`1280`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1281`		`- "rsyslog-enforce-imdsv2": false,`
	`1281`	`+ "rsyslog-enforce-imdsv2": true,`
`1282`	`1282`	`"rsyslog-root-volume-size": 100,`
`1283`	`1283`	`"rsyslog-max-instance-age": 7`
`1284`	`1284`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1251,7 +1251,7 @@`
`1251`	`1251`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1252`	`1252`	`"rsyslog-instance-type": "t3.large",`
`1253`	`1253`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1254`		`- "rsyslog-enforce-imdsv2": false,`
	`1254`	`+ "rsyslog-enforce-imdsv2": true,`
`1255`	`1255`	`"rsyslog-root-volume-size": 100,`
`1256`	`1256`	`"rsyslog-max-instance-age": 7`
`1257`	`1257`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1239,7 +1239,7 @@`
`1239`	`1239`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1240`	`1240`	`"rsyslog-instance-type": "t3.large",`
`1241`	`1241`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1242`		`- "rsyslog-enforce-imdsv2": false,`
	`1242`	`+ "rsyslog-enforce-imdsv2": true,`
`1243`	`1243`	`"rsyslog-root-volume-size": 100,`
`1244`	`1244`	`"rsyslog-max-instance-age": 7`
`1245`	`1245`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1234,7 +1234,7 @@`
`1234`	`1234`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1235`	`1235`	`"rsyslog-instance-type": "t3.large",`
`1236`	`1236`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1237`		`- "rsyslog-enforce-imdsv2": false,`
	`1237`	`+ "rsyslog-enforce-imdsv2": true,`
`1238`	`1238`	`"rsyslog-root-volume-size": 100,`
`1239`	`1239`	`"rsyslog-max-instance-age": 7`
`1240`	`1240`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1228,7 +1228,7 @@`
`1228`	`1228`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1229`	`1229`	`"rsyslog-instance-type": "t3.large",`
`1230`	`1230`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1231`		`- "rsyslog-enforce-imdsv2": false,`
	`1231`	`+ "rsyslog-enforce-imdsv2": true,`
`1232`	`1232`	`"rsyslog-root-volume-size": 100,`
`1233`	`1233`	`"rsyslog-max-instance-age": 7`
`1234`	`1234`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1502,7 +1502,7 @@`
`1502`	`1502`	`"ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",`
`1503`	`1503`	`"rsyslog-instance-type": "t3.large",`
`1504`	`1504`	`"rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",`
`1505`		`- "rsyslog-enforce-imdsv2": false,`
	`1505`	`+ "rsyslog-enforce-imdsv2": true,`
`1506`	`1506`	`"rsyslog-root-volume-size": 100,`
`1507`	`1507`	`"rsyslog-max-instance-age": 7`
`1508`	`1508`	`}`