feat(runner): allow linux starter-runner script to retrieve labels without with IMDSv2 tags option (#2764)

* Add metadata_tags as a var to default script

* Check for metadata tags service on linux

* fix metadata_options var

* Move metadata_tags var to start_runner template

* fix for reading config via SDK
- Fix start script to read ssm config tag via SDK
- Update multi runner example, one runner is now using SDK instead of meta data tags

---------

Co-authored-by: Niek Palm <[email protected]>
Co-authored-by: Niek Palm <[email protected]>

Author: MGSousa

Diff for: examples/multi-runner/main.tf

@@ -120,6 +120,13 @@ module "multi-runner" {
       fifo                = true
       delay_webhook_event = 0
       runner_config = {
+        # Test retrieving tag information via AWS API (Cli)
+        runner_metadata_options = {
+          instance_metadata_tags      = "disabled"
+          http_endpoint               = "enabled"
+          http_tokens                 = "optional"
+          http_put_response_hop_limit = 1
+        }
         runner_os                       = "linux"
         runner_architecture             = "x64"
         create_service_linked_role_spot = true

Diff for: modules/runners/main.tf

@@ -144,8 +144,10 @@ resource "aws_launch_template" "runner" {
       S3_LOCATION_RUNNER_DISTRIBUTION = local.s3_location_runner_distribution
       RUNNER_ARCHITECTURE             = var.runner_architecture
     })
-    post_install    = var.userdata_post_install
-    start_runner    = templatefile(local.userdata_start_runner[var.runner_os], {})
+    post_install = var.userdata_post_install
+    start_runner = templatefile(local.userdata_start_runner[var.runner_os], {
+      metadata_tags = var.metadata_options != null ? var.metadata_options.instance_metadata_tags : "enabled"
+    })
     ghes_url        = var.ghes_url
     ghes_ssl_verify = var.ghes_ssl_verify
 

Diff for: modules/runners/templates/start-runner.sh

@@ -13,12 +13,20 @@ echo "Retrieved REGION from AWS API ($region)"
 instance_id=$(curl -f -H "X-aws-ec2-metadata-token: $token" -v http://169.254.169.254/latest/meta-data/instance-id)
 echo "Retrieved INSTANCE_ID from AWS API ($instance_id)"
 
+%{ if metadata_tags == "enabled" }
 environment=$(curl -f -H "X-aws-ec2-metadata-token: $token" -v http://169.254.169.254/latest/meta-data/tags/instance/ghr:environment)
-echo "Retrieved ghr:environment tag - ($environment)"
-
 ssm_config_path=$(curl -f -H "X-aws-ec2-metadata-token: $token" -v http://169.254.169.254/latest/meta-data/tags/instance/ghr:ssm_config_path)
-echo "Retrieved ghr:ssm_config_path tag - ($ssm_config_path)"
 
+%{ else }
+tags=$(aws ec2 describe-tags --region "$region" --filters "Name=resource-id,Values=$instance_id")
+echo "Retrieved tags from AWS API ($tags)"
+
+environment=$(echo "$tags" | jq -r '.Tags[]  | select(.Key == "ghr:environment") | .Value')
+ssm_config_path=$(echo "$tags" | jq -r '.Tags[]  | select(.Key == "ghr:ssm_config_path") | .Value')
+%{ endif }
+
+echo "Retrieved ghr:environment tag - ($environment)"
+echo "Retrieved ghr:ssm_config_path tag - ($ssm_config_path)"
 
 parameters=$(aws ssm get-parameters-by-path --path "$ssm_config_path" --region "$region" --query "Parameters[*].{Name:Name,Value:Value}")
 echo "Retrieved parameters from AWS SSM ($parameters)"