fix: Update launch template to use metadata service v2 (#1278)

* Update launch template to use metadata service v2, Update bootstrap script to generate v2 token

* add -f flag to curl commands to better deal with failures

Author: stedelahunty

Diff for: modules/runners/main.tf

@@ -57,6 +57,12 @@ resource "aws_launch_template" "runner" {
     }
   }
 
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 1
+  }
+
   iam_instance_profile {
     name = aws_iam_instance_profile.runner.name
   }

Diff for: modules/runners/templates/install-config-runner.sh

@@ -1,16 +1,16 @@
 cd /home/$USER_NAME
 mkdir actions-runner && cd actions-runner
 
-REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+TOKEN=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 180")
+REGION=$(curl -f -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
 
 aws s3 cp ${s3_location_runner_distribution} actions-runner.tar.gz --region $REGION
 tar xzf ./actions-runner.tar.gz
 rm -rf actions-runner.tar.gz
 
 ${arm_patch}
 
-INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-
+INSTANCE_ID=$(curl -f -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id)
 
 echo wait for configuration
 while [[ $(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value") == null ]]; do