From 895d80940584f6151cd17d35cf4d2d2a120e329a Mon Sep 17 00:00:00 2001 From: David Adams Date: Thu, 19 Aug 2021 14:57:04 -0500 Subject: [PATCH] Local TLS usage updates and IMDSv2 (#6) * Make Vault usable by any local user Previously in order to use `vault status` or `vault operator` commands as a non-root user, you had to work around two issues. One, the /opt/vault/tls directory is set to mode 0700 by the Vault package postinst script. This made the vault-ca.pem file unreachable by any user other than `vault` or `root`. Two, the /etc/profile.d/vault.sh file sets the VAULT_CLIENT_CERT and VAULT_CLIENT_KEY env vars, and the key file is (correctly) set to allow only the `vault` user to read it. However, since client TLS is not required to run operator commands, these values do not need to be set. This commit fixes these issues by: * Setting /opt/vault/tls mode to 0755 * Removing unused env vars from /etc/profile.d/vault.sh * Fix indentation in vault.hcl * Use IMDSv2 metadata service Since 2019[1], EC2 has provided a more secure protocol for interacting with the local metadata service. This protocol requires fetching a token via a PUT request, and then using that token in an HTTP header for subsequent GET requests to the metadata API. This adds significant protection from a variety of SSRF attacks which could expose instance profile credentials or other internal metadata. This commit enables requiring the HTTP token via the EC2 Launch Template resource, and updates the install_vault.sh script to fetch and use the IMDSv2 token for its metadata requests. [1] https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ * Update CHANGELOG and README * edit CHANGELOG Co-authored-by: Omar Khawaja --- CHANGELOG.md | 12 +++++++++-- README.md | 2 +- .../user_data/templates/install_vault.sh.tpl | 20 ++++++++++--------- modules/vm/main.tf | 5 +++++ 4 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3010816..f77ecd5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ -## 0.1.0 (July 28, 2021) +## 0.1.2 (August 19, 2021) -* Initial release +* Update TLS directory permissions +* Remove client cert and key from profile script +* Update indentation in configuration file +* Enable EC2 IMDSv2 tokens in launch template +* Support using EC2 IMDSv2 in user-data script ## 0.1.1 (August 13, 2021) * Update config and file permissions to match Deployment Guide * Update disk specs to new Reference Architecture recommendations * Update default version to 1.8.1 + +## 0.1.0 (July 28, 2021) + +* Initial release diff --git a/README.md b/README.md index 97e3fb7..613a168 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ provider "aws" { module "vault-ent" { source = "hashicorp/vault-ent-starter/aws" - version = "0.1.1" + version = "0.1.2" # prefix for tagging/naming AWS resources resource_name_prefix = "test" diff --git a/modules/user_data/templates/install_vault.sh.tpl b/modules/user_data/templates/install_vault.sh.tpl index fbd43c6..0502a44 100644 --- a/modules/user_data/templates/install_vault.sh.tpl +++ b/modules/user_data/templates/install_vault.sh.tpl @@ -1,7 +1,8 @@ #!/usr/bin/env bash -export instance_id="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)" -export local_ipv4="$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)" +imds_token=$( curl -Ss -H "X-aws-ec2-metadata-token-ttl-seconds: 30" -XPUT 169.254.169.254/latest/api/token ) +instance_id=$( curl -Ss -H "X-aws-ec2-metadata-token: $imds_token" 169.254.169.254/latest/meta-data/instance-id ) +local_ipv4=$( curl -Ss -H "X-aws-ec2-metadata-token: $imds_token" 169.254.169.254/latest/meta-data/local-ipv4 ) # install package 
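Review bot: The three new curl calls in the install_vault.sh.tpl hunk run without `--fail` or any retry, and nothing checks that `imds_token` is non-empty, so a transient IMDS failure during early boot (or a rejected PUT) leaves `instance_id` and `local_ipv4` empty or holding an error body, and the script goes on to splice those values into `cluster_addr`/`api_addr` further down the file. Now that the launch template requires tokens, an empty token turns every metadata GET into a 401, so this path should abort rather than continue; I do not see a `set -e` near the shebang, though one may exist outside the hunk. I would fetch the token as `imds_token=$( curl -sSf --retry 5 -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 30" http://169.254.169.254/latest/api/token )`, follow it with `[ -n "$imds_token" ] || { echo "IMDSv2 token request failed" >&2; exit 1; }`, and give the two GETs the same `-f --retry 5` flags. The script continues past `# install package` outside this hunk.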
@@ -16,6 +17,9 @@ timedatectl set-timezone UTC # removing any default installation files from /opt/vault/tls/ rm -rf /opt/vault/tls/* +# /opt/vault/tls should be readable by all users of the system +chmod 0755 /opt/vault/tls + # vault-key.pem should be readable by the vault group only touch /opt/vault/tls/vault-key.pem chown root:vault /opt/vault/tls/vault-key.pem @@ -56,11 +60,11 @@ cluster_addr = "https://$local_ipv4:8201" api_addr = "https://$local_ipv4:8200" listener "tcp" { - address = "0.0.0.0:8200" - tls_disable = false - tls_cert_file = "/opt/vault/tls/vault-cert.pem" - tls_key_file = "/opt/vault/tls/vault-key.pem" - tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" + address = "0.0.0.0:8200" + tls_disable = false + tls_cert_file = "/opt/vault/tls/vault-cert.pem" + tls_key_file = "/opt/vault/tls/vault-key.pem" + tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" } seal "awskms" { @@ -84,6 +88,4 @@ echo "Setup Vault profile" cat <
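Review bot: The new `chmod 0755 /opt/vault/tls` line shifts the whole burden of protecting the private key from the directory to the per-file modes, but the comment above it only says the directory should be readable; it should record that invariant so nobody later loosens the key mode or drops the chown. Something like `# 0755 rather than the package's 0700 so non-root users can read vault-ca.pem for client commands; vault-key.pem is protected solely by its own root:vault ownership and file mode set below, never by this directory.` The `chown root:vault` on the hunk's last line sets ownership, but the key's mode and the modes of vault-cert.pem and vault-ca.pem are set outside this hunk, so I cannot confirm from here that the cert and CA are explicitly chmod 0644 rather than left to the umask; worth checking, since world-readability of those two files is the point of the change. This also runs only at first boot, so a later package reinstall that re-runs postinst would presumably reset the directory to 0700 again, per the commit description.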