Include IAM role and info in ec2 data (issue #1524)

Signed-off-by: KC Braunschweig <[email protected]>
chef · Oct 8, 2020 · 369bfb7 · 369bfb7
1 parent 6be2a1a
commit 369bfb7
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 21 deletions.
diff --git a/.expeditor/verify.pipeline.yml b/.expeditor/verify.pipeline.yml
@@ -26,14 +26,6 @@ steps:
       docker:
         image: ruby:2.7-buster
 
-- label: run-specs-ruby-2.5
-  command:
-    - .expeditor/run_linux_tests.sh rspec
-  expeditor:
-    executor:
-      docker:
-        image: ruby:2.5-buster
-
 - label: run-specs-ruby-2.6
   command:
     - .expeditor/run_linux_tests.sh rspec

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,16 +1,17 @@
 # Change Log
 
-<!-- latest_release 16.6.1 -->
-## [v16.6.1](https://github.com/chef/ohai/tree/v16.6.1) (2020-10-03)
+<!-- latest_release 16.6.2 -->
+## [v16.6.2](https://github.com/chef/ohai/tree/v16.6.2) (2020-10-08)
 
 #### Merged Pull Requests
-- Windows support for Passwd plugin [#1516](https://github.com/chef/ohai/pull/1516) ([jaymzh](https://github.com/jaymzh))
+- Remove ruby 2.5 from CI. [#1526](https://github.com/chef/ohai/pull/1526) ([phiggins](https://github.com/phiggins))
 <!-- latest_release -->
 
 <!-- release_rollup since=16.5.6 -->
 ### Changes not yet released to rubygems.org
 
 #### Merged Pull Requests
+- Remove ruby 2.5 from CI. [#1526](https://github.com/chef/ohai/pull/1526) ([phiggins](https://github.com/phiggins)) <!-- 16.6.2 -->
 - Windows support for Passwd plugin [#1516](https://github.com/chef/ohai/pull/1516) ([jaymzh](https://github.com/jaymzh)) <!-- 16.6.1 -->
 - Detect Azure when DHCP domain is set to reddog.microsoft.com [#1521](https://github.com/chef/ohai/pull/1521) ([jasonwbarnett](https://github.com/jasonwbarnett)) <!-- 16.6.0 -->
 <!-- release_rollup -->

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-16.6.1
+16.6.2
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
@@ -122,11 +122,17 @@ def looks_like_ec2?
       fetch_metadata.each do |k, v|
         # fetch_metadata returns IAM security credentials, including the IAM user's
         # secret access key. We'd rather not have ohai send this information
-        # to the server.
-        # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
-        next if k == "iam" && !hint?("iam")
-
-        ec2[k] = v
+        # to the server. If the instance is associated with an IAM role we grab
+        # only the "info" key and the IAM role name.
+        # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+        if k == "iam" && !hint?("iam")
+          ec2[:iam] = v.select { |key, value| key == "info" }
+          if v["security-credentials"] && v["security-credentials"].keys.length == 1
+            ec2[:iam]["role_name"] = v["security-credentials"].keys[0]
+          end
+        else
+          ec2[k] = v
+        end
       end
       ec2[:userdata] = fetch_userdata
       ec2[:account_id] = fetch_dynamic_data["accountId"]

diff --git a/lib/ohai/version.rb b/lib/ohai/version.rb
@@ -18,5 +18,5 @@
 
 module Ohai
   OHAI_ROOT = File.expand_path(__dir__)
-  VERSION = "16.6.1".freeze
+  VERSION = "16.6.2".freeze
 end
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
@@ -240,13 +240,16 @@
         allow(plugin).to receive(:hint?).with("iam").and_return(false)
       end
 
-      it "parses ec2 iam/ directory and NOT collect iam/security-credentials/" do
+      it "parses ec2 iam/ directory and collect info and role_name and NOT collect iam/security-credentials/" do
         expect(@http_client).to receive(:get)
           .with("/2012-01-12/meta-data/")
           .and_return(double("Net::HTTP Response", body: "iam/", code: "200"))
         expect(@http_client).to receive(:get)
           .with("/2012-01-12/meta-data/iam/")
-          .and_return(double("Net::HTTP Response", body: "security-credentials/", code: "200"))
+          .and_return(double("Net::HTTP Response", body: "info\nsecurity-credentials/", code: "200"))
+        expect(@http_client).to receive(:get)
+          .with("/2012-01-12/meta-data/iam/info")
+          .and_return(double("Net::HTTP Response", body: "{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2020-10-08T20:47:08Z\",\n  \"InstanceProfileArn\" : \"arn:aws:iam::111111111111:instance-profile/my_profile\",\n  \"InstanceProfileId\" : \"AAAAAAAAAAAAAAAAAAAAA\"\n}", code: "200"))
         expect(@http_client).to receive(:get)
           .with("/2012-01-12/meta-data/iam/security-credentials/")
           .and_return(double("Net::HTTP Response", body: "MyRole", code: "200"))
@@ -263,7 +266,9 @@
         plugin.run
 
         expect(plugin[:ec2]).not_to be_nil
-        expect(plugin[:ec2]["iam"]).to be_nil
+        expect(plugin[:ec2]["iam"]["info"]["InstanceProfileId"]).to eql "AAAAAAAAAAAAAAAAAAAAA"
+        expect(plugin[:ec2]["iam"]["security-credentials"]).to be_nil
+        expect(plugin[:ec2]["iam"]["role_name"]).to eql "MyRole"
       end
     end