Feat: Migrate EC2 Plugin Resource Detector from IMDSv1 to IMDSv2 #1408
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -30,8 +30,12 @@ class AwsEc2Detector implements Detector { | |
| * See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html | ||
| * for documentation about the AWS instance identity document endpoint. | ||
| */ | ||
| readonly HTTP_HEADER = 'http://'; | ||
| readonly AWS_IDMS_ENDPOINT = '169.254.169.254'; | ||
|
There was a problem hiding this comment. Maybe There was a problem hiding this comment. Nice suggestion! There was a problem hiding this comment. It's IMDS (Instance Metadata Service) ;) There was a problem hiding this comment. Thank you for pointing out! Will modify this |
||
| readonly AWS_INSTANCE_TOKEN_DOCUMENT_PATH = '/latest/api/token'; | ||
| readonly AWS_INSTANCE_IDENTITY_DOCUMENT_PATH = | ||
| '/latest/dynamic/instance-identity/document'; | ||
| readonly AWS_INSTANCE_HOST_DOCUMENT_PATH = '/latest/meta-data/hostname'; | ||
|
|
||
| /** | ||
| * Attempts to connect and obtain an AWS instance Identity document. If the | ||
|
|
@@ -44,41 +48,86 @@ class AwsEc2Detector implements Detector { | |
| */ | ||
| async detect(config: ResourceDetectionConfigWithLogger): Promise<Resource> { | ||
| try { | ||
| const token = await this._fetchToken(); | ||
| const { | ||
| accountId, | ||
| instanceId, | ||
| instanceType, | ||
| region, | ||
| availabilityZone, | ||
| } = await this._fetchIdentity(token); | ||
| const hostname = await this._fetchHost(token); | ||
|
|
||
| return new Resource({ | ||
| [CLOUD_RESOURCE.PROVIDER]: 'aws', | ||
| [CLOUD_RESOURCE.ACCOUNT_ID]: accountId, | ||
| [CLOUD_RESOURCE.REGION]: region, | ||
| [CLOUD_RESOURCE.ZONE]: availabilityZone, | ||
| [HOST_RESOURCE.ID]: instanceId, | ||
| [HOST_RESOURCE.TYPE]: instanceType, | ||
| [HOST_RESOURCE.NAME]: hostname, | ||
|
There was a problem hiding this comment. Name and hostname are the same? There was a problem hiding this comment. Yes, at least in Java implementation they take Name and hostname as the same: https://github.com/open-telemetry/opentelemetry-java/blob/master/sdk_extensions/aws_v1_support/src/main/java/io/opentelemetry/sdk/extensions/trace/aws/resource/Ec2Resource.java#L192 There was a problem hiding this comment. The main reason for this is not knowing how to populate this :) I filed an issue to ask about why there are two similar fields |
||
| [HOST_RESOURCE.HOSTNAME]: hostname, | ||
| }); | ||
| } catch (e) { | ||
| config.logger.debug(`AwsEc2Detector failed: ${e.message}`); | ||
| return Resource.empty(); | ||
| } | ||
| } | ||
|
|
||
| private async _fetchToken(): Promise<string> { | ||
| const options = { | ||
| host: this.AWS_IDMS_ENDPOINT, | ||
| path: this.AWS_INSTANCE_TOKEN_DOCUMENT_PATH, | ||
| method: 'PUT', | ||
|
There was a problem hiding this comment. Why is this There was a problem hiding this comment. This is part of AWS IDMSv2 standard, we need to do |
||
| timeout: 1000, | ||
| headers: { | ||
| 'X-aws-ec2-metadata-token-ttl-seconds': '60', | ||
obecny marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| }, | ||
| }; | ||
| return await this._fetchString(options); | ||
| } | ||
|
|
||
| private async _fetchIdentity(token: string): Promise<any> { | ||
| const options = { | ||
| host: this.AWS_IDMS_ENDPOINT, | ||
| path: this.AWS_INSTANCE_IDENTITY_DOCUMENT_PATH, | ||
| method: 'GET', | ||
| timeout: 1000, | ||
| headers: { | ||
| 'X-aws-ec2-metadata-token': token, | ||
obecny marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| }, | ||
| }; | ||
| const identity = await this._fetchString(options); | ||
| return JSON.parse(identity); | ||
| } | ||
|
|
||
| private async _fetchHost(token: string): Promise<string> { | ||
| const options = { | ||
| host: this.AWS_IDMS_ENDPOINT, | ||
| path: this.AWS_INSTANCE_HOST_DOCUMENT_PATH, | ||
| method: 'GET', | ||
| timeout: 1000, | ||
obecny marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| headers: { | ||
| 'X-aws-ec2-metadata-token': token, | ||
obecny marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| }, | ||
| }; | ||
| return await this._fetchString(options); | ||
| } | ||
|
|
||
| /** | ||
| * Establishes an HTTP connection to AWS instance document url. | ||
| * If the application is running on an EC2 instance, we should be able | ||
| * to get back a valid JSON document. Parses that document and stores | ||
| * the identity properties in a local map. | ||
| */ | ||
| private async _fetchString(options: http.RequestOptions): Promise<string> { | ||
| return new Promise((resolve, reject) => { | ||
| const timeoutId = setTimeout(() => { | ||
| req.abort(); | ||
| reject(new Error('EC2 metadata api request timed out.')); | ||
| }, 1000); | ||
|
|
||
| const req = http.request(options, res => { | ||
| clearTimeout(timeoutId); | ||
| const { statusCode } = res; | ||
| res.setEncoding('utf8'); | ||
|
|
@@ -87,7 +136,7 @@ class AwsEc2Detector implements Detector { | |
| res.on('end', () => { | ||
| if (statusCode && statusCode >= 200 && statusCode < 300) { | ||
| try { | ||
| resolve(rawData); | ||
| } catch (e) { | ||
| reject(e); | ||
| } | ||
|
|
@@ -102,6 +151,7 @@ class AwsEc2Detector implements Detector { | |
| clearTimeout(timeoutId); | ||
| reject(err); | ||
| }); | ||
| req.end(); | ||
| }); | ||
| } | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is probably not a great name since HTTP Header already has its own meaning. It looks like you're looking for the URL Scheme.
It looks like this is also only used in tests, so why is it defined here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh here is a historical problem. Initially we use Url in order to connect with AWS identity document. And current version we use host and path separately.
I will move this constant to test code, thank you for pointing out!