[Libbeat] Security - fetch IMDSv2 token for add_cloud_metadata suppor…

[francescayeye]

…t on aws

Enanchment

What does this PR do?

Fetches IMDSv2 token in add_cloud_metadata processor for AWS and send it with the proper header to the identity url request

Why is it important?

It adds support for IMDSv2 on AWS enforcing security standard

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
  - [ ] I have made corresponding changes to the documentation
  - [ ] I have made corresponding change to the default configuration files
  - [ ] I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Run any beat built from this adding add_cloud_metadata processor an an EC2 instance with only IMDSv2 enabled and ensure that metadata request doesn't fail with a 401

Related issues

Closes #22101

Use cases

Screenshots

Logs

[mergify]

This pull request does not have a backport label. Could you fix it @aspacca? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[mergify]

This pull request does not have a backport label. Could you fix it @aspacca? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-10-13T08:35:50.189+0000

• Duration: 149 min 56 sec

• Commit: fc33e85

Test stats 🧪

Test	Results
Failed	0
Passed	53757
Skipped	5346
Total	59103

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b Libbeat-Security-Enable-IMDSv2-support upstream/Libbeat-Security-Enable-IMDSv2-support
git merge upstream/master
git push upstream Libbeat-Security-Enable-IMDSv2-support

[kaiyan-sheng]

Overall looks good to me, just several small comments.

[kaiyan-sheng]

Suggested change

	const ec2InstanceIMDSv2TokenURI = "/latest/api/token"
	const (
	ec2InstanceIdentityURI = "/2014-02-25/dynamic/instance-identity/document"
	ec2InstanceIMDSv2TokenURI = "/latest/api/token"
	ec2InstanceIMDSv2TokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	ec2InstanceIMDSv2TokenTTLValue = "21600"
	ec2InstanceIMDSv2TokenURI = "/latest/api/token"
	)

[kaiyan-sheng]

remove the empty space

[kaiyan-sheng]

Suggested change

	logger.Warnf("error while getting IMDSv2 token: %s. No token in the metadata request will be used.", err)
	logger.Warnf("error when load TLS config for getting IMDSv2 token: %s. No token in the metadata request will be used.", err)

[kaiyan-sheng]

All the warning log messages are the same in the function. What do you think about adding more detail in the warning messages?