From 2ffdfa14341f734b7edf68e778b7b0e51d9f865b Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Wed, 6 Dec 2017 17:21:55 -0500
Subject: [PATCH] Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1

While this isn't strictly a security issue, it *appears* to be and we got audited as such, so just turn it off

Fixes https://jira.coreos.com/browse/QS-83
---
 buildman/templates/cloudconfig.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/buildman/templates/cloudconfig.yaml b/buildman/templates/cloudconfig.yaml
index 774ce1707..f7da0e9ea 100644
--- a/buildman/templates/cloudconfig.yaml
+++ b/buildman/templates/cloudconfig.yaml
@@ -19,6 +19,11 @@ ssh_authorized_keys:
 - ssh-rsa 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 EvB Key
 write_files:
+- path: /root/disable-aws-metadata.sh
+ permission: '0655'
+ content: |
+ iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1
+
 - path: /etc/docker/daemon.json
 permission: '0644'
 content: |
@@ -76,6 +81,20 @@ coreos:
 after_units=['quay-builder.service']
 ) | indent(4) }}
 {%- endif %}
+ - name: disable-aws-metadata.service
+ command: start
+ enable: yes
+ content: |
+ [Unit]
+ Description=Disable AWS metadata service
+ Before=network-pre.target
+ Wants=network-pre.target
+ [Service]
+ Type=oneshot
+ ExecStart=/root/disable-aws-metadata.sh
+ RemainAfterExit=yes
+ [Install]
+ WantedBy=multi-user.target
 - name: machine-lifetime.service
 command: start
 enable: yes
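Review bot: The script written to /root/disable-aws-metadata.sh has no interpreter line, so the `ExecStart=/root/disable-aws-metadata.sh` added later in this patch will most likely fail with an exec-format error, because systemd execs the path directly rather than through a shell; add `#!/bin/sh -e` as the first line of the content and use a conventional mode such as `'0700'` instead of `'0655'`, which gives the owner no execute bit while granting it to group and others. The rule itself only touches the nat PREROUTING chain, which sees packets arriving from elsewhere (forwarded container traffic on the bridge, presumably), so processes on the host itself and any container running in the host network namespace can still reach 169.254.169.254:80; a matching rule on `OUTPUT` covers the host side. Rewriting the destination to 1.1.1.1 also ships the whole request, including any headers the client sends, to an unrelated third party over plain HTTP and returns unrelated content or a hang instead of a clear denial; `iptables -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j REJECT` together with the same rule on `OUTPUT` blocks the access without sending anything off-box. How builder containers are networked is not visible in this hunk, so the FORWARD/OUTPUT split should be confirmed against the docker configuration.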
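Review bot: The new unit fails open: if disable-aws-metadata.sh errors (for example because iptables cannot apply the rule yet), the oneshot simply fails and the builder units defined elsewhere in this template still start with 169.254.169.254 reachable. The builder unit should carry `After=disable-aws-metadata.service` and `Requires=disable-aws-metadata.service` so a missing rule keeps the builder from starting instead of being a logged failure nothing reacts to; the quay-builder.service definition this applies to is outside the hunk. Nothing in the unit orders it relative to docker.service either, so whether the rule is in place before the first container is launched depends on how network-pre.target is ordered on this image, which the hunk does not show; an explicit `Before=docker.service` removes that doubt. The rationale lives only in the commit message, so the unit content should state it, e.g. `# Keep builder containers from reaching the EC2 instance metadata endpoint (QS-83)` directly under `[Unit]`.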