mondoohq
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎providers/os/id/awsec2/awsec2.go‎
Lines changed: 2 additions & 0 deletions b/‎providers/os/id/awsec2/awsec2.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎providers/os/id/awsec2/metadata_cmd.go‎
Lines changed: 66 additions & 89 deletions b/‎providers/os/id/awsec2/metadata_cmd.go‎
Lines changed: 66 additions & 89 deletions
diff --git a/‎providers/os/id/awsec2/metadata_local.go‎
Lines changed: 12 additions & 3 deletions b/‎providers/os/id/awsec2/metadata_local.go‎
Lines changed: 12 additions & 3 deletions
@@ -319,6 +319,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/smarty/assertions v1.15.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
 
@@ -18,8 +18,10 @@ type Identity struct {
 	InstanceName string
 	AccountID    string
 }
+
 type InstanceIdentifier interface {
 	Identify() (Identity, error)
+	RawMetadata() (any, error)
 }
 
 func Resolve(conn shared.Connection, pf *inventory.Platform) (InstanceIdentifier, error) {
 
@@ -5,8 +5,9 @@ package awsec2
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
-	"fmt"
 	"io"
 	"strings"
 
@@ -15,35 +16,16 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/cockroachdb/errors"
+	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
 	"go.mondoo.com/cnquery/v11/providers/os/connection/shared"
-	"go.mondoo.com/cnquery/v11/providers/os/resources/powershell"
+	"go.mondoo.com/cnquery/v11/providers/os/id/metadata"
 )
 
 const (
-	identityUrl = `-H "X-aws-ec2-metadata-token: %s" -v http://169.254.169.254/latest/dynamic/instance-identity/document`
-	tokenUrl    = `-H "X-aws-ec2-metadata-token-ttl-seconds: 21600" -X PUT "http://169.254.169.254/latest/api/token"`
-	tagNameUrl  = `-H "X-aws-ec2-metadata-token: %s" -v http://169.254.169.254/latest/meta-data/tags/instance/Name`
-
-	identityUrlWindows = `
-$Headers = @{
-    "X-aws-ec2-metadata-token" = %s
-}
-Invoke-RestMethod -TimeoutSec 1 -Headers $Headers -URI http://169.254.169.254/latest/dynamic/instance-identity/document -UseBasicParsing | ConvertTo-Json
-`
-
-	tokenUrlWindows = `
-$Headers = @{
-    "X-aws-ec2-metadata-token-ttl-seconds" = "21600"
-}
-Invoke-RestMethod -Method Put -Uri "http://169.254.169.254/latest/api/token" -Headers $Headers -TimeoutSec 1 -UseBasicParsing
-`
-	tagNameUrlWindows = `
-$Headers = @{
-    "X-aws-ec2-metadata-token" = %s
-}
-Invoke-RestMethod -Method Put -Uri "http://169.254.169.254/latest/meta-data/tags/instance/Name" -Headers $Headers -TimeoutSec 1 -UseBasicParsing
-`
+	identityURLPath = "dynamic/instance-identity/document"
+	metadataURLPath = "meta-data/"
+	tagNameURLPath  = "meta-data/tags/instance/Name"
 )
 
 func NewCommandInstanceMetadata(conn shared.Connection, pf *inventory.Platform, config *aws.Config) *CommandInstanceMetadata {
@@ -58,13 +40,26 @@ type CommandInstanceMetadata struct {
 	conn     shared.Connection
 	platform *inventory.Platform
 	config   *aws.Config
+
+	// used internally to avoid fetching a token multiple times
+	token string
+}
+
+func (m *CommandInstanceMetadata) RawMetadata() (any, error) {
+	return metadata.Crawl(m, metadataURLPath)
+}
+
+func (m *CommandInstanceMetadata) GetMetadataValue(path string) (string, error) {
+	return m.curlDocument(path)
 }
 
 func (m *CommandInstanceMetadata) Identify() (Identity, error) {
 	instanceDocument, err := m.instanceIdentityDocument()
 	if err != nil {
 		return Identity{}, err
 	}
+	log.Debug().Str("instance_document", instanceDocument).Msg("identity")
+
 	// parse into struct
 	doc := imds.InstanceIdentityDocument{}
 	if err := json.NewDecoder(strings.NewReader(instanceDocument)).Decode(&doc); err != nil {
@@ -102,81 +97,63 @@ func (m *CommandInstanceMetadata) Identify() (Identity, error) {
 	}, nil
 }
 
-type metadataType int
-
-const (
-	document metadataType = iota
-	instanceNameTag
-)
+func (m *CommandInstanceMetadata) curlDocument(metadataPath string) (string, error) {
+	token, err := m.getToken()
+	if err != nil {
+		return "", err
+	}
 
-func (m *CommandInstanceMetadata) curlDocument(metadataType metadataType) (string, error) {
+	var commandString string
 	switch {
 	case m.platform.IsFamily(inventory.FAMILY_UNIX):
-		cmd, err := m.conn.RunCommand("curl " + tokenUrl)
-		if err != nil {
-			return "", err
-		}
-		data, err := io.ReadAll(cmd.Stdout)
-		if err != nil {
-			return "", err
-		}
-		tokenString := strings.TrimSpace(string(data))
-
-		commandScript := ""
-		switch metadataType {
-		case document:
-			commandScript = "curl " + fmt.Sprintf(identityUrl, tokenString)
-		case instanceNameTag:
-			commandScript = "curl " + fmt.Sprintf(tagNameUrl, tokenString)
-		}
-
-		cmd, err = m.conn.RunCommand(commandScript)
-		if err != nil {
-			return "", err
-		}
-		data, err = io.ReadAll(cmd.Stdout)
-		if err != nil {
-			return "", err
-		}
-
-		return strings.TrimSpace(string(data)), nil
+		commandString = unixMetadataCmdString(token, metadataPath)
 	case m.platform.IsFamily(inventory.FAMILY_WINDOWS):
-		tokenPwshEncoded := powershell.Encode(tokenUrlWindows)
-		cmd, err := m.conn.RunCommand(tokenPwshEncoded)
-		if err != nil {
-			return "", err
-		}
-		data, err := io.ReadAll(cmd.Stdout)
-		if err != nil {
-			return "", err
-		}
-		tokenString := strings.TrimSpace(string(data))
-
-		commandScript := ""
-		switch metadataType {
-		case document:
-			commandScript = powershell.Encode(fmt.Sprintf(identityUrlWindows, tokenString))
-		case instanceNameTag:
-			commandScript = powershell.Encode(fmt.Sprintf(tagNameUrlWindows, tokenString))
-		}
+		commandString = windowsMetadataCmdString(token, metadataPath)
+	default:
+		return "", errors.New("your platform is not supported by aws metadata identifier resource")
+	}
 
-		cmd, err = m.conn.RunCommand(commandScript)
-		if err != nil {
-			return "", err
-		}
-		data, err = io.ReadAll(cmd.Stdout)
-		if err != nil {
-			return "", err
-		}
+	log.Debug().Str("command_string", commandString).Msg("running os command")
+	cmd, err := m.conn.RunCommand(commandString)
+	if err != nil {
+		return "", err
+	}
+	log.Debug().Str("hash", hashCmd(commandString)).Msg("executed")
+	data, err := io.ReadAll(cmd.Stdout)
+	log.Debug().Msg("read")
+	return strings.TrimSpace(string(data)), err
+}
+
+func hashCmd(message string) string {
+	hash := sha256.New()
+	hash.Write([]byte(message))
+	return hex.EncodeToString(hash.Sum(nil))
+}
+func (m *CommandInstanceMetadata) getToken() (string, error) {
+	if m.token != "" {
+		return m.token, nil
+	}
 
-		return strings.TrimSpace(string(data)), nil
+	var commandString string
+	switch {
+	case m.platform.IsFamily(inventory.FAMILY_UNIX):
+		commandString = unixTokenCmdString()
+	case m.platform.IsFamily(inventory.FAMILY_WINDOWS):
+		commandString = windowsTokenCmdString()
 	default:
 		return "", errors.New("your platform is not supported by aws metadata identifier resource")
 	}
+
+	cmd, err := m.conn.RunCommand(commandString)
+	if err != nil {
+		return "", err
+	}
+	data, err := io.ReadAll(cmd.Stdout)
+	return strings.TrimSpace(string(data)), err
 }
 
 func (m *CommandInstanceMetadata) instanceNameTag() (string, error) {
-	res, err := m.curlDocument(instanceNameTag)
+	res, err := m.curlDocument(tagNameURLPath)
 	if err != nil {
 		return "", err
 	}
@@ -187,5 +164,5 @@ func (m *CommandInstanceMetadata) instanceNameTag() (string, error) {
 }
 
 func (m *CommandInstanceMetadata) instanceIdentityDocument() (string, error) {
-	return m.curlDocument(document)
+	return m.curlDocument(identityURLPath)
 }
@@ -10,6 +10,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	"go.mondoo.com/cnquery/v11/providers/os/id/metadata"
 
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 )
@@ -25,6 +26,15 @@ type LocalEc2InstanceMetadata struct {
 	config aws.Config
 }
 
+func (m *LocalEc2InstanceMetadata) RawMetadata() (any, error) {
+	return metadata.Crawl(m, "")
+}
+
+func (m *LocalEc2InstanceMetadata) GetMetadataValue(path string) (string, error) {
+	client := imds.NewFromConfig(m.config)
+	return m.getMetadataValue(client, path)
+}
+
 func (m *LocalEc2InstanceMetadata) Identify() (Identity, error) {
 	metadata := imds.NewFromConfig(m.config)
 	ec2svc := ec2.NewFromConfig(m.config)
@@ -68,7 +78,7 @@ func (m *LocalEc2InstanceMetadata) Identify() (Identity, error) {
 
 // gets the metadata at the relative specified path. The base path is /latest/meta-data
 // so the path param needs to only specify which metadata path is requested
-func (m *LocalEc2InstanceMetadata) getMetadataValue(client *imds.Client, path string) (value string, err error) {
+func (m *LocalEc2InstanceMetadata) getMetadataValue(client *imds.Client, path string) (string, error) {
 	output, err := client.GetMetadata(context.TODO(), &imds.GetMetadataInput{
 		Path: path,
 	})
@@ -80,6 +90,5 @@ func (m *LocalEc2InstanceMetadata) getMetadataValue(client *imds.Client, path st
 	if err != nil {
 		return "", err
 	}
-	resp := string(bytes)
-	return resp, err
+	return string(bytes), nil
 }
Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,10 @@ type Identity struct {`
`18`	`18`	`InstanceName string`
`19`	`19`	`AccountID string`
`20`	`20`	`}`
	`21`	`+`
`21`	`22`	`type InstanceIdentifier interface {`
`22`	`23`	`Identify() (Identity, error)`
	`24`	`+ RawMetadata() (any, error)`
`23`	`25`	`}`
`24`	`26`
`25`	`27`	`func Resolve(conn shared.Connection, pf *inventory.Platform) (InstanceIdentifier, error) {`