#!/bin/bash
#
# By default untrusted users on this host are blocked from reaching the AWS
# instance metadata service (IMDS). The zabbix agent monitors some of that
# metadata, so this script adds a firewall exemption for the zabbix user.
# For now only our standard firewalld setup is supported (i.e. hosts that
# manage iptables directly are not handled).


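set -euo pipefail

# Custom firewalld direct chain that carries the metadata-service block; the
# zabbix exemption is inserted into it, so the chain must already exist.
FIREWALL_CHAIN="AWS-Metadata"
# Priority of the exemption inside the chain. firewalld orders direct rules by
# priority, so this must sort *before* the rule that drops/rejects traffic to
# the metadata service, otherwise the exemption never matches.
# NOTE(review): the blocking rule's priority is set elsewhere - confirm it is > 100.
RULE_PRIORITY=100
# iptables arguments for the exemption. `-m owner --uid-owner` matches on the
# uid of the local process that generated the packet, so every process running
# as the zabbix user (the agent and anything it spawns) is exempted, not just
# the agent binary. RETURN hands the packet back to the parent chain instead of
# accepting it outright.
IPTABLES_BASE=(-m owner --uid-owner zabbix -j RETURN -m comment --comment "Don't block zabbix access to the AWS metadata service")

# Only the standard firewalld setup is supported; a host that manages iptables
# directly is left untouched.
if systemctl -q is-enabled firewalld; then
	# Query the permanent configuration (not the runtime one) so the check
	# works even while the daemon is stopped and agrees with the --permanent
	# add below. --query-chain is an exact-name check; grepping --get-chains
	# would also match any chain whose name merely contains "AWS-Metadata".
	if firewall-cmd --permanent --direct --query-chain ipv4 filter "$FIREWALL_CHAIN" >/dev/null 2>&1; then
		# Idempotent: add the rule only when it is not already present, and
		# fail loudly rather than discarding firewall-cmd's errors.
		if ! firewall-cmd --permanent --direct --query-rule ipv4 filter "$FIREWALL_CHAIN" "$RULE_PRIORITY" "${IPTABLES_BASE[@]}" >/dev/null 2>&1; then
			if ! firewall-cmd --permanent --direct --add-rule ipv4 filter "$FIREWALL_CHAIN" "$RULE_PRIORITY" "${IPTABLES_BASE[@]}"; then
				printf 'failed to add zabbix exemption to chain %s\n' "$FIREWALL_CHAIN" >&2
				exit 1
			fi
		fi
		# Permanent rules only take effect after a reload. Skip it when the
		# daemon is stopped; the permanent rule is picked up at next start.
		if systemctl -q is-active firewalld; then
			firewall-cmd --reload
		fi
	fi
fi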

