Support IMDSv2 on windows e2e runners (#26629)

e2e/terraform/provision-infra/compute.tf

@@ -59,6 +59,10 @@ resource "aws_instance" "client_windows_2022" {
   count                  = var.client_count_windows_2022
   iam_instance_profile   = data.aws_iam_instance_profile.nomad_e2e_cluster.name
   availability_zone      = var.availability_zone
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 
   user_data = file("${path.module}/userdata/windows-2022.ps1")
 

e2e/terraform/provision-infra/userdata/windows-2022.ps1

@@ -136,9 +136,11 @@ md "C:\Users\Administrator\.ssh\"
 $myKey = "C:\Users\Administrator\.ssh\authorized_keys"
 $adminKey = "C:\ProgramData\ssh\administrators_authorized_keys"
 
-Invoke-RestMethod `
-  -Uri "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key" `
-  -Outfile $myKey
+# Manually save the private key from instance metadata
+$ImdsToken = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/api/token' -Method 'PUT' -Headers @{'X-aws-ec2-metadata-token-ttl-seconds' = 5400} -UseBasicParsing
+
+$ImdsHeaders = @{'X-aws-ec2-metadata-token' = $ImdsToken}
+Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key' -Headers $ImdsHeaders -UseBasicParsing -Outfile $myKey
 
 cp $myKey $adminKey
 
@@ -147,6 +149,8 @@ icacls $adminKey /inheritance:r
 icacls $adminKey /grant BUILTIN\Administrators:`(F`)
 icacls $adminKey /grant SYSTEM:`(F`)
 
+# Ensure the SSH agent pulls in the new key.
+Restart-Service -Name ssh-agent
 
 # -------------------------------------------
 # Disable automatic updates so we don't get restarts in the middle of tests