feat: add option to disable access to cloud metadata services

docs/usage/self-hosted-configuration.md

@@ -904,6 +904,12 @@ This is currently applicable to `npm` only, and only used in cases where bugs in
 If enabled emoji shortcodes are replaced with their Unicode equivalents.
 For example: `:warning:` will be replaced with `⚠️`.
 
+## useCloudMetadataServices
+
+Some cloud providers offer services to receive metadata about the current instance, for example [AWS Instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-instance-metadata.html)
+or [GCP VM metadata](https://cloud.google.com/compute/docs/metadata/overview).
+Use this option to control whether Renovate should try to access these services.
+
 ## username
 
 You may need to set a `username` if you:

lib/config/options/index.ts

@@ -21,6 +21,14 @@ const options: RenovateOptions[] = [
     default: false,
     globalOnly: true,
   },
+  {
+    name: 'useCloudMetadataServices',
+    description:
+      'If `false`, Renovate does not try to access cloud metadata services.',
+    type: 'boolean',
+    default: true,
+    globalOnly: true,
+  },
   {
     name: 'allowPostUpgradeCommandTemplating',
     description:

lib/config/types.ts

@@ -116,6 +116,7 @@ export interface GlobalOnlyConfig {
   repositories?: RenovateRepository[];
   platform?: PlatformId;
   endpoint?: string;
+  useCloudMetadataServices?: boolean;
 }
 
 // Config options used within the repository worker, but not user configurable

lib/workers/global/initialize.spec.ts

@@ -79,4 +79,27 @@ describe('workers/global/initialize', () => {
       await expect(globalInitialize(config)).toResolve();
     });
   });
+
+  describe('configureThirdPartyLibraries()', () => {
+    beforeEach(() => {
+      delete process.env.AWS_EC2_METADATA_DISABLED;
+      delete process.env.METADATA_SERVER_DETECTION;
+    });
+
+    it('sets env vars when cloud metadata services disabled', async () => {
+      const config: RenovateConfig = { useCloudMetadataServices: false };
+      git.validateGitVersion.mockResolvedValueOnce(true);
+      await expect(globalInitialize(config)).toResolve();
+      expect(process.env.AWS_EC2_METADATA_DISABLED).toBe('true');
+      expect(process.env.METADATA_SERVER_DETECTION).toBe('none');
+    });
+
+    it('does not set env vars when cloud metadata services enabled', async () => {
+      const config: RenovateConfig = { useCloudMetadataServices: true };
+      git.validateGitVersion.mockResolvedValueOnce(true);
+      await expect(globalInitialize(config)).toResolve();
+      expect(process.env.AWS_EC2_METADATA_DISABLED).toBeUndefined();
+      expect(process.env.METADATA_SERVER_DETECTION).toBeUndefined();
+    });
+  });
 });

lib/workers/global/initialize.ts

@@ -64,6 +64,14 @@ function setGlobalHostRules(config: RenovateConfig): void {
   }
 }
 
+function configureThirdPartyLibraries(config: AllConfig): void {
+  if (!config.useCloudMetadataServices) {
+    logger.debug('Disabling the use of cloud metadata services');
+    process.env.AWS_EC2_METADATA_DISABLED = 'true'; // See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list
+    process.env.METADATA_SERVER_DETECTION = 'none'; // See https://cloud.google.com/nodejs/docs/reference/gcp-metadata/latest#environment-variables
+  }
+}
+
 export async function globalInitialize(
   config_: AllConfig,
 ): Promise<RenovateConfig> {
@@ -76,6 +84,7 @@ export async function globalInitialize(
   limitCommitsPerRun(config);
   setEmojiConfig(config);
   setGlobalHostRules(config);
+  configureThirdPartyLibraries(config);
   await initMergeConfidence();
   return config;
 }