├── ec2_simple
    ├── files
    │   ├── import_users.cron
    │   ├── import_users.sh
    │   ├── authorized_keys_command.sh
    │   └── install.sh
    ├── aws.tf
    ├── resources
    │   ├── iam_assume_role_policy.json
    │   └── iam_role_policy.template.json
    ├── secret.sample.tfvars
    ├── Makefile
    ├── iam.tf
    ├── security.tf
    ├── variables.tf
    └── ec2.tf
├── ec2_vpc
    ├── files
    │   ├── import_users.cron
    │   ├── import_users.sh
    │   ├── authorized_keys_command.sh
    │   └── install.sh
    ├── aws.tf
    ├── resources
    │   ├── iam_assume_role_policy.json
    │   └── iam_role_policy.template.json
    ├── secret.sample.tfvars
    ├── Makefile
    ├── iam.tf
    ├── variables.tf
    ├── ec2.tf
    └── security.tf
├── ec2_simple_nokey
    ├── files
    │   ├── import_users.cron
    │   ├── authorized_keys_command.sh
    │   ├── import_users.sh
    │   └── install.sh
    ├── aws.tf
    ├── secret.sample.tfvars
    ├── resources
    │   ├── iam_assume_role_policy.json
    │   ├── instance_user_data.sh
    │   └── iam_role_policy.template.json
    ├── Makefile
    ├── iam.tf
    ├── security.tf
    ├── ec2.tf
    └── variables.tf
├── ec2_vpc_nokey
    ├── files
    │   ├── import_users.cron
    │   ├── import_users.sh
    │   ├── authorized_keys_command.sh
    │   └── install.sh
    ├── aws.tf
    ├── secret.sample.tfvars
    ├── resources
    │   ├── iam_assume_role_policy.json
    │   ├── instance_user_data.sh
    │   └── iam_role_policy.template.json
    ├── Makefile
    ├── iam.tf
    ├── ec2.tf
    ├── variables.tf
    └── security.tf
├── .gitignore
├── docs
    ├── sequence.png
    ├── aws-entities-1.png
    └── aws-entities-2.png
├── LICENSE
└── README.md


/ec2_simple/files/import_users.cron:
--------------------------------------------------------------------------------
1 | */10 * * * * root /opt/import_users.sh


--------------------------------------------------------------------------------
/ec2_vpc/files/import_users.cron:
--------------------------------------------------------------------------------
1 | */10 * * * * root /opt/import_users.sh


--------------------------------------------------------------------------------
/ec2_simple_nokey/files/import_users.cron:
--------------------------------------------------------------------------------
1 | */10 * * * * root /opt/import_users.sh


--------------------------------------------------------------------------------
/ec2_vpc_nokey/files/import_users.cron:
--------------------------------------------------------------------------------
1 | */10 * * * * root /opt/import_users.sh


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | secret.tfvars
2 | .idea/
3 | *.iml
4 | terraform.tfstate*
5 | *.tfplan


--------------------------------------------------------------------------------
/docs/sequence.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zendesk/aws-ec2-ssh-sync/master/docs/sequence.png


--------------------------------------------------------------------------------
/docs/aws-entities-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zendesk/aws-ec2-ssh-sync/master/docs/aws-entities-1.png


--------------------------------------------------------------------------------
/docs/aws-entities-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zendesk/aws-ec2-ssh-sync/master/docs/aws-entities-2.png


--------------------------------------------------------------------------------
/ec2_vpc/aws.tf:
--------------------------------------------------------------------------------
1 | 
2 | provider "aws" {
3 |   access_key = "${var.aws_access_key}"
4 |   secret_key = "${var.aws_secret_key}"
5 |   region = "${var.aws_region}"
6 | }
7 | 


--------------------------------------------------------------------------------
/ec2_simple/aws.tf:
--------------------------------------------------------------------------------
1 | 
2 | provider "aws" {
3 |   access_key = "${var.aws_access_key}"
4 |   secret_key = "${var.aws_secret_key}"
5 |   region = "${var.aws_region}"
6 | }
7 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/aws.tf:
--------------------------------------------------------------------------------
1 | 
2 | provider "aws" {
3 |   access_key = "${var.aws_access_key}"
4 |   secret_key = "${var.aws_secret_key}"
5 |   region = "${var.aws_region}"
6 | }
7 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/aws.tf:
--------------------------------------------------------------------------------
1 | 
2 | provider "aws" {
3 |   access_key = "${var.aws_access_key}"
4 |   secret_key = "${var.aws_secret_key}"
5 |   region = "${var.aws_region}"
6 | }
7 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/secret.sample.tfvars:
--------------------------------------------------------------------------------
1 | # Copy this to secrets.tfvars to setup your own credentials
2 | 
3 | aws_access_key="PUT_YOUR_ACCESS_KEY"
4 | aws_secret_key="PUT_YOUR_SECRET_KEY"
5 | aws_account="PUT_YOUR_AWS_ACCOUNT"
6 | aws_region="us-east-1"
7 | private_key_name="mykey"
8 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/secret.sample.tfvars:
--------------------------------------------------------------------------------
1 | # Copy this to secrets.tfvars to setup your own credentials
2 | 
3 | aws_access_key="PUT_YOUR_ACCESS_KEY"
4 | aws_secret_key="PUT_YOUR_SECRET_KEY"
5 | aws_account="PUT_YOUR_AWS_ACCOUNT"
6 | aws_region="us-east-1"
7 | private_key_name="mykey"
8 | private_key_path="/Users/bob/.ssh/ec2Key"


--------------------------------------------------------------------------------
/ec2_vpc/resources/iam_assume_role_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Principal": {
 7 |         "Service": [
 8 |           "ec2.amazonaws.com"
 9 |         ]
10 |       },
11 |       "Action": [
12 |         "sts:AssumeRole"
13 |       ]
14 |     }
15 |   ]
16 | }


--------------------------------------------------------------------------------
/ec2_simple/files/import_users.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | aws iam list-users --query "Users[].[UserName]" --output text | while read User; do
 4 |   if id -u "$User" >/dev/null 2>&1; then
 5 |     echo "$User exists"
 6 |   else
 7 |     /usr/sbin/adduser "$User"
 8 |     echo "$User ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$User"
 9 |   fi
10 | done
11 | 


--------------------------------------------------------------------------------
/ec2_simple/resources/iam_assume_role_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Principal": {
 7 |         "Service": [
 8 |           "ec2.amazonaws.com"
 9 |         ]
10 |       },
11 |       "Action": [
12 |         "sts:AssumeRole"
13 |       ]
14 |     }
15 |   ]
16 | }


--------------------------------------------------------------------------------
/ec2_vpc/files/import_users.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | aws iam list-users --query "Users[].[UserName]" --output text | while read User; do
 4 |   if id -u "$User" >/dev/null 2>&1; then
 5 |     echo "$User exists"
 6 |   else
 7 |     /usr/sbin/adduser "$User"
 8 |     echo "$User ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$User"
 9 |   fi
10 | done
11 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/resources/iam_assume_role_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Principal": {
 7 |         "Service": [
 8 |           "ec2.amazonaws.com"
 9 |         ]
10 |       },
11 |       "Action": [
12 |         "sts:AssumeRole"
13 |       ]
14 |     }
15 |   ]
16 | }


--------------------------------------------------------------------------------
/ec2_simple_nokey/resources/iam_assume_role_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Principal": {
 7 |         "Service": [
 8 |           "ec2.amazonaws.com"
 9 |         ]
10 |       },
11 |       "Action": [
12 |         "sts:AssumeRole"
13 |       ]
14 |     }
15 |   ]
16 | }


--------------------------------------------------------------------------------
/ec2_vpc_nokey/files/import_users.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | aws iam list-users --query "Users[].[UserName]" --output text | while read User; do
 4 |   if id -u "$User" >/dev/null 2>&1; then
 5 |     echo "$User exists"
 6 |   else
 7 |     /usr/sbin/adduser "$User"
 8 |     echo "$User ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$User"
 9 |   fi
10 | done
11 | 


--------------------------------------------------------------------------------
/ec2_simple/secret.sample.tfvars:
--------------------------------------------------------------------------------
 1 | # Copy this to secrets.tfvars to setup your own credentials
 2 | 
 3 | aws_access_key="PUT_YOUR_ACCESS_KEY"
 4 | aws_secret_key="PUT_YOUR_SECRET_KEY"
 5 | aws_account="PUT_YOUR_AWS_ACCOUNT"
 6 | aws_region="us-east-1"
 7 | # Name of the ec2 keypair for that region
 8 | private_key_name="mykey"
 9 | # Path to the private key on your hard drive
10 | private_key_path="/Users/bob/.ssh/ec2Key"


--------------------------------------------------------------------------------
/ec2_vpc/secret.sample.tfvars:
--------------------------------------------------------------------------------
 1 | # Copy this to secrets.tfvars to setup your own credentials
 2 | 
 3 | aws_access_key="PUT_YOUR_ACCESS_KEY"
 4 | aws_secret_key="PUT_YOUR_SECRET_KEY"
 5 | aws_account="PUT_YOUR_AWS_ACCOUNT"
 6 | aws_region="us-east-1"
 7 | # Name of the ec2 keypair for that region
 8 | private_key_name="mykey"
 9 | # Path to the private key on your hard drive
10 | private_key_path="/Users/bob/.ssh/ec2Key"


--------------------------------------------------------------------------------
/ec2_simple/files/authorized_keys_command.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | if [ -z "$1" ]; then
 4 |   exit 1
 5 | fi
 6 | 
 7 | aws iam list-ssh-public-keys --user-name "$1" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read KeyId; do
 8 |   aws iam get-ssh-public-key --user-name "$1" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
 9 | done
10 | 


--------------------------------------------------------------------------------
/ec2_vpc/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all plan apply destroy refresh
 2 | 
 3 | all: plan apply
 4 | 
 5 | refresh:
 6 | 	terraform refresh -var-file secret.tfvars
 7 | 
 8 | plan:
 9 | 	terraform plan -var-file secret.tfvars -out terraform.tfplan
10 | 
11 | apply:
12 | 	terraform apply -var-file secret.tfvars
13 | 
14 | destroy:
15 | 	terraform plan -destroy -var-file secret.tfvars -out terraform.tfplan
16 | 	terraform apply terraform.tfplan


--------------------------------------------------------------------------------
/ec2_vpc/files/authorized_keys_command.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | if [ -z "$1" ]; then
 4 |   exit 1
 5 | fi
 6 | 
 7 | aws iam list-ssh-public-keys --user-name "$1" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read KeyId; do
 8 |   aws iam get-ssh-public-key --user-name "$1" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
 9 | done
10 | 


--------------------------------------------------------------------------------
/ec2_simple/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all plan apply destroy refresh
 2 | 
 3 | all: plan apply
 4 | 
 5 | refresh:
 6 | 	terraform refresh -var-file secret.tfvars
 7 | 
 8 | plan:
 9 | 	terraform plan -var-file secret.tfvars -out terraform.tfplan
10 | 
11 | apply:
12 | 	terraform apply -var-file secret.tfvars
13 | 
14 | destroy:
15 | 	terraform plan -destroy -var-file secret.tfvars -out terraform.tfplan
16 | 	terraform apply terraform.tfplan


--------------------------------------------------------------------------------
/ec2_vpc_nokey/files/authorized_keys_command.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | if [ -z "$1" ]; then
 4 |   exit 1
 5 | fi
 6 | 
 7 | aws iam list-ssh-public-keys --user-name "$1" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read KeyId; do
 8 |   aws iam get-ssh-public-key --user-name "$1" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
 9 | done
10 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all plan apply destroy refresh
 2 | 
 3 | all: plan apply
 4 | 
 5 | refresh:
 6 | 	terraform refresh -var-file secret.tfvars
 7 | 
 8 | plan:
 9 | 	terraform plan -var-file secret.tfvars -out terraform.tfplan
10 | 
11 | apply:
12 | 	terraform apply -var-file secret.tfvars
13 | 
14 | destroy:
15 | 	terraform plan -destroy -var-file secret.tfvars -out terraform.tfplan
16 | 	terraform apply terraform.tfplan


--------------------------------------------------------------------------------
/ec2_simple_nokey/files/authorized_keys_command.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | if [ -z "$1" ]; then
 4 |   exit 1
 5 | fi
 6 | 
 7 | aws iam list-ssh-public-keys --user-name "$1" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read KeyId
 8 | do
 9 |   aws iam get-ssh-public-key --user-name "$1" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
10 | done
11 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all plan apply destroy refresh
 2 | 
 3 | all: plan apply
 4 | 
 5 | refresh:
 6 | 	terraform refresh -var-file secret.tfvars
 7 | 
 8 | plan:
 9 | 	terraform plan -var-file secret.tfvars -out terraform.tfplan
10 | 
11 | apply:
12 | 	terraform apply -var-file secret.tfvars
13 | 
14 | destroy:
15 | 	terraform plan -destroy -var-file secret.tfvars -out terraform.tfplan
16 | 	terraform apply terraform.tfplan


--------------------------------------------------------------------------------
/ec2_simple_nokey/files/import_users.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | aws iam list-users --query "Users[].[UserName]" --output text | while read User; do
 4 |   if id -u "$User" >/dev/null 2>&1; then
 5 |     echo "$User exists"
 6 |   else
 7 |     source /etc/os-release
 8 |     if [ "$NAME" == "Ubuntu" ] || [ "$NAME" == "Debian GNU/Linux" ]; then
 9 |       /usr/sbin/useradd -m "$User" -s /bin/bash
10 |     elif [ "$NAME" == "Amazon Linux AMI" ]; then
11 |       /usr/sbin/adduser "$User"
12 |     fi
13 |     echo "$User ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$User"
14 |   fi
15 | done
16 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/resources/instance_user_data.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install Git
 4 | sudo yum install -y git
 5 | 
 6 | # Fetch setup files from Github over HTTPS. You can choose any other secure way to fetch your setup files
 7 | cd /tmp
 8 | mkdir setup
 9 | cd setup/
10 | git init
11 | git remote add -f origin https://github.com/sportebois/aws-ec2-ssh-sync.git
12 | git config core.sparseCheckout true
13 | #echo "ec2_vpc_nokey/files/" >> .git/info/sparse-checkout
14 | echo "ec2_vpc/files/" >> .git/info/sparse-checkout
15 | git pull --depth=1 origin master
16 | 
17 | # Then run the setup
18 | #cd ec2_vpc_nokey/files
19 | cd ec2_vpc/files
20 | chmod +x *.sh
21 | sudo ./install.sh
22 | 


--------------------------------------------------------------------------------
/ec2_simple/files/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install PIP to be able to install the AWS Cli (later used to get the ssh keys)
 4 | #curl -O https://bootstrap.pypa.io/get-pip.py
 5 | #sudo python27 get-pip.py
 6 | #sudo /usr/local/bin/pip install awscli
 7 | 
 8 | sudo yum update -y
 9 | sudo yum install aws-cli -y
10 | 
11 | sudo cp authorized_keys_command.sh /opt/authorized_keys_command.sh
12 | sudo cp import_users.sh /opt/import_users.sh
13 | 
14 | sudo sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand /opt/authorized_keys_command.sh:g' /etc/ssh/sshd_config
15 | sudo sed -i 's:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config
16 | 
17 | # Refresh users frequently
18 | sudo cp import_users.cron /etc/cron.d/import_users
19 | sudo chmod 0644 /etc/cron.d/import_users
20 | 
21 | # Run it immediately
22 | sudo /opt/import_users.sh
23 | 
24 | sudo service sshd restart
25 | 


--------------------------------------------------------------------------------
/ec2_vpc/files/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install PIP to be able to install the AWS Cli (later used to get the ssh keys)
 4 | #curl -O https://bootstrap.pypa.io/get-pip.py
 5 | #sudo python27 get-pip.py
 6 | #sudo /usr/local/bin/pip install awscli
 7 | 
 8 | sudo yum update -y
 9 | sudo yum install aws-cli -y
10 | 
11 | sudo cp authorized_keys_command.sh /opt/authorized_keys_command.sh
12 | sudo cp import_users.sh /opt/import_users.sh
13 | 
14 | sudo sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand /opt/authorized_keys_command.sh:g' /etc/ssh/sshd_config
15 | sudo sed -i 's:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config
16 | 
17 | # Refresh users frequently
18 | sudo cp import_users.cron /etc/cron.d/import_users
19 | sudo chmod 0644 /etc/cron.d/import_users
20 | 
21 | # Run it immediately
22 | sudo /opt/import_users.sh
23 | 
24 | sudo service sshd restart
25 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/files/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install PIP to be able to install the AWS Cli (later used to get the ssh keys)
 4 | #curl -O https://bootstrap.pypa.io/get-pip.py
 5 | #sudo python27 get-pip.py
 6 | #sudo /usr/local/bin/pip install awscli
 7 | 
 8 | sudo yum update -y
 9 | sudo yum install aws-cli -y
10 | 
11 | sudo cp authorized_keys_command.sh /opt/authorized_keys_command.sh
12 | sudo cp import_users.sh /opt/import_users.sh
13 | 
14 | sudo sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand /opt/authorized_keys_command.sh:g' /etc/ssh/sshd_config
15 | sudo sed -i 's:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config
16 | 
17 | # Refresh users frequently
18 | sudo cp import_users.cron /etc/cron.d/import_users
19 | sudo chmod 0644 /etc/cron.d/import_users
20 | 
21 | # Run it immediately
22 | sudo /opt/import_users.sh
23 | 
24 | sudo service sshd restart
25 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/files/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install AWS Cli
 4 | source /etc/os-release
 5 | if [ "$NAME" == "Ubuntu" ] || [ "$NAME" == "Debian GNU/Linux" ]; then
 6 |   ssh_service="ssh"
 7 |   sudo apt-get update
 8 |   sudo apt-get -y install python-pip
 9 |   sudo pip install awscli
10 | elif [ "$NAME" == "Amazon Linux AMI" ]; then
11 |   ssh_service="sshd"
12 |   sudo yum update -y
13 |   sudo yum install aws-cli -y
14 | fi
15 | 
16 | sudo cp authorized_keys_command.sh /opt/authorized_keys_command.sh
17 | sudo cp import_users.sh /opt/import_users.sh
18 | 
19 | sudo echo -e "\nAuthorizedKeysCommand /opt/authorized_keys_command.sh" >> /etc/ssh/sshd_config
20 | sudo echo -e "\nAuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
21 | 
22 | # Refresh users frequently
23 | sudo cp import_users.cron /etc/cron.d/import_users
24 | sudo chmod 0644 /etc/cron.d/import_users
25 | 
26 | # Run it immediately
27 | sudo /opt/import_users.sh
28 | 
29 | sudo service $ssh_service restart
30 | 


--------------------------------------------------------------------------------
/ec2_vpc/iam.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # Caveat: AWS instance profiles only allows 1 role/1 profile
 3 | # "Roles in an instance profile: 1 (each instance profile can contain only 1 role)"
 4 | # Learn more: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
 5 | 
 6 | 
 7 | resource "aws_iam_role" "ssh" {
 8 |   name = "ssh"
 9 |   assume_role_policy = "${file("resources/iam_assume_role_policy.json")}"
10 | }
11 | 
12 | 
13 | resource "aws_iam_role_policy" "ssh" {
14 |   name = "ssh"
15 |   role = "${aws_iam_role.ssh.id}"
16 |   policy = "${data.template_file.iam_role_policy.rendered}"
17 | }
18 | 
19 | 
20 | resource "aws_iam_instance_profile" "ssh_test_demo" {
21 |   name = "ssh_test_demo"
22 |   roles = ["${aws_iam_role.ssh.name}"]
23 | }
24 | 
25 | 
26 | # The policy json has some dynamic content, like our AWS account.
27 | data "template_file" "iam_role_policy" {
28 |   template = "${file("resources/iam_role_policy.template.json")}"
29 | 
30 |   vars {
31 |     aws_account = "${var.aws_account}"
32 |   }
33 | }
34 | 


--------------------------------------------------------------------------------
/ec2_simple/iam.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # Caveat: AWS instance profiles oonly allows 1 role/1 profile
 3 | # "Roles in an instance profile: 1 (each instance profile can contain only 1 role)"
 4 | # Learn more: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
 5 | 
 6 | 
 7 | resource "aws_iam_role" "ssh" {
 8 |   name = "ssh"
 9 |   assume_role_policy = "${file("resources/iam_assume_role_policy.json")}"
10 | }
11 | 
12 | 
13 | resource "aws_iam_role_policy" "ssh" {
14 |   name = "ssh"
15 |   role = "${aws_iam_role.ssh.id}"
16 |   policy = "${data.template_file.iam_role_policy.rendered}"
17 | }
18 | 
19 | 
20 | resource "aws_iam_instance_profile" "ssh_test_demo" {
21 |   name = "ssh_test_demo"
22 |   roles = ["${aws_iam_role.ssh.name}"]
23 | }
24 | 
25 | 
26 | # The policy json has some dynamic content, like our AWS account.
27 | data "template_file" "iam_role_policy" {
28 |   template = "${file("resources/iam_role_policy.template.json")}"
29 | 
30 |   vars {
31 |     aws_account = "${var.aws_account}"
32 |   }
33 | }
34 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/iam.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # Caveat: AWS instance profiles oonly allows 1 role/1 profile
 3 | # "Roles in an instance profile: 1 (each instance profile can contain only 1 role)"
 4 | # Learn more: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
 5 | 
 6 | 
 7 | resource "aws_iam_role" "ssh" {
 8 |   name = "ssh"
 9 |   assume_role_policy = "${file("resources/iam_assume_role_policy.json")}"
10 | }
11 | 
12 | 
13 | resource "aws_iam_role_policy" "ssh" {
14 |   name = "ssh"
15 |   role = "${aws_iam_role.ssh.id}"
16 |   policy = "${data.template_file.iam_role_policy.rendered}"
17 | }
18 | 
19 | 
20 | resource "aws_iam_instance_profile" "ssh_test_demo" {
21 |   name = "ssh_test_demo"
22 |   roles = ["${aws_iam_role.ssh.name}"]
23 | }
24 | 
25 | 
26 | # The policy json has some dynamic content, like our AWS account.
27 | data "template_file" "iam_role_policy" {
28 |   template = "${file("resources/iam_role_policy.template.json")}"
29 | 
30 |   vars {
31 |     aws_account = "${var.aws_account}"
32 |   }
33 | }
34 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/iam.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # Caveat: AWS instance profiles oonly allows 1 role/1 profile
 3 | # "Roles in an instance profile: 1 (each instance profile can contain only 1 role)"
 4 | # Learn more: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
 5 | 
 6 | 
 7 | resource "aws_iam_role" "ssh" {
 8 |   name = "ssh"
 9 |   assume_role_policy = "${file("resources/iam_assume_role_policy.json")}"
10 | }
11 | 
12 | 
13 | resource "aws_iam_role_policy" "ssh" {
14 |   name = "ssh"
15 |   role = "${aws_iam_role.ssh.id}"
16 |   policy = "${data.template_file.iam_role_policy.rendered}"
17 | }
18 | 
19 | 
20 | resource "aws_iam_instance_profile" "ssh_test_demo" {
21 |   name = "ssh_test_demo"
22 |   roles = ["${aws_iam_role.ssh.name}"]
23 | }
24 | 
25 | 
26 | # The policy json has some dynamic content, like our AWS account.
27 | data "template_file" "iam_role_policy" {
28 |   template = "${file("resources/iam_role_policy.template.json")}"
29 | 
30 |   vars {
31 |     aws_account = "${var.aws_account}"
32 |   }
33 | }
34 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/resources/instance_user_data.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install Git
 4 | source /etc/os-release
 5 | if [ "$NAME" == "Ubuntu" ] || [ "$NAME" == "Debian GNU/Linux" ]; then
 6 |   sudo apt-get -y install git
 7 | elif [ "$NAME" == "Amazon Linux AMI" ]; then
 8 |   sudo yum install -y git
 9 | fi
10 | 
11 | # Fetch setup files from Github over HTTPS. You can choose any other secure way to fetch your setup files
12 | cd /tmp
13 | mkdir setup
14 | cd setup/
15 | git init
16 | git remote add -f origin https://github.com/sportebois/aws-ec2-ssh-sync.git
17 | git config core.sparseCheckout true
18 | echo "ec2_simple_nokey/files/" >> .git/info/sparse-checkout
19 | git pull --depth=1 origin master
20 | 
21 | # Then run the setup
22 | cd ec2_simple_nokey/files
23 | chmod +x *.sh
24 | sudo ./install.sh
25 | 
26 | # In some real ECS use, you'd might want to add the following lines and use a Terraform template_file (or directly the value)
27 | # Make sure the instance has the correct cluster registered
28 | # echo ECS_CLUSTER=${ecs_cluster_name} >> /etc/ecs/ecs.config
29 | 


--------------------------------------------------------------------------------
/ec2_simple/security.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | # --- A security group is needed only to be able to connect to our instance
 4 | resource "aws_security_group" "ssh_test_demo" {
 5 |   name = "ssh_test_demo"
 6 |   description = "Allow all inbound traffic"
 7 | 
 8 |   // Note: For ecs usage, Https outboud traffic to ssm.us-east-1.amazonaws.com and https://ecs.us-east-1.amazonaws.com must be allowed
 9 | 
10 |   # SSH config
11 |   ingress {
12 |     from_port = 22
13 |     to_port   = 22
14 |     protocol  = "tcp"
15 |     cidr_blocks = "${var.admin_public_ips}"
16 |   }
17 | 
18 |   # Web traffic
19 |   ingress {
20 |     from_port = 443
21 |     to_port   = 443
22 |     protocol  = "tcp"
23 |     cidr_blocks = ["0.0.0.0/0"]
24 |   }
25 | 
26 |   ingress {
27 |     from_port = 80
28 |     to_port   = 80
29 |     protocol  = "tcp"
30 |     cidr_blocks = ["0.0.0.0/0"]
31 |   }
32 | 
33 |   egress {
34 |       from_port = 0
35 |       to_port = 0
36 |       protocol = "-1"
37 |       cidr_blocks = ["0.0.0.0/0"]
38 |   }
39 | 
40 |   tags {
41 |     Scope = "ssh_test_demo"
42 |   }
43 | }
44 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/security.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | # --- A security group is needed only to be able to connect to our instance
 4 | resource "aws_security_group" "ssh_test_demo" {
 5 |   name = "ssh_test_demo"
 6 |   description = "Allow all inbound traffic"
 7 | 
 8 |   // Note: For ecs usage, Https outbound traffic to ssm.us-east-1.amazonaws.com and https://ecs.us-east-1.amazonaws.com must be allowed
 9 | 
10 |   # SSH config
11 |   ingress {
12 |     from_port = 22
13 |     to_port   = 22
14 |     protocol  = "tcp"
15 |     cidr_blocks = "${var.admin_public_ips}"
16 |   }
17 | 
18 |   # Web traffic
19 |   ingress {
20 |     from_port = 443
21 |     to_port   = 443
22 |     protocol  = "tcp"
23 |     cidr_blocks = ["0.0.0.0/0"]
24 |   }
25 | 
26 |   ingress {
27 |     from_port = 80
28 |     to_port   = 80
29 |     protocol  = "tcp"
30 |     cidr_blocks = ["0.0.0.0/0"]
31 |   }
32 | 
33 |   egress {
34 |       from_port = 0
35 |       to_port = 0
36 |       protocol = "-1"
37 |       cidr_blocks = ["0.0.0.0/0"]
38 |   }
39 | 
40 |   tags {
41 |     Scope = "ssh_test_demo"
42 |   }
43 | }
44 | 


--------------------------------------------------------------------------------
/ec2_simple/variables.tf:
--------------------------------------------------------------------------------
 1 | # Do not change the values here, but rather place them in secret.tfvars (gitignored) or in another tfvars file to pass to Terraform
 2 | 
 3 | variable "aws_access_key" {
 4 |   description = "A valid AWS ACCESS KEY"
 5 |   type = "string"
 6 | }
 7 | 
 8 | variable "aws_secret_key" {
 9 |   description = "A valid AWS SECRET KEY"
10 |   type = "string"
11 | }
12 | 
13 | variable "aws_account" {
14 |   description = "Your AWS Account number"
15 |   type = "string"
16 | }
17 | 
18 | variable "aws_region" {
19 |   type = "string"
20 |   default = "us-east-1"
21 | }
22 | 
23 | variable "private_key_name" {
24 |   description = "Name of the EC2 private key to use to provision the instances in that region."
25 |   type = "string"
26 | }
27 | 
28 | variable "private_key_path" {
29 |   description = "Path to the private key registred to EC2 keypair with the name put in private_key_name"
30 |   type = "string"
31 | }
32 | 
33 | variable "admin_public_ips" {
34 |   description = "List of public IPs to grant access to the EC2 instances"
35 |   type = "list"
36 |   default = [
37 |     "0.0.0.0/0"
38 |   ]
39 | }
40 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2016-2019 Sébastien Portebois
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/ec2.tf:
--------------------------------------------------------------------------------
 1 | # --- Some instance to run our services onto
 2 | 
 3 | resource "aws_instance" "ssh_test_demo" {
 4 | 
 5 |   ami = "${lookup(var.aws_ami, var.aws_region)}"
 6 |   availability_zone = "${lookup(var.aws_availability_zone, var.aws_region)}"
 7 | 
 8 |   # Check http://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html for the ami ids for each region
 9 |   # If we really want to handle multiple regions, this should come from a Map
10 |   instance_type = "t2.micro"
11 | 
12 |   iam_instance_profile = "${aws_iam_instance_profile.ssh_test_demo.name}"
13 | 
14 |   security_groups = ["${aws_security_group.ssh_test_demo.name}"]
15 | 
16 |   # Default key for ec2 user ssh access
17 |   key_name = "${var.private_key_name}"
18 | 
19 |   user_data = "${file("resources/instance_user_data.sh")}"
20 | 
21 |   tags {
22 |     Name = "ssh_test_demo"
23 |   }
24 | }
25 | 
26 | 
27 | # --- Define some output to easily get the public IP
28 | 
29 | output "ec2_instance_public_dns" {
30 |   value = "${aws_instance.ssh_test_demo.public_dns}"
31 | }
32 | output "ec2_instance_public_ip" {
33 |   value = "${aws_instance.ssh_test_demo.public_ip}"
34 | }
35 | 


--------------------------------------------------------------------------------
/ec2_vpc/variables.tf:
--------------------------------------------------------------------------------
 1 | # Do not change the values here, but rather place them in secret.tfvars (gitignored) or in another tfvars file to pass to Terraform
 2 | 
 3 | variable "aws_access_key" {
 4 |   description = "A valid AWS ACCESS KEY"
 5 |   type = "string"
 6 | }
 7 | 
 8 | variable "aws_secret_key" {
 9 |   description = "A valid AWS SECRET KEY"
10 |   type = "string"
11 | }
12 | 
13 | variable "aws_account" {
14 |   description = "Your AWS Account number"
15 |   type = "string"
16 | }
17 | 
18 | variable "aws_region" {
19 |   type = "string"
20 |   default = "us-east-1"
21 | }
22 | 
23 | variable "private_key_name" {
24 |   description = "Name of the EC2 private key to use to provision the instances in that region."
25 |   type = "string"
26 | }
27 | 
28 | variable "private_key_path" {
29 |   description = "Path to the private key registred to EC2 keypair with the name put in private_key_name"
30 |   type = "string"
31 | }
32 | 
33 | variable "admin_public_ips" {
34 |   description = "List of public IPs to grant access to the EC2 instances"
35 |   type = "list"
36 |   default = [
37 |     "0.0.0.0/0"
38 |   ]
39 |   /*
40 |   Sample white-list:
41 |   default = ["75.98.128.74/32"]
42 |   */
43 | }
44 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/ec2.tf:
--------------------------------------------------------------------------------
 1 | # --- Some instance to run our services onto
 2 | 
 3 | resource "aws_instance" "ssh_test_demo" {
 4 | 
 5 |   ami = "${lookup(var.aws_ami, var.aws_region)}"
 6 |   availability_zone = "${lookup(var.aws_availability_zone, var.aws_region)}"
 7 |   # Check http://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html for the ami ids for each region
 8 |   # If we really want to handle multiple regions, this should come from a Map
 9 |   instance_type = "t2.micro"
10 | 
11 |   iam_instance_profile = "${aws_iam_instance_profile.ssh_test_demo.name}"
12 | 
13 |   vpc_security_group_ids = ["${aws_security_group.ssh_test_demo.id}"]
14 |   subnet_id = "${aws_subnet.subnet1-public.id}"
15 |   associate_public_ip_address = true
16 | 
17 |   # Default key for ec2 user ssh access
18 |   key_name = "${var.private_key_name}"
19 | 
20 |   user_data = "${file("resources/instance_user_data.sh")}"
21 | 
22 |   tags {
23 |     Name = "ssh_test_demo"
24 |   }
25 | }
26 | 
27 | 
28 | # --- Define some output to easily get the public IP if we want to ssh into the instances
29 | 
30 | output "ec2_instance_public_dns" {
31 |   value = "${aws_instance.ssh_test_demo.public_dns}"
32 | }
33 | output "ec2_instance_public_ip" {
34 |   value = "${aws_instance.ssh_test_demo.public_ip}"
35 | }
36 | 


--------------------------------------------------------------------------------
/ec2_simple/resources/iam_role_policy.template.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Sid": "AllowGetAWSUserNames",
 6 |       "Effect": "Allow",
 7 |       "Action": [
 8 |         "iam:ListUsers"
 9 |       ],
10 |       "Resource": [
11 |         "*"
12 |       ]
13 |     },
14 |     {
15 |       "Sid": "AllowFetchAWSUserSSHKeys",
16 |       "Effect": "Allow",
17 |       "Action": [
18 |         "iam:ListSSHPublicKeys",
19 |         "iam:GetSSHPublicKey"
20 |       ],
21 |       "Resource": "arn:aws:iam::${aws_account}:user/*"
22 |     },
23 |     {
24 |       "Sid": "PolicyForECSInstances",
25 |       "Effect": "Allow",
26 |       "Action": [
27 |         "ecs:CreateCluster",
28 |         "ecs:DeregisterContainerInstance",
29 |         "ecs:DiscoverPollEndpoint",
30 |         "ecs:Poll",
31 |         "ecs:RegisterContainerInstance",
32 |         "ecs:StartTelemetrySession",
33 |         "ecs:Submit*",
34 |         "ecr:GetAuthorizationToken",
35 |         "ecr:BatchCheckLayerAvailability",
36 |         "ecr:GetDownloadUrlForLayer",
37 |         "ecr:BatchGetImage",
38 |         "ecs:StartTask",
39 |         "logs:CreateLogGroup",
40 |         "logs:CreateLogStream",
41 |         "logs:DescribeLogStreams",
42 |         "logs:PutLogEvents"
43 |       ],
44 |       "Resource": "*"
45 |     }
46 |   ]
47 | }


--------------------------------------------------------------------------------
/ec2_vpc/resources/iam_role_policy.template.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Sid": "AllowGetAWSUserNames",
 6 |       "Effect": "Allow",
 7 |       "Action": [
 8 |         "iam:ListUsers"
 9 |       ],
10 |       "Resource": [
11 |         "*"
12 |       ]
13 |     },
14 |     {
15 |       "Sid": "AllowFetchAWSUserSSHKeys",
16 |       "Effect": "Allow",
17 |       "Action": [
18 |         "iam:ListSSHPublicKeys",
19 |         "iam:GetSSHPublicKey"
20 |       ],
21 |       "Resource": "arn:aws:iam::${aws_account}:user/*"
22 |     },
23 |     {
24 |       "Sid": "PolicyForECSInstances",
25 |       "Effect": "Allow",
26 |       "Action": [
27 |         "ecs:CreateCluster",
28 |         "ecs:DeregisterContainerInstance",
29 |         "ecs:DiscoverPollEndpoint",
30 |         "ecs:Poll",
31 |         "ecs:RegisterContainerInstance",
32 |         "ecs:StartTelemetrySession",
33 |         "ecs:Submit*",
34 |         "ecr:GetAuthorizationToken",
35 |         "ecr:BatchCheckLayerAvailability",
36 |         "ecr:GetDownloadUrlForLayer",
37 |         "ecr:BatchGetImage",
38 |         "ecs:StartTask",
39 |         "logs:CreateLogGroup",
40 |         "logs:CreateLogStream",
41 |         "logs:DescribeLogStreams",
42 |         "logs:PutLogEvents"
43 |       ],
44 |       "Resource": "*"
45 |     }
46 |   ]
47 | }


--------------------------------------------------------------------------------
/ec2_vpc_nokey/resources/iam_role_policy.template.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Sid": "AllowGetAWSUserNames",
 6 |       "Effect": "Allow",
 7 |       "Action": [
 8 |         "iam:ListUsers"
 9 |       ],
10 |       "Resource": [
11 |         "*"
12 |       ]
13 |     },
14 |     {
15 |       "Sid": "AllowFetchAWSUserSSHKeys",
16 |       "Effect": "Allow",
17 |       "Action": [
18 |         "iam:ListSSHPublicKeys",
19 |         "iam:GetSSHPublicKey"
20 |       ],
21 |       "Resource": "arn:aws:iam::${aws_account}:user/*"
22 |     },
23 |     {
24 |       "Sid": "PolicyForECSInstances",
25 |       "Effect": "Allow",
26 |       "Action": [
27 |         "ecs:CreateCluster",
28 |         "ecs:DeregisterContainerInstance",
29 |         "ecs:DiscoverPollEndpoint",
30 |         "ecs:Poll",
31 |         "ecs:RegisterContainerInstance",
32 |         "ecs:StartTelemetrySession",
33 |         "ecs:Submit*",
34 |         "ecr:GetAuthorizationToken",
35 |         "ecr:BatchCheckLayerAvailability",
36 |         "ecr:GetDownloadUrlForLayer",
37 |         "ecr:BatchGetImage",
38 |         "ecs:StartTask",
39 |         "logs:CreateLogGroup",
40 |         "logs:CreateLogStream",
41 |         "logs:DescribeLogStreams",
42 |         "logs:PutLogEvents"
43 |       ],
44 |       "Resource": "*"
45 |     }
46 |   ]
47 | }


--------------------------------------------------------------------------------
/ec2_simple_nokey/resources/iam_role_policy.template.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Sid": "AllowGetAWSUserNames",
 6 |       "Effect": "Allow",
 7 |       "Action": [
 8 |         "iam:ListUsers"
 9 |       ],
10 |       "Resource": [
11 |         "*"
12 |       ]
13 |     },
14 |     {
15 |       "Sid": "AllowFetchAWSUserSSHKeys",
16 |       "Effect": "Allow",
17 |       "Action": [
18 |         "iam:ListSSHPublicKeys",
19 |         "iam:GetSSHPublicKey"
20 |       ],
21 |       "Resource": "arn:aws:iam::${aws_account}:user/*"
22 |     },
23 |     {
24 |       "Sid": "PolicyForECSInstances",
25 |       "Effect": "Allow",
26 |       "Action": [
27 |         "ecs:CreateCluster",
28 |         "ecs:DeregisterContainerInstance",
29 |         "ecs:DiscoverPollEndpoint",
30 |         "ecs:Poll",
31 |         "ecs:RegisterContainerInstance",
32 |         "ecs:StartTelemetrySession",
33 |         "ecs:Submit*",
34 |         "ecr:GetAuthorizationToken",
35 |         "ecr:BatchCheckLayerAvailability",
36 |         "ecr:GetDownloadUrlForLayer",
37 |         "ecr:BatchGetImage",
38 |         "ecs:StartTask",
39 |         "logs:CreateLogGroup",
40 |         "logs:CreateLogStream",
41 |         "logs:DescribeLogStreams",
42 |         "logs:PutLogEvents"
43 |       ],
44 |       "Resource": "*"
45 |     }
46 |   ]
47 | }


--------------------------------------------------------------------------------
/ec2_simple/ec2.tf:
--------------------------------------------------------------------------------
 1 | # --- Some instance to run our services onto
 2 | 
 3 | resource "aws_instance" "ssh_test_demo" {
 4 | 
 5 |   # Check http://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html for the AMI ids for each region
 6 |   # or check other sample for using an HCL map to only set the region
 7 |   ami = "ami-55870742" # ECS-optimized AMI for us-east-1
 8 |   availability_zone = "us-east-1b"
 9 | 
10 |   instance_type = "t2.micro"
11 | 
12 |   iam_instance_profile = "${aws_iam_instance_profile.ssh_test_demo.name}"
13 | 
14 |   security_groups = ["${aws_security_group.ssh_test_demo.name}"]
15 | 
16 |   key_name = "${var.private_key_name}"
17 | 
18 |   # Connection used by the provisionners below to access the instance
19 |   connection {
20 |     user = "ec2-user"
21 |     private_key = "${file(var.private_key_path)}"
22 |   }
23 | 
24 |   provisioner "remote-exec" {
25 |     inline = [
26 |       "mkdir -p /home/ec2-user/tf_files"
27 |     ]
28 |   }
29 | 
30 |   # Copy the ssh-updates file to the new instance
31 |   provisioner "file" {
32 |     source = "files/"
33 |     destination = "/home/ec2-user/tf_files"
34 |   }
35 | 
36 |   user_data = <<EOF
37 | #!/bin/bash
38 | cd /home/ec2-user/tf_files
39 | chmod +x *.sh
40 | sudo ./install.sh
41 | EOF
42 | 
43 |   tags {
44 |     Name = "ssh_test_demo"
45 |   }
46 | }
47 | 
48 | 
49 | 
50 | # --- Define some output to easily get the public IP if we want to ssh into the instances
51 | 
52 | output "ec2_instance_public_dns" {
53 |   value = "${aws_instance.ssh_test_demo.public_dns}"
54 | }
55 | output "ec2_instance_public_ip" {
56 |   value = "${aws_instance.ssh_test_demo.public_ip}"
57 | }
58 | 


--------------------------------------------------------------------------------
/ec2_vpc/ec2.tf:
--------------------------------------------------------------------------------
 1 | # --- Some instance to run our services onto
 2 | 
 3 | resource "aws_instance" "ssh_test_demo" {
 4 | 
 5 |   ami = "ami-55870742" # ECS-optimized AMI for us-east-1
 6 |   availability_zone = "us-east-1b"
 7 |   # Check http://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html for the ami ids for each region
 8 |   # If we really want to handle multiple regions, this should come from a Map
 9 |   instance_type = "t2.micro"
10 | 
11 |   iam_instance_profile = "${aws_iam_instance_profile.ssh_test_demo.name}"
12 | 
13 |   // security_groups = ["${aws_security_group.ssh_test_demo.id}"]
14 |   vpc_security_group_ids = ["${aws_security_group.ssh_test_demo.id}"]
15 |   subnet_id = "${aws_subnet.subnet1.id}"
16 |   associate_public_ip_address = true
17 | 
18 |   # Default key for ec2 user ssh access
19 |   key_name = "${var.private_key_name}"
20 | 
21 | 
22 |   # Connection used by the provisionners below to access the instance
23 |   connection {
24 |     user = "ec2-user"
25 |     private_key = "${file(var.private_key_path)}"
26 |   }
27 | 
28 |   provisioner "remote-exec" {
29 |     inline = [
30 |       "mkdir -p /home/ec2-user/tf_files"
31 |     ]
32 |   }
33 | 
34 |   # Copy the ssh-updates file to the new instance
35 |   provisioner "file" {
36 |     source = "files/"
37 |     destination = "/home/ec2-user/tf_files"
38 |   }
39 | 
40 |   user_data = <<EOF
41 | #!/bin/bash
42 | cd /home/ec2-user/tf_files
43 | chmod +x *.sh
44 | sudo ./install.sh
45 | EOF
46 | 
47 |   tags {
48 |     Name = "ssh_test_demo"
49 |   }
50 | }
51 | 
52 | 
53 | 
54 | # --- Define some output to easily get the public IP if we want to ssh into the instances
55 | 
56 | output "ec2_instance_public_dns" {
57 |   value = "${aws_instance.ssh_test_demo.public_dns}"
58 | }
59 | output "ec2_instance_public_ip" {
60 |   value = "${aws_instance.ssh_test_demo.public_ip}"
61 | }
62 | 


--------------------------------------------------------------------------------
/ec2_simple_nokey/variables.tf:
--------------------------------------------------------------------------------
 1 | # Do not change the values here, but rather place them in secret.tfvars (gitignored) or in another tfvars file to pass to Terraform
 2 | 
 3 | variable "aws_access_key" {
 4 |   description = "A valid AWS ACCESS KEY"
 5 |   type = "string"
 6 | }
 7 | 
 8 | variable "aws_secret_key" {
 9 |   description = "A valid AWS SECRET KEY"
10 |   type = "string"
11 | }
12 | 
13 | variable "aws_account" {
14 |   description = "Your AWS Account number"
15 |   type = "string"
16 | }
17 | 
18 | variable "aws_region" {
19 |   type = "string"
20 |   default = "us-east-1"
21 | }
22 | 
23 | variable "private_key_name" {
24 |   description = "Name of the EC2 private key to use to provision the instances in that region."
25 |   type = "string"
26 | }
27 | 
28 | variable "admin_public_ips" {
29 |   description = "List of public IPs to grant access to the EC2 instances"
30 |   type = "list"
31 |   default = [
32 |     "0.0.0.0/0"
33 |   ]
34 | }
35 | 
36 | 
37 | # ECS optimized AMIs
38 | # Some regions and availability zones are ignored here, because of lack of support for ECS (our use case), but edit/complete this at will
39 | # No ECS support in Seoul, so we ignore ap-northeast-2
40 | # No ECS support in Mumbai, so we ignore ap-south-1
41 | # No ECS support in Sao Paulo, so we ignore sa-east-1
42 | 
43 | variable "aws_ami" {
44 |   description = "amazon-ecs-optimized AMI (amzn-ami-2016.09.b-amazon-ecs-optimized)"
45 |   type = "map"
46 |   default = {
47 |     us-east-1 = "ami-eca289fb"
48 |     us-east-2 = "ami-446f3521"
49 |     us-west-1 = "ami-9fadf8ff"
50 |     us-west-2 = "ami-7abc111a"
51 |     eu-west-1 = "ami-a1491ad2"
52 |     eu-central-1 = "ami-54f5303b"
53 |     ap-northeast-1 = "ami-9cd57ffd"
54 |     ap-southeast-1 = "ami-a900a3ca"
55 |     ap-southeast-2 = "ami-5781be34"
56 |   }
57 | }
58 | 
59 | # Because in this simple sample we're only targeting a single AZ for each region, we just need a simple map
60 | variable "aws_availability_zone" {
61 |   type = "map"
62 |   default = {
63 |     us-east-1 = "us-east-1b"
64 |     us-east-2 = "us-east-2b"
65 |     us-west-1 = "us-west-1b"
66 |     us-west-2 = "us-west-2b"
67 |     eu-west-1 = "eu-west-1b"
68 |     eu-central-1 = "eu-central-1b"
69 |     ap-northeast-1 = "ap-northeast-c"
70 |     ap-southeast-1 = "ap-southeast-1b"
71 |     ap-southeast-2 = "ap-southeast-2b"
72 |   }
73 | }
74 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/variables.tf:
--------------------------------------------------------------------------------
 1 | # Do not change the values here, but rather place them in secret.tfvars (gitignored) or in another tfvars file to pass to Terraform
 2 | 
 3 | variable "aws_access_key" {
 4 |   description = "A valid AWS ACCESS KEY"
 5 |   type = "string"
 6 | }
 7 | 
 8 | variable "aws_secret_key" {
 9 |   description = "A valid AWS SECRET KEY"
10 |   type = "string"
11 | }
12 | 
13 | variable "aws_account" {
14 |   description = "Your AWS Account number"
15 |   type = "string"
16 | }
17 | 
18 | variable "aws_region" {
19 |   type = "string"
20 |   default = "us-east-1"
21 | }
22 | 
23 | variable "private_key_name" {
24 |   description = "Name of the EC2 private key to use to provision the instances in that region."
25 |   type = "string"
26 | }
27 | 
28 | variable "private_key_path" {
29 |   description = "Path to the private key registred to EC2 keypair with the name put in private_key_name"
30 |   type = "string"
31 | }
32 | 
33 | variable "admin_public_ips" {
34 |   description = "List of public IPs to grant access to the EC2 instances"
35 |   type = "list"
36 |   default = [
37 |     "0.0.0.0/0"
38 |   ]
39 |   /*
40 |   Sample white-list:
41 |   default = ["75.98.128.74/32"]
42 |   */
43 | }
44 | 
45 | 
46 | # ECS optimized AMIs
47 | # Some regions and availability zones are ignored here, because of lack of support for ECS (our use case), but edit/complete this at will
48 | # No ECS support in Seoul, so we ignore ap-northeast-2
49 | # No ECS support in Mumbai, so we ignore ap-south-1
50 | # No ECS support in Sao Paulo, so we ignore sa-east-1
51 | 
52 | variable "aws_ami" {
53 |   description = "amazon-ecs-optimized AMI (amzn-ami-2016.09.b-amazon-ecs-optimized)"
54 |   type = "map"
55 |   default = {
56 |     us-east-1 = "ami-eca289fb"
57 |     us-east-2 = "ami-446f3521"
58 |     us-west-1 = "ami-9fadf8ff"
59 |     us-west-2 = "ami-7abc111a"
60 |     eu-west-1 = "ami-a1491ad2"
61 |     eu-central-1 = "ami-54f5303b"
62 |     ap-northeast-1 = "ami-9cd57ffd"
63 |     ap-southeast-1 = "ami-a900a3ca"
64 |     ap-southeast-2 = "ami-5781be34"
65 |   }
66 | }
67 | 
68 | # Because in this simple sample we're only targeting a single AZ for each region, we just need a simple map
69 | variable "aws_availability_zone" {
70 |   type = "map"
71 |   default = {
72 |     us-east-1 = "us-east-1b"
73 |     us-east-2 = "us-east-2b"
74 |     us-west-1 = "us-west-1b"
75 |     us-west-2 = "us-west-2b"
76 |     eu-west-1 = "eu-west-1b"
77 |     eu-central-1 = "eu-central-1b"
78 |     ap-northeast-1 = "ap-northeast-c"
79 |     ap-southeast-1 = "ap-southeast-1b"
80 |     ap-southeast-2 = "ap-southeast-2b"
81 |   }
82 | }
83 | 


--------------------------------------------------------------------------------
/ec2_vpc/security.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | resource "aws_vpc" "ssh_test_demo" {
  4 |   # For real use-case, you'd probably prefer something more restrictive to avoir overlaping between different regions
  5 |   cidr_block = "10.0.0.0/16"
  6 | 
  7 |   tags {
  8 |     Name = "ssh_test_demo"
  9 |   }
 10 | }
 11 | 
 12 | # Configure internet connection
 13 | resource "aws_internet_gateway" "ssh_test_demo" {
 14 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 15 | 
 16 |   tags {
 17 |     Name = "ssh_test_demo"
 18 |   }
 19 | }
 20 | 
 21 | # Public subnets
 22 | 
 23 | resource "aws_subnet" "subnet1" {
 24 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 25 | 
 26 |   cidr_block = "10.0.0.0/24"
 27 |   availability_zone = "us-east-1b"
 28 | 
 29 |   tags {
 30 |     Name = "ssh_test_demo"
 31 |   }
 32 | }
 33 | 
 34 | 
 35 | resource "aws_route_table" "route1" {
 36 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 37 | 
 38 |   route {
 39 |     cidr_block = "0.0.0.0/0"
 40 |     gateway_id = "${aws_internet_gateway.ssh_test_demo.id}"
 41 |   }
 42 | 
 43 |   tags {
 44 |     Name = "ssh_test_demo"
 45 |   }
 46 | }
 47 | 
 48 | 
 49 | resource "aws_route_table_association" "us-east-1b-public" {
 50 |   subnet_id = "${aws_subnet.subnet1.id}"
 51 |   route_table_id = "${aws_route_table.route1.id}"
 52 | }
 53 | 
 54 | 
 55 | // ElasticIP isn't required, you can leave this commented or enable it. It's useful when you have multiple AZ.
 56 | //resource "aws_eip" "ip" {
 57 | //  instance = "${aws_instance.ssh_test_demo.id}"
 58 | //  vpc = true
 59 | //}
 60 | //
 61 | //output "elastic_ip_used" {
 62 | //  value = "${aws_eip.ip.public_ip}"
 63 | //}
 64 | 
 65 | 
 66 | # --- A security group is needed only to be able to connect to our instance
 67 | resource "aws_security_group" "ssh_test_demo" {
 68 |   name = "ssh_test_demo"
 69 |   description = "Allow all inbound traffic"
 70 | 
 71 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 72 | 
 73 |   // Note: For ecs usage, Https outboud traffic to ssm.us-east-1.amazonaws.com and https://ecs.us-east-1.amazonaws.com must be allowed
 74 | 
 75 |   # SSH config
 76 |   ingress {
 77 |     from_port = 22
 78 |     to_port   = 22
 79 |     protocol  = "tcp"
 80 |     cidr_blocks = "${var.admin_public_ips}"
 81 |   }
 82 | 
 83 |   # Web traffic
 84 |   ingress {
 85 |     from_port = 443
 86 |     to_port   = 443
 87 |     protocol  = "tcp"
 88 |     cidr_blocks = ["0.0.0.0/0"]
 89 |   }
 90 | 
 91 |   ingress {
 92 |     from_port = 80
 93 |     to_port   = 80
 94 |     protocol  = "tcp"
 95 |     cidr_blocks = ["0.0.0.0/0"]
 96 |   }
 97 | 
 98 |   egress {
 99 |       from_port = 0
100 |       to_port = 0
101 |       protocol = "-1"
102 |       cidr_blocks = ["0.0.0.0/0"]
103 |   }
104 | 
105 |   tags {
106 |     Scope = "ssh_test_demo"
107 |   }
108 | }
109 | 


--------------------------------------------------------------------------------
/ec2_vpc_nokey/security.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | resource "aws_vpc" "ssh_test_demo" {
  4 |   # For real use-case, you'd probably prefer something more restrictive to avoir overlaping between different regions
  5 |   cidr_block = "10.0.0.0/16"
  6 | 
  7 |   tags {
  8 |     Name = "ssh_test_demo"
  9 |   }
 10 | }
 11 | 
 12 | # Configure internet connection
 13 | resource "aws_internet_gateway" "ssh_test_demo" {
 14 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 15 | 
 16 |   tags {
 17 |     Name = "ssh_test_demo"
 18 |   }
 19 | }
 20 | 
 21 | # Public subnets
 22 | 
 23 | resource "aws_subnet" "subnet1-public" {
 24 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 25 | 
 26 |   cidr_block = "10.0.0.0/24"
 27 |   availability_zone = "${lookup(var.aws_availability_zone, var.aws_region)}"
 28 | 
 29 |   tags {
 30 |     Name = "ssh_test_demo"
 31 |   }
 32 | }
 33 | 
 34 | //resource "aws_subnet" "subnet2-public" {
 35 | //  vpc_id = "${aws_vpc.ssh_test_demo.id}"
 36 | //
 37 | //  cidr_block = "10.0.2.0/24"
 38 | //  availability_zone = "us-east-1a"
 39 | //
 40 | //  tags {
 41 | //    Name = "ssh_test_demo"
 42 | //  }
 43 | //}
 44 | 
 45 | resource "aws_route_table" "az1-public" {
 46 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 47 | 
 48 |   route {
 49 |     cidr_block = "0.0.0.0/0"
 50 |     gateway_id = "${aws_internet_gateway.ssh_test_demo.id}"
 51 |   }
 52 | 
 53 |   tags {
 54 |     Name = "ssh_test_demo"
 55 |   }
 56 | }
 57 | 
 58 | 
 59 | resource "aws_route_table_association" "subnet1-public" {
 60 |   subnet_id = "${aws_subnet.subnet1-public.id}"
 61 |   route_table_id = "${aws_route_table.az1-public.id}"
 62 | }
 63 | 
 64 | //resource "aws_route_table_association" "subnet2-public" {
 65 | //  subnet_id = "${aws_subnet.subnet2-public.id}"
 66 | //  route_table_id = "${aws_route_table.az1-public.id}"
 67 | //}
 68 | 
 69 | // ElasticIP isn't required, because we're only using a single AZ here. You can leave this commented or enable it
 70 | //resource "aws_eip" "ip" {
 71 | //  instance = "${aws_instance.ssh_test_demo.id}"
 72 | //  vpc = true
 73 | //}
 74 | //
 75 | //output "elastic_ip_used" {
 76 | //  value = "${aws_eip.ip.public_ip}"
 77 | //}
 78 | 
 79 | 
 80 | # --- A security group is needed only to be able to connect to our instance
 81 | resource "aws_security_group" "ssh_test_demo" {
 82 |   name = "ssh_test_demo"
 83 |   description = "Allow all inbound traffic"
 84 | 
 85 |   vpc_id = "${aws_vpc.ssh_test_demo.id}"
 86 | 
 87 |   // Note: For ecs usage, Https outboud traffic to ssm.us-east-1.amazonaws.com and https://ecs.us-east-1.amazonaws.com must be allowed
 88 | 
 89 |   # SSH config
 90 |   ingress {
 91 |     from_port = 22
 92 |     to_port   = 22
 93 |     protocol  = "tcp"
 94 |     cidr_blocks = "${var.admin_public_ips}"
 95 |   }
 96 | 
 97 |   # Web traffic
 98 |   ingress {
 99 |     from_port = 443
100 |     to_port   = 443
101 |     protocol  = "tcp"
102 |     cidr_blocks = ["0.0.0.0/0"]
103 |   }
104 | 
105 |   ingress {
106 |     from_port = 80
107 |     to_port   = 80
108 |     protocol  = "tcp"
109 |     cidr_blocks = ["0.0.0.0/0"]
110 |   }
111 | 
112 |   egress {
113 |       from_port = 0
114 |       to_port = 0
115 |       protocol = "-1"
116 |       cidr_blocks = ["0.0.0.0/0"]
117 |   }
118 | 
119 |   tags {
120 |     Scope = "ssh_test_demo"
121 |   }
122 | }
123 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # User-specific SSH keys management for EC2 instances with Terraform provisioning
  2 | 
  3 | By default, AWS EC2 let you connect to your instances using the EC2 key pair defined when created this instance. 
  4 | Managing this key, sharing it across your users who need ssh access, correctly revoking access whenever required, requires some work. 
  5 | These samples will show you an easy way to synchronize IAM users with instances users, and will use CodeCommit ssh keys to authenticate the users when the try to ssh the instance. 
  6 | 
  7 | 
  8 | Usually, 1 keypair is defined for each EC2 region and associated to your instance that you can use with a ec2-user (or other used for different AMIs)
  9 | With this setup: no longer mandatory to have region-defined key (but you could), and automatic sync of users from IAM, each one with their own ssh-keys.
 10 | 
 11 | _Note_: there's a lot of duplication across the samples, because we want each sample to be self-sufficient (you can take the one you like and throw out the others)
 12 | 
 13 | 
 14 | ## What's in there
 15 | 
 16 | Each of of the subfolders provides a standalone implementation. All use the same logic, with little added details here and there.
 17 | All these solutions comes as a Terraform solution, with a Makefile to get a simple plan/apply syntax without having to bother with extra arguments.
 18 | 
 19 | - `ec2_*` folders provision an ec2 ECS optimized AMI
 20 | - `*_simple_*` folders provision the bare minimum: 
 21 |     - An EC2 instance
 22 |     - IAM role and profile used by the instance 
 23 |     - A security group to setup basic network rules or the instance
 24 | - `*_vpc_*` folders provision an ec2 instance in a VPC
 25 |     - An EC2 instance
 26 |     - IAM role and profile used by the instance 
 27 |     - A security group to setup basic network rules or the instance
 28 |     - A VPC
 29 |     - The internet gateway, subnet, route table for the VPC 
 30 | - `*_nokey` folders are variations of the same where the ec2 keypair isn't required to provision the host: only user-data is used to pull the setup information from Git when he instance is bootstrapped.
 31 |    
 32 |    
 33 | If you want to get a quick view, you'd better start with `ec2_simple` which is the straightfoward way to do it.
 34 | If you later want to remove need of the ssh key to provision the instance, move on to `ec2_simple_nokey`
 35 | The VPC versions will help you to get started with a VPC (kep simple here, with a single instance in a single availability zone)
 36 | 
 37 | Finally, `ec2_vpc_nokey` uses maps to set the AMI and the availibity zone, depending on the region you set in your variables. 
 38 | 
 39 | If you're new into Terraform and HCL, the same progression applies: it will be easier to get started with the simplest version (`ec2_simple`, to later only focus on the changes and additon... rather than trying to get everything at once)
 40 | 
 41 | 
 42 | ### What's the goal of this setup?
 43 | 
 44 | These are slightly different ways to setup your instance, but they all achieve the same setup to later let a user ssh the instance.
 45 | The process is twofolds:
 46 | 
 47 | - at regular interval, the instance will update the local sudoers, getting a list of users (without any key) and create them on the host if they're new
 48 | 
 49 | ![Regular refresh of the users](docs/aws-entities-1.png)
 50 | 
 51 | - whenever a user ssh the instance, the key will be looked for in his IAM CodeCommit config.
 52 | 
 53 | ![Regular refresh of the users](docs/aws-entities-2.png)
 54 | 
 55 | 
 56 | Which can be viewed as:
 57 | 
 58 | ![Sequence diagram](docs/sequence.png)
 59 | 
 60 | 
 61 | ## Quick note about IAM Roles and Profiles
 62 | 
 63 | One of the constraints shown here is that an EC2 instance can have 1 profile, with a single role. So you can't have a few roles and bundle them in that profile, you have ot put everything together there. (But that role can be used by many instances)
 64 | 
 65 | Detail about the EC2 IAM restriction: Roles in an instance profile: 1 (each instance profile can contain only 1 role)
 66 | 
 67 | 
 68 | ## Set it up
 69 | 
 70 | After initial cloning/downloading, you need to setup your secrets.
 71 | Enter the folder of the solution you want to try, then prepare your secret file with
 72 | 
 73 |     cp secret.sample.fvars secret.tfvars
 74 |     vi secret.tfvars
 75 | 
 76 | Then open and edit `secret.tfvars` to enter your real secrets (aws credentials, and for some samples the desired region).
 77 | These secrets will be used by Terraform 
 78 | - to be abel to perform AWS commands on your behalf.
 79 | - to customize some variable depending on your own variables (region, ...)
 80 | 
 81 | It doesn't need to be your own user's credentials. 
 82 | At the end of the day, the IAM users you use will need all the privileges to perform all the resources creation we do in this terraform plan. You can create and use any CI user to do this.
 83 | 
 84 | 
 85 | ## Dry-run / plan
 86 | 
 87 |     make plan
 88 | 
 89 | Terraform will do a dry-run and save it as an execution plan. It will tell you everything that is going to be created/edited/destroyed, but no change will be done in your infrastructure.
 90 | 
 91 | 
 92 | ## Create/update your stack
 93 | 
 94 |     make apply
 95 | 
 96 | Terraform is going to create all the resources... If your secrets are corrcet and if you have enough privileges, you should get the ip of the instance at the end (otherwise you'll see some detailed error report)
 97 | 
 98 | 
 99 | ## Test it
100 | 
101 | The public IP/DNS of your instance is shown in Terraform outputs. In the following snippet, `awsUsername` contains the name of your AWS IAM user (if you need to specify the ssh key, use `-i path/to/your/key` like for any ssh connection)
102 | 
103 |     ec2PublicIp=$(terraform output | grep 'ec2_instance_public_ip' | sed 's@.*= @@g')
104 |     awsUsername=$(aws iam get-user  | jq -r .User.UserName)
105 |     ssh ${awsUsername}@${ec2PublicIp}
106 | 
107 | 
108 | ## Clean it
109 | 
110 | You might already guessed it, but destroying all the resources you created to run this sample is as simple as 
111 | 
112 |     make destroy
113 |     
114 | If you change it to use ElasticIP, you might need to call it several times, because of timeouts during elastic ip cleanup. 
115 | 
116 | 
117 | ## Where to go from here
118 | 
119 | 
120 | These samples should help getting you started. Then you'd probably want to look into these to make your solution more robust abd better meet your specific needs.
121 | 
122 | ### Simpler storage of ssh sync scripts
123 | 
124 | To keep these samples simple, everything is in there. In the real world, you'd probably want to keep your Terraform projects in your private source control system, and to make the ssh sync scripts used easy to fetch securely form the instance (ie maybe not from the VCS). 
125 | An easy solution, for simple project, is a dedicated public repo, as long as there's no specific information about your infrastructure, it could be fine and it's very easy. You can browse for inspiration in the [aws-ec2-ssh-sync-samples](https://github.com/sportebois/aws-ec2-ssh-sync-samples) repo.
126 | Other use cases could leverage S3, since the secure access would be resolved by the IAM role associated with the instance profile of your instance, and therefore no specific credentials would need to be added.
127 | 
128 | ### Smaller list of users
129 | 
130 | To only sync a subset of users, you can update `aws iam list-users ...` in  the `import_users.sh` script to fetch only the users who should access this instance. 
131 | For instance, the following command will only get the users who belong to the `App01` group. Only those will be able to ssh the instance:
132 |     `aws iam get-group --group-name Admins --query "Users[].[UserName]" --output text`
133 | 
134 | This is a starting point, you now have some foundation set on which to build the solution that best matches your use-case. 
135 | 
136 | 
137 | ### Better networking
138 | 
139 | In order to reduce the scope of these sample, networking was limited to the bare minimum.
140 | From the ssh point of view, implementing a bastion in the public subnet of the VPC, which would then let your access the private subnet where your other hosts live would be something you'd like to look into.
141 | 
142 | 
143 | ### Other improvements
144 | 
145 | - Add CloudTrail logging for IAM activity
146 | - Investigate KMS-based solution to store and fetch keys
147 | 
148 | 
149 | ## Credits
150 | 
151 | All the hard work has been done by Michael Wittig, and his presentation of the 'hack' to use CodeCommit's ssh keys or EC2 instances is brilliant. 
152 | Go read [Manage AWS EC2 SSH access with IAM](https://cloudonaut.io/manage-aws-ec2-ssh-access-with-iam/) to learn more.
153 | This repo started as doing a port using the same technique with Terraform, because we'd prefer to use Terraform than CloudFormation. Then some variations were added to illustrate different techniques. 
154 | 
155 | 
156 | ## Want to learn more?
157 | 
158 | If you're new to Terraform but want to learn more, [The Terraform Book](https://terraformbook.com) offers a free preview, and is a great intro to this thing. You'll get the basics to then read the official documentation (which is great, but maybe not as much newcomer-friendly) 
159 | 
160 | 
161 | ## TODO / next steps
162 | 
163 | - Basic arch diagram to make this easier to get at first glance
164 | - do a clean variation using CoreOS
165 | - do bastion/nat/multipleAZ variations? 
166 |  


--------------------------------------------------------------------------------