
Add the SSMManagedInstanceCore policy to all EC2 resources #203

Merged: RLIndia merged 16 commits into main from ssm-managed-policy-ec2 on Jul 18, 2025

Conversation

@RLIndia (Contributor) commented Jul 8, 2025

Add the SSMManagedInstanceCore policy to all EC2 resources so that a Session Manager connection can be established to debug issues if required.



Summary by CodeRabbit

  • New Features

    • Added explicit selection of Availability Zone in multiple EC2 CloudFormation templates for improved instance placement control.
    • Introduced enhanced S3 bucket templates with configurable access logging, enforced secure transport (TLS 1.2+), encryption, and detailed logging.
    • Added new script to initialize Docker Swarm with dynamic address pool selection.
  • Improvements

    • Updated all EC2 instance user data and related scripts to use IMDSv2 for secure metadata retrieval.
    • Extended IAM roles across templates to include AmazonSSMManagedInstanceCore for improved Systems Manager integration.
    • Refined IAM and S3 bucket policies for stricter security and permissions granularity.
    • Enhanced Docker, MongoDB, and AWS CLI provisioning scripts for modern, secure installation practices.
    • Improved documentation with detailed, step-by-step AMI creation instructions.
  • Bug Fixes

    • Corrected output formatting and minor whitespace issues in CloudFormation templates and scripts.
  • Chores

    • Updated Docker image references in docker-compose to newer versions.
    • Updated catalog item file references for consistency.
    • Added update logic for new scripts in the update process.

coderabbitai (Bot) commented Jul 8, 2025

Walkthrough

This update introduces widespread enhancements to AWS infrastructure provisioning scripts and CloudFormation templates. Key changes include enforcing IMDSv2 for EC2 metadata retrieval, adding explicit Availability Zone selection for EC2 resources, tightening IAM permissions, improving S3 bucket security with encryption and logging, updating Docker and MongoDB provisioning to newer and more secure methods, and expanding documentation for AMI creation. Several scripts and templates now support more secure and auditable deployments.

Changes

| File(s) / Group | Change Summary |
|---|---|
| cft-templates/ec2-*.yml, cft-templates/igv.yml, cft-templates/Rstudio.yml, cft-templates/vpc-squid.yml, products/Nextflow-Advanced/.../set-token, products/ec2-secure-windows/set_user_token.bat, scripts/fixconfigs.sh, scripts/create_rg_admin_user.sh, scripts/import_bulk_users.sh, scripts/fixdocdb.sh, scripts/fixmongo.sh, scripts/start_server.sh | Switched EC2 metadata access to IMDSv2 (token-based); added debug logging for metadata values; updated user-data and helper scripts accordingly. |
| cft-templates/ec2-*.yml, cft-templates/igv.yml, cft-templates/Rstudio.yml, cft-templates/vpc-squid.yml | Added AvailabilityZone parameter for explicit instance placement; updated instance resources and outputs to use this parameter. |
| cft-templates/ec2-*.yml, cft-templates/igv.yml, cft-templates/Rstudio.yml | Attached AWS managed policy AmazonSSMManagedInstanceCore to EC2 instance IAM roles. |
| cft-templates/ec2-secure-desktop.yml, cft-templates/ec2-winsecure-desktop.yml | Tightened IAM policies with explicit actions and SIDs; added/updated tags; updated device mappings; added launch template for IMDSv2; enhanced user-data scripts. |
| cft-templates/s3.yml, rg_deploy_bucket.yml | Enhanced S3 bucket security: added logging, encryption (KMS), public access blocking, and bucket policies enforcing TLS 1.2+. |
| rg_main_stack.yml | Refined IAM managed policy with granular statements; updated security group rules; added launch template enforcing IMDSv2. |
| packer-rg.json, provisioners/provision-awscli.sh, provisioners/provision-cfn-helper.sh, provisioners/provision-docker.sh, provisioners/provision-mongo.sh | Updated AMI build process for Ubuntu 24.04; improved AWS CLI, Docker, and MongoDB provisioning scripts for modern best practices and versions. |
| provisioners/provision-rg.sh, scripts/swarm_init.sh, updatescripts.sh, scripts/start_server.sh | Added/updated Docker Swarm initialization with dynamic address pool selection; introduced new script and update logic. |
| scripts/connect-db.sh | Added detection and fallback for mongosh vs mongo client; improved error handling. |
| dump/standardcatalogitems.json | Fixed S3 catalog item filename from .yaml to .yml. |
| rg_AMI-creation.md | Expanded and restructured AMI creation documentation for clarity and completeness. |
| rg_userpool.yml | Restricted Lambda execution IAM policy to specific CloudWatch Logs actions. |
| rg_document_db.yml | Added egress rules to security groups for unrestricted outbound traffic. |
| docker-compose.yml | Updated service images to newer versions from Docker Hub. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CloudFormation
    participant EC2Instance
    participant IMDS
    participant SSM

    User->>CloudFormation: Deploy stack with AvailabilityZone, IAMRole, UserData
    CloudFormation->>EC2Instance: Launch with UserData script and IAMRole
    EC2Instance->>IMDS: Request IMDSv2 token (PUT /latest/api/token)
    IMDS-->>EC2Instance: Return token
    EC2Instance->>IMDS: Request metadata (GET /latest/meta-data/..., with token)
    IMDS-->>EC2Instance: Return metadata (region, instance-id, etc.)
    EC2Instance->>SSM: Store parameter (e.g., auth token) using fetched metadata
sequenceDiagram
    participant User
    participant CloudFormation
    participant S3Bucket
    participant KMS
    participant LoggingBucket

    User->>CloudFormation: Deploy stack with S3 and logging parameters
    CloudFormation->>KMS: Create KMS keys for S3 and logs
    CloudFormation->>LoggingBucket: Create S3 bucket for access logs (KMS-encrypted)
    CloudFormation->>S3Bucket: Create main S3 bucket (KMS-encrypted, logging enabled, public access blocked)
    CloudFormation->>S3Bucket: Attach bucket policy enforcing TLS 1.2+

Poem

🐇
Hopping through the code I go,
IMDSv2 now steals the show!
Secure and strong, our buckets gleam,
With KMS and logging, a cloud dream.
Swarm scripts dance, new docs appear—
This rabbit’s proud of changes here!
🌱✨


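The IMDSv2 exchange in the first sequence diagram above, as an added example that is not part of the pull request or the project's code: a small Python client that performs the PUT-for-token and GET-with-token calls, fails closed on an empty token or empty value (the failure mode raised later in the review for ec2-dcv.yml), and a loopback stand-in for the metadata service so the exchange runs offline. The 169.254.169.254 endpoint, the 21600-second TTL and the header names are the real IMDS ones; the stand-in server, its token and the metadata values are constructed for the example.

```python
"""IMDSv2 client plus a loopback stand-in for the metadata service.
Added example, not code from the pull request; the fake server, its
token and the metadata values below are constructed for illustration."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_BASE = "http://169.254.169.254"   # real link-local endpoint on EC2
TOKEN_TTL_SECONDS = 21600              # 6 h, the maximum IMDS accepts
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"

# Never route IMDS traffic through an HTTP proxy picked up from the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def get_token(base=IMDS_BASE, ttl=TOKEN_TTL_SECONDS, timeout=2):
    """PUT /latest/api/token and return the session token.
    Raises instead of returning "" so a caller cannot continue with an
    empty token and silently fall back to defaults."""
    req = urllib.request.Request(f"{base}/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with _OPENER.open(req, timeout=timeout) as resp:
        token = resp.read().decode().strip()
    if not token:
        raise RuntimeError("IMDS returned an empty token")
    return token


def get_metadata(path, token, base=IMDS_BASE, timeout=2):
    """GET /latest/meta-data/<path> with the token header; empty -> error."""
    req = urllib.request.Request(f"{base}/latest/meta-data/{path}",
                                 headers={TOKEN_HEADER: token})
    with _OPENER.open(req, timeout=timeout) as resp:
        value = resp.read().decode().strip()
    if not value:
        raise RuntimeError(f"IMDS returned an empty value for {path}")
    return value


def fetch_instance_identity(base=IMDS_BASE):
    """The sequence the user-data scripts run: one token, reused for
    every metadata lookup until it expires."""
    token = get_token(base)
    return {"region": get_metadata("placement/region", token, base),
            "instance-id": get_metadata("instance-id", token, base)}


# Constructed values served by the stand-in (not from any real instance).
FAKE_TOKEN = "constructed-session-token"
FAKE_METADATA = {"placement/region": "us-east-1",
                 "instance-id": "i-0123456789abcdef0"}


class FakeIMDSHandler(BaseHTTPRequestHandler):
    """Issues a token on PUT and answers GETs only when the token header
    matches; a tokenless GET gets 401, which is what an IMDSv2-only
    instance returns for IMDSv1-style requests."""

    def do_PUT(self):
        if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
            self._reply(200, FAKE_TOKEN)
        else:
            self._reply(400, "")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            self._reply(401, "")
            return
        key = self.path.removeprefix("/latest/meta-data/")
        if key in FAKE_METADATA:
            self._reply(200, FAKE_METADATA[key])
        else:
            self._reply(404, "")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_fake_imds():
    """Serve the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDSHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def tokenless_request_is_rejected(base):
    """True when an IMDSv1-style GET (no token header) is refused with 401."""
    try:
        _OPENER.open(f"{base}/latest/meta-data/instance-id", timeout=2)
    except urllib.error.HTTPError as err:
        return err.code == 401
    return False


if __name__ == "__main__":
    server, base = start_fake_imds()
    try:
        print(fetch_instance_identity(base))
        print("tokenless request rejected:", tokenless_request_is_rejected(base))
    finally:
        server.shutdown()
```

On a real instance, call fetch_instance_identity() with the default base; the shell equivalent in the PR's scripts is the curl/wget PUT with the TTL header followed by GETs carrying the returned token, and the empty-token and empty-value checks here are the explicit abort the review asks for instead of letting aws ssm put-parameter run against a default region.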
coderabbitai (Bot) left a review comment

Actionable comments posted: 19

🔭 Outside diff range comments (2)
cft-templates/ec2-jupyterLab.yml (1)

215-220: Duplicate BlockDeviceMappings property will invalidate the stack.

BlockDeviceMappings is defined twice (lines 206-210 and 216-220). CloudFormation allows only one; the latter will silently overwrite the first, but this is brittle and confusing.

Consolidate into a single section that uses !Ref EBSVolumeSize.

-  BlockDeviceMappings:
-    - DeviceName: /dev/xvda
-      Ebs:
-        VolumeSize: 32
-        Encrypted: false      
...
-  BlockDeviceMappings:
+  BlockDeviceMappings:
     - DeviceName: /dev/xvda
       Ebs:
         VolumeSize: !Ref EBSVolumeSize
         Encrypted: true
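Review bot: the consolidated block changes two settings as well as removing the duplicate: the root volume goes from a fixed 32 GiB to `!Ref EBSVolumeSize`, and `Encrypted: false` becomes `Encrypted: true`. Both are the right direction, but confirm the `EBSVolumeSize` parameter exists in this template with a `Default` and `MinValue`, and note that with `Encrypted: true` and no `KmsKeyId` the volume is encrypted with the account's default EBS key; set `KmsKeyId` explicitly if the stack is expected to use a customer-managed key.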
cft-templates/ec2-vscode.yml (1)

202-215: Remove the second BlockDeviceMappings key – duplicate YAML keys are invalid

BlockDeviceMappings is declared twice (L202–206 and L211–215). Most YAML parsers – including CloudFormation’s – treat duplicate keys as an error, so the stack will fail to launch.

Pick one mapping block and delete the other, e.g.:

-  BlockDeviceMappings:
-    - DeviceName: /dev/xvda
-      Ebs:
-        VolumeSize: 32
-        Encrypted: false      
...
   BlockDeviceMappings:
     - DeviceName: /dev/xvda
       Ebs:
         VolumeSize: !Ref EBSVolumeSize
         Encrypted: true
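Review bot: the `...` in this suggestion hides whatever sits between the two `BlockDeviceMappings` keys, so check that only the first mapping is deleted and nothing else under `Properties` goes with it. This comment and the one above for cft-templates/ec2-jupyterLab.yml describe different parser behaviour for the same defect (silent overwrite versus hard failure); whichever applies, a `cfn-lint` step in CI would catch the duplicate key before deployment, whereas the yamllint findings listed below for this file report only trailing spaces.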
♻️ Duplicate comments (1)
docker-compose.yml (1)

45-46: Repeat the digest pinning for scheduler-3102

Same concern as above: tag-only reference can silently change. Pin to the exact digest.

🧹 Nitpick comments (21)
docker-compose.yml (1)

20-66: Consider adding healthchecks & resource limits

While unrelated to the image switch, these services currently have no healthcheck, deploy.resources.limits, or restart policies. Adding them will improve observability and resiliency, especially now that the images are changing.

scripts/connect-db.sh (1)

36-47: Harden the connection logic & align TLS flags with mongosh expectations

  1. mongosh now prefers --tls / --tlsCAFile flags; continuing to pass --ssl works but emits deprecation warnings.
  2. The script does not set -euo pipefail, so silent failures (e.g. a missing CA file) will fall through to the mongo block or exit with an unclear error.
  3. Connection command duplication can be reduced.
+# Fail fast and surface unexpected variables
+set -euo pipefail
+
 if command -v mongosh >/dev/null 2>&1; then
   echo "Using mongosh to connect..."
-  mongosh --ssl --host "$mydocdburl:27017" --sslCAFile "$RG_HOME/config/rds-combined-ca-bundle.pem" \
-    --username "$mydbuser" --password "$mydbuserpwd"
+  mongosh --tls --host "$mydocdburl:27017" \
+          --tlsCAFile "$RG_HOME/config/rds-combined-ca-bundle.pem" \
+          --username "$mydbuser" --password "$mydbuserpwd"
 elif command -v mongo >/dev/null 2>&1; then
   echo "Using mongo to connect..."
   mongo --ssl --host "$mydocdburl:27017" --sslCAFile "$RG_HOME/config/rds-combined-ca-bundle.pem" \
     --username "$mydbuser" --password "$mydbuserpwd"
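Review bot: both branches still pass the DocumentDB password on the command line via `--password "$mydbuserpwd"`, which exposes it to any local user through `ps` and, when the command is typed interactively, to shell history. Drop `--password` so the client prompts for it, or supply the credentials in a connection URI read from a file with `0600` permissions. Also, `set -u` makes `$mydocdburl`, `$RG_HOME`, `$mydbuser` and `$mydbuserpwd` hard requirements: the script now aborts with an unbound-variable error if any of them is unset, so they need to be defined or validated before this block.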

This keeps the script future-proof and makes failures explicit.

cft-templates/ec2-linux-docker.yml (1)

150-150: Trailing-space removal

Minor formatting fix – thanks for the cleanup.

cft-templates/ec2-linux-docker-mysql.yml (1)

189-189: Removed trailing whitespace

Purely cosmetic; appreciated.

scripts/swarm_init.sh (1)

4-8: IP-address detection can return the docker bridge or 127.0.0.1

ip route get 1 is brittle on hosts with multiple routes (VPNs, docker0, etc.).
Consider hostname -I | awk '{print $1}' as a fallback, or allow the caller to override with SWARM_IP.

cft-templates/igv.yml (1)

187-196: Trailing spaces + token error handling

Same whitespace issue flagged by YAMLlint and the potential empty-token problem noted in vpc-squid.yml. Consider adopting the hardened snippet shown earlier.

cft-templates/s3.yml (2)

24-29: Condition syntax is correct, but readability can be improved

Minor: the long-form intrinsics are verbose; consider !Not [ !Equals [ !Ref AccessLoggingBucketName, "" ] ] for brevity.


58-85: Duplicate TLS policies

Statements EnforceTLS12 and EnforceTLS12OrHigher overlap.
One denies all insecure transport; the other denies TLS < 1.2. Keeping just the second is sufficient.

cft-templates/ec2-EIP.yml (1)

48-50: Strip trailing whitespace to satisfy YAML lint and avoid noisy CI failures.

-  AvailabilityZone:
-    Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
-    Type: AWS::EC2::AvailabilityZone::Name    
+  AvailabilityZone:
+    Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
+    Type: AWS::EC2::AvailabilityZone::Name
cft-templates/ec2-jupyterLab.yml (2)

40-43: Fix trailing spaces in new parameter block.

Identical to the EIP template, a couple of spaces at EOL will fail YAML lint.

-    Type: AWS::EC2::AvailabilityZone::Name    
+    Type: AWS::EC2::AvailabilityZone::Name

286-288: Trailing spaces – same lint failure as above.

rg_deploy_bucket.yml (2)

110-129: Minor: two separate TLS-enforcement statements are redundant.

EnforceTLS12 (SecureTransport == false) already blocks plain HTTP.
EnforceTLS12OrHigher then blocks TLS < 1.2. They can be merged, but the duplication is harmless if readability is the goal.


114-124: YAML-lint trailing-space warnings

Lines 114 and 124 have trailing spaces; clean them to keep pipelines green.

provisioners/provision-mongo.sh (1)

12-12: Consider the implications of removing version pinning.

The removal of explicit version pinning (mongodb-org=4.4.29) means the latest available version will be installed, which could lead to inconsistencies across deployments if the repository is updated.

Consider pinning to a specific MongoDB 8.0 version for consistency:

-sudo apt-get install -y mongodb-org
+sudo apt-get install -y mongodb-org=8.0.3
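Review bot: pinning only the `mongodb-org` meta-package does not pin its component packages; MongoDB's install instructions require each component to be given the same version, e.g. `sudo apt-get install -y mongodb-org=8.0.3 mongodb-org-database=8.0.3 mongodb-org-server=8.0.3 mongodb-org-mongos=8.0.3 mongodb-org-tools=8.0.3`, followed by `apt-mark hold` on those packages so a later `apt-get upgrade` cannot move the AMI off the pinned release. Also confirm that the version in this suggestion is still published in the MongoDB 8.0 apt repository the script configures before adopting it.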
provisioners/provision-docker.sh (1)

18-18: Consider re-adding the user to the docker group

You dropped the previously present usermod -aG docker ubuntu line. Without it the default SSH user will have to sudo every Docker command, which breaks several downstream scripts that assume password-less access.
If this was intentional for stricter hardening, document the change and audit all scripts that invoke docker as an unprivileged user.

rg_AMI-creation.md (1)

1-84: Minor markdown & grammar nits

Several headings have trailing punctuation and many lines miss terminal periods or have double spaces. Run markdownlint + prettier to clean up; content is otherwise clear.

cft-templates/Rstudio.yml (1)

130-134: Trailing whitespace

Lines 130 and 134 have trailing spaces, causing yamllint errors. Strip them to keep the template lint-clean.

cft-templates/ec2-vscode.yml (1)

23-27: Strip trailing whitespace

YAML-lint flags L23 & L26. Harmless but easy to clean and keeps VCS churn low.

cft-templates/ec2-dcv.yml (2)

226-236: Echo uses wrong variable & possible empty region

The IMDS call stores the region in region, but the echo on L231 references ${region} correctly while later the script uses $region again – fine.
However, add a set -euo pipefail or explicit check to abort if $TOKEN or $region is empty; otherwise the subsequent aws ssm put-parameter may silently hit the default region.


27-32: Trailing comma in YAML flow-style list

The AllowedValues flow list ends with t3.xlarge, (L30-31). Many YAML parsers allow it, but CloudFormation’s can be picky. Safer to drop the comma.

cft-templates/ec2-winsecure-desktop.yml (1)

46-47: Trailing comma in flow list

The final comma after t3.xlarge can trip CloudFormation’s YAML loader. Remove it for safety.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94e50b0 and 2ebaef2.

📒 Files selected for processing (37)
  • SRE/Network-CFTS/vpc-squid.yml (1 hunks)
  • cft-templates/Rstudio.yml (6 hunks)
  • cft-templates/ec2-EIP.yml (4 hunks)
  • cft-templates/ec2-dcv.yml (5 hunks)
  • cft-templates/ec2-jupyterLab.yml (5 hunks)
  • cft-templates/ec2-linux-docker-mysql.yml (2 hunks)
  • cft-templates/ec2-linux-docker.yml (2 hunks)
  • cft-templates/ec2-secure-desktop.yml (5 hunks)
  • cft-templates/ec2-ubuntu.yml (2 hunks)
  • cft-templates/ec2-vscode.yml (5 hunks)
  • cft-templates/ec2-winsecure-desktop.yml (5 hunks)
  • cft-templates/igv.yml (2 hunks)
  • cft-templates/s3.yml (2 hunks)
  • docker-compose.yml (4 hunks)
  • dump/standardcatalogitems.json (1 hunks)
  • packer-rg.json (4 hunks)
  • products/Nextflow-Advanced/machine-images/config/infra/files/nextflow/set-token (1 hunks)
  • products/ec2-secure-windows/set_user_token.bat (1 hunks)
  • provisioners/provision-awscli.sh (1 hunks)
  • provisioners/provision-cfn-helper.sh (1 hunks)
  • provisioners/provision-docker.sh (1 hunks)
  • provisioners/provision-mongo.sh (1 hunks)
  • provisioners/provision-rg.sh (1 hunks)
  • rg_AMI-creation.md (1 hunks)
  • rg_deploy_bucket.yml (1 hunks)
  • rg_document_db.yml (2 hunks)
  • rg_main_stack.yml (2 hunks)
  • rg_userpool.yml (1 hunks)
  • scripts/connect-db.sh (1 hunks)
  • scripts/create_rg_admin_user.sh (1 hunks)
  • scripts/fixconfigs.sh (1 hunks)
  • scripts/fixdocdb.sh (1 hunks)
  • scripts/fixmongo.sh (3 hunks)
  • scripts/import_bulk_users.sh (1 hunks)
  • scripts/start_server.sh (3 hunks)
  • scripts/swarm_init.sh (1 hunks)
  • updatescripts.sh (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
  • rg_document_db.yml: [error] trailing spaces (trailing-spaces) at lines 81, 98
  • cft-templates/ec2-EIP.yml: [error] trailing spaces (trailing-spaces) at line 50
  • cft-templates/s3.yml: [error] trailing spaces (trailing-spaces) at lines 22, 24, 61
  • SRE/Network-CFTS/vpc-squid.yml: [error] trailing spaces (trailing-spaces) at lines 318, 322
  • cft-templates/ec2-jupyterLab.yml: [error] trailing spaces (trailing-spaces) at lines 42, 170, 174
  • rg_main_stack.yml: [error] trailing spaces (trailing-spaces) at lines 138, 148, 164, 169, 180; [warning] line 177: wrong indentation: expected 6 but found 8 (indentation)
  • cft-templates/ec2-vscode.yml: [error] trailing spaces (trailing-spaces) at lines 23, 26, 173, 177
  • cft-templates/ec2-dcv.yml: [error] trailing spaces (trailing-spaces) at lines 52, 228, 232
  • cft-templates/igv.yml: [error] trailing spaces (trailing-spaces) at lines 189, 193
  • rg_deploy_bucket.yml: [error] trailing spaces (trailing-spaces) at lines 114, 124
  • cft-templates/ec2-secure-desktop.yml: [error] trailing spaces (trailing-spaces) at lines 317, 321, 325, 407, 501
  • cft-templates/Rstudio.yml: [error] trailing spaces (trailing-spaces) at lines 42, 130, 134
  • cft-templates/ec2-winsecure-desktop.yml: [error] trailing spaces (trailing-spaces) at lines 46, 190, 223, 226, 254, 258, 261, 279, 280, 288, 354
🪛 LanguageTool
rg_AMI-creation.md
  • [grammar] ~1: Use proper spacing conventions. Context: "# Creating the AMI with Pre-Requisites Follow these steps to create an AMI with..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~3: There might be a problem here. Context: "...ollow these steps to create an AMI with pre-requisites: ## 1. Install Packer - Refer to the [Packe..." (QB_NEW_EN_MERGED_MATCH)
  • [grammar] ~5: Place a period at the end of declarative sentences. Context: "...th pre-requisites: ## 1. Install Packer - Refer to the [Packer Installation Guide]..." (QB_NEW_EN_OTHER_ERROR_IDS_000178)
  • [grammar] ~7: Use proper spacing conventions. Context: "...torials/packer/get-started-install-cli). - For Amazon Linux 2023 (AWS CloudShell): ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~8: Use proper spacing conventions. Context: "... For Amazon Linux 2023 (AWS CloudShell): bash sudo yum install -y yum-utils sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo sudo yum -y install packer ## 2. Install the Amazon Plugin for Packer ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~15: Place a period at the end of declarative sentences. Context: "... 2. Install the Amazon Plugin for Packer 1. Create a Packer Configuration File: ..." (QB_NEW_EN_OTHER_ERROR_IDS_000178)
  • [grammar] ~17: There might be a mistake here. Context: "... Create a Packer Configuration File: Create a file named `packer-config.pkr...." (QB_NEW_EN_OTHER)
  • [grammar] ~18: Use proper spacing conventions. Context: "...fig.pkr.hcl` with the following content: hcl packer { required_plugins { amazon = { version = ">= 1.3.3" source = "github.com/hashicorp/amazon" } } } 2. Run Packer Initialization: Use the ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~30: There might be a mistake here. Context: "... ``` 2. Run Packer Initialization: Use the following command to download a..." (QB_NEW_EN_OTHER)
  • [grammar] ~31: Use proper spacing conventions. Context: "... download and install the Amazon plugin: bash packer init packer-config.pkr.hcl ## 3. Export AWS Credentials Set your AWS ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~36: Use proper spacing conventions. Context: "...hcl ``` ## 3. Export AWS Credentials Set your AWS credentials and region as e..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~38: Use proper spacing conventions. Context: "...als and region as environment variables: bash export AWS_ACCESS_KEY_ID="your_Access_Key" export AWS_SECRET_ACCESS_KEY="your_Secret_Key" export AWS_DEFAULT_REGION="Your_Region" ## 4. Clone the Repository Clone the requi..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~45: Use proper spacing conventions. Context: "..._Region" ``` ## 4. Clone the Repository Clone the required repository to your lo..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~47: Use proper spacing conventions. Context: "...to your local machine or AWS CloudShell. ## 5. Grant Permissions for Target Account ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~49: Use proper spacing conventions. Context: "... 5. Grant Permissions for Target Account - Ensure the target account number is adde..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~51: Use proper spacing conventions. Context: "...with permissions to access image builds. ## 6. Create an IAM Role for ECR and EC2 Ac..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~53: Use proper spacing conventions. Context: "...eate an IAM Role for ECR and EC2 Actions 1. Create a Role: - Create a role and ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~56: Use proper spacing conventions. Context: "...a policy permitting ECR and EC2 actions. 2. Update the packer-rg.json File: -..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~59: Use proper spacing conventions. Context: "...he builders section with your role name. ## 7. Build the AMI Run the following comm..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~61: Place a period at the end of declarative sentences. Context: "...ith your role name. ## 7. Build the AMI Run the following command to build the A..." (QB_NEW_EN_OTHER_ERROR_IDS_000178)
  • [grammar] ~63: Use proper spacing conventions. Context: "... the following command to build the AMI: bash packer build -var 'awsRegion=your_region' -var 'vpcId=your_VPCID' -var 'subnetId=your_SubnetID' packer-rg.json ### Runtime Variables: - Pass the following ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~69: Use proper spacing conventions. Context: "...Pass the following variables at runtime: - VPCID - SubnetID - AWSRegion ## 8. Retrieve the AMI ID After the build ..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~74: Place a period at the end of declarative sentences. Context: "...- AWSRegion ## 8. Retrieve the AMI ID After the build completes successfully, ..." (QB_NEW_EN_OTHER_ERROR_IDS_000178)
  • [grammar] ~76: Use proper spacing conventions. Context: "...sfully, note the AMI ID from the output. --- ### Notes - Ensure all variables and IAM ro..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~80: Use proper spacing conventions. Context: "... AMI ID from the output. --- ### Notes - Ensure all variables and IAM roles are c..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~82: Use proper spacing conventions. Context: "...tly configured before running the build. - For further details, refer to the reposi..." (QB_NEW_EN_OTHER_ERROR_IDS_000007)
  • [grammar] ~83: Use proper spacing conventions. Context: "...umentation](https://www.packer.io/docs)." (QB_NEW_EN_OTHER_ERROR_IDS_000007)

🪛 markdownlint-cli2 (0.17.2)
  • rg_AMI-creation.md: line 68: Trailing punctuation in heading, punctuation ':' (MD026, no-trailing-punctuation)

🔇 Additional comments (38)
cft-templates/ec2-ubuntu.yml (2)

69-70: SSM policy addition looks good

Attaching AmazonSSMManagedInstanceCore enables Session Manager without widening the role’s permissions beyond the managed policy.


143-143: Whitespace tidy-up acknowledged

No functional impact; keeps the template clean.

cft-templates/ec2-linux-docker.yml (1)

67-68: SSM policy correctly attached

Matches the PR objective and is consistent with other templates.

rg_document_db.yml (1)

79-82: Egress “allow all” may violate least-privilege principle

Security groups default to 0.0.0.0/0 egress; explicitly declaring it is fine but still permits any outbound traffic—including from the VPCE SG—which may be broader than necessary. Consider locking down to the specific AWS service CIDRs (DocumentDB endpoints, Secrets Manager, etc.) or to the VPC CIDR to minimise lateral movement.

Also, YAML-lint flags trailing spaces on lines 81 & 98—worth trimming to keep CI happy.

Also applies to: 96-98

cft-templates/ec2-linux-docker-mysql.yml (1)

81-82: SSM managed policy addition approved

Consistent with other stacks; no further action required.

cft-templates/igv.yml (1)

107-109: 👍 Added AmazonSSMManagedInstanceCore – good move

This managed policy is the recommended way to enable SSM agent features; no issues spotted.

cft-templates/s3.yml (1)

51-56: LoggingConfiguration object formatting is valid

Just a quick confirmation: the Fn::If returns an object vs AWS::NoValue; CloudFormation accepts this pattern. 👍

dump/standardcatalogitems.json (1)

8-8: Confirm downstream references to the renamed template file.

Changing the extension from s3.yaml to s3.yml is harmless here, but any automation, documentation, or code that still hard-codes the old name will now break.

Run a quick grep across the repo and update links / references accordingly.

cft-templates/ec2-EIP.yml (1)

70-72: 👍 Managed policy addition looks correct.

Attaching AmazonSSMManagedInstanceCore is the right way to enable Session Manager and aligns with the PR objective.

cft-templates/ec2-jupyterLab.yml (1)

62-64: SSM managed policy addition LGTM.

provisioners/provision-rg.sh (1)

15-16: Swarm reset is not idempotent and diverges from PR summary.

docker swarm leave --force will exit non-zero when the node is not part of a swarm, potentially breaking re-runs.
Also, the AI summary mentions a switch to an external swarm_init.sh, but that file is not invoked here—possible drift.

Consider:

docker info --format '{{ .Swarm.LocalNodeState }}' | grep -q active && docker swarm leave --force || true
docker swarm init --default-addr-pool 172.20.0.0/16

to make the step repeat-safe and verify that the intended helper script path is correct.

Likely an incorrect or invalid review comment.

updatescripts.sh (1)

82-85: LGTM! Consistent pattern for script updates.

The addition of swarm_init.sh to the update process follows the same pattern as other scripts in the file, maintaining consistency in the update mechanism.

scripts/create_rg_admin_user.sh (1)

42-47: Excellent security improvement with IMDSv2 migration.

The migration from IMDSv1 to IMDSv2 for metadata service calls enhances security by requiring token authentication. The implementation correctly obtains a session token first, then uses it for the metadata request.

scripts/import_bulk_users.sh (1)

56-57: Security improvement with IMDSv2 migration.

The migration to IMDSv2 for metadata service calls enhances security. The implementation correctly uses token authentication and maintains the existing test mode logic.

scripts/fixdocdb.sh (1)

23-25: Security enhancement with IMDSv2 implementation.

The migration to IMDSv2 for metadata service calls improves security by requiring token authentication. The implementation correctly retrieves the session token first, then uses it to fetch the local IPv4 address.

scripts/start_server.sh (4)

31-32: Good implementation of IMDSv2 token authentication.

The script correctly implements IMDSv2 by fetching a session token and using it for secure metadata retrieval. The token TTL of 21600 seconds (6 hours) is appropriate for the script's execution time.


36-36: Consistent token usage for metadata retrieval.

The script properly reuses the token from line 31 for secure metadata access, maintaining consistency with the IMDSv2 implementation.


45-45: Efficient token reuse for instance ID retrieval.

Good practice reusing the existing token for subsequent metadata calls instead of creating a new one.


50-50: Good architectural improvement with external swarm initialization.

Delegating Docker swarm initialization to a dedicated script /usr/local/sbin/swarm_init.sh improves maintainability and separation of concerns.

scripts/fixmongo.sh (3)

30-32: Correct IMDSv2 token implementation with wget.

The script properly implements IMDSv2 by fetching a session token using wget's PUT method and then using it for secure metadata retrieval. The token TTL of 21600 seconds is appropriate.


41-41: Consistent token usage for public hostname retrieval.

Good practice reusing the existing token for metadata access to maintain security and efficiency.


106-106: Secure local hostname retrieval for certificate generation.

The script correctly uses the token to securely fetch the local hostname for MongoDB certificate generation, maintaining consistency with the IMDSv2 implementation.

scripts/fixconfigs.sh (5)

13-14: Correct IMDSv2 token implementation.

The script properly implements IMDSv2 by fetching a session token using wget's PUT method with appropriate TTL header.


16-19: Good addition of debug logging for region retrieval.

The debug echo statement helps with troubleshooting and provides visibility into the metadata retrieval process. The token usage is consistent with IMDSv2 security requirements.


20-20: Consistent token usage for role name retrieval.

Good practice reusing the existing token for secure metadata access.


22-24: Secure account ID retrieval using token.

The script correctly uses the token to access the instance identity document and extract the account ID using jq.


25-27: Proper instance ID retrieval with token authentication.

The script maintains consistency by using the token for secure instance ID retrieval.

products/ec2-secure-windows/set_user_token.bat (4)

5-6: Correct IMDSv2 token implementation for Windows.

The script properly implements IMDSv2 by fetching a session token using curl with appropriate TTL header. The token is stored correctly for reuse.


7-8: Secure region retrieval using token.

The script correctly uses the token for secure metadata access to retrieve the AWS region.


9-10: Proper instance ID retrieval with token authentication.

The script maintains consistency by using the token for secure instance ID retrieval.


15-16: Good security improvement with SecureString parameter type.

Changing from "String" to "SecureString" type and adding quotes around the parameter name and region arguments improves security and prevents potential issues with special characters.

provisioners/provision-mongo.sh (3)

8-8: Verify Ubuntu noble compatibility.

The APT repository configuration now targets Ubuntu "noble" distribution. Ensure that all deployment targets are compatible with Ubuntu 24.04 (noble).


14-19: Comprehensive service management commands are well-structured.

The service management commands provide thorough control over the MongoDB service lifecycle, including status checks, enabling on boot, and proper restart procedures.


4-6: Verify legacy mongo shell compatibility with MongoDB 8.0

I found multiple provisioning and utility scripts that invoke the legacy mongo shell (and in one place fall back to mongosh), but MongoDB 8.0 no longer bundles the old mongo shell by default. Please:

  • Ensure your APT install of mongodb-org still includes mongodb-org-shell or explicitly install the legacy shell package, or
  • Migrate all mongo invocations to mongosh and confirm feature parity.

Scripts requiring attention:

  • scripts/connect-db.sh (uses both mongosh and mongo)
  • scripts/fixmongo.sh (mongo --host … with inline JS)
  • scripts/fixdocdb.sh (mongo --ssl …)
  • scripts/import-seed-db.sh & scripts/remove-org.sh (mongo --eval)

Action: test each end-to-end against a fresh MongoDB 8.0 instance to validate CLI flags, JS eval blocks, and any data-model assumptions still hold.

cft-templates/Rstudio.yml (2)

40-43: Parameter lacks a default, breaking existing automation

AvailabilityZone is now mandatory but no default is provided. Existing pipelines that didn’t supply this parameter will fail. Either supply a sensible default (e.g., first AZ of the region) or make the property conditional.


62-64: 👍 Addition of AmazonSSMManagedInstanceCore

Attaching the managed policy is the right move to enable Session Manager connectivity without extra IAM plumbing.

rg_main_stack.yml (1)

121-150: Granular IAM split looks good

The refactor into InstancePermissions, RoleRelatedPermissions, and PolicyRelatedPermissions tightens scope without breaking existing actions – nice!

cft-templates/ec2-winsecure-desktop.yml (1)

255-259: External dependency on pre-existing launch template

The stack references LaunchTemplateName: "RG-IMDSv2" but does not create it. Make sure this launch template is created before stack deployment, or reference the one defined inside this template to avoid a ValidationError: LaunchTemplateName does not exist.

Comment thread docker-compose.yml
Comment on lines 20 to 22
cc-3102:
image: 045938549113.dkr.ecr.us-east-2.amazonaws.com/researchportal:_fd_1.21.2_b2433
image: relevancelab/researchportal:_fd_1.22.0_b2690
secrets:

🛠️ Refactor suggestion

⚠️ Potential issue

Pin cc-3102 image to digest for deterministic, secure deployments

Relying solely on the tag _fd_1.22.0_b2690 leaves you open to “latest-tag drift” if the publisher mutates or re-tags the image. Pin the image by SHA-256 digest and optionally keep the tag as an inline comment for human readability.

-    image: relevancelab/researchportal:_fd_1.22.0_b2690
+# Pin by digest to avoid unexpected upgrades
+    image: relevancelab/researchportal@sha256:<calculated-digest> # _fd_1.22.0_b2690
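Review bot: `<calculated-digest>` in the `+` line is a placeholder that has to be resolved before this suggestion is committable; `docker buildx imagetools inspect relevancelab/researchportal:_fd_1.22.0_b2690` prints the manifest digest for that tag. Once pinned, the trailing `# _fd_1.22.0_b2690` comment is informational only and will silently go stale unless whatever bumps the digest also rewrites the comment, so the update procedure should touch both.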
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
cc-3102:
image: 045938549113.dkr.ecr.us-east-2.amazonaws.com/researchportal:_fd_1.21.2_b2433
image: relevancelab/researchportal:_fd_1.22.0_b2690
secrets:
cc-3102:
# Pin by digest to avoid unexpected upgrades
image: relevancelab/researchportal@sha256:<calculated-digest> # _fd_1.22.0_b2690
secrets:
🤖 Prompt for AI Agents
In docker-compose.yml around lines 20 to 22, the image for service cc-3102 is
specified using a tag only, which can lead to non-deterministic deployments if
the tag is updated or changed. To fix this, replace the image tag with the full
image digest (SHA-256) to pin the exact image version. Optionally, keep the
original tag as a comment for readability. This ensures deployments use the
exact same image every time.

Comment thread docker-compose.yml
Comment on lines +65 to 66
image: relevancelab/aws-notificationsink:1.22.0_b1
secrets:

⚠️ Potential issue

notificationsink image should also be immutable

The Docker Hub tag 1.22.0_b1 is mutable. Pin by digest to guarantee the runtime artifact.

-    image: relevancelab/aws-notificationsink:1.22.0_b1
+    image: relevancelab/aws-notificationsink@sha256:<calculated-digest> # 1.22.0_b1
🤖 Prompt for AI Agents
In docker-compose.yml around lines 65 to 66, the notificationsink image tag
`1.22.0_b1` is mutable and should be pinned by digest to ensure immutability.
Replace the image tag with the image digest (sha256) from Docker Hub for that
specific version to guarantee the runtime artifact remains unchanged.
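Both compose comments above ask for the same thing: no `image:` reference without a full sha256 digest. The following is an added example, not code from the PR or from the CodeRabbit review, showing how a CI step can detect tag-only references before they are merged. It is POSIX `sh` run over a constructed compose fragment; the digest value in the sample is made up and the function names are my own.

```shell
#!/bin/sh
# Constructed compose fragment used as sample input (not the repository's
# docker-compose.yml). Two services are tag-only, one has a truncated digest
# and one is properly pinned with a full 64-hex-character sha256 digest.
SAMPLE_COMPOSE='services:
  cc-3102:
    image: relevancelab/researchportal:_fd_1.22.0_b2690
  notificationsink:
    image: "relevancelab/aws-notificationsink@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" # 1.22.0_b1
  cache:
    image: redis:latest
  db:
    image: registry.example.com/team/postgres@sha256:abc123
'

# unpinned_images: read compose YAML on stdin and print every image reference
# that is not pinned by a complete sha256 digest. Inline comments and quotes
# are stripped first so 'image@sha256:... # tag' still counts as pinned.
unpinned_images() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//; s/^["'\'']//; s/["'\'']$//' \
    | grep -Ev '@sha256:[0-9a-f]{64}$' || true
}

# count_unpinned COMPOSE_TEXT: number of images that still need pinning.
count_unpinned() {
  printf '%s\n' "$1" | unpinned_images | wc -l | tr -d ' '
}

# compose_is_pinned COMPOSE_TEXT: succeed only when every image is digest
# pinned, so it can gate a CI job:  compose_is_pinned "$(cat docker-compose.yml)"
compose_is_pinned() {
  [ "$(count_unpinned "$1")" -eq 0 ]
}

# Stand-alone report on the constructed sample.
echo "Images not pinned by digest:"
printf '%s\n' "$SAMPLE_COMPOSE" | unpinned_images | sed 's/^/  /'
```

The check is deliberately strict: a truncated digest such as `@sha256:abc123` is reported, because a registry will reject it and it gives none of the immutability the review is asking for.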

Comment thread rg_userpool.yml
Comment on lines +351 to 355
- logs:CreateLogDelivery
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DeleteLogGroup
Resource: arn:aws:logs:*:*:*

⚠️ Potential issue

Missing logs:PutLogEvents will block Lambda logging; logs:DeleteLogGroup is unnecessary

The Lambda service needs logs:PutLogEvents to write log entries—without it, every invocation fails with AccessDeniedException.
Granting logs:DeleteLogGroup is over-permissive; the function never needs to delete its own log group.

-                  - logs:CreateLogDelivery
-                  - logs:CreateLogGroup
-                  - logs:CreateLogStream
-                  - logs:DeleteLogGroup
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                  # logs:CreateLogDelivery only if you use cross-account log delivery; otherwise omit
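Review bot: the action list is tightened, but the `Resource: arn:aws:logs:*:*:*` shown in the original lines is untouched, so the role can still create streams and write events into any log group in the account. The usual split is `logs:CreateLogGroup` on `!Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*` and `logs:CreateLogStream` / `logs:PutLogEvents` on `!Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/<function-name>:*`, with the function name taken from this template. The YAML comment dropped between list items is legal but reads better above the `Action` block, so the list stays a plain list of actions.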

Alternatively, attach the managed policy AWSLambdaBasicExecutionRole to simplify and future-proof the permissions.

🤖 Prompt for AI Agents
In rg_userpool.yml around lines 351 to 355, the IAM policy is missing the
logs:PutLogEvents permission required for Lambda to write logs, causing
AccessDeniedException on invocation. Add logs:PutLogEvents to the list of
allowed actions and remove logs:DeleteLogGroup as it is unnecessary and
over-permissive. Alternatively, replace the custom permissions with the
AWSLambdaBasicExecutionRole managed policy to simplify and future-proof the
Lambda's logging permissions.

Comment on lines 4 to +7
sudo apt-get update -y
sudo curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
sudo apt install unzip
sudo unzip awscliv2.zip

# Install prerequisites
sudo apt-get install -y jq unzip curl

🛠️ Refactor suggestion

Assumes Debian-based AMI – may break on Amazon Linux or RHEL images

apt-get will fail silently on the Amazon Linux 2 and RHEL family AMIs that are used elsewhere in this repo (yum is available there).
Unless the Packer build matrix guarantees Ubuntu/Debian only, guard the installation with a distro check or switch to yum install jq unzip curl when which yum is present.

🤖 Prompt for AI Agents
In provisioners/provision-awscli.sh around lines 4 to 7, the script uses apt-get
which assumes a Debian-based system and will fail on Amazon Linux or RHEL AMIs.
Modify the script to detect the package manager by checking if yum exists; if
yum is present, use yum install for jq, unzip, and curl, otherwise use apt-get.
This conditional logic will ensure compatibility across different Linux
distributions.

Comment on lines +10 to 16
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

# Unzip the AWS CLI installer
unzip awscliv2.zip

# Install AWS CLI
sudo ./aws/install

⚠️ Potential issue

No integrity / signature check on the AWS-CLI installer

Blindly executing the downloaded ZIP is a supply-chain risk. Fetch and verify the published SHA256 (or the GPG signature) before unzipping:

+curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sha256" -o awscliv2.zip.sha256
+sha256sum -c awscliv2.zip.sha256
+if [ $? -ne 0 ]; then
+  echo "Checksum verification failed" >&2
+  exit 1
+fi
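Review bot: the `+` lines assume a published `awscli-exe-linux-x86_64.zip.sha256` file exists and that the filename recorded in it matches the local `awscliv2.zip`; nothing in the PR shows such a file, and the AWS CLI install guide documents verification through the detached GPG signature (`awscli-exe-linux-x86_64.zip.sig` checked with `gpg --verify`). `sha256sum -c` reads `<hash>  <filename>` and would look for the original filename, not the renamed download, so the step would fail even with a correct hash. Also use `curl -fsSL` rather than `curl -s`: without `-f`, an HTTP error body is saved as the checksum file and the subsequent "checksum verification failed" message points at the wrong cause.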
🤖 Prompt for AI Agents
In provisioners/provision-awscli.sh around lines 10 to 16, the script downloads
and installs the AWS CLI without verifying the integrity of the downloaded ZIP
file. To fix this, fetch the official SHA256 checksum from AWS, compute the
checksum of the downloaded awscliv2.zip, and compare them before unzipping. Only
proceed with unzipping and installing if the checksums match to ensure the
installer has not been tampered with.
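The comment above describes the pattern, download then verify before unzip, but the suggested diff leaves the details to the reader. As an added example (not code from the PR or the review), here is a POSIX shell helper that computes a file's SHA-256, compares it against an expected value supplied out of band, refuses to continue on mismatch, and wraps the download with `curl -f` so an HTTP error page is never treated as the artifact. `verify_sha256` and `fetch_and_verify` are names I chose; the sample file and its digest are constructed inline so the example runs offline.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX: compute FILE's SHA-256 and compare it with
# EXPECTED_HEX (case-insensitive). Returns 0 on match, 1 on mismatch or when
# FILE is missing. Errors go to stderr so callers can log them.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "verify_sha256: $file not found" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS / BSD fallback
  fi
  if [ "$actual" != "$expected" ]; then
    echo "verify_sha256: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_and_verify URL DEST EXPECTED_HEX: download with -f so non-2xx responses
# fail instead of being written to DEST, then verify; a bad file is deleted so
# a later step cannot pick it up by accident. (Hypothetical helper name.)
fetch_and_verify() {
  url=$1; dest=$2; expected=$3
  curl -fsSL "$url" -o "$dest" || { echo "download failed: $url" >&2; return 1; }
  verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# Constructed offline demo: a known input and its SHA-256 (sha256 of "hello\n").
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/artifact.txt"
HELLO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# demo_ok: the untouched artifact verifies.
demo_ok() { verify_sha256 "$demo_dir/artifact.txt" "$HELLO_SHA256"; }

# demo_tampered: a one-byte change is rejected.
demo_tampered() {
  printf 'hello!\n' > "$demo_dir/tampered.txt"
  verify_sha256 "$demo_dir/tampered.txt" "$HELLO_SHA256" 2>/dev/null
}

demo_ok && echo "artifact verified"
demo_tampered || echo "tampered artifact rejected"
```

In a provisioner the expected digest would be a literal checked into the repo (or read from a vendor signature you have already verified), so the value being compared against does not come from the same server as the download.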

Comment thread cft-templates/Rstudio.yml
Comment on lines +128 to +137
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)


⚠️ Potential issue

Undefined variable in debug echo

echo "Retrieved region ${region} …" references ${region}, which is unset; the correct variable is instance_region.

-echo "Retrieved region ${region} from metadata service"
+echo "Retrieved region ${instance_region} from metadata service"
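Review bot: the variable fix is right, but the `curl` calls in the original lines run without `-s`/`-f`, so if the token PUT fails `TOKEN` is left empty, every later metadata call gets a 401 that curl does not surface, and `instance_region` / `instance_id` end up empty or holding an error body that is then used to build the SSM parameter name. Suggest `curl -sf` on all three calls and an explicit `[ -n "$TOKEN" ] || exit 1` after the token fetch so the script fails loudly instead of writing to a mis-named parameter.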
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 130-130: trailing spaces

(trailing-spaces)


[error] 134-134: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/Rstudio.yml around lines 128 to 137, the debug echo references
an undefined variable ${region} instead of the correct variable
${instance_region}. Update the echo statement to use ${instance_region} to
correctly display the retrieved region value.

Comment on lines +171 to 181
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value $access_token --region $instance_region --type SecureString --overwrite

⚠️ Potential issue

Fix variable-name typo & quote the token before logging

instance_region is set on L175, but the debug echo on L176 references ${region} – this will print an empty string.
While touching this, quote $access_token in the aws ssm put-parameter call to prevent word-splitting and possible shell-injection via the random UUID.

- instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
- echo "Retrieved region ${region} from metadata service"
+instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
+echo "Retrieved region ${instance_region} from metadata service"

- aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value $access_token --region $instance_region --type SecureString --overwrite 
+aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value "$access_token" --region "$instance_region" --type SecureString --overwrite 
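Review bot: the `+` lines drop the leading space that the `-` lines carry; inside a UserData block scalar that puts them one column shallower than the neighbouring lines, which can terminate the scalar early and break the template, so keep the original indentation when applying this. The replacement `aws ssm put-parameter` line also keeps the trailing space that YAMLlint flags at line 181; trim it while here.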
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 173-173: trailing spaces

(trailing-spaces)


[error] 177-177: trailing spaces

(trailing-spaces)


[error] 181-181: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/ec2-vscode.yml around lines 171 to 181, fix the variable name
typo by changing the echo statement to reference ${instance_region} instead of
${region} to correctly display the retrieved region. Also, quote the
$access_token variable in the aws ssm put-parameter command to prevent
word-splitting and potential shell injection vulnerabilities.

Comment thread rg_main_stack.yml
Comment on lines +174 to 183
IMDSv2LaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: IMDSV2
LaunchTemplateData:
DisableApiTermination: true
MetadataOptions:
HttpTokens: required
HttpPutResponseHopLimit: 2
RGEC2Instance:

💡 Verification agent

🧩 Analysis chain

IMDSv2LaunchTemplate declared but never used

The new launch template enforces IMDSv2, but RGEC2Instance (L184 ff.) is still defined the old way and does not reference it.
Either attach the template:

LaunchTemplate:
  # Ref on an AWS::EC2::LaunchTemplate returns the template ID, so reference it by ID
  LaunchTemplateId: !Ref IMDSv2LaunchTemplate
  Version: 1

or remove the unused resource to avoid dead-code drift.


🏁 Script executed:

#!/bin/bash
# Verify if RGEC2Instance references the new LaunchTemplate
rg -n -A10 "RGEC2Instance:" rg_main_stack.yml

Length of output: 386


Attach or Remove the Unused IMDSv2LaunchTemplate

The IMDSv2LaunchTemplate resource is declared but never referenced by your EC2 instance. You should either attach it to RGEC2Instance or remove it to avoid dead-code drift.

• File: rg_main_stack.yml
• Location: around lines 183–192

Suggested change—add under RGEC2Instance.Properties:

    LaunchTemplate:
      # Ref on an AWS::EC2::LaunchTemplate returns the template ID, so reference it by ID
      LaunchTemplateId: !Ref IMDSv2LaunchTemplate
      Version: !GetAtt IMDSv2LaunchTemplate.LatestVersionNumber

Or, if you don’t intend to use it, delete the IMDSv2LaunchTemplate resource block.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 177-177: wrong indentation: expected 6 but found 8

(indentation)


[error] 180-180: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rg_main_stack.yml around lines 174 to 183, the IMDSv2LaunchTemplate resource
is defined but not used by the RGEC2Instance. To fix this, either attach the
IMDSv2LaunchTemplate to the RGEC2Instance by adding a LaunchTemplate property
under RGEC2Instance.Properties referencing the IMDSv2LaunchTemplate name and its
latest version, or remove the entire IMDSv2LaunchTemplate resource block if it
is not needed.

Comment on lines +405 to +407
LaunchTemplate:
LaunchTemplateName: "RG-IMDSv2"
Version: 1

⚠️ Potential issue

LaunchTemplate.Version should be quoted

YAML interprets bare 1 as an integer, but CloudFormation expects a string for the Version field. Quote it to avoid “expected String” validation errors.

-  Version: 1
+  Version: "1"
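Review bot: quoting fixes the type, but `Version: "1"` hard-pins the instance to the first version of `RG-IMDSv2`, a template this stack does not create (see the earlier comment on the missing resource), so any later hardening of that template never reaches this instance. If the intent is to track the template, pass the version in as a stack parameter or create the template in-stack and use `!GetAtt` on its `LatestVersionNumber`; if the intent is to freeze it, say so in a comment next to the value.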
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 407-407: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/ec2-secure-desktop.yml around lines 405 to 407, the
LaunchTemplate.Version value is currently an unquoted integer (1), but
CloudFormation requires this to be a string. Fix this by enclosing the Version
value in quotes, changing it from 1 to "1" to ensure proper YAML parsing and
CloudFormation validation.

@RLIndia RLIndia merged commit 94044f0 into main Jul 18, 2025
4 checks passed