12 changes: 10 additions & 2 deletions SRE/Network-CFTS/vpc-squid.yml
@@ -313,8 +313,16 @@ Resources:
yum update -y --security

# Disable source / destination check. It cannot be disabled from the launch configuration
region=${AWS::Region}
instanceid=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instanceid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)

Comment on lines +316 to +325

🛠️ Refactor suggestion

Trailing spaces + missing error handling for empty IMDS token

YAMLlint flags trailing whitespace on 318 & 322.
Also, if the PUT fails (e.g. IMDSv1 disabled but v2 not yet enabled), $TOKEN is empty and the subsequent calls succeed unauthenticated, defeating the purpose.

-            TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+            TOKEN=$(curl -sSf -X PUT "http://169.254.169.254/latest/api/token" \
+              -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") || {
+                echo "Failed to fetch IMDSv2 token" >&2
+                exit 1
+            }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"
# Get the instance id to build the parameter name
instanceid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
# Get the session token
TOKEN=$(curl -sSf -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600") || {
echo "Failed to fetch IMDSv2 token" >&2
exit 1
}
# Get the region to build the parameter name
region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"
# Get the instance id to build the parameter name
instanceid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 318-318: trailing spaces

(trailing-spaces)


[error] 322-322: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In SRE/Network-CFTS/vpc-squid.yml around lines 316 to 325, remove trailing
spaces on lines 318 and 322 to fix YAMLlint warnings. Add error handling after
the PUT request to retrieve the IMDS token by checking if the TOKEN variable is
empty; if it is, exit the script or handle the error appropriately to prevent
unauthenticated metadata calls that bypass IMDSv2 security.

aws ec2 modify-instance-attribute --no-source-dest-check --instance-id $instanceid --region $region

# Install and start Squid
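Review bot: The three curl calls in this hunk drop the `-s` that the removed `instanceid=` line had and add no `-f`, so on a non-2xx answer from IMDS the HTTP error body (not an empty string) ends up in `$region` and `$instanceid` and is then passed unquoted to `aws ec2 modify-instance-attribute --no-source-dest-check --instance-id $instanceid --region $region`. Use `curl -sf` on all three calls, quote the two expansions, and bail out before the modify call if either value is empty, e.g. `[ -n "$region" ] && [ -n "$instanceid" ] || exit 1`. The pasted comments `# Get the region to build the parameter name` and `# Get the instance id to build the parameter name` also do not fit this template, where the values feed the source/destination-check change rather than an SSM parameter name.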
21 changes: 18 additions & 3 deletions cft-templates/Rstudio.yml
@@ -37,6 +37,9 @@ Parameters:
KeyPair:
Type: "AWS::EC2::KeyPair::KeyName"
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance. If no key pairs exist, please create one from the button next to the dropdown. Please contact your Administrator if you are unable to create one.
AvailabilityZone:
Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
Type: AWS::EC2::AvailabilityZone::Name

Conditions:
IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
@@ -56,6 +59,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
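Review bot: Attaching `AmazonSSMManagedInstanceCore` here bypasses the `IamPolicyEmpty` conditional in the `Policies` block directly below, which until now was the only place the operator controlled what this instance role may call. The AWS managed policy grants more than agent registration: it includes `ssm:GetParameter`/`ssm:GetParameters` on every parameter in the account and the `ssmmessages` actions that enable Session Manager, so the instance becomes reachable without the `KeyPair`/security-group controls defined above and any process on it can read non-KMS-restricted parameters. The same line is added to the other six templates in this PR; if only the agent and the `/RL/RG/...` parameter writes are needed, a customer-managed policy scoped to those paths plus the agent's `ssm:UpdateInstanceInformation`/`ssmmessages` actions would keep the role least-privilege.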
@@ -120,7 +125,16 @@ Resources:
group: 'root'
content: !Sub |
#!/usr/bin/env bash
instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)

Comment on lines +128 to +137

⚠️ Potential issue

Undefined variable in debug echo

echo "Retrieved region ${region} …" references ${region}, which is unset; the correct variable is instance_region.

-echo "Retrieved region ${region} from metadata service"
+echo "Retrieved region ${instance_region} from metadata service"

Suggested change
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"
# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${instance_region} from metadata service"
# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 130-130: trailing spaces

(trailing-spaces)


[error] 134-134: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/Rstudio.yml around lines 128 to 137, the debug echo references
an undefined variable ${region} instead of the correct variable
${instance_region}. Update the echo statement to use ${instance_region} to
correctly display the retrieved region value.

secret=`uuidgen`
echo "setting ${InitialUser} password and starting rstudio"
password=$(echo -n "$instance_id$secret" | sha256sum | awk '{print $1}')
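Review bot: The `${region}` typo in the echo (flagged above) comes from this block being pasted from vpc-squid.yml/ec2-dcv.yml, where the variable is `region`; here, in ec2-jupyterLab.yml and in ec2-vscode.yml it is `instance_region`, and the same unset-variable echo lands in all three files. Picking one variable name across the templates, or keeping the IMDS snippet in a single place, would have prevented the bug being copied. Separately, the removed line used `curl -s`; the new calls print curl's progress meter into the cfn-init log on every boot and, on an IMDS error, feed the HTTP error body into `$instance_id`, which is hashed into `password` below. `curl -sf` keeps the log clean and turns a failure into an empty string that can be checked.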
@@ -129,7 +143,7 @@ Resources:

sleep 10
public_key=$(curl http://localhost:8787/auth-public-key)
instance_region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")

aws ssm put-parameter --name "/RL/RG/rstudio/public-key/$instance_id" --value '{"secret":"'$secret'","public_key":"'$public_key'"}' --region $instance_region --type SecureString --overwrite
echo "Stored rstudio public key in SSM"
'/var/log/rstudio.log':
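Review bot: With the `-s` assignment removed here, `instance_region` and `instance_id` both come from the IMDSv2 block earlier in the script, and nothing validates them before `aws ssm put-parameter --name "/RL/RG/rstudio/public-key/$instance_id" ... --region $instance_region`. If the token PUT or a metadata GET fails, the SecureString is written under the shared literal path `/RL/RG/rstudio/public-key/` (and, since `--overwrite` is set, every instance hitting the failure clobbers the same parameter) in whatever region the CLI defaults to. Add `[ -n "$instance_id" ] && [ -n "$instance_region" ] || exit 1` before the put and quote both expansions.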
@@ -150,6 +164,7 @@ Resources:
Properties:
ImageId : '{{resolve:ssm:/RL/RG/StandardCatalog/RStudio}}'
InstanceType: !Ref 'InstanceType'
AvailabilityZone: !Ref AvailabilityZone
SecurityGroups: [!Ref 'RstudioEC2SecurityGroup']
KeyName: !Ref 'KeyPair'
IamInstanceProfile: !Ref InstanceProfile
@@ -206,4 +221,4 @@ Outputs:
Value: '443'
AvailabilityZone:
Description: AvailabilityZone of newly created Rstudio EC2Instance
Value: !GetAtt [RstudioEC2Instance, AvailabilityZone]
Value: !Ref AvailabilityZone
8 changes: 7 additions & 1 deletion cft-templates/ec2-EIP.yml
@@ -45,6 +45,9 @@ Parameters:
LatestAmiId:
Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
AvailabilityZone:
Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
Type: AWS::EC2::AvailabilityZone::Name

Conditions:
IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
@@ -64,6 +67,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
@@ -94,6 +99,7 @@ Resources:
# Signal result to CloudFormation
/opt/aws/bin/cfn-signal -e $? --stack "${AWS::StackName}" --resource "EC2Instance" --region "${AWS::Region}"
InstanceType: !Ref 'InstanceType'
AvailabilityZone: !Ref AvailabilityZone
SecurityGroups: [!Ref 'InstanceSecurityGroup']
KeyName: !Ref 'KeyPair'
ImageId: !Ref 'LatestAmiId'
@@ -134,4 +140,4 @@ Outputs:
Value: !GetAtt [EC2Instance, PublicDnsName]
AvailabilityZone:
Description: AvailabilityZone of newly created EC2 instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !Ref AvailabilityZone
20 changes: 17 additions & 3 deletions cft-templates/ec2-dcv.yml
@@ -47,6 +47,9 @@ Parameters:
Default: 0.0.0.0/0
AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
AvailabilityZone:
Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
Type: AWS::EC2::AvailabilityZone::Name

Conditions:
IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
@@ -87,6 +90,7 @@ Resources:
PolicyDocument: !Ref IamPolicyDocument
ManagedPolicyArns:
- Ref: SSMPolicy
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

InstanceProfile:
Type: 'AWS::IAM::InstanceProfile'
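Review bot: This role already attaches `SSMPolicy` via `Ref: SSMPolicy` on the line above; adding `AmazonSSMManagedInstanceCore` next to it makes the effective permission the union of the two, so any scoping `SSMPolicy` applies (for example to specific parameter paths) is widened to whatever the managed policy allows on `Resource: "*"`. Check whether `SSMPolicy` already covers what the agent needs and, if so, keep only one of the two; if both are intentional, a comment in the template saying why would save the next reader the same question.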
@@ -218,8 +222,17 @@ Resources:
content: !Sub |
#!/bin/bash
# trap '/opt/aws/bin/cfn-signal --exit-code 1 --resource EC2Instance --region ${AWS::Region} --stack ${AWS::StackName}' ERR
region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")
instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")

# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
session_id="rg-session"
auth_token=`uuidgen`
parameter_name="/RL/RG/nice-dcv/auth-token/$instance_id"
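Review bot: `parameter_name="/RL/RG/nice-dcv/auth-token/$instance_id"` is built from a value the new block never checks. The `cfn-signal --exit-code 1` ERR trap above this block is still commented out and there is no `set -e`, so a failed token PUT or metadata GET does not fail the stack; it leaves `$instance_id` empty (or holding curl's error body, since `-s`/`-f` were dropped along with the removed lines) and the auth token is then stored under the fixed path `/RL/RG/nice-dcv/auth-token/`. Add `[ -n "$instance_id" ] || exit 1` right after the GET and use `curl -sf` on the three calls so an error surfaces as empty output.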
@@ -385,6 +398,7 @@ Resources:
InstanceType: !Ref 'InstanceType'
SecurityGroups: [!Ref 'InstanceSecurityGroup']
KeyName: !Ref 'KeyPair'
AvailabilityZone: !Ref AvailabilityZone
ImageId: "{{resolve:ssm:/RL/RG/StandardCatalog/linux-nice-dcv-ami}}"
IamInstanceProfile: !Ref InstanceProfile
BlockDeviceMappings:
@@ -433,4 +447,4 @@ Outputs:
Value: '8443'
AvailabilityZone:
Description: AvailabilityZone of newly created EC2 instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !Ref AvailabilityZone
21 changes: 18 additions & 3 deletions cft-templates/ec2-jupyterLab.yml
@@ -37,6 +37,9 @@ Parameters:
KeyPair:
Type: "AWS::EC2::KeyPair::KeyName"
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance. If no key pairs exist, please create one from the button next to the dropdown. Please contact your Administrator if you are unable to create one.
AvailabilityZone:
Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
Type: AWS::EC2::AvailabilityZone::Name

Conditions:
IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
@@ -56,6 +59,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
@@ -160,8 +165,17 @@ Resources:
echo "fetching token and starting jupyterlab"
`docker-compose up -d`
sleep 5
instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")
instance_region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"

Comment on lines +168 to +178

🛠️ Refactor suggestion

Variable typo drops useful debug output.

echo "Retrieved region ${region} …" references an undefined ${region}.
Should echo ${instance_region} instead.

-echo "Retrieved region ${region} from metadata service"
+echo "Retrieved region ${instance_region} from metadata service"

Suggested change
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"
# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${instance_region} from metadata service"
# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 170-170: trailing spaces

(trailing-spaces)


[error] 174-174: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/ec2-jupyterLab.yml around lines 168 to 178, the echo statement
incorrectly references an undefined variable ${region} instead of the correct
${instance_region}. Update the echo command to use ${instance_region} to
correctly display the retrieved region for debugging purposes.

#access_token=$((docker exec jupyterlab /bin/bash -c "jupyter server list" | grep token | awk '{print $1}') | sed 's/.*=//')
#echo "$access_token"
docker exec jupyterlab /bin/bash -c "jupyter server list" > access_token.txt 2>&1
@@ -198,6 +212,7 @@ Resources:
KeyName: !Ref 'KeyPair'
IamInstanceProfile: !Ref InstanceProfile
PropagateTagsToVolumeOnCreation: true
AvailabilityZone: !Ref AvailabilityZone
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
@@ -269,4 +284,4 @@ Outputs:
Value: '443'
AvailabilityZone:
Description: AvailabilityZone of newly created JupyterLab EC2Instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !Ref AvailabilityZone
4 changes: 3 additions & 1 deletion cft-templates/ec2-linux-docker-mysql.yml
@@ -78,6 +78,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
@@ -184,4 +186,4 @@ Outputs:
Value: !GetAtt [EC2Instance, PrivateIp]
AvailabilityZone:
Description: AvailabilityZone of newly created EC2 instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !GetAtt [EC2Instance, AvailabilityZone]
4 changes: 3 additions & 1 deletion cft-templates/ec2-linux-docker.yml
@@ -64,6 +64,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
@@ -145,4 +147,4 @@ Outputs:
Value: !GetAtt [EC2Instance, PublicDnsName]
AvailabilityZone:
Description: AvailabilityZone of newly created EC2 instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !GetAtt [EC2Instance, AvailabilityZone]
39 changes: 32 additions & 7 deletions cft-templates/ec2-secure-desktop.yml
@@ -59,9 +59,20 @@ Resources:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
- Sid: AllowSSMParamActions
Effect: Allow
Action:
- ssm:GetParameter
- ssm:PutParameter
- ssm:DescribeParameters
Resource: "*"
- Sid: AllowAccessToEncryptionKeys
Effect: Allow
Action:
- ssm:*
- kms:Decrypt
- kms:Encrypt
- kms:GenerateDataKey
- kms:DescribeKey
Resource: "*"
InstanceRolePermissionBoundary:
Type: AWS::IAM::ManagedPolicy
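Review bot: Replacing `ssm:*` with `GetParameter`/`PutParameter`/`DescribeParameters` is the right direction, but both new statements keep `Resource: "*"`. The script further down only touches `/RL/RG/secure-desktop/auth-token/$instance_id`, so `AllowSSMParamActions` can be scoped to `!Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/RL/RG/secure-desktop/*` (keeping `ssm:DescribeParameters` in its own statement on `*`, as it does not support resource-level restriction), and `AllowAccessToEncryptionKeys` to the ARN of the key that protects the SecureString. `kms:Decrypt` plus `kms:Encrypt`/`kms:GenerateDataKey` on every key the key policies admit is a large grant for an instance role, and the `InstanceRolePermissionBoundary` defined right after this should not be the only thing holding it in.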
@@ -300,9 +311,18 @@ Resources:
group: "ec2-user"
content: !Sub |
#!/bin/bash
# trap '/opt/aws/bin/cfn-signal --exit-code 1 --resource EC2Instance --region ${AWS::Region} --stack ${AWS::StackName}' ERR
region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")
instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")
trap "Error setting user token. You may not be able to access your instance URL" ERR
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"

session_id="rg-session"
auth_token=`uuidgen`
parameter_name="/RL/RG/secure-desktop/auth-token/$instance_id"
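Review bot: `trap "Error setting user token. You may not be able to access your instance URL" ERR` never prints that message: the first argument to `trap` is a command string, so on an error bash tries to run a command named `Error` and logs `Error: command not found` instead. Use `trap 'echo "Error setting user token. You may not be able to access your instance URL" >&2' ERR`. Note also that this replaces the commented-out `cfn-signal --exit-code 1` trap, so an IMDS or SSM failure in this block now only logs rather than failing the stack, while `parameter_name` is still built from an unchecked `$instance_id`; a `[ -n "$instance_id" ] || exit 1` after the GET would at least stop the token from being written under the bare `/RL/RG/secure-desktop/auth-token/` path.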
@@ -382,6 +402,9 @@ Resources:
cwd: "/home/ec2-user"
command: "/home/ec2-user/start_jupyter.sh"
Properties:
LaunchTemplate:
LaunchTemplateName: "RG-IMDSv2"
Version: 1
Comment on lines +405 to +407

⚠️ Potential issue

LaunchTemplate.Version should be quoted

YAML interprets bare 1 as an integer, but CloudFormation expects a string for the Version field. Quote it to avoid “expected String” validation errors.

-  Version: 1
+  Version: "1"

Suggested change
LaunchTemplate:
LaunchTemplateName: "RG-IMDSv2"
Version: 1
LaunchTemplate:
LaunchTemplateName: "RG-IMDSv2"
Version: "1"
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 407-407: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/ec2-secure-desktop.yml around lines 405 to 407, the
LaunchTemplate.Version value is currently an unquoted integer (1), but
CloudFormation requires this to be a string. Fix this by enclosing the Version
value in quotes, changing it from 1 to "1" to ensure proper YAML parsing and
CloudFormation validation.

UserData:
Fn::Base64: !Sub |
#!/usr/bin/env bash
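Review bot: `LaunchTemplateName: "RG-IMDSv2"` is resolved by name at deploy time, so this stack now depends on a launch template that lives outside it, and `Version: 1` pins whatever settings that version carried when it was created; later edits to the template will not reach new instances. Document the prerequisite (or take name and version as parameters) so a deployment in an account without that template fails for an understandable reason. This is also the only template in the PR that attaches the launch template; the others add the `X-aws-ec2-metadata-token` header in their scripts but launch without it, so when `$TOKEN` is empty curl sends no token header and the call is served by IMDSv1 wherever the instance still allows it, as the earlier comment on vpc-squid.yml points out.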
@@ -454,7 +477,7 @@ Resources:


BlockDeviceMappings:
- DeviceName: /dev/xvda
- DeviceName: /dev/sda1
Ebs:
VolumeSize: !Ref EBSVolumeSize
Encrypted: true
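Review bot: Changing the mapping from `/dev/xvda` to `/dev/sda1` only resizes and encrypts the root disk if `/dev/sda1` is the AMI's root device name. If it is not, CloudFormation attaches an additional encrypted volume of `EBSVolumeSize` GiB under that name and the actual root volume keeps the AMI's size and encryption defaults, so `Encrypted: true` silently stops applying to the disk that matters. Confirm the `RootDeviceName` of the AMI this template resolves (`aws ec2 describe-images --image-ids <ami-id> --query 'Images[].RootDeviceName'`) before merging, and add a comment recording why this template differs from the `/dev/xvda` used elsewhere in the PR.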
@@ -469,11 +492,13 @@ Resources:
PropagateTagsToVolumeOnCreation: true
Tags:
- Key: Name
Value: !Join ["-", [Ref: Namespace, "ec2-linux"]]
Value: !Join ["-", [Ref: Namespace, "ec2-secure-linux"]]
- Key: Description
Value: EC2 workspace instance
- Key: cost_resource
Value: !Sub ${AWS::StackName}
- Key: PatchGroup
Value: RG-PatchGroup-Linux

InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
4 changes: 3 additions & 1 deletion cft-templates/ec2-ubuntu.yml
@@ -66,6 +66,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
@@ -138,4 +140,4 @@ Outputs:
Value: !GetAtt [EC2Instance, PublicDnsName]
AvailabilityZone:
Description: AvailabilityZone of newly created EC2 instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !GetAtt [EC2Instance, AvailabilityZone]
22 changes: 18 additions & 4 deletions cft-templates/ec2-vscode.yml
@@ -20,7 +20,10 @@ Parameters:
EBSVolumeSize:
Description: The initial size of the volume (in GBs), Select volume size must be 32 or above.
Type: Number
Default: 32
Default: 32
AvailabilityZone:
Description: Select the availability zone in which to create the instance. If you plan to attach a secondary volume to the instance, create this instance in the same AvailabilityZone as the volume you created.
Type: AWS::EC2::AvailabilityZone::Name
InstanceType:
Type: String
Description: Choose the instance type e.g t3.medium (2vCPU , 2GiB RAM), t3.large (2vCPU, 8GiB RAM), t3.xlarge(4vCPU, 16GiB RAM)
@@ -56,6 +59,8 @@ Resources:
- 'ec2.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- !If
- IamPolicyEmpty
@@ -163,8 +168,16 @@ Resources:
access_token=`uuidgen`
`PASSWORD=$access_token docker-compose up -d`
sleep 5
instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")
instance_region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"

# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value $access_token --region $instance_region --type SecureString --overwrite
Comment on lines +171 to 181

⚠️ Potential issue

Fix variable‐name typo & quote the token before logging

instance_region is set on L175, but the debug echo on L176 references ${region} – this will print an empty string.
While touching this, quote $access_token in the aws ssm put-parameter call to prevent word-splitting and possible shell-injection via the random UUID.

- instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
- echo "Retrieved region ${region} from metadata service"
+instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
+echo "Retrieved region ${instance_region} from metadata service"

- aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value $access_token --region $instance_region --type SecureString --overwrite 
+aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value "$access_token" --region "$instance_region" --type SecureString --overwrite 

Suggested change
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${region} from metadata service"
# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value $access_token --region $instance_region --type SecureString --overwrite
# Get the session token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Get the region to build the parameter name
instance_region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
echo "Retrieved region ${instance_region} from metadata service"
# Get the instance id to build the parameter name
instance_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Retrieved instance_id $instance_id from metadata service"
aws ssm put-parameter --name "/RL/RG/vs-code/auth-token/$instance_id" --value "$access_token" --region "$instance_region" --type SecureString --overwrite
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 173-173: trailing spaces

(trailing-spaces)


[error] 177-177: trailing spaces

(trailing-spaces)


[error] 181-181: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In cft-templates/ec2-vscode.yml around lines 171 to 181, fix the variable name
typo by changing the echo statement to reference ${instance_region} instead of
${region} to correctly display the retrieved region. Also, quote the
$access_token variable in the aws ssm put-parameter command to prevent
word-splitting and potential shell injection vulnerabilities.

echo "Stored vscode token in SSM"
'/var/log/vscode.log':
@@ -185,6 +198,7 @@ Resources:
Properties:
ImageId : '{{resolve:ssm:/RL/RG/StandardCatalog/VS-Code}}'
InstanceType: !Ref 'InstanceType'
AvailabilityZone: !Ref AvailabilityZone
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
@@ -267,4 +281,4 @@ Outputs:
Value: '443'
AvailabilityZone:
Description: AvailabilityZone of newly created VS-Code EC2Instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
Value: !Ref AvailabilityZone