A custom resource Lambda function for creating EC2 key-pairs, written in Go, and suitable for direct invocation by CloudFormation. The private key material is pushed into an associated SSM Parameter.
Well, at the time of this writing the EC2 key-pair is not a supported resource type in CloudFormation and I really wanted it to be.
You see, for demonstration purposes, I'm a big fan of as-self-contained-as-possible infrastructure definitions.
I really hate specifying parameters for my templates (everything should have a default).
Because, have you seen the `aws cloudformation` CLI's syntax for specifying parameters? /me shudders
Additionally, for those teams that aren't yet spun up on or are otherwise unable to leverage Terraform or other infrastructure-as-code development tools, this implementation requires no tooling other than the AWS CLI and optionally the SAM CLI for testing.
AS A developer of infrastructure I WANT to create SSH key-pairs for EC2 instances by declaring such in a CloudFormation template SO THAT when applying said template I am not required to have first created, out of band, EC2 key-pair(s).
All resource properties are optional:

- `KeyName`: the EC2 KeyPair name; if not specified, one is generated (see NewPhysicalResourceID)
- `ParameterPath`: the SSM Parameter name prefix; if not specified, defaults to `/ec2/key-pair`
- `ParameterKeyId`: the KMS key used to encrypt the private key material; if not specified, defaults to `alias/aws/ssm`
- `ParameterDescription`: if not specified, defaults to the value of the key fingerprint
- `ParameterOverwrite`: determines whether an existing parameter with the same name will be overwritten with a new version; if not specified, defaults to `false`
Return values:

- `!Ref` returns the `KeyName`
- `Fn::GetAtt ParameterName` returns the name of the SSM Parameter holding the private key material
- `Fn::GetAtt ParameterKeyId` returns the id of the key used to encrypt it
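As an added illustration (not the project's code), the Create path of such a handler in Go, applying the property defaults listed above and returning the `!Ref` id plus the two `Fn::GetAtt` attributes. The `KeyPairStore` closures are assumed stand-ins for the EC2 CreateKeyPair and SSM PutParameter calls, and the generated-name scheme and `<ParameterPath>/<KeyName>` parameter naming are assumptions.

```go
package main
import (
	"crypto/rand"
	"fmt"
	"path"
)
// KeyPairStore holds the two AWS calls the resource needs (EC2 CreateKeyPair, SSM PutParameter SecureString); assumed shape.
type KeyPairStore struct {
	CreateKeyPair      func(name string) (material, fingerprint string, err error)
	PutSecureParameter func(name, value, keyID, desc string, overwrite bool) error
}
// Props mirrors the optional resource properties above; the bool zero value is the default false.
type Props struct {
	KeyName, ParameterPath, ParameterKeyId, ParameterDescription string
	ParameterOverwrite bool
}
// HandleCreate applies the defaults, creates the key pair, stores the private key under
// <ParameterPath>/<KeyName> and returns the !Ref id plus the Fn::GetAtt attributes.
func HandleCreate(store KeyPairStore, p Props) (string, map[string]string, error) {
	if p.KeyName == "" { // generated, as NewPhysicalResourceID does; the suffix scheme is assumed
		b := make([]byte, 8)
		rand.Read(b) // crypto/rand does not return an error on supported platforms
		p.KeyName = fmt.Sprintf("ec2-key-pair-%x", b)
	}
	if p.ParameterPath == "" {
		p.ParameterPath = "/ec2/key-pair"
	}
	if p.ParameterKeyId == "" {
		p.ParameterKeyId = "alias/aws/ssm"
	}
	material, fingerprint, err := store.CreateKeyPair(p.KeyName)
	if err != nil {
		return "", nil, fmt.Errorf("create key pair: %w", err)
	}
	if p.ParameterDescription == "" {
		p.ParameterDescription = fingerprint
	}
	name := path.Join(p.ParameterPath, p.KeyName)
	if err := store.PutSecureParameter(name, material, p.ParameterKeyId, p.ParameterDescription, p.ParameterOverwrite); err != nil {
		return "", nil, fmt.Errorf("put parameter %s: %w", name, err)
	}
	return p.KeyName, map[string]string{"ParameterName": name, "ParameterKeyId": p.ParameterKeyId}, nil
}
func main() { // smoke run against constructed stand-ins; no AWS credentials needed
	store := KeyPairStore{
		CreateKeyPair:      func(string) (string, string, error) { return "PEM(constructed)", "ab:cd:ef", nil },
		PutSecureParameter: func(n, _, k, d string, _ bool) error { fmt.Println("put", n, k, d); return nil },
	}
	fmt.Println(HandleCreate(store, Props{KeyName: "demo"}))
}
```

With the real SDK calls plugged into the two closures, the same function body is what a `cfn.LambdaWrap`-style handler would run for the Create request type.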
To do:

- support indirect invocation via SNS
- support alternative methods for handling the private key material, such as:
  - cipher-text as an attribute, suitable for use in an output (NoEcho?)
  - Simple Storage Service (S3)
  - Secrets Manager
  - HTTP PUT