Use aws-ec2-ssh (https://github.com/widdix/aws-ec2-ssh) to auto auth through IAM user public key.
- Crontab will execute command to sync users from groups every 30 seconds.
- When user SSH login, will trigger to get the user public key to authorize.
- EC2 needs to open egress 80 & 443 port for package installation and AWS IAM access.
- This module will disable AWS ec2-instance-connect feature.
module "ec2_auth" {
source = "git::https://github.com/kkstream/terraform-aws-ec2-ssh-auth-iam"
ec2_role_id = "ec2-role"
allow_login_iam_group_names = ["Developers"]
}
resource "aws_instance" "instance" {
ami = "ami-0eeb679d57500a06c"
instance_type = "m5.large"
vpc_security_group_ids = var.security_group_ids
subnet_id = var.subnet_id
iam_instance_profile = var.iam_instance_profile_name
user_data_base64 = module.ec2_auth.ec2_user_data_base64
}| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws provider | >= 3.20 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ec2_role_id | Give the EC2 role ID (role name) for attaching the additional permissions. | string | no | yes |
| allow_login_iam_group_names | Give the IAM group names for allowing group users login | list(string) | no | yes |
| Name | Description | Type |
|---|---|---|
| ec2_user_data | (Deprecated) User data for EC2 | string |
| ec2_user_data_base64 | (Recommend) User data for EC2 in base64 | string |