Create a simple ec2 instance in VPC/Subnet of your choice, with SSM enabled so you can get a shell on it without opening SSH. This can be used to test connectivity between AWS locations. It runs a simple user_data.sh script that will install some common tools (docker) and login to the ECR registry of the AWS account.
The only required variables are the vpc_id and subnet_id where you want to creat the instance.
The instance MUST have access to AWS Apis for SSM to work. This can be via a IGW (public IP on instance, or via VPC-Endpoints, see Starting a service in an air gapped private Subnet)
You can get the instance id from Terraform and pass it straight into AWS CLI. Note the --raw which removes the quotes from the instance_id as AWS CLI fails if they are present.
aws ssm start-session --target $(terraform output --raw instance_id)
SSM requires access to AWS APIs in order to work. This requires the server being placed in a Subnet that has outbound internet access. This can be either a public subnet using an Internet Gateway and public IP assigned to the instance, a private subnet with a NAT-Gateway, or in a subnet that has VPC Endpoints configured for ssmmessages, ssm, and ec2messages
In order to populate the following Terraform documentation, run the terraform-docs . command.
The .terraform-docs.yml file contains the configuration to make sure if gets created in the correct way.
| Name | Version |
|---|---|
| aws | ~> 4.0 |
| Name | Version |
|---|---|
| aws | ~> 4.0 |
| random | n/a |
| template | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_instance_profile.profile | resource |
| aws_iam_role.role | resource |
| aws_instance.instance | resource |
| aws_security_group.security_group | resource |
| random_string.module_suffix | resource |
| aws_ami.this | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_policy | data source |
| aws_region.current | data source |
| template_file.user_data | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_role_policies | Additional Policies to attach to the instance in additional to SSM | list(string) |
[] |
no |
| additional_security_groups | Addition security groups to assign to the instance | list(string) |
[] |
no |
| additional_tags | Map of tags to add to all resources | map(string) |
{} |
no |
| additional_user_data | Additional code to be added to the user_data.sh script | string |
null |
no |
| ami | Specify an AMI to run, if not it will use the latest Amazon Linux, or Windows Server image. | string |
"" |
no |
| associate_public_ip_address | Assign public IP to the instance. | bool |
true |
no |
| comment | Comment tag to add to all resources | string |
"" |
no |
| instance_name_override | Override the name tag provided to the instance. default: -tmp-instance- | string |
null |
no |
| instance_type | AWS instance type to create | string |
"t3.nano" |
no |
| key_name | SSH key pair to use | string |
"" |
no |
| subnet_id | Subnet to create the instance in | string |
n/a | yes |
| volume_size | Root volume size of instance | number |
10 |
no |
| vpc_id | VPC to create the test instance in | string |
n/a | yes |
| windows | Do you want to run a Windows server?... whyyy? | bool |
false |
no |
| Name | Description |
|---|---|
| ami | ID of the AMI that has been selected. |
| instance | The created instance, allowing use of any of the attributes of the aws_instance resourfce |
| instance_id | ID of the instance that has been created. Can be used in SSM Start session command with $(terraform output instance_id|jq -r) |
| instance_role | The IAM role assigned to the instance |
| security_group | The security group created for instance. Can be used to add additional rules |