Merge pull request #145 from redhat-cop/patchback/backports/stable-3/c7c6737a2a2695198185a7e4450c58d60ea4def8/pr-129

[PR #129/c7c6737a backport][stable-3] Add security for keypair creation in configure_ec2 pattern

Author: abikouo

extensions/patterns/configure_ec2/README.md

@@ -4,6 +4,18 @@
 
 This pattern is designed to help get an EC2 instance up and running.
 
+To enable SSH access to the EC2 instance from your local machine, you need to do 2 things:
+
+1. **Provide the Key Name**: Specify an existing key name in the **key_name** parameter in the survey. The EC2 instance will be associated with the key pair corresponding to the provided name. If the key pair is unavailable, you will not be able to access the instance from your local machine.
+
+2. **Add a Security Group Rule for SSH Access**: Configure a security group rule to allow inbound SSH traffic from your local machine's IP address. Provide this rule in the **sg_rules** parameter in the survey. Following is an example of the security group rule:
+
+```yaml
+  - proto: tcp
+    ports: 22
+    cidr_ip: 203.0.113.0/3
+```
+
 ## What This Pattern Covers
 
 ### Projects

extensions/patterns/configure_ec2/playbooks/create_ec2_instance.yml

@@ -14,6 +14,20 @@
       ansible.builtin.set_fact:
         final_sg_rules: "{{ create_external_access_resources | ternary(sg_rules_list + allow_external_access_sg_rules, sg_rules_list) }}"
 
+    - name: Validate key if given
+      when: key_name is defined and key_name != ''
+      block:
+        - name: Check if the key exists
+          amazon.aws.ec2_key_info:
+            names:
+              - "{{ key_name }}"
+          register: key_info_result
+
+        - name: Set manage_ec2_instance_key_name role var
+          ansible.builtin.set_fact:
+            manage_ec2_instance_key_name: "{{ key_name }}"
+          when: key_info_result.keypairs | length > 0
+
     - name: Get RHEL 9 AMI ID if needed
       when: ami_id | default("", true) == ""
       block:
@@ -25,6 +39,7 @@
             owner:
               - amazon
           register: images
+
         - name: Update ami_id variable
           ansible.builtin.set_fact:
             ami_id: "{{ (images.images | sort(attribute='name') | last).image_id }}"
@@ -50,9 +65,13 @@
         manage_ec2_instance_instance_name: "{{ instance_name }}"
         manage_ec2_instance_instance_type: "{{ instance_type }}"
         manage_ec2_instance_ami_id: "{{ ami_id }}"
-        manage_ec2_instance_key_name: "{{ key_name }}"
         manage_ec2_instance_vpc_subnet_id: "{{ ec2_networking_resources_subnet_result.subnet.id }}"
         manage_ec2_instance_wait_for_state: "{{ wait_for_state | bool }}"
         manage_ec2_instance_associate_security_groups: "{{ [sg_name] }}"
         manage_ec2_instance_associate_eip: "{{ create_external_access_resources }}"
         manage_ec2_instance_instance_tags: "{{ instance_tags | default('{}', true) | from_json }}"
+
+    - name: Warn if key does not exist
+      ansible.builtin.debug:
+        msg: "Warning: The key '{{ key_name }}' does not exist!"
+      when: key_name is defined and key_info_result.keypairs | length == 0

extensions/patterns/configure_ec2/playbooks/group_vars/all.yml

@@ -1,4 +1,3 @@
-key_name: "{{ instance_name }}-key"
 wait_for_state: true
 vpc_name: "{{ instance_name }}-vpc"
 vpc_cidr: 10.0.0.0/24

extensions/patterns/configure_ec2/template_surveys/create_ec2_instance.yml

@@ -28,7 +28,7 @@ spec:
 
   - type: text
     question_name: Key Pair Name
-    question_description: Name of key pair to use or create for SSH access to the EC2 instance. Defaults to '{{ instance_name }}-key'
+    question_description: Name of key pair to use for SSH access to the EC2 instance. If the key does not exist or not provided, the instance will not be accessible via SSH.
     variable: key_name
     required: false
 

roles/manage_ec2_instance/README.md

@@ -6,7 +6,7 @@ Users can specify various parameters for instance configuration, including insta
 
 This role can be combined with the [cloud.aws_ops.ec2_networking_resources role](../ec2_networking_resources/README.md) to create/delete networking resources for the instance, see [examples](#examples).
 
-EC2 instance details and the private key (if a key pair is created) will be displayed as role output. The instance and key pair details are accessible via variables `ec2_instance_manage_create_result` and `ec2_instance_manage_key_pair_result`, respectively.
+The instance and key pair details are accessible via variables `ec2_instance_manage_create_result` and `ec2_instance_manage_key_pair_result`, respectively.
 
 ## Requirements
 

roles/manage_ec2_instance/tasks/ec2_instance_create_operations.yml

@@ -21,13 +21,15 @@
         names:
           - "{{ manage_ec2_instance_key_name }}"
       register: key_info_result
+      no_log: true
 
     - name: Create new key pair
       amazon.aws.ec2_key:
         name: "{{ manage_ec2_instance_key_name }}"
         state: present
       when: key_info_result.keypairs | length == 0
       register: ec2_instance_manage_key_pair_result
+      no_log: true
 
 - name: Create EC2 instance with provided configuration
   amazon.aws.ec2_instance:
@@ -59,8 +61,3 @@
     msg:
       - "EC2 instance {{ ec2_instance.instance_ids[0] }} created successfully"
       - "Instance details: {{ ec2_instance_manage_create_result.instances[0] }}"
-
-- name: Output private key if a new keypair was created
-  when: ec2_instance_manage_key_pair_result.key is defined
-  ansible.builtin.debug:
-    msg: "A new key pair was created for ssh access to the instance. Please save this private key for reference: {{ ec2_instance_manage_key_pair_result.key.private_key }}"