Enable SSM access and disable SSH access.

xiaket · xiaket · commit e4255d247683 · 2020-10-10T09:14:15.000+11:00
Signed-off-by: Kai Xia &lt;kaix+github@fastmail.com&gt;
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -40,7 +40,6 @@ Metadata:
         - ImageIdParameter
         - InstanceType
         - AgentsPerInstance
-        - KeyName
         - SpotPrice
         - SecretsBucket
         - ArtifactsBucket
@@ -88,11 +87,6 @@ Metadata:
         - EnableDockerLoginPlugin
 
 Parameters:
-  KeyName:
-    Description: Optional - SSH keypair used to access the buildkite instances, setting this will enable SSH ingress
-    Type: String
-    Default: ""
-
   BuildkiteAgentRelease:
     Type: String
     AllowedValues:
@@ -464,17 +458,6 @@ Conditions:
     UseCostAllocationTags:
       !Equals [ !Ref EnableCostAllocationTags, "true" ]
 
-    HasKeyName:
-      !Not [ !Equals [ !Ref KeyName, "" ] ]
-
-    EnableSshIngress:
-      !And
-        - { Condition : CreateSecurityGroup }
-        # Enable ingress if a key can be specified another way
-        - !Or
-          - { Condition: HasKeyName }
-          - !Not [ !Equals [ !Ref AuthorizedUsersUrl, "" ] ]
-
     # Whether or not there's any managed polices to attach
     HasManagedPolicies:
       !Or [ { Condition: UseManagedPolicyARN }, { Condition: UseECR } ]
@@ -693,6 +676,23 @@ Resources:
               - sns:Unsubscribe
               - sns:Subscribe
             Resource: "*"
+          - Effect: Allow
+            Action:
+              - ssm:DescribeInstanceProperties
+              - ssm:ListAssociations
+              - ssm:PutInventory
+              - ssm:UpdateInstanceInformation
+              - ssmmessages:CreateControlChannel
+              - ssmmessages:CreateDataChannel
+              - ssmmessages:OpenControlChannel
+              - ssmmessages:OpenDataChannel
+              - ec2messages:AcknowledgeMessage
+              - ec2messages:DeleteMessage
+              - ec2messages:FailMessage
+              - ec2messages:GetEndpoint
+              - ec2messages:GetMessages
+              - ec2messages:SendRepl
+            Resource: "*"
       Roles:
         - !Ref IAMRole
 
@@ -800,7 +800,6 @@ Resources:
             - DeviceIndex: 0
               AssociatePublicIpAddress: { Ref: AssociatePublicIpAddress }
               Groups: !Split [ ",", !If [ "CreateSecurityGroup", !Ref SecurityGroup, !Ref SecurityGroupId ] ]
-          KeyName: !If [ "HasKeyName", !Ref KeyName, !Ref 'AWS::NoValue' ]
           IamInstanceProfile:
             Arn: !GetAtt "IAMInstanceProfile.Arn"
           InstanceType: !Ref InstanceType
@@ -949,16 +948,6 @@ Resources:
       - Key: Name
         Value: !Ref 'AWS::StackName'
 
-  SecurityGroupSshIngress:
-    Condition: EnableSshIngress
-    Type: AWS::EC2::SecurityGroupIngress
-    Properties:
-      GroupId: !GetAtt SecurityGroup.GroupId
-      IpProtocol: tcp
-      FromPort: 22
-      ToPort: 22
-      CidrIp: 0.0.0.0/0
-
   AutoscalingLambdaExecutionRole:
     Type: AWS::IAM::Role
     Condition: HasVariableSize
