[#327] Use AWS Session Manager to Securely connect to an EC2 instance #330
Open
tung-nimblehq wants to merge 4 commits into develop from
Conversation
fba02c0 to e7d7b67
DustinDust approved these changes on Feb 24, 2026
DustinDust left a comment
Approved with optional minor comments 💯
Base automatically changed from fix/326-migrate-bastion-module-from-launch-configuration-to-launch-template to develop on February 26, 2026 02:38
86b88db to 2a5a922
…e, remove SSH ingress rule and add HTTPS egress rule for SSM
2a5a922 to 91d120f
81dd178 to b5d8760
| image_id = var.image_id | ||
| image_id = data.aws_ami.amazon_linux_2023.id | ||
| instance_type = var.instance_type | ||
| key_name = var.key_name |
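Review bot: `key_name = var.key_name` is still passed to the instance even though this change is meant to replace SSH with Session Manager; drop the argument (and the variable behind it) so a later rebuild cannot quietly reintroduce key-based access the moment someone re-adds an SSH ingress rule. Also, if `data.aws_ami.amazon_linux_2023` is declared with `most_recent = true`, the resolved image id moves every time AWS publishes a new AL2023 AMI and `terraform plan` will propose replacing the bastion; either pin the name filter to a release or accept that churn deliberately and document it.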
Since we're replacing SSH with SSM, can we remove this? 🙏
b5d8760 to 90b3e99
What happened 👀
- Add `iam_role` module.
- Update `bastion` module to set `iam_instance_profile` to allow it to connect with SSM.
- Remove `bastion_ingress_ssh_nimble` ingress rule.
- Add `bastion_egress_ssm` egress rule.
- Update `bastion_image_id` to use `amazon_linux_2023`, which ensures the SSM agent is already set up on the image.
- Add `SSMInstanceRole` to attach AmazonSSMManagedInstanceCore to the `bastion` instance, allowing it to connect with SSM.

Insight 📝
- `iam_role` module allows us to reuse it for cases that need to create a role or profile (EC2); that's easier to maintain and more readable than injecting it inside the `bastion` module's `main.tf`.
- `bastion_image_id` was inconvenient for developer experience because we had to go to the AWS console or use the CLI to list bastion image IDs, which took time and wasn't very necessary for a bastion instance. Instead, we can force the bastion to use the optimized and recommended image from AWS, `amazon_linux_2023`. It also sets up the SSM agent for us.
- `key-pair`, but its default does not create one.

Proof Of Work 📹
Able to connect to the bastion instance without a key pair, without an open SSH port, and without setting a specific IP address for the connection.
Screen.Recording.2026-01-24.at.21.28.34.mov
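As an added example, not the project's own Terraform (only the four-line diff fragment above is visible on this page), here is a minimal configuration for the pattern this PR describes: an AL2023 bastion with an instance profile carrying AmazonSSMManagedInstanceCore, a security group with no ingress rules and HTTPS egress only, and no key pair. The variables `var.vpc_id` and `var.subnet_id`, the resource and output names, and the instance type are assumptions made for the example.

```hcl
# Added example, not the project's code: an SSM-only bastion.
# Assumed inputs (hypothetical variables): var.vpc_id, var.subnet_id.

# Resolve the current Amazon Linux 2023 AMI; AL2023 ships with the SSM agent
# preinstalled and enabled, so no user_data is needed for it to register.
data "aws_ami" "amazon_linux_2023" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-2023.*-x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# Trust policy so the EC2 service can assume the role on the instance's behalf.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "bastion_ssm" {
  name               = "SSMInstanceRole"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

# AWS-managed policy granting the ssm:, ssmmessages: and ec2messages:
# permissions the agent needs to register and open sessions. Nothing else.
resource "aws_iam_role_policy_attachment" "bastion_ssm_core" {
  role       = aws_iam_role.bastion_ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "bastion" {
  name = "bastion-ssm"
  role = aws_iam_role.bastion_ssm.name
}

# Deliberately no ingress rule at all: Session Manager rides the agent's
# outbound HTTPS connection, so port 22 is never exposed to any CIDR.
resource "aws_security_group" "bastion" {
  name        = "bastion-ssm"
  description = "SSM-managed bastion: outbound HTTPS only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "bastion_egress_ssm" {
  security_group_id = aws_security_group.bastion.id
  description       = "HTTPS to the ssm, ssmmessages and ec2messages endpoints"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0" # narrow to your VPC endpoint CIDR if you use interface endpoints
}

resource "aws_instance" "bastion" {
  ami                    = data.aws_ami.amazon_linux_2023.id
  instance_type          = "t3.micro" # assumed size
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.bastion.id]
  iam_instance_profile   = aws_iam_instance_profile.bastion.name
  # No key_name: there is nothing to SSH into, so no key pair is provisioned.

  metadata_options {
    http_tokens = "required" # IMDSv2 only; the SSM agent supports it
  }

  tags = { Name = "bastion" }
}

output "bastion_instance_id" {
  value = aws_instance.bastion.id
}
```

After `terraform apply`, the instance should appear in `aws ssm describe-instance-information` once the agent has registered (typically within a minute or two), and `aws ssm start-session --target "$(terraform output -raw bastion_instance_id)"` opens a shell with no key pair, no open inbound port and no caller IP allow-list. Two caveats worth keeping in mind: the `most_recent = true` lookup with a wildcard name means a new AL2023 release changes the AMI id and a later `plan` will propose replacing the bastion, so either pin the filter or treat that rebuild as intended patching; and access control moves from the security group to IAM, so restrict `ssm:StartSession` on the operator side and enable Session Manager logging to CloudWatch Logs or S3 to get the audit trail SSH never gave you.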