General guide to getting a bastion host without an exposed SSH port running on an EC2 instance

~/.ssh/config

# Alias used on the command line: `ssh aws-sshless-basion`.
Host aws-sshless-basion
    # Placeholder for the EC2 instance id; the SSM target is the instance id, not an IP or DNS name.
    Hostname i-xxxxxxxxxxxx
    # Key presented to the instance's sshd (presumably its public half is installed there — confirm).
    IdentityFile ~/.ssh/ssh_key
    # SSH is tunnelled through an SSM Session Manager session instead of an inbound TCP port,
    # so the instance needs no security-group rule for port 22. %h and %p expand to the
    # Hostname and port above. Locally this needs the AWS CLI plus the Session Manager plugin,
    # and the "aws-profile" principal must be allowed to start sessions with the
    # AWS-StartSSHSession document. ssh still performs its normal host-key check over the tunnel.
    ProxyCommand sh -c "aws ssm start-session --profile aws-profile --region us-east-2 --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Required Software

# Install the SSM agent from the AWS-hosted RPM so the instance can register with
# Systems Manager. "latest" is unpinned; for reproducible images pin a version and
# verify the package signature against the key AWS publishes for SSM Agent before
# installing. (On Amazon Linux images the agent is typically preinstalled — confirm.)
yum -y install https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

IAM permissions for AWS SSM (Terraform)


# Naming prefix and the baseline managed policies the bastion's instance role gets.
locals {
  hostname = "host.com" # only used to derive the IAM role / instance-profile names below

  # AmazonSSMManagedInstanceCore: lets the agent register with Systems Manager (Session Manager).
  # CloudWatchAgentServerPolicy: lets the CloudWatch agent publish metrics and logs.
  attach_general_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"]
}


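# Instance role that EC2 assumes on behalf of the bastion host.
resource "aws_iam_role" "host-role" {
  name = "${local.hostname}-host-role"
  path = "/"

  # Trust policy: only the EC2 service principal may assume this role.
  # Built with jsonencode() instead of a raw heredoc so Terraform validates the
  # structure, and the policy-language version is the current "2012-10-17"
  # (the original used the superseded 2008-10-17). On an existing role this
  # shows up once as an in-place update of the trust policy at plan time.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}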

# Attach the baseline managed policies from local.attach_general_policies, one
# attachment per list element. Because this is count-based, reordering the list
# re-indexes the attachments (a detach/re-attach on the next apply).
resource "aws_iam_role_policy_attachment" "attach_policies-general" {
  count      = length(local.attach_general_policies)
  role       = aws_iam_role.host-role.name
  policy_arn = local.attach_general_policies[count.index]
}

# Caller-supplied extra policies via var.attach_policies (its variable block is
# declared elsewhere, not in this snippet). Everything attached here widens what
# the bastion's instance role can do, so review additions against least privilege;
# the SSH-over-SSM path itself needs nothing beyond AmazonSSMManagedInstanceCore.
resource "aws_iam_role_policy_attachment" "attach_policies-var" {
  count      = length(var.attach_policies)
  role       = aws_iam_role.host-role.name
  policy_arn = var.attach_policies[count.index]
}


# Instance profile that binds the role to the EC2 instance at launch; reference
# this profile's name/ARN from the aws_instance (or launch template) definition.
resource "aws_iam_instance_profile" "campus-general-host-profile" {
  role = aws_iam_role.host-role.name
  name = "${local.hostname}-profile"
}