cfn: Update ec2 key ref to be conditional (#415)

exdx · web-flow · commit d44eec683fc3 · 2023-07-19T12:02:40.000-04:00
* cfn: Update ec2 key ref to be conditional

Signed-off-by: Dan Sover &lt;dan.sover@avalabs.org&gt;

* fix: Use condition for ec2 key name

* apply: Use String type for ec2 key name

Signed-off-by: Dan Sover &lt;dan.sover@avalabs.org&gt;

---------

Signed-off-by: Dan Sover &lt;dan.sover@avalabs.org&gt;
diff --git a/avalanche-ops/src/aws/cfn-templates/asg_ubuntu.yaml b/avalanche-ops/src/aws/cfn-templates/asg_ubuntu.yaml
@@ -42,8 +42,9 @@ Parameters:
     Description: S3 bucket name.
 
   Ec2KeyPairName:
-    Type: AWS::EC2::KeyPair::KeyName
+    Type: String
     Description: EC2 SSH key name
+    Default: ""
 
   InstanceProfileArn:
     Type: String
@@ -201,6 +202,12 @@ Parameters:
     MaxValue: 100
     Description: 0 for Spot only. 100 for On-Demand only.
 
+  SshEnabled:
+    Type: String
+    AllowedValues: [true, false]
+    Default: false
+    Description: true to enable SSH access to nodes
+
   NlbEnabled:
     Type: String
     AllowedValues: [true, false]
@@ -410,6 +417,11 @@ Conditions:
       - Ref: NlbEnabled
       - "true"
 
+  SshEnabledTrue:
+    Fn::Equals:
+      - Ref: SshEnabled
+      - "true"
+
   NlbTargetGroupArnEmpty:
     Fn::Equals:
       - Ref: NlbTargetGroupArn
@@ -526,7 +538,11 @@ Resources:
             - HasImageId
             - !Ref ImageId
             - !Ref ImageIdSsmParameter
-        KeyName: !Ref Ec2KeyPairName
+        KeyName:
+          Fn::If: 
+            - SshEnabledTrue
+            - !Ref Ec2KeyPairName
+            - !Ref AWS::NoValue
 
         # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html
         # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-blockdevicemapping.html
diff --git a/avalanche-ops/src/dev-machines/cfn-templates/asg_ubuntu.yaml b/avalanche-ops/src/dev-machines/cfn-templates/asg_ubuntu.yaml
@@ -29,8 +29,9 @@ Parameters:
     Description: S3 bucket name.
 
   Ec2KeyPairName:
-    Type: AWS::EC2::KeyPair::KeyName
+    Type: String
     Description: EC2 SSH key name
+    Default: ""
 
   InstanceProfileArn:
     Type: String
@@ -187,6 +188,12 @@ Parameters:
     MaxValue: 100
     Description: 0 for Spot only. 100 for On-Demand only.
 
+  SshEnabled:
+    Type: String
+    AllowedValues: [true, false]
+    Default: false
+    Description: true to enable SSH access to nodes
+
 Conditions:
   HasImageId:
     Fn::Not:
@@ -355,6 +362,11 @@ Conditions:
       - Ref: InstanceTypesCount
       - 10
 
+  SshEnabledTrue:
+    Fn::Equals:
+      - Ref: SshEnabled
+      - "true"
+
 Resources:
   # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html
   AsgLaunchTemplate:
@@ -370,7 +382,11 @@ Resources:
             - HasImageId
             - !Ref ImageId
             - !Ref ImageIdSsmParameter
-        KeyName: !Ref Ec2KeyPairName
+        KeyName:
+          Fn::If: 
+            - SshEnabledTrue
+            - !Ref Ec2KeyPairName
+            - !Ref AWS::NoValue
 
         # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html
         # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-blockdevicemapping.html
diff --git a/avalancheup-aws/src/apply/mod.rs b/avalancheup-aws/src/apply/mod.rs
@@ -826,7 +826,7 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
             build_param("AadTag", &spec.aad_tag),
             build_param("S3Region", &spec.resource.regions[0]),
             build_param("S3BucketName", &spec.resource.s3_bucket),
-            build_param("Ec2KeyPairName", &regional_resource.ec2_key_name),
+            build_param("SshEnabled", &spec.enable_ssh.to_string()),
             build_param(
                 "InstanceProfileArn",
                 &regional_resource
@@ -878,6 +878,12 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
                 .unwrap(),
             ));
         }
+        if spec.enable_ssh {
+            common_asg_params.push(build_param(
+                "Ec2KeyPairName",
+                &regional_resource.ec2_key_name,
+            ));
+        }
 
         // just copy the regional machine params, and later overwrite if 'create-dev-machine' is true
         let mut common_dev_machine_params = BTreeMap::new();
@@ -897,10 +903,13 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
         common_dev_machine_params.insert("AadTag".to_string(), spec.aad_tag.clone());
         common_dev_machine_params
             .insert("S3BucketName".to_string(), spec.resource.s3_bucket.clone());
-        common_dev_machine_params.insert(
-            "Ec2KeyPairName".to_string(),
-            regional_resource.ec2_key_name.clone(),
-        );
+
+        if spec.enable_ssh {
+            common_dev_machine_params.insert(
+                "Ec2KeyPairName".to_string(),
+                regional_resource.ec2_key_name.clone(),
+            );
+        }
         common_dev_machine_params.insert(
             "InstanceProfileArn".to_string(),
             regional_resource
@@ -1346,8 +1355,10 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
                 }
             }
 
-            let f = File::open(&regional_resource.ec2_key_path).unwrap();
-            f.set_permissions(PermissionsExt::from_mode(0o444)).unwrap();
+            if spec.enable_ssh {
+                let f = File::open(&regional_resource.ec2_key_path).unwrap();
+                f.set_permissions(PermissionsExt::from_mode(0o444)).unwrap();
+            }
 
             println!();
             let mut ssh_commands = Vec::new();
@@ -1379,7 +1390,7 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
                     },
                 };
                 if spec.enable_ssh {
-                    println!("\n{}\n", ssh_command.to_string());
+                    println!("\n{}\n", ssh_command);
                 } else {
                     println!("\n{}\n", ssh_command.ssm_start_session_command());
                 }
@@ -1855,8 +1866,10 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
                 }
             }
 
-            let f = File::open(&regional_resource.ec2_key_path).unwrap();
-            f.set_permissions(PermissionsExt::from_mode(0o444)).unwrap();
+            if spec.enable_ssh {
+                let f = File::open(&regional_resource.ec2_key_path).unwrap();
+                f.set_permissions(PermissionsExt::from_mode(0o444)).unwrap();
+            }
 
             println!();
             let mut ssh_commands = Vec::new();
@@ -1889,7 +1902,7 @@ pub async fn execute(log_level: &str, spec_file_path: &str, skip_prompt: bool) -
                     },
                 };
                 if spec.enable_ssh {
-                    println!("\n{}\n", ssh_command.to_string());
+                    println!("\n{}\n", ssh_command);
                 } else {
                     println!("\n{}\n", ssh_command.ssm_start_session_command());
                 }
@@ -2740,6 +2753,9 @@ default-spec --log-level=info --funded-keys={funded_keys} --region={region} --up
                 regional_common_dev_machine_asg_params
                     .insert("SshKeyEmail".to_string(), email.clone());
             };
+            // SSH keys for dev machine
+            regional_common_dev_machine_asg_params
+                .insert("SshEnabled".to_string(), spec.enable_ssh.to_string());
 
             if !dev_machine.instance_types.is_empty() {
                 let instance_types = dev_machine.instance_types.clone();
