ec2-remove-unused-key-pairs/ec2-remove-unused-key-pairs.yaml

apiVersion: v1
summary: Remove unused EC2 key pairs
description: This workflow finds all EC2 key pairs that are not used by an EC2 instance and removes them from the account.
homepage: https://github.com/puppetlabs/relay-workflows/tree/master/ec2-remove-unused-key-pairs
tags:
  - compliance

# Uncomment out this trigger to run this workflow hourly.
# triggers:
# - name: schedule
#   source:
#     type: schedule
#     schedule: '0 * * * *'
#   binding:
#     parameters:
#       awsRegion: us-east-1
#       dryRun: true

parameters:
  awsRegion:
    description: The AWS region to run in
    default: us-east-1
  dryRun:
    description: True if you dont want to actually delete the resources. Use this to test the workflow and ensure it is behaving as expected.
    default: 'true'

steps:
- name: describe-instances
  image: relaysh/aws-ec2-step-instances-describe
  spec:
    aws: &aws
      connection: !Connection { type: aws, name: my-aws-account }
      region: !Parameter awsRegion

- name: describe-key-pairs
  image: relaysh/aws-ec2-step-key-pairs-describe
  spec:
    aws: *aws

- name: filter-key-pairs
  image: relaysh/core:latest-python
  spec:
    instances: !Output {from: describe-instances, name: instances}
    keyPairs: !Output { from: describe-key-pairs, name: keyPairs}
  inputFile: https://raw.githubusercontent.com/puppetlabs/relay-workflows/master/ec2-remove-unused-key-pairs/filter-key-pairs.py

- name: approval
  description: Wait for approval to delete key pairs
  type: approval
  dependsOn: filter-key-pairs
  when:
    - !Fn.equals [!Parameter dryRun, 'false']

- name: delete-key-pairs
  dependsOn: approval
  image: relaysh/aws-ec2-step-key-pairs-delete
  when:
    - !Fn.equals [!Parameter dryRun, 'false']
  spec:
    aws: *aws
    keyPairNames: !Output {from: filter-key-pairs, name: keyPairNames}