kitchen-ec2 3.20.0 → 3.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f47ffd935db82650266d977423d84a3361466c34385adb49dcb782ce8f584b4d
-  data.tar.gz: 11a0789de1befe3293786fe5d4dcd305cda95517bdc5195738bffb1eefede547
+  metadata.gz: 3baf7353ac946ddb0ad70a816dc36b0017afaddddb8392bd8a26e0e2f2afbbe4
+  data.tar.gz: 53f26dec487092acfe0e9b8bf495e7727e161b43b0b45085e92391a85fc7efae
 SHA512:
-  metadata.gz: 37f1555b120b84df599b4c3378c8ac4dc49ca485d08fdaa491c3ffa8ef11e175c4d1cfad534f8529eec4f71683e276062ed4454116279de82ab9ce3638d38426
-  data.tar.gz: b3c8845339ffc8f823881c4e336114ddd94139b193a192e5cef0fb0e25cd50b57f7bf69a03735f727d1407937527389337ef75aaa609339f891f6fc48f961a82
+  metadata.gz: a28a41f6067d48c4f233963a40e0b96756f06c30096f0dc0cded285f11b2c6f08c31f0a52762c89e26f223512304655ec807bfc0f20700150dfe01c0e2c489c4
+  data.tar.gz: d17ba3bb0ed6bba7744e4f0b8ebca626bb26fbfd11e37a00ce243a64e91a51d7df69af6a2f238bf13fe5a88de699b2248cb3fa2c3d014468d4ce9e2ac13f6bb5

data/lib/kitchen/driver/aws/instance_connect.rb

@@ -0,0 +1,44 @@
+#
+# Author:: Alex Kokkinos
+#
+# Copyright:: 2025, Alex Kokkinos
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require "aws-sdk-ec2instanceconnect"
+
+module Kitchen
+  module Driver
+    class Aws
+      class InstanceConnect
+        def initialize(config, logger)
+          @config = config
+          @logger = logger
+          @client = ::Aws::EC2InstanceConnect::Client.new(region: config[:region])
+        end
+
+        def send_ssh_public_key(instance_id, username, public_key)
+          @logger.info("Sending SSH public key to instance #{instance_id} for user #{username}")
+
+          @client.send_ssh_public_key({
+            instance_id: instance_id,
+            instance_os_user: username,
+            ssh_public_key: public_key,
+            availability_zone: @config[:availability_zone],
+          })
+
+          @logger.debug("SSH public key successfully sent to instance")
+        end
+      end
+    end
+  end
+end

data/lib/kitchen/driver/aws/ssm_session_manager.rb

@@ -0,0 +1,85 @@
+#
+# Author:: GitHub Copilot
+#
+# Copyright:: 2025, GitHub
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "aws-sdk-ssm"
+require "open3"
+
+module Kitchen
+  module Driver
+    class Aws
+      # Manages AWS Systems Manager Session Manager connections for Test Kitchen
+      class SsmSessionManager
+        def initialize(config, logger)
+          @config = config
+          @logger = logger
+          @ssm_client = ::Aws::SSM::Client.new(
+            region: config[:region],
+            profile: config[:shared_credentials_profile]
+          )
+        end
+
+        # Check if SSM agent is running on the instance
+        def ssm_agent_available?(instance_id)
+          @logger.debug("Checking if SSM agent is available on instance #{instance_id}")
+
+          begin
+            resp = @ssm_client.describe_instance_information(
+              filters: [
+                {
+                  key: "InstanceIds",
+                  values: [instance_id],
+                },
+              ]
+            )
+
+            available = !resp.instance_information_list.empty? &&
+              resp.instance_information_list.first.ping_status == "Online"
+
+            if available
+              @logger.info("SSM agent is available on instance #{instance_id}")
+            else
+              @logger.warn("SSM agent is not available on instance #{instance_id}")
+            end
+
+            available
+          rescue ::Aws::SSM::Errors::ServiceError => e
+            @logger.warn("Error checking SSM agent status: #{e.message}")
+            false
+          end
+        end
+
+        # Verify that the AWS CLI session manager plugin is installed
+        def session_manager_plugin_installed?
+          _output, status = Open3.capture2e("session-manager-plugin", "--version")
+          installed = status.success?
+
+          if installed
+            @logger.debug("Session Manager plugin is installed")
+          else
+            @logger.warn("Session Manager plugin is not installed. Install it from: " \
+                        "https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html")
+          end
+
+          installed
+        rescue StandardError => e
+          @logger.warn("Error checking for session-manager-plugin: #{e.message}")
+          false
+        end
+      end
+    end
+  end
+end

data/lib/kitchen/driver/aws/standard_platform/debian.rb

@@ -23,17 +23,15 @@ module Kitchen
         class Debian < StandardPlatform
           StandardPlatform.platforms["debian"] = self
 
-          # 12/13 are listed last since we default to the first item in the hash
-          # and 12/13 are not released yet. When they're released move them up
           DEBIAN_CODENAMES = {
+            13 => "trixie",
+            12 => "bookworm",
             11 => "bullseye",
             10 => "buster",
             9 => "stretch",
             8 => "jessie",
             7 => "wheezy",
             6 => "squeeze",
-            12 => "bookworm",
-            13 => "trixie",
           }.freeze
 
           # default username for this platform's ami

data/lib/kitchen/driver/ec2.rb

@@ -16,6 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "sshkey" unless defined?(SSHKey)
 require "benchmark" unless defined?(Benchmark)
 require "json" unless defined?(JSON)
 require "kitchen"
@@ -37,12 +38,15 @@ require_relative "aws/standard_platform/freebsd"
 require_relative "aws/standard_platform/macos"
 require_relative "aws/standard_platform/ubuntu"
 require_relative "aws/standard_platform/windows"
+require_relative "aws/instance_connect"
+require_relative "aws/ssm_session_manager"
 require "aws-sdk-ec2"
 require "aws-sdk-core/waiters/errors"
 require "retryable" unless defined?(Retryable)
 require "time" unless defined?(Time)
 require "etc" unless defined?(Etc)
 require "socket" unless defined?(Socket)
+require "shellwords" unless defined?(Shellwords)
 
 module Kitchen
   module Driver
@@ -95,6 +99,11 @@ module Kitchen
       default_config :skip_cost_warning, false
       default_config :allocate_dedicated_host, false
       default_config :deallocate_dedicated_host, false
+      default_config :use_instance_connect, false
+      default_config :instance_connect_endpoint_id, nil
+      default_config :instance_connect_max_tunnel_duration, 3600
+      default_config :use_ssm_session_manager, false
+      default_config :ssm_session_manager_document_name, nil
 
       include Kitchen::Driver::Mixins::DedicatedHosts
 
@@ -191,6 +200,15 @@ module Kitchen
         end
       end
 
+      # Ensure use_instance_connect and use_ssm_session_manager are not both enabled
+      validations[:use_ssm_session_manager] = lambda do |_attr, val, driver|
+        if val && driver[:use_instance_connect]
+          warn "Cannot use both 'use_instance_connect' and 'use_ssm_session_manager' at the same time. " \
+            "Please enable only one transport method."
+          exit!
+        end
+      end
+
       # empty keys cause failures when tagging and they make no sense
       validations[:tags] = lambda do |_attr, val, _driver|
         # if someone puts the tags each on their own line it's an array not a hash
@@ -226,7 +244,8 @@ module Kitchen
         case config[:aws_ssh_key_id]
         when nil
           create_key(state)
-          config[:aws_ssh_key_id] = state[:auto_key_id]
+          # Don't set aws_ssh_key_id if using Instance Connect
+          config[:aws_ssh_key_id] = state[:auto_key_id] unless config[:use_instance_connect]
         when "_disable"
           info("Disabling AWS-managed SSH key pairs for this EC2 instance.")
           info("The key pairs for the kitchen transport config and the AMI must match.")
@@ -265,13 +284,20 @@ module Kitchen
         # Waiting can fail, so we have to retry on that.
         Retryable.retryable(
           tries: 10,
-          sleep: lambda { |n| [2**n, 30].min },
+          sleep: ->(n) { [2**n, 30].min },
           on: ::Aws::EC2::Errors::InvalidInstanceIDNotFound
         ) do |_r, _|
           wait_until_ready(server, state)
         end
 
         info("EC2 instance <#{state[:server_id]}> ready (hostname: #{state[:hostname]}).")
+
+        if config[:use_instance_connect]
+          instance_connect_setup_ready(state)
+        elsif config[:use_ssm_session_manager]
+          ssm_session_manager_setup_ready(state)
+        end
+
         instance.transport.connection(state).wait_until_ready
         attach_network_interface(state) unless config[:elastic_network_interface_id].nil?
         create_ec2_json(state) if /chef/i.match?(instance.provisioner.name)
@@ -444,10 +470,7 @@ module Kitchen
         expanded = []
         keys = %i{instance_type}
 
-        unless config[:subnet_filter]
-          # => Use explicitly specified subnets
-          keys << :subnet_id
-        else
+        if config[:subnet_filter]
           # => Enable cascading through matching subnets
           client = ::Aws::EC2::Client.new(region: config[:region])
 
@@ -472,6 +495,9 @@ module Kitchen
             new_config[:subnet_filter] = nil
             new_config
           end
+        else
+          # => Use explicitly specified subnets
+          keys << :subnet_id
         end
 
         keys.each do |key|
@@ -526,7 +552,7 @@ module Kitchen
         # not retry if the price could not be satisfied immediately.
         Retryable.retryable(
           tries: config[:spot_wait] / config[:retryable_sleep],
-          sleep: lambda { |_n| config[:retryable_sleep] },
+          sleep: ->(_n) { config[:retryable_sleep] },
           on: ::Aws::EC2::Errors::SpotMaxPriceTooLow
         ) do |retries|
           c = retries * config[:retryable_sleep]
@@ -560,12 +586,12 @@ module Kitchen
               # supplied, try to fetch it from the AWS instance
               fetch_windows_admin_password(server, state)
             else
-              output = server.console_output.output
+              output = server.console_output.output || ""
               unless output.nil?
                 output = Base64.decode64(output)
                 debug "Console output: --- \n#{output}"
               end
-              ready = !!(output.include?("Windows is Ready to use"))
+              ready = !!output.include?("Windows is Ready to use")
             end
           end
           ready
@@ -671,7 +697,7 @@ module Kitchen
 
       def create_ec2_json(state)
         if windows_os?
-          cmd = "New-Item -Force C:\\chef\\ohai\\hints\\ec2.json -ItemType File"
+          cmd = 'New-Item -Force C:\\chef\\ohai\\hints\\ec2.json -ItemType File'
         else
           debug "Using sudo_command='#{sudo_command}' for ohai hints"
           cmd = "#{sudo_command} mkdir -p /etc/chef/ohai/hints; #{sudo_command} touch /etc/chef/ohai/hints/ec2.json"
@@ -899,16 +925,16 @@ module Kitchen
         client = ::Aws::EC2::Client.new(region: config[:region])
         begin
           check_eni = client.describe_network_interface_attribute({
-            attribute: "attachment",
-            network_interface_id: config[:elastic_network_interface_id],
-          })
+                                                                    attribute: "attachment",
+                                                                    network_interface_id: config[:elastic_network_interface_id],
+                                                                  })
           if check_eni.attachment.nil?
             unless state[:server_id].nil?
               client.attach_network_interface({
-              device_index: 1,
-              instance_id: state[:server_id],
-              network_interface_id: config[:elastic_network_interface_id],
-              })
+                                                device_index: 1,
+                                                instance_id: state[:server_id],
+                                                network_interface_id: config[:elastic_network_interface_id],
+                                              })
               info("Attached Network interface <#{config[:elastic_network_interface_id]}> with the instance <#{state[:server_id]}> .")
             end
           else
@@ -945,6 +971,456 @@ module Kitchen
         state.delete(:auto_key_id)
         File.unlink("#{config[:kitchen_root]}/.kitchen/#{instance.name}.pem")
       end
+
+      def finalize_config!(instance)
+        super
+
+        # Set up Instance Connect transport override if configured
+        if config[:use_instance_connect]
+          debug("[AWS EC2 Instance Connect] Setting up Instance Connect overrides")
+          instance_connect_setup_override(instance)
+          instance_connect_setup_inspec_override(instance)
+        elsif config[:use_ssm_session_manager]
+          debug("[AWS SSM Session Manager] Setting up SSM Session Manager overrides")
+          ssm_session_manager_setup_override(instance)
+          ssm_session_manager_setup_inspec_override(instance)
+        end
+
+        self
+      end
+
+      private
+
+      def instance_connect_setup_override(instance)
+        # Prevent double pushing of the SSH public keys
+        return if instance.transport.respond_to?(:instance_connect_override_applied)
+
+        # Store reference to driver for use in override
+        driver_instance = self
+        use_instance_connect = config[:use_instance_connect]
+
+        # Override the transport's connection method to inject Instance Connect setup
+        original_connection = instance.transport.method(:connection)
+
+        instance.transport.define_singleton_method(:connection) do |state, &block|
+          # Set up Instance Connect configuration before every connection
+          if use_instance_connect
+            # Refresh Instance Connect SSH key
+            driver_instance.send(:instance_connect_refresh_key, state)
+
+            # Configure connection mode based on endpoint availability
+            if driver_instance.send(:instance_connect_endpoint_available?, state)
+              # Proxy command mode - ensure ssh_proxy_command is set
+              unless state[:ssh_proxy_command]
+                driver_instance.send(:instance_connect_configure_ssh_proxy_command, state)
+              end
+              driver_instance.debug("[AWS EC2 Instance Connect] Transport using proxy command mode")
+            else
+              # Direct SSH mode - ensure hostname is set to public DNS
+              driver_instance.send(:instance_connect_configure_direct_ssh, state)
+              driver_instance.debug("[AWS EC2 Instance Connect] Transport using direct SSH mode")
+            end
+          end
+          # Call original connection method
+          original_connection.call(state, &block)
+        end
+
+        # Mark as applied to prevent double pushing of the SSH public keys
+        instance.transport.define_singleton_method(:instance_connect_override_applied) { true }
+      end
+
+      def instance_connect_setup_inspec_override(instance)
+        # Only apply to InSpec verifier
+        return unless instance.verifier.name.downcase == "inspec"
+        return if instance.verifier.respond_to?(:instance_connect_inspec_override_applied)
+
+        # Store reference to driver for use in override
+        driver_instance = self
+        use_instance_connect = config[:use_instance_connect]
+
+        # Override the verifier's call method to inject proxy command setup
+        original_call = instance.verifier.method(:call)
+
+        instance.verifier.define_singleton_method(:call) do |state|
+          driver_instance.debug("[AWS EC2 Instance Connect] InSpec call method intercepted, connecting using kitchen-ec2 driver AWS EC2 Instance Connect")
+          driver_instance.debug("[AWS EC2 Instance Connect] Instance ID: #{state[:server_id]}")
+
+          # If using Instance Connect, set up the override just before the call
+          if use_instance_connect && state[:server_id]
+
+            # Check if we already have the override method defined
+            unless respond_to?(:instance_connect_original_runner_options_for_ssh)
+              # Store the original method
+              define_singleton_method(:instance_connect_original_runner_options_for_ssh, method(:runner_options_for_ssh))
+
+              # Override runner_options_for_ssh
+              define_singleton_method(:runner_options_for_ssh) do |config_data|
+                # Get the original options
+                opts = instance_connect_original_runner_options_for_ssh(config_data)
+
+                # Inject Instance Connect configuration if enabled
+                if use_instance_connect && config_data[:server_id]
+                  # Refresh Instance Connect SSH key
+                  driver_instance.send(:instance_connect_refresh_key, config_data)
+
+                  # Check if we should use proxy command or direct SSH
+                  if driver_instance.send(:instance_connect_endpoint_available?, config_data)
+                    # Build proxy command with the instance ID from state
+                    proxy_command = [
+                      "aws", "ec2-instance-connect", "open-tunnel",
+                      "--instance-id", config_data[:server_id]
+                    ]
+
+                    # Add optional parameters
+                    if driver_instance.config[:instance_connect_endpoint_id]
+                      proxy_command += ["--instance-connect-endpoint-id", driver_instance.config[:instance_connect_endpoint_id]]
+                    end
+                    if driver_instance.config[:instance_connect_max_tunnel_duration]
+                      proxy_command += ["--max-tunnel-duration", driver_instance.config[:instance_connect_max_tunnel_duration].to_s]
+                    end
+                    if driver_instance.config[:shared_credentials_profile]
+                      proxy_command += ["--profile", driver_instance.config[:shared_credentials_profile]]
+                    end
+                    proxy_command += ["--region", driver_instance.config[:region]]
+
+                    opts["proxy_command"] = proxy_command.join(" ")
+                    driver_instance.info("[AWS EC2 Instance Connect] InSpec using proxy command: #{opts["proxy_command"]}")
+                  else
+                    # Direct SSH mode - ensure we're using the public DNS and proper SSH options
+                    server = driver_instance.ec2.get_instance(config_data[:server_id])
+                    public_dns = server&.public_dns_name
+
+                    if public_dns && !public_dns.empty?
+                      opts["host"] = public_dns
+                      opts["ssh_options"] = (opts["ssh_options"] || {}).merge({
+                                                                                "IdentitiesOnly" => "yes",
+                                                                              })
+                      driver_instance.info("[AWS EC2 Instance Connect] InSpec using direct SSH to #{public_dns} with IdentitiesOnly=yes")
+                    else
+                      driver_instance.warn("[AWS EC2 Instance Connect] No public DNS available for direct SSH mode")
+                    end
+                  end
+                else
+                  driver_instance.info("[AWS EC2 Instance Connect] Not configuring Instance Connect - use_instance_connect: #{use_instance_connect}, server_id present: #{!!config_data[:server_id]}")
+                end
+
+                opts
+              end
+            end
+          end
+
+          # Call the original method
+          original_call.call(state)
+        end
+
+        # Mark as applied to prevent double setup
+        instance.verifier.define_singleton_method(:instance_connect_inspec_override_applied) { true }
+      end
+
+      def instance_connect_setup_ready(state)
+        # Determine whether to use proxy command or direct SSH based on endpoint availability
+        if instance_connect_endpoint_available?(state)
+          # Configure SSH proxy command if not already done
+          instance_connect_configure_ssh_proxy_command(state) unless state[:ssh_proxy_command]
+          info("[AWS EC2 Instance Connect] Using tunnel mode - Instance Connect endpoint available")
+        else
+          # Configure direct SSH with public DNS
+          instance_connect_configure_direct_ssh(state)
+          info("[AWS EC2 Instance Connect] Using direct SSH mode - no Instance Connect endpoint")
+        end
+
+        # Refresh Instance Connect SSH key before connection
+        instance_connect_refresh_key(state)
+      end
+
+      def instance_connect_refresh_key(state)
+        # Extract public key from the key that was already set up
+        key_path = state[:ssh_key] || instance.transport[:ssh_key]
+        return unless key_path
+
+        public_key = instance_connect_extract_public_key(key_path)
+        return unless public_key
+
+        username = state[:username] || actual_platform&.username
+
+        # Build AWS CLI command to send public key
+        cmd = [
+          "aws", "ec2-instance-connect", "send-ssh-public-key",
+          "--instance-id", state[:server_id],
+          "--instance-os-user", username,
+          "--ssh-public-key", public_key,
+          "--region", config[:region]
+        ]
+
+        cmd += ["--profile", config[:shared_credentials_profile]] if config[:shared_credentials_profile]
+
+        # Execute the command with proper shell escaping
+        debug("[AWS EC2 Instance Connect] Refreshing SSH public key for #{state[:server_id]}")
+        escaped_cmd = cmd.map { |arg| Shellwords.escape(arg) }.join(" ")
+        result = `#{escaped_cmd} 2>&1`
+        unless $?.success?
+          warn("[AWS EC2 Instance Connect] Failed to refresh SSH key: #{result}")
+        end
+      end
+
+      def instance_connect_configure_ssh_proxy_command(state)
+        info("[AWS EC2 Instance Connect] Configuring proxy command mode (tunnel)")
+
+        # Build the AWS CLI command for the tunnel
+        proxy_command = [
+          "aws", "ec2-instance-connect", "open-tunnel",
+          "--instance-id", state[:server_id]
+        ]
+
+        # Add optional parameters
+        if config[:instance_connect_endpoint_id]
+          proxy_command += ["--instance-connect-endpoint-id", config[:instance_connect_endpoint_id]]
+        end
+        if config[:instance_connect_max_tunnel_duration]
+          proxy_command += ["--max-tunnel-duration", config[:instance_connect_max_tunnel_duration].to_s]
+        end
+        if config[:shared_credentials_profile]
+          proxy_command += ["--profile", config[:shared_credentials_profile]]
+        end
+        proxy_command += ["--region", config[:region]]
+        proxy_command_str = proxy_command.join(" ")
+
+        info("Configuring SSH to use Instance Connect tunnel: #{proxy_command_str}")
+        state[:ssh_proxy_command] = proxy_command_str
+
+        # Store Instance Connect details for the transport to use
+        state[:instance_connect_config] = {
+          server_id: state[:server_id],
+          username: state[:username] || actual_platform&.username,
+          region: config[:region],
+          profile: config[:shared_credentials_profile],
+          tunnel_mode: true,
+        }
+      end
+
+      def instance_connect_endpoint_available?(state)
+        # If explicitly configured, respect that configuration
+        return true if config[:instance_connect_endpoint_id]
+
+        # Check if there are any instance connect endpoints in the VPC
+        vpc_id = get_vpc_id_for_instance(state)
+        return false unless vpc_id
+
+        begin
+          endpoints = ec2.client.describe_instance_connect_endpoints(
+            filters: [
+              { name: "vpc-id", values: [vpc_id] },
+              { name: "state", values: ["create-complete"] },
+            ]
+          ).instance_connect_endpoints
+
+          !endpoints.empty?
+        rescue ::Aws::EC2::Errors::InvalidAction, ::Aws::EC2::Errors::UnauthorizedOperation => e
+          # Instance Connect endpoints may not be available in this region or account
+          debug("[AWS EC2 Instance Connect] Cannot check for endpoints: #{e.message}")
+          false
+        end
+      end
+
+      def get_vpc_id_for_instance(state)
+        # Get the instance details to find its VPC
+        return unless state[:server_id]
+
+        begin
+          instance_info = ec2.client.describe_instances(instance_ids: [state[:server_id]]).reservations.first&.instances&.first
+          return unless instance_info
+
+          instance_info.vpc_id
+        rescue => e
+          debug("[AWS EC2 Instance Connect] Error getting VPC ID for instance: #{e.message}")
+          nil
+        end
+      end
+
+      def instance_connect_configure_direct_ssh(state)
+        # For direct SSH, we need to ensure the hostname is the public DNS name
+        # and configure SSH options appropriately
+        server = ec2.get_instance(state[:server_id])
+        public_dns = server.public_dns_name
+
+        if public_dns && !public_dns.empty?
+          info("[AWS EC2 Instance Connect] Configuring direct SSH to #{public_dns}")
+          state[:hostname] = public_dns
+
+          # Store Instance Connect details for direct SSH mode
+          state[:instance_connect_config] = {
+            server_id: state[:server_id],
+            username: state[:username] || actual_platform&.username,
+            region: config[:region],
+            profile: config[:shared_credentials_profile],
+            direct_ssh: true,
+            hostname: public_dns,
+          }
+        else
+          warn("[AWS EC2 Instance Connect] No public DNS available for direct SSH, falling back to existing hostname")
+        end
+      end
+
+      def instance_connect_extract_public_key(private_key_path)
+        public_key_path = "#{private_key_path}.pub"
+
+        if File.exist?(public_key_path)
+          return File.read(public_key_path).strip
+        end
+
+        begin
+          key = SSHKey.new(File.read(private_key_path))
+          key.ssh_public_key
+        rescue => e
+          raise "Unable to extract public key from #{private_key_path}: #{e.message}"
+        end
+      end
+
+      # SSM Session Manager Support Methods
+
+      def ssm_session_manager
+        @ssm_session_manager ||= Aws::SsmSessionManager.new(config, instance.logger)
+      end
+
+      def ssm_session_manager_setup_ready(state)
+        info("[AWS SSM Session Manager] Setting up SSM Session Manager connection")
+
+        # Verify session manager plugin is installed
+        unless ssm_session_manager.session_manager_plugin_installed?
+          warn("[AWS SSM Session Manager] Session Manager plugin not found. Please install it from: " \
+               "https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html")
+        end
+
+        # Wait for SSM agent to be available
+        max_retries = 12
+        retry_delay = 10
+        retries = 0
+
+        loop do
+          if ssm_session_manager.ssm_agent_available?(state[:server_id])
+            info("[AWS SSM Session Manager] SSM agent is available on instance #{state[:server_id]}")
+            break
+          end
+
+          retries += 1
+          if retries >= max_retries
+            warn("[AWS SSM Session Manager] SSM agent did not become available after #{max_retries * retry_delay} seconds. " \
+                 "Ensure the instance has an IAM instance profile with SSM permissions and the SSM agent is running.")
+            break
+          end
+
+          info("[AWS SSM Session Manager] Waiting for SSM agent to be available (attempt #{retries}/#{max_retries})...")
+          sleep retry_delay
+        end
+      end
+
+      def ssm_session_manager_setup_override(instance)
+        # Prevent double setup
+        return if instance.transport.respond_to?(:ssm_session_manager_override_applied)
+
+        # Store reference to driver for use in override
+        driver_instance = self
+        use_ssm = config[:use_ssm_session_manager]
+
+        # Override the transport's connection method to inject SSM setup
+        original_connection = instance.transport.method(:connection)
+
+        instance.transport.define_singleton_method(:connection) do |state, &block|
+          if use_ssm && state[:server_id]
+            # Build SSM start-session command
+            cmd = [
+              "aws", "ssm", "start-session",
+              "--target", state[:server_id],
+              "--region", driver_instance.config[:region]
+            ]
+
+            # Add document name if specified
+            if driver_instance.config[:ssm_session_manager_document_name]
+              cmd += ["--document-name", driver_instance.config[:ssm_session_manager_document_name]]
+            end
+
+            # Add AWS profile if specified
+            if driver_instance.config[:shared_credentials_profile]
+              cmd += ["--profile", driver_instance.config[:shared_credentials_profile]]
+            end
+
+            proxy_command = cmd.join(" ")
+            driver_instance.info("[AWS SSM Session Manager] Using proxy command: #{proxy_command}")
+
+            # Set proxy command for SSH transport
+            state[:ssh_proxy_command] = proxy_command
+          end
+
+          # Call original connection method
+          original_connection.call(state, &block)
+        end
+
+        # Mark as applied
+        instance.transport.define_singleton_method(:ssm_session_manager_override_applied) { true }
+      end
+
+      def ssm_session_manager_setup_inspec_override(instance)
+        # Only apply to InSpec verifier
+        return unless instance.verifier.name.downcase == "inspec"
+        return if instance.verifier.respond_to?(:ssm_session_manager_inspec_override_applied)
+
+        # Store reference to driver for use in override
+        driver_instance = self
+        use_ssm = config[:use_ssm_session_manager]
+
+        # Override the verifier's call method to inject SSM setup
+        original_call = instance.verifier.method(:call)
+
+        instance.verifier.define_singleton_method(:call) do |state|
+          driver_instance.debug("[AWS SSM Session Manager] InSpec call method intercepted")
+
+          # Set up SSM for InSpec if enabled
+          if use_ssm && state[:server_id]
+            # Check if we already have the override method defined
+            unless respond_to?(:ssm_original_runner_options_for_ssh)
+              # Store the original method
+              define_singleton_method(:ssm_original_runner_options_for_ssh, method(:runner_options_for_ssh))
+
+              # Override runner_options_for_ssh
+              define_singleton_method(:runner_options_for_ssh) do |config_data|
+                # Get the original options
+                opts = ssm_original_runner_options_for_ssh(config_data)
+
+                # Inject SSM Session Manager configuration if enabled
+                if use_ssm && config_data[:server_id]
+                  # Build SSM start-session command
+                  cmd = [
+                    "aws", "ssm", "start-session",
+                    "--target", config_data[:server_id],
+                    "--region", driver_instance.config[:region]
+                  ]
+
+                  # Add document name if specified
+                  if driver_instance.config[:ssm_session_manager_document_name]
+                    cmd += ["--document-name", driver_instance.config[:ssm_session_manager_document_name]]
+                  end
+
+                  # Add AWS profile if specified
+                  if driver_instance.config[:shared_credentials_profile]
+                    cmd += ["--profile", driver_instance.config[:shared_credentials_profile]]
+                  end
+
+                  opts["proxy_command"] = cmd.join(" ")
+                  driver_instance.info("[AWS SSM Session Manager] InSpec using proxy command: #{opts["proxy_command"]}")
+                end
+
+                opts
+              end
+            end
+          end
+
+          # Call the original method
+          original_call.call(state)
+        end
+
+        # Mark as applied
+        instance.verifier.define_singleton_method(:ssm_session_manager_inspec_override_applied) { true }
+      end
     end
   end
 end

data/lib/kitchen/driver/ec2_version.rb

@@ -19,6 +19,6 @@
 module Kitchen
   module Driver
     # Version string for EC2 Test Kitchen driver
-    EC2_VERSION = "3.20.0".freeze
+    EC2_VERSION = "3.22.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kitchen-ec2
 version: !ruby/object:Gem::Version
-  version: 3.20.0
+  version: 3.22.0
 platform: ruby
 authors:
 - Test Kitchen Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-06-16 00:00:00.000000000 Z
+date: 2026-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ec2
@@ -24,6 +24,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ec2instanceconnect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: retryable
   requirement: !ruby/object:Gem::Requirement
@@ -44,13 +72,27 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: sshkey
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: test-kitchen
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.1
+        version: 3.9.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '4'
@@ -60,7 +102,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.1
+        version: 3.9.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '4'
@@ -74,7 +116,9 @@ files:
 - LICENSE
 - lib/kitchen/driver/aws/client.rb
 - lib/kitchen/driver/aws/dedicated_hosts.rb
+- lib/kitchen/driver/aws/instance_connect.rb
 - lib/kitchen/driver/aws/instance_generator.rb
+- lib/kitchen/driver/aws/ssm_session_manager.rb
 - lib/kitchen/driver/aws/standard_platform.rb
 - lib/kitchen/driver/aws/standard_platform/alma.rb
 - lib/kitchen/driver/aws/standard_platform/amazon.rb