Allow private IP address and tags for SSM targets

EC2 instance private IPv4 addresses and instance tags
can now be used to specify a target instance when
using runas for sessions and port forwarding.  This is
in addition to providing the instance ID directly, and
using DNS TXT records.

Author: Mike Morris

docs/ssm.md

@@ -7,7 +7,10 @@ Starting with version 1.5, the tool supports integration with the SSM Session Ma
 a shell, or port-forwarding, session with appropriately configured EC2 instances.
 
 Starting with version 2.2, the tool supports the ability to specify the target instance as an EC2 instance identifier,
-or using a DNS TXT record which contains the instance ID.
+or using a DNS TXT record which contains the instance ID. As of version 2.2.1 you can also provide the target instance
+as the instance's private IPv4 address, or as a tag key and tag value pair in the format `tag_key:tag_value`.  Both
+formats will perform a DescribeInstances EC2 API call, and if multiple instance IDs are returned, the first one in the
+list is used.
 
 ### Prerequisites
 In addition to having a target EC2 instance registered with an SSM agent version supporting the desired functionality,

main.go

@@ -18,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -910,17 +911,40 @@ func getSamlPassword() (string, error) {
 func checkTarget(target string) string {
 	matched, err := regexp.MatchString(`^i-[[:xdigit:]]{8,}$`, target)
 	if err != nil {
-		log.Fatalf("error checking target host", err)
+		log.Fatalf("error checking target host: %s", err)
 	}
 
 	if matched {
 		log.Debugln("detected EC2 instance id target")
 		return target
 	}
 
+	matched, err = regexp.MatchString(`^.+:.+$`, target)
+	if err != nil {
+		log.Fatalf("error checking target host: %s", err)
+	}
+
+	if matched {
+		log.Debugln("detected EC2 instance tag spec")
+		spec := strings.SplitN(target, `:`, 2)
+		f := new(ec2.Filter).SetName(fmt.Sprintf(`tag:%s`, spec[0])).SetValues(aws.StringSlice([]string{spec[1]}))
+		return describeInstance(f)
+	}
+
+	matched, err = regexp.MatchString(`^\d{1,3}\.\d{1,3}\.\d{1,3}.\d{1,3}$`, target)
+	if err != nil {
+		log.Fatalf("error checking target host: %s", err)
+	}
+
+	if matched {
+		log.Debugln("detected EC2 instance IPv4 address")
+		f := new(ec2.Filter).SetName(`private-ip-address`).SetValues(aws.StringSlice([]string{target}))
+		return describeInstance(f)
+	}
+
 	rr, err := net.LookupTXT(target)
 	if err != nil {
-		log.Fatalf("error looking up target host", err)
+		log.Fatalf("error looking up target host: %s", err)
 	}
 
 	for _, r := range rr {
@@ -938,3 +962,23 @@ func checkTarget(target string) string {
 	log.Fatal("unable to determine target host type")
 	return ""
 }
+
+func describeInstance(filter *ec2.Filter) string {
+	o, err := ec2.New(ses).DescribeInstances(new(ec2.DescribeInstancesInput).SetFilters([]*ec2.Filter{filter}))
+	if err != nil {
+		log.Fatalf("error describing instance: %s", err)
+	}
+
+	for _, r := range o.Reservations {
+		if len(r.Instances) > 0 {
+			if len(r.Instances) > 1 {
+				log.Warn("more than 1 instance found, using 1st value")
+			}
+
+			return *r.Instances[0].InstanceId
+		}
+	}
+
+	log.Fatal("no instances returned from lookup")
+	return ""
+}