From ac2c4f7fd93d4436606e3070728f025af721cedd Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Fri, 15 May 2026 14:16:14 -0400
Subject: [PATCH 1/2] Remove Spire instance SG SSH rule
---
 spire/templates/shared-ecs/asg-sg.yml | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/spire/templates/shared-ecs/asg-sg.yml b/spire/templates/shared-ecs/asg-sg.yml
index 676043c0e..8371d0886 100644
--- a/spire/templates/shared-ecs/asg-sg.yml
+++ b/spire/templates/shared-ecs/asg-sg.yml
@@ -47,26 +47,6 @@ Resources:
 IpProtocol: tcp
 SourceSecurityGroupId: !Ref LoadBalancerSecurityGroupId
 ToPort: 60999
- InstanceSecurityGroupSshIpv4Ingress:
- Type: AWS::EC2::SecurityGroupIngress
- Properties:
- CidrIp: 0.0.0.0/0
- Description: !Sub >- Allows inbound SSH traffic to ${EnvironmentType} ASG instances
- FromPort: 22
- GroupId: !GetAtt InstanceSecurityGroup.GroupId
- IpProtocol: tcp
- ToPort: 22
- InstanceSecurityGroupSshIpv6Ingress:
- Type: AWS::EC2::SecurityGroupIngress
- Properties:
- CidrIpv6: ::/0
- Description: !Sub >- Allows inbound SSH traffic to ${EnvironmentType} ASG instances
- FromPort: 22
- GroupId: !GetAtt InstanceSecurityGroup.GroupId
- IpProtocol: tcp
- ToPort: 22
 InstanceSecurityGroupAllIpv4Egress:
 Type: AWS::EC2::SecurityGroupEgress
 Properties:
From e405e5fb711dd4459491ea4edf82ea6a04ee9190 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Fri, 15 May 2026 14:50:33 -0400
Subject: [PATCH 2/2] Skip authorized_keys installation
---
 spire/templates/root.yml | 2 --
 spire/templates/shared-ecs/asg-aarch64.yml | 11 -----------
 spire/templates/shared-ecs/asg-x86-64.yml | 11 -----------
 3 files changed, 24 deletions(-)
diff --git a/spire/templates/root.yml b/spire/templates/root.yml
index a4264e5cd..6e7dcf6f8 100644
--- a/spire/templates/root.yml
+++ b/spire/templates/root.yml
@@ -398,7 +398,6 @@ Resources:
 RootStackName: !Ref AWS::StackName
 RootStackId: !Ref AWS::StackName
 NestedChangeSetScrubbingResourcesState: !Ref NestedChangeSetScrubbingResourcesState
- AuthorizedKeys: !Join [",", !Ref AuthorizedKeys]
 VpcPublicSubnet1Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet1Id
 VpcPublicSubnet2Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet2Id
 VpcPublicSubnet3Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet3Id
@@ -433,7 +432,6 @@ Resources:
 RootStackName: !Ref AWS::StackName
 RootStackId: !Ref AWS::StackName
 NestedChangeSetScrubbingResourcesState: !Ref NestedChangeSetScrubbingResourcesState
- AuthorizedKeys: !Join [",", !Ref AuthorizedKeys]
 VpcPublicSubnet1Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet1Id
 VpcPublicSubnet2Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet2Id
 VpcPublicSubnet3Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet3Id
diff --git a/spire/templates/shared-ecs/asg-aarch64.yml b/spire/templates/shared-ecs/asg-aarch64.yml
index e3b578e1c..f788a3f36 100644
--- a/spire/templates/shared-ecs/asg-aarch64.yml
+++ b/spire/templates/shared-ecs/asg-aarch64.yml
@@ -22,7 +22,6 @@ Parameters:
 RootStackName: { Type: String }
 RootStackId: { Type: String }
 NestedChangeSetScrubbingResourcesState: { Type: String }
- AuthorizedKeys: { Type: CommaDelimitedList }
 VpcPublicSubnet1Id: { Type: AWS::EC2::Subnet::Id }
 VpcPublicSubnet2Id: { Type: AWS::EC2::Subnet::Id }
 VpcPublicSubnet3Id: { Type: AWS::EC2::Subnet::Id }
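Review bot: The removed `AuthorizedKeys: !Join [",", !Ref AuthorizedKeys]` lines were the only consumers of the root stack's `AuthorizedKeys` parameter that this patch touches; the patch-2 diffstat shows just these two deletions in root.yml, so the parameter declaration itself presumably stays behind, unreferenced. An unused parameter still appears in the console and in deploy tooling as a place to paste developer public keys, which now silently do nothing — misleading for operators, and cfn-lint would flag it as unused. I would drop the `AuthorizedKeys` entry from root.yml's `Parameters` (and any default value it carries) in the same change, or add a comment on it explaining why it is retained. The same applies to the second root.yml hunk at `@@ -433,7 +432,6 @@`. Both hunks sit inside nested-stack resource `Parameters` blocks whose start and end lie outside the hunk.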
@@ -279,16 +278,6 @@ Resources:
 text: !Sub >- EC2 instance `'"$INSTANCE_ID"'` could not connect to `${DovetailRedisReplicationGroupEndpointAddress}` at `'"$IP"'`. It will be marked as *unhealthy* in its auto scaling group and get replaced.
- 02_add_authorized_keys:
- # For more information, see:
- # https://github.com/PRX/internal/wiki/AWS:-Developer-Access
- command: !Sub
- - |- #!/bin/bash
- echo "Adding developer public keys to authorized_keys"
- truncate -s 0 /home/ec2-user/.ssh/authorized_keys
- echo "${developer_keys}" >> /home/ec2-user/.ssh/authorized_keys
- - developer_keys: !Join ["\n", !Ref AuthorizedKeys]
 services:
 sysvinit:
 cfn-hup:
diff --git a/spire/templates/shared-ecs/asg-x86-64.yml b/spire/templates/shared-ecs/asg-x86-64.yml
index 1aebf9201..eefbfe6f5 100644
--- a/spire/templates/shared-ecs/asg-x86-64.yml
+++ b/spire/templates/shared-ecs/asg-x86-64.yml
@@ -30,7 +30,6 @@ Parameters:
 RootStackName: { Type: String }
 RootStackId: { Type: String }
 NestedChangeSetScrubbingResourcesState: { Type: String }
- AuthorizedKeys: { Type: CommaDelimitedList }
 VpcPublicSubnet1Id: { Type: AWS::EC2::Subnet::Id }
 VpcPublicSubnet2Id: { Type: AWS::EC2::Subnet::Id }
 VpcPublicSubnet3Id: { Type: AWS::EC2::Subnet::Id }
@@ -289,16 +288,6 @@ Resources:
 text: !Sub >- EC2 instance `'"$INSTANCE_ID"'` could not connect to `${DovetailRedisReplicationGroupEndpointAddress}` at `'"$IP"'`. It will be marked as *unhealthy* in its auto scaling group and get replaced.
- 02_add_authorized_keys:
- # For more information, see:
- # https://github.com/PRX/internal/wiki/AWS:-Developer-Access
- command: !Sub
- - |- #!/bin/bash
- echo "Adding developer public keys to authorized_keys"
- truncate -s 0 /home/ec2-user/.ssh/authorized_keys
- echo "${developer_keys}" >> /home/ec2-user/.ssh/authorized_keys
- - developer_keys: !Join ["\n", !Ref AuthorizedKeys]
 services:
 sysvinit:
 cfn-hup: