


The Provose ec2_on_demand_instances module enables the creation and deployment of Amazon EC2 instances.

The phrase “On Demand” means these are regular ol’ AWS instances billed at a fixed per-second price. This is in contrast to Spot instances, where the price fluctuates over time, and Reserved Instances, which are partially or completely purchased upfront.

If you are looking to deploy the same application across multiple services, perhaps behind an HTTP load balancer, you might find it handier to use the containers module instead.


A minimal example:

```hcl
module "myproject" {
  source = ""
  provose_config = {
    authentication = {
      aws = {
        region = "us-east-1"
      }
    }
    name                 = "myproject"
    internal_root_domain = ""
    internal_subdomain   = "production"
  }

  ec2_on_demand_instances = {
    my-instance-name = {
      instances = {
        instance_type = "t3.micro"
        # ami_id is required; this value is a placeholder, not a real AMI ID.
        ami_id = "ami-PLACEHOLDER"
        # Create and name key pairs in the AWS console. You can attach
        # one key pair to an instance on creation, but then you can add
        # more SSH keys via the user's ~/.ssh/authorized_keys file.
        key_name = "james_laptop"
      }
      public = {
        # Open port 22 for public SSH access.
        tcp = [22]
      }
      vpc = {
        # Open ports 80 and 443 to run HTTP and HTTPS servers only
        # available in the VPC.
        tcp = [80, 443]
      }
    }
  }
}
```


Each entry in ec2_on_demand_instances (my-instance-name in the example above) accepts the following keys:

  • instances – Required. This object contains various meta-settings about the AWS instance.

    • instance_type – Required. The instance type, such as "t3.micro".

    • ami_id – Required. The ID of the Amazon Machine Image (AMI) to deploy for this instance.

    • instance_count – Optional. The number of instances to deploy. This defaults to 1. If you deploy one instance named bob, it will be named bob in the AWS console and Provose creates a DNS record named bob in your internal subdomain. If you set instance_count greater than one, the instances will be named bob-1, bob-2, and so forth.

    • key_name – Optional. The name of the AWS key pair to attach to the instance on creation.

    • availability_zone – Optional. Set this to a specific Availability Zone in your AWS Region if you have a preference for which Availability Zone the instance is deployed in.

    • bash_user_data – Optional. A user data script: a Bash script that runs once when the EC2 instance is created. It is not rerun when the instance reboots. Provose currently does not support the cloud-init standard for user data.

  • public – Optional. A grouping of network settings for the public Internet.

    • tcp – Optional. A list of TCP ports to open to the public Internet.

    • udp – Optional. A list of UDP ports to open to the public Internet.

  • vpc – Optional. A grouping of network settings that apply only within the Virtual Private Cloud (VPC) that Provose creates. The tcp key works as it does under public, but the ports are reachable only from inside the VPC, as in the example above.

  • secrets – Optional. A list of AWS Secrets Manager secret names that this EC2 instance should have access to. This setting only configures access; you have to fetch the secrets yourself in your application with the AWS API. The secrets key in the containers module goes a step further and loads your secrets as environment variables.

  • associate_public_ip_address – Optional. Defaults to true, which provisions a public IPv4 address for this instance. Inbound requests to that address are still blocked unless you also open TCP ports with the public.tcp key or UDP ports with the public.udp key. The public IP address that AWS assigns this way should be considered temporary. If you want a more permanent address, provision an Elastic IP and assign it to this instance.

  • vpc_security_group_ids – Optional. Additional, custom security groups to attach on top of the ones Provose builds from the public and vpc keys. Use this when you want a rule with a more specific CIDR than the whole Internet or the whole VPC.

  • root_block_device – Optional. Settings for the Elastic Block Storage (EBS) volume that holds the root filesystem of this EC2 instance.

    • volume_size_gb – Required. The size of the root EBS volume in gigabytes.

    • volume_type – Optional. The type of EBS volume: "standard", "gp2", "io1", "sc1", or "st1". The default is "standard".

    • delete_on_termination – Optional. Defaults to true, which deletes the root EBS volume when the instance is terminated. Set this to false to keep the root EBS volume in your account after instance termination.

    • encrypted – Optional. Set this to true to encrypt the root EBS volume at rest. Defaults to false.

    • kms_key_id – Optional. The Amazon Resource Name (ARN) of the custom AWS Key Management Service (KMS) key to use for encrypting the volume.

  • s3_buckets – Optional. A mapping of S3 bucket names to the classes of permissions the instances get on each bucket. The four permission classes are list, get, put, and delete, and the value of each is true or false. Place the s3_buckets key inside the block that defines an instance. Below is an example that gives an EC2 instance access to two buckets: one with list and get permissions, and another with get and delete permissions.

```hcl
s3_buckets = {
  # The bucket names below are placeholders; the page left them blank.
  "first-bucket-placeholder" = {
    permissions = {
      list   = true
      get    = true
      put    = false
      delete = false
    }
  }
  "second-bucket-placeholder" = {
    permissions = {
      list   = false
      get    = true
      put    = false
      delete = true
    }
  }
}
```
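The keys above combine naturally into a more locked-down entry than the minimal example. The following is an added example written for this page, not configuration from the Provose project: it leaves public.tcp unset so no port is open to the whole Internet, attaches one custom security group that admits SSH from a single office CIDR, encrypts the root volume under a custom KMS key, grants read-only access to one bucket, and uses bash_user_data to read a secret granted through the secrets key at boot. The module source, internal_root_domain, the provose_vpc_id variable, AMI ID, CIDR, KMS key ARN, bucket name and secret name are all placeholders or assumptions.

```hcl
# Added example, not from the Provose documentation. The module source,
# internal_root_domain, AMI ID, KMS key ARN, CIDR, bucket and secret
# names are placeholders to replace with your own values.

# Assumed input: the ID of the VPC that Provose created, so the custom
# security group below lands in the same VPC as the instances.
variable "provose_vpc_id" {
  type = string
}

# Custom security group: SSH only from one office CIDR. Provose still
# builds its own groups from the public/vpc keys; this one is attached
# in addition via vpc_security_group_ids.
resource "aws_security_group" "office_ssh" {
  name        = "office-ssh"
  description = "SSH from the office network only"
  vpc_id      = var.provose_vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # placeholder (RFC 5737 documentation range)
  }
}

module "myproject" {
  source = ""
  provose_config = {
    authentication = {
      aws = {
        region = "us-east-1"
      }
    }
    name                 = "myproject"
    internal_root_domain = ""
    internal_subdomain   = "production"
  }

  ec2_on_demand_instances = {
    api = {
      instances = {
        instance_type  = "t3.small"
        ami_id         = "ami-PLACEHOLDER" # assumes an AMI that ships the AWS CLI
        instance_count = 2                 # creates api-1 and api-2
        key_name       = "deploy-key"
        # Runs once at creation, not on reboot. Reads the secret granted
        # below at boot time instead of baking it into the AMI or into
        # Terraform state. Needs outbound reachability to Secrets Manager.
        bash_user_data = <<-EOT
          #!/bin/bash
          set -euo pipefail
          umask 077
          mkdir -p /etc/api
          aws secretsmanager get-secret-value \
            --region us-east-1 \
            --secret-id production/api/db-password \
            --query SecretString --output text > /etc/api/db-password
        EOT
      }

      # public.tcp is deliberately unset, so no port is open to the whole
      # Internet. The default public IP stays so the office group can reach
      # port 22 and the boot script can reach Secrets Manager. HTTP/HTTPS
      # are reachable only from inside the VPC.
      vpc = {
        tcp = [80, 443]
      }
      vpc_security_group_ids = [aws_security_group.office_ssh.id]

      # Grants access only; the user-data script above does the fetching.
      secrets = ["production/api/db-password"]

      # Encrypted root volume under a custom KMS key.
      root_block_device = {
        volume_size_gb        = 20
        volume_type           = "gp2"
        encrypted             = true
        kms_key_id            = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"
        delete_on_termination = true
      }

      # Read-only access to one configuration bucket.
      s3_buckets = {
        "myproject-config-placeholder" = {
          permissions = {
            list   = true
            get    = true
            put    = false
            delete = false
          }
        }
      }
    }
  }
}
```

Because the instances keep the default public IP, the office CIDR must be the network's Internet-facing address range; if your office reaches the VPC over a VPN or peering connection instead, set associate_public_ip_address to false and give the boot script a NAT gateway or VPC endpoint to reach Secrets Manager.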


The module exposes the following outputs:

  • ec2_on_demand_instances.aws_security_group.ec2_on_demand_instances – A map with a key for every instance; each value is a Terraform aws_security_group resource.

  • ec2_on_demand_instances.aws_instance.ec2_on_demand_instances – A map keyed by the names of the on-demand instances, suffixed with -1, -2, and so on when instances.instance_count is greater than 1. Each value is a Terraform aws_instance resource.

  • ec2_on_demand_instances.aws_route53_record.ec2_on_demand_instances – A map from the names of the EC2 on-demand instances to the aws_route53_record resources that describe their DNS records internal to the VPC.
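Consuming these outputs from the root module, as an added example that is not part of the Provose documentation: it attaches an Elastic IP to every instance (the stable address that the associate_public_ip_address note above recommends), adds one narrow ingress rule to the security group Provose built for one entry, and exports name-to-address maps. It assumes the module block is named myproject as in the example above, that the outputs are reachable under module.myproject.ec2_on_demand_instances.<resource>.ec2_on_demand_instances, and that the security group map is keyed by the entry name my-instance-name.

```hcl
# Added example, not from the Provose docs. Assumes the module block is
# named "myproject" and the outputs listed above live under
# module.myproject.ec2_on_demand_instances.<resource>.ec2_on_demand_instances.
locals {
  # Instance name (or name-N when instance_count > 1) -> aws_instance.
  on_demand = module.myproject.ec2_on_demand_instances.aws_instance.ec2_on_demand_instances
}

# One Elastic IP per instance, so the public address survives stop/start
# instead of changing like the auto-assigned one.
resource "aws_eip" "on_demand" {
  for_each = local.on_demand
  vpc      = true # AWS provider 5+ spells this `domain = "vpc"`
  instance = each.value.id
  tags     = { Name = each.key }
}

# Extra rule on the group Provose built for one entry, narrower than
# anything public.tcp can express: HTTPS from one partner CIDR only.
# Assumes the map is keyed by the entry name.
resource "aws_security_group_rule" "partner_https" {
  type              = "ingress"
  security_group_id = module.myproject.ec2_on_demand_instances.aws_security_group.ec2_on_demand_instances["my-instance-name"].id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["198.51.100.0/24"] # placeholder (RFC 5737 documentation range)
}

# Private addresses and internal DNS names, keyed by instance name.
output "on_demand_private_ips" {
  value = { for name, inst in local.on_demand : name => inst.private_ip }
}

output "on_demand_internal_dns" {
  value = {
    for name, rec in module.myproject.ec2_on_demand_instances.aws_route53_record.ec2_on_demand_instances :
    name => rec.fqdn
  }
}
```

Because the aws_instance map is already keyed per instance, for_each over it scales with instance_count without listing bob-1, bob-2 by hand; the Route 53 output is what in-VPC clients should use, since those names do not change when an address does.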