EC2 Launch Template + Auto Scaling Group

aws-autoscaling

EC2 launch template + Auto Scaling group with secure defaults. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. The launch template enforces IMDSv2, encrypts the root volume, and the group is wired to always track the template's latest version. Networking is self-contained: with no subnets supplied the module uses the account's default VPC and creates an egress-only security group, so it applies cleanly in a fresh account.

By default the group scales to zero (desired_capacity = 0, min_size = 0): the ASG and launch template are created and fully exercised, but no instances launch — no compute cost. Raise desired_capacity to run instances.

Secure defaults:

• IMDSv2 required on the launch template (http_tokens = required) — blocks the SSRF → credential-theft class of attacks
• Root volume encrypted at rest always (AWS-managed aws/ebs key, or your kms_key_id), gp3 by default
• Egress-only security group (no inbound) created automatically; bring your own via security_group_ids to allow specific ingress
• ebs_optimized instances; instance tags propagated to launched instances

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status. The included tests/ fixture applies with desired_capacity = 0 so a live run creates and destroys the ASG/launch template with zero compute cost.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).