
Support AWS SSM Session Manager + ssh as a connection protocol for the AWS fleeting plugin

Description

We would like to adopt the new AWS fleeting plugin for managing hundreds of runner groups, each of which is in a different AWS account. Each runner group provides account-level separation for deployment.

In order for a central 'runner manager' to use this architecture, it would need direct ssh access to all of the instances in the runner groups, which would have dynamic IPs because of the nature of AutoScaling. This is a security concern and would not be acceptable at our company, because the runner managers would essentially be able to ssh anywhere, even to non-runner instances.

However, if the runner manager could tunnel through a Systems Manager session, it would not need direct network access to the runner instances.

Advantages

  • Access to ssh through a session tunnel could be much more granular than a network based firewall policy.
  • Better auditing/logging of sessions using AWS CloudTrail.
  • Still uses a standard ssh connection to the instance, just through a tunnel.

Proposal

Establishing a connection to an instance would be similar to a standard ssh connection:

  1. Use the same AWS credential configuration which is already defined in the plugin configuration.
  2. Acquire an instance.
  3. Add a key with EC2 Instance Connect.
  4. Start a port-forwarding SSM session to the instance on port 22 (returns a websocket with a local port).
  5. SSH to the local port, which is forwarded to the instance.
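The five steps above, as an added example that is not part of this issue or of the fleeting plugin's code. It drives the flow with the AWS CLI v2 and the session-manager-plugin, assuming the AWS credentials and region come from the environment or profile (step 1), that the instance id is already known (step 2 is the plugin's job), that the SSM agent is running with an instance profile allowing `ssmmessages`, that the OS user is `ec2-user`, and that `nc` is available for the readiness poll. The instance id `i-0123456789abcdef0` in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: SSM port-forwarding + EC2 Instance Connect + ssh.
# Assumptions: AWS CLI v2 and session-manager-plugin installed, credentials
# and region taken from the environment/profile, OS user ec2-user, nc present.
set -eu

# Step 4 parameters: JSON for the AWS-StartPortForwardingSession document.
ssm_forward_params() {
  # $1 = remote port on the instance, $2 = local port to listen on
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2"
}

# ssh options for a tunnelled hop: key the known_hosts entry on the instance
# id (HostKeyAlias) rather than on 127.0.0.1:<port>, which is reused for every
# instance and would otherwise produce host-key mismatches on each new runner.
ssh_tunnel_opts() {
  # $1 = instance id, $2 = local port
  printf -- '-p %s -o HostKeyAlias=%s -o StrictHostKeyChecking=accept-new' "$2" "$1"
}

# Poll until the local listener opened by the SSM session accepts connections.
wait_for_port() {
  # $1 = port, $2 = max seconds to wait
  i=0
  while [ "$i" -lt "$2" ]; do
    if nc -z 127.0.0.1 "$1" 2>/dev/null; then return 0; fi
    i=$((i + 1)); sleep 1
  done
  return 1
}

connect_via_ssm() {
  instance_id=$1; local_port=${2:-2222}; os_user=${3:-ec2-user}
  keydir=$(mktemp -d)
  trap 'kill "${ssm_pid:-}" 2>/dev/null; rm -rf "$keydir"' EXIT

  # Step 4: port-forwarding session, backgrounded; it owns the local listener.
  aws ssm start-session --target "$instance_id" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(ssm_forward_params 22 "$local_port")" &
  ssm_pid=$!
  wait_for_port "$local_port" 30

  # Step 3: ephemeral key pair. EC2 Instance Connect only keeps a pushed key
  # for 60 seconds, so push it after the tunnel is up, not before.
  ssh-keygen -q -t ed25519 -N '' -f "$keydir/id"
  aws ec2-instance-connect send-ssh-public-key --instance-id "$instance_id" \
    --instance-os-user "$os_user" --ssh-public-key "file://$keydir/id.pub" >/dev/null

  # Step 5: ordinary ssh to the forwarded port; the instance needs no inbound
  # security-group rule for the runner manager.
  # shellcheck disable=SC2046
  ssh -i "$keydir/id" $(ssh_tunnel_opts "$instance_id" "$local_port") \
    "$os_user@127.0.0.1" 'hostname; id'
}

# Runs only when an instance id is supplied, e.g. (placeholder id):
#   INSTANCE_ID=i-0123456789abcdef0 LOCAL_PORT=2222 sh ssm-ssh.sh
if [ -n "${INSTANCE_ID:-}" ]; then
  connect_via_ssm "$INSTANCE_ID" "${LOCAL_PORT:-2222}"
fi
```

The per-session key and the 60-second Instance Connect window mean there is no long-lived ssh credential on the runner manager, and every `StartSession` and `SendSSHPublicKey` call lands in CloudTrail. The IAM policy on the runner manager's role can then restrict `ssm:StartSession` to runner instances by tag condition, which is the granular control the Advantages section refers to.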