lib/kitchen/driver/ec2.rb in kitchen-ec2-2.2.1 vs lib/kitchen/driver/ec2.rb in kitchen-ec2-2.2.2
- old
+ new
@@ -215,13 +215,20 @@
create_security_group(state)
config[:security_group_ids] = [state[:auto_security_group_id]]
end
# If no SSH key pair name is specified, create one automatically.
- unless config[:aws_ssh_key_id]
+ # If `_disabled`, nullify the key ID to avoid associating the instance with
+ # an AWS-managed key pair.
+ case config[:aws_ssh_key_id]
+ when nil
create_key(state)
config[:aws_ssh_key_id] = state[:auto_key_id]
+ when "_disable"
+ info("Disabling AWS-managed SSH key pairs for this EC2 instance.")
+ info("The key pairs for the kitchen transport config and the AMI must match.")
+ config[:aws_ssh_key_id] = nil
end
if config[:spot_price]
# Spot instance when a price is set
server = submit_spot(state)
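Review bot: The added comment names the sentinel as `_disabled`, but the `when` branch matches the string `"_disable"`, so the documentation and the code disagree on the value a user must set. A value of `_disabled` matches neither branch and stays in `config[:aws_ssh_key_id]`, where it would presumably be treated as a real key pair name later in the method. Correct the comment to `# If "_disable", nullify the key ID to avoid associating the instance with an AWS-managed key pair.` The enclosing method starts and ends outside this hunk, so how the remaining value is consumed is not visible here.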
@@ -776,13 +783,12 @@
# probably fine. If you want very high security, probably don't use this
# feature anyway.
resp = ec2.client.create_key_pair(key_name: "kitchen-#{name_parts.join('-')}")
state[:auto_key_id] = resp.key_name
info("Created automatic key pair #{state[:auto_key_id]}")
- # Write the key out, but safely hence the weird sysopen.
+ # Write the key out with safe permissions
key_path = "#{config[:kitchen_root]}/.kitchen/#{instance.name}.pem"
- key_fd = File.sysopen(key_path, File::WRONLY | File::CREAT | File::EXCL, 00600)
- File.open(key_fd) do |f|
+ File.open(key_path, File::WRONLY | File::CREAT | File::EXCL, 00600) do |f|
f.write(resp.key_material)
end
# Inject the key into the state to be used by the SSH transport, or for
# the Windows password decrypt above in {#fetch_windows_admin_password}.
state[:ssh_key] = key_path
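Review bot: The rewritten comment `# Write the key out with safe permissions` no longer explains why `File::CREAT | File::EXCL` is used, which makes the flags easy to drop in a later cleanup. I would spell it out: `# Create with EXCL and mode 0600: never write the private key into a pre-existing file or symlink, and never leave it group/world-readable.` Separately, the key pair is created in AWS before the write, so a stale `.pem` at `key_path` makes `File.open` raise `Errno::EEXIST` after the remote key already exists. Whether the key is then cleaned up depends on `state[:auto_key_id]` being persisted by the caller, which is not visible in this hunk. The method body starts and ends outside the hunk.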