fix(ec2): passing keypair to instance unexpectedly does nothing (#28482)

Fixes by Specifying key pair reference in cfnInstance.

This will change behavior if both `keyName` and `keyPair` is set on an existing resource, since we will use `keyPair.keyPairName` instead of `keyName` now. However, there is no correct use case for specifying both `keyPair` and `keyName`, and given `keyName` is deprecated, this PR is introducing the correct behavior.

Closes #28478.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.key-pair.js.snapshot/aws-cdk-ec2-key-pair-1.template.json

@@ -489,7 +489,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "a099fdfc61c84ffc56cef4fb2c9472483623ac865ce5d8fca88c89cf60d48d03.zip"
+     "S3Key": "4554b47be6f57b68c6c7a7391dcc73894866d2377fe174883351e7639097f292.zip"
     },
     "Timeout": 900,
     "MemorySize": 128,
@@ -588,6 +588,9 @@
      "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
     },
     "InstanceType": "t3.micro",
+    "KeyName": {
+     "Ref": "TestKeyPair38B6CD21"
+    },
     "SecurityGroupIds": [
      {
       "Fn::GetAtt": [

packages/aws-cdk-lib/aws-ec2/lib/instance.ts

@@ -77,7 +77,7 @@ export interface InstanceProps {
    * Name of SSH keypair to grant access to instance
    *
    * @default - No SSH access will be possible.
-   * @deprecated - Use {@link keyPair} instead
+   * @deprecated - Use `keyPair` instead - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#using-an-existing-ec2-key-pair
    */
   readonly keyName?: string;
 
@@ -437,7 +437,7 @@ export class Instance extends Resource implements IInstance {
     // there is no need to configure them on the instance level
     this.instance = new CfnInstance(this, 'Resource', {
       imageId: imageConfig.imageId,
-      keyName: props.keyName,
+      keyName: props.keyPair?.keyPairName ?? props?.keyName,
       instanceType: props.instanceType.toString(),
       subnetId: networkInterfaces ? undefined : subnet.subnetId,
       securityGroupIds: networkInterfaces ? undefined : securityGroupsToken,

packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts

@@ -333,7 +333,7 @@ export interface LaunchTemplateProps {
    * Name of SSH keypair to grant access to instance
    *
    * @default - No SSH access will be possible.
-   * @deprecated - Use `keyPair` instead.
+   * @deprecated - Use `keyPair` instead - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#using-an-existing-ec2-key-pair
    */
   readonly keyName?: string;
 

packages/aws-cdk-lib/aws-ec2/lib/nat.ts

@@ -172,7 +172,7 @@ export interface NatInstanceProps {
    * Name of SSH keypair to grant access to instance
    *
    * @default - No SSH access will be possible.
-   * @deprecated - Use `keyPair` instead.
+   * @deprecated - Use `keyPair` instead - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#using-an-existing-ec2-key-pair
    */
   readonly keyName?: string;
 

packages/aws-cdk-lib/aws-ec2/test/instance.test.ts

@@ -520,6 +520,26 @@ describe('instance', () => {
     })).toThrow('Cannot specify both of \'keyName\' and \'keyPair\'; prefer \'keyPair\'');
   });
 
+  it('correctly associates a key pair', () => {
+    // GIVEN
+    const keyPair = new KeyPair(stack, 'KeyPair', {
+      keyPairName: 'test-key-pair',
+    });
+
+    // WHEN
+    new Instance(stack, 'Instance', {
+      vpc,
+      instanceType: new InstanceType('t2.micro'),
+      machineImage: new AmazonLinuxImage(),
+      keyPair,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::EC2::Instance', {
+      KeyName: stack.resolve(keyPair.keyPairName),
+    });
+  });
+
   describe('Detailed Monitoring', () => {
     test('instance with Detailed Monitoring enabled', () => {
       // WHEN