I am creating an ec2 instance for usage as a bastion host, using terraform. The instance is reached via an elastic ip. I deploy ssh-keys to the bastion host using a shell script inside the user_data directive. When I add or remove a key from the shell script the ec2 instance is redeployed to apply the changes. For that I use the user_data_replace_on_change directive.