Skip to content
This repository has been archived by the owner on Feb 11, 2022. It is now read-only.

ISSUE #423: Support using EC2-generated password as the WinRM password #433

Open
wants to merge 1 commit into
base: master

Conversation


@rafd123 rafd123 commented Dec 19, 2015

Adds a winrm_info provider capability to support using the EC2 GetPasswordData API as a means of getting the WinRM password.

If the winrm.password is set to :aws, go fetch the AWS password data for the machine, decrypt the user-specified private key, and set it as the winrm.password

@rtyler rtyler added this to the 0.8.0 milestone Jul 3, 2016
@rtyler
Collaborator

rtyler commented Jul 3, 2016

@rafd123 I have no means of verifying that this works; are there any tests you could write or incorporate for this?

@rafd123
Author

rafd123 commented Jul 3, 2016

The easiest way to verify that this works is to specify a Windows AMI and enable WinRM via UserData. You then use the Vagrant WinRM communicator as advertised, the exception being that you specify :aws for the WinRM password; the end result is that the Vagrant WinRM communicator should be able to authenticate without knowing the EC2-generated admin password up front.

To create a test for this means creating an integration test that actually spins up an instance. I didn't see any of these in the code base. If you could point me to an integration test suite that the core team uses to validate vagrant-aws, I'd be more than happy to write a test.

Alternatively, I can create an example box that can be used for smoke testing.

LMK

…M password

Adds a winrm_info provider capability to support using the EC2 GetPasswordData API as a means of getting the WinRM password.

If the winrm.password is set to :aws, go fetch the AWS password data for the machine, decrypt the user-specified private key, and set it as the winrm.password
@rafd123
Author

rafd123 commented Jul 4, 2016

FWIW I've updated the README in the PR to include a more complete example on how to get this to work.

Here's the Vagrantfile I used to test this:

Vagrant.configure("2") do |config|
  config.vm.box = "dummy"
  config.vm.synced_folder ".", "/vagrant", disabled: true

  # Set default communicator
  config.vm.communicator = 'winrm'
  config.winrm.username = 'Administrator'
  config.winrm.password = :aws # indicates that the password should be fetched and decrypted from AWS

  # private_key_path needed to decrypt the password; it must be the private half
  # of the key pair named in aws.keypair_name below, otherwise decryption fails
  config.ssh.private_key_path = '~/mykeypair.pem'

  config.vm.provider :aws do |aws, override|
    # Security group that allows WinRM port inbound (port 5985).
    # The Windows firewall rule in the user data below accepts any source
    # address, so the security group is what limits who can reach WinRM.
    aws.security_groups = ['some_security_group_that_allows_winrm_inbound']

    aws.access_key_id = ENV['AWS_ACCESS_KEY']
    aws.secret_access_key = ENV['AWS_SECRET_KEY']
    aws.region = 'us-west-2'

    # keypair name corresponding to private_key_path
    aws.keypair_name = "mykeypair"

    # Microsoft Windows Server 2012 Base in us-west-2
    aws.ami = "ami-990acff9"

    # Enable WinRM on the instance (plain HTTP on 5985)
    aws.user_data = <<-USERDATA
      <powershell>
        Enable-PSRemoting -Force
        netsh advfirewall firewall add rule name="WinRM HTTP" dir=in localport=5985 protocol=TCP action=allow
      </powershell>
    USERDATA
  end
end

After everything is said and done, not only will Vagrant use the EC2-generated administrator password to verify the machine is up using WinRM, but you can also issue a `vagrant powershell` to remote shell into the machine, again without having to know the administrator password that EC2 generated.
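The step the PR description and the Vagrantfile above rely on, fetching PasswordData and turning it back into the Administrator password, as an added Ruby example. This is not code from the PR or from vagrant-aws: the function names (decrypt_ec2_password, wait_for_ec2_password, fake_ec2_password_data) are hypothetical, the GetPasswordData call itself is left to the caller as a block, and the EC2 side is stood in for by a throwaway key pair that encrypts a constructed password the way EC2 does (RSA with PKCS#1 v1.5 padding, then base64) so the code runs offline.

```ruby
require 'openssl'
require 'base64'

# Decrypt the PasswordData field returned by EC2 GetPasswordData for a
# Windows instance.
#
# EC2 encrypts the initial Administrator password with the public half of
# the key pair the instance was launched with (RSA, PKCS#1 v1.5 padding) and
# returns it base64-encoded. Only the matching private key recovers it.
# PasswordData is empty until the instance has finished first boot and
# generated the password, so an empty value means "not ready yet", not
# "failure".
#
# password_data:   base64 string from GetPasswordData (fetching it is the
#                  caller's job; assumed here, not shown)
# private_key_pem: contents of the .pem file behind aws.keypair_name;
#                  a passphrase-protected key needs the passphrase passed
#                  as the second argument to OpenSSL::PKey::RSA.new
# Returns the plaintext password, or nil if EC2 has not produced one yet.
# Raises OpenSSL::PKey::RSAError when the key does not match the instance.
def decrypt_ec2_password(password_data, private_key_pem)
  return nil if password_data.nil? || password_data.strip.empty?

  key = OpenSSL::PKey::RSA.new(private_key_pem)
  raise ArgumentError, 'a private key is required (public key given)' unless key.private?

  ciphertext = Base64.decode64(password_data)
  key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_PADDING)
end

# Poll until PasswordData is non-empty, as a winrm_info capability would have
# to, bounded by a timeout. The block performs one GetPasswordData call and
# returns the raw PasswordData string (hypothetical caller-supplied fetch).
def wait_for_ec2_password(private_key_pem, timeout: 600, interval: 10)
  deadline = Time.now + timeout
  loop do
    password = decrypt_ec2_password(yield, private_key_pem)
    return password if password
    return nil if Time.now >= deadline

    sleep interval
  end
end

# Constructed stand-in for EC2: encrypt a password with the key pair's public
# half exactly as the service does, so decrypt_ec2_password can be exercised
# without an instance.
def fake_ec2_password_data(public_key, password)
  Base64.strict_encode64(
    public_key.public_encrypt(password, OpenSSL::PKey::RSA::PKCS1_PADDING)
  )
end

if __FILE__ == $PROGRAM_NAME
  keypair = OpenSSL::PKey::RSA.new(2048)                     # stands in for mykeypair.pem
  data = fake_ec2_password_data(keypair.public_key, 'S3cr3t!Password')
  puts decrypt_ec2_password(data, keypair.to_pem)            # prints S3cr3t!Password
end
```

Two things worth keeping in mind when wiring this into the communicator: the recovered password is only as well protected as the .pem file, so the key should not be world-readable or checked into the repo alongside the Vagrantfile; and since the user data above enables WinRM over plain HTTP on 5985, the security group, not the Windows firewall rule, is what keeps that port from being reachable by anyone but the Vagrant host.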
