Hi, I don't think we have anything ready out-of-the-box to work with spot instances. I found a related issue and cross-linked with the article as suggestion for the use-case / need for better support: https://gitlab.com/gitlab-org/gitlab-ce/issues/13666.
1) Create Managed AD or Simple AD + AD Connector pair.
2) Enable MFA via RADIUS for Managed AD or AD Connector.
3) Enable awsapps domain.
4) Create a user account on either your Managed AD or Simple AD.
5) Configure OTP for your newly created LDAP user.
6) Configure your RADIUS to authenticate using your OTP only (no password+pin combo).
7) Configure your RADIUS to log authentication attempts.
8) Log into your awsapps domain using your LDAP user.
9) Check your RADIUS logs (you will see authentication was successful, confirming your RADIUS is correctly configured).
10) Setup Client VPN, use either your Managed AD or AD Connector for authentication.
11) Associate a target network and allow all authenticated users to access it.
12) Download Client VPN config file.
13) Download AWSs Starfield Technologies Cert.
14) Add cert from (13) to the top of the <ca> section in the Client VPN config file.
15) Attempt to connect to Client VPN with your LDAP creds and the Client VPN config file (this will fail).
16) Check the logs on your RADIUS server (you will see no authentication attempt was made).
17) Enable support for 2FA in your Client VPN config file by adding the line: static-challenge "enter otp" 0
18) Try to log in again (this will fail).
19) Check the logs on your RADIUS server (there will have been no authentication attempt).
20) Disable MFA on either your AD Connector or your Microsoft AD.
21) Remove the line: `static-challenge "enter otp" 0` from your Client VPN config file.
22) Attempt to login to your Client VPN with your username and password.
23) You will be able to login to your VPN (without MFA).