fix: resolve EC2 CREATE_FAILED by moving UserData to cfn-init metadata #56

Open
gutomo wants to merge 1 commit into aws-samples:main from gutomo:main

@gutomo gutomo commented Mar 29, 2026

Problem

Deploying the CloudFormation stack fails with:

User data is limited to 16384 bytes (Service: Ec2, Status Code: 400)

The inline UserData bash script is ~20KB raw. After Fn::Sub variable
expansion and base64 encoding, it exceeds EC2's hard 16,384-byte limit.

Solution

Move the bulk setup logic from inline UserData into
AWS::CloudFormation::Init metadata, which is fetched via the
CloudFormation API at runtime and has no size limit.

What changed

  • UserData reduced to a ~900-byte bootstrap that installs
    cfn-bootstrap and runs cfn-init
  • cfn-init write_files stages config files to /opt/openclaw/:
    • setup.sh — the full setup script (formerly inline in UserData)
    • openclaw-config.json — Bedrock config template
    • SOUL.md — first-message onboarding prompt
    • ssm-portforward.sh — SSM access helper
  • cfn-init run_setup executes /opt/openclaw/setup.sh
  • IAM policies added for permissions required by cfn-init and
    the SSM helper script:
    • ec2:DescribeTags
    • cloudformation:DescribeStackResource
    • cloudformation:SignalResource

No behavioral changes

The setup flow, installed software, config files, and outputs are
identical. Only the delivery mechanism changed (inline UserData →
cfn-init metadata).

Testing

  • cfn-lint passes (only pre-existing W8001 warning for unused
    EnableDocker condition)
  • UserData base64 size verified at 1,216 bytes (well under 16KB)
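
As an added illustration of the pattern this PR describes (not code from the PR or from the aws-samples template): a small bootstrap UserData that hands off to cfn-init, with the three IAM actions listed above scoped as narrowly as each allows. The logical IDs, the Amazon Linux 2023 AMI reference, the instance type, the CreationPolicy and the setup.sh body are assumptions.

```yaml
# Added illustration: logical IDs, AMI reference, instance type and setup.sh body are assumptions.
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - {Effect: Allow, Principal: {Service: ec2.amazonaws.com}, Action: "sts:AssumeRole"}
      Policies:
        - PolicyName: cfn-init-bootstrap
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow        # used by cfn-init and cfn-signal; scoped to this stack only
                Action: ["cloudformation:DescribeStackResource", "cloudformation:SignalResource"]
                Resource: !Ref AWS::StackId
              # ec2:DescribeTags does not support resource-level scoping, so "*" is required
              - {Effect: Allow, Action: "ec2:DescribeTags", Resource: "*"}
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: {Roles: [!Ref InstanceRole]}
  Instance:
    Type: AWS::EC2::Instance
    CreationPolicy: {ResourceSignal: {Timeout: PT15M}}   # assumed: stack waits for cfn-signal
    Metadata:
      AWS::CloudFormation::Init:
        configSets: {default: [write_files, run_setup]}
        write_files:
          files:
            /opt/openclaw/setup.sh:
              mode: "000700"         # executable by root only; cfn-init runs it as root
              content: |
                #!/bin/bash
                set -euo pipefail
                echo "placeholder for the full setup logic"
        run_setup:
          commands:
            01_setup: {command: /opt/openclaw/setup.sh}
    Properties:
      # assumed: latest Amazon Linux 2023 AMI via the public SSM parameter
      ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64}}"
      InstanceType: t3.small
      IamInstanceProfile: !Ref InstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          dnf install -y aws-cfn-bootstrap
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource Instance --region ${AWS::Region}
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource Instance --region ${AWS::Region}
```

Init metadata is returned to any principal allowed to call cloudformation:DescribeStackResource on the stack, so secrets do not belong in `files` content any more than in UserData.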

Contributor

JiaDe-Wu commented Apr 3, 2026

Hi @gutomo, thanks for this contribution! The cfn-init architecture is exactly the right approach — clean solution and well-structured PR.

Since you opened this PR, we've landed a few changes on main that overlap with what you're addressing:

  1. SOUL.md injection has been removed — it's a user-customizable file and shouldn't be owned by the template
  2. openclaw is now pinned to 2026.3.24 due to a regression in newer releases affecting WeChat and Feishu
  3. WeChat personal channel support has been added via openclaw plugins install @tencent/openclaw-weixin@latest

Could you rebase your branch on the latest main and update the PR? Your cfn-init restructuring is the valuable part here and we'd love to get it merged. Happy to help if you run into any conflicts.
