How do we code in AWS terraform the keypair (PEM) download?

How to code terraform so that each VM can have a unique keypair (PEM) downloaded? The below link in “background” shows a single key-pair in the provider block so I am assuming that there will be only one key-pair for this deployment which will include multiple VMs with unique server names. I read it is best practice to provide a unique key-pair for each EC2?,… how can I do this?. Is there a way to add this kind of parameter under the EC2 deployment process?,… did not see this type of parameter? Please provide a understandable example. If you are going to use a counter please include this in the example ( ie I am a novice in the usage of the counter?)

Create keypair in the below “provider block”

 provider "aws" {                      ### This is referred to "AWS 
 provider block"
   region     = "us-west-2"
   access_key = "my-access-key"
   secret_key = "my-secret-key"

}

Where is the key pair located after the deployment? If the provider block does not include the access_key/secret_key how will the user access the EC2 once deployed? What is the default action if the key-pair is stated in the provider block? (ie I am seeing example terraform code with out any key-pair).

Is there another alternative for Windows users who are often are not experienced with SSH? Any possibility in AWS terraform can create a standard user and password for an RDP session? Please provide an example.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The below resource aws_key_pair can be used for providing a key. Is the below key_name/Public_key equivalent to the access_key/secret_key? Is there any way to provide a user name and password for both Windows VMs and Linux VMs using aws terraform?

Must the “aws_key_pair” be created during creation of the EC2 only?,… or can we apply this resource after creation?

How do we associate this “aws_key_pair” resource with a specific EC2 in terraform? Please provide an example.

The issue with the below is that it would require alot of work to gather and input the rsa certificate information when you have many servers. This is why I was interested in finding a way to provide a name and password to provide for initial logon (ie Azure Terraform provides this option) then the system owners can make the user name and password complex. Note-Enterprise level-policies are in place for both linux and windows to provide complex password for local admin accounts.

What I am looking for is a way use terraform to create an initial user name and password for created EC2 so that system owners can reset these credentials.

 resource "aws_key_pair" "deployer" {
   key_name   = "deployer-key"
   public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 email@example.com"

}