cem_acpt 0.2.6-universal-java-17

data/lib/cem_acpt/platform/gcp/cmd.rb

@@ -0,0 +1,345 @@
+# frozen_string_literal: true
+
+module CemAcpt::Platform::Gcp
+  require 'json'
+  require 'open3'
+  require_relative File.join(__dir__, '..', 'base', 'cmd.rb')
+
+  # This class provides methods to run gcloud commands. It allows for default values to be
+  # set for the project, zone, and user and can also find these values from the local config.
+  # Additionally, this class provides a way to run SSH commands against GCP VMs using IAP.
+  class Cmd < CemAcpt::Platform::CmdBase
+    def initialize(project: nil, zone: nil, out_format: nil, filter: nil, user_name: nil, local_port: nil, ssh_key: nil)
+      super(env: { 'CLOUDSDK_PYTHON_SITEPACKAGES' => '1' })
+      require 'net/ssh'
+      require 'net/ssh/proxy/command'
+
+      @project = project unless project.nil?
+      @zone = zone unless zone.nil?
+      @default_out_format = out_format
+      @default_filter = filter
+      @user_name = user_name
+      @local_port = local_port
+      @ssh_key = ssh_key
+      raise CemAcpt::Platform::CmdError, 'gcloud command not available' unless gcloud?
+      raise CemAcpt::Platform::CmdError, 'gcloud is not authenticated' unless authenticated?
+    end
+
+    # Returns either the project name passed in during object initialization
+    # or the project name from the local config.
+    def project
+      @project ||= project_from_config&.chomp
+    end
+
+    # Returns either the zone name passed in during object initialization
+    # or the zone name from the local config.
+    def zone
+      @zone ||= zone_from_config&.chomp
+    end
+
+    # Returns either the user name passed in during object initialization
+    # or queries the current active, authenticated user from gcloud and returns the name.
+    def user_name
+      @user_name ||= authenticated_user_name
+    end
+
+    # Returns the format string passed in during object initialization or
+    # the default format string.
+    def format(out_format = nil)
+      out_format&.chomp || @default_out_format
+    end
+
+    # Returns the filter string passed in during object initialization or
+    # the default filter string.
+    def filter(out_filter = nil)
+      out_filter&.chomp || @default_filter
+    end
+
+    def local_port
+      @local_port ||= rand(49_512..65_535)
+    end
+
+    def ssh_key
+      return @ssh_key unless @ssh_key.nil?
+
+      if File.exist?(File.join([ENV['HOME'], '.ssh', 'acpt_test_key']))
+        @ssh_key = File.join([ENV['HOME'], '.ssh', 'acpt_test_key'])
+      else
+        logger.debug("Test SSH key not found at #{File.join([ENV['HOME'], '.ssh', 'acpt_test_key'])}, using default")
+        @ssh_key = File.join([ENV['HOME'], '.ssh', 'google_compute_engine'])
+      end
+      @ssh_key
+    end
+
+    # Returns a formatted hash of ssh options to be used with Net::SSH.start.
+    # If you pass in a GCP VM instance name, this method will configure the
+    # IAP tunnel ProxyCommand to use. If you pass in an opts hash, it will
+    # merge the options with the default options.
+    def ssh_opts(instance_name: nil, use_proxy_command: true, opts: {})
+      base_opts = default_ssh_opts
+      if use_proxy_command
+        base_opts[:proxy] = proxy_command(instance_name, port: base_opts[:port])
+        base_opts[:host_key_alias] = vm_alias(instance_name)
+      end
+      base_opts.merge(opts).reject { |_, v| v.nil? }
+    end
+
+    # Runs `gcloud` commands locally.
+    def local_exec(command, out_format: 'json', out_filter: nil, project_flag: true)
+      final_command = format_gcloud_command(command, out_format: out_format, out_filter: out_filter, project_flag: project_flag)
+      stdout, stderr, status = Open3.capture3(env, final_command)
+      raise "gcloud command '#{final_command}' failed: #{stderr}" unless status.success?
+
+      if format(out_format) == 'json'
+        begin
+          ::JSON.parse(stdout)
+        rescue ::JSON::ParserError
+          stdout.chomp
+        end
+      else
+        stdout.chomp
+      end
+    end
+
+    # Stops a GCP VM instance.
+    def stop_instance(instance_name)
+      local_exec("compute instances stop #{instance_name}")
+    end
+
+    # Deletes a GCP VM instance.
+    def delete_instance(instance_name)
+      local_exec("compute instances delete #{instance_name} --quiet")
+    rescue StandardError
+      # Ignore errors when deleting instances.
+    end
+
+    # Returns a Hash describing a GCP VM instance.
+    def vm_describe(instance_name, out_format: 'json', out_filter: nil)
+      local_exec("compute instances describe #{instance_name}", out_format: out_format, out_filter: out_filter)
+    end
+
+    # This function runs the specified command as the currently authenticated user
+    # on the given CGP VM via SSH. Using `ssh` does not invoke the gcloud command
+    # and is dependent on the system's SSH configuration.
+    def ssh(instance_name, cmd, ignore_command_errors: false, use_proxy_command: true, opts: {})
+      Net::SSH.start(instance_name, user_name,
+                     ssh_opts(instance_name: instance_name, use_proxy_command: use_proxy_command, opts: opts)) do |ssh|
+        logger.debug("Running SSH command '#{cmd}' on instance '#{instance_name}'")
+        result = ssh.exec!(cmd)
+        if result.exitstatus != 0 && !ignore_command_errors
+          abridged_cmd = cmd.length > 100 ? "#{cmd[0..100]}..." : cmd
+          raise "Failed to run SSH command \"#{abridged_cmd}\" on #{instance_name}: #{result}"
+        end
+        result
+      end
+    end
+
+    # Uploads a file to the specified VM.
+    def scp_upload(instance_name, local, remote, use_proxy_command: true, scp_opts: {}, opts: {})
+      raise "Local file #{local} does not exist" unless File.exist?(local)
+
+      cmd = [
+        'compute',
+        'scp',
+      ]
+      cmd << '--strict-host-key-checking=no'
+      cmd << "--tunnel-through-iap" if use_proxy_command
+      cmd << "--recurse" if scp_opts[:recurse]
+      cmd << "#{local} #{instance_name}:#{remote}"
+      local_exec(cmd.join(' '), out_format: 'json')
+    end
+
+    # Downloads a file from the specified VM.
+    def scp_download(instance_name, remote, local, use_proxy_command: true, scp_opts: {}, opts: {})
+      raise "Local file #{local} does not exist" unless File.exist?(local)
+
+      cmd = [
+        'compute',
+        'scp',
+      ]
+      cmd << '--strict-host-key-checking=no'
+      cmd << '--tunnel-through-iap' if use_proxy_command
+      cmd << '--recurse' if scp_opts[:recurse]
+      cmd << "#{instance_name}:#{remote} #{local}"
+      local_exec(cmd.join(' '), out_format: 'json')
+    end
+
+    def ssh_ready?(instance_name, opts: {})
+      ssh_options = ssh_opts(instance_name: instance_name, opts: opts)
+      logger.debug("Testing SSH connection to #{instance_name} with options #{ssh_options}")
+      gcloud_ssh(instance_name, 'echo "SSH is ready"')
+      logger.debug('Removing ecdsa & ed25519 host keys from config due to bug in jruby-openssl')
+      gcloud_ssh(instance_name, 'sudo sed -E -i "s;HostKey /etc/ssh/ssh_host_(ecdsa|ed25519)_key;;g" /etc/ssh/sshd_config')
+      logger.debug('Restarting SSH service')
+      gcloud_ssh(instance_name, 'sudo systemctl restart sshd', ignore_command_errors: true)
+      logger.info("SSH connection to #{instance_name} is ready")
+      true
+    rescue StandardError => e
+      logger.debug("SSH connection to #{instance_name} failed: #{e}")
+      false
+    end
+
+    # This function spawns a background thread to run a GCP IAP tunnel, run the given
+    # code block, then kill the thread. The code block will be yielded ssh_opts that
+    # are used to configure SSH connections over the IAP tunnel. The IAP tunnel is
+    # run in it's own thread and will not block the main thread. The IAP tunnel is
+    # killed when the code block exits. All SSH connections made in the code block
+    # must be made to the host '127.0.0.1' using the yielded ssh_opts and not the VM name.
+    # @param instance_name [String] The name of the GCP VM instance to connect to.
+    # @param instance_port [Integer] The port to connect to on the GCP VM instance.
+    # @param disable_connection_check [Boolean] If true, the connection check will be disabled.
+    def with_iap_tunnel(instance_name, instance_port = 22, disable_connection_check: false, &block)
+      cmd = [
+        'compute start-iap-tunnel',
+        "#{instance_name} #{instance_port}",
+        "--local-host-port=localhost:#{local_port}",
+      ]
+      cmd << '--disable-connection-check' if disable_connection_check
+      tunnel_ssh_opts = {
+        proxy: nil,
+        port: local_port,
+        forward_agent: false,
+      }
+      final_cmd = format_gcloud_command(cmd.join(' '), out_format: nil, project_flag: false)
+      tunnel_pid = Process.spawn(env, final_cmd)
+      begin
+        block.call(ssh_opts(use_proxy_command: false, opts: tunnel_ssh_opts))
+      ensure
+        Process.kill('TERM', tunnel_pid)
+      end
+    end
+
+    def project_from_config
+      local_exec('config get-value project', out_format: nil, project_flag: false)
+    end
+
+    def zone_from_config
+      local_exec('config get-value compute/zone', out_format: nil, project_flag: false)
+    end
+
+    def run_shell(instance_name, cmd, opts = {})
+      ssh_opts = opts.key?(:ssh_opts) ? opts[:ssh_opts] : {}
+      command = [
+        'sudo -n -u root -i',
+        cmd,
+      ]
+      ssh(
+        instance_name,
+        command.join(' '),
+        ignore_command_errors: true,
+        opts: ssh_opts,
+      )
+    end
+
+    def apply_manifest(instance_name, manifest, opts = {})
+      unless opts[:apply][:no_upload]
+        with_temp_manifest_file(manifest) do |tf|
+          upload_temp_manifest(instance_name, tf.path, remote_path: '/tmp/acpt_manifest.pp', opts: opts)
+        end
+      end
+      apply_cmd = [opts[:puppet_path], 'apply', '/tmp/acpt_manifest.pp']
+      apply_cmd << '--trace' if opts[:apply][:trace]
+      apply_cmd << "--hiera_config=#{opts[:apply][:hiera_config]}" if opts[:apply][:hiera_config]
+      apply_cmd << '--debug' if opts[:apply][:debug]
+      apply_cmd << '--noop' if opts[:apply][:noop]
+      apply_cmd << '--detailed-exitcodes' if opts[:apply][:detailed_exitcodes]
+
+      run_shell(
+        instance_name,
+        apply_cmd.join(' '),
+        opts
+      )
+    end
+
+    private
+
+    def format_gcloud_command(command, out_format: 'json', out_filter: nil, project_flag: true)
+      cmd_parts = ['gcloud', command]
+      cmd_parts << "--project=#{project.chomp}" unless !project_flag || project.nil?
+      cmd_parts << "--format=#{format(out_format)}" if format(out_format)
+      cmd_parts << "--filter=\"#{filter(out_filter)}\"" if filter(out_filter)
+      cmd_parts.join(' ')
+    end
+
+    def with_temp_manifest_file(manifest, file_name: 'acpt_manifest')
+      require 'tempfile'
+      tf = Tempfile.new(file_name)
+      tf.write(manifest)
+      tf.close
+      begin
+        yield tf
+      ensure
+        tf.unlink
+      end
+    end
+
+    def upload_temp_manifest(instance_name, local_path, remote_path: '/tmp/acpt_manifest.pp', opts: {})
+      scp_upload(instance_name, local_path, remote_path, opts: opts[:ssh_opts]) unless opts[:apply][:no_upload]
+    end
+
+    def gcloud_ssh(instance_name, command, ignore_command_errors: false)
+      local_exec("compute ssh --ssh-key-file #{ssh_key} --tunnel-through-iap #{instance_name} --command='#{command}'")
+    rescue StandardError => e
+      raise e unless ignore_command_errors
+    end
+
+    def vm_alias(vm)
+      "compute.#{vm_describe(vm)['id']}"
+    end
+
+    # Default options for Net::SSH
+    def default_ssh_opts
+      {
+        auth_methods: ['publickey'],
+        check_host_ip: false,
+        compression: true,
+        config: false,
+        keys: [ssh_key],
+        keys_only: true,
+        kex: ['diffie-hellman-group-exchange-sha256'], # ecdh algos cause jruby to shit the bed
+        non_interactive: true,
+        port: 22,
+        user: user_name,
+        user_known_hosts_file: File.join(ENV['HOME'], '.ssh', 'acpt_test_known_hosts'),
+        verify_host_key: :never,
+      }
+    end
+
+    # Returns a Proxy::Command object to use for the SSH option ProxyCommand.
+    # This works in the same way that `gcloud compute ssh --tunnel-through-iap` does.
+    def proxy_command(instance_name, port: 22, quiet: true, verbosity: 'debug')
+      proxy_command = [
+        'gcloud compute start-iap-tunnel',
+        "#{instance_name} #{port}",
+        '--listen-on-stdin',
+        "--project=#{project}",
+        "--zone=#{zone}",
+      ]
+      #proxy_command << '--no-user-output-enabled --quiet' if quiet
+      proxy_command << "--verbosity=#{verbosity}" unless quiet || verbosity.nil? || verbosity.empty?
+      Net::SSH::Proxy::Command.new(proxy_command.join(' '))
+    end
+
+    # This function checks to ensure that the gcloud tool is available on the system.
+    def gcloud?
+      ver = local_exec('--version', out_format: nil, project_flag: false)
+      !ver.nil? && !ver.empty?
+    rescue RuntimeError, Errno::ENOENT
+      false
+    end
+
+    # This function checks to ensure that a user is authenticated with gcloud.
+    def authenticated?
+      local_exec('auth list', project_flag: false).any? { |a| a['status'] == 'ACTIVE' }
+    rescue RuntimeError, Errno::ENOENT
+      false
+    end
+
+    # This function returns the currently authenticated user's name sanitized for use in SSH
+    def authenticated_user_name
+      local_exec('compute os-login describe-profile', project_flag: false)['posixAccounts'][0]['username']
+    rescue StandardError => e
+      raise "failed to find authenticated user name from os-login profile: #{e.message}"
+    end
+  end
+end

data/lib/cem_acpt/platform/gcp/compute.rb

@@ -0,0 +1,332 @@
+# frozen_string_literal: true
+
+module CemAcpt::Platform::Gcp
+  require_relative 'cmd'
+  require_relative File.join(__dir__, '..', '..', 'logging.rb')
+
+  module Helper
+    def add_cmd(cmd_obj)
+      @cmd = cmd_obj
+    end
+
+    def cmd
+      @cmd ||= CemAcpt::Platform::Gcp::Cmd.new(out_format: 'json')
+    end
+
+    def cmd_flag_vars?(*vars)
+      vars.none? { |v| v.nil? || (v.empty? if v.respond_to?(:empty?)) }
+    end
+  end
+
+  # This class represents a GCP project
+  class Project
+    include Helper
+
+    def initialize(name: nil, zone: nil)
+      @name = name
+      @zone = zone
+    end
+
+    def name
+      @name ||= cmd.project_from_config
+    end
+
+    def zone
+      @zone ||= cmd.zone_from_config
+    end
+
+    def cmd_flag
+      "--project=#{name}"
+    end
+  end
+
+  # This class represents a GCP VM service account
+  class ServiceAccount
+    include Helper
+
+    attr_reader :name, :scopes
+
+    def initialize(name: nil, scopes: ['devstorage.read_only', 'logging.write', 'monitoring.write', 'servicecontrol', 'service.management.readonly', 'trace.append' ])
+      @name = name
+      @scopes = scopes.map { |s| "https://www.googleapis.com/auth/#{s}" }
+    end
+
+    def cmd_flag
+      "--service-account=#{name} --scopes=#{scopes.join(',')}" if cmd_flag_vars?(name, scopes)
+    end
+  end
+
+  # This class represents a GCP VM disk
+  class Disk
+    include Helper
+
+    attr_reader :project, :name, :size, :image_name
+
+    def initialize(project: nil, name: 'disk-1', image_name: '', size: 20, type: 'pd-standard')
+      @project = project
+      @name = name
+      @image_name = image_name
+      @size = size
+      @type = type
+    end
+
+    def cmd_flag
+      return unless cmd_flag_vars?(name, image, size, type)
+
+      '--create-disk=auto-delete=yes,boot=yes,' \
+      "device-name=#{name},image=#{image}," \
+      "mode=rw,size=#{size},type=#{type}"
+    end
+
+    def type
+      type_path(@type)
+    end
+
+    def image
+      @image ||= image_path(@image_name)
+    end
+
+    private
+
+    def image_path(image_str)
+      raise ArgumentError, 'image must be a non-empty string' unless image_str.is_a?(String) && !image_str.empty?
+
+      data = cmd.local_exec('compute images list', out_filter: "name ~ '#{image_str}$'").first
+      if data.nil? || data.empty?
+        data = cmd.local_exec('compute images list', out_filter: "family ~ '#{image_str}$'").first
+      end
+      raise "Image #{image_str} not found" unless data
+      raise "Image status invalid for image #{data['selfLink']}: #{data[status]}" unless data['status'] == 'READY'
+
+      data['selfLink'].split('v1/')[-1]
+    end
+
+    def type_path(type)
+      raise ArgumentError, 'type must be a non-empty string' unless type.is_a?(String) && !type.empty?
+
+      "projects/#{project.name}/zones/#{project.zone}/diskTypes/#{type}"
+    end
+  end
+
+  # This class represents a GCP VM network interface
+  class NetworkInterface
+    include Helper
+
+    attr_reader :tier, :subnetwork
+
+    def initialize(tier: 'STANDARD', subnetwork: 'default')
+      @tier = tier.upcase
+      @subnetwork = subnetwork
+    end
+
+    def cmd_flag
+      "--network-interface=network-tier=#{tier},subnet=#{subnetwork}" if cmd_flag_vars?(tier, subnetwork)
+    end
+  end
+
+  # This class represents GCP VM metadata
+  class Metadata
+    include Helper
+
+    def initialize(**data)
+      @data = data.transform_keys(&:to_s)
+    end
+
+    def data
+      format_data(@data)
+    end
+
+    def cmd_flag
+      return unless cmd_flag_vars?(data)
+
+      data_from_file = data.select { |k, _v| k == 'ssh-keys' }.map { |k, v| "#{k}=#{v}" }.join(',')
+      normalized_data = data.reject { |k, _v| k == 'ssh-keys' }.map { |k, v| "#{k}=#{v}" }.join(',')
+      cmd = []
+      cmd << "--metadata-from-file=#{data_from_file}" unless data_from_file.empty?
+      cmd << "--metadata=#{normalized_data}" unless normalized_data.empty?
+      cmd.join(' ')
+    end
+
+    private
+
+    def format_data(data)
+      default_data = { 'enable-oslogin' => 'TRUE' }
+      if data['ephemeral_ssh_key']
+        args = {
+          username: (data.dig('ephemeral_ssh_key', 'username') || cmd.user_name),
+        }
+        args[:lifetime] = data.dig('ephemeral_ssh_key', 'lifetime') if data.dig('ephemeral_ssh_key', 'lifetime')
+        args[:keydir] = data.dig('ephemeral_ssh_key', 'keydir') if data.dig('ephemeral_ssh_key', 'keydir')
+        priv_key_path, ssh_keys = ephemeral_ssh_key(**args)
+        default_data['priv_key_local_path'] = priv_key_path
+        default_data['ssh-keys'] = ssh_keys
+        data.delete('ephemeral_ssh_key')
+      end
+      default_data.merge(data)
+    end
+
+    def ephemeral_ssh_key(username: nil, lifetime: 2, keydir: '/tmp/acpt_ssh_keys')
+      raise ArgumentError, 'username must be a non-empty string' unless username.is_a?(String) && !username.empty?
+
+      keypath = File.join(keydir, SecureRandom.hex(10))
+      Dir.mkdir(keydir) unless Dir.exist?(keydir)
+      lifetime_in_seconds = (lifetime.to_i * 60 * 60)
+      iso8601_expiration = (Time.now.utc + lifetime_in_seconds).strftime('%Y-%m-%dT%H:%M:%S%z')
+      keygen_cmd = [
+        'ssh-keygen',
+        '-t ecdsa',
+        '-b 521',
+        "-C 'google-ssh {\"userName\":\"#{username}\",\"expireOn\":\"#{iso8601_expiration}\"}'",
+        "-f #{keypath}",
+        '-N ""',
+        '-q',
+      ].join(' ')
+      _, stderr, status = Open3.capture3(keygen_cmd)
+      raise stderr unless status.success?
+
+      File.write("#{keypath}.pub", "#{username}:#{File.read("#{keypath}.pub")}")
+      [keypath, "#{keypath}.pub"]
+    rescue StandardError => e
+      raise "Failed to generate ephemeral SSH key: #{e} #{e.backtrace}"
+    end
+  end
+
+  # This class represents a GCP VM. It is composed of various component classes.
+  class VM
+    include Helper
+    include CemAcpt::Logging
+
+    attr_accessor :name, :project, :service_account, :disk, :network_interface, :machine_type, :metadata
+    attr_reader :cmd
+
+    def initialize(name, components: {})
+      @name = name
+      @components = components
+      @machine_type = components[:machine_type]
+      @cmd = CemAcpt::Platform::Gcp::Cmd.new(
+        project: components[:project][:name],
+        zone: components[:project][:zone],
+        out_format: 'json',
+        local_port: components[:local_port],
+      )
+      @configured = false
+    end
+
+    def configure!
+      return @configured if @configured
+
+      @project = Project.new(**@components[:project])
+      @project.add_cmd(@cmd)
+      @service_account = @components.key?(:service_account) ? ServiceAccount.new(**@components[:service_account]) : nil
+      @disk = Disk.new(project: @project, **@components[:disk])
+      @disk.add_cmd(@cmd)
+      @network_interface = NetworkInterface.new(**@components[:network_interface])
+      @machine_type = @components[:machine_type]
+      @metadata = Metadata.new(**@components[:metadata])
+      @metadata.add_cmd(@cmd)
+      @configured = true
+    end
+
+    def info
+      describe_cmd = "compute instances describe #{name}"
+      logger.debug("Gathering info for VM #{name} with gcloud command: #{describe_cmd}")
+      data = @cmd.local_exec(describe_cmd, out_format: 'json')
+      opts = @cmd.ssh_opts(instance_name: name)
+      {
+        node_data: data,
+        transport: :ssh,
+        ssh_opts: opts,
+      }
+    end
+
+    def create
+      # Add the test ssh key to os-login
+      logger.debug("Adding test SSH key to os-login for #{name}")
+      @cmd.local_exec("compute os-login ssh-keys add --key-file #{@cmd.ssh_key}.pub --project #{project.name} --ttl 4h")
+      @cmd.local_exec(create_cmd)
+    rescue StandardError => e
+      raise "Failed to create VM #{name} with command #{create_cmd}: #{e}"
+    end
+
+    def ready?
+      logger.debug("Checking if VM #{name} is ready")
+      instance_status = @cmd.local_exec('compute instances list', out_filter: "NAME = #{name}").first['status']
+      logger.debug("Instance #{name} status: #{instance_status}")
+      return false unless instance_status == 'RUNNING'
+
+      logger.debug("Checking instance #{name} SSH connectivity")
+      @cmd.ssh_ready?(name)
+    rescue StandardError, Exception
+      false
+    end
+
+    def destroy
+      @cmd.delete_instance(name)
+    end
+
+    def install_puppet_module_package(module_pkg_path, remote_path, puppet_path)
+      @cmd.scp_upload(@name, module_pkg_path, remote_path)
+      logger.info("Uploaded module package #{module_pkg_path} to #{remote_path} on #{@name}")
+      @cmd.ssh(@name, "sudo #{puppet_path} module install #{remote_path}")
+      logger.info("Installed module package #{remote_path} on #{@name}")
+    end
+
+    private
+
+    # Determines whether the given instance name is a fully qualified
+    # hostname or not.
+    def hostname?(instance_name)
+      instance_name.include?('.')
+    end
+
+    # Validates a GCP instance name.
+    def validate_instance_name(instance_name)
+      if instance_name.nil? || !instance_name.is_a?(String) || instance_name.empty?
+        raise ArgumentError, 'Instance name must be a non-empty string'
+      end
+      raise ArgumentError, 'Instance name must be less than 253 characters' if instance_name.length > 253
+
+      return true unless hostname?(instance_name)
+
+      labels = instance_name.split('.')
+      labels.each do |label|
+        unless label.match?(%r{^[a-z]([-a-z0-9]*[a-z0-9])?$})
+          raise ArgumentError, "Instance name portion #{label} contains invalid characters"
+        end
+        raise ArgumentError, "Instance name portion #{label} is too long" if label.length > 63
+      end
+      true
+    end
+
+    def create_cmd
+      validate_instance_name(name)
+      if hostname?(name)
+        instance_name = name.split('.')[0]
+        hostname = name
+      else
+        instance_name = name
+        hostname = nil
+      end
+
+      cmd = [
+        'compute',
+        'instances',
+        'create',
+        instance_name,
+        '--async',
+        "--machine-type=#{machine_type}",
+        '--maintenance-policy=MIGRATE',
+        '--no-shielded-secure-boot',
+        '--shielded-vtpm',
+        '--shielded-integrity-monitoring',
+        '--reservation-affinity=any',
+        '--tags=acpt-test-node',
+      ]
+      [disk&.cmd_flag, network_interface&.cmd_flag, metadata&.cmd_flag, service_account&.cmd_flag].each do |flag|
+        cmd << flag unless flag.nil?
+      end
+      cmd << "--hostname=#{hostname}" unless hostname.nil?
+      cmd.join(' ')
+    end
+  end
+end