chef-provisioning-aws 1.6.1 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 62665ba3e28e4e1a98db8822ca277579ae6e3453
-  data.tar.gz: 20e6faf05a83817c47dccb6d8229d23c006ed25a
+  metadata.gz: 1484fb7faef2c0ce2abadef678b520d88219f7de
+  data.tar.gz: c7f948fc458daa4f0ba1ba2294f17bf9e368133b
 SHA512:
-  metadata.gz: fa274c48c2ec46e0ce297eb55294e7ade6887e461853f7686f3e1dd925310a4b3957d841e65a66a7ed0d0e8bbcedf4ebf249a6442bb0c217fd7d79b660d83391
-  data.tar.gz: 3c9e658df95add6289bc049ffbd46e652f68ba489c541f1b13aa0106d44fa3b56f63ad957b435b658362e058c9227fddd49653b2075d6f82b957e094f83c2ae4
+  metadata.gz: 397a01589702e2d9439a7209dbaaaf3548ca9d5cc7707fd2b2ed05a69dc5f0a9c43fc0524559e4c288e5d76e8180ff6696810fd0e22d9b3c44c80418110d3e9e
+  data.tar.gz: 090afbab837aadcf3c502cbc96ec633069cc6685aa67a1c56ae2fc93cc9ace1e8ca725c8735fd7304e9bb991bc887c9d5ab1aced3c869152df4f211ce65508de

data/README.md

@@ -187,10 +187,47 @@ load_balancer "my_elb" do
 
 The available parameters for `load_balancer_options` can be viewed in the [aws docs](http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/ELB/Client.html#create_load_balancer-instance_method).
 
+If you wish to enable sticky sessions, pass a `sticky_sessions` key to the
+`load_balancer_options` and specify a cookie name and the ports that should be
+sticky. In the above example, it would look like this:
+
+```ruby
+machine 'test1'
+m2 = machine 'test2'
+load_balancer "my_elb" do
+  machines ['test1', m2]
+  load_balancer_options({
+    subnets: subnets,
+    security_groups: [load_balancer_sg],
+    listeners: [
+      {
+          instance_port: 8080,
+          protocol: 'HTTP',
+          instance_protocol: 'HTTP',
+          port: 80
+      },
+      {
+          instance_port: 8080,
+          protocol: 'HTTPS',
+          instance_protocol: 'HTTP',
+          port: 443,
+          ssl_certificate_id: "arn:aws:iam::360965486607:server-certificate/cloudfront/foreflight-2015-07-09"
+      }
+    ],
+    sticky_sessions: {
+      cookie_name: 'my-app-cookie',
+      ports: [80, 443]
+    }
+  })
+```
+
 NOTES:
 
 1. You can specify either `ssl_certificate_id` or `server_certificate` in a listener but the value to both parameters should be the ARN of an existing IAM::ServerCertificate object.
 
+2. The `sticky_sessions` option currently only supports Application-Controlled
+   Session Stickiness.
+
 # RDS Instance Options
 
 ### Additional Options

data/Rakefile

@@ -4,8 +4,6 @@ require 'rspec/core/rake_task'
 
 task :default => :spec
 
-ENV['AWS_TEST_DRIVER'] ||= "aws"
-
 desc "run all non-integration specs"
 RSpec::Core::RakeTask.new(:spec) do |spec|
   spec.pattern = 'spec/**/*_spec.rb'
@@ -39,9 +37,14 @@ end
 
 desc "travis specific task - runs CI integration tests (regular and super_slow in parallel) and sets up travis specific ENV variables"
 task :travis, [:sub_task] do |t, args|
-  pattern = "load_balancer_spec.rb,machine_spec.rb,aws_iam_instance_profile_spec.rb,aws_security_group_spec.rb" # This is a comma seperated list
-  pattern = pattern.split(",").map {|p| "spec/integration/**/*#{p}"}.join(",")
-  Rake::Task[args[:sub_task]].invoke(pattern)
+  sub_task = args[:sub_task]
+  if sub_task == "super_slow"
+    pattern = "load_balancer_spec.rb,aws_route_table_spec.rb,machine_spec.rb,aws_eip_address_spec.rb" # This is a comma seperated list
+    pattern = pattern.split(",").map {|p| "spec/integration/**/*#{p}"}.join(",")
+  else
+    pattern = 'spec/integration/**/*_spec.rb'
+  end
+  Rake::Task[sub_task].invoke(pattern)
 end
 
 desc "travis task for machine_image tests - these take so long to run that we only run the first test"

data/chef-provisioning-aws.gemspec

@@ -15,9 +15,9 @@ Gem::Specification.new do |s|
   s.add_dependency 'chef-provisioning', '~> 1.4'
 
   s.add_dependency 'aws-sdk-v1', '>= 1.59.0'
-  s.add_dependency 'aws-sdk', '~> 2.1'
-  s.add_dependency 'retryable', '~> 2.0.1'
-  s.add_dependency 'ubuntu_ami', '~> 0.4.1'
+  s.add_dependency 'aws-sdk', ['>= 2.1.26', '< 3.0']
+  s.add_dependency 'retryable', '~> 2.0', '>= 2.0.1'
+  s.add_dependency 'ubuntu_ami', '~> 0.4', '>= 0.4.1'
 
   # chef-zero is only a development dependency because we leverage its RSpec support
   s.add_development_dependency 'chef-zero', '~> 4.2'

data/lib/chef/provider/aws_cloudsearch_domain.rb

@@ -2,7 +2,7 @@ require 'chef/provisioning/aws_driver/aws_provider'
 
 class Chef::Provider::AwsCloudsearchDomain < Chef::Provisioning::AWSDriver::AWSProvider
   provides :aws_cloudsearch_domain
-  
+
   def create_aws_object
     domain = nil # define here to ensure it is available outside of the coverge_by scope
     converge_by "create CloudSearch domain #{new_resource.name}" do
@@ -127,8 +127,10 @@ class Chef::Provider::AwsCloudsearchDomain < Chef::Provisioning::AWSDriver::AWSP
   end
 
   def create_index_fields
-    new_resource.index_fields.each do |field|
-      create_index_field(field)
+    unless new_resource.index_fields.nil?
+      new_resource.index_fields.each do |field|
+        create_index_field(field)
+      end
     end
   end
 

data/lib/chef/provider/aws_elasticsearch_domain.rb

@@ -0,0 +1,131 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+require 'chef/provisioning/aws_driver/tagging_strategy/elasticsearch'
+
+class Chef::Provider::AwsElasticsearchDomain < Chef::Provisioning::AWSDriver::AWSProvider
+  provides :aws_elasticsearch_domain
+
+  def create_aws_object
+    converge_by "create Elasticsearch domain #{new_resource.domain_name}" do
+      es_client.create_elasticsearch_domain(update_payload)
+    end
+  end
+
+  def destroy_aws_object(domain)
+    converge_by "destroy Elasticsearch domain #{new_resource.domain_name}" do
+      es_client.delete_elasticsearch_domain({domain_name: new_resource.domain_name})
+    end
+  end
+
+  def update_aws_object(domain)
+    updates = required_updates(domain)
+    if ! updates.empty?
+      converge_by updates do
+        es_client.update_elasticsearch_domain_config(update_payload)
+      end
+    end
+  end
+
+  def aws_tagger
+    @aws_tagger ||= begin
+                      strategy = Chef::Provisioning::AWSDriver::TaggingStrategy::Elasticsearch.new(
+                        es_client,
+                        new_resource.aws_object.arn,
+                        new_resource.aws_tags)
+                      Chef::Provisioning::AWSDriver::AWSTagger.new(strategy, action_handler)
+                    end
+  end
+
+  def converge_tags
+    aws_tagger.converge_tags
+  end
+
+  private
+
+  def required_updates(object)
+    ret = []
+    ret << "   update cluster configuration" if cluster_options_changed?(object)
+    ret << "   update ebs options" if ebs_options_changed?(object)
+    ret << "   update snapshot options" if snapshot_options_changed?(object)
+    ret << "   update access policy" if access_policy_changed?(object)
+    ret.unshift("update Elasticsearch domain #{new_resource.name}") unless ret.empty?
+    ret
+  end
+
+  def update_payload
+    payload = {domain_name: new_resource.domain_name}
+    payload.merge!(ebs_options) if ebs_options_present?
+    payload.merge!(cluster_options) if cluster_options_present?
+    payload.merge!(snapshot_options) if snapshot_options_present?
+    payload[:access_policies] = new_resource.access_policies if new_resource.access_policies
+    payload
+  end
+
+  EBS_OPTIONS = %i(ebs_enabled volume_type volume_size iops)
+  def ebs_options
+    opts = EBS_OPTIONS.inject({}) do |accum, i|
+      new_resource.send(i).nil? ? accum : accum.merge({i => new_resource.send(i)})
+    end
+    {ebs_options: opts}
+  end
+
+  def ebs_options_present?
+    EBS_OPTIONS.any? {|i| !new_resource.send(i).nil? }
+  end
+
+  def ebs_options_changed?(object)
+    changed?(ebs_options[:ebs_options], object.ebs_options)
+  end
+
+  CLUSTER_OPTIONS = %i(instance_type instance_count dedicated_master_enabled
+                       dedicated_master_type dedicated_master_count zone_awareness_enabled)
+
+  def cluster_options
+    opts = CLUSTER_OPTIONS.inject({}) do |accum, i|
+      new_resource.send(i).nil? ? accum : accum.merge({i => new_resource.send(i)})
+    end
+    {elasticsearch_cluster_config: opts}
+  end
+
+  def cluster_options_present?
+    CLUSTER_OPTIONS.any? {|i| !new_resource.send(i).nil? }
+  end
+
+  def cluster_options_changed?(object)
+    changed?(cluster_options[:elasticsearch_cluster_config], object.elasticsearch_cluster_config)
+  end
+
+  def snapshot_options
+    if !new_resource.automated_snapshot_start_hour.nil?
+      {snapshot_options: { automated_snapshot_start_hour: new_resource.automated_snapshot_start_hour }}
+    else
+      {}
+    end
+  end
+
+  def snapshot_options_present?
+    ! new_resource.automated_snapshot_start_hour.nil?
+  end
+
+  def snapshot_options_changed?(object)
+    changed?(snapshot_options[:snapshot_options] || {}, object.snapshot_options)
+  end
+
+  def access_policy_changed?(object)
+    if new_resource.access_policies
+      Chef::JSONCompat.parse(object.access_policies) != Chef::JSONCompat.parse(new_resource.access_policies)
+    else
+      false
+    end
+  end
+
+  def changed?(desired, actual)
+    desired.each do |key, value|
+      return true if actual[key] != value
+    end
+    false
+  end
+
+  def es_client
+    @es_client ||= new_resource.driver.elasticsearch_client
+  end
+end

data/lib/chef/provider/aws_key_pair.rb

@@ -5,7 +5,7 @@ require 'aws-sdk-v1'
 
 class Chef::Provider::AwsKeyPair < Chef::Provisioning::AWSDriver::AWSProvider
   provides :aws_key_pair
-  
+
   action :create do
     create_key(:create)
   end
@@ -171,7 +171,7 @@ class Chef::Provider::AwsKeyPair < Chef::Provisioning::AWSDriver::AWSProvider
     if current_key_pair
       @current_fingerprint = current_key_pair.fingerprint
     else
-      current_resource.action :destroy
+      current_resource.action [:destroy]
     end
 
     if new_private_key_path && ::File.exist?(new_private_key_path)

data/lib/chef/provider/aws_rds_instance.rb

@@ -26,7 +26,7 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
 
   def create_aws_object
     converge_by "create RDS instance #{new_resource.db_instance_identifier} in #{region}" do
-      new_resource.driver.rds.client.create_db_instance(options_hash)
+      new_resource.driver.rds_resource.create_db_instance(options_hash)
     end
   end
 
@@ -38,12 +38,14 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
     converge_by "waited until RDS instance #{new_resource.name} was deleted" do
       wait_for(
         aws_object: instance,
-        query_method: :exists?,
-        expected_responses: [false],
-        acceptable_errors: [AWS::RDS::Errors::DBInstanceNotFound],
+        # http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Status.html
+        # It cannot _actually_ return a deleted status, we're just looking for the error
+        query_method: :db_instance_status,
+        expected_responses: ['deleted'],
+        acceptable_errors: [::Aws::RDS::Errors::DBInstanceNotFound],
         tries: 60,
         sleep: 10
-      )
+      ) { |instance| instance.reload }
     end
   end
 

data/lib/chef/provider/aws_rds_subnet_group.rb

@@ -12,14 +12,14 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
     end
   end
 
-  def destroy_aws_object(object)
+  def destroy_aws_object(subnet_group)
     converge_by "delete RDS subnet group #{new_resource.name} in #{region}" do
       driver.delete_db_subnet_group(db_subnet_group_name: new_resource.name)
     end
   end
 
-  def update_aws_object(object)
-    updates = required_updates(object)
+  def update_aws_object(subnet_group)
+    updates = required_updates(subnet_group)
     if ! updates.empty?
       converge_by updates do
         driver.modify_db_subnet_group(desired_options)
@@ -37,18 +37,18 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
     end
   end
 
-  # Given an existing object, return an array of update descriptions
+  # Given an existing subnet group, return an array of update descriptions
   # representing the updates that need to be made.
   #
   # If no updates are needed, an empty array is returned.
   #
-  def required_updates(object)
+  def required_updates(subnet_group)
     ret = []
-    if desired_options[:db_subnet_group_description] != object[:db_subnet_group_description]
+    if desired_options[:db_subnet_group_description] != subnet_group[:db_subnet_group_description]
       ret << "  set group description to #{desired_options[:db_subnet_group_description]}"
     end
 
-    if ! xor_array(desired_options[:subnet_ids], subnet_ids(object[:subnets])).empty?
+    if ! xor_array(desired_options[:subnet_ids], subnet_ids(subnet_group[:subnets])).empty?
       ret << "  set subnets to #{desired_options[:subnet_ids]}"
     end
 

data/lib/chef/provider/aws_route_table.rb

@@ -87,7 +87,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
         current_route = current_routes.delete(destination_cidr_block)
         current_target = current_route.gateway_id || current_route.instance_id || current_route.network_interface_id || current_route.vpc_peering_connection_id
         if current_target != target
-          action_handler.perform_action "reroute #{destination_cidr_block} to #{route_target} (#{target}) instead of #{current_route.target}" do
+          action_handler.perform_action "reroute #{destination_cidr_block} to #{route_target} (#{target}) instead of #{current_target}" do
             current_route.replace(options)
           end
         end
@@ -144,6 +144,8 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
       route_target = { network_interface: route_target }
     when /^pcx-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsVpcPeeringConnection, ::Aws::EC2::VpcPeeringConnection
       route_target = { vpc_peering_connection: route_target }
+    when /^vgw-[A-Fa-f0-9]{8}$/
+      route_target = { virtual_private_gateway: route_target }
     when String, Chef::Resource::AwsInstance
       route_target = { instance: route_target }
     when Chef::Resource::Machine
@@ -169,6 +171,8 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
         updated_route_target[:gateway_id] = Chef::Resource::AwsInternetGateway.get_aws_object_id(value, resource: new_resource)
       when :vpc_peering_connection
         updated_route_target[:vpc_peering_connection_id] = Chef::Resource::AwsVpcPeeringConnection.get_aws_object_id(value, resource: new_resource)
+      when :virtual_private_gateway
+        updated_route_target[:gateway_id] = value
       end
     end
     updated_route_target

data/lib/chef/provider/aws_server_certificate.rb

@@ -9,12 +9,13 @@ class Chef::Provider::AwsServerCertificate < Chef::Provisioning::AWSDriver::AWSP
 
   def create_aws_object
     converge_by "create server certificate #{new_resource.name}" do
-      new_resource.driver.iam.server_certificates.upload(
+      opts = {
         :name => new_resource.name,
         :certificate_body => new_resource.certificate_body,
-        :certificate_chain => new_resource.certificate_chain,
         :private_key => new_resource.private_key
-      )
+      }
+      opts[:certificate_chain] = new_resource.certificate_chain if new_resource.certificate_chain
+      new_resource.driver.iam.server_certificates.upload(**opts)
     end
   end
 

data/lib/chef/provisioning/aws_driver.rb

@@ -9,6 +9,7 @@ require "chef/resource/aws_cloudsearch_domain"
 require "chef/resource/aws_dhcp_options"
 require "chef/resource/aws_ebs_volume"
 require "chef/resource/aws_eip_address"
+require "chef/resource/aws_elasticsearch_domain"
 require "chef/resource/aws_iam_role"
 require "chef/resource/aws_iam_instance_profile"
 require "chef/resource/aws_image"

data/lib/chef/provisioning/aws_driver/aws_provider.rb

@@ -270,8 +270,9 @@ class AWSProvider < Chef::Provider::LWRPBase
 
     Retryable.retryable(:tries => tries, :sleep => sleep) do |retries, exception|
       action_handler.report_progress "waited #{retries*sleep}/#{tries*sleep}s for <#{aws_object.class}:#{aws_object.id}>##{query_method} state to change to #{expected_responses.inspect}..."
-      Chef::Log.debug("Current exception in wait_for is #{exception.inspect}")
+      Chef::Log.debug("Current exception in wait_for is #{exception.inspect}") if exception
       begin
+        yield(aws_object) if block_given?
         current_response = aws_object.send(query_method)
         Chef::Log.debug("Current response in wait_for from [#{query_method}] is #{current_response}")
         unless expected_responses.include?(current_response)

data/lib/chef/provisioning/aws_driver/driver.rb

@@ -33,7 +33,9 @@ AWS_V2_SERVICES = {
   "Route53" => "route53",
   "S3" => "s3",
   "ElasticLoadBalancing" => "elb",
+  "ElasticsearchService" => "elasticsearch",
   "IAM" => "iam",
+  "RDS" => "rds",
 }
 Aws.eager_autoload!(:services => AWS_V2_SERVICES.keys)
 
@@ -160,11 +162,12 @@ module AWSDriver
     def allocate_load_balancer(action_handler, lb_spec, lb_options, machine_specs)
       lb_options = (lb_options || {}).to_h
       lb_options = AWSResource.lookup_options(lb_options, managed_entry_store: lb_spec.managed_entry_store, driver: self)
-      # We delete the attributes and a health check here because they are not valid in the create call
+      # We delete the attributes, tags, health check, and sticky sessions here because they are not valid in the create call
       # and must be applied afterward
       lb_attributes = lb_options.delete(:attributes)
       lb_aws_tags = lb_options.delete(:aws_tags)
       health_check  = lb_options.delete(:health_check)
+      sticky_sessions = lb_options.delete(:sticky_sessions)
 
       old_elb = nil
       actual_elb = load_balancer_for(lb_spec)
@@ -390,6 +393,61 @@ module AWSDriver
         end
       end
 
+      # Update the load balancer sticky sessions
+      if sticky_sessions
+        policy_name = "#{actual_elb.name}-sticky-session-policy"
+        policies = elb.client.describe_load_balancer_policies(load_balancer_name: actual_elb.name)
+
+        existing_cookie_policy = policies[:policy_descriptions].detect { |pd| pd[:policy_type_name] == 'AppCookieStickinessPolicyType' && pd[:policy_name] == policy_name}
+        existing_cookie_name = existing_cookie_policy ? (existing_cookie_policy[:policy_attribute_descriptions].detect { |pad| pad[:attribute_name] == 'CookieName' })[:attribute_value] : nil
+        desired_cookie_name = sticky_sessions[:cookie_name]
+
+        # Create or update the policy to have the desired cookie_name
+        if existing_cookie_policy.nil?
+          perform_action.call("  creating sticky sessions with cookie_name #{desired_cookie_name}") do
+            elb.client.create_app_cookie_stickiness_policy(
+              load_balancer_name: actual_elb.name,
+              policy_name: policy_name,
+              cookie_name: desired_cookie_name
+            )
+          end
+        elsif existing_cookie_name && existing_cookie_name != desired_cookie_name
+          perform_action.call("  updating sticky sessions from cookie_name #{existing_cookie_name} to cookie_name #{desired_cookie_name}") do
+            elb.client.delete_load_balancer_policy(
+              load_balancer_name: actual_elb.name,
+              policy_name: policy_name
+            )
+            elb.client.create_app_cookie_stickiness_policy(
+              load_balancer_name: actual_elb.name,
+              policy_name: policy_name,
+              cookie_name: desired_cookie_name
+            )
+          end
+        end
+
+        # Ensure the policy is attached to the appropriate listener
+        elb_description = elb.client.describe_load_balancers(load_balancer_names: [actual_elb.name])[:load_balancer_descriptions].first
+        listeners = elb_description[:listener_descriptions]
+
+        sticky_sessions[:ports].each do |ss_port|
+          listener = listeners.detect { |ld| ld[:listener][:load_balancer_port] == ss_port }
+
+          unless listener.nil?
+            policy_names = listener[:policy_names]
+
+            unless policy_names.include?(policy_name)
+              policy_names << policy_name
+
+              elb.client.set_load_balancer_policies_of_listener(
+                load_balancer_name: actual_elb.name,
+                load_balancer_port: ss_port,
+                policy_names: policy_names
+              )
+            end
+          end
+        end
+      end
+
       # Update instance list, but only if there are machines specified
       if machine_specs
         assigned_instance_ids = actual_elb.instances.map { |i| i.instance_id }
@@ -521,6 +579,8 @@ module AWSDriver
         aws_image image_spec.name do
           action :destroy
           driver d
+          chef_server image_spec.managed_entry_store.chef_server
+          managed_entry_store image_spec.managed_entry_store
         end
       end
     end
@@ -597,7 +657,7 @@ EOD
           end
         }
       end
-      wait_for_transport(action_handler, machine_spec, machine_options)
+      wait_for_transport(action_handler, machine_spec, machine_options, instance)
       machine_for(machine_spec, machine_options, instance)
     end
 
@@ -630,6 +690,8 @@ EOD
         aws_instance machine_spec.name do
           action :destroy
           driver d
+          chef_server machine_spec.managed_entry_store.chef_server
+          managed_entry_store machine_spec.managed_entry_store
         end
       end
 
@@ -1041,70 +1103,77 @@ EOD
 
     def wait_until_ready_image(action_handler, image_spec, image=nil)
       wait_until_image(action_handler, image_spec, image) { image.state == :available }
+      action_handler.report_progress "Image #{image_spec.name} is now ready"
     end
 
     def wait_until_image(action_handler, image_spec, image=nil, &block)
       image ||= image_for(image_spec)
-      time_elapsed = 0
       sleep_time = 10
-      max_wait_time = Chef::Config.chef_provisioning[:image_max_wait_time] || 300
-      if !yield(image)
-        action_handler.report_progress "waiting for #{image_spec.name} (#{image.id} on #{driver_url}) to be ready ..."
-        while time_elapsed < max_wait_time && !yield(image)
-          action_handler.report_progress "been waiting #{time_elapsed}/#{max_wait_time} -- sleeping #{sleep_time} seconds for #{image_spec.name} (#{image.id} on #{driver_url}) to be ready ..."
-          sleep(sleep_time)
-          time_elapsed += sleep_time
-        end
-        unless yield(image)
-          raise "Image #{image.id} did not become ready within #{max_wait_time} seconds"
+      unless yield(image)
+        if action_handler.should_perform_actions
+          action_handler.report_progress "waiting for #{image_spec.name} (#{image.id} on #{driver_url}) to be ready ..."
+          max_wait_time = Chef::Config.chef_provisioning[:image_max_wait_time] || 300
+          Retryable.retryable(
+            :tries => (max_wait_time/sleep_time).to_i,
+            :sleep => sleep_time,
+            :matching => /did not become ready within/
+          ) do |retries, exception|
+            action_handler.report_progress "been waiting #{retries*sleep_time}/#{max_wait_time} -- sleeping #{sleep_time} seconds for #{image_spec.name} (#{image.id} on #{driver_url}) to become ready ..."
+            unless yield(image)
+              raise "Image #{image.id} did not become ready within #{max_wait_time} seconds"
+            end
+          end
         end
-        action_handler.report_progress "Image #{image_spec.name} is now ready"
       end
     end
 
     def wait_until_instance_running(action_handler, machine_spec, instance=nil)
-      wait_until_machine(action_handler, machine_spec, "be ready", instance) { |instance|
+      wait_until_machine(action_handler, machine_spec, "become ready", instance) { |instance|
         instance.state.name == "running"
       }
     end
 
     def wait_until_machine(action_handler, machine_spec, output_msg, instance=nil, &block)
       instance ||= instance_for(machine_spec)
-      max_attempts = ((Chef::Config.chef_provisioning[:machine_max_wait_time] || 120) / 10).floor
-      delay = 10
-      log_progress = Proc.new do |attempts, response|
-        action_handler.report_progress "been waiting #{delay*attempts}/#{delay*max_attempts} -- sleeping #{delay} seconds for #{machine_spec.name} (#{instance.id} on #{driver_url}) to #{output_msg} ..."
-      end
-      if action_handler.should_perform_actions
-        no_wait = yield(instance)
-        unless no_wait
+      sleep_time = 10
+      unless yield(instance)
+        if action_handler.should_perform_actions
           action_handler.report_progress "waiting for #{machine_spec.name} (#{instance.id} on #{driver_url}) to #{output_msg} ..."
-          instance.wait_until(:max_attempts => max_attempts, :delay => delay, before_wait: log_progress) do |instance|
-            yield(instance)
+          max_wait_time = Chef::Config.chef_provisioning[:machine_max_wait_time] || 120
+          Retryable.retryable(
+            :tries => (max_wait_time/sleep_time).to_i,
+            :sleep => sleep_time,
+            :matching => /did not #{output_msg} within/
+          ) do |retries, exception|
+            action_handler.report_progress "been waiting #{sleep_time*retries}/#{max_wait_time} -- sleeping #{sleep_time} seconds for #{machine_spec.name} (#{instance.id} on #{driver_url}) to #{output_msg} ..."
+            # We have to manually reload the instance each loop, otherwise data is stale
+            instance.reload
+            unless yield(instance)
+              raise "Instance #{machine_spec.name} (#{instance.id} on #{driver_url}) did not #{output_msg} within #{max_wait_time} seconds"
+            end
           end
         end
       end
-      # We need an instance.reload here because the `wait_until` does not reload the instance it is called on,
-      # only the instance that is passed to the block
-      instance.reload
     end
 
-    def wait_for_transport(action_handler, machine_spec, machine_options)
-      instance = instance_for(machine_spec)
-      time_elapsed = 0
+    def wait_for_transport(action_handler, machine_spec, machine_options, instance=nil)
+      instance ||= instance_for(machine_spec)
       sleep_time = 10
-      max_wait_time = Chef::Config.chef_provisioning[:machine_max_wait_time] || 120
       transport = transport_for(machine_spec, machine_options, instance)
       unless transport.available?
         if action_handler.should_perform_actions
           action_handler.report_progress "waiting for #{machine_spec.name} (#{instance.id} on #{driver_url}) to be connectable (transport up and running) ..."
-          while time_elapsed < max_wait_time && !transport.available?
-            action_handler.report_progress "been waiting #{time_elapsed}/#{max_wait_time} -- sleeping #{sleep_time} seconds for #{machine_spec.name} (#{instance.id} on #{driver_url}) to be connectable ..."
-            sleep(sleep_time)
-            time_elapsed += sleep_time
+          max_wait_time = Chef::Config.chef_provisioning[:machine_max_wait_time] || 120
+          Retryable.retryable(
+            :tries => (max_wait_time/sleep_time).to_i,
+            :sleep => sleep_time,
+            :matching => /did not become connectable within/
+          ) do |retries, exception|
+            action_handler.report_progress "been waiting #{sleep_time*retries}/#{max_wait_time} -- sleeping #{sleep_time} seconds for #{machine_spec.name} (#{instance.id} on #{driver_url}) to become connectable ..."
+            unless transport.available?
+              raise "Instance #{machine_spec.name} (#{instance.id} on #{driver_url}) did not become connectable within #{max_wait_time} seconds"
+            end
           end
-
-          action_handler.report_progress "#{machine_spec.name} is now connectable"
         end
       end
     end
@@ -1125,6 +1194,8 @@ EOD
         Provisioning.inline_resource(action_handler) do
           aws_key_pair default_key_name do
             driver driver
+            chef_server machine_spec.managed_entry_store.chef_server
+            managed_entry_store machine_spec.managed_entry_store
             allow_overwrite true
           end
         end