cloudstrap 0.29.1.pre

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 79075784a2e532fa8f708f83ab14d4d2d4f7f262
+  data.tar.gz: a36f02ccc53bbba3cd7c6985c9dc778a016ebcbf
+SHA512:
+  metadata.gz: db973e404ee5707cbcb8b5af935815b8aca99df65a77b9f908f362c39cd2a4aa7e389e82227f62321305df04dcdb1f56d93fa2bdcd4be83c7921e3be7fbf925e
+  data.tar.gz: 68112e361736d5a9912f3638a4706547a1d23c4eb9108a96b7bd8ace7b438a699741ea8f8b04f0edfdd92c3083f4a1108870f711ccaa06f442e6b265bdc05bc3

data/.gitignore

@@ -0,0 +1,55 @@
+
+# Created by https://www.gitignore.io/api/ruby
+
+### Ruby ###
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+.cache/**

data/LICENSE.txt

@@ -0,0 +1,21 @@
+
+The MIT License (MIT)
+Copyright © 2016 Chris Olstrom <chris@olstrom.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the “Software”), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.org

@@ -0,0 +1,114 @@
+#+TITLE: Cloudstrap
+#+SUBTITLE: Strapping Boots to Clouds
+#+LATEX: \pagebreak
+
+* Overview
+
+=cloudstrap= straps your boots to the cloud. Think of it as sort of a
+meta-bootstrap tool. It handles pre-bootstrapping, primarily. Once complete, you
+should have an environment suitable for launching your bootstrapper.
+
+* Why does this exist?
+
+To simplify deployment by replacing manual process with glorious automation.
+
+* Installation
+
+#+BEGIN_SRC shell
+  gem install --pre cloudstrap
+#+END_SRC
+
+* Usage
+
+Simply run the automated bootstrap tool. You can configure it via ENV or =config.yaml=
+
+#+BEGIN_SRC shell
+ env BOOTSTRAP_WITHOUT_HUMAN_OVERSIGHT=true cloudstrap
+#+END_SRC
+
+The output describes the results, and all settings used in the process.
+
+#+BEGIN_EXAMPLE
+  # Cloudstrap v0.28.0.pre
+
+  # General Configuration
+  #   These settings can be configured via ENV or config.yaml
+
+  BOOTSTRAP_REGION=us-west-2
+  BOOTSTRAP_CACHE_PATH=/Users/colstrom/cloudstrap/.cache
+  BOOTSTRAP_VPC_CIDR_BLOCK=10.0.0.0/16
+  BOOTSTRAP_PUBLIC_CIDR_BLOCK=10.0.0.0/24
+  BOOTSTRAP_PRIVATE_CIDR_BLOCK=10.0.1.0/24
+  BOOTSTRAP_AMI_OWNER=099720109477
+  BOOTSTRAP_UBUNTU_RELEASE=14.04
+  BOOTSTRAP_INSTANCE_TYPE=t2.micro
+  BOOTSTRAP_SSH_DIR=/Users/colstrom/cloudstrap/.ssh
+  BOOTSTRAP_SSH_USERNAME=ubuntu
+  BOOTSTRAP_HDP_DIR=/Users/colstrom/cloudstrap
+
+  # Cached Configuration
+  #   These settings can be overridden via ENV only
+
+  BOOTSTRAP_USERNAME=colstrom
+  BOOTSTRAP_UUID=97cb1464-cf44-479e-be47-9a212131ad4c
+  BOOTSTRAP_TAG=lkg@colstrom/97cb1464-cf44-479e-be47-9a212131ad4c
+  BOOTSTRAP_AMI=ami-70b67d10
+  BOOTSTRAP_VPC_ID=vpc-0e93a16a
+  BOOTSTRAP_INTERNET_GATEWAY_ID=igw-942af8f0
+  BOOTSTRAP_JUMPBOX_SECURITY_GROUP=sg-43f9183a
+  BOOTSTRAP_PRIVATE_SUBNET_ID=subnet-b7047dc1
+  BOOTSTRAP_PUBLIC_SUBNET_ID=subnet-9c1c65ea
+  BOOTSTRAP_ROUTE_TABLE_ID=rtb-9d28dcfa
+  BOOTSTRAP_AVAILABILITY_ZONE=us-west-2b
+  BOOTSTRAP_JUMPBOX_ID=i-051c248563a2c3f54
+  BOOTSTRAP.JUMPBOX_IP=52.89.237.123
+  BOOTSTRAP_WITHOUT_HUMAN_OVERSIGHT=true
+
+  # Additional Information
+  #   These do not need configuration, and are presented as a debugging checklist
+
+  # Public IPs Enabled in Public Subnet? true
+  # Gateway Attached to VPC? true
+  # Route to Internet via Gateway? true
+  # Route to NAT Gateway from Private Subnet? true
+  # SSH Allowed to Jumpbox? true
+  # SSH Key uploaded to AWS? 1a:c4:ec:25:94:90:ed:ee:c2:66:2e:3c:9c:c8:7a:12
+  # HDP bootstrap.properties configured? true
+  # Jumpbox Running? true
+
+  # No version specified for HDP Bootstrap, falling back to default version
+  INFO [0942f874] Running /usr/bin/env rm -f /home/ubuntu/.ssh/id_rsa as ubuntu@52.89.237.123
+  INFO [0942f874] Finished in 11.547 seconds with exit status 0 (successful).
+  INFO Uploading /Users/colstrom/cloudstrap/.ssh/lkg@colstrom/97cb1464-cf44-479e-be47-9a212131ad4c 100.0%
+  INFO [bec7b898] Running /usr/bin/env chmod -w /home/ubuntu/.ssh/id_rsa as ubuntu@52.89.237.123
+  INFO [bec7b898] Finished in 0.048 seconds with exit status 0 (successful).
+  INFO Uploading /Users/colstrom/bootstrap.properties 100.0%
+  INFO [e091db46] Running /usr/bin/env apt install --assume-yes genisoimage aria2 as ubuntu@54.89.237.123
+  INFO [e091db46] Finished in 8.157 seconds with exit status 0 (successful).
+  INFO [1fa8cae1] Running /usr/bin/env aria2c --continue=true --dir=/opt --out=bootstrap.deb https://s3-us-west-2.amazonaws.com/hcp-concourse/hcp-bootstrap_1.2.30%2Bmaster.77bb464.20160819000448_amd64.deb as ubuntu@52.89.237.123
+  INFO [1fa8cae1] Finished in 3.395 seconds with exit status 0 (successful).
+  INFO [577d4fdc] Running /usr/bin/env dpkg --install /opt/bootstrap.deb as ubuntu@52.89.237.123
+  INFO [577d4fdc] Finished in 3.055 seconds with exit status 0 (successful).
+
+  Contratulations! Your Jumpbox is ready. This instance has been configured with
+  everything you need to deploy your very own Stackato. The SSH key used by this
+  process has been uploaded to your Jumpbox, along with a bootstrap.properties
+  file that has been configured to match the settings used here.
+
+  Human oversight has been disabled.
+
+  Now would be a good time for tea and swordplay (https://xkcd.com/303/). What
+  happens next is non-interactive and will take approximately 30 minutes.
+
+    INFO [03a68da8] Running /usr/bin/env bootstrap install bootstrap.properties as ubuntu@52.89.237.123
+    INFO [03a68da8] Finished in 1457.406 seconds with exit status 0 (successful).
+#+END_EXAMPLE
+
+* License
+
+  =cloudstrap= is available under the [[https://tldrlegal.com/license/mit-license][MIT License]]. See ~LICENSE.txt~ for the
+  full text. The software it deploys has its own license.
+
+* Contributors
+
+  - [[https://colstrom.github.io/][Chris Olstrom]] | [[mailto:chris@olstrom.com][e-mail]] | [[https://twitter.com/ChrisOlstrom][Twitter]]

data/bin/cloudstrap

@@ -0,0 +1,115 @@
+#!/usr/bin/env ruby
+
+require 'pastel'
+
+if ENV['HACKING']
+  require_relative '../lib/cloudstrap'
+else
+  require 'cloudstrap'
+end
+
+gem = Gem::Specification
+      .find_all_by_name('cloudstrap')
+      .sort_by { |spec| spec.version }
+      .last
+
+config = StackatoLKG::Config.new
+agent = StackatoLKG::BootstrapAgent.new
+
+puts <<-EOS
+# #{gem.name} v#{gem.version}
+#   #{gem.summary}
+
+# General Configuration
+#   These settings can be configured via ENV or config.yaml
+
+BOOTSTRAP_REGION=#{config.region}
+BOOTSTRAP_CACHE_PATH=#{config.cache_path}
+BOOTSTRAP_VPC_CIDR_BLOCK=#{config.vpc_cidr_block}
+BOOTSTRAP_PUBLIC_CIDR_BLOCK=#{config.public_cidr_block}
+BOOTSTRAP_PRIVATE_CIDR_BLOCK=#{config.private_cidr_block}
+BOOTSTRAP_AMI_OWNER=#{config.ami_owner}
+BOOTSTRAP_UBUNTU_RELEASE=#{config.ubuntu_release}
+BOOTSTRAP_INSTANCE_TYPE=#{config.instance_type}
+BOOTSTRAP_SSH_DIR=#{config.ssh_dir}
+BOOTSTRAP_SSH_USERNAME=#{config.ssh_username}
+BOOTSTRAP_HDP_DIR=#{config.hdp_dir}
+BOOTSTRAP_HDP_BOOTSTRAP_ORIGIN=#{config.hdp_origin}
+BOOTSTRAP_HDP_BOOTSTRAP_VERSION=#{config.hdp_version}
+BOOTSTRAP_HDP_BOOTSTRAP_PACKAGE_URL=#{config.hdp_package_url}
+BOOTSTRAP_PROPERTIES_SEED_URL=#{config.bootstrap_properties_seed_url}
+
+# Cached Configuration
+#   These settings can be overridden via ENV only
+
+BOOTSTRAP_USERNAME=#{agent.username}
+BOOTSTRAP_UUID=#{agent.uuid}
+BOOTSTRAP_TAG=#{agent.bootstrap_tag}
+BOOTSTRAP_AMI=#{agent.ami}
+BOOTSTRAP_VPC_ID=#{agent.vpc}
+BOOTSTRAP_INTERNET_GATEWAY_ID=#{agent.internet_gateway}
+BOOTSTRAP_NAT_GATEWAY_ID=#{agent.nat_gateway}
+BOOTSTRAP_JUMPBOX_SECURITY_GROUP=#{agent.jumpbox_security_group}
+BOOTSTRAP_PRIVATE_SUBNET_ID=#{agent.private_subnet}
+BOOTSTRAP_PUBLIC_SUBNET_ID=#{agent.public_subnet}
+BOOTSTRAP_ROUTE_TABLE_ID=#{agent.route_table}
+BOOTSTRAP_PRIVATE_ROUTE_TABLE_ID=#{agent.private_route_table}
+BOOTSTRAP_NAT_ROUTE_ASSOCIATION_ID=#{agent.nat_route_association}
+BOOTSTRAP_PRIVATE_AVAILABILITY_ZONE=#{agent.private_availability_zone}
+BOOTSTRAP_PUBLIC_AVAILABILITY_ZONE=#{agent.public_availability_zone}
+BOOTSTRAP_JUMPBOX_ID=#{agent.jumpbox}
+BOOTSTRAP_JUMPBOX_IP=#{agent.jumpbox_ip}
+BOOTSTRAP_WITHOUT_HUMAN_OVERSIGHT=#{!agent.requires_human_oversight?}
+
+# Additional Information
+#   These do not need configuration, and are presented as a debugging checklist
+
+# Public IPs Enabled in Public Subnet? #{agent.enable_public_ips}
+# Gateway Attached to VPC? #{agent.attach_gateway}
+# Route to Internet via Gateway? #{agent.default_route}
+# Route to NAT Gateway from Private Subnet? #{agent.nat_route}
+# SSH Allowed to Jumpbox? #{agent.allow_ssh}
+# SSH Key uploaded to AWS? #{agent.upload_ssh_key}
+# HDP bootstrap.properties configured? #{agent.configure_hdp}
+# Jumpbox Running? #{agent.jumpbox_running?}
+
+EOS
+
+if agent.jumpbox_running?
+  agent.configure_jumpbox
+
+  STDERR.puts Pastel.new.green <<-EOS
+
+Congratulations! Your Jumpbox is ready. This instance has been configured with
+everything you need to deploy your very own Stackato. The SSH key used by this
+process has been uploaded to your Jumpbox, along with a bootstrap.properties
+file that has been configured to match the settings used here.
+EOS
+
+  if agent.requires_human_oversight?
+    STDERR.puts <<-EOS
+When you are ready to proceed, the following command will do the rest:
+
+ssh -l ubuntu -i #{agent.ssh_key.private_file} #{agent.jumpbox_ip} bootstrap
+
+EOS
+  else
+    STDERR.puts Pastel.new.bold.bright_yellow.on_blue 'Human oversight has been disabled.'
+
+    STDERR.puts Pastel.new.blue <<-EOS
+
+Now would be a good time for tea and swordplay (https://xkcd.com/303/). What
+happens next is non-interactive and will take approximately 30 minutes.
+EOS
+    agent.launch
+  end
+
+else
+  STDERR.puts Pastel.new.red <<-EOS
+Your Jumpbox (#{agent.jumpbox}) is not in a "running" state. It is normal for
+the first boot to take several minutes as the instance configures itself.
+
+If you wait a few minutes and try again, it should work.
+EOS
+  abort
+end

data/cloudstrap.gemspec

@@ -0,0 +1,24 @@
+Gem::Specification.new do |gem|
+  gem.name        = 'cloudstrap'
+  gem.version     = `git describe --tags --abbrev=0`.chomp + '.pre'
+  gem.licenses    = 'MIT'
+  gem.authors     = ['Chris Olstrom']
+  gem.email       = 'chris@olstrom.com'
+  gem.homepage    = 'https://github.com/colstrom/cloudstrap'
+  gem.summary     = 'Strapping Boots to Clouds'
+
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  gem.require_paths = ['lib']
+
+  gem.add_runtime_dependency 'aws-sdk', '~> 2.5', '>= 2.5.0'
+  gem.add_runtime_dependency 'contracts', '~> 0.14', '>= 0.14.0'
+  gem.add_runtime_dependency 'retries', '~> 0.0.5', '>= 0.0.5'
+  gem.add_runtime_dependency 'moneta', '~> 0.8', '>= 0.8.0'
+  gem.add_runtime_dependency 'sshkey', '~> 1.8', '>= 1.8.0'
+  gem.add_runtime_dependency 'sshkit', '~> 1.11', '>= 1.11.0'
+  gem.add_runtime_dependency 'java-properties', '~> 0.1', '>= 0.1.1'
+  gem.add_runtime_dependency 'pastel', '~> 0.6', '>= 0.6.0'
+  gem.add_runtime_dependency 'faraday', '~> 0.9', '>= 0.9.0'
+end

data/lib/cloudstrap.rb

@@ -0,0 +1,3 @@
+require_relative 'cloudstrap/amazon'
+require_relative 'cloudstrap/bootstrap_agent'
+require_relative 'cloudstrap/config'

data/lib/cloudstrap/amazon.rb

@@ -0,0 +1,2 @@
+require_relative 'amazon/ec2'
+require_relative 'amazon/iam'

data/lib/cloudstrap/amazon/ec2.rb

@@ -0,0 +1,377 @@
+require 'aws-sdk'
+require 'contracts'
+require_relative 'service'
+
+module StackatoLKG
+  module Amazon
+    class EC2 < Service
+      Contract None => ArrayOf[::Aws::EC2::Types::Vpc]
+      def vpcs
+        @vpcs ||= vpcs!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Vpc]
+      def vpcs!
+        @vpcs = call_api(:describe_vpcs).vpcs
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Subnet]
+      def subnets
+        @subnets ||= subnets!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Subnet]
+      def subnets!
+        @subnets = call_api(:describe_subnets).subnets
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::RouteTable]
+      def route_tables
+        @route_tables ||= route_tables!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::RouteTable]
+      def route_tables!
+        @route_tables = call_api(:describe_route_tables).route_tables
+      end
+
+      Contract String => ::Aws::EC2::Types::RouteTable
+      def create_route_table(vpc_id)
+        call_api(:create_route_table, vpc_id: vpc_id).route_table
+          .tap { route_tables! }
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::NatGateway]
+      def nat_gateways
+        @nat_gateways ||= nat_gateways!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::NatGateway]
+      def nat_gateways!
+        @nat_gateways ||= call_api(:describe_nat_gateways).nat_gateways
+      end
+
+      Contract String, String => ::Aws::EC2::Types::NatGateway
+      def create_nat_gateway(subnet_id, allocation_id)
+        call_api(:create_nat_gateway, subnet_id: subnet_id, allocation_id: allocation_id).nat_gateway
+          .tap { nat_gateways! }
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::InternetGateway]
+      def internet_gateways
+        @internet_gateways ||= internet_gateways!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::InternetGateway]
+      def internet_gateways!
+        @internet_gateways = call_api(:describe_internet_gateways).internet_gateways
+      end
+
+      Contract String => Bool
+      def internet_gateway_exist?(internet_gateway_id)
+        ! internet_gateways.select { |igw| igw.internet_gateway_id == internet_gateway_id }.empty?
+      end
+
+      Contract String, String => Bool
+      def internet_gateway_attached?(internet_gateway_id, vpc_id)
+        (internet_gateway_exist?(internet_gateway_id) ? internet_gateways : internet_gateways!)
+          .flat_map { |internet_gateway| internet_gateway.attachments }
+          .any? { |attachment| attachment.vpc_id == vpc_id }
+      end
+
+      Contract String, String => Bool
+      def attach_internet_gateway(internet_gateway_id, vpc_id)
+        call_api(:attach_internet_gateway,
+                 internet_gateway_id: internet_gateway_id,
+                 vpc_id: vpc_id).successful?
+      rescue ::Aws::EC2::Errors::ResourceAlreadyAssociated
+        internet_gateway_attached? internet_gateway_id, vpc_id
+      end
+
+      Contract String, String, String => Bool
+      def create_route(destination_cidr_block, gateway_id, route_table_id)
+        call_api(:create_route,
+                 route_table_id: route_table_id,
+                 destination_cidr_block: destination_cidr_block,
+                 gateway_id: gateway_id).successful?
+          .tap { route_tables! }
+      rescue ::Aws::EC2::Errors::RouteAlreadyExists
+        route_tables!
+          .select { |route_table| route_table.route_table_id = route_table_id }
+          .flat_map { |route_table| route_table.routes }
+          .select { |route| route.destination_cidr_block == destination_cidr_block }
+          .any? { |route| route.gateway_id == gateway_id || route.nat_gateway_id == gateway_id }
+      end
+
+      Contract String, String => String
+      def associate_route_table(route_table_id, subnet_id)
+        call_api(:associate_route_table,
+                 route_table_id: route_table_id,
+                 subnet_id: subnet_id).association_id
+          .tap { route_tables! }
+      end
+
+      Contract None => ::Aws::EC2::Types::InternetGateway
+      def create_internet_gateway
+        call_api(:create_internet_gateway).internet_gateway
+          .tap { internet_gateways! }
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Instance]
+      def instances
+        @instances ||= instances!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Instance]
+      def instances!
+        @instances = call_api(:describe_instances)
+                     .reservations
+                     .flat_map(&:instances)
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Address]
+      def addresses
+        @addresses ||= addresses!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Address]
+      def addresses!
+        @addresses = call_api(:describe_addresses).addresses
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Address]
+      def unassociated_addresses
+        addresses
+          .select { |address| address.domain == 'vpc' }
+          .select { |address| address.association_id == nil }
+      end
+
+      Contract None => Maybe[String]
+      def unassociated_address
+        unassociated_addresses.map(&:allocation_id).sample
+      end
+
+      Contract None => String
+      def create_address
+        call_api(:allocate_address).allocation_id
+          .tap { addresses! }
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::SecurityGroup]
+      def security_groups
+        @security_groups ||= security_groups!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::SecurityGroup]
+      def security_groups!
+        @security_groups = call_api(:describe_security_groups).security_groups
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::TagDescription]
+      def tags
+        @tags ||= tags!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::TagDescription]
+      def tags!
+        @tags = call_api(:describe_tags).tags
+      end
+
+      Contract KeywordArgs[
+                 image_id: String,
+                 instance_type: String,
+                 key_name: Optional[String],
+                 client_token: Optional[String],
+                 network_interfaces: Optional[ArrayOf[Hash]]
+               ] => ::Aws::EC2::Types::Instance
+      def create_instance(**properties)
+        call_api(:run_instances, properties.merge(min_count: 1, max_count: 2)).instances.first
+          .tap { instances! }
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Image]
+      def images
+        @images ||= images!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::Image]
+      def images!
+        @images ||= call_api(:describe_images,
+                             owners: [config.ami_owner],
+                             filters: [
+                               { name: 'virtualization-type', values: ['hvm'] },
+                               { name: 'architecture', values: ['x86_64'] },
+                               { name: 'root-device-type', values: ['ebs'] },
+                               { name: 'block-device-mapping.volume-type', values: ['gp2'] }
+                             ])
+                  .images
+                  .reject { |image| image.sriov_net_support.nil? }
+      end
+
+      Contract RespondTo[:to_s] => ArrayOf[::Aws::EC2::Types::Image]
+      def ubuntu_images(release)
+        images
+          .select { |image| image.name.start_with? 'ubuntu/images/' }
+          .select { |image| image.name.include? release.to_s }
+      end
+
+      Contract RespondTo[:to_s] => ::Aws::EC2::Types::Image
+      def latest_ubuntu(release)
+        ubuntu_images(release)
+          .sort_by { |image| image.creation_date }
+          .last
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::KeyPairInfo]
+      def key_pairs
+        @key_pairs ||= key_pairs!
+      end
+
+      Contract None => ArrayOf[::Aws::EC2::Types::KeyPairInfo]
+      def key_pairs!
+        @key_pairs = call_api(:describe_key_pairs).key_pairs
+      end
+
+      Contract String => Maybe[String]
+      def key_fingerprint(key_name)
+        key_pairs
+          .select { |ssh| ssh.key_name == key_name }
+          .map { |ssh| ssh.key_fingerprint }
+          .first
+      end
+
+      Contract String, String => String
+      def import_key_pair(key_name, public_key_material)
+        call_api(:import_key_pair, key_name: key_name, public_key_material: public_key_material).key_fingerprint
+          .tap { key_pairs! }
+      rescue ::Aws::EC2::Errors::InvalidKeyPairDuplicate
+        key_fingerprint(key_name)
+      end
+
+      Contract None => ::Aws::EC2::Types::Vpc
+      def create_vpc
+        call_api(:create_vpc, cidr_block: config.vpc_cidr_block).vpc
+          .tap { vpcs! }
+      end
+
+      Contract KeywordArgs[
+                 cidr_block: Optional[String],
+                 vpc_id: Optional[String],
+                 subnet_id: Optional[String]
+               ] => ArrayOf[::Aws::EC2::Types::Subnet]
+      def subnets(cidr_block: nil, vpc_id: nil, subnet_id: nil)
+        subnets
+          .select { |subnet| subnet_id.nil? || subnet.subnet_id == subnet_id }
+          .select { |subnet| vpc_id.nil? || subnet.vpc_id == vpc_id }
+          .select { |subnet| cidr_block.nil? || subnet.cidr_block == cidr_block }
+      end
+
+      Contract Args[Any] => Any
+      def subnets!(**properties)
+        subnets!
+        subnets(properties)
+      end
+
+      Contract Args[Any] => Maybe[::Aws::EC2::Types::Subnet]
+      def subnet(**properties)
+        subnets(properties).first
+      end
+
+      Contract Args[Any] => Any
+      def subnet!(**properties)
+        subnets!
+        subnet(properties)
+      end
+
+      Contract KeywordArgs[
+                 cidr_block: String,
+                 vpc_id: String
+               ] => ::Aws::EC2::Types::Subnet
+      def create_subnet(**properties)
+        call_api(:create_subnet, properties).subnet
+          .tap { subnets! }
+      rescue ::Aws::EC2::Errors::InvalidSubnetConflict
+        subnet(properties) || subnet!(properties)
+      end
+
+      Contract String => Bool
+      def map_public_ip_on_launch?(subnet_id)
+        subnets(subnet_id: subnet_id)
+          .map { |subnet| subnet.map_public_ip_on_launch }
+          .first == true
+      end
+
+      Contract String, Bool => Bool
+      def map_public_ip_on_launch(subnet_id, value)
+        call_api(:modify_subnet_attribute,
+                 subnet_id: subnet_id,
+                 map_public_ip_on_launch: { value: value }
+                ).successful?
+          .tap { subnets! }
+      end
+
+      Contract RespondTo[:to_s], RespondTo[:to_i], RespondTo[:to_s], String => Bool
+      def authorize_security_group_ingress(ip_protocol, port, cidr_ip, group_id)
+        call_api(:authorize_security_group_ingress,
+                 group_id: group_id,
+                 ip_protocol: ip_protocol.to_s,
+                 from_port: port.to_i,
+                 to_port: port.to_i,
+                 cidr_ip: cidr_ip.to_s
+                ).successful?
+          .tap { security_groups! }
+      rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate
+        true
+      end
+
+      Contract RespondTo[:to_s], String => String
+      def create_security_group(group_name, vpc_id)
+        call_api(:create_security_group,
+                 group_name: group_name.to_s,
+                 description: group_name.to_s,
+                 vpc_id: vpc_id).group_id
+          .tap { security_groups! }
+      rescue ::Aws::EC2::Errors::InvalidGroupDuplicate
+        security_group(group_name.to_s, vpc_id)
+      end
+
+      Contract RespondTo[:to_s], String => String
+      def security_group(group_name, vpc_id)
+        security_groups
+          .select { |sg| sg.vpc_id == vpc_id }
+          .select { |sg| sg.group_name == group_name }
+          .first
+          .group_id
+      end
+
+      Contract ArrayOf[String], ArrayOf[{ key: String, value: String}] => Bool
+      def create_tags(resources, tags)
+        call_api(:create_tags, resources: resources, tags: tags).successful?
+          .tap { tags! }
+      end
+
+      Contract String, Args[String] => Bool
+      def assign_name(name, *resources)
+        create_tags(resources, [{ key: 'Name', value: name } ])
+      end
+
+      Contract KeywordArgs[
+                 type: Optional[String],
+                 key: Optional[String],
+                 value: Optional[String]
+               ] => ArrayOf[::Aws::EC2::Types::TagDescription]
+      def tagged(type: nil, key: nil, value: nil)
+        tags
+          .select { |tag| type.nil? || tag.resource_type == type }
+          .select { |tag| tag.key == (key || 'Name') }
+          .select { |tag| value.nil? || tag.value == value }
+      end
+
+      private
+
+      def client
+        Aws::EC2::Client
+      end
+    end
+  end
+end