knife-ec2 0.12.0 → 0.13.0

data/knife-ec2.gemspec

@@ -6,8 +6,8 @@ Gem::Specification.new do |s|
   s.name         = 'knife-ec2'
   s.version      = Knife::Ec2::VERSION
   s.authors      = ['Adam Jacob', 'Seth Chisamore']
-  s.email        = ['adam@opscode.com', 'schisamo@opscode.com']
-  s.homepage     = 'https://github.com/opscode/knife-ec2'
+  s.email        = ['adam@chef.io', 'schisamo@chef.io']
+  s.homepage     = 'https://github.com/chef/knife-ec2'
   s.summary      = "EC2 Support for Chef's Knife Command"
   s.description  = s.summary
   s.license      = 'Apache-2.0'
@@ -16,7 +16,8 @@ Gem::Specification.new do |s|
   s.test_files   = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables  = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
 
-  s.add_dependency 'fog',           '~> 1.29.0'
+  s.add_dependency 'fog-aws',       '~> 0.7'
+  s.add_dependency 'mime-types'
   s.add_dependency 'knife-windows', '~> 1.0'
 
   s.add_development_dependency 'chef',  '~> 12.0', '>= 12.2.1'

data/lib/chef/knife/ec2_base.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Copyright:: Copyright (c) 2011 Opscode, Inc.
+# Author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2011-2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,19 +29,24 @@ class Chef
         includer.class_eval do
 
           deps do
-            require 'fog'
+            require 'fog/aws'
             require 'readline'
             require 'chef/json_compat'
           end
 
           option :aws_credential_file,
             :long => "--aws-credential-file FILE",
-            :description => "File containing AWS credentials as used by aws cmdline tools",
+            :description => "File containing AWS credentials as used by AWS command line tools",
             :proc => Proc.new { |key| Chef::Config[:knife][:aws_credential_file] = key }
 
+          option :aws_config_file,
+            :long => "--aws-config-file FILE",
+            :description => "File containing AWS configurations as used by aws cmdline tools",
+            :proc => Proc.new {|key| Chef::Config[:knife][:aws_config_file] = key}
+
           option :aws_profile,
             :long => "--aws-profile PROFILE",
-            :description => "AWS profile, from credential file, to use",
+            :description => "AWS profile, from AWS credential file and AWS config file, to use",
             :default => 'default',
             :proc => Proc.new { |key| Chef::Config[:knife][:aws_profile] = key }
 
@@ -81,6 +86,7 @@ class Chef
           :provider => 'AWS',
           :region => locate_config_value(:region)
         }
+
         if locate_config_value(:use_iam_profile)
           connection_settings[:use_iam_profile] = true
         else
@@ -112,8 +118,25 @@ class Chef
       def validate!(keys=[:aws_access_key_id, :aws_secret_access_key])
         errors = []
 
+        if locate_config_value(:aws_config_file)
+          aws_config = ini_parse(File.read(locate_config_value(:aws_config_file)))
+          profile = if locate_config_value(:aws_profile) == 'default'
+                      'default'
+                    else
+                      "profile #{locate_config_value(:aws_profile)}"
+                    end
+
+          unless aws_config.values.empty?
+            if aws_config[profile]
+               Chef::Config[:knife][:region] = aws_config[profile]['region']
+            else
+              raise ArgumentError, "The provided --aws-profile '#{profile}' is invalid."
+            end
+          end
+        end
+
         unless locate_config_value(:use_iam_profile)
-          unless Chef::Config[:knife][:aws_credential_file].nil?
+          if locate_config_value(:aws_credential_file)
             unless (Chef::Config[:knife].keys & [:aws_access_key_id, :aws_secret_access_key]).empty?
               errors << "Either provide a credentials file or the access key and secret keys but not both."
             end
@@ -125,12 +148,22 @@ class Chef
             # aws_access_key_id = somethingsomethingdarkside
             # aws_secret_access_key = somethingsomethingdarkside
 
-            aws_creds = ini_parse(File.read(Chef::Config[:knife][:aws_credential_file]))
-            profile = Chef::Config[:knife][:aws_profile] || 'default'
-            entries = aws_creds.values.first.has_key?("AWSAccessKeyId") ? aws_creds.values.first : aws_creds[profile]
-
-            Chef::Config[:knife][:aws_access_key_id] = entries['AWSAccessKeyId'] || entries['aws_access_key_id']
-            Chef::Config[:knife][:aws_secret_access_key] = entries['AWSSecretKey'] || entries['aws_secret_access_key']
+            aws_creds = ini_parse(File.read(locate_config_value(:aws_credential_file)))
+            profile = locate_config_value(:aws_profile)
+
+            entries = if aws_creds.values.first.has_key?("AWSAccessKeyId")
+                        aws_creds.values.first
+                      else
+                        aws_creds[profile]
+                      end
+
+            if entries
+              Chef::Config[:knife][:aws_access_key_id] = entries['AWSAccessKeyId'] || entries['aws_access_key_id']
+              Chef::Config[:knife][:aws_secret_access_key] = entries['AWSSecretKey'] || entries['aws_secret_access_key']
+              Chef::Config[:knife][:aws_session_token] = entries['AWSSessionToken'] || entries['aws_session_token']
+            else
+              raise ArgumentError, "The provided --aws-profile '#{profile}' is invalid."
+            end
           end
 
           keys.each do |k|

data/lib/chef/knife/ec2_flavor_list.rb

@@ -1,53 +1,53 @@
-#
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Copyright:: Copyright (c) 2012 Opscode, Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require 'chef/knife/ec2_base'
-
-class Chef
-  class Knife
-    class Ec2FlavorList < Knife
-
-      include Knife::Ec2Base
-
-      banner "knife ec2 flavor list (options)"
-
-      def run
-
-        validate!
-
-        flavor_list = [
-          ui.color('ID', :bold),
-          ui.color('Name', :bold),
-          ui.color('Architecture', :bold),
-          ui.color('RAM', :bold),
-          ui.color('Disk', :bold),
-          ui.color('Cores', :bold)
-        ]
-        connection.flavors.sort_by(&:id).each do |flavor|
-          flavor_list << flavor.id.to_s
-          flavor_list << flavor.name
-          flavor_list << "#{flavor.bits.to_s}-bit"
-          flavor_list << "#{flavor.ram.to_s}"
-          flavor_list << "#{flavor.disk.to_s} GB"
-          flavor_list << flavor.cores.to_s
-        end
-        puts ui.list(flavor_list, :columns_across, 6)
-      end
-    end
-  end
-end
+#
+# Author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2012-2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife/ec2_base'
+
+class Chef
+  class Knife
+    class Ec2FlavorList < Knife
+
+      include Knife::Ec2Base
+
+      banner "knife ec2 flavor list (options)"
+
+      def run
+
+        validate!
+
+        flavor_list = [
+          ui.color('ID', :bold),
+          ui.color('Name', :bold),
+          ui.color('Architecture', :bold),
+          ui.color('RAM', :bold),
+          ui.color('Disk', :bold),
+          ui.color('Cores', :bold)
+        ]
+        connection.flavors.sort_by(&:id).each do |flavor|
+          flavor_list << flavor.id.to_s
+          flavor_list << flavor.name
+          flavor_list << "#{flavor.bits.to_s}-bit"
+          flavor_list << "#{flavor.ram.to_s}"
+          flavor_list << "#{flavor.disk.to_s} GB"
+          flavor_list << flavor.cores.to_s
+        end
+        puts ui.list(flavor_list, :columns_across, 6)
+      end
+    end
+  end
+end

data/lib/chef/knife/ec2_server_create.rb

@@ -1,7 +1,7 @@
 #
-# Author:: Adam Jacob (<adam@opscode.com>)
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Copyright:: Copyright (c) 2010-2011 Opscode, Inc.
+# Author:: Adam Jacob (<adam@chef.io>)
+# Author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2010-2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,7 +31,7 @@ class Chef
       include Knife::BootstrapWindowsBase
       deps do
         require 'tempfile'
-        require 'fog'
+        require 'fog/aws'
         require 'uri'
         require 'readline'
         require 'chef/json_compat'
@@ -67,9 +67,9 @@ class Chef
         :proc => Proc.new { |groups| groups.split(',') }
 
       option :security_group_ids,
-        :short => "-g X,Y,Z",
-        :long => "--security-group-ids X,Y,Z",
-        :description => "The security group ids for this server; required when using VPC",
+        :short => "-g 'X,Y,Z'",
+        :long => "--security-group-ids 'X,Y,Z'",
+        :description => "The security group ids for this server; required when using VPC,Please provide values in format --security-group-ids 'X,Y,Z'",
         :proc => Proc.new { |security_group_ids| security_group_ids.split(',') }
 
       option :associate_eip,
@@ -194,7 +194,8 @@ class Chef
         :short => "-r RUN_LIST",
         :long => "--run-list RUN_LIST",
         :description => "Comma separated list of roles/recipes to apply",
-        :proc => lambda { |o| o.split(/[\s,]+/) }
+        :proc => lambda { |o| o.split(/[\s,]+/) },
+        :default => []
 
       option :secret,
         :long => "--secret ",
@@ -211,12 +212,6 @@ class Chef
         :description => 'S3 URL (e.g. s3://bucket/file) for the encrypted_data_bag_secret_file',
         :proc => lambda { |url| Chef::Config[:knife][:s3_secret] = url }
 
-      option :json_attributes,
-        :short => "-j JSON",
-        :long => "--json-attributes JSON",
-        :description => "A JSON string to be added to the first run of chef-client",
-        :proc => lambda { |o| JSON.parse(o) }
-
       option :subnet_id,
         :long => "--subnet SUBNET-ID",
         :description => "create node in this Virtual Private Cloud Subnet ID (implies VPC mode)",
@@ -270,7 +265,7 @@ class Chef
       option :server_connect_attribute,
         :long => "--server-connect-attribute ATTRIBUTE",
         :short => "-a ATTRIBUTE",
-        :description => "The EC2 server attribute to use for SSH connection. Use this attr for creating VPC instances along with --associate-eip",
+        :description => "The EC2 server attribute to use for the SSH connection if necessary, e.g. public_ip_address or private_ip_address.",
         :default => nil
 
       option :associate_public_ip,
@@ -317,6 +312,15 @@ class Chef
         :description => "The Spot Instance request type. Possible values are 'one-time' and 'persistent', default value is 'one-time'",
         :default => "one-time"
 
+      option :spot_wait_mode,
+        :long => "--spot-wait-mode MODE",
+        :description =>
+          "Whether we should wait for spot request fulfillment. Could be 'wait', 'exit', or " \
+          "'prompt' (default). For any of the above mentioned choices, ('wait') - if the " \
+          "instance does not get allocated before the command itself times-out or ('exit') the " \
+          "user needs to manually bootstrap the instance in the future after it gets allocated.",
+        :default => "prompt"
+
       option :aws_connection_timeout,
         :long => "--aws-connection-timeout MINUTES",
         :description => "The maximum time in minutes to wait to for aws connection. Default is 10 min",
@@ -393,6 +397,33 @@ class Chef
         :description => "Enable SSH agent forwarding",
         :boolean => true
 
+      option :create_ssl_listener,
+        :long => "--[no-]create-ssl-listener",
+        :description => "Create ssl listener, enabled by default.",
+        :boolean => true,
+        :default => true
+
+      option :network_interfaces,
+        :short => '-n',
+        :long => '--attach-network-interface ENI1,ENI2',
+        :description => 'Attach additional network interfaces during bootstrap',
+        :proc => proc { |nics| nics.split(',') }
+
+      option :classic_link_vpc_id,
+        :long => "--classic-link-vpc-id VPC_ID",
+        :description => "Enable ClassicLink connection with a VPC"
+
+      option :classic_link_vpc_security_group_ids,
+        :long => "--classic-link-vpc-security-groups-ids X,Y,Z",
+        :description => "Comma-separated list of security group ids for ClassicLink",
+        :proc => Proc.new { |groups| groups.split(',') }
+
+      option :disable_api_termination,
+        :long => "--disable-api-termination",
+        :description => "Disable termination of the instance using the Amazon EC2 console, CLI and API.",
+        :boolean => true,
+        :default => false
+
       def run
         $stdout.sync = true
 
@@ -404,17 +435,30 @@ class Chef
         elastic_ip = connection.addresses.detect{|addr| addr if addr.public_ip == requested_elastic_ip}
 
         if locate_config_value(:spot_price)
-          spot_request = connection.spot_requests.create(create_server_def)
+          server_def = create_server_def
+          server_def[:groups] = config[:security_group_ids] if vpc_mode?
+          spot_request = connection.spot_requests.create(server_def)
           msg_pair("Spot Request ID", spot_request.id)
           msg_pair("Spot Request Type", spot_request.request_type)
           msg_pair("Spot Price", spot_request.price)
 
-          wait_msg = "Do you want to wait for Spot Instance Request fulfillment? (Y/N) \n"
-          wait_msg += "Y - Wait for Spot Instance request fulfillment\n"
-          wait_msg += "N - Do not wait for Spot Instance request fulfillment. "
-          wait_msg += ui.color("[WARN :: Request would be alive on AWS ec2 side but execution of Chef Bootstrap on the target instance will get skipped.]\n", :red, :bold)
-          wait_msg += ui.color("\n[WARN :: For any of the above mentioned choices, (Y) - if the instance does not get allocated before the command itself times-out or (N) - user decides to exit, then in both cases user needs to manually bootstrap the instance in future after it gets allocated.]\n\n", :cyan, :bold)
-          confirm(wait_msg)
+          case config[:spot_wait_mode]
+          when 'prompt', '', nil
+            wait_msg = "Do you want to wait for Spot Instance Request fulfillment? (Y/N) \n"
+            wait_msg += "Y - Wait for Spot Instance request fulfillment\n"
+            wait_msg += "N - Do not wait for Spot Instance request fulfillment. "
+            wait_msg += ui.color("[WARN :: Request would be alive on AWS ec2 side but execution of Chef Bootstrap on the target instance will get skipped.]\n", :red, :bold)
+            wait_msg += ui.color("\n[WARN :: For any of the above mentioned choices, (Y) - if the instance does not get allocated before the command itself times-out or (N) - user decides to exit, then in both cases user needs to manually bootstrap the instance in the future after it gets allocated.]\n\n", :cyan, :bold)
+            confirm(wait_msg)
+          when 'wait'
+            # wait for the node and run Chef bootstrap
+          when 'exit'
+            ui.color("The 'exit' option was specified for --spot-wait-mode, exiting.", :cyan)
+            exit
+          else
+            raise "Invalid value for --spot-wait-mode: '#{config[:spot_wait_mode]}', " \
+              "valid values: wait, exit, prompt"
+          end
 
           print ui.color("Waiting for Spot Request fulfillment:  ", :cyan)
           spot_request.wait_for do
@@ -473,6 +517,7 @@ class Chef
         begin
           create_tags(hashed_tags) unless hashed_tags.empty?
           associate_eip(elastic_ip) if config[:associate_eip]
+          enable_classic_link(config[:classic_link_vpc_id], config[:classic_link_vpc_security_group_ids]) if config[:classic_link_vpc_id]
         rescue Fog::Compute::AWS::NotFound, Fog::Errors::Error
           raise if (tries -= 1) <= 0
           ui.warn("server not ready, retrying tag application (retries left: #{tries})")
@@ -480,6 +525,8 @@ class Chef
           retry
         end
 
+        attach_nics if config[:network_interfaces]
+
         if vpc_mode?
           msg_pair("Subnet ID", @server.subnet_id)
           msg_pair("Tenancy", @server.tenancy)
@@ -589,7 +636,9 @@ class Chef
         msg_pair("Private IP Address", @server.private_ip_address)
         msg_pair("Environment", config[:environment] || '_default')
         msg_pair("Run List", (config[:run_list] || []).join(', '))
-        msg_pair("JSON Attributes",config[:json_attributes]) unless !config[:json_attributes] || config[:json_attributes].empty?
+        if config[:first_boot_attributes] || config[:first_boot_attributes_from_file]
+          msg_pair("JSON Attributes",config[:first_boot_attributes] || config[:first_boot_attributes_from_file])
+        end
       end
 
       def default_bootstrap_template
@@ -642,9 +691,14 @@ class Chef
         bootstrap.config[:template_file] = locate_config_value(:template_file) || locate_config_value(:bootstrap_template)
         bootstrap.config[:environment] = locate_config_value(:environment)
         bootstrap.config[:prerelease] = config[:prerelease]
-        bootstrap.config[:first_boot_attributes] = locate_config_value(:json_attributes) || {}
-        bootstrap.config[:encrypted_data_bag_secret] = locate_config_value(:encrypted_data_bag_secret)
-        bootstrap.config[:encrypted_data_bag_secret_file] = locate_config_value(:encrypted_data_bag_secret_file)
+        bootstrap.config[:first_boot_attributes] = locate_config_value(:first_boot_attributes)
+        bootstrap.config[:first_boot_attributes_from_file] = locate_config_value(:first_boot_attributes_from_file)
+        bootstrap.config[:encrypted_data_bag_secret] = s3_secret || locate_config_value(:secret)
+        bootstrap.config[:encrypted_data_bag_secret_file] = locate_config_value(:secret_file)
+        # retrieving the secret from S3 is unique to knife-ec2, so we need to set "command line secret" to the value fetched from S3
+        # When linux vm is spawned, the chef's secret option proc function sets the value "command line secret" and this value is used by 
+        # chef's code to check if secret option is passed through command line or not
+        Chef::Knife::DataBagSecretOptions.set_cl_secret(s3_secret) if locate_config_value(:s3_secret)
         bootstrap.config[:secret] = s3_secret || locate_config_value(:secret)
         bootstrap.config[:secret_file] = locate_config_value(:secret_file)
         bootstrap.config[:node_ssl_verify_mode] = locate_config_value(:node_ssl_verify_mode)
@@ -741,6 +795,8 @@ class Chef
 
         super([:image, :ssh_key_name, :aws_access_key_id, :aws_secret_access_key])
 
+        validate_nics! if locate_config_value(:network_interfaces)
+
         if ami.nil?
           ui.error("You have not provided a valid image (AMI) value.")
           exit 1
@@ -791,15 +847,26 @@ class Chef
           exit 1
         end
 
-        if(config[:security_groups] && config[:security_groups].class == String)
+        if config[:security_groups] && config[:security_groups].class == String
           ui.error("Invalid value type for knife[:security_groups] in knife configuration file (i.e knife.rb). Type should be array. e.g - knife[:security_groups] = ['sgroup1']")
           exit 1
         end
 
-        if(config[:security_group_ids] && config[:security_group_ids].class == String)
+        if config[:security_group_ids] && config[:security_group_ids].class == String
           ui.error("Invalid value type for knife[:security_group_ids] in knife configuration file (i.e knife.rb). Type should be array. e.g - knife[:security_group_ids] = ['sgroup1']")
           exit 1
         end
+
+        if config[:classic_link_vpc_id].nil? ^ config[:classic_link_vpc_security_group_ids].nil?
+          ui.error("--classic-link-vpc-id and --classic-link-vpc-security-group-ids must be used together")
+          exit 1
+        end
+
+        if vpc_mode? and config[:classic_link_vpc_id]
+          ui.error("You can only use ClassicLink if you are not using a VPC")
+          exit 1
+        end
+
         if locate_config_value(:ebs_encrypted)
           error_message = ""
           errors = []
@@ -807,10 +874,12 @@ class Chef
           if !locate_config_value(:flavor)
             ui.error("--ebs-encrypted option requires valid flavor to be specified.")
             exit 1
-          elsif (locate_config_value(:ebs_encrypted) and ! %w(m3.medium  m3.large  m3.xlarge m3.2xlarge c4.large c4.xlarge
+          elsif (locate_config_value(:ebs_encrypted) and ! %w(m3.medium  m3.large  m3.xlarge m3.2xlarge m4.large m4.xlarge
+                                             m4.2xlarge m4.4xlarge m4.10xlarge t2.micro t2.small t2.medium t2.large
+                                             d2.xlarge  d2.2xlarge d2.4xlarge d2.8xlarge c4.large c4.xlarge
                                              c4.2xlarge c4.4xlarge c4.8xlarge c3.large c3.xlarge c3.2xlarge
                                              c3.4xlarge c3.8xlarge cr1.8xlarge r3.large r3.xlarge r3.2xlarge
-                                             r3.4xlarge r3.8xlarge i2.xlarge i2.2xlarge i2.4xlarge i2.8xlarge g2.2xlarge).include?(locate_config_value(:flavor)))
+                                             r3.4xlarge r3.8xlarge i2.xlarge i2.2xlarge i2.4xlarge i2.8xlarge g2.2xlarge g2.8xlarge).include?(locate_config_value(:flavor)))
             ui.error("--ebs-encrypted option is not supported for #{locate_config_value(:flavor)} flavor.")
             exit 1
           end
@@ -832,6 +901,16 @@ class Chef
           end
         end
 
+        if locate_config_value(:spot_price) && locate_config_value(:disable_api_termination)
+          ui.error("spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances.")
+          exit 1
+        end
+
+        if locate_config_value(:spot_price).nil? && locate_config_value(:spot_wait_mode).downcase != 'prompt'
+          ui.error('spot-wait-mode option requires that a spot-price option is set.')
+          exit 1
+        end
+
       end
 
       def tags
@@ -851,6 +930,57 @@ class Chef
         end
       end
 
+      def ssl_config_user_data
+      user_related_commands = ""
+      winrm_user = locate_config_value(:winrm_user).split("\\") 
+      if (winrm_user[0] == ".") || (winrm_user[0] == "") ||(winrm_user.length == 1)
+        user_related_commands = <<-EOH
+net user /add #{locate_config_value(:winrm_user).delete('.\\')} #{windows_password}; 
+net localgroup Administrators /add #{locate_config_value(:winrm_user).delete('.\\')};
+        EOH
+      end
+<<-EOH
+#{user_related_commands}
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+EOH
+      end
+
+      def ssl_config_data_already_exist?
+        File.read(locate_config_value(:aws_user_data)).gsub(/\\\\/,"\\").include? ssl_config_user_data.strip
+      end
+
+      def process_user_data(script_lines)
+        if !ssl_config_data_already_exist?
+          ps_start_tag = "<powershell>\n"
+          ps_end_tag = "</powershell>\n"
+          ps_start_tag_index = script_lines.index(ps_start_tag) || script_lines.index(ps_start_tag.strip)
+          ps_end_tag_index = script_lines.index(ps_end_tag) || script_lines.index(ps_end_tag.strip)
+          case
+          when ( ps_start_tag_index && !ps_end_tag_index ) || ( !ps_start_tag_index && ps_end_tag_index )
+            ui.error("Provided user_data file is invalid.")
+            exit 1
+          when ps_start_tag_index && ps_end_tag_index
+            script_lines[ps_end_tag_index] = ssl_config_user_data + ps_end_tag
+          when !ps_start_tag_index && !ps_end_tag_index
+            script_lines.insert(-1,"\n\n" + ps_start_tag + ssl_config_user_data + ps_end_tag)
+          end
+        end
+        script_lines
+      end
+
       def create_server_def
         server_def = {
           :image_id => locate_config_value(:image),
@@ -869,11 +999,30 @@ class Chef
         server_def[:tenancy] = "dedicated" if vpc_mode? and locate_config_value(:dedicated_instance)
         server_def[:associate_public_ip] = locate_config_value(:associate_public_ip) if vpc_mode? and config[:associate_public_ip]
 
-        if locate_config_value(:aws_user_data)
-          begin
-            server_def.merge!(:user_data => File.read(locate_config_value(:aws_user_data)))
-          rescue
-            ui.warn("Cannot read #{locate_config_value(:aws_user_data)}: #{$!.inspect}. Ignoring option.")
+        if locate_config_value(:winrm_transport) == 'ssl'
+          if locate_config_value(:aws_user_data)
+            begin
+              user_data = File.readlines(locate_config_value(:aws_user_data))
+              if config[:create_ssl_listener]
+                user_data = process_user_data(user_data)
+              end
+              user_data = user_data.join
+              server_def.merge!(:user_data => user_data)
+            rescue
+              ui.warn("Cannot read #{locate_config_value(:aws_user_data)}: #{$!.inspect}. Ignoring option.")
+            end
+          else
+            if config[:create_ssl_listener]
+              server_def.merge!(:user_data => "<powershell>\n" + ssl_config_user_data + "</powershell>\n")
+            end
+          end
+        else
+          if locate_config_value(:aws_user_data)
+            begin
+              server_def.merge!(:user_data => File.read(locate_config_value(:aws_user_data)))
+            rescue
+              ui.warn("Cannot read #{locate_config_value(:aws_user_data)}: #{$!.inspect}. Ignoring option.")
+            end
           end
         end
 
@@ -933,6 +1082,9 @@ class Chef
           server_def[:block_device_mapping] = (server_def[:block_device_mapping] || []) << {'VirtualName' => "ephemeral#{i}", 'DeviceName' => device_name}
         end
 
+        ## cannot pass disable_api_termination option to the API when using spot instances ##
+        server_def[:disable_api_termination] = locate_config_value(:disable_api_termination) if locate_config_value(:spot_price).nil?
+
         server_def
       end
 
@@ -1040,15 +1192,22 @@ class Chef
       end
 
       def ssh_connect_host
-        @ssh_connect_host ||= if config[:server_connect_attribute]
-                                server.send(config[:server_connect_attribute])
-                              else
-                                if vpc_mode? && !config[:associate_public_ip]
-                                  server.private_ip_address
-                                else
-                                  server.dns_name || server.public_ip_address
-                                end
-                              end
+        unless @ssh_connect_host
+          if config[:server_connect_attribute]
+            connect_attribute = config[:server_connect_attribute]
+          else
+            if vpc_mode? && !(config[:associate_public_ip] || config[:associate_eip])
+              connect_attribute = "private_ip_address"
+            else
+              connect_attribute = server.dns_name ? "dns_name" : "public_ip_address"
+            end
+          end
+
+          @ssh_connect_host = server.send(connect_attribute)
+        end
+
+        puts "\nSSH Target Address: #{@ssh_connect_host}(#{connect_attribute})"
+        @ssh_connect_host
       end
 
       def create_tags(hashed_tags)
@@ -1062,6 +1221,53 @@ class Chef
         @server.wait_for(locate_config_value(:aws_connection_timeout)) { public_ip_address == elastic_ip.public_ip }
       end
 
+      def validate_nics!
+        valid_nic_ids = connection.network_interfaces.all(
+          vpc_mode? ? { 'vpc-id' => vpc_id } : {}
+        ).map(&:network_interface_id)
+        invalid_nic_ids =
+          locate_config_value(:network_interfaces) - valid_nic_ids
+        return true if invalid_nic_ids.empty?
+        ui.error 'The following network interfaces are invalid: ' \
+          "#{invalid_nic_ids.join(', ')}"
+        exit 1
+      end
+
+      def vpc_id
+        @vpc_id ||= begin
+          connection.subnets.get(locate_config_value(:subnet_id)).vpc_id
+        end
+      end
+
+      def wait_for_nic_attachment
+        attached_nics_count = 0
+        until attached_nics_count ==
+              locate_config_value(:network_interfaces).count
+          attachment_nics =
+            locate_config_value(:network_interfaces).map do |nic_id|
+              connection.network_interfaces.get(nic_id).attachment['status']
+            end
+          attached_nics_count = attachment_nics.grep('attached').count
+        end
+      end
+
+      def attach_nics
+        attachments = []
+        config[:network_interfaces].each_with_index do |nic_id, index|
+          attachments << connection.attach_network_interface(nic_id,
+                                                             server.id,
+                                                             index + 1).body
+        end
+        wait_for_nic_attachment
+        # rubocop:disable Style/RedundantReturn
+        return attachments
+        # rubocop:enable Style/RedundantReturn
+      end
+
+      def enable_classic_link(vpc_id, security_group_ids)
+        connection.attach_classic_link_vpc(server.id, vpc_id, security_group_ids)
+      end
+
       def ssh_override_winrm
         # unchanged ssh_user and changed winrm_user, override ssh_user
         if locate_config_value(:ssh_user).eql?(options[:ssh_user][:default]) &&
@@ -1124,7 +1330,7 @@ class Chef
         else
           false
         end
-      rescue SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH, IOError
+      rescue SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH, Errno::ENOTCONN, IOError
         Chef::Log.debug("ssh failed to connect: #{hostname}")
         sleep 2
         false