knife-ec2 0.12.0 → 0.13.0

data/lib/chef/knife/s3_source.rb

@@ -1,49 +1,49 @@
-class Chef
-  class Knife
-    class S3Source
-      attr_accessor :url
-
-      def self.fetch(url)
-        source = Chef::Knife::S3Source.new
-        source.url = url
-        source.body
-      end
-
-      def body
-        bucket_obj.files.get(path).body
-      end
-
-      private
-
-      def bucket_obj
-        @bucket_obj ||= fog.directories.get(bucket)
-      end
-
-      def bucket
-        uri = URI(@url)
-        if uri.scheme == "s3"
-          URI(@url).host
-        else
-          URI(@url).path.split("/")[1]
-        end
-      end
-
-      def path
-        uri = URI(@url)
-        if uri.scheme == "s3"
-          URI(@url).path.sub(/^\//, '')
-        else
-          URI(@url).path.split(bucket).last.sub(/^\//, '')
-        end
-      end
-
-      def fog
-        require 'fog' # lazy load the fog library to speed up the knife run
-        @fog ||= Fog::Storage::AWS.new(
-          aws_access_key_id: Chef::Config[:knife][:aws_access_key_id],
-          aws_secret_access_key: Chef::Config[:knife][:aws_secret_access_key]
-        )
-      end
-    end
-  end
-end
+class Chef
+  class Knife
+    class S3Source
+      attr_accessor :url
+
+      def self.fetch(url)
+        source = Chef::Knife::S3Source.new
+        source.url = url
+        source.body
+      end
+
+      def body
+        bucket_obj.files.get(path).body
+      end
+
+      private
+
+      def bucket_obj
+        @bucket_obj ||= fog.directories.get(bucket)
+      end
+
+      def bucket
+        uri = URI(@url)
+        if uri.scheme == "s3"
+          URI(@url).host
+        else
+          URI(@url).path.split("/")[1]
+        end
+      end
+
+      def path
+        uri = URI(@url)
+        if uri.scheme == "s3"
+          URI(@url).path.sub(/^\//, '')
+        else
+          URI(@url).path.split(bucket).last.sub(/^\//, '')
+        end
+      end
+
+      def fog
+        require 'fog/aws' # lazy load the fog library to speed up the knife run
+        @fog ||= Fog::Storage::AWS.new(
+          aws_access_key_id: Chef::Config[:knife][:aws_access_key_id],
+          aws_secret_access_key: Chef::Config[:knife][:aws_secret_access_key]
+        )
+      end
+    end
+  end
+end

data/lib/knife-ec2/version.rb

@@ -1,6 +1,6 @@
-module Knife
-  module Ec2
-    VERSION = "0.12.0"
-    MAJOR, MINOR, TINY = VERSION.split('.')
-  end
-end
+module Knife
+  module Ec2
+    VERSION = "0.13.0"
+    MAJOR, MINOR, TINY = VERSION.split('.')
+  end
+end

data/spec/spec_helper.rb

@@ -1,18 +1,18 @@
-$:.unshift File.expand_path('../../lib', __FILE__)
-require 'chef'
-require 'chef/knife/winrm_base'
-require 'chef/knife/ec2_server_create'
-require 'chef/knife/ec2_server_delete'
-require 'chef/knife/ec2_server_list'
-
-# Clear config between each example
-# to avoid dependencies between examples
-RSpec.configure do |c|
-  c.raise_errors_for_deprecations!
-  c.filter_run_excluding :exclude => true
-  c.before(:each) do
-    Chef::Config.reset
-    Chef::Config[:knife] ={}
-  end
-end
-
+$:.unshift File.expand_path('../../lib', __FILE__)
+require 'chef'
+require 'chef/knife/winrm_base'
+require 'chef/knife/ec2_server_create'
+require 'chef/knife/ec2_server_delete'
+require 'chef/knife/ec2_server_list'
+
+# Clear config between each example
+# to avoid dependencies between examples
+RSpec.configure do |c|
+  c.raise_errors_for_deprecations!
+  c.filter_run_excluding :exclude => true
+  c.before(:each) do
+    Chef::Config.reset
+    Chef::Config[:knife] ={}
+  end
+end
+

data/spec/unit/ec2_server_create_spec.rb

@@ -20,7 +20,7 @@ require File.expand_path('../../spec_helper', __FILE__)
 require 'net/ssh/proxy/http'
 require 'net/ssh/proxy/command'
 require 'net/ssh/gateway'
-require 'fog'
+require 'fog/aws'
 require 'chef/knife/bootstrap'
 require 'chef/knife/bootstrap_windows_winrm'
 require 'chef/knife/bootstrap_windows_ssh'
@@ -35,11 +35,15 @@ describe Chef::Knife::Ec2ServerCreate do
       :image => 'image',
       :ssh_key_name => 'ssh_key_name',
       :aws_access_key_id => 'aws_access_key_id',
-      :aws_secret_access_key => 'aws_secret_access_key'
+      :aws_secret_access_key => 'aws_secret_access_key',
+      :network_interfaces => ['eni-12345678',
+                              'eni-87654321']
     }.each do |key, value|
       Chef::Config[:knife][key] = value
     end
 
+    @my_vpc = 'vpc-12345678'
+
     @ec2_connection = double(Fog::Compute::AWS)
     allow(@ec2_connection).to receive(:tags).and_return double('create', :create => true)
     allow(@ec2_connection).to receive_message_chain(:images, :get).and_return double('ami', :root_device_type => 'not_ebs', :platform => 'linux')
@@ -49,6 +53,11 @@ describe Chef::Knife::Ec2ServerCreate do
             :server_id => nil,
             :allocation_id => ''})]
 
+    allow(@ec2_connection).to receive(:subnets).and_return [@subnet_1, @subnet_2]
+    allow(@ec2_connection).to receive_message_chain(:network_interfaces, :all).and_return [
+      double('network_interfaces', network_interface_id: 'eni-12345678'),
+      double('network_interfaces', network_interface_id: 'eni-87654321')
+    ]
 
     @ec2_servers = double()
     @new_ec2_server = double()
@@ -98,6 +107,8 @@ describe Chef::Knife::Ec2ServerCreate do
     @validation_key_url = 's3://bucket/foo/bar'
     @validation_key_file = '/tmp/a_good_temp_file'
     @validation_key_body = "TEST VALIDATION KEY\n"
+    @vpc_id = "vpc-1a2b3c4d"
+    @vpc_security_group_ids = ["sg-1a2b3c4d"]
   end
 
   describe "Spot Instance creation" do
@@ -162,6 +173,66 @@ describe Chef::Knife::Ec2ServerCreate do
       expect(@new_ec2_server).to receive(:wait_for).and_return(true)
       @knife_ec2_create.run
     end
+
+    context 'spot-wait-mode option' do
+      context 'when spot-price is not given' do
+        context 'spot-wait-mode option is not given' do
+          before do
+            @knife_ec2_create.config.delete(:spot_price)
+          end
+
+          it 'does not raise error' do
+            expect(@knife_ec2_create.ui).to_not receive(:error).with(
+              'spot-wait-mode option requires that a spot-price option is set.'
+            )
+            expect { @knife_ec2_create.validate! }.to_not raise_error
+          end
+        end
+
+        context 'spot-wait-mode option is given' do
+          before do
+            @knife_ec2_create.config.delete(:spot_price)
+            @knife_ec2_create.config[:spot_wait_mode] = 'wait'
+          end
+
+          it 'raises error' do
+            expect(@knife_ec2_create.ui).to receive(:error).with(
+              'spot-wait-mode option requires that a spot-price option is set.'
+            )
+            expect { @knife_ec2_create.validate! }.to raise_error(SystemExit)
+          end
+        end
+      end
+
+      context 'when spot-price is given' do
+        context 'spot-wait-mode option is not given' do
+          before do
+            @knife_ec2_create.config[:spot_price] = 0.001
+          end
+
+          it 'does not raise error' do
+            expect(@knife_ec2_create.ui).to_not receive(:error).with(
+              'spot-wait-mode option requires that a spot-price option is set.'
+            )
+            expect { @knife_ec2_create.validate! }.to_not raise_error
+          end
+        end
+
+        context 'spot-wait-mode option is given' do
+          before do
+            @knife_ec2_create.config[:spot_price] = 0.001
+            @knife_ec2_create.config[:spot_wait_mode] = 'exit'
+          end
+
+          it 'does not raise error' do
+            expect(@knife_ec2_create.ui).to_not receive(:error).with(
+              'spot-wait-mode option requires that a spot-price option is set.'
+            )
+            expect { @knife_ec2_create.validate! }.to_not raise_error
+          end
+        end
+      end
+    end
   end
 
   describe "run" do
@@ -258,6 +329,17 @@ describe Chef::Knife::Ec2ServerCreate do
       expect(@knife_ec2_create.server).to_not be_nil
     end
 
+    it "creates an EC2 instance, enables ClassicLink and bootstraps it" do
+      @knife_ec2_create.config[:classic_link_vpc_id] = @vpc_id
+      @knife_ec2_create.config[:classic_link_vpc_security_group_ids] = @vpc_security_group_ids
+
+      expect(@ec2_connection).to receive(:attach_classic_link_vpc).with(@ec2_server_attribs[:id], @vpc_id, @vpc_security_group_ids)
+      expect(@new_ec2_server).to receive(:wait_for).and_return(true)
+
+      @knife_ec2_create.run
+      expect(@knife_ec2_create.server).to_not be_nil
+    end
+
     it "retries if it receives Fog::Compute::AWS::NotFound" do
       expect(@new_ec2_server).to receive(:wait_for).and_return(true)
       expect(@knife_ec2_create).to receive(:create_tags).and_raise(Fog::Compute::AWS::NotFound)
@@ -269,10 +351,8 @@ describe Chef::Knife::Ec2ServerCreate do
 
     it 'actually writes to the validation key tempfile' do
       expect(@new_ec2_server).to receive(:wait_for).and_return(true)
-      Chef::Config[:knife][:validation_key_url] =
-        @validation_key_url
-      @knife_ec2_create.config[:validation_key_url] =
-        @validation_key_url
+      Chef::Config[:knife][:validation_key_url] = @validation_key_url
+      @knife_ec2_create.config[:validation_key_url] = @validation_key_url
 
       allow(@knife_ec2_create).to receive_message_chain(:validation_key_tmpfile, :path).and_return(@validation_key_file)
       allow(Chef::Knife::S3Source).to receive(:fetch).with(@validation_key_url).and_return(@validation_key_body)
@@ -423,6 +503,10 @@ describe Chef::Knife::Ec2ServerCreate do
         expect(bootstrap.config[:secret]).to eql("sys-knife-secret")
       end
 
+      it "sets encrypted_data_bag_secret" do
+        expect(bootstrap.config[:encrypted_data_bag_secret]).to eql("sys-knife-secret")
+      end
+
       it "prefers using a provided value instead of the knife confiuration" do
         subject.config[:secret] = "cli-provided-secret"
         expect(bootstrap.config[:secret]).to eql("cli-provided-secret")
@@ -438,6 +522,10 @@ describe Chef::Knife::Ec2ServerCreate do
         expect(bootstrap.config[:secret_file]).to eql("sys-knife-secret-file")
       end
 
+      it "sets encrypted_data_bag_secret_file" do
+        expect(bootstrap.config[:encrypted_data_bag_secret_file]).to eql("sys-knife-secret-file")
+      end
+
       it "prefers using a provided value instead of the knife confiuration" do
         subject.config[:secret_file] = "cli-provided-secret-file"
         expect(bootstrap.config[:secret_file]).to eql("cli-provided-secret-file")
@@ -458,12 +546,41 @@ describe Chef::Knife::Ec2ServerCreate do
     end
   end
 
+  describe 'S3 secret test cases' do
+    before do
+      Chef::Config[:knife][:s3_secret] =
+        's3://test.bucket/folder/encrypted_data_bag_secret'
+      @knife_ec2_create.config[:distro] = 'ubuntu-10.04-magic-sparkles'
+      @secret_content = "TEST DATA BAG SECRET\n"
+      allow(@knife_ec2_create).to receive(:s3_secret).and_return(@secret_content)
+      allow(Chef::Knife).to receive(:Bootstrap)
+      @bootstrap = @knife_ec2_create.bootstrap_for_linux_node(@new_ec2_server, @new_ec2_server.dns_name)
+    end
+
+    context 'when s3 secret option is passed' do
+      it 'sets the s3 secret value to cl_secret key' do
+        @knife_ec2_create.bootstrap_common_params(@bootstrap)
+        expect(Chef::Config[:knife][:cl_secret]).to eql(@secret_content)
+      end
+    end
+
+    context 'when s3 secret option is not passed' do
+      it 'sets the cl_secret value to nil' do
+        Chef::Config[:knife].delete(:s3_secret)
+        Chef::Config[:knife].delete(:cl_secret)
+        @knife_ec2_create.bootstrap_common_params(@bootstrap)
+        expect(Chef::Config[:knife][:cl_secret]).to eql(nil)
+      end
+    end
+  end
+
   context "when deprecated aws_ssh_key_id option is used in knife config and no ssh-key is supplied on the CLI" do
     before do
       Chef::Config[:knife][:aws_ssh_key_id] = "mykey"
       Chef::Config[:knife].delete(:ssh_key_name)
       @aws_key = Chef::Config[:knife][:aws_ssh_key_id]
       allow(@knife_ec2_create).to receive(:ami).and_return(false)
+      allow(@knife_ec2_create).to receive(:validate_nics!).and_return(true)
     end
 
     it "gives warning message and creates the attribute with the required name" do
@@ -478,6 +595,7 @@ describe Chef::Knife::Ec2ServerCreate do
       Chef::Config[:knife][:aws_ssh_key_id] = "mykey"
       @aws_key = Chef::Config[:knife][:aws_ssh_key_id]
       allow(@knife_ec2_create).to receive(:ami).and_return(false)
+      allow(@knife_ec2_create).to receive(:validate_nics!).and_return(true)
     end
 
     it "gives warning message and gives preference to CLI value over knife config's value" do
@@ -491,6 +609,7 @@ describe Chef::Knife::Ec2ServerCreate do
     before do
       Chef::Config[:knife][:ssh_key_name] = "mykey"
       allow(@knife_ec2_create).to receive(:ami).and_return(false)
+      allow(@knife_ec2_create).to receive(:validate_nics!).and_return(true)
     end
 
     it "does nothing" do
@@ -521,7 +640,9 @@ describe Chef::Knife::Ec2ServerCreate do
       @knife_ec2_create.config[:template_file] = '~/.chef/templates/my-bootstrap.sh.erb'
       @knife_ec2_create.config[:distro] = 'ubuntu-10.04-magic-sparkles'
       @knife_ec2_create.config[:run_list] = ['role[base]']
-      @knife_ec2_create.config[:json_attributes] = "{'my_attributes':{'foo':'bar'}"
+      @knife_ec2_create.config[:first_boot_attributes] = "{'my_attributes':{'foo':'bar'}"
+      @knife_ec2_create.config[:first_boot_attributes_from_file] = "{'my_attributes':{'foo':'bar'}"
+
 
       @bootstrap = @knife_ec2_create.bootstrap_for_linux_node(@new_ec2_server, @new_ec2_server.dns_name)
     end
@@ -539,6 +660,10 @@ describe Chef::Knife::Ec2ServerCreate do
       expect(@bootstrap.config[:first_boot_attributes]).to eq("{'my_attributes':{'foo':'bar'}")
     end
 
+    it "should set the bootstrap 'first_boot_attributes_from_file' correctly" do
+      expect(@bootstrap.config[:first_boot_attributes_from_file]).to eq("{'my_attributes':{'foo':'bar'}")
+    end
+
     it "configures sets the bootstrap's run_list" do
       expect(@bootstrap.config[:run_list]).to eq(['role[base]'])
     end
@@ -613,7 +738,7 @@ describe Chef::Knife::Ec2ServerCreate do
       expect(@bootstrap.config[:forward_agent]).to eq(true)
     end
   end
-  
+
   describe "when configuring the winrm bootstrap process for windows" do
     before do
       allow(@knife_ec2_create).to receive(:fetch_server_fqdn).and_return("SERVERNAME")
@@ -628,8 +753,8 @@ describe Chef::Knife::Ec2ServerCreate do
       @knife_ec2_create.config[:template_file] = '~/.chef/templates/my-bootstrap.sh.erb'
       @knife_ec2_create.config[:distro] = 'ubuntu-10.04-magic-sparkles'
       @knife_ec2_create.config[:run_list] = ['role[base]']
-      @knife_ec2_create.config[:json_attributes] = "{'my_attributes':{'foo':'bar'}"
-      @knife_ec2_create.config[:winrm_ssl_verify_mode] = 'basic'
+      @knife_ec2_create.config[:first_boot_attributes] = "{'my_attributes':{'foo':'bar'}"
+      @knife_ec2_create.config[:winrm_ssl_verify_mode] = 'verify_peer'
       @knife_ec2_create.config[:msi_url] = 'https://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chef-client-12.3.0-1.msi'
       @knife_ec2_create.config[:install_as_service] = true
       @knife_ec2_create.config[:session_timeout] = "90"
@@ -679,7 +804,7 @@ describe Chef::Knife::Ec2ServerCreate do
     end
 
     it "should set the bootstrap 'winrm_ssl_verify_mode' correctly" do
-      expect(@bootstrap.config[:winrm_ssl_verify_mode]).to eq("basic")
+      expect(@bootstrap.config[:winrm_ssl_verify_mode]).to eq("verify_peer")
     end
 
     it "should set the bootstrap 'msi_url' correctly" do
@@ -764,7 +889,75 @@ describe Chef::Knife::Ec2ServerCreate do
         @knife_ec2_create.validate!
         expect(Chef::Config[:knife][:aws_access_key_id]).to eq(@access_key_id)
         expect(Chef::Config[:knife][:aws_secret_access_key]).to eq(@secret_key)
-      end      
+      end
+
+      context "when invalid --aws-profile is given" do
+        it "raises exception" do
+          Chef::Config[:knife][:aws_profile] = 'xyz'
+          allow(File).to receive(:read).and_return("[default]\naws_access_key_id=TESTKEY\r\naws_secret_access_key=TESTSECRET")
+          expect{ @knife_ec2_create.validate! }.to raise_error("The provided --aws-profile 'xyz' is invalid.")
+        end
+      end
+    end
+
+
+    describe "when reading aws_config_file" do
+      before do
+        Chef::Config[:knife][:aws_config_file] = '/apple/pear'
+        @region = 'region'
+      end
+
+      it "reads UNIX Line endings" do
+        allow(File).to receive(:read).
+          and_return("[default]\r\nregion=#{@region}")
+        @knife_ec2_create.validate!
+        expect(Chef::Config[:knife][:region]).to eq(@region)
+      end
+
+      it "reads DOS Line endings" do
+        allow(File).to receive(:read).
+          and_return("[default]\r\nregion=#{@region}")
+        @knife_ec2_create.validate!
+        expect(Chef::Config[:knife][:region]).to eq(@region)
+      end
+      it "reads UNIX Line endings for new format" do
+         allow(File).to receive(:read).
+          and_return("[default]\nregion=#{@region}")
+        @knife_ec2_create.validate!
+        expect(Chef::Config[:knife][:region]).to eq(@region)
+      end
+
+      it "reads DOS Line endings for new format" do
+         allow(File).to receive(:read).
+          and_return("[default]\nregion=#{@region}")
+        @knife_ec2_create.validate!
+        expect(Chef::Config[:knife][:region]).to eq(@region)
+      end
+
+      it "loads the correct profile" do
+        Chef::Config[:knife][:aws_profile] = 'other'
+        allow(File).to receive(:read).
+          and_return("[default]\nregion=TESTREGION\n\n[profile other]\nregion=#{@region}")
+        @knife_ec2_create.validate!
+        expect(Chef::Config[:knife][:region]).to eq(@region)
+      end
+
+      context "when invalid --aws-profile is given" do
+        it "raises exception" do
+          Chef::Config[:knife][:aws_profile] = 'xyz'
+          allow(File).to receive(:read).and_return("[default]\nregion=TESTREGION")
+          expect{ @knife_ec2_create.validate! }.to raise_error("The provided --aws-profile 'profile xyz' is invalid.")
+        end
+      end
+
+      context "when aws_profile is passed a 'default' from CLI or knife.rb file" do
+        it 'loads the default profile successfully' do
+          Chef::Config[:knife][:aws_profile] = 'default'
+          allow(File).to receive(:read).and_return("[default]\nregion=#{@region}\n\n[profile other]\nregion=TESTREGION")
+          @knife_ec2_create.validate!
+          expect(Chef::Config[:knife][:region]).to eq(@region)
+        end
+      end
     end
 
     it 'understands that file:// validation key URIs are just paths' do
@@ -782,10 +975,33 @@ describe Chef::Knife::Ec2ServerCreate do
     end
 
     it "disallows security group names when using a VPC" do
-      @knife_ec2_create.config[:subnet_id] = 'subnet-1a2b3c4d'
+      @knife_ec2_create.config[:subnet_id] = @subnet_1_id
+      @knife_ec2_create.config[:security_group_ids] = 'sg-aabbccdd'
+      @knife_ec2_create.config[:security_groups] = 'groupname'
+
+      allow(@ec2_connection).to receive_message_chain(:subnets, :get).with(@subnet_1_id).and_return(@subnet_1)
+
+      expect { @knife_ec2_create.validate! }.to raise_error(SystemExit)
+    end
+
+    it 'disallows invalid network interface ids' do
+      @knife_ec2_create.config[:network_interfaces] = ['INVALID_ID']
+
+      expect { @knife_ec2_create.validate! }.to raise_error(SystemExit)
+    end
+
+    it 'disallows network interfaces not in the right VPC' do
+      @knife_ec2_create.config[:subnet_id] = @subnet_1_id
       @knife_ec2_create.config[:security_group_ids] = 'sg-aabbccdd'
       @knife_ec2_create.config[:security_groups] = 'groupname'
 
+      allow(@ec2_connection).to receive_message_chain(:subnets, :get).with(@subnet_1_id).and_return(@subnet_1)
+
+      allow(@ec2_connection).to receive_message_chain(:network_interfaces, :all).and_return [
+        double('network_interfaces', network_interface_id: 'eni-12345678', vpc_id: 'another_vpc'),
+        double('network_interfaces', network_interface_id: 'eni-87654321', vpc_id: @my_vpc)
+      ]
+
       expect { @knife_ec2_create.validate! }.to raise_error SystemExit
     end
 
@@ -809,6 +1025,23 @@ describe Chef::Knife::Ec2ServerCreate do
       expect { @knife_ec2_create.validate! }.to raise_error SystemExit
     end
 
+    it "disallows setting only one of the two ClassicLink options" do
+      @knife_ec2_create.config[:classic_link_vpc_id] = @vpc_id
+      @knife_ec2_create.config[:classic_link_vpc_security_group_ids] = nil
+
+      expect { @knife_ec2_create.validate! }.to raise_error SystemExit
+    end
+
+    it "disallows ClassicLink with VPC" do
+      @knife_ec2_create.config[:subnet_id] = 'subnet-1a2b3c4d'
+      @knife_ec2_create.config[:classic_link_vpc_id] = @vpc_id
+      @knife_ec2_create.config[:classic_link_vpc_security_group_ids] = @vpc_security_group_ids
+
+      allow(@knife_ec2_create).to receive(:validate_nics!).and_return(true)
+
+      expect { @knife_ec2_create.validate! }.to raise_error SystemExit
+    end
+
     it "disallows ebs provisioned iops option when not using ebs volume type" do
       @knife_ec2_create.config[:ebs_provisioned_iops] = "123"
       @knife_ec2_create.config[:ebs_volume_type] = nil
@@ -1151,8 +1384,8 @@ describe Chef::Knife::Ec2ServerCreate do
   describe "ssh_connect_host" do
     before(:each) do
       allow(@new_ec2_server).to receive_messages(
-        :dns_name => 'public_name',
-        :private_ip_address => 'private_ip',
+        :dns_name => 'public.example.org',
+        :private_ip_address => '192.168.1.100',
         :custom => 'custom',
         :public_ip_address => '111.111.111.111'
       )
@@ -1161,7 +1394,7 @@ describe Chef::Knife::Ec2ServerCreate do
 
     describe "by default" do
       it 'should use public dns name' do
-        expect(@knife_ec2_create.ssh_connect_host).to eq('public_name')
+        expect(@knife_ec2_create.ssh_connect_host).to eq('public.example.org')
       end
     end
 
@@ -1172,10 +1405,29 @@ describe Chef::Knife::Ec2ServerCreate do
       end
     end
 
-    describe "with vpc_mode?" do
-      it 'should use private ip' do
+    context "when vpc_mode? is true" do
+      before do
         allow(@knife_ec2_create).to receive_messages(:vpc_mode? => true)
-        expect(@knife_ec2_create.ssh_connect_host).to eq('private_ip')
+      end
+
+      context "--associate-public-ip is specified" do
+        it "uses the dns_name or public_ip_address" do
+          @knife_ec2_create.config[:associate_public_ip] = true
+          expect(@knife_ec2_create.ssh_connect_host).to eq('public.example.org')
+        end
+      end
+
+      context "--associate-eip is specified" do
+        it "uses the dns_name or public_ip_address" do
+          @knife_ec2_create.config[:associate_eip] = '111.111.111.111'
+          expect(@knife_ec2_create.ssh_connect_host).to eq('public.example.org')
+        end
+      end
+
+      context "with no other ip flags" do
+        it 'uses private_ip_address' do
+          expect(@knife_ec2_create.ssh_connect_host).to eq('192.168.1.100')
+        end
       end
     end
 
@@ -1278,4 +1530,663 @@ describe Chef::Knife::Ec2ServerCreate do
       expect(@knife_ec2_create.tcp_test_ssh("blackhole.ninja", 22)).to be_falsey
     end
   end
+
+  describe 'ssl_config_user_data' do
+    before do
+      @knife_ec2_create.config[:winrm_password] = "ec2@123"
+    end
+
+    context 'For domain user' do 
+      before do
+        @knife_ec2_create.config[:winrm_user] = "domain\\ec2"
+        @ssl_config_data = <<-EOH
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+        EOH
+      end
+
+      it 'gets ssl config user data' do
+        expect(@knife_ec2_create.ssl_config_user_data).to be == @ssl_config_data
+      end
+    end
+
+    context 'For local user' do
+      before do
+        @knife_ec2_create.config[:winrm_user] = ".\\ec2"
+        @ssl_config_data = <<-EOH
+net user /add ec2 ec2@123; 
+net localgroup Administrators /add ec2;
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+        EOH
+
+      end
+
+      it 'gets ssl config user data' do
+        expect(@knife_ec2_create.ssl_config_user_data).to be == @ssl_config_data
+      end
+    end
+  end
+
+  describe 'ssl_config_data_already_exist?' do
+
+    before(:each) do
+      @user_user_data = 'user_user_data.ps1'
+      @knife_ec2_create.config[:winrm_user] = "domain\\ec2"
+      @knife_ec2_create.config[:winrm_password] = "ec2@123"
+      @knife_ec2_create.config[:aws_user_data] = @user_user_data
+    end
+
+    context 'ssl config data does not exist in user supplied user_data' do
+      before do
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+user_command_1\\\\user_command_2\\\\user_command_3
+user_command_4
+          EOH
+        end
+      end
+
+      it 'returns false' do
+        expect(@knife_ec2_create.ssl_config_data_already_exist?).to eq(false)
+      end
+    end
+
+    context 'ssl config data already exist in user supplied user_data' do
+      before do
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+user_command_1
+user_command_2
+
+<powershell>
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+
+          EOH
+        end
+      end
+
+      it 'returns false' do
+        expect(@knife_ec2_create.ssl_config_data_already_exist?).to eq(true)
+      end
+    end
+
+    after(:each) do
+      @knife_ec2_create.config.delete(:aws_user_data)
+      FileUtils.rm_rf @user_user_data
+    end
+  end
+
+  describe 'attach ssl config into user data when transport is ssl' do
+    before(:each) do
+      allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+      Chef::Config[:knife][:ssh_key_name] = "mykey"
+      @knife_ec2_create.config[:ssh_key_name] = "ssh_key_name"
+      @knife_ec2_create.config[:winrm_transport] = "ssl"
+      @knife_ec2_create.config[:create_ssl_listener] = true
+      @knife_ec2_create.config[:winrm_user] = "domain\\ec2"
+      @knife_ec2_create.config[:winrm_password] = "ec2@123"
+    end
+
+    context 'when user_data script provided by user contains only <script> section' do
+      before do
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+          EOH
+        end
+        @server_def_user_data = <<-EOH
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+
+
+<powershell>
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+        EOH
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+      end
+
+      it "appends ssl config to user supplied user_data after <script> tag section" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context 'when user_data script provided by user contains <powershell> section' do
+      before do
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+</powershell>
+          EOH
+        end
+        @server_def_user_data = <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+        EOH
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+      end
+
+      it "appends ssl config to user supplied user_data at the end of <powershell> tag section" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context 'when user_data script provided by user already contains ssl config code' do
+      before do
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+        EOH
+        end
+        @server_def_user_data = <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+        EOH
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+      end
+
+      it "does no modifications and passes user_data as it is to server_def" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context 'when user_data script provided by user has invalid syntax' do
+      before do
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+        EOH
+        end
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+      end
+
+      it "gives error and exits" do
+        expect(@knife_ec2_create.ui).to receive(:error).with("Provided user_data file is invalid.")
+        expect { @knife_ec2_create.create_server_def }.to raise_error SystemExit
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context 'when user_data script provided by user has <powershell> and <script> tag sections' do
+      before do
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+</powershell>
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+        EOH
+        end
+        @server_def_user_data = <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+        EOH
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+      end
+
+      it "appends ssl config to user supplied user_data at the end of <powershell> tag section" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context "when user_data is not supplied by user on cli" do
+      before do
+        @server_def_user_data = <<-EOH
+<powershell>
+
+If (-Not (Get-Service WinRM | Where-Object {$_.status -eq "Running"})) {
+  winrm quickconfig -q
+}
+If (winrm e winrm/config/listener | Select-String -Pattern " Transport = HTTP\\b" -Quiet) {
+  winrm delete winrm/config/listener?Address=*+Transport=HTTP
+}
+$vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/public-ipv4
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+$thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
+$create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
+iex $create_listener_cmd
+
+netsh advfirewall firewall add rule name="WinRM HTTPS" protocol=TCP dir=in Localport=5986 remoteport=any action=allow localip=any remoteip=any profile=any enable=yes
+
+</powershell>
+        EOH
+      end
+
+      it "creates user_data only with default ssl configuration" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+    end
+
+    context "when user has specified --no-create-ssl-listener along with his/her own user_data on cli" do
+      before do
+        @knife_ec2_create.config[:create_ssl_listener] = false
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+</powershell>
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+        EOH
+        end
+        @server_def_user_data = <<-EOH
+<powershell>
+
+Get-DscLocalConfigurationManager > c:\\dsc_data.txt
+
+</powershell>
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+
+</script>
+        EOH
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+      end
+
+      it "does not attach ssl config into the user_data supplied by user on cli" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context "when user has specified --no-create-ssl-listener with no user_data on cli" do
+      before do
+        @knife_ec2_create.config[:create_ssl_listener] = false
+        @server_def_user_data = nil
+      end
+
+      it "creates nil or empty user_data" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+    end
+
+    after(:each) do
+      @knife_ec2_create.config.delete(:ssh_key_name)
+      Chef::Config[:knife].delete(:ssh_key_name)
+      @knife_ec2_create.config.delete(:winrm_transport)
+      @knife_ec2_create.config.delete(:create_ssl_listener)
+    end
+  end
+
+  describe "do not attach ssl config into user data when transport is plaintext" do
+    before(:each) do
+      allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+      Chef::Config[:knife][:ssh_key_name] = "mykey"
+      @knife_ec2_create.config[:ssh_key_name] = "ssh_key_name"
+      @knife_ec2_create.config[:winrm_transport] = "plaintext"
+    end
+
+    context "when user_data is supplied on cli" do
+      before do
+        @user_user_data = 'user_user_data.ps1'
+        File.open(@user_user_data,"w+") do |f|
+          f.write <<-EOH
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+netstat > c:\\netstat_data.txt
+
+</script>
+          EOH
+        end
+        @knife_ec2_create.config[:aws_user_data] = @user_user_data
+        @server_def_user_data = <<-EOH
+<script>
+
+ipconfig > c:\\ipconfig_data.txt
+netstat > c:\\netstat_data.txt
+
+</script>
+        EOH
+      end
+
+      it "user_data is created only with user's user_data" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+
+      after do
+        @knife_ec2_create.config.delete(:aws_user_data)
+        FileUtils.rm_rf @user_user_data
+      end
+    end
+
+    context "when user_data is not supplied on cli" do
+      before do
+        @server_def_user_data = nil
+      end
+
+      it "creates nil or empty user_data" do
+        server_def = @knife_ec2_create.create_server_def
+
+        expect(server_def[:user_data]).to eq(@server_def_user_data)
+      end
+    end
+
+    after(:each) do
+      @knife_ec2_create.config.delete(:ssh_key_name)
+      Chef::Config[:knife].delete(:ssh_key_name)
+      @knife_ec2_create.config.delete(:winrm_transport)
+    end
+  end
+
+  describe 'disable_api_termination option' do
+    context 'spot instance' do
+      context 'disable_api_termination is not passed on CLI or in knife config' do
+        before do
+          allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+          @knife_ec2_create.config[:spot_price] = 0.001
+        end
+
+        it "does not set disable_api_termination option in server_def" do
+          server_def = @knife_ec2_create.create_server_def
+          expect(server_def[:disable_api_termination]).to be == nil
+        end
+
+        it "does not raise error" do
+          expect(@knife_ec2_create.ui).to_not receive(:error).with(
+            "spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances."
+          )
+          expect { @knife_ec2_create.validate! }.to_not raise_error
+        end
+      end
+
+      context 'disable_api_termination is passed on CLI' do
+        before do
+          allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+          @knife_ec2_create.config[:spot_price] = 0.001
+          @knife_ec2_create.config[:disable_api_termination] = true
+        end
+
+        it "raises error" do
+          expect(@knife_ec2_create.ui).to receive(:error).with(
+            "spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances."
+          )
+          expect { @knife_ec2_create.validate! }.to raise_error(SystemExit)
+        end
+      end
+
+      context 'disable_api_termination is passed in knife config' do
+        before do
+          allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+          @knife_ec2_create.config[:spot_price] = 0.001
+          Chef::Config[:knife][:disable_api_termination] = true
+        end
+
+        it "raises error" do
+          expect(@knife_ec2_create.ui).to receive(:error).with(
+            "spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances."
+          )
+          expect { @knife_ec2_create.validate! }.to raise_error(SystemExit)
+        end
+      end
+    end
+
+    context 'non-spot instance' do
+      context 'when disable_api_termination option is not passed on the CLI or in the knife config' do
+        before do
+          allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+        end
+
+        it "sets disable_api_termination option in server_def with value as false" do
+          server_def = @knife_ec2_create.create_server_def
+          expect(server_def[:disable_api_termination]).to be == false
+        end
+
+        it "does not raise error" do
+          expect(@knife_ec2_create.ui).to_not receive(:error).with(
+            "spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances."
+          )
+          expect { @knife_ec2_create.validate! }.to_not raise_error
+        end
+      end
+
+      context "when disable_api_termination option is passed on the CLI" do
+        before do
+          allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+          @knife_ec2_create.config[:disable_api_termination] = true
+        end
+
+        it "sets disable_api_termination option in server_def with value as true" do
+          server_def = @knife_ec2_create.create_server_def
+          expect(server_def[:disable_api_termination]).to be == true
+        end
+
+        it "does not raise error" do
+          expect(@knife_ec2_create.ui).to_not receive(:error).with(
+            "spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances."
+          )
+          expect { @knife_ec2_create.validate! }.to_not raise_error
+        end
+      end
+
+      context "when disable_api_termination option is passed in the knife config" do
+        before do
+          allow(Fog::Compute::AWS).to receive(:new).and_return(@ec2_connection)
+          Chef::Config[:knife][:disable_api_termination] = true
+        end
+
+        it "sets disable_api_termination option in server_def with value as true" do
+          server_def = @knife_ec2_create.create_server_def
+          expect(server_def[:disable_api_termination]).to be == true
+        end
+
+        it "does not raise error" do
+          expect(@knife_ec2_create.ui).to_not receive(:error).with(
+            "spot-price and disable-api-termination options cannot be passed together as 'Termination Protection' cannot be enabled for spot instances."
+          )
+          expect { @knife_ec2_create.validate! }.to_not raise_error
+        end
+      end
+    end
+  end
 end