From 2ba0555a25ffa4bd03d0a4bfaf36344266f80709 Mon Sep 17 00:00:00 2001
From: Ric Featherstone <ric@control-plane.io>
Date: Wed, 1 Nov 2023 10:39:28 +0000
Subject: [PATCH] feat: manage infrastructure

---
 .dockerignore                                 |  19 +++
 .gitignore                                    |   6 +
 Dockerfile                                    |   7 +
 Makefile                                      |  31 ++++
 ansible/init-cluster.yaml                     |  61 +++++++
 ansible/update-known-hosts.yaml               |   8 +
 aws-environment                               |   5 +
 config/.gitkeep                               |   0
 controlplane/aws/aws.go                       |  55 +++++++
 controlplane/cli/image.go                     |  37 +++++
 controlplane/cli/infra.go                     |  47 ++++++
 controlplane/cli/scenario.go                  |  46 ++++++
 controlplane/cli/simulator.go                 |  18 +++
 controlplane/cli/storage.go                   |  33 ++++
 controlplane/cmd/main.go                      |  35 ++++
 controlplane/commands/ansible.go              |  30 ++++
 controlplane/commands/packer.go               |  37 +++++
 controlplane/commands/runner.go               |  57 +++++++
 controlplane/commands/terraform.go            |  49 ++++++
 controlplane/simulator.go                     | 133 +++++++++++++++
 dev.Dockerfile                                |  44 +++++
 docs/terraform-aws-sso.md                     |  31 ++++
 go.mod                                        |  54 ++++++-
 go.sum                                        | 142 ++++++++++++++++
 internal/cli/config.go                        |  45 ++++++
 internal/cli/image.go                         |  47 ++++++
 internal/cli/infra.go                         |  70 ++++++++
 internal/cli/scenario.go                      | 128 +++++++++++++++
 internal/cli/simulator.go                     |  36 +++++
 internal/cli/storage.go                       |  41 +++++
 internal/cmd/main.go                          |   9 ++
 internal/config/config.go                     |  90 +++++++++++
 internal/config/config.yaml                   |   5 +
 internal/container/runner.go                  | 153 ++++++++++++++++++
 scenarios/scenarios.go                        |  66 ++++++++
 terraform/modules/cluster/bastion.tf          |  77 +++++++++
 terraform/modules/cluster/cloud-config.tf     |  21 +++
 terraform/modules/cluster/instances.tf        |  67 ++++++++
 terraform/modules/cluster/key-pairs.tf        |  33 ++++
 terraform/modules/cluster/locals.tf           |  32 ++++
 .../modules/instance-group/instances.tf       |  44 +++++
 .../cluster/modules/instance-group/outputs.tf |   4 +
 .../modules/instance-group/terraform.tf       |  12 ++
 .../modules/instance-group/variables.tf       |  63 ++++++++
 terraform/modules/cluster/outputs.tf          |  27 ++++
 .../modules/cluster/templates/ansible.cfg     |   6 +
 .../cluster/templates/cloud-config.yaml       |  12 ++
 .../modules/cluster/templates/inventory.yaml  |  17 ++
 .../modules/cluster/templates/ssh_config      |  17 ++
 terraform/modules/cluster/terraform.tf        |   9 ++
 terraform/modules/cluster/variables.tf        |  71 ++++++++
 terraform/modules/network/locals.tf           |   4 +
 terraform/modules/network/network.tf          |  53 ++++++
 terraform/modules/network/outputs.tf          |  15 ++
 terraform/modules/network/private.tf          |  33 ++++
 terraform/modules/network/public.tf           |  33 ++++
 terraform/modules/network/terraform.tf        |   9 ++
 terraform/modules/network/variables.tf        |  18 +++
 .../workspaces/simulator/.terraform.lock.hcl  | 138 ++++++++++++++++
 .../workspaces/simulator/admin_config.tf      |  80 +++++++++
 terraform/workspaces/simulator/main.tf        | 136 ++++++++++++++++
 .../workspaces/simulator/player_config.tf     |  46 ++++++
 62 files changed, 2751 insertions(+), 1 deletion(-)
 create mode 100644 .dockerignore
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 Makefile
 create mode 100644 ansible/init-cluster.yaml
 create mode 100644 ansible/update-known-hosts.yaml
 create mode 100644 aws-environment
 create mode 100644 config/.gitkeep
 create mode 100644 controlplane/aws/aws.go
 create mode 100644 controlplane/cli/image.go
 create mode 100644 controlplane/cli/infra.go
 create mode 100644 controlplane/cli/scenario.go
 create mode 100644 controlplane/cli/simulator.go
 create mode 100644 controlplane/cli/storage.go
 create mode 100644 controlplane/cmd/main.go
 create mode 100644 controlplane/commands/ansible.go
 create mode 100644 controlplane/commands/packer.go
 create mode 100644 controlplane/commands/runner.go
 create mode 100644 controlplane/commands/terraform.go
 create mode 100644 controlplane/simulator.go
 create mode 100644 dev.Dockerfile
 create mode 100644 docs/terraform-aws-sso.md
 create mode 100644 go.sum
 create mode 100644 internal/cli/config.go
 create mode 100644 internal/cli/image.go
 create mode 100644 internal/cli/infra.go
 create mode 100644 internal/cli/scenario.go
 create mode 100644 internal/cli/simulator.go
 create mode 100644 internal/cli/storage.go
 create mode 100644 internal/cmd/main.go
 create mode 100644 internal/config/config.go
 create mode 100644 internal/config/config.yaml
 create mode 100644 internal/container/runner.go
 create mode 100644 scenarios/scenarios.go
 create mode 100644 terraform/modules/cluster/bastion.tf
 create mode 100644 terraform/modules/cluster/cloud-config.tf
 create mode 100644 terraform/modules/cluster/instances.tf
 create mode 100644 terraform/modules/cluster/key-pairs.tf
 create mode 100644 terraform/modules/cluster/locals.tf
 create mode 100644 terraform/modules/cluster/modules/instance-group/instances.tf
 create mode 100644 terraform/modules/cluster/modules/instance-group/outputs.tf
 create mode 100644 terraform/modules/cluster/modules/instance-group/terraform.tf
 create mode 100644 terraform/modules/cluster/modules/instance-group/variables.tf
 create mode 100644 terraform/modules/cluster/outputs.tf
 create mode 100644 terraform/modules/cluster/templates/ansible.cfg
 create mode 100644 terraform/modules/cluster/templates/cloud-config.yaml
 create mode 100644 terraform/modules/cluster/templates/inventory.yaml
 create mode 100644 terraform/modules/cluster/templates/ssh_config
 create mode 100644 terraform/modules/cluster/terraform.tf
 create mode 100644 terraform/modules/cluster/variables.tf
 create mode 100644 terraform/modules/network/locals.tf
 create mode 100644 terraform/modules/network/network.tf
 create mode 100644 terraform/modules/network/outputs.tf
 create mode 100644 terraform/modules/network/private.tf
 create mode 100644 terraform/modules/network/public.tf
 create mode 100644 terraform/modules/network/terraform.tf
 create mode 100644 terraform/modules/network/variables.tf
 create mode 100644 terraform/workspaces/simulator/.terraform.lock.hcl
 create mode 100644 terraform/workspaces/simulator/admin_config.tf
 create mode 100644 terraform/workspaces/simulator/main.tf
 create mode 100644 terraform/workspaces/simulator/player_config.tf

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..1e1a78cc
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,19 @@
+.idea/
+.git/
+.simulator/
+bin/
+config/
+docs/
+internal/
+simulation-scripts/
+terraform/workspaces/simulator/.terraform/
+.dockerignore
+.editorconfig
+.gitignore
+aws-environment
+dev.Dockerfile
+Dockerfile
+LICENSE
+Makefile
+README.md
+SECURITY.md
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..584fcefa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+.idea/
+.simulator/
+config/*
+!config/.gitkeep
+bin/
+terraform/workspaces/simulator/.terraform/
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..8249759f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+FROM controlplane/simulator:dev
+
+COPY --chown=ubuntu:ubuntu packer packer
+COPY --chown=ubuntu:ubuntu terraform terraform
+COPY --chown=ubuntu:ubuntu scenarios scenarios
+
+RUN cd terraform/workspaces/simulator && terraform init -backend=false
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..71f6ceb4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,31 @@
+SIMULATOR_IMAGE ?= controlplane/simulator
+
+simulator-dev-image:
+	docker build -t $(SIMULATOR_IMAGE):dev -f dev.Dockerfile .
+
+simulator-dev-image-run:
+	docker run -it --rm \
+		-v ~/.aws:/home/ubuntu/.aws \
+		-v $(shell pwd)/ansible:/simulator/ansible \
+		-v $(shell pwd)/config:/simulator/config:rw \
+		-v $(shell pwd)/packer:/simulator/packer \
+		-v $(shell pwd)/terraform:/simulator/terraform \
+		--env-file aws-environment \
+		--entrypoint bash \
+		$(SIMULATOR_IMAGE):dev \
+
+simulator-image: simulator-dev-image
+	docker build -t $(SIMULATOR_IMAGE) .
+
+simulator-image-run:
+	docker run -it --rm \
+		-v ~/.aws:/home/ubuntu/.aws \
+		-v $(shell pwd)/config:/simulator/config:rw \
+		--env-file aws-environment \
+		--entrypoint bash \
+		$(SIMULATOR_IMAGE):latest \
+
+simulator-cli:
+	go build -v -o bin/simulator internal/cmd/main.go
+
+
diff --git a/ansible/init-cluster.yaml b/ansible/init-cluster.yaml
new file mode 100644
index 00000000..bb61a44a
--- /dev/null
+++ b/ansible/init-cluster.yaml
@@ -0,0 +1,61 @@
+---
+
+- name: Initialise the kubernetes cluster
+  hosts: all
+  gather_facts: no
+  become: yes
+  tasks:
+    - name: Run kubeadm init
+      ansible.builtin.shell:
+        cmd: kubeadm init
+        creates: /etc/kubernetes/admin.conf
+      when: inventory_hostname in groups['masters'][0]
+
+    - name: Create join command
+      ansible.builtin.shell: kubeadm token create --print-join-command
+      become: yes
+      register: join_command
+      when: inventory_hostname in groups['masters'][0]
+
+    - name: Join nodes
+      ansible.builtin.shell: "{{ hostvars[groups['masters'][0]].join_command.stdout }}"
+      when: inventory_hostname in groups['nodes']
+
+    - name: Create .kube directories on bastion
+      ansible.builtin.file:
+        path: "/home/{{ item }}/.kube"
+        state: directory
+        owner: "{{ item }}"
+        group: "{{ item }}"
+        mode: '0755'
+      loop:
+        - ubuntu
+        - player
+      when: "'bastion' in inventory_hostname"
+
+    - name: Retrieve kubeconfig from master
+      ansible.builtin.fetch:
+        src: /etc/kubernetes/admin.conf
+        dest: kubeconfig
+        flat: yes
+      when: "'master-1' in inventory_hostname"
+
+    - name: Copy kubeconfig to bastion
+      ansible.builtin.copy:
+        src: kubeconfig
+        dest: "/home/{{ item }}/.kube/config"
+        owner: "{{ item }}"
+        group: "{{ item }}"
+        mode: 0440
+      loop:
+        - ubuntu
+        - player
+      when: "'bastion' in inventory_hostname"
+
+    - name: Remove pulled kubeconfig
+      ansible.builtin.file:
+        path: kubeconfig
+        state: absent
+      become: no
+      run_once: yes
+      delegate_to: localhost
diff --git a/ansible/update-known-hosts.yaml b/ansible/update-known-hosts.yaml
new file mode 100644
index 00000000..571aff25
--- /dev/null
+++ b/ansible/update-known-hosts.yaml
@@ -0,0 +1,8 @@
+---
+
+- hosts: all
+  gather_facts: no
+  become: no
+  tasks:
+    - ansible.builtin.wait_for_connection:
+    - ansible.builtin.ping:
diff --git a/aws-environment b/aws-environment
new file mode 100644
index 00000000..05f5f543
--- /dev/null
+++ b/aws-environment
@@ -0,0 +1,5 @@
+AWS_PROFILE
+AWS_REGION
+AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY
+AWS_SESSION_TOKEN
diff --git a/config/.gitkeep b/config/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/controlplane/aws/aws.go b/controlplane/aws/aws.go
new file mode 100644
index 00000000..3322e76d
--- /dev/null
+++ b/controlplane/aws/aws.go
@@ -0,0 +1,55 @@
+package aws
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+)
+
+var (
+	Env []string
+)
+
+func CreateBucket(ctx context.Context, name string) error {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		slog.Error("failed to create aws config", "error", err)
+	}
+
+	client := s3.NewFromConfig(cfg)
+	_, err = client.CreateBucket(ctx, &s3.CreateBucketInput{
+		Bucket: aws.String(name),
+		CreateBucketConfiguration: &types.CreateBucketConfiguration{
+			LocationConstraint: types.BucketLocationConstraintEuWest2, // TODO: lookup AWS_REGION
+		},
+	})
+	if err != nil { // TODO: ignore bucket already exists, and you own it
+		slog.Error("failed to create s3 bucket", "error", err)
+		return err
+	}
+
+	return nil
+}
+
+func init() {
+	envKeys := []string{
+		"AWS_PROFILE",
+		"AWS_REGION",
+		"AWS_ACCESS_KEY_ID",
+		"AWS_SECRET_ACCESS_KEY",
+		"AWS_SESSION_TOKEN",
+	}
+
+	for _, key := range envKeys {
+		value, ok := os.LookupEnv(key)
+		if ok && len(value) > 0 {
+			Env = append(Env, fmt.Sprintf("%s=%s", key, value))
+		}
+	}
+}
diff --git a/controlplane/cli/image.go b/controlplane/cli/image.go
new file mode 100644
index 00000000..f41361f9
--- /dev/null
+++ b/controlplane/cli/image.go
@@ -0,0 +1,37 @@
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/controlplane"
+)
+
+var (
+	template string
+)
+
+var imageCmd = &cobra.Command{
+	Use: "image",
+}
+
+var buildCmd = &cobra.Command{
+	Use: "build",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		cp := controlplane.New()
+		return cp.BuildImage(ctx, controlplane.PackerTemplate(template))
+	},
+}
+
+func init() {
+	buildCmd.Flags().StringVar(&template, "template", "", "the packer template to build")
+
+	imageCmd.AddCommand(buildCmd)
+	simulatorCmd.AddCommand(imageCmd)
+}
diff --git a/controlplane/cli/infra.go b/controlplane/cli/infra.go
new file mode 100644
index 00000000..73b51299
--- /dev/null
+++ b/controlplane/cli/infra.go
@@ -0,0 +1,47 @@
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/controlplane"
+)
+
+var infraCmd = &cobra.Command{
+	Use: "infra",
+}
+
+var createCmd = &cobra.Command{
+	Use: "create",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		cp := controlplane.New()
+		return cp.CreateInfrastructure(ctx, bucket, key, name)
+	},
+}
+
+var destroyCmd = &cobra.Command{
+	Use: "destroy",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		cp := controlplane.New()
+		return cp.DestroyInfrastructure(ctx, bucket, key, name)
+	},
+}
+
+func init() {
+	infraCmd.PersistentFlags().StringVar(&bucket, "bucket", "", "the s3 bucket to use")
+	infraCmd.PersistentFlags().StringVar(&key, "key", "state/terraform.tfstate", "the key to store state in the s3 bucket")
+	infraCmd.PersistentFlags().StringVar(&name, "name", "", "the name for the infrastructure")
+
+	infraCmd.AddCommand(createCmd)
+	infraCmd.AddCommand(destroyCmd)
+	simulatorCmd.AddCommand(infraCmd)
+}
diff --git a/controlplane/cli/scenario.go b/controlplane/cli/scenario.go
new file mode 100644
index 00000000..2c8eeeed
--- /dev/null
+++ b/controlplane/cli/scenario.go
@@ -0,0 +1,46 @@
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/controlplane"
+)
+
+var scenarioCmd = &cobra.Command{
+	Use: "scenario",
+}
+
+var installCmd = &cobra.Command{
+	Use: "install",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		cp := controlplane.New()
+		return cp.InstallScenario(ctx, name)
+	},
+}
+
+var uninstallCmd = &cobra.Command{
+	Use: "uninstall",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		cp := controlplane.New()
+		return cp.UninstallScenario(ctx, name)
+	},
+}
+
+func init() {
+	scenarioCmd.PersistentFlags().StringVar(&name, "name", "", "the name of the scenario to deploy")
+
+	scenarioCmd.AddCommand(installCmd)
+	scenarioCmd.AddCommand(uninstallCmd)
+	simulatorCmd.AddCommand(scenarioCmd)
+
+}
diff --git a/controlplane/cli/simulator.go b/controlplane/cli/simulator.go
new file mode 100644
index 00000000..6a3657de
--- /dev/null
+++ b/controlplane/cli/simulator.go
@@ -0,0 +1,18 @@
+package cli
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var (
+	bucket, key, name string
+)
+
+var simulatorCmd = &cobra.Command{
+	Use: "simulator",
+}
+
+func Execute() {
+	err := simulatorCmd.Execute()
+	cobra.CheckErr(err)
+}
diff --git a/controlplane/cli/storage.go b/controlplane/cli/storage.go
new file mode 100644
index 00000000..33a9e662
--- /dev/null
+++ b/controlplane/cli/storage.go
@@ -0,0 +1,33 @@
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/controlplane"
+)
+
+var bucketCmd = &cobra.Command{
+	Use: "bucket",
+}
+
+var createBucketCmd = &cobra.Command{
+	Use: "create",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		cp := controlplane.New()
+		return cp.CreateBucket(ctx, bucket)
+	},
+}
+
+func init() {
+	createBucketCmd.Flags().StringVar(&bucket, "name", "", "the name of the bucket to create")
+
+	bucketCmd.AddCommand(createBucketCmd)
+	simulatorCmd.AddCommand(bucketCmd)
+}
diff --git a/controlplane/cmd/main.go b/controlplane/cmd/main.go
new file mode 100644
index 00000000..dd088d8d
--- /dev/null
+++ b/controlplane/cmd/main.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+	"log/slog"
+	"os"
+
+	"github.com/controlplaneio/simulator/controlplane/cli"
+)
+
+const (
+	LogLevel = "LOG_LEVEL"
+)
+
+func main() {
+	level, ok := os.LookupEnv(LogLevel)
+	if !ok {
+		level = "info"
+	}
+
+	var sLevel slog.Level
+
+	switch level {
+	case "debug":
+		sLevel = slog.LevelDebug
+	case "info":
+		sLevel = slog.LevelInfo
+	}
+
+	logger := slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+		Level: sLevel,
+	}))
+	slog.SetDefault(logger)
+
+	cli.Execute()
+}
diff --git a/controlplane/commands/ansible.go b/controlplane/commands/ansible.go
new file mode 100644
index 00000000..e42c0a4d
--- /dev/null
+++ b/controlplane/commands/ansible.go
@@ -0,0 +1,30 @@
+package commands
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	AnsiblePlaybook Executable = "ansible-playbook"
+)
+
+func AnsiblePlaybookCommand(workingDir, playbook string, extraVars ...string) Runnable {
+	args := []string{
+		fmt.Sprintf("%s/%s.yaml", workingDir, playbook),
+	}
+
+	if len(extraVars) > 0 {
+		args = append(args,
+			"--extra-vars",
+			fmt.Sprintf("\"%s\"", strings.Join(extraVars, " ")),
+		)
+	}
+
+	return command{
+		Executable:  AnsiblePlaybook,
+		WorkingDir:  workingDir,
+		Environment: nil,
+		Arguments:   args,
+	}
+}
diff --git a/controlplane/commands/packer.go b/controlplane/commands/packer.go
new file mode 100644
index 00000000..dbfcfeef
--- /dev/null
+++ b/controlplane/commands/packer.go
@@ -0,0 +1,37 @@
+package commands
+
+import (
+	"github.com/controlplaneio/simulator/controlplane/aws"
+)
+
+const (
+	Packer Executable = "packer"
+)
+
+func PackerInitCommand(workingDir, template string) Runnable {
+	args := []string{
+		"init",
+		template,
+	}
+
+	return command{
+		Executable:  Packer,
+		WorkingDir:  workingDir,
+		Environment: aws.Env,
+		Arguments:   args,
+	}
+}
+
+func PackerBuildCommand(workingDir, template string) Runnable {
+	args := []string{
+		"build",
+		template,
+	}
+
+	return command{
+		Executable:  Packer,
+		WorkingDir:  workingDir,
+		Environment: aws.Env,
+		Arguments:   args,
+	}
+}
diff --git a/controlplane/commands/runner.go b/controlplane/commands/runner.go
new file mode 100644
index 00000000..405a630b
--- /dev/null
+++ b/controlplane/commands/runner.go
@@ -0,0 +1,57 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+type Executable string
+
+type Runnable interface {
+	Run(ctx context.Context) error
+}
+
+type command struct {
+	Executable  Executable
+	WorkingDir  string
+	Environment []string
+	Arguments   []string
+}
+
+func (c command) Run(ctx context.Context) error {
+	cmd := exec.CommandContext(ctx, string(c.Executable), c.Arguments...)
+	cmd.Dir = c.WorkingDir
+	cmd.Env = c.Environment
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	slog.Debug("running", "command", c)
+
+	// TODO: Ensure ctrl-c stops the command
+	err := cmd.Run()
+	if err != nil {
+		slog.Error("failed to run", "command", c)
+	}
+
+	return err
+}
+
+func (c command) LogValue() slog.Value {
+	cmd := fmt.Sprintf("%s %s", c.Executable, strings.Join(c.Arguments, " "))
+	var env []string
+
+	// Only log env keys, not values
+	for _, value := range c.Environment {
+		env = append(env, value[:strings.Index(value, "=")])
+	}
+
+	return slog.GroupValue(
+		slog.String("cmd", cmd),
+		slog.String("dir", c.WorkingDir),
+		slog.String("env", strings.Join(env, ",")),
+	)
+}
diff --git a/controlplane/commands/terraform.go b/controlplane/commands/terraform.go
new file mode 100644
index 00000000..e364b0a4
--- /dev/null
+++ b/controlplane/commands/terraform.go
@@ -0,0 +1,49 @@
+package commands
+
+import (
+	"github.com/controlplaneio/simulator/controlplane/aws"
+)
+
+type TerraformCommandType bool
+
+const (
+	Terraform        Executable           = "terraform"
+	TerraformApply   TerraformCommandType = true
+	TerraformDestroy TerraformCommandType = false
+)
+
+func TerraformInitCommand(workingDir string, backendConfig []string) Runnable {
+	args := []string{
+		"init",
+		"-reconfigure",
+	}
+
+	args = append(args, backendConfig...)
+
+	return command{
+		Executable:  Terraform,
+		WorkingDir:  workingDir,
+		Environment: aws.Env,
+		Arguments:   args,
+	}
+}
+
+func TerraformCommand(workingDir string, apply TerraformCommandType, vars []string) Runnable {
+	args := []string{
+		"apply",
+		"-auto-approve",
+	}
+
+	args = append(args, vars...)
+
+	if !apply {
+		args = append(args, "-destroy")
+	}
+
+	return command{
+		Executable:  Terraform,
+		WorkingDir:  workingDir,
+		Environment: aws.Env,
+		Arguments:   args,
+	}
+}
diff --git a/controlplane/simulator.go b/controlplane/simulator.go
new file mode 100644
index 00000000..726eefbd
--- /dev/null
+++ b/controlplane/simulator.go
@@ -0,0 +1,133 @@
+package controlplane
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"path/filepath"
+
+	"github.com/controlplaneio/simulator/controlplane/aws"
+	"github.com/controlplaneio/simulator/controlplane/commands"
+)
+
+type PackerTemplate string
+
+const (
+	BastionImage PackerTemplate = "bastion"
+	K8sImage     PackerTemplate = "k8s"
+
+	SimulatorDir = "/simulator"
+	Home         = "config"
+	Scenarios    = "scenarios"
+	Packer       = "packer"
+	Terraform    = "terraform"
+)
+
+var (
+	HomeDir         = filepath.Join(SimulatorDir, Home)
+	AdminConfigDir  = filepath.Join(HomeDir, "admin")
+	PlayerConfigDir = filepath.Join(HomeDir, "player")
+
+	AnsibleDir                = filepath.Join(SimulatorDir, Scenarios)
+	AnsiblePlaybookDir string = filepath.Join(AnsibleDir, "playbooks")
+
+	PackerTemplateDir string = filepath.Join(SimulatorDir, Packer)
+
+	TerraformDir          = filepath.Join(SimulatorDir, Terraform)
+	TerraformWorkspaceDir = filepath.Join(TerraformDir, "workspaces/simulator")
+)
+
+func New() Simulator {
+	return simulator{}
+}
+
+type Simulator interface {
+	// CreateBucket creates the S3 bucket used to store Simulator state.
+	CreateBucket(ctx context.Context, name string) error
+	// BuildImage runs Packer to create the specified AMI.
+	BuildImage(ctx context.Context, name PackerTemplate) error
+	// CreateInfrastructure runs Terraform to create the Simulator infrastructure.
+	CreateInfrastructure(ctx context.Context, bucket string, key string, name string) error
+	// DestroyInfrastructure runs Terraform to destroy the Simulator infrastructure.
+	DestroyInfrastructure(ctx context.Context, bucket string, key string, name string) error
+	// InstallScenario installs a scenario on the Simulator infrastructure.
+	InstallScenario(ctx context.Context, name string) error
+	// UninstallScenario uninstalls a scenario from the Simulator infrastructure.
+	UninstallScenario(ctx context.Context, name string) error
+}
+
+type simulator struct {
+}
+
+func (s simulator) CreateBucket(ctx context.Context, name string) error {
+	slog.Debug("simulator init", "name", name)
+
+	return aws.CreateBucket(ctx, name)
+}
+
+func (s simulator) BuildImage(ctx context.Context, name PackerTemplate) error {
+	slog.Debug("simulator build", "image", name)
+
+	err := commands.PackerInitCommand(PackerTemplateDir, string(name)).Run(ctx)
+	if err != nil {
+		return err
+	}
+
+	return commands.PackerBuildCommand(PackerTemplateDir, string(name)).Run(ctx)
+}
+
+func (s simulator) CreateInfrastructure(ctx context.Context, bucket, key, name string) error {
+	slog.Debug("simulator create infrastructure", "bucket", bucket, "key", key, "name", name)
+
+	err := commands.TerraformInitCommand(TerraformWorkspaceDir, backendConfig(bucket, key)).Run(ctx)
+	if err != nil {
+		return err
+	}
+
+	return commands.TerraformCommand(TerraformWorkspaceDir, commands.TerraformApply, terraformVars(name, bucket)).Run(ctx)
+}
+
+func (s simulator) DestroyInfrastructure(ctx context.Context, bucket, key, name string) error {
+	slog.Debug("simulator destroy infrastructure", "bucket", bucket, "key", key, "name", name)
+
+	err := commands.TerraformInitCommand(TerraformWorkspaceDir, backendConfig(bucket, key)).Run(ctx)
+	if err != nil {
+		return err
+	}
+
+	return commands.TerraformCommand(TerraformWorkspaceDir, commands.TerraformDestroy, terraformVars(name, bucket)).Run(ctx)
+}
+
+func (s simulator) InstallScenario(ctx context.Context, name string) error {
+	slog.Debug("simulator install", "scenario", name)
+
+	return commands.AnsiblePlaybookCommand(AdminConfigDir, name).Run(ctx)
+}
+
+func (s simulator) UninstallScenario(ctx context.Context, name string) error {
+	slog.Debug("simulator uninstall", "scenario", name)
+
+	return commands.AnsiblePlaybookCommand(name, "state=absent").Run(ctx)
+}
+
+func backendConfig(bucket, key string) []string {
+	return []string{
+		"-backend-config",
+		fmt.Sprintf("bucket=%s", bucket),
+		"-backend-config",
+		fmt.Sprintf("key=%s", key),
+	}
+}
+
+func terraformVars(name, bucket string) []string {
+	return []string{
+		"-var",
+		fmt.Sprintf("name=%s", name),
+		"-var",
+		fmt.Sprintf("bucket=%s", bucket),
+		"-var",
+		fmt.Sprintf("admin_config_dir=%s", AdminConfigDir),
+		"-var",
+		fmt.Sprintf("player_config_dir=%s", PlayerConfigDir),
+	}
+}
diff --git a/dev.Dockerfile b/dev.Dockerfile
new file mode 100644
index 00000000..f1a1fda1
--- /dev/null
+++ b/dev.Dockerfile
@@ -0,0 +1,44 @@
+ARG GOLANG_IMAGE=golang:1.21.3-alpine3.18@sha256:27c76dcf886c5024320f4fa8ceb57d907494a3bb3d477d0aa7ac8385acd871ea
+ARG GOLANGCI_LINT_IMAGE=golangci/golangci-lint:latest@sha256:c87d8a1a6521748fee124920c8e9302934ed26c9d3d48982449192b420a34686
+ARG PACKER_IMAGE=hashicorp/packer:1.9@sha256:03808122fbfdd88e03be0d21cce9b3317778319b415c77e88efe1a98db82c76a
+ARG TERRAFORM_IMAGE=hashicorp/terraform:1.5@sha256:c3bc74e7a2a8fab8216cbbedf12a9637db09288806a6aa537b6f397cba04dd93
+ARG UBUNTU_IMAGE=ubuntu:mantic@sha256:13f233a16be210b57907b98b0d927ceff7571df390701e14fe1f3901b2c4a4d7
+
+FROM ${GOLANGCI_LINT_IMAGE}
+
+WORKDIR /app
+
+COPY . .
+
+RUN /usr/bin/golangci-lint run -v
+
+FROM ${GOLANG_IMAGE} as BUILDER
+
+WORKDIR /build
+
+COPY go.* ./
+RUN go mod download
+
+COPY . .
+
+RUN go build -v -o /simulator controlplane/cmd/main.go
+
+FROM ${PACKER_IMAGE} as PACKER
+FROM ${TERRAFORM_IMAGE} as TERRAFORM
+FROM ${UBUNTU_IMAGE}
+
+WORKDIR simulator
+
+COPY --from=PACKER /bin/packer /usr/local/bin/packer
+COPY --from=TERRAFORM /bin/terraform /usr/local/bin/terraform
+
+RUN apt update && \
+    apt install -y ca-certificates openssh-client ansible-core && \
+    rm -rf /var/lib/apt/lists/* && \
+    ansible-galaxy collection install kubernetes.core
+
+COPY --from=BUILDER /simulator /usr/local/bin/simulator
+
+USER ubuntu
+
+ENTRYPOINT ["/usr/local/bin/simulator"]
diff --git a/docs/terraform-aws-sso.md b/docs/terraform-aws-sso.md
new file mode 100644
index 00000000..9d1547e5
--- /dev/null
+++ b/docs/terraform-aws-sso.md
@@ -0,0 +1,31 @@
+# Terraform AWS SSO Issue
+
+Terraform doesn't support SSO correctly until v1.6.
+
+You should be able to create a specific profile for running Terraform as detailed
+[here](https://github.com/gruntwork-io/terragrunt/issues/2604#issuecomment-1692391611).
+
+If that doesn't work, and you get an error like this:
+
+```shell
+Initializing the backend...
+╷
+│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
+│
+│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
+│ for more information about providing credentials.
+│
+│ Error: ProcessProviderExecutionError: error in credential_process
+│ caused by: exec: "sh": executable file not found in $PATH
+```
+
+You can export the required environment variables like this:
+
+```shell
+export AWS_REGION=...
+aws sso login --profile simulator
+source <(aws configure export-credentials --profile simulator --format env)
+```
+
+Be careful with timeouts, as this does not last as long as regular SSO credentials, so source the environment variables
+before you run a Terraform or Packer command
diff --git a/go.mod b/go.mod
index d3a333af..c1b6ee20 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,55 @@
 module github.com/controlplaneio/simulator
 
-go 1.21.0
+go 1.21
+
+require (
+	github.com/aws/aws-sdk-go-v2 v1.21.2
+	github.com/aws/aws-sdk-go-v2/config v1.19.0
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2
+	github.com/docker/docker v24.0.6+incompatible
+	github.com/opencontainers/image-spec v1.0.2
+	github.com/spf13/cobra v1.7.0
+	gopkg.in/yaml.v2 v2.2.8
+)
+
+require (
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect
+	github.com/aws/smithy-go v1.15.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/distribution/reference v0.5.0 // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/moby/term v0.5.0 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/testify v1.8.4 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/net v0.15.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 00000000..2f520ed9
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,142 @@
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA=
+github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY=
+github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0=
+github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 h1:wmGLw2i8ZTlHLw7a9ULGfQbuccw8uIiNr6sol5bFzc8=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6/go.mod h1:Q0Hq2X/NuL7z8b1Dww8rmOFl+jzusKEcyvkKspwdpyc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 h1:skaFGzv+3kA+v2BPKhuekeb1Hbb105+44r8ASC+q5SE=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38/go.mod h1:epIZoRSSbRIwLPJU5F+OldHhwZPBdpDeQkRdCeY3+00=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 h1:9ulSU5ClouoPIYhDQdg9tpl83d5Yb91PXTKK+17q+ow=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6/go.mod h1:lnc2taBsR9nTlz9meD+lhFZZ9EWY712QHrRflWpTcOA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 h1:Ll5/YVCOzRB+gxPqs2uD0R7/MyATC0w85626glSKmp4=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2/go.mod h1:Zjfqt7KhQK+PO1bbOsFNzKgaq7TcxzmEoDWN8lM0qzQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k=
+github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg=
+github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ=
+github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8=
+github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
+github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE=
+github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
+github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
diff --git a/internal/cli/config.go b/internal/cli/config.go
new file mode 100644
index 00000000..41fe3bb6
--- /dev/null
+++ b/internal/cli/config.go
@@ -0,0 +1,45 @@
+package cli
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var name, bucket string
+var dev bool
+
+var configCmd = &cobra.Command{
+	Use:   "config",
+	Short: "Configure the simulator cli",
+	Run: func(cmd *cobra.Command, args []string) {
+		baseDir, err := os.Getwd()
+		cobra.CheckErr(err)
+
+		cfg.BaseDir = baseDir
+
+		if name != "" {
+			cfg.Name = name
+		}
+
+		if bucket != "" {
+			cfg.Bucket = bucket
+		}
+
+		if dev {
+			cfg.Cli.Dev = true
+			cfg.Container.Image = "controlplane/simulator:dev"
+		} else {
+			cfg.Cli.Dev = false
+			cfg.Container.Image = "controlplane/simulator:latest"
+		}
+	},
+}
+
+func init() {
+	configCmd.PersistentFlags().StringVar(&name, "name", "simulator", "the name for the infrastructure")
+	configCmd.PersistentFlags().StringVar(&bucket, "bucket", "", "the s3 bucket used for storage")
+	configCmd.PersistentFlags().BoolVar(&dev, "dev", false, "developer mode")
+
+	simulatorCmd.AddCommand(configCmd)
+}
diff --git a/internal/cli/image.go b/internal/cli/image.go
new file mode 100644
index 00000000..e3d83656
--- /dev/null
+++ b/internal/cli/image.go
@@ -0,0 +1,47 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/internal/container"
+)
+
+var imageCmd = &cobra.Command{
+	Use: "image",
+}
+
+var template string
+
+var imageBuildCmd = &cobra.Command{
+	Use:   "build",
+	Short: "Build the packer image",
+	Run: func(cmd *cobra.Command, args []string) {
+		runner := container.New(cfg)
+
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+		defer stop()
+
+		command := []string{
+			"image",
+			"build",
+			"--template",
+			fmt.Sprintf("%s.pkr.hcl", template),
+		}
+
+		err := runner.Run(ctx, command)
+		cobra.CheckErr(err)
+	},
+}
+
+func init() {
+	imageBuildCmd.Flags().StringVar(&template, "template", "", "the packer template to build; bastion, or k8s")
+	imageCmd.AddCommand(imageBuildCmd)
+
+	simulatorCmd.AddCommand(imageCmd)
+}
diff --git a/internal/cli/infra.go b/internal/cli/infra.go
new file mode 100644
index 00000000..ff5a6cef
--- /dev/null
+++ b/internal/cli/infra.go
@@ -0,0 +1,70 @@
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/internal/container"
+)
+
+var infraCmd = &cobra.Command{
+	Use:   "infra [command]",
+	Short: "Manage the simulator infrastructure",
+}
+
+var infraCreateCmd = &cobra.Command{
+	Use:   "create",
+	Short: "Create simulator infrastructure",
+	Run: func(cmd *cobra.Command, args []string) {
+		runner := container.New(cfg)
+
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+		defer stop()
+
+		command := []string{
+			"infra",
+			"create",
+			"--bucket",
+			cfg.Bucket,
+			"--name",
+			cfg.Name,
+		}
+
+		err := runner.Run(ctx, command)
+		cobra.CheckErr(err)
+	},
+}
+
+var infraDestroyCmd = &cobra.Command{
+	Use:   "destroy",
+	Short: "Destroy simulator infrastructure",
+	Run: func(cmd *cobra.Command, args []string) {
+		runner := container.New(cfg)
+
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+		defer stop()
+
+		command := []string{
+			"infra",
+			"destroy",
+			"--bucket",
+			cfg.Bucket,
+			"--name",
+			cfg.Name,
+		}
+
+		err := runner.Run(ctx, command)
+		cobra.CheckErr(err)
+	},
+}
+
+func init() {
+	infraCmd.AddCommand(infraCreateCmd)
+	infraCmd.AddCommand(infraDestroyCmd)
+
+	simulatorCmd.AddCommand(infraCmd)
+}
diff --git a/internal/cli/scenario.go b/internal/cli/scenario.go
new file mode 100644
index 00000000..4356eef3
--- /dev/null
+++ b/internal/cli/scenario.go
@@ -0,0 +1,128 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+
+	"github.com/olekukonko/tablewriter"
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/internal/container"
+	"github.com/controlplaneio/simulator/scenarios"
+)
+
+var scenarioCmd = &cobra.Command{
+	Use:   "scenario",
+	Short: "Manage the simulator scenario",
+}
+
+var scenarioInstallCmd = &cobra.Command{
+	Use:   "install [id]",
+	Short: "Install the scenario into the simulator infrastructure",
+	Args:  cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		scenarioID := args[0]
+
+		command := []string{
+			"scenario",
+			"install",
+			"--name",
+			scenarioID,
+		}
+
+		runner := container.New(cfg)
+		err := runner.Run(ctx, command)
+		cobra.CheckErr(err)
+	},
+}
+
+var scenarioUninstallCmd = &cobra.Command{
+	Use:   "uninstall [id]",
+	Short: "Uninstall the scenario into the simulator infrastructure",
+	Args:  cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
+		defer stop()
+
+		scenarioID := args[0]
+
+		command := []string{
+			"scenario",
+			"uninstall",
+			"--name",
+			scenarioID,
+		}
+
+		runner := container.New(cfg)
+		err := runner.Run(ctx, command)
+		cobra.CheckErr(err)
+	},
+}
+
+var scenarioListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List available scenarios",
+	Run: func(cmd *cobra.Command, args []string) {
+		scenarios, err := scenarios.List()
+		cobra.CheckErr(err)
+
+		table := tablewriter.NewWriter(os.Stdout)
+
+		table.SetHeader([]string{
+			"ID",
+			"Name",
+			"Description",
+			"Category",
+			"Difficulty",
+		})
+
+		table.SetHeaderColor(
+			tablewriter.Colors{tablewriter.Bold},
+			tablewriter.Colors{tablewriter.Bold},
+			tablewriter.Colors{tablewriter.Bold},
+			tablewriter.Colors{tablewriter.Bold},
+			tablewriter.Colors{tablewriter.Bold},
+		)
+
+		for _, s := range scenarios {
+			table.Append([]string{
+				s.ID,
+				s.Name,
+				s.Description,
+				s.Category,
+				s.Difficulty})
+			table.SetRowLine(true)
+		}
+		table.Render()
+	},
+}
+
+var scenarioDescribeCmd = &cobra.Command{
+	Use:   "describe [id]",
+	Short: "Describes a scenario",
+	Args:  cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		scenarioID := args[0]
+
+		s, err := scenarios.Find(scenarioID)
+		cobra.CheckErr(err)
+
+		b, err := s.Challenge()
+		cobra.CheckErr(err)
+
+		fmt.Println(string(b))
+	},
+}
+
+func init() {
+	scenarioCmd.AddCommand(scenarioInstallCmd)
+	scenarioCmd.AddCommand(scenarioUninstallCmd)
+	scenarioCmd.AddCommand(scenarioListCmd)
+	scenarioCmd.AddCommand(scenarioDescribeCmd)
+	simulatorCmd.AddCommand(scenarioCmd)
+}
diff --git a/internal/cli/simulator.go b/internal/cli/simulator.go
new file mode 100644
index 00000000..a2ba686d
--- /dev/null
+++ b/internal/cli/simulator.go
@@ -0,0 +1,36 @@
+package cli
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/internal/config"
+)
+
+var cfg *config.Config
+
+var simulatorCmd = &cobra.Command{
+	Use:   "simulator",
+	Short: "Simulator CLI",
+}
+
+func Execute() {
+	err := simulatorCmd.Execute()
+	cobra.CheckErr(err)
+}
+
+func init() {
+	cfg = &config.Config{}
+
+	cobra.OnInitialize(readConfig)
+	cobra.OnFinalize(writeConfig)
+}
+
+func readConfig() {
+	err := cfg.Read
+	cobra.CheckErr(err())
+}
+
+func writeConfig() {
+	err := cfg.Write
+	cobra.CheckErr(err())
+}
diff --git a/internal/cli/storage.go b/internal/cli/storage.go
new file mode 100644
index 00000000..10c6e1c0
--- /dev/null
+++ b/internal/cli/storage.go
@@ -0,0 +1,41 @@
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/spf13/cobra"
+
+	"github.com/controlplaneio/simulator/internal/container"
+)
+
+var bucketCmd = &cobra.Command{
+	Use: "bucket",
+}
+
+var createBucketCmd = &cobra.Command{
+	Use: "create",
+	Run: func(cmd *cobra.Command, args []string) {
+		runner := container.New(cfg)
+
+		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+		defer stop()
+
+		command := []string{
+			"bucket",
+			"create",
+			"--name",
+			cfg.Bucket,
+		}
+
+		err := runner.Run(ctx, command)
+		cobra.CheckErr(err)
+	},
+}
+
+func init() {
+	bucketCmd.AddCommand(createBucketCmd)
+	simulatorCmd.AddCommand(bucketCmd)
+}
diff --git a/internal/cmd/main.go b/internal/cmd/main.go
new file mode 100644
index 00000000..73c71fa3
--- /dev/null
+++ b/internal/cmd/main.go
@@ -0,0 +1,9 @@
+package main
+
+import (
+	"github.com/controlplaneio/simulator/internal/cli"
+)
+
+func main() {
+	cli.Execute()
+}
diff --git a/internal/config/config.go b/internal/config/config.go
new file mode 100644
index 00000000..fcec4e90
--- /dev/null
+++ b/internal/config/config.go
@@ -0,0 +1,90 @@
+package config
+
+import (
+	"embed"
+	"errors"
+	"os"
+	"path/filepath"
+
+	"gopkg.in/yaml.v2"
+)
+
+const (
+	Dir      = "SIMULATOR_DIR"
+	FileName = "config.yaml"
+)
+
+//go:embed config.yaml
+var defaultConfig embed.FS
+
+type Config struct {
+	Name    string `yaml:"name"`
+	Bucket  string `yaml:"bucket"`
+	BaseDir string `yaml:"baseDir"`
+
+	Cli struct {
+		Dev bool `yaml:"dev,omitempty"`
+	} `yaml:"cli,omitempty"`
+
+	Container struct {
+		Image string `yaml:"image"`
+	} `yaml:"container"`
+}
+
+func (c *Config) Read() error {
+	file := file()
+
+	if _, err := os.Stat(file); errors.Is(err, os.ErrNotExist) {
+		dir := filepath.Dir(file)
+		if _, err := os.Stat(dir); err != nil {
+			err = os.MkdirAll(dir, 0755)
+			if err != nil {
+				return err
+			}
+		}
+
+		config, err := defaultConfig.ReadFile(FileName)
+		if err != nil {
+			return err
+		}
+
+		err = os.WriteFile(file, config, 0644)
+		if err != nil {
+			return err
+		}
+	}
+
+	config, err := os.ReadFile(file)
+	if err != nil {
+		return err
+	}
+
+	err = yaml.Unmarshal(config, &c)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *Config) Write() error {
+	config, err := yaml.Marshal(&c)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(file(), config, 0644)
+}
+
+func file() string {
+	dir, ok := os.LookupEnv(Dir)
+	if !ok {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			panic(err)
+		}
+		dir = filepath.Join(home, ".simulator")
+	}
+
+	return filepath.Join(dir, FileName)
+}
diff --git a/internal/config/config.yaml b/internal/config/config.yaml
new file mode 100644
index 00000000..c9d62b57
--- /dev/null
+++ b/internal/config/config.yaml
@@ -0,0 +1,5 @@
+name: simulator
+cli:
+  dev: false
+container:
+  image: controlplane/simulator:latest
diff --git a/internal/container/runner.go b/internal/container/runner.go
new file mode 100644
index 00000000..6f2a9bed
--- /dev/null
+++ b/internal/container/runner.go
@@ -0,0 +1,153 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"io"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"github.com/controlplaneio/simulator/controlplane"
+	"github.com/controlplaneio/simulator/controlplane/aws"
+	"github.com/controlplaneio/simulator/internal/config"
+)
+
+var (
+	NoHome       = errors.New("unable to determine your home directory")
+	NoClient     = errors.New("unable to create docker client")
+	CreateFailed = errors.New("unable to create simulator container")
+	StartFailed  = errors.New("unable to start simulator container")
+	AttachFailed = errors.New("unable to attach to simulator container")
+
+	containerAwsDir = "/home/ubuntu/.aws"
+)
+
+type Simulator interface {
+	Run(ctx context.Context, command []string) error
+}
+
+func New(config *config.Config) Simulator {
+	return &simulator{
+		Config: config,
+	}
+}
+
+type simulator struct {
+	Config *config.Config
+}
+
+func (r simulator) Run(ctx context.Context, command []string) error {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return NoHome
+	}
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		return NoClient
+	}
+
+	mounts := []mount.Mount{
+		{
+			Type:     mount.TypeBind,
+			Source:   filepath.Join(r.Config.BaseDir, controlplane.Home),
+			Target:   controlplane.HomeDir,
+			ReadOnly: false,
+		},
+		{
+			Type:   mount.TypeBind,
+			Source: filepath.Join(home, ".aws"),
+			Target: containerAwsDir,
+		},
+	}
+
+	if r.Config.Cli.Dev {
+		mounts = append(mounts, []mount.Mount{
+			{
+				Type:   mount.TypeBind,
+				Source: filepath.Join(r.Config.BaseDir, controlplane.Scenarios),
+				Target: controlplane.AnsibleDir,
+			},
+			{
+				Type:   mount.TypeBind,
+				Source: filepath.Join(r.Config.BaseDir, controlplane.Packer),
+				Target: controlplane.PackerTemplateDir,
+			},
+			{
+				Type:     mount.TypeBind,
+				Source:   filepath.Join(r.Config.BaseDir, controlplane.Terraform),
+				Target:   controlplane.TerraformDir,
+				ReadOnly: false,
+			},
+		}...)
+	}
+
+	cont, err := cli.ContainerCreate(ctx,
+		&container.Config{
+			Image:        r.Config.Container.Image,
+			Env:          aws.Env,
+			Cmd:          command,
+			Tty:          true,
+			AttachStdout: true,
+			AttachStderr: true,
+		},
+		&container.HostConfig{
+			Mounts: mounts,
+		},
+		&network.NetworkingConfig{},
+		&v1.Platform{},
+		"",
+	)
+	if err != nil {
+		return CreateFailed
+	}
+	defer func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+		defer cancel()
+
+		err = cli.ContainerStop(ctx, cont.ID, container.StopOptions{})
+		if err != nil {
+			slog.Warn("failed to stop container", "id", cont.ID, "err", err)
+		}
+
+		err = cli.ContainerRemove(ctx, cont.ID, types.ContainerRemoveOptions{})
+		if err != nil {
+			slog.Warn("failed to remove container", "id", cont.ID, "err", err)
+		}
+	}()
+
+	hijack, err := cli.ContainerAttach(ctx, cont.ID, types.ContainerAttachOptions{
+		Stream: true,
+		Stdout: true,
+		Stderr: true,
+	})
+	if err != nil {
+		return AttachFailed
+	}
+
+	err = cli.ContainerStart(ctx, cont.ID, types.ContainerStartOptions{})
+	if err != nil {
+		return StartFailed
+	}
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		_, _ = io.Copy(os.Stdout, hijack.Reader)
+		defer wg.Done()
+	}()
+
+	wg.Wait()
+
+	return nil
+}
diff --git a/scenarios/scenarios.go b/scenarios/scenarios.go
new file mode 100644
index 00000000..229246f6
--- /dev/null
+++ b/scenarios/scenarios.go
@@ -0,0 +1,66 @@
+package scenarios
+
+import (
+	"embed"
+	"errors"
+	"fmt"
+	"log/slog"
+
+	"gopkg.in/yaml.v2"
+
+	"github.com/controlplaneio/simulator/controlplane"
+)
+
+//go:embed scenarios.yaml roles/*/files/challenge.txt
+var config embed.FS
+
+func List() ([]Scenario, error) {
+	var scenarios []Scenario
+
+	b, err := config.ReadFile("scenarios.yaml")
+	if err != nil {
+		slog.Error("failed to load scenarios file")
+		return nil, err
+	}
+
+	err = yaml.Unmarshal(b, &scenarios)
+	if err != nil {
+		slog.Error("failed to unmarshall scenarios")
+		return nil, err
+	}
+
+	return scenarios, nil
+}
+
+func Find(id string) (Scenario, error) {
+	var s Scenario
+
+	scenarios, err := List()
+	if err != nil {
+		return s, err
+	}
+
+	for _, scenario := range scenarios {
+		if scenario.ID == id {
+			return scenario, nil
+		}
+	}
+
+	return s, errors.New("unable to find scenario")
+}
+
+type Scenario struct {
+	ID          string `yaml:"id"`
+	Name        string `yaml:"name"`
+	Description string `yaml:"description"`
+	Category    string `yaml:"category"`
+	Difficulty  string `yaml:"difficulty"`
+}
+
+func (s Scenario) Challenge() ([]byte, error) {
+	return config.ReadFile(fmt.Sprintf("roles/%s/files/challenge.txt", s.ID))
+}
+
+func (s Scenario) Playbook() string {
+	return fmt.Sprintf("%s/%s", controlplane.AnsiblePlaybookDir, s.ID)
+}
diff --git a/terraform/modules/cluster/bastion.tf b/terraform/modules/cluster/bastion.tf
new file mode 100644
index 00000000..9e613c71
--- /dev/null
+++ b/terraform/modules/cluster/bastion.tf
@@ -0,0 +1,77 @@
+resource "aws_instance" "bastion" {
+  ami                         = var.bastion_ami_id
+  instance_type               = var.bastion_instance_type
+  key_name                    = aws_key_pair.admin.id
+  subnet_id                   = var.public_subnet_id
+  associate_public_ip_address = true
+  vpc_security_group_ids = [
+    aws_security_group.bastion.id,
+  ]
+
+  #  metadata_options {
+  #    http_endpoint = "disabled"
+  #  }
+
+  user_data = <<EOF
+${data.template_file.cloud_config.rendered}
+hostname: bastion
+EOF
+
+  root_block_device {
+    volume_type = var.bastion_volume_type
+    volume_size = var.bastion_volume_size
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Bastion", title(var.name))
+    }
+  )
+
+  volume_tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Bastion", title(var.name))
+    }
+  )
+}
+
+resource "aws_security_group" "bastion" {
+  name   = local.bastion_sg_name
+  vpc_id = var.network_id
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Bastion", title(var.name))
+    }
+  )
+}
+
+resource "aws_security_group_rule" "bastion_ssh_ingress" {
+  security_group_id = aws_security_group.bastion.id
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 22
+  to_port           = 22
+  cidr_blocks = [
+    format("%s/32", trim(data.http.player_ip.response_body, "\n")),
+    #    "0.0.0.0/0",
+  ]
+}
+
+resource "aws_security_group_rule" "bastion_open_egress" {
+  security_group_id = aws_security_group.bastion.id
+  type              = "egress"
+  protocol          = -1
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks = [
+    "0.0.0.0/0",
+  ]
+}
+
+data "http" "player_ip" {
+  url = "https://icanhazip.com/"
+}
diff --git a/terraform/modules/cluster/cloud-config.tf b/terraform/modules/cluster/cloud-config.tf
new file mode 100644
index 00000000..47ff4d71
--- /dev/null
+++ b/terraform/modules/cluster/cloud-config.tf
@@ -0,0 +1,21 @@
+data "template_file" "cloud_config" {
+  template = file("${path.module}/templates/cloud-config.yaml")
+  vars = {
+    player_public_key = tls_private_key.player.public_key_openssh
+  }
+}
+
+
+#admin_private_key = base64encode(tls_private_key.admin.private_key_openssh)
+#ssh_config = base64encode(templatefile("${path.module}/templates/ssh_config_internal", {
+#  user      = local.ssh_config_user
+#  key_name  = "id_rsa"
+#  instances = local.ssh_config_instances
+#}))
+#ansible_config = base64encode(templatefile("${path.module}/templates/ansible.cfg", {
+#  ansible_inventory = local.ansible_inventory_file
+#}))
+#ansible_inventory = base64encode(templatefile("${path.module}/templates/inventory.yaml", {
+#  ansible_inventory_instances = local.ansible_inventory_instances
+#}))
+#sudo = false
\ No newline at end of file
diff --git a/terraform/modules/cluster/instances.tf b/terraform/modules/cluster/instances.tf
new file mode 100644
index 00000000..6ef9b808
--- /dev/null
+++ b/terraform/modules/cluster/instances.tf
@@ -0,0 +1,67 @@
+module "instances" {
+  source = "./modules/instance-group"
+
+  for_each = {
+    for index, group in var.instance_groups : index => group
+  }
+
+  name                        = format("%s %s", title(var.name), each.value.name)
+  group = each.value.name
+  instance_count              = each.value.count
+  ami_id                      = each.value.ami_id
+  instance_type               = each.value.instance_type
+  key_name                    = aws_key_pair.admin.id
+  availability_zone           = var.availability_zone
+  subnet_id                   = each.value.public ? var.public_subnet_id : var.private_subnet_id
+  associate_public_ip_address = each.value.public
+  security_group_id           = aws_security_group.instances.id
+  iam_instance_profile        = each.value.iam_instance_profile
+  volume_type                 = each.value.volume_type
+  volume_size                 = each.value.volume_size
+  user_data                   = data.template_file.cloud_config.rendered
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s %s", title(var.name), title(each.value.name))
+      "InstanceGroup" = each.value.name
+    }
+  )
+}
+
+resource "aws_security_group" "instances" {
+  name   = local.instances_sg_name
+  vpc_id = var.network_id
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Instances", title(var.name))
+    }
+  )
+}
+
+resource "aws_security_group_rule" "instances_vpc_ingress" {
+  security_group_id = aws_security_group.instances.id
+  type              = "ingress"
+  protocol          = -1
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks = [
+    data.aws_vpc.target.cidr_block,
+  ]
+}
+
+resource "aws_security_group_rule" "instances_open_egress" {
+  security_group_id = aws_security_group.instances.id
+  type              = "egress"
+  protocol          = -1
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks = [
+    "0.0.0.0/0",
+  ]
+}
+
+data "aws_vpc" "target" {
+  id = var.network_id
+}
diff --git a/terraform/modules/cluster/key-pairs.tf b/terraform/modules/cluster/key-pairs.tf
new file mode 100644
index 00000000..1ebaa6ec
--- /dev/null
+++ b/terraform/modules/cluster/key-pairs.tf
@@ -0,0 +1,33 @@
+resource "aws_key_pair" "admin" {
+  key_name   = local.admin_key_name
+  public_key = tls_private_key.admin.public_key_openssh
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Simulator Admin", var.name)
+    }
+  )
+}
+
+resource "tls_private_key" "admin" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "player" {
+  key_name   = local.player_key_name
+  public_key = tls_private_key.player.public_key_openssh
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Simulator User", var.name)
+    }
+  )
+}
+
+resource "tls_private_key" "player" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
\ No newline at end of file
diff --git a/terraform/modules/cluster/locals.tf b/terraform/modules/cluster/locals.tf
new file mode 100644
index 00000000..4ed41cb8
--- /dev/null
+++ b/terraform/modules/cluster/locals.tf
@@ -0,0 +1,32 @@
+locals {
+  bastion_sg_name   = format("%s-bastion", var.name)
+  instances_sg_name = format("%s-instances", var.name)
+  admin_key_name    = format("%s-admin-key", var.name)
+  player_key_name   = format("%s-player-key", var.name)
+
+  ssh_config_instances = merge([for i in module.instances : i.instances]...)
+  ssh_config_player = templatefile("${path.module}/templates/ssh_config", {
+    bastion_ip        = aws_instance.bastion.public_ip,
+    ssh_user          = "player"
+    ssh_force_tty     = true
+    ssh_identity_file = var.ssh_identity_filename
+    ssh_known_hosts   = var.ssh_known_hosts_filename
+    instances         = {}
+  })
+  ssh_config_admin = templatefile("${path.module}/templates/ssh_config", {
+    bastion_ip        = aws_instance.bastion.public_ip,
+    ssh_user          = "ubuntu"
+    ssh_force_tty     = false
+    ssh_identity_file = var.ssh_identity_filename
+    ssh_known_hosts   = var.ssh_known_hosts_filename
+    instances         = local.ssh_config_instances
+  })
+
+  ansible_inventory_instances = merge([for i, g in var.instance_groups : { format("%ss", lower(var.instance_groups[i].name)) = keys(module.instances[i].instances) }]...)
+  ansible_config = templatefile("${path.module}/templates/ansible.cfg", {
+    ssh_config_filename = var.ssh_config_filename
+  })
+  ansible_inventory = templatefile("${path.module}/templates/inventory.yaml", {
+    ansible_inventory_instances = local.ansible_inventory_instances
+  })
+}
diff --git a/terraform/modules/cluster/modules/instance-group/instances.tf b/terraform/modules/cluster/modules/instance-group/instances.tf
new file mode 100644
index 00000000..525ee28e
--- /dev/null
+++ b/terraform/modules/cluster/modules/instance-group/instances.tf
@@ -0,0 +1,44 @@
+resource "aws_instance" "instance" {
+  count = var.instance_count
+
+  ami                         = var.ami_id
+  instance_type               = var.instance_type
+  key_name                    = var.key_name
+  availability_zone           = var.availability_zone
+  subnet_id                   = var.subnet_id
+  associate_public_ip_address = var.associate_public_ip_address
+  hibernation                 = true
+  vpc_security_group_ids = [
+    var.security_group_id,
+  ]
+
+  #  metadata_options {
+  #    http_endpoint = local.http_endpoint
+  #  }
+
+  iam_instance_profile = var.iam_instance_profile
+
+  root_block_device {
+    volume_type = var.volume_type
+    volume_size = var.volume_size
+    encrypted   = true
+  }
+
+  user_data = <<EOF
+${var.user_data}
+hostname: ${format("%s-%s", var.group, count.index + 1)}
+EOF
+
+  tags = merge(
+    var.tags,
+    {
+      "ID" : format("%s-%s", var.group, count.index + 1)
+    }
+  )
+  volume_tags = merge(
+    var.tags,
+    {
+      "ID" : format("%s-%s", var.group, count.index + 1)
+    }
+  )
+}
diff --git a/terraform/modules/cluster/modules/instance-group/outputs.tf b/terraform/modules/cluster/modules/instance-group/outputs.tf
new file mode 100644
index 00000000..eeecf1fe
--- /dev/null
+++ b/terraform/modules/cluster/modules/instance-group/outputs.tf
@@ -0,0 +1,4 @@
+output "instances" {
+  value = zipmap(aws_instance.instance.*.tags.ID, aws_instance.instance.*.private_ip)
+}
+
diff --git a/terraform/modules/cluster/modules/instance-group/terraform.tf b/terraform/modules/cluster/modules/instance-group/terraform.tf
new file mode 100644
index 00000000..e3fbf8d3
--- /dev/null
+++ b/terraform/modules/cluster/modules/instance-group/terraform.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      version = "~> 5.20"
+    }
+    tls = {
+      version = "~> 4.0"
+    }
+  }
+}
diff --git a/terraform/modules/cluster/modules/instance-group/variables.tf b/terraform/modules/cluster/modules/instance-group/variables.tf
new file mode 100644
index 00000000..dbb9ec48
--- /dev/null
+++ b/terraform/modules/cluster/modules/instance-group/variables.tf
@@ -0,0 +1,63 @@
+variable "name" {
+  description = ""
+}
+
+variable "group" {
+  description = ""
+}
+
+variable "instance_count" {
+  description = ""
+}
+
+variable "ami_id" {
+  description = ""
+}
+
+variable "instance_type" {
+  description = ""
+}
+
+variable "key_name" {
+  description = ""
+}
+
+variable "availability_zone" {
+  description = ""
+}
+
+variable "subnet_id" {
+  description = ""
+}
+
+variable "associate_public_ip_address" {
+  description = ""
+  type        = bool
+}
+
+variable "security_group_id" {
+  description = ""
+}
+
+variable "iam_instance_profile" {
+  description = ""
+  default     = ""
+}
+
+variable "volume_type" {
+  description = ""
+}
+
+variable "volume_size" {
+  description = ""
+}
+
+variable "user_data" {
+  description = ""
+  default     = ""
+}
+
+variable "tags" {
+  description = ""
+  type        = map(string)
+}
diff --git a/terraform/modules/cluster/outputs.tf b/terraform/modules/cluster/outputs.tf
new file mode 100644
index 00000000..a4b1df51
--- /dev/null
+++ b/terraform/modules/cluster/outputs.tf
@@ -0,0 +1,27 @@
+output "player_private_key" {
+  value = base64encode(tls_private_key.player.private_key_pem)
+}
+
+output "player_ssh_config" {
+  value = base64encode(local.ssh_config_player)
+}
+
+output "admin_private_key" {
+  value = base64encode(tls_private_key.admin.private_key_pem)
+}
+
+output "admin_ssh_config" {
+  value = base64encode(local.ssh_config_admin)
+}
+
+output "ansible_config" {
+  value = base64encode(local.ansible_config)
+}
+
+output "ansible_inventory" {
+  value = base64encode(local.ansible_inventory)
+}
+
+output "bastion_ip" {
+  value = aws_instance.bastion.public_ip
+}
diff --git a/terraform/modules/cluster/templates/ansible.cfg b/terraform/modules/cluster/templates/ansible.cfg
new file mode 100644
index 00000000..0f0a8061
--- /dev/null
+++ b/terraform/modules/cluster/templates/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+inventory=inventory.yaml
+roles_path=../../ansible/roles
+
+[ssh_connection]
+ssh_extra_args=-F cp_simulator_config
diff --git a/terraform/modules/cluster/templates/cloud-config.yaml b/terraform/modules/cluster/templates/cloud-config.yaml
new file mode 100644
index 00000000..cf229c97
--- /dev/null
+++ b/terraform/modules/cluster/templates/cloud-config.yaml
@@ -0,0 +1,12 @@
+#cloud-config
+cloud_final_modules:
+  - [ users-groups,always ]
+users:
+  - name: default
+  - name: player
+    shell: /bin/bash
+    ssh_authorized_keys:
+#      - command="/etc/simulator/run" ${player_public_key}
+      - ${player_public_key}
+package_update: true
+package_upgrade: true
diff --git a/terraform/modules/cluster/templates/inventory.yaml b/terraform/modules/cluster/templates/inventory.yaml
new file mode 100644
index 00000000..9a5e067a
--- /dev/null
+++ b/terraform/modules/cluster/templates/inventory.yaml
@@ -0,0 +1,17 @@
+---
+all:
+  children:
+    ungrouped:
+%{ for group in keys(ansible_inventory_instances) ~}
+    ${group}:
+%{ endfor ~}
+ungrouped:
+  hosts:
+    bastion:
+%{ for group in keys(ansible_inventory_instances) ~}
+${group}:
+  hosts:
+%{ for host in ansible_inventory_instances[group] ~}
+    ${host}:
+%{ endfor ~}
+%{ endfor ~}
diff --git a/terraform/modules/cluster/templates/ssh_config b/terraform/modules/cluster/templates/ssh_config
new file mode 100644
index 00000000..301e6988
--- /dev/null
+++ b/terraform/modules/cluster/templates/ssh_config
@@ -0,0 +1,17 @@
+Host bastion ${bastion_ip}
+    Hostname ${bastion_ip}
+    User ${ssh_user}
+%{if ssh_force_tty ~}
+    RequestTTY force
+%{endif ~}
+    ForwardAgent yes
+    IdentityFile ${ssh_identity_file}
+    UserKnownHostsFile ${ssh_known_hosts}
+%{ for id in keys(instances) ~}
+Host ${id} ${instances[id]}
+    Hostname ${instances[id]}
+    User ${ssh_user}
+    IdentityFile ${ssh_identity_file}
+    UserKnownHostsFile ${ssh_known_hosts}
+    ProxyJump bastion
+%{ endfor ~}
diff --git a/terraform/modules/cluster/terraform.tf b/terraform/modules/cluster/terraform.tf
new file mode 100644
index 00000000..fc14153b
--- /dev/null
+++ b/terraform/modules/cluster/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      version = "~> 5.20"
+    }
+  }
+}
diff --git a/terraform/modules/cluster/variables.tf b/terraform/modules/cluster/variables.tf
new file mode 100644
index 00000000..ce706076
--- /dev/null
+++ b/terraform/modules/cluster/variables.tf
@@ -0,0 +1,71 @@
+variable "name" {
+  description = ""
+}
+
+variable "network_id" {
+  description = ""
+}
+
+variable "public_subnet_id" {
+  description = ""
+}
+
+variable "private_subnet_id" {
+  description = ""
+}
+
+variable "availability_zone" {
+  description = ""
+}
+
+variable "ssh_config_filename" {
+  description = ""
+}
+
+variable "ssh_identity_filename" {
+  description = ""
+}
+
+variable "ssh_known_hosts_filename" {
+  description = ""
+}
+
+variable "bastion_ami_id" {
+  description = ""
+}
+
+variable "bastion_instance_type" {
+  description = "The instance type to use for the bastion."
+  default     = "t3.micro"
+}
+
+variable "bastion_volume_type" {
+  description = "The type of the root volume in for the bastion."
+  default     = "gp2"
+}
+
+variable "bastion_volume_size" {
+  description = "The size of the root volume in for the bastion."
+  default     = "8"
+}
+
+variable "instance_groups" {
+  description = ""
+  type = list(object({
+    name                 = string
+    count                = number
+    ami_id               = string
+    public               = optional(bool, false)
+    instance_type        = optional(string, "t3.micro")
+    iam_instance_profile = optional(string, "")
+    volume_type          = optional(string, "gp2")
+    volume_size          = optional(string, "8")
+  }))
+  default = []
+}
+
+variable "tags" {
+  description = "The common tags to apply to resources that support tagging."
+  type        = map(string)
+  default     = {}
+}
diff --git a/terraform/modules/network/locals.tf b/terraform/modules/network/locals.tf
new file mode 100644
index 00000000..119b89ce
--- /dev/null
+++ b/terraform/modules/network/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  public_subnet_cidr  = cidrsubnet(var.vpc_cidr, 1, 0)
+  private_subnet_cidr = cidrsubnet(var.vpc_cidr, 1, 1)
+}
\ No newline at end of file
diff --git a/terraform/modules/network/network.tf b/terraform/modules/network/network.tf
new file mode 100644
index 00000000..ffe04e44
--- /dev/null
+++ b/terraform/modules/network/network.tf
@@ -0,0 +1,53 @@
+resource "aws_vpc" "network" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_hostnames = true
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = title(var.name)
+    }
+  )
+}
+
+resource "aws_internet_gateway" "network" {
+  vpc_id = aws_vpc.network.id
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = title(var.name)
+    }
+  )
+}
+
+resource "aws_eip" "network" {
+  domain = "vpc"
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = title(var.name)
+    }
+  )
+
+  depends_on = [
+    aws_internet_gateway.network,
+  ]
+}
+
+resource "aws_nat_gateway" "network" {
+  subnet_id     = aws_subnet.public.id
+  allocation_id = aws_eip.network.id
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = title(var.name)
+    }
+  )
+
+  depends_on = [
+    aws_eip.network,
+  ]
+}
diff --git a/terraform/modules/network/outputs.tf b/terraform/modules/network/outputs.tf
new file mode 100644
index 00000000..3826485c
--- /dev/null
+++ b/terraform/modules/network/outputs.tf
@@ -0,0 +1,15 @@
+output "network_id" {
+  value = aws_vpc.network.id
+}
+
+output "network_cidr" {
+  value = aws_vpc.network.cidr_block
+}
+
+output "public_subnet_id" {
+  value = aws_subnet.public.id
+}
+
+output "private_subnet_id" {
+  value = aws_subnet.private.id
+}
diff --git a/terraform/modules/network/private.tf b/terraform/modules/network/private.tf
new file mode 100644
index 00000000..f80ad757
--- /dev/null
+++ b/terraform/modules/network/private.tf
@@ -0,0 +1,33 @@
+resource "aws_subnet" "private" {
+  vpc_id            = aws_vpc.network.id
+  cidr_block        = local.private_subnet_cidr
+  availability_zone = var.availability_zone
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Private", title(var.name))
+    }
+  )
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.network.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.network.id
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Private", title(var.name))
+    }
+  )
+}
+
+resource "aws_route_table_association" "private" {
+  route_table_id = aws_route_table.private.id
+  subnet_id      = aws_subnet.private.id
+}
diff --git a/terraform/modules/network/public.tf b/terraform/modules/network/public.tf
new file mode 100644
index 00000000..e94481df
--- /dev/null
+++ b/terraform/modules/network/public.tf
@@ -0,0 +1,33 @@
+resource "aws_subnet" "public" {
+  vpc_id            = aws_vpc.network.id
+  cidr_block        = local.public_subnet_cidr
+  availability_zone = var.availability_zone
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Public", title(var.name))
+    }
+  )
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.network.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.network.id
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s Public",title(var.name))
+    }
+  )
+}
+
+resource "aws_route_table_association" "public" {
+  route_table_id = aws_route_table.public.id
+  subnet_id      = aws_subnet.public.id
+}
diff --git a/terraform/modules/network/terraform.tf b/terraform/modules/network/terraform.tf
new file mode 100644
index 00000000..fc14153b
--- /dev/null
+++ b/terraform/modules/network/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      version = "~> 5.20"
+    }
+  }
+}
diff --git a/terraform/modules/network/variables.tf b/terraform/modules/network/variables.tf
new file mode 100644
index 00000000..fca704c8
--- /dev/null
+++ b/terraform/modules/network/variables.tf
@@ -0,0 +1,18 @@
+variable "name" {
+  description = ""
+}
+
+variable "vpc_cidr" {
+  description = "The ipv4 cidr block for the vpc."
+  default     = "10.0.0.0/16"
+}
+
+variable "availability_zone" {
+  description = ""
+}
+
+variable "tags" {
+  description = ""
+  type        = map(string)
+  default     = {}
+}
diff --git a/terraform/workspaces/simulator/.terraform.lock.hcl b/terraform/workspaces/simulator/.terraform.lock.hcl
new file mode 100644
index 00000000..71371b83
--- /dev/null
+++ b/terraform/workspaces/simulator/.terraform.lock.hcl
@@ -0,0 +1,138 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.21.0"
+  constraints = "~> 5.20"
+  hashes = [
+    "h1:N8sP6VZjHbtgmaCU6BKPox51UIypWXQRal7JMecEXQw=",
+    "zh:1ba1411e4f8c047950db94c236f146d4590790320c68320b4e56082d8746a507",
+    "zh:3185e4a34cfcad35dcf11439290a4bd0ad52d462eca2ab5d4940488a2db72833",
+    "zh:3c6b901f874b4d9a85301a653d0bd507b052992bd84fc81100f4e5f73b1adab7",
+    "zh:45d3fdbbc5804f295576b7155fdca527dedff17a014ed40c215af3bc60c329db",
+    "zh:47b64b453d2c373062e47a54f3df33335dc29bce6ddbbf2da9e7be768c560abe",
+    "zh:5cdf57ffd465288d9732d14ba13b377a8d389e0ba0ce3ac4773fd6fdfc09d6a1",
+    "zh:81ec4c662581a2446c78da7b27d7e0d5c2e4d50925294789ec13661817f4b5a4",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:ac248464fd4ce1f020c05f27e3182532a7d1af4b8185a4b4be8b906b30b0ca5a",
+    "zh:bbbedc6b6eaffcce0b31b397d607464f0c21c1b9406182163d504d3f392cc68d",
+    "zh:c2afc111f9503829ed055e2ae91d873670c57bd16acc1a3246ac3957f6998d4e",
+    "zh:cd3c8175b2152848113482da70e5b9c7cb4c951f2046fc0b832715300bd88b97",
+    "zh:cf89b0c09d426d489f9477209d4084e64ad1b598036284fa688b41de626b58e6",
+    "zh:d9d127637c3b9ff6e2d0a2c30f54bd48ab1de34f725a5df1a6a3d039b021e636",
+    "zh:dccca1090e4054d6558218406385fb0421ab4ac3b75e121641973be481a81f01",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/http" {
+  version = "3.4.0"
+  hashes = [
+    "h1:h3URn6qAnP36OlSqI1tTuKgPL3GriZaJia9ZDrUvRdg=",
+    "zh:56712497a87bc4e91bbaf1a5a2be4b3f9cfa2384baeb20fc9fad0aff8f063914",
+    "zh:6661355e1090ebacab16a40ede35b029caffc279d67da73a000b6eecf0b58eba",
+    "zh:67b92d343e808b92d7e6c3bbcb9b9d5475fecfed0836963f7feb9d9908bd4c4f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:86ebb9be9b685c96dbb5c024b55d87526d57a4b127796d6046344f8294d3f28e",
+    "zh:902be7cfca4308cba3e1e7ba6fc292629dfd150eb9a9f054a854fa1532b0ceba",
+    "zh:9ba26e0215cd53b21fe26a0a98c007de1348b7d13a75ae3cfaf7729e0f2c50bb",
+    "zh:a195c941e1f1526147134c257ff549bea4c89c953685acd3d48d9de7a38f39dc",
+    "zh:a7967b3d2a8c3e7e1dc9ae381ca753268f9fce756466fe2fc9e414ca2d85a92e",
+    "zh:bde56542e9a093434d96bea21c341285737c6d38fea2f05e12ba7b333f3e9c05",
+    "zh:c0306f76903024c497fd01f9fd9bace5854c263e87a97bc2e89dcc96d35ca3cc",
+    "zh:f9335a6c336171e85f8e3e99c3d31758811a19aeb21fa8c9013d427e155ae2a9",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.4.0"
+  hashes = [
+    "h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=",
+    "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9",
+    "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf",
+    "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35",
+    "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04",
+    "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406",
+    "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6",
+    "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7",
+    "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2",
+    "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc",
+    "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.1"
+  hashes = [
+    "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=",
+    "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
+    "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
+    "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
+    "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
+    "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
+    "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
+    "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
+    "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
+    "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
+    "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version     = "4.0.4"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=",
+    "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+    "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+    "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+    "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+    "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+    "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+    "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+    "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+    "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+    "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+    "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
diff --git a/terraform/workspaces/simulator/admin_config.tf b/terraform/workspaces/simulator/admin_config.tf
new file mode 100644
index 00000000..79a457a4
--- /dev/null
+++ b/terraform/workspaces/simulator/admin_config.tf
@@ -0,0 +1,80 @@
+resource "local_file" "admin_private_key" {
+  content_base64  = module.cluster.admin_private_key
+  filename        = format("%s/%s", var.admin_config_dir, local.ssh_identity_filename)
+  file_permission = "0600"
+}
+
+resource "aws_s3_object" "admin_private_key" {
+  content_base64 = module.cluster.admin_private_key
+  bucket         = var.bucket
+  key            = format("config/admin/%s", local.ssh_identity_filename)
+}
+
+resource "local_file" "admin_ssh_config" {
+  content_base64  = module.cluster.admin_ssh_config
+  filename        = format("%s/%s", var.admin_config_dir, local.ssh_config_filename)
+  file_permission = "0600"
+}
+
+resource "aws_s3_object" "admin_ssh_config" {
+  content_base64 = module.cluster.admin_ssh_config
+  bucket         = var.bucket
+  key            = format("config/admin/%s", local.ssh_config_filename)
+}
+
+resource "local_file" "ansible_config" {
+  content_base64 = module.cluster.ansible_config
+  filename       = format("%s/%s", var.admin_config_dir, local.ansible_config_filename)
+}
+
+resource "aws_s3_object" "ansible_config" {
+  content_base64 = module.cluster.ansible_config
+  bucket         = var.bucket
+  key            = format("config/admin/%s", local.ansible_config_filename)
+}
+
+resource "local_file" "ansible_inventory" {
+  content_base64 = module.cluster.ansible_inventory
+  filename       = format("%s/%s", var.admin_config_dir, local.ansible_inventory_filename)
+}
+
+resource "aws_s3_object" "ansible_inventory" {
+  content_base64 = module.cluster.ansible_inventory
+  bucket         = var.bucket
+  key            = format("config/admin/%s", local.ansible_inventory_filename)
+}
+
+resource "null_resource" "admin_ssh_known_hosts" {
+  provisioner "local-exec" {
+    command     = format("ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook %s/%s", var.admin_config_dir, local.ansible_playbook_update_known_hosts)
+    working_dir = var.admin_config_dir
+  }
+
+  depends_on = [
+    module.network,
+    module.cluster,
+    local_file.admin_private_key,
+    local_file.admin_ssh_config,
+  ]
+}
+
+resource "null_resource" "kubeadm_init" {
+  provisioner "local-exec" {
+    command     = format("ansible-playbook %s/%s", var.admin_config_dir, local.ansible_playbook_init_cluster)
+    working_dir = var.admin_config_dir
+  }
+
+  depends_on = [
+    null_resource.admin_ssh_known_hosts,
+  ]
+}
+
+resource "aws_s3_object" "admin_ssh_known_hosts" {
+  source = format("%s/%s", var.admin_config_dir, local.ssh_known_hosts_filename)
+  bucket = var.bucket
+  key    = format("config/admin/%s", local.ssh_known_hosts_filename)
+
+  depends_on = [
+    null_resource.admin_ssh_known_hosts,
+  ]
+}
diff --git a/terraform/workspaces/simulator/main.tf b/terraform/workspaces/simulator/main.tf
new file mode 100644
index 00000000..c220a835
--- /dev/null
+++ b/terraform/workspaces/simulator/main.tf
@@ -0,0 +1,136 @@
+variable "name" {
+  description = "Name to identity the cluster."
+  default     = "simulator"
+}
+
+variable "bucket" {
+  description = "S3 bucket where s3 bundles will be written."
+}
+
+variable "admin_config_dir" {
+  description = ""
+}
+
+variable "player_config_dir" {
+  description = ""
+}
+
+# TODO: add switch to turn off ip lookup and ingress control
+
+# TODO: add switch to turn of ip lookup and ingress control
+
+locals {
+  ssh_identity_filename    = "cp_simulator_rsa"
+  ssh_config_filename      = "cp_simulator_config"
+  ssh_known_hosts_filename = "cp_simulator_known_hosts"
+
+  ansible_config_filename    = "ansible.cfg"
+  ansible_inventory_filename = "inventory.yaml"
+
+  bastion_ami_id        = data.aws_ami.bastion.id
+  bastion_instance_type = "t2.small"
+
+  instance_groups = [
+    {
+      name                 = "master"
+      count                = 1
+      ami_id               = data.aws_ami.k8s.id
+      public               = false
+      instance_type        = "t2.medium"
+      iam_instance_profile = ""
+      volume_type          = "gp2"
+      volume_size          = "20"
+    },
+    {
+      name                 = "node"
+      count                = 2
+      ami_id               = data.aws_ami.k8s.id
+      public               = false
+      instance_type        = "t2.medium"
+      iam_instance_profile = ""
+      volume_type          = "gp2"
+      volume_size          = "20"
+    },
+    {
+      name                 = "internal"
+      count                = 1
+      ami_id               = data.aws_ami.k8s.id
+      public               = false
+      instance_type        = "t2.small"
+      iam_instance_profile = ""
+      volume_type          = "gp2"
+      volume_size          = "20"
+    }
+  ]
+  tags = {
+    Name : title(var.name)
+  }
+}
+
+module "network" {
+  source = "../../modules/network"
+
+  name              = var.name
+  availability_zone = random_shuffle.availability_zones.result[0]
+  tags              = local.tags
+}
+
+module "cluster" {
+  source = "../../modules/cluster"
+
+  name                     = var.name
+  network_id               = module.network.network_id
+  public_subnet_id         = module.network.public_subnet_id
+  private_subnet_id        = module.network.private_subnet_id
+  availability_zone        = random_shuffle.availability_zones.result[0]
+  ssh_identity_filename    = local.ssh_identity_filename
+  ssh_known_hosts_filename = local.ssh_known_hosts_filename
+  bastion_ami_id           = local.bastion_ami_id
+  bastion_instance_type    = local.bastion_instance_type
+  instance_groups          = local.instance_groups
+  ssh_config_filename      = local.ssh_config_filename
+  tags                     = local.tags
+}
+
+resource "random_shuffle" "availability_zones" {
+  input        = data.aws_availability_zones.available.names
+  result_count = 1
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+// TODO: filter these on K8s, containerd, runc versions?
+
+data "aws_ami" "bastion" {
+  most_recent = true
+  owners = [
+    "self",
+  ]
+  filter {
+    name   = "name"
+    values = [
+      "simulator-bastion-*"
+    ]
+  }
+}
+
+data "aws_ami" "k8s" {
+  most_recent = true
+  owners = [
+    "self",
+  ]
+  filter {
+    name   = "name"
+    values = [
+      "simulator-k8s-*"
+    ]
+  }
+}
+
+terraform {
+  backend "s3" {
+    key = "state/simulator.tfstate"
+  }
+}
diff --git a/terraform/workspaces/simulator/player_config.tf b/terraform/workspaces/simulator/player_config.tf
new file mode 100644
index 00000000..6cec1ab6
--- /dev/null
+++ b/terraform/workspaces/simulator/player_config.tf
@@ -0,0 +1,46 @@
+resource "local_file" "player_private_key" {
+  content_base64  = module.cluster.player_private_key
+  filename        = format("%s/%s", var.player_config_dir, local.ssh_identity_filename)
+  file_permission = "0600"
+}
+
+// TODO: think about paths in S3
+
+resource "aws_s3_object" "player_private_key" {
+  content_base64 = module.cluster.player_private_key
+  bucket         = var.bucket
+  key            = format("config/player/%s", local.ssh_identity_filename)
+}
+
+resource "local_file" "player_ssh_config" {
+  content_base64  = module.cluster.player_ssh_config
+  filename        = format("%s/%s", var.player_config_dir, local.ssh_config_filename)
+  file_permission = "0600"
+}
+
+resource "aws_s3_object" "player_ssh_config" {
+  content_base64 = module.cluster.player_ssh_config
+  bucket         = var.bucket
+  key            = format("config/player/%s", local.ssh_config_filename)
+}
+
+resource "null_resource" "player_ssh_known_hosts" {
+  provisioner "local-exec" {
+    command     = "ssh-keyscan -t rsa -H ${module.cluster.bastion_ip} 22 > ${local.ssh_known_hosts_filename}"
+    working_dir = var.player_config_dir
+  }
+
+  depends_on = [
+    null_resource.admin_ssh_known_hosts,
+  ]
+}
+
+resource "aws_s3_object" "player_ssh_known_hosts" {
+  source = format("%s/%s", var.player_config_dir, local.ssh_known_hosts_filename)
+  bucket = var.bucket
+  key    = format("config/player/%s", local.ssh_known_hosts_filename)
+
+  depends_on = [
+    null_resource.player_ssh_known_hosts,
+  ]
+}