cloud-mu 1.9.0.pre.beta → 2.0.0.pre.alpha

data/modules/mu/clouds/aws/collection.rb

@@ -118,10 +118,10 @@ module MU
             end
 
             MU.log "Creating CloudFormation stack '#{@config['name']}'", details: stack_descriptor
-            res = MU::Cloud::AWS.cloudformation(region).create_stack(stack_descriptor);
+            res = MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).create_stack(stack_descriptor);
 
             sleep(10);
-            stack_response = MU::Cloud::AWS.cloudformation(region).describe_stacks({:stack_name => stack_name}).stacks.first
+            stack_response = MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).describe_stacks({:stack_name => stack_name}).stacks.first
             attempts = 0
             begin
               if attempts % 5 == 0
@@ -129,7 +129,7 @@ module MU
               else
                 MU.log "Waiting for CloudFormation stack '#{@config['name']}' to be ready...", MU::DEBUG
               end
-              stack_response =MU::Cloud::AWS.cloudformation(region).describe_stacks({:stack_name => stack_name}).stacks.first
+              stack_response =MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).describe_stacks({:stack_name => stack_name}).stacks.first
               sleep 60
             end while stack_response.stack_status == "CREATE_IN_PROGRESS"
 
@@ -145,14 +145,14 @@ module MU
           end
 
           if flag == "FAIL" then
-            stack_response = MU::Cloud::AWS.cloudformation(region).delete_stack({:stack_name => stack_name})
+            stack_response = MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).delete_stack({:stack_name => stack_name})
             exit 1
           end
 
           MU.log "CloudFormation stack '#{@config['name']}' complete"
 
           begin
-            resources = MU::Cloud::AWS.cloudformation(region).describe_stack_resources(:stack_name => stack_name)
+            resources = MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).describe_stack_resources(:stack_name => stack_name)
 
             resources[:stack_resources].each { |resource|
 
@@ -160,7 +160,7 @@ module MU
                 when "AWS::EC2::Instance"
                   MU::MommaCat.createStandardTags(resource.physical_resource_id)
                   instance_name = MU.deploy_id+"-"+@config['name']+"-"+resource.logical_resource_id
-                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", instance_name)
+                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", instance_name, credentials: @config['credentials'])
 
                   instance = MU::Cloud::AWS::Server.notifyDeploy(
                       @config['name']+"-"+resource.logical_resource_id,
@@ -187,14 +187,14 @@ module MU
 
                 when "AWS::EC2::SecurityGroup"
                   MU::MommaCat.createStandardTags(resource.physical_resource_id)
-                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id)
+                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   MU::Cloud::AWS::FirewallRule.notifyDeploy(
                       @config['name']+"-"+resource.logical_resource_id,
                       resource.physical_resource_id
                   )
                 when "AWS::EC2::Subnet"
                   MU::MommaCat.createStandardTags(resource.physical_resource_id)
-                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id)
+                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   data = {
                       "collection" => @config["name"],
                       "subnet_id" => resource.physical_resource_id,
@@ -202,7 +202,7 @@ module MU
                   @deploy.notify("subnets", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::VPC"
                   MU::MommaCat.createStandardTags(resource.physical_resource_id)
-                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id)
+                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   data = {
                       "collection" => @config["name"],
                       "vpc_id" => resource.physical_resource_id,
@@ -210,10 +210,10 @@ module MU
                   @deploy.notify("vpcs", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::InternetGateway"
                   MU::MommaCat.createStandardTags(resource.physical_resource_id)
-                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id)
+                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                 when "AWS::EC2::RouteTable"
                   MU::MommaCat.createStandardTags(resource.physical_resource_id)
-                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id)
+                  MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
 
                 # The rest of these aren't anything we act on
                 when "AWS::EC2::Route"
@@ -239,15 +239,22 @@ module MU
           end
         end
 
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
         # Remove all CloudFormation stacks associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @param wait [Boolean]: Block on the removal of this stack; AWS deletion will continue in the background otherwise if false.
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, wait: false, flags: {})
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, wait: false, credentials: nil, flags: {})
 # XXX needs to check tags instead of name- possible?
-          resp = MU::Cloud::AWS.cloudformation(region).describe_stacks
+          resp = MU::Cloud::AWS.cloudformation(credentials: credentials, region: region).describe_stacks
           resp.stacks.each { |stack|
             ok = false
             stack.tags.each { |tag|
@@ -257,7 +264,7 @@ module MU
               MU.log "Deleting CloudFormation stack #{stack.stack_name})"
               next if noop
               if stack.stack_status != "DELETE_IN_PROGRESS"
-                MU::Cloud::AWS.cloudformation(region).delete_stack(stack_name: stack.stack_name)
+                MU::Cloud::AWS.cloudformation(credentials: credentials, region: region).delete_stack(stack_name: stack.stack_name)
               end
               if wait
                 last_status = ""
@@ -268,7 +275,7 @@ module MU
                   mystack = nil
                   sleep 30
                   retries = retries + 1
-                  desc = MU::Cloud::AWS.cloudformation(region).describe_stacks(stack_name: stack.stack_name)
+                  desc = MU::Cloud::AWS.cloudformation(credentials: credentials, region: region).describe_stacks(stack_name: stack.stack_name)
                   if desc.size > 0
                     mystack = desc.first.stacks.first
                     if mystack.size > 0 and mystack.stack_status == "DELETE_FAILED"
@@ -300,9 +307,9 @@ module MU
         end
 
         # placeholder
-        def self.find(cloud_id: nil)
+        def self.find(cloud_id: nil, region: MU.myRegion, credentials: nil)
           found = nil
-          resp = MU::Cloud::AWS::Collection.describe_stacks(
+          resp = MU::Cloud::AWS.cloudformation(region: region, credentials: credentials).describe_stacks(
             stack_name: cloud_id
           )
           if resp and resp.stacks
@@ -355,7 +362,7 @@ module MU
           region = stack['region']
           stack_name = getStackName(stack)
           begin
-            resources = MU::Cloud::AWS.cloudformation(region).describe_stack_resources(:stack_name => stack_name)
+            resources = MU::Cloud::AWS.cloudformation(region: region).describe_stack_resources(:stack_name => stack_name)
 
             MU.log "CloudFormation stack #{stack_name} failed", MU::ERR
 

data/modules/mu/clouds/aws/container_cluster.rb

@@ -40,29 +40,6 @@ module MU
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
 
-        # Generate the generic EKS Kubernetes admin role for use with 
-        # aws-iam-authenticator. Management nodes need this. We do it to
-        # our Mu Master.
-        # TODO Maybe we can convert this to BoK-speak and get this out of
-        # here?
-        def self.createK8SAdminRole(rolename)
-          resp = MU::Cloud::AWS.iam.create_role(
-            role_name: rolename,
-            assume_role_policy_document: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::'+MU.account_number+':root"},"Action":"sts:AssumeRole","Condition":{}}]}'
-          )
-          arn = resp.role.arn
-          MU.log "Created EKS Kubernetes admin role #{rolename}"
-          begin
-            MU::Cloud::AWS.iam.get_role(role_name: rolename)
-          rescue Aws::IAM::Errors::NoSuchEntity => e
-            MU.log e.inspect, MU::WARN
-            sleep 10
-            retry
-          end
-          arn
-        end
-
-
         # Called automatically by {MU::Deploy#createResources}
         def create
           if @config['flavor'] == "EKS"
@@ -85,7 +62,7 @@ module MU
             resp = nil
             begin
               MU.log "Creating EKS cluster #{@mu_name}"
-              resp = MU::Cloud::AWS.eks(@config['region']).create_cluster(
+              resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).create_cluster(
                 name: @mu_name,
                 version: @config['kubernetes']['version'],
                 role_arn: role_arn,
@@ -126,7 +103,7 @@ module MU
             status = nil
             retries = 0
             begin
-              resp = MU::Cloud::AWS.eks(@config['region']).describe_cluster(
+              resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).describe_cluster(
                 name: @mu_name
               )
               status = resp.cluster.status
@@ -150,7 +127,7 @@ module MU
 
             MU.log "Creation of EKS cluster #{@mu_name} complete"
           else
-            MU::Cloud::AWS.ecs(@config['region']).create_cluster(
+            MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).create_cluster(
               cluster_name: @mu_name
             )
           end
@@ -159,7 +136,8 @@ module MU
 
         # Called automatically by {MU::Deploy#createResources}
         def groom
-          serverpool = @deploy.findLitterMate(type: "server_pools", name: @config["name"]+"-"+@config["flavor"].downcase)
+
+          serverpool = @deploy.findLitterMate(type: "server_pools", name: @config["name"]+"workers")
           resource_lookup = MU::Cloud::AWS.listInstanceTypes(@config['region'])[@config['region']]
 
           if @config['kubernetes']
@@ -171,21 +149,21 @@ module MU
               tagme << s.cloud_id
               tagme_elb << s.cloud_id if !s.private?
             }
-            rtbs = MU::Cloud::AWS.ec2(@config['region']).describe_route_tables(
+            rtbs = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
               filters: [ { name: "vpc-id", values: [@vpc.cloud_id] } ]
             ).route_tables
             tagme.concat(rtbs.map { |r| r.route_table_id } )
-            main_sg = @deploy.findLitterMate(type: "firewall_rules", name: "server_pool#{@config['name']}-workers")
+            main_sg = @deploy.findLitterMate(type: "firewall_rules", name: "server_pool#{@config['name']}workers")
             tagme << main_sg.cloud_id
             MU.log "Applying kubernetes.io tags to VPC resources", details: tagme
-            MU::Cloud::AWS.createTag("kubernetes.io/cluster/#{@mu_name}", "shared", tagme)
-            MU::Cloud::AWS.createTag("kubernetes.io/cluster/elb", @mu_name, tagme_elb)
+            MU::Cloud::AWS.createTag("kubernetes.io/cluster/#{@mu_name}", "shared", tagme, credentials: @config['credentials'])
+            MU::Cloud::AWS.createTag("kubernetes.io/cluster/elb", @mu_name, tagme_elb, credentials: @config['credentials'])
 
             me = cloud_desc
             @endpoint = me.endpoint
             @cacert = me.certificate_authority.data
             @cluster = @mu_name
-            resp = MU::Cloud::AWS.iam.get_role(role_name: @mu_name+"-WORKERS")
+            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role(role_name: @mu_name+"WORKERS")
             @worker_role_arn = resp.role.arn
             kube_conf = @deploy.deploy_dir+"/kubeconfig-#{@config['name']}"
             eks_auth = @deploy.deploy_dir+"/eks-auth-cm-#{@config['name']}.yaml"
@@ -237,7 +215,7 @@ module MU
 
             MU.log %Q{How to interact with your Kubernetes cluster\nkubectl --kubeconfig "#{kube_conf}" get all\nkubectl --kubeconfig "#{kube_conf}" create -f some_k8s_deploy.yml}, MU::SUMMARY
           else
-            resp = MU::Cloud::AWS.ecs(@config['region']).list_container_instances({
+            resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).list_container_instances({
               cluster: @mu_name
             })
             existing = {}
@@ -247,7 +225,7 @@ module MU
                 uuids << arn.sub(/^.*?:container-instance\//, "")
               }
               if uuids.size > 0
-                resp = MU::Cloud::AWS.ecs(@config['region']).describe_container_instances({
+                resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).describe_container_instances({
                   cluster: @mu_name,
                   container_instances: uuids
                 })
@@ -298,7 +276,7 @@ module MU
                   params[:container_instance_arn] = existing[node.cloud_id].container_instance_arn
                   MU.log "Updating ECS instance #{node} in cluster #{@mu_name}", MU::NOTICE, details: params
                 end
-                MU::Cloud::AWS.ecs(@config['region']).register_container_instance(params)
+                MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).register_container_instance(params)
   
               }
             }
@@ -310,12 +288,12 @@ module MU
         # @return [OpenStruct]
         def cloud_desc
           if @config['flavor'] == "EKS"
-            resp = MU::Cloud::AWS.eks(@config['region']).describe_cluster(
+            resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).describe_cluster(
               name: @mu_name
             )
             resp.cluster
           else
-            resp = MU::Cloud::AWS.ecs(@config['region']).describe_clusters(
+            resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).describe_clusters(
               clusters: [@mu_name]
             )
             resp.clusters.first
@@ -349,7 +327,7 @@ module MU
         # @param flavor [String]: ECS or EKS
         def self.getECSImageId(flavor = "ECS", region = MU.myRegion)
           if flavor == "ECS"
-            resp = MU::Cloud::AWS.ssm(region).get_parameters(
+            resp = MU::Cloud::AWS.ssm(region: region).get_parameters(
               names: ["/aws/service/#{flavor.downcase}/optimized-ami/amazon-linux/recommended"]
             )
             if resp and resp.parameters and resp.parameters.size > 0
@@ -368,7 +346,7 @@ module MU
         # Use the AWS SSM API to fetch the current version of the Amazon Linux
         # EKS-optimized AMI, so we can use it as a default AMI for EKS deploys.
         def self.getEKSImageId(region = MU.myRegion)
-          resp = MU::Cloud::AWS.ssm(region).get_parameters(
+          resp = MU::Cloud::AWS.ssm(region: region).get_parameters(
             names: ["/aws/service/ekss/optimized-ami/amazon-linux/recommended"]
           )
           if resp and resp.parameters and resp.parameters.size > 0
@@ -378,19 +356,26 @@ module MU
           nil
         end
 
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
         # Remove all container_clusters associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, flags: {})
-          resp = MU::Cloud::AWS.ecs(region).list_clusters
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).list_clusters
 
           if resp and resp.cluster_arns and resp.cluster_arns.size > 0
             resp.cluster_arns.each { |arn|
               if arn.match(/:cluster\/(#{MU.deploy_id}[^:]+)$/)
                 cluster = Regexp.last_match[1]
-                instances = MU::Cloud::AWS.ecs(region).list_container_instances({
+                instances = MU::Cloud::AWS.ecs(credentials: credentials, region: region).list_container_instances({
                   cluster: cluster
                 })
                 if instances
@@ -398,7 +383,7 @@ module MU
                     uuid = arn.sub(/^.*?:container-instance\//, "")
                     MU.log "Deregistering instance #{uuid} from ECS Cluster #{cluster}"
                     if !noop
-                      resp = MU::Cloud::AWS.ecs(region).deregister_container_instance({
+                      resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).deregister_container_instance({
                         cluster: cluster,
                         container_instance: uuid,
                         force: true, 
@@ -409,7 +394,7 @@ module MU
                 MU.log "Deleting ECS Cluster #{cluster}"
                 if !noop
 # TODO de-register container instances
-                  deletion = MU::Cloud::AWS.ecs(region).delete_cluster(
+                  deletion = MU::Cloud::AWS.ecs(credentials: credentials, region: region).delete_cluster(
                     cluster: cluster
                   )
                 end
@@ -419,25 +404,25 @@ module MU
           return if !MU::Cloud::AWS::ContainerCluster.EKSRegions.include?(region)
 
 
-          resp = MU::Cloud::AWS.eks(region).list_clusters
+          resp = MU::Cloud::AWS.eks(credentials: credentials, region: region).list_clusters
 
           if resp and resp.clusters
             resp.clusters.each { |cluster|
               if cluster.match(/^#{MU.deploy_id}-/)
 
-                desc = MU::Cloud::AWS.eks(region).describe_cluster(
+                desc = MU::Cloud::AWS.eks(credentials: credentials, region: region).describe_cluster(
                   name: cluster
                 ).cluster
 
                 untag = []
                 untag << desc.resources_vpc_config.vpc_id
-                subnets = MU::Cloud::AWS.ec2(region).describe_subnets(
+                subnets = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_subnets(
                   filters: [ { name: "vpc-id", values: [desc.resources_vpc_config.vpc_id] } ]
                 ).subnets
 
                 # subnets
                 untag.concat(subnets.map { |s| s.subnet_id } )
-                rtbs = MU::Cloud::AWS.ec2(region).describe_route_tables(
+                rtbs = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_route_tables(
                   filters: [ { name: "vpc-id", values: [desc.resources_vpc_config.vpc_id] } ]
                 ).route_tables
                 untag.concat(rtbs.map { |r| r.route_table_id } )
@@ -450,14 +435,14 @@ module MU
                 end
                 MU.log "Deleting EKS Cluster #{cluster}"
                 if !noop
-                  MU::Cloud::AWS.eks(region).delete_cluster(
+                  MU::Cloud::AWS.eks(credentials: credentials, region: region).delete_cluster(
                     name: cluster
                   )
                   begin
                     status = nil
                     retries = 0
                     begin
-                      deletion = MU::Cloud::AWS.eks(region).describe_cluster(
+                      deletion = MU::Cloud::AWS.eks(credentials: credentials, region: region).describe_cluster(
                         name: cluster
                       )
                       status = deletion.cluster.status
@@ -482,12 +467,12 @@ module MU
         # @param region [String]: The cloud provider region.
         # @param flags [Hash]: Optional flags
         # @return [OpenStruct]: The cloud provider's complete descriptions of matching container_clusters.
-        def self.find(cloud_id: nil, region: MU.curRegion, flags: {})
+        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {})
           MU.log cloud_id, MU::WARN, details: flags
           MU.log region, MU::WARN
-          resp = MU::Cloud::AWS.ecs(region).list_clusters
-          resp = MU::Cloud::AWS.eks(region).list_clusters
-          exit
+          resp = MU::Cloud::AWS.ecs(region: region, credentials: credentials).list_clusters
+          resp = MU::Cloud::AWS.eks(region: region, credentials: credentials).list_clusters
+# XXX uh, this ain't complete
         end
 
         # Cloud-specific configuration properties.
@@ -545,6 +530,18 @@ module MU
             ok = false
           end
 
+          if cluster["flavor"] == "EKS" and !cluster["vpc"]
+            if !MU::Cloud::AWS.hosted?
+              MU.log "EKS cluster #{cluster['name']} must declare a VPC", MU::ERR
+              ok = false
+            else
+              cluster["vpc"] = {
+                "vpc_id" => MU.myVPC,
+                "subnet_pref" => "all_private"
+              }
+            end
+          end
+
           if ["ECS", "EKS"].include?(cluster["flavor"])
             std_ami = getECSImageId(cluster["flavor"], cluster['region'])
             cluster["host_image"] ||= std_ami
@@ -564,30 +561,31 @@ module MU
           if ["ECS", "EKS"].include?(cluster["flavor"])
 
             worker_pool = {
-              "name" => cluster["name"]+"-workers",
+              "name" => cluster["name"]+"workers",
+              "credentials" => cluster["credentials"],
               "region" => cluster['region'],
               "min_size" => cluster["instance_count"],
               "max_size" => cluster["instance_count"],
               "wait_for_nodes" => cluster["instance_count"],
               "ssh_user" => cluster["host_ssh_user"],
-              "ingress_rules" => [
-                "sgs" => ["container_cluster#{cluster['name']}"],
-                "port_range" => "1-65535"
-              ],
               "basis" => {
                 "launch_config" => {
-                  "name" => cluster["name"]+"-workers",
+                  "name" => cluster["name"]+"workers",
                   "size" => cluster["instance_type"]
                 }
               }
             }
+            if cluster["flavor"] == "EKS"
+              worker_pool["ingress_rules"] = [
+                "sgs" => ["container_cluster#{cluster['name']}"],
+                "port_range" => "1-65535"
+              ]
+            end
             if cluster["vpc"]
               worker_pool["vpc"] = cluster["vpc"].dup
               worker_pool["vpc"]["subnet_pref"] = cluster["instance_subnet_pref"]
               worker_pool["vpc"].delete("subnets")
             end
-            if cluster["flavor"] == "EKS"
-            end
             if cluster["host_image"]
               worker_pool["basis"]["launch_config"]["image_id"] = cluster["host_image"]
             end
@@ -618,17 +616,24 @@ module MU
 
             if cluster["flavor"] == "ECS"
               cluster["dependencies"] << {
-                "name" => cluster["name"]+"-workers",
+                "name" => cluster["name"]+"workers",
                 "type" => "server_pool",
               }
             elsif cluster["flavor"] == "EKS"
               cluster['ingress_rules'] ||= []
               cluster['ingress_rules'] << {
-                "sgs" => ["server_pool#{cluster['name']}-workers"],
+                "sgs" => ["server_pool#{cluster['name']}workers"],
                 "port" => 443
               }
               fwname = "container_cluster#{cluster['name']}"
-              acl = {"name" => fwname, "rules" => cluster['ingress_rules'], "region" => cluster['region'], "optional_tags" => cluster['optional_tags'] }
+
+              acl = {
+                "name" => fwname,
+                "credentials" => cluster["credentials"],
+                "rules" => cluster['ingress_rules'],
+                "region" => cluster['region'],
+                "optional_tags" => cluster['optional_tags']
+              }
               acl["tags"] = cluster['tags'] if cluster['tags'] && !cluster['tags'].empty?
               acl["vpc"] = cluster['vpc'].dup if cluster['vpc']
 
@@ -642,6 +647,7 @@ module MU
 
               role = {
                 "name" => cluster["name"]+"controlplane",
+                "credentials" => cluster["credentials"],
                 "can_assume" => [
                   { "entity_id" => "eks.amazonaws.com", "entity_type" => "service" }
                 ],
@@ -653,7 +659,8 @@ module MU
               configurator.insertKitten(role, "roles")
               cluster['dependencies'] << {
                 "type" => "role",
-                "name" => cluster["name"]+"controlplane"
+                "name" => cluster["name"]+"controlplane",
+                "phase" => "groom"
               }
             end
           end