cloud-mu 1.9.0.pre.beta → 2.0.0.pre.alpha

data/modules/mu/clouds/aws/dnszone.rb

@@ -64,7 +64,7 @@ module MU
               if @config['all_account_vpcs']
                 # If we've been told to make this domain available account-wide, do so
                 MU::Cloud::AWS.listRegions(@config['us_only']).each { |region|
-                  known_vpcs = MU::Cloud::AWS.ec2(region).describe_vpcs.vpcs
+                  known_vpcs = MU::Cloud::AWS.ec2(region: region).describe_vpcs.vpcs
 
                   MU.log "Enumerating VPCs in #{region}", MU::DEBUG, details: known_vpcs
 
@@ -330,11 +330,11 @@ module MU
         # @param vpc_id [String]: The cloud identifier of the VPC
         # @param region [String]: The cloud provider's region
         # @param remove [Boolean]: Whether to remove access (default: grant access)
-        def self.toggleVPCAccess(id: nil, vpc_id: nil, region: MU.curRegion, remove: false)
+        def self.toggleVPCAccess(id: nil, vpc_id: nil, region: MU.curRegion, remove: false, credentials: nil)
 
           if !remove
             MU.log "Granting VPC #{vpc_id} access to zone #{id}"
-            MU::Cloud::AWS.route53(region).associate_vpc_with_hosted_zone(
+            MU::Cloud::AWS.route53(credentials: credentials).associate_vpc_with_hosted_zone(
                 hosted_zone_id: id,
                 vpc: {
                     :vpc_id => vpc_id,
@@ -345,7 +345,7 @@ module MU
           else
             MU.log "Revoking VPC #{vpc_id} access to zone #{id}"
             begin
-              MU::Cloud::AWS.route53(region).disassociate_vpc_from_hosted_zone(
+              MU::Cloud::AWS.route53(credentials: credentials).disassociate_vpc_from_hosted_zone(
                   hosted_zone_id: id,
                   vpc: {
                       :vpc_id => vpc_id,
@@ -400,7 +400,7 @@ module MU
               target_zone = "/hostedzone/"+alias_zone if !alias_zone.match(/^\/hostedzone\//)
             else
               MU::Cloud::AWS.listRegions.each { |region|
-                MU::Cloud::AWS.elb(region).describe_load_balancers.load_balancer_descriptions.each { |elb|
+                MU::Cloud::AWS.elb(region: region).describe_load_balancers.load_balancer_descriptions.each { |elb|
                   elb_dns = elb.dns_name.downcase
                   elb_dns.chomp!(".")
                   if target_name == elb_dns
@@ -657,14 +657,21 @@ module MU
           end
         end
 
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          true
+        end
+
         # Called by {MU::Cleanup}. Locates resources that were created by the
         # currently-loaded deployment, and purges them.
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, flags: {})
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           checks_to_clean = []
           threads = []
-          MU::Cloud::AWS.route53(region).list_health_checks.health_checks.each { |check|
+          MU::Cloud::AWS.route53(credentials: credentials).list_health_checks.health_checks.each { |check|
             begin
-              tags = MU::Cloud::AWS.route53(region).list_tags_for_resource(
+              tags = MU::Cloud::AWS.route53(credentials: credentials).list_tags_for_resource(
                   resource_type: "healthcheck",
                   resource_id: check.id
               ).resource_tag_set.tags
@@ -692,7 +699,7 @@ module MU
                   MU.log "Removing health check #{check.id}"
                   retries = 5
                   begin 
-                    MU::Cloud::AWS.route53(region).delete_health_check(health_check_id: check.id) if !noop
+                    MU::Cloud::AWS.route53(credentials: credentials).delete_health_check(health_check_id: check.id) if !noop
                   rescue Aws::Route53::Errors::NoSuchHealthCheck => e
                     MU.log "Health Check '#{check.id}' disappeared before I could remove it", MU::WARN, details: e.inspect
                   rescue Aws::Route53::Errors::InvalidInput => e
@@ -721,11 +728,11 @@ module MU
             if !noop
               begin
                 # Clean up resource records first
-                rrsets = MU::Cloud::AWS.route53(region).list_resource_record_sets(hosted_zone_id: zone.id)
+                rrsets = MU::Cloud::AWS.route53(credentials: credentials).list_resource_record_sets(hosted_zone_id: zone.id)
                 rrsets.resource_record_sets.each { |rrset|
                   next if zone.name == rrset.name and (rrset.type == "NS" or rrset.type == "SOA")
                   records = []
-                  MU::Cloud::AWS.route53(region).change_resource_record_sets(
+                  MU::Cloud::AWS.route53(credentials: credentials).change_resource_record_sets(
                       hosted_zone_id: zone.id,
                       change_batch: {
                           changes: [
@@ -738,7 +745,7 @@ module MU
                   )
                 }
 
-                MU::Cloud::AWS.route53(region).delete_hosted_zone(id: zone.id)
+                MU::Cloud::AWS.route53(credentials: credentials).delete_hosted_zone(id: zone.id)
               rescue Aws::Route53::Errors::PriorRequestNotComplete
                 MU.log "Still waiting for all records in DNS Zone '#{zone.name}' (#{zone.id}) to delete", MU::WARN
                 sleep 20
@@ -754,17 +761,17 @@ module MU
           }
 
           # Lets try cleaning MU DNS records in all zones.
-          MU::Cloud::AWS.route53(region).list_hosted_zones.hosted_zones.each { |zone|
+          MU::Cloud::AWS.route53(credentials: credentials).list_hosted_zones.hosted_zones.each { |zone|
             begin 
               zone_rrsets = []
-              rrsets = MU::Cloud::AWS.route53(region).list_resource_record_sets(hosted_zone_id: zone.id)
+              rrsets = MU::Cloud::AWS.route53(credentials: credentials).list_resource_record_sets(hosted_zone_id: zone.id)
               rrsets.resource_record_sets.each { |record|
                 zone_rrsets << record
               }
 
               # AWS API returns a maximum of 100 results. DNS zones are likely to have more than 100 records, lets page and make sure we grab all records in a given zone
               while rrsets.next_record_name && rrsets.next_record_type
-                rrsets = MU::Cloud::AWS.route53(region).list_resource_record_sets(hosted_zone_id: zone.id, start_record_name: rrsets.next_record_name, start_record_type: rrsets.next_record_type)
+                rrsets = MU::Cloud::AWS.route53(credentials: credentials).list_resource_record_sets(hosted_zone_id: zone.id, start_record_name: rrsets.next_record_name, start_record_type: rrsets.next_record_type)
                 rrsets.resource_record_sets.each { |record|
                   zone_rrsets << record
                 }
@@ -871,10 +878,10 @@ module MU
         # @param region [String]: The cloud provider region
         # @param flags [Hash]: Optional flags
         # @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching DNSZones
-        def self.find(cloud_id: nil, deploy_id: MU.deploy_id, region: MU.curRegion, flags: {})
+        def self.find(cloud_id: nil, deploy_id: MU.deploy_id, region: MU.curRegion, credentials: nil, flags: {})
           matches = {}
 
-          resp = MU::Cloud::AWS.route53(region).list_hosted_zones(
+          resp = MU::Cloud::AWS.route53(credentials: credentials).list_hosted_zones(
               max_items: 100
           )
 
@@ -882,13 +889,13 @@ module MU
             if !cloud_id.nil? and !cloud_id.empty?
               if zone.id == cloud_id
                 begin 
-                  matches[zone.id] = MU::Cloud::AWS.route53(region).get_hosted_zone(id: zone.id).hosted_zone
+                  matches[zone.id] = MU::Cloud::AWS.route53(credentials: credentials).get_hosted_zone(id: zone.id).hosted_zone
                 rescue Aws::Route53::Errors::NoSuchHostedZone
                   MU.log "Hosted zone #{zone.id} doesn't exist"
                 end
               elsif zone.name == cloud_id or zone.name == cloud_id+"."
                 begin 
-                  matches[zone.id] = MU::Cloud::AWS.route53(region).get_hosted_zone(id: zone.id).hosted_zone
+                  matches[zone.id] = MU::Cloud::AWS.route53(credentials: credentials).get_hosted_zone(id: zone.id).hosted_zone
                 rescue Aws::Route53::Errors::NoSuchHostedZone
                   MU.log "Hosted zone #{zone.id} doesn't exist"
                 end
@@ -896,7 +903,7 @@ module MU
             end
             if !deploy_id.nil? and !deploy_id.empty? and zone.config.comment == deploy_id
               begin 
-                matches[zone.id] = MU::Cloud::AWS.route53(region).get_hosted_zone(id: zone.id).hosted_zone
+                matches[zone.id] = MU::Cloud::AWS.route53(credentials: credentials).get_hosted_zone(id: zone.id).hosted_zone
               rescue Aws::Route53::Errors::NoSuchHostedZone
                 MU.log "Hosted zone #{zone.id} doesn't exist"
               end

data/modules/mu/clouds/aws/firewall_rule.rb

@@ -51,7 +51,6 @@ module MU
           vpc_id = @vpc.cloud_id if !@vpc.nil?
           groupname = @mu_name
           description = groupname
-          MU.log "Creating EC2 Security Group #{groupname}"
 
           sg_struct = {
             :group_name => groupname,
@@ -62,14 +61,16 @@ module MU
           end
 
           begin
-            secgroup = MU::Cloud::AWS.ec2(@config['region']).create_security_group(sg_struct)
+            MU.log "Creating EC2 Security Group #{groupname}", details: sg_struct
+
+            secgroup = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_security_group(sg_struct)
             @cloud_id = secgroup.group_id
           rescue Aws::EC2::Errors::InvalidGroupDuplicate => e
             MU.log "EC2 Security Group #{groupname} already exists, using it", MU::NOTICE
             filters = [{name: "group-name", values: [groupname]}]
             filters << {name: "vpc-id", values: [vpc_id]} if !vpc_id.nil?
 
-            secgroup = MU::Cloud::AWS.ec2(@config['region']).describe_security_groups(filters: filters).security_groups.first
+            secgroup = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_security_groups(filters: filters).security_groups.first
             deploy_id = @deploy.deploy_id if !@deploy_id.nil?
             if secgroup.nil?
               raise MuError, "Failed to locate security group named #{groupname}, even though EC2 says it already exists", caller
@@ -78,25 +79,25 @@ module MU
           end
 
           begin
-            MU::Cloud::AWS.ec2(@config['region']).describe_security_groups(group_ids: [secgroup.group_id])
+            MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_security_groups(group_ids: [secgroup.group_id])
           rescue Aws::EC2::Errors::InvalidGroupNotFound => e
             MU.log "#{secgroup.group_id} not yet ready, waiting...", MU::NOTICE
             sleep 10
             retry
           end
 
-          MU::MommaCat.createStandardTags(secgroup.group_id, region: @config['region'])
-          MU::MommaCat.createTag(secgroup.group_id, "Name", groupname, region: @config['region'])
+          MU::MommaCat.createStandardTags(secgroup.group_id, region: @config['region'], credentials: @config['credentials'])
+          MU::MommaCat.createTag(secgroup.group_id, "Name", groupname, region: @config['region'], credentials: @config['credentials'])
 
           if @config['optional_tags']
             MU::MommaCat.listOptionalTags.each { |key, value|
-              MU::MommaCat.createTag(secgroup.group_id, key, value, region: @config['region'])
+              MU::MommaCat.createTag(secgroup.group_id, key, value, region: @config['region'], credentials: @config['credentials'])
             }
           end
 
           if @config['tags']
             @config['tags'].each { |tag|
-              MU::MommaCat.createTag(secgroup.group_id, tag['key'], tag['value'], region: @config['region'])
+              MU::MommaCat.createTag(secgroup.group_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
             }
           end
 
@@ -167,12 +168,12 @@ module MU
 
           begin
             if egress
-              MU::Cloud::AWS.ec2(@config['region']).authorize_security_group_egress(
+              MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_egress(
                   group_id: @cloud_id,
                   ip_permissions: ec2_rule
               )
             else
-              MU::Cloud::AWS.ec2(@config['region']).authorize_security_group_ingress(
+              MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_ingress(
                   group_id: @cloud_id,
                   ip_permissions: ec2_rule
               )
@@ -185,7 +186,7 @@ module MU
         # Canonical Amazon Resource Number for this resource
         # @return [String]
         def arn
-          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":ec2:"+@config['region']+":"+MU.account_number+":security-group/"+@cloud_id
+          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":ec2:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":security-group/"+@cloud_id
         end
 
         # Locate an existing security group or groups and return an array containing matching AWS resource descriptors for those that match.
@@ -195,11 +196,11 @@ module MU
         # @param tag_value [String]: The value of the tag specified by tag_key to match when searching by tag.
         # @param flags [Hash]: Optional flags
         # @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching FirewallRules
-        def self.find(cloud_id: nil, region: MU.curRegion, tag_key: "Name", tag_value: nil, flags: {})
+        def self.find(cloud_id: nil, region: MU.curRegion, tag_key: "Name", tag_value: nil, credentials: nil, flags: {})
 
           if !cloud_id.nil? and !cloud_id.empty?
             begin
-              resp = MU::Cloud::AWS.ec2(region).describe_security_groups(group_ids: [cloud_id])
+              resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_security_groups(group_ids: [cloud_id])
               return {cloud_id => resp.data.security_groups.first}
             rescue ArgumentError => e
               MU.log "Attempting to load #{cloud_id}: #{e.inspect}", MU::WARN, details: caller
@@ -212,7 +213,7 @@ module MU
 
           map = {}
           if !tag_key.nil? and !tag_value.nil?
-            resp = MU::Cloud::AWS.ec2(region).describe_security_groups(
+            resp = MU::Cloud::AWS.ec2(region: region, credentials: credentials).describe_security_groups(
                 filters: [
                     {name: "tag:#{tag_key}", values: [tag_value]}
                 ]
@@ -227,12 +228,19 @@ module MU
           map
         end
 
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
         # Remove all security groups (firewall rulesets) associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, flags: {})
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           tagfilters = [
               {name: "tag:MU-ID", values: [MU.deploy_id]}
           ]
@@ -240,7 +248,7 @@ module MU
             tagfilters << {name: "tag:MU-MASTER-IP", values: [MU.mu_public_ip]}
           end
 
-          resp = MU::Cloud::AWS.ec2(region).describe_security_groups(
+          resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_security_groups(
               filters: tagfilters
           )
 
@@ -303,13 +311,13 @@ module MU
               begin
 
                 if ingress_to_revoke.size > 0
-                  MU::Cloud::AWS.ec2(region).revoke_security_group_ingress(
+                  MU::Cloud::AWS.ec2(credentials: credentials, region: region).revoke_security_group_ingress(
                       group_id: sg.group_id,
                       ip_permissions: ingress_to_revoke
                   )
                 end
                 if egress_to_revoke.size > 0
-                  MU::Cloud::AWS.ec2(region).revoke_security_group_egress(
+                  MU::Cloud::AWS.ec2(credentials: credentials, region: region).revoke_security_group_egress(
                       group_id: sg.group_id,
                       ip_permissions: egress_to_revoke
                   )
@@ -325,7 +333,7 @@ module MU
 
             retries = 0
             begin
-              MU::Cloud::AWS.ec2(region).delete_security_group(group_id: sg.group_id) if !noop
+              MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_security_group(group_id: sg.group_id) if !noop
             rescue Aws::EC2::Errors::InvalidGroupNotFound
               MU.log "EC2 Security Group #{sg.group_name} disappeared before I could delete it!", MU::WARN
             rescue Aws::EC2::Errors::DependencyViolation, Aws::EC2::Errors::InvalidGroupInUse
@@ -459,13 +467,13 @@ module MU
               MU.log "Rules for EC2 Security Group #{@mu_name} (#{@cloud_id}): #{ec2_rules}", MU::DEBUG
               begin
                 if ingress
-                  MU::Cloud::AWS.ec2(@config['region']).authorize_security_group_ingress(
+                  MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_ingress(
                       group_id: @cloud_id,
                       ip_permissions: ec2_rules
                   )
                 end
                 if egress
-                  MU::Cloud::AWS.ec2(@config['region']).authorize_security_group_egress(
+                  MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).authorize_security_group_egress(
                       group_id: @cloud_id,
                       ip_permissions: ec2_rules
                   )
@@ -571,7 +579,7 @@ module MU
                   if !lb.nil? and !lb.cloud_desc.nil?
                     lb.cloud_desc.security_groups.each { |lb_sg|
                       ec2_rule[:user_id_group_pairs] << {
-                        user_id: MU.account_number,
+                        user_id: MU::Cloud::AWS.credToAcct(@config['credentials']),
                         group_id: lb_sg
                       }
                     }

data/modules/mu/clouds/aws/folder.rb

@@ -48,21 +48,36 @@ module MU
           }
         end
 
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          true
+        end
+
         # Remove all logs associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, flags: {})
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
         end
 
-        # Locate an existing log group.
+        # Locate an existing AWS organization. If no identifying parameters are specified, this will return a description of the Organization which owns the account for our credentials.
         # @param cloud_id [String]: The cloud provider's identifier for this resource.
         # @param region [String]: The cloud provider region.
         # @param flags [Hash]: Optional flags
         # @return [OpenStruct]: The cloud provider's complete descriptions of matching log group.
-        def self.find(cloud_id: nil, region: MU.curRegion, flags: {})
+        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {})
           found = nil
+
+          if cloud_id
+          else
+            resp = MU::Cloud::AWS.orgs(credentials: credentials).describe_organization
+            found ||= {}
+            found[resp.organization.id] = resp.organization
+          end
+
           found
         end
 

data/modules/mu/clouds/aws/function.rb

@@ -35,16 +35,23 @@ module MU
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
 
-        
+        # Given an IAM role name, resolve to ARN. Will attempt to identify any
+        # sibling Mu role resources by this name first, and failing that, will
+        # do a plain get_role() to the IAM API for the provided name.
+        # @param name [String]
         def get_role_arn(name)
+          sib_role = @deploy.findLitterMate(name: name, type: "roles")
+          return sib_role.cloudobj.arn if sib_role
+
           begin
-            role = MU::Cloud::AWS.iam(@config['region']).get_role({
+            role = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role({
               role_name: name.to_s
             })
             return role['role']['arn']
           rescue Exception => e
-            Mu.log "#{e}", MU::ERR
+            MU.log "#{e}", MU::ERR
           end
+          nil
         end
 
         def get_vpc_config(vpc_name, subnet_name, sg_name,region=@config['region'])
@@ -52,7 +59,7 @@ module MU
             ## get vpc_id
             ## get sub_id and verify its in the same vpc 
             ## get sg_id and verify its in the same vpc
-            ec2_client = MU::Cloud::AWS.ec2(region)
+            ec2_client = MU::Cloud::AWS.ec2(region: region, credentials: @config['credentials'])
             
             vpc_filter = ec2_client.describe_vpcs({
               filters: [{ name: 'tag-value', values: [vpc_name] }]
@@ -94,7 +101,7 @@ module MU
         def assign_tag(resource_arn, tag_list, region=@config['region'])
           begin
             tag_list.each do |each_pair|
-              tag_resp = MU::Cloud::AWS.lambda(region).tag_resource({
+              tag_resp = MU::Cloud::AWS.lambda(region: region, credentials: @config['credentials']).tag_resource({
                 resource: resource_arn,
                 tags: each_pair
               })
@@ -164,11 +171,22 @@ module MU
              lambda_properties[:vpc_config] = vpc_conf
           end
 
-          MU::Cloud::AWS.lambda(@config['region']).create_function(lambda_properties)
+          retries = 0
+          begin
+            MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).create_function(lambda_properties)
+          rescue Aws::Lambda::Errors::InvalidParameterValueException => e
+            # Freshly-made IAM roles sometimes aren't really ready
+            if retries < 5
+              sleep 10
+              retries += 1
+              retry
+            end
+            raise e
+          end
         end
 
         def groom
-          desc = MU::Cloud::AWS.lambda(@config['region']).get_function(
+          desc = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).get_function(
             function_name: @mu_name
           )
           func_arn = desc.configuration.function_arn if !desc.empty?
@@ -199,7 +217,7 @@ module MU
 
               MU.log trigger_properties, MU::DEBUG
               begin
-                add_trigger = MU::Cloud::AWS.lambda(@config['region']).add_permission(trigger_properties)
+                add_trigger = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger_properties)
               rescue Aws::Lambda::Errors::ResourceConflictException
 # XXX check properly for existence
               end
@@ -216,11 +234,11 @@ module MU
             arn = nil
             case svc.downcase
             when 'sns'
-              arn = "arn:aws:sns:#{@config['region']}:#{MU.account_number}:#{name}"
+              arn = "arn:aws:sns:#{@config['region']}:#{MU::Cloud::AWS.credToAcct(@config['credentials'])}:#{name}"
             when 'alarm','events', 'event', 'cloudwatch_event'
-              arn = "arn:aws:events:#{@config['region']}:#{MU.account_number}:rule/#{name}"
+              arn = "arn:aws:events:#{@config['region']}:#{MU::Cloud::AWS.credToAcct(@config['credentials'])}:rule/#{name}"
             when 'apigateway'
-              arn = "arn:aws:apigateway:#{@config['region']}:#{MU.account_number}:#{name}"
+              arn = "arn:aws:apigateway:#{@config['region']}:#{MU::Cloud::AWS.credToAcct(@config['credentials'])}:#{name}"
             when 's3'
               arn = ''
             end
@@ -237,15 +255,16 @@ module MU
           case trig_type
           
           when 'sns'
-            
-            sns_client = MU::Cloud::AWS.sns(@config['region'])
+           # XXX don't do this, use MU::Cloud::AWS::Notification 
+            sns_client = MU::Cloud::AWS.sns(region: @config['region'], credentials: @config['credentials'])
             sub_to_what = sns_client.subscribe({
               topic_arn: trig_arn,
               protocol: protocol,
               endpoint: func_arn
             })
           when 'event','cloudwatch_event', 'events'
-            client = MU::Cloud::AWS.cloudwatch_events(@config['region']).put_targets({
+           # XXX don't do this, use MU::Cloud::AWS::Log
+            client = MU::Cloud::AWS.cloudwatch_events(region: @config['region'], credentials: @config['credentials']).put_targets({
               rule: @config['trigger']['name'],
               targets: [
                 {
@@ -268,23 +287,27 @@ module MU
           return deploy_struct
         end
 
-
-
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
 
         # Remove all functions associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, flags: {})
-          MU::Cloud::AWS.lambda(region).list_functions.functions.each { |f|
-            desc = MU::Cloud::AWS.lambda(region).get_function(
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU::Cloud::AWS.lambda(credentials: credentials, region: region).list_functions.functions.each { |f|
+            desc = MU::Cloud::AWS.lambda(credentials: credentials, region: region).get_function(
               function_name: f.function_name
             )
             if desc.tags and desc.tags["MU-ID"] == MU.deploy_id
               MU.log "Deleting Lambda function #{f.function_name}"
               if !noop
-                MU::Cloud::AWS.lambda(region).delete_function(
+                MU::Cloud::AWS.lambda(credentials: credentials, region: region).delete_function(
                   function_name: f.function_name
                 )
               end
@@ -304,10 +327,10 @@ module MU
         # @param region [String]: The cloud provider region.
         # @param flags [Hash]: Optional flags
         # @return [OpenStruct]: The cloud provider's complete descriptions of matching function.
-        def self.find(cloud_id: nil, func_name: nil, region: MU.curRegion, flags: {})
+        def self.find(cloud_id: nil, func_name: nil, region: MU.curRegion, credentials: nil, flags: {})
           func = nil
           if !func_name.nil?
-            all_functions = MU::Cloud::AWS.lambda(region).list_functions
+            all_functions = MU::Cloud::AWS.lambda(region: region, credentials: credentials).list_functions
             if all_functions.include?(func_name)
               all_functions.functions.each do |x|
                 if x.function_name == func_name
@@ -329,7 +352,13 @@ module MU
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
           toplevel_required = []
-          schema = {}
+          schema = {
+            "iam_role" => {
+              "type" => "string",
+              "description" => "The name of an IAM role for our Lambda function to assume. Can refer to an existing IAM role, or a sibling 'role' resource in Mu. If not specified, will create a default role with the AWSLambdaBasicExecutionRole policy attached. To grant other permissions for your function, create a Mu 'role' resource and use the 'import' and 'policies' parameters to add permissions. See also: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html"
+            }
+# XXX add some canned permission sets here, asking people to get the AWS weirdness right and then translate it into Mu-speak is just too much. Think about auto-populating when a target log group is asked for, mappings for the AWS canned policies in the URL above, writes to arbitrary S3 buckets, etc
+          }
           [toplevel_required, schema]
         end
 
@@ -340,6 +369,31 @@ module MU
         def self.validateConfig(function, configurator)
           ok = true
 
+          if !function['iam_role']
+            roledesc = {
+              "name" => function['name']+"execrole",
+              "credentials" => function['credentials'],
+              "can_assume" => [
+                {
+                  "entity_id" => "lambda.amazonaws.com",
+                  "entity_type" => "service"
+                }
+              ],
+              "import" => [
+                "AWSLambdaBasicExecutionRole"
+              ]
+            }
+            configurator.insertKitten(roledesc, "roles")
+
+            function['dependencies'] ||= []
+            function['iam_role'] = function['name']+"execrole"
+
+            function['dependencies'] << {
+              "type" => "role",
+              "name" => function['name']+"execrole"
+            }
+          end
+
           ok
         end