RubyGems - cloud-mu - Versions diffs - 1.9.0.pre.beta - Mend

cloud-mu 1.9.0.pre.beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (618) hide show

checksums.yaml +7 -0
data/Berksfile +56 -0
data/Berksfile.lock +250 -0
data/Jenkinsfile +184 -0
data/LICENSE.md +37 -0
data/README.md +26 -0
data/bin/mu-aws-setup +376 -0
data/bin/mu-cleanup +68 -0
data/bin/mu-configure +1133 -0
data/bin/mu-deploy +166 -0
data/bin/mu-firewall-allow-clients +30 -0
data/bin/mu-gcp-setup +200 -0
data/bin/mu-gen-docs +34 -0
data/bin/mu-gen-env +42 -0
data/bin/mu-load-config.rb +158 -0
data/bin/mu-node-manage +683 -0
data/bin/mu-self-update +228 -0
data/bin/mu-ssh +23 -0
data/bin/mu-tunnel-nagios +144 -0
data/bin/mu-upload-chef-artifacts +757 -0
data/bin/mu-user-manage +275 -0
data/cookbooks/awscli/LICENSE +37 -0
data/cookbooks/awscli/README.md +58 -0
data/cookbooks/awscli/attributes/default.rb +1 -0
data/cookbooks/awscli/libraries/instance_metadata.rb +21 -0
data/cookbooks/awscli/metadata.rb +20 -0
data/cookbooks/awscli/recipes/default.rb +56 -0
data/cookbooks/awscli/templates/default/config.erb +18 -0
data/cookbooks/mu-activedirectory/CHANGELOG.md +13 -0
data/cookbooks/mu-activedirectory/LICENSE +37 -0
data/cookbooks/mu-activedirectory/README.md +6 -0
data/cookbooks/mu-activedirectory/attributes/default.rb +98 -0
data/cookbooks/mu-activedirectory/files/default/password-auth +32 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-activedirectory/files/default/system-auth +34 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.te +37 -0
data/cookbooks/mu-activedirectory/libraries/config.rb +106 -0
data/cookbooks/mu-activedirectory/libraries/helper.rb +86 -0
data/cookbooks/mu-activedirectory/metadata.rb +17 -0
data/cookbooks/mu-activedirectory/providers/domain.rb +152 -0
data/cookbooks/mu-activedirectory/providers/domain_controller.rb +89 -0
data/cookbooks/mu-activedirectory/providers/domain_node.rb +275 -0
data/cookbooks/mu-activedirectory/recipes/default.rb +8 -0
data/cookbooks/mu-activedirectory/recipes/domain-controller.rb +44 -0
data/cookbooks/mu-activedirectory/recipes/domain-node.rb +50 -0
data/cookbooks/mu-activedirectory/recipes/domain.rb +43 -0
data/cookbooks/mu-activedirectory/recipes/sssd.rb +185 -0
data/cookbooks/mu-activedirectory/resources/domain.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_node.rb +20 -0
data/cookbooks/mu-activedirectory/templates/default/dhclient-eth0.conf.erb +4 -0
data/cookbooks/mu-activedirectory/templates/default/interface +0 -0
data/cookbooks/mu-activedirectory/templates/default/krb5.conf.erb +23 -0
data/cookbooks/mu-activedirectory/templates/default/ntp.conf.erb +56 -0
data/cookbooks/mu-activedirectory/templates/default/smb.conf.erb +33 -0
data/cookbooks/mu-activedirectory/templates/default/sssd.conf.erb +60 -0
data/cookbooks/mu-activedirectory/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-activedirectory/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-activedirectory/templates/windows/gpreprt.xml.erb +198 -0
data/cookbooks/mu-activedirectory/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-activedirectory/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-firewall/CHANGELOG.md +11 -0
data/cookbooks/mu-firewall/LICENSE +37 -0
data/cookbooks/mu-firewall/README.md +5 -0
data/cookbooks/mu-firewall/attributes/default.rb +3 -0
data/cookbooks/mu-firewall/metadata.rb +16 -0
data/cookbooks/mu-firewall/recipes/default.rb +10 -0
data/cookbooks/mu-glusterfs/CHANGELOG.md +13 -0
data/cookbooks/mu-glusterfs/LICENSE +37 -0
data/cookbooks/mu-glusterfs/README.md +5 -0
data/cookbooks/mu-glusterfs/attributes/default.rb +34 -0
data/cookbooks/mu-glusterfs/metadata.rb +17 -0
data/cookbooks/mu-glusterfs/recipes/client.rb +62 -0
data/cookbooks/mu-glusterfs/recipes/default.rb +16 -0
data/cookbooks/mu-glusterfs/recipes/samba.rb +57 -0
data/cookbooks/mu-glusterfs/recipes/server.rb +200 -0
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +71 -0
data/cookbooks/mu-glusterfs/templates/default/smb.conf.erb +14 -0
data/cookbooks/mu-jenkins/CHANGELOG.md +13 -0
data/cookbooks/mu-jenkins/LICENSE +37 -0
data/cookbooks/mu-jenkins/README.md +105 -0
data/cookbooks/mu-jenkins/attributes/default.rb +42 -0
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +73 -0
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +44 -0
data/cookbooks/mu-jenkins/metadata.rb +21 -0
data/cookbooks/mu-jenkins/recipes/default.rb +195 -0
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +54 -0
data/cookbooks/mu-jenkins/recipes/public_key.rb +24 -0
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +24 -0
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +14 -0
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +6 -0
data/cookbooks/mu-master/CHANGELOG.md +13 -0
data/cookbooks/mu-master/LICENSE +37 -0
data/cookbooks/mu-master/README.md +6 -0
data/cookbooks/mu-master/attributes/default.rb +95 -0
data/cookbooks/mu-master/files/default/0-mu-log-server.conf +19 -0
data/cookbooks/mu-master/files/default/addRSA.ldif +8 -0
data/cookbooks/mu-master/files/default/check_mem.pl +197 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.pp +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.te +13 -0
data/cookbooks/mu-master/files/default/nagios_selinux.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux.te +51 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.te +17 -0
data/cookbooks/mu-master/files/default/pam_sshd +18 -0
data/cookbooks/mu-master/files/default/ssl_enable.ldif +18 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-master/files/default/vimrc +19 -0
data/cookbooks/mu-master/libraries/mu.rb +29 -0
data/cookbooks/mu-master/metadata.rb +30 -0
data/cookbooks/mu-master/providers/user.rb +41 -0
data/cookbooks/mu-master/recipes/389ds.rb +164 -0
data/cookbooks/mu-master/recipes/basepackages.rb +58 -0
data/cookbooks/mu-master/recipes/caching_nameserver.rb +37 -0
data/cookbooks/mu-master/recipes/default.rb +451 -0
data/cookbooks/mu-master/recipes/eks-kubectl.rb +41 -0
data/cookbooks/mu-master/recipes/firewall-holes.rb +70 -0
data/cookbooks/mu-master/recipes/init.rb +542 -0
data/cookbooks/mu-master/recipes/ssl-certs.rb +109 -0
data/cookbooks/mu-master/recipes/sssd.rb +89 -0
data/cookbooks/mu-master/recipes/update_nagios_only.rb +242 -0
data/cookbooks/mu-master/recipes/vault.rb +111 -0
data/cookbooks/mu-master/resources/user.rb +19 -0
data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +28 -0
data/cookbooks/mu-master/templates/default/chef-server.rb.erb +18 -0
data/cookbooks/mu-master/templates/default/dhclient-eth0.conf.erb +9 -0
data/cookbooks/mu-master/templates/default/mu-momma-cat.erb +149 -0
data/cookbooks/mu-master/templates/default/mu.rc.erb +9 -0
data/cookbooks/mu-master/templates/default/openssl.cnf.erb +354 -0
data/cookbooks/mu-master/templates/default/sssd.conf.erb +44 -0
data/cookbooks/mu-master/templates/default/web_app.conf.erb +90 -0
data/cookbooks/mu-mongo/CHANGELOG.md +13 -0
data/cookbooks/mu-mongo/LICENSE +37 -0
data/cookbooks/mu-mongo/README.md +5 -0
data/cookbooks/mu-mongo/attributes/default.rb +22 -0
data/cookbooks/mu-mongo/files/default/keyfile +16 -0
data/cookbooks/mu-mongo/files/default/remove_nodes.js +5 -0
data/cookbooks/mu-mongo/metadata.rb +17 -0
data/cookbooks/mu-mongo/recipes/default.rb +149 -0
data/cookbooks/mu-mongo/recipes/yum-update-rule.rb +18 -0
data/cookbooks/mu-mongo/templates/default/mongo_create_openfema_db.js.erb +2 -0
data/cookbooks/mu-mongo/templates/default/mongo_init.js.erb +1 -0
data/cookbooks/mu-mongo/templates/default/mongo_logrotate.erb +14 -0
data/cookbooks/mu-mongo/templates/default/mongo_replset_addnodes.js.erb +6 -0
data/cookbooks/mu-mongo/templates/default/replset_init.js.erb +2 -0
data/cookbooks/mu-openvpn/CHANGELOG.md +13 -0
data/cookbooks/mu-openvpn/LICENSE +37 -0
data/cookbooks/mu-openvpn/README.md +6 -0
data/cookbooks/mu-openvpn/attributes/default.rb +119 -0
data/cookbooks/mu-openvpn/metadata.rb +18 -0
data/cookbooks/mu-openvpn/recipes/default.rb +108 -0
data/cookbooks/mu-openvpn/templates/default/users.json.erb +42 -0
data/cookbooks/mu-php54/CHANGELOG.md +12 -0
data/cookbooks/mu-php54/LICENSE +37 -0
data/cookbooks/mu-php54/README.md +0 -0
data/cookbooks/mu-php54/files/centos/php.ini +1802 -0
data/cookbooks/mu-php54/files/ubuntu/php.ini +1870 -0
data/cookbooks/mu-php54/metadata.rb +21 -0
data/cookbooks/mu-php54/recipes/default.rb +97 -0
data/cookbooks/mu-splunk/CHANGELOG.md +37 -0
data/cookbooks/mu-splunk/LICENSE +37 -0
data/cookbooks/mu-splunk/README.md +451 -0
data/cookbooks/mu-splunk/attributes/default.rb +95 -0
data/cookbooks/mu-splunk/attributes/upgrade.rb +49 -0
data/cookbooks/mu-splunk/definitions/splunk_installer.rb +103 -0
data/cookbooks/mu-splunk/files/default/splunk-nocheck +10 -0
data/cookbooks/mu-splunk/libraries/helpers.rb +72 -0
data/cookbooks/mu-splunk/libraries/splunk_app_provider.rb +156 -0
data/cookbooks/mu-splunk/libraries/splunk_app_resource.rb +43 -0
data/cookbooks/mu-splunk/metadata.json +30 -0
data/cookbooks/mu-splunk/metadata.rb +17 -0
data/cookbooks/mu-splunk/recipes/client.rb +143 -0
data/cookbooks/mu-splunk/recipes/default.rb +31 -0
data/cookbooks/mu-splunk/recipes/disabled.rb +41 -0
data/cookbooks/mu-splunk/recipes/install_forwarder.rb +23 -0
data/cookbooks/mu-splunk/recipes/install_server.rb +23 -0
data/cookbooks/mu-splunk/recipes/server.rb +53 -0
data/cookbooks/mu-splunk/recipes/service.rb +95 -0
data/cookbooks/mu-splunk/recipes/setup_auth.rb +49 -0
data/cookbooks/mu-splunk/recipes/setup_ssl.rb +63 -0
data/cookbooks/mu-splunk/recipes/upgrade.rb +94 -0
data/cookbooks/mu-splunk/recipes/user.rb +34 -0
data/cookbooks/mu-splunk/templates/default/base_logs_unix_inputs.conf.erb +26 -0
data/cookbooks/mu-splunk/templates/default/inputs.conf.erb +13 -0
data/cookbooks/mu-splunk/templates/default/outputs.conf.erb +9 -0
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +74 -0
data/cookbooks/mu-splunk/templates/default/system-web.conf.erb +7 -0
data/cookbooks/mu-tools/CHANGELOG.md +12 -0
data/cookbooks/mu-tools/LICENSE +37 -0
data/cookbooks/mu-tools/README.md +188 -0
data/cookbooks/mu-tools/attributes/default.rb +142 -0
data/cookbooks/mu-tools/attributes/ebs_rolling_snapshots.rb +3 -0
data/cookbooks/mu-tools/files/amazon/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/CentOS-Base.repo +52 -0
data/cookbooks/mu-tools/files/centos/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/centos/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/centos/etc/profile +77 -0
data/cookbooks/mu-tools/files/centos/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/centos/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/centos/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/centos-6/README_MU +0 -0
data/cookbooks/mu-tools/files/centos-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/centos-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/centos-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/centos-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/centos-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/default/Mu_CA.pem +34 -0
data/cookbooks/mu-tools/files/default/PSWindowsUpdate.zip +0 -0
data/cookbooks/mu-tools/files/default/ebs_snapshots.py +123 -0
data/cookbooks/mu-tools/files/default/etc/BANNER +0 -0
data/cookbooks/mu-tools/files/default/etc/BANNER-FEDERAL +19 -0
data/cookbooks/mu-tools/files/default/gpo_no_uac.zip +0 -0
data/cookbooks/mu-tools/files/default/mypol.pp +0 -0
data/cookbooks/mu-tools/files/default/mypol.te +37 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.te +31 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.te +11 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.te +10 -0
data/cookbooks/mu-tools/files/default/nrpe_file.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_file.te +31 -0
data/cookbooks/mu-tools/files/default/ntrights +0 -0
data/cookbooks/mu-tools/files/default/serverclass.conf +18 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/inputs.conf +13 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/inputs.conf +8 -0
data/cookbooks/mu-tools/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-tools/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-tools/files/redhat/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/redhat/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/redhat/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/redhat/etc/profile +77 -0
data/cookbooks/mu-tools/files/redhat/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/redhat/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/redhat/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/redhat-6/README_MU +0 -0
data/cookbooks/mu-tools/files/redhat-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/redhat-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/redhat-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/redhat-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/redhat-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/redhat-7.1/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/bash.bashrc +64 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/common-session +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/login.defs +338 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/profile +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/security/limits.conf +56 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/sysctl.conf +60 -0
data/cookbooks/mu-tools/libraries/helper.rb +292 -0
data/cookbooks/mu-tools/metadata.rb +28 -0
data/cookbooks/mu-tools/recipes/add_admin_ssh_keys.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +440 -0
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -0
data/cookbooks/mu-tools/recipes/base_repositories.rb +31 -0
data/cookbooks/mu-tools/recipes/cisbenchmark.rb +59 -0
data/cookbooks/mu-tools/recipes/clamav.rb +53 -0
data/cookbooks/mu-tools/recipes/cloudinit.rb +58 -0
data/cookbooks/mu-tools/recipes/configure_oracle_tools.rb +81 -0
data/cookbooks/mu-tools/recipes/disable-requiretty.rb +22 -0
data/cookbooks/mu-tools/recipes/ebs_rolling_snapshots.rb +75 -0
data/cookbooks/mu-tools/recipes/efs.rb +70 -0
data/cookbooks/mu-tools/recipes/eks.rb +160 -0
data/cookbooks/mu-tools/recipes/gcloud.rb +98 -0
data/cookbooks/mu-tools/recipes/google_api.rb +25 -0
data/cookbooks/mu-tools/recipes/maldet.rb +67 -0
data/cookbooks/mu-tools/recipes/nagios.rb +19 -0
data/cookbooks/mu-tools/recipes/newclient.rb +23 -0
data/cookbooks/mu-tools/recipes/nrpe.rb +115 -0
data/cookbooks/mu-tools/recipes/python_pip.rb +35 -0
data/cookbooks/mu-tools/recipes/retrieve_application.rb +51 -0
data/cookbooks/mu-tools/recipes/rsyslog.rb +65 -0
data/cookbooks/mu-tools/recipes/set_local_fw.rb +57 -0
data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +81 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +86 -0
data/cookbooks/mu-tools/recipes/splunk-client.rb +69 -0
data/cookbooks/mu-tools/recipes/splunk-server.rb +104 -0
data/cookbooks/mu-tools/recipes/store_inspec_attr.rb +8 -0
data/cookbooks/mu-tools/recipes/updates.rb +96 -0
data/cookbooks/mu-tools/recipes/windows-client.rb +202 -0
data/cookbooks/mu-tools/resources/aws_windows.rb +33 -0
data/cookbooks/mu-tools/resources/disk.rb +88 -0
data/cookbooks/mu-tools/resources/mommacat_request.rb +11 -0
data/cookbooks/mu-tools/resources/scheduled_tasks.rb +29 -0
data/cookbooks/mu-tools/resources/sshd_service.rb +45 -0
data/cookbooks/mu-tools/resources/windows_users.rb +242 -0
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +168 -0
data/cookbooks/mu-tools/templates/centos-6/sshd_config.erb +212 -0
data/cookbooks/mu-tools/templates/centos-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/default/0-mu-log-client.conf.erb +13 -0
data/cookbooks/mu-tools/templates/default/conf.maldet.erb +137 -0
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +30 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_password-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_system-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_sysconfig_network.erb +12 -0
data/cookbooks/mu-tools/templates/default/kubeconfig.erb +29 -0
data/cookbooks/mu-tools/templates/default/kubelet.service.erb +35 -0
data/cookbooks/mu-tools/templates/default/maldet_scanall.sh.erb +15 -0
data/cookbooks/mu-tools/templates/default/nrpe.cfg.erb +233 -0
data/cookbooks/mu-tools/templates/redhat-6/sshd_config.erb +213 -0
data/cookbooks/mu-tools/templates/redhat-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/ubuntu-12.04/sshd_config.erb +146 -0
data/cookbooks/mu-tools/templates/ubuntu-14.04/sshd_config.erb +145 -0
data/cookbooks/mu-tools/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-tools/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/gpreprt.xml.erb +214 -0
data/cookbooks/mu-tools/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-tools/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/set_ad_dns_scheduled_task.ps1.erb +6 -0
data/cookbooks/mu-tools/templates/windows/sshd_config.erb +136 -0
data/cookbooks/mu-utility/CHANGELOG.md +12 -0
data/cookbooks/mu-utility/LICENSE +37 -0
data/cookbooks/mu-utility/README.md +6 -0
data/cookbooks/mu-utility/attributes/default.rb +1 -0
data/cookbooks/mu-utility/libraries/matchers.rb +21 -0
data/cookbooks/mu-utility/metadata.rb +16 -0
data/cookbooks/mu-utility/recipes/apt.rb +23 -0
data/cookbooks/mu-utility/recipes/cleanup_image_helper.rb +118 -0
data/cookbooks/mu-utility/recipes/iptables.rb +26 -0
data/cookbooks/mu-utility/recipes/luks.rb +18 -0
data/cookbooks/mu-utility/recipes/nat.rb +104 -0
data/cookbooks/mu-utility/recipes/php.rb +33 -0
data/cookbooks/mu-utility/recipes/rdp_gateway.rb +83 -0
data/cookbooks/mu-utility/recipes/remi.rb +44 -0
data/cookbooks/mu-utility/recipes/vim.rb +26 -0
data/cookbooks/mu-utility/recipes/windows_basics.rb +37 -0
data/cookbooks/mu-utility/recipes/zip.rb +26 -0
data/cookbooks/mu-utility/templates/default/BundleConfig.xml.erb +34 -0
data/cookbooks/mu-utility/templates/default/config.xml.erb +60 -0
data/cookbooks/nagios/Berksfile +8 -0
data/cookbooks/nagios/CHANGELOG.md +589 -0
data/cookbooks/nagios/CONTRIBUTING.md +11 -0
data/cookbooks/nagios/LICENSE +37 -0
data/cookbooks/nagios/README.md +328 -0
data/cookbooks/nagios/TESTING.md +2 -0
data/cookbooks/nagios/attributes/config.rb +171 -0
data/cookbooks/nagios/attributes/default.rb +228 -0
data/cookbooks/nagios/chefignore +102 -0
data/cookbooks/nagios/definitions/command.rb +33 -0
data/cookbooks/nagios/definitions/contact.rb +33 -0
data/cookbooks/nagios/definitions/contactgroup.rb +33 -0
data/cookbooks/nagios/definitions/host.rb +33 -0
data/cookbooks/nagios/definitions/hostdependency.rb +33 -0
data/cookbooks/nagios/definitions/hostescalation.rb +34 -0
data/cookbooks/nagios/definitions/hostgroup.rb +33 -0
data/cookbooks/nagios/definitions/nagios_conf.rb +38 -0
data/cookbooks/nagios/definitions/resource.rb +33 -0
data/cookbooks/nagios/definitions/service.rb +33 -0
data/cookbooks/nagios/definitions/servicedependency.rb +33 -0
data/cookbooks/nagios/definitions/serviceescalation.rb +34 -0
data/cookbooks/nagios/definitions/servicegroup.rb +33 -0
data/cookbooks/nagios/definitions/timeperiod.rb +33 -0
data/cookbooks/nagios/libraries/base.rb +314 -0
data/cookbooks/nagios/libraries/command.rb +91 -0
data/cookbooks/nagios/libraries/contact.rb +230 -0
data/cookbooks/nagios/libraries/contactgroup.rb +112 -0
data/cookbooks/nagios/libraries/custom_option.rb +36 -0
data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
data/cookbooks/nagios/libraries/default.rb +90 -0
data/cookbooks/nagios/libraries/host.rb +412 -0
data/cookbooks/nagios/libraries/hostdependency.rb +181 -0
data/cookbooks/nagios/libraries/hostescalation.rb +173 -0
data/cookbooks/nagios/libraries/hostgroup.rb +119 -0
data/cookbooks/nagios/libraries/nagios.rb +282 -0
data/cookbooks/nagios/libraries/resource.rb +59 -0
data/cookbooks/nagios/libraries/service.rb +455 -0
data/cookbooks/nagios/libraries/servicedependency.rb +215 -0
data/cookbooks/nagios/libraries/serviceescalation.rb +195 -0
data/cookbooks/nagios/libraries/servicegroup.rb +144 -0
data/cookbooks/nagios/libraries/timeperiod.rb +160 -0
data/cookbooks/nagios/libraries/users_helper.rb +54 -0
data/cookbooks/nagios/metadata.rb +25 -0
data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
data/cookbooks/nagios/recipes/apache.rb +48 -0
data/cookbooks/nagios/recipes/default.rb +204 -0
data/cookbooks/nagios/recipes/nginx.rb +82 -0
data/cookbooks/nagios/recipes/pagerduty.rb +143 -0
data/cookbooks/nagios/recipes/server_package.rb +40 -0
data/cookbooks/nagios/recipes/server_source.rb +164 -0
data/cookbooks/nagios/templates/default/apache2.conf.erb +96 -0
data/cookbooks/nagios/templates/default/cgi.cfg.erb +266 -0
data/cookbooks/nagios/templates/default/commands.cfg.erb +13 -0
data/cookbooks/nagios/templates/default/contacts.cfg.erb +37 -0
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +25 -0
data/cookbooks/nagios/templates/default/hosts.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/htpasswd.users.erb +6 -0
data/cookbooks/nagios/templates/default/nagios.cfg.erb +22 -0
data/cookbooks/nagios/templates/default/nginx.conf.erb +62 -0
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +185 -0
data/cookbooks/nagios/templates/default/resource.cfg.erb +27 -0
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/services.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/templates.cfg.erb +31 -0
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +13 -0
data/cookbooks/s3fs/CHANGELOG.md +13 -0
data/cookbooks/s3fs/LICENSE +37 -0
data/cookbooks/s3fs/README.md +6 -0
data/cookbooks/s3fs/attributes/default.rb +15 -0
data/cookbooks/s3fs/files/default/fuse-2.9.3.zip +0 -0
data/cookbooks/s3fs/metadata.rb +16 -0
data/cookbooks/s3fs/recipes/default.rb +91 -0
data/data_bags/demo/app.json +7 -0
data/data_bags/nagios_services/chef.json +6 -0
data/data_bags/nagios_services/linux_diskspace.json +5 -0
data/data_bags/nagios_services/momma_cat.json +6 -0
data/data_bags/nagios_services/mu-master-memory.json +5 -0
data/data_bags/nagios_services/nagios_ui.json +6 -0
data/data_bags/nagios_services/node_ssh.json +6 -0
data/data_bags/nagios_services/ssh.json +6 -0
data/demo/lambda_test.yaml +29 -0
data/environments/DEV.json +8 -0
data/environments/PROD.json +8 -0
data/environments/dev.json +8 -0
data/environments/development.json +8 -0
data/environments/prod.json +8 -0
data/extras/README.md +1 -0
data/extras/admin-role-binding.yaml +16 -0
data/extras/admin-user.yaml +6 -0
data/extras/aws-auth-cm.yaml.erb +12 -0
data/extras/clean-stock-amis +48 -0
data/extras/git-fix-permissions-hook +12 -0
data/extras/gitlab-eks-helper.sh.erb +20 -0
data/extras/image-generators/README.md +2 -0
data/extras/image-generators/aws/centos6.yaml +18 -0
data/extras/image-generators/aws/centos7-govcloud.yaml +24 -0
data/extras/image-generators/aws/centos7.yaml +17 -0
data/extras/image-generators/aws/rhel7.yaml +17 -0
data/extras/image-generators/aws/win2k12.yaml +16 -0
data/extras/image-generators/aws/win2k16.yaml +16 -0
data/extras/image-generators/aws/windows.yaml +18 -0
data/extras/image-generators/gcp/centos6.yaml +17 -0
data/extras/lambda_waf_domain_blacklist.py +103 -0
data/extras/platform_berksfile_base +50 -0
data/extras/ruby_rpm/build.sh +17 -0
data/extras/ruby_rpm/muby.spec +44 -0
data/extras/vault_tools/README.md +6 -0
data/extras/vault_tools/export_vaults.sh +3 -0
data/extras/vault_tools/recreate_vaults.sh +5 -0
data/extras/vault_tools/test_vaults.sh +5 -0
data/install/README.md +8 -0
data/install/cfn_create_mu_master.json +1034 -0
data/install/chef-server.rb.erb +19 -0
data/install/deprecated-bash-library.sh +1891 -0
data/install/images/Usage.png +0 -0
data/install/installer +71 -0
data/install/jenkinskeys.rb +8 -0
data/install/user-dot-murc.erb +14 -0
data/modules/html.erb +19 -0
data/modules/mommacat.ru +426 -0
data/modules/mu/cleanup.rb +339 -0
data/modules/mu/cloud.rb +1446 -0
data/modules/mu/clouds/README.md +201 -0
data/modules/mu/clouds/aws/alarm.rb +319 -0
data/modules/mu/clouds/aws/cache_cluster.rb +1010 -0
data/modules/mu/clouds/aws/collection.rb +373 -0
data/modules/mu/clouds/aws/container_cluster.rb +667 -0
data/modules/mu/clouds/aws/database.rb +1836 -0
data/modules/mu/clouds/aws/dnszone.rb +911 -0
data/modules/mu/clouds/aws/firewall_rule.rb +641 -0
data/modules/mu/clouds/aws/folder.rb +92 -0
data/modules/mu/clouds/aws/function.rb +349 -0
data/modules/mu/clouds/aws/group.rb +251 -0
data/modules/mu/clouds/aws/loadbalancer.rb +888 -0
data/modules/mu/clouds/aws/log.rb +363 -0
data/modules/mu/clouds/aws/msg_queue.rb +480 -0
data/modules/mu/clouds/aws/notification.rb +139 -0
data/modules/mu/clouds/aws/role.rb +656 -0
data/modules/mu/clouds/aws/search_domain.rb +646 -0
data/modules/mu/clouds/aws/server.rb +2294 -0
data/modules/mu/clouds/aws/server_pool.rb +1388 -0
data/modules/mu/clouds/aws/storage_pool.rb +495 -0
data/modules/mu/clouds/aws/user.rb +382 -0
data/modules/mu/clouds/aws/userdata/README.md +4 -0
data/modules/mu/clouds/aws/userdata/linux.erb +179 -0
data/modules/mu/clouds/aws/userdata/windows.erb +278 -0
data/modules/mu/clouds/aws/vpc.rb +1943 -0
data/modules/mu/clouds/aws.rb +1009 -0
data/modules/mu/clouds/cloudformation/alarm.rb +146 -0
data/modules/mu/clouds/cloudformation/cache_cluster.rb +167 -0
data/modules/mu/clouds/cloudformation/collection.rb +117 -0
data/modules/mu/clouds/cloudformation/database.rb +278 -0
data/modules/mu/clouds/cloudformation/dnszone.rb +274 -0
data/modules/mu/clouds/cloudformation/firewall_rule.rb +308 -0
data/modules/mu/clouds/cloudformation/loadbalancer.rb +193 -0
data/modules/mu/clouds/cloudformation/log.rb +170 -0
data/modules/mu/clouds/cloudformation/server.rb +370 -0
data/modules/mu/clouds/cloudformation/server_pool.rb +279 -0
data/modules/mu/clouds/cloudformation/vpc.rb +322 -0
data/modules/mu/clouds/cloudformation.rb +733 -0
data/modules/mu/clouds/docker.rb +30 -0
data/modules/mu/clouds/google/container_cluster.rb +290 -0
data/modules/mu/clouds/google/database.rb +152 -0
data/modules/mu/clouds/google/firewall_rule.rb +267 -0
data/modules/mu/clouds/google/group.rb +164 -0
data/modules/mu/clouds/google/loadbalancer.rb +479 -0
data/modules/mu/clouds/google/server.rb +1510 -0
data/modules/mu/clouds/google/server_pool.rb +274 -0
data/modules/mu/clouds/google/user.rb +266 -0
data/modules/mu/clouds/google/userdata/README.md +4 -0
data/modules/mu/clouds/google/userdata/linux.erb +137 -0
data/modules/mu/clouds/google/userdata/windows.erb +275 -0
data/modules/mu/clouds/google/vpc.rb +890 -0
data/modules/mu/clouds/google.rb +811 -0
data/modules/mu/config/README.md +11 -0
data/modules/mu/config/alarm.rb +271 -0
data/modules/mu/config/cache_cluster.rb +172 -0
data/modules/mu/config/collection.rb +87 -0
data/modules/mu/config/container_cluster.rb +103 -0
data/modules/mu/config/container_cluster.yml +36 -0
data/modules/mu/config/database.rb +458 -0
data/modules/mu/config/database.yml +26 -0
data/modules/mu/config/dnszone.rb +327 -0
data/modules/mu/config/firewall_rule.rb +118 -0
data/modules/mu/config/folder.rb +70 -0
data/modules/mu/config/function.rb +140 -0
data/modules/mu/config/group.rb +64 -0
data/modules/mu/config/loadbalancer.rb +482 -0
data/modules/mu/config/log.rb +47 -0
data/modules/mu/config/log.yml +6 -0
data/modules/mu/config/msg_queue.rb +47 -0
data/modules/mu/config/msg_queue.yml +9 -0
data/modules/mu/config/notification.rb +44 -0
data/modules/mu/config/project.rb +71 -0
data/modules/mu/config/role.rb +102 -0
data/modules/mu/config/search_domain.rb +61 -0
data/modules/mu/config/search_domain.yml +25 -0
data/modules/mu/config/server.rb +587 -0
data/modules/mu/config/server.yml +8 -0
data/modules/mu/config/server_pool.rb +216 -0
data/modules/mu/config/server_pool.yml +71 -0
data/modules/mu/config/storage_pool.rb +145 -0
data/modules/mu/config/user.rb +78 -0
data/modules/mu/config/vpc.rb +743 -0
data/modules/mu/config/vpc.yml +6 -0
data/modules/mu/config.rb +2000 -0
data/modules/mu/defaults/README.md +2 -0
data/modules/mu/defaults/amazon_images.yaml +121 -0
data/modules/mu/defaults/google_images.yaml +16 -0
data/modules/mu/deploy.rb +686 -0
data/modules/mu/groomer.rb +123 -0
data/modules/mu/groomers/README.md +58 -0
data/modules/mu/groomers/chef.rb +1024 -0
data/modules/mu/kittens.rb +11319 -0
data/modules/mu/logger.rb +208 -0
data/modules/mu/master/README.md +27 -0
data/modules/mu/master/chef.rb +471 -0
data/modules/mu/master/ldap.rb +1005 -0
data/modules/mu/master.rb +415 -0
data/modules/mu/mommacat.rb +2703 -0
data/modules/mu-load-config.rb +1 -0
data/modules/mu.rb +724 -0
data/modules/scratchpad.erb +1 -0
data/modules/tests/super_complex_bok.yml +41 -0
data/modules/tests/super_simple_bok.yml +40 -0
data/mu.gemspec +62 -0
data/roles/demo-dbservice-configure.json +19 -0
data/roles/demo-portal-configure.json +19 -0
data/roles/mu-master-jenkins.json +24 -0
data/roles/mu-master-nagios-only.json +13 -0
data/roles/mu-master.json +12 -0
data/roles/mu-node.json +19 -0
data/roles/mu-splunk-server.json +13 -0
data/roles/mu-splunk.json +13 -0
data/test/clean_up.py +25 -0
data/test/demo-test-profile/README.md +3 -0
data/test/demo-test-profile/controls/flask.rb +84 -0
data/test/demo-test-profile/inspec.lock +7 -0
data/test/demo-test-profile/inspec.yml +11 -0
data/test/etco-test-profile/README.md +3 -0
data/test/etco-test-profile/controls/all-in-one.rb +182 -0
data/test/etco-test-profile/inspec.lock +7 -0
data/test/etco-test-profile/inspec.yml +11 -0
data/test/exec_inspec.py +246 -0
data/test/exec_mu_install.py +241 -0
data/test/exec_retry.py +44 -0
data/test/mu-master-test/README.md +3 -0
data/test/mu-master-test/controls/all_in_one.rb +557 -0
data/test/mu-master-test/inspec.lock +3 -0
data/test/mu-master-test/inspec.yml +11 -0
data/test/mu-tools-test/README.md +3 -0
data/test/mu-tools-test/controls/base.rb +265 -0
data/test/mu-tools-test/inspec.lock +3 -0
data/test/mu-tools-test/inspec.yml +8 -0
data/test/simple-server-php-test/README.md +3 -0
data/test/simple-server-php-test/controls/apachephp.rb +25 -0
data/test/simple-server-php-test/controls/example.rb +19 -0
data/test/simple-server-php-test/inspec.lock +7 -0
data/test/simple-server-php-test/inspec.yml +12 -0
data/test/simple-server-rails-test/README.md +3 -0
data/test/simple-server-rails-test/controls/rails.rb +188 -0
data/test/simple-server-rails-test/inspec.lock +7 -0
data/test/simple-server-rails-test/inspec.yml +11 -0
data/test/simple-windows-test/README.md +3 -0
data/test/simple-windows-test/controls/windows.rb +20 -0
data/test/simple-windows-test/inspec.lock +7 -0
data/test/simple-windows-test/inspec.yml +11 -0
data/test/smoke_test.rb +75 -0
data/test/wordpress-test/README.md +3 -0
data/test/wordpress-test/controls/wordpress.rb +97 -0
data/test/wordpress-test/inspec.lock +7 -0
data/test/wordpress-test/inspec.yml +11 -0
metadata +979 -0

data/modules/mu/clouds/aws.rb ADDED Viewed

@@ -0,0 +1,1009 @@
+# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require "net/http"
+require 'open-uri'
+require 'timeout'
+require 'inifile'
+gem 'aws-sdk-core'
+autoload :Aws, "aws-sdk-core"
+module MU
+  class Cloud
+    # Support for Amazon Web Services as a provisioning layer.
+    class AWS
+      @@myRegion_var = nil
+      @@creds_loaded = false
+      # Load some credentials for using the AWS API
+      def self.loadCredentials
+        return if @@creds_loaded
+        if $MU_CFG and $MU_CFG['aws']
+          loaded = false
+          if $MU_CFG['aws']['access_key'] and $MU_CFG['aws']['access_secret'] and
+            # access key and secret just sitting in mu.yaml
+             !$MU_CFG['aws']['access_key'].empty? and
+             !$MU_CFG['aws']['access_secret'].empty?
+            Aws.config = {
+              access_key_id: $MU_CFG['aws']['access_key'],
+              secret_access_key: $MU_CFG['aws']['access_secret'],
+              region: $MU_CFG['aws']['region']
+            }
+            loaded = true
+          elsif $MU_CFG['aws']['credentials_file'] and
+                !$MU_CFG['aws']['credentials_file'].empty?
+            # pull access key and secret from an awscli-style credentials file
+            begin
+              File.read($MU_CFG["aws"]["credentials_file"]) # make sure it's there
+              credfile = IniFile.load($MU_CFG["aws"]["credentials_file"])
+              if !credfile.sections or credfile.sections.size == 0
+                raise ::IniFile::Error, "No AWS profiles found in #{$MU_CFG["aws"]["credentials_file"]}"
+              end
+              data = credfile.has_section?("default") ? credfile["default"] : credfile[credfile.sections.first]
+              if data["aws_access_key_id"] and data["aws_secret_access_key"]
+                Aws.config = {
+                  access_key_id: data['aws_access_key_id'],
+                  secret_access_key: data['aws_secret_access_key'],
+                  region: $MU_CFG['aws']['region']
+                }
+                loaded = true
+              else
+                MU.log "AWS credentials in #{$MU_CFG["aws"]["credentials_file"]} specified, but is missing aws_access_key_id or aws_secret_access_key elements", MU::WARN
+              end
+            rescue IniFile::Error, Errno::ENOENT, Errno::EACCES => e
+              MU.log "AWS credentials file #{$MU_CFG["aws"]["credentials_file"]} is missing or invalid", MU::WARN, details: e.message
+            end
+          elsif $MU_CFG['aws']['credentials'] and
+                !$MU_CFG['aws']['credentials'].empty?
+            # pull access key and secret from a vault
+            begin
+              vault, item = $MU_CFG["aws"]["credentials"].split(/:/)
+              data = MU::Groomer::Chef.getSecret(vault: vault, item: item).to_h
+              if data["access_key"] and data["access_secret"]
+                Aws.config = {
+                  access_key_id: data['access_key'],
+                  secret_access_key: data['access_secret'],
+                  region: $MU_CFG['aws']['region']
+                }
+                loaded = true
+              else
+                MU.log "AWS credentials vault:item #{$MU_CFG["aws"]["credentials"]} specified, but is missing access_key or access_secret elements", MU::WARN
+              end
+            rescue MU::Groomer::Chef::MuNoSuchSecret
+              MU.log "AWS credentials vault:item #{$MU_CFG["aws"]["credentials"]} specified, but does not exist", MU::WARN
+            end
+          end
+          if !loaded and hosted?
+            # assume we've got an IAM profile and hope for the best
+            ENV.delete('AWS_ACCESS_KEY_ID')
+            ENV.delete('AWS_SECRET_ACCESS_KEY')
+            Aws.config = {region: ENV['EC2_REGION']}
+            loaded = true
+          end
+          @@creds_loaded = loaded
+          if !@@creds_loaded
+            raise MuError, "AWS layer is enabled in mu.yaml, but I couldn't find working API credentials anywhere"
+          end
+        end
+      end
+      # Any cloud-specific instance methods we require our resource
+      # implementations to have, above and beyond the ones specified by
+      # {MU::Cloud}
+      # @return [Array<Symbol>]
+      def self.required_instance_methods
+        [:arn]
+      end
+      # If we've configured AWS as a provider, or are simply hosted in AWS,
+      # decide what our default region is.
+      def self.myRegion
+        if $MU_CFG and (!$MU_CFG['aws'] or !account_number) and !hosted?
+          return nil
+        end
+        if $MU_CFG and $MU_CFG['aws'] and $MU_CFG['aws']['region']
+          @@myRegion_var ||= MU::Cloud::AWS.ec2($MU_CFG['aws']['region']).describe_availability_zones.availability_zones.first.region_name
+        elsif ENV.has_key?("EC2_REGION") and !ENV['EC2_REGION'].empty?
+          @@myRegion_var ||= MU::Cloud::AWS.ec2(ENV['EC2_REGION']).describe_availability_zones.availability_zones.first.region_name
+        else
+          # hacky, but useful in a pinch
+          az_str = MU::Cloud::AWS.getAWSMetaData("placement/availability-zone")
+          @@myRegion_var = az_str.sub(/[a-z]$/i, "") if az_str
+        end
+      end
+      # Is the region we're dealing with a GovCloud region?
+      # @param region [String]: The region in question, defaults to the Mu Master's local region
+      def self.isGovCloud?(region = myRegion)
+        return false if !region
+        region.match(/^us-gov-/)
+      end
+      # @param resources [Array<String>]: The cloud provider identifier of the resource to untag
+      # @param key [String]: The name of the tag to remove
+      # @param value [String]: The value of the tag to remove
+      # @param region [String]: The cloud provider region
+      def self.removeTag(key, value, resources = [], region: myRegion)
+        MU::Cloud::AWS.ec2(region).delete_tags(
+          resources: resources,
+          tags: [
+            {
+              key: key,
+              value: value
+            }
+          ]
+        )
+      end
+      # Tag EC2 resources.
+      #
+      # @param resources [Array<String>]: The cloud provider identifier of the resource to tag
+      # @param key [String]: The name of the tag to create
+      # @param value [String]: The value of the tag
+      # @param region [String]: The cloud provider region
+      # @return [void,<Hash>]
+      def self.createTag(key, value, resources = [], region: myRegion)
+        if !MU::Cloud::CloudFormation.emitCloudFormation
+          begin
+            MU::Cloud::AWS.ec2(region).create_tags(
+              resources: resources,
+              tags: [
+                {
+                  key: key,
+                  value: value
+                }
+              ]
+            )
+          rescue Aws::EC2::Errors::ServiceError => e
+            MU.log "Got #{e.inspect} tagging #{resources.size.to_s} resources with #{key}=#{value}", MU::WARN, details: resources if attempts > 1
+            if attempts < 5
+              attempts = attempts + 1
+              sleep 15
+              retry
+            else
+              raise e
+            end
+          end
+          MU.log "Created tag #{key} with value #{value}", MU::DEBUG, details: resources
+        else
+          return {
+            "Key" =>  key,
+            "Value" => value
+          }
+        end
+      end
+      @@azs = {}
+      # List the Availability Zones associated with a given Amazon Web Services
+      # region. If no region is given, search the one in which this MU master
+      # server resides.
+      # @param region [String]: The region to search.
+      # @return [Array<String>]: The Availability Zones in this region.
+      def self.listAZs(region = MU.curRegion)
+        if $MU_CFG and (!$MU_CFG['aws'] or !account_number)
+          return []
+        end
+        if !region.nil? and @@azs[region]
+          return @@azs[region]
+        end
+        if region
+          azs = MU::Cloud::AWS.ec2(region).describe_availability_zones(
+            filters: [name: "region-name", values: [region]]
+          )
+        end
+        @@azs[region] ||= []
+        azs.data.availability_zones.each { |az|
+          @@azs[region] << az.zone_name if az.state == "available"
+        }
+        return @@azs[region]
+      end
+      # Plant a Mu deploy secret into a storage bucket somewhere for so our kittens can consume it
+      # @param deploy_id [String]: The deploy for which we're writing the secret
+      # @param value [String]: The contents of the secret
+      def self.writeDeploySecret(deploy_id, value, name = nil)
+        name ||= deploy_id+"-secret"
+        begin
+          MU.log "Writing #{name} to S3 bucket #{MU.adminBucketName}"
+          MU::Cloud::AWS.s3(myRegion).put_object(
+            acl: "private",
+            bucket: MU.adminBucketName,
+            key: name,
+            body: value
+          )
+        rescue Aws::S3::Errors => e
+          raise MU::MommaCat::DeployInitializeError, "Got #{e.inspect} trying to write #{name} to #{MU.adminBucketName}"
+        end
+      end
+      @@is_in_aws = nil
+      # Alias for #{MU::Cloud::AWS.hosted?}
+      def self.hosted
+        MU::Cloud::AWS.hosted?
+      end
+      # Determine whether we (the Mu master, presumably) are hosted in this
+      # cloud.
+      # @return [Boolean]
+      def self.hosted?
+        require 'open-uri'
+        if !@@is_in_aws.nil?
+          return @@is_in_aws
+        end
+        begin
+          Timeout.timeout(2) do
+            instance_id = open("http://169.254.169.254/latest/meta-data/instance-id").read
+            if !instance_id.nil? and instance_id.size > 0
+              @@is_in_aws = true
+              return true
+            end
+          end
+        rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::EHOSTUNREACH
+        end
+        @@is_in_aws = false
+        false
+      end
+      # If we're running this cloud, return the $MU_CFG blob we'd use to
+      # describe this environment as our target one.
+      def self.hosted_config
+        return nil if !hosted?
+        region = getAWSMetaData("placement/availability-zone").sub(/[a-z]$/i, "")
+        mac = getAWSMetaData("network/interfaces/macs/").split(/\n/)[0]
+        acct_num = getAWSMetaData("network/interfaces/macs/#{mac}owner-id")
+        acct_num.chomp!
+        {
+          "region" => region,
+          "account_number" => acct_num
+        }
+      end
+      # A non-working example configuration
+      def self.config_example
+        sample = hosted_config
+        sample ||= {
+          "region" => "us-east-1",
+          "account_number" => "123456789012",
+        }
+#        sample["access_key"] = "AKIAIXKNI3JY6JVVJIHA"
+#        sample["access_secret"] = "oWjHT+2N3veyswy7+UA5i+H14KpvrOIZlnRlxpkw"
+        sample["credentials_file"] = "#{Etc.getpwuid(Process.uid).dir}/.aws/credentials"
+        sample["log_bucket_name"] = "my-mu-s3-bucket"
+        sample
+      end
+      @my_acct_num = nil
+      # Fetch the AWS account number where this Mu master resides. If it's not in
+      # AWS at all, or otherwise cannot be determined, return nil.
+      # here.
+      # XXX account for Google and non-cloud situations
+      # XXX but what about multi-account uuuugh
+      def self.account_number
+        return nil if !$MU_CFG['aws']
+        return @my_acct_num if @my_acct_num
+    		begin
+    	    user_list = MU::Cloud::AWS.iam($MU_CFG['aws']['region']).list_users.users
+#    		rescue ::Aws::IAM::Errors => e # XXX why does this NameError here?
+    		rescue Exception => e
+    			MU.log "Got #{e.inspect} while trying to figure out our account number", MU::WARN, details: caller
+    		end
+        if user_list.nil? or user_list.size == 0
+          mac = MU::Cloud::AWS.getAWSMetaData("network/interfaces/macs/").split(/\n/)[0]
+          acct_num = MU::Cloud::AWS.getAWSMetaData("network/interfaces/macs/#{mac}owner-id")
+          acct_num.chomp!
+        else
+          acct_num = MU::Cloud::AWS.iam($MU_CFG['aws']['region']).list_users.users.first.arn.split(/:/)[4]
+        end
+        MU.setVar("acct_num", acct_num)
+        @my_acct_num ||= acct_num
+        acct_num
+      end
+      @@regions = {}
+      # List the Amazon Web Services region names available to this account. The
+      # region that is local to this Mu server will be listed first.
+      # @param us_only [Boolean]: Restrict results to United States only
+      # @return [Array<String>]
+      def self.listRegions(us_only = false)
+        if $MU_CFG and (!$MU_CFG['aws'] or !account_number)
+          return []
+        end
+        if @@regions.size == 0
+          result = MU::Cloud::AWS.ec2(myRegion).describe_regions.regions
+          regions = []
+          result.each { |r|
+            @@regions[r.region_name] = Proc.new { listAZs(r.region_name) }
+          }
+        end
+        regions = if us_only
+          @@regions.keys.delete_if { |r| !r.match(/^us\-/) }.uniq
+        else
+          @@regions.keys.uniq
+        end
+# XXX GovCloud doesn't show up if you query a commercial endpoint... that's
+# *probably* ok for most purposes? We can't call listAZs on it from out here
+# apparently, so getting around it is nontrivial
+#        if !@@regions.has_key?("us-gov-west-1")
+#          @@regions["us-gov-west-1"] = Proc.new { listAZs("us-gov-west-1") }
+#        end
+        regions.sort! { |a, b|
+          val = a <=> b
+          if a == myRegion
+            val = -1
+          elsif b == myRegion
+            val = 1
+          end
+          val
+        }
+        regions
+      end
+      # Generate an EC2 keypair unique to this deployment, given a regular
+      # OpenSSH-style public key and a name.
+      # @param keyname [String]: The name of the key to create.
+      # @param public_key [String]: The public key
+      # @return [Array<String>]: keypairname, ssh_private_key, ssh_public_key
+      def self.createEc2SSHKey(keyname, public_key)
+        # We replicate this key in all regions
+        if !MU::Cloud::CloudFormation.emitCloudFormation
+          MU::Cloud::AWS.listRegions.each { |region|
+            MU.log "Replicating #{keyname} to EC2 in #{region}", MU::DEBUG, details: @ssh_public_key
+            MU::Cloud::AWS.ec2(region).import_key_pair(
+                key_name: keyname,
+                public_key_material: public_key
+            )
+          }
+        end
+      end
+      @@instance_types = nil
+      # Query the AWS API for the list of valid EC2 instance types and some of
+      # their attributes. We can use this in config validation and to help
+      # "translate" machine types across cloud providers.
+      # @param region [String]: Supported machine types can vary from region to region, so we look for the set we're interested in specifically
+      # @return [Hash]
+      def self.listInstanceTypes(region = myRegion)
+        return @@instance_types if @@instance_types and @@instance_types[region]
+        if $MU_CFG and (!$MU_CFG['aws'] or !account_number)
+          return {}
+        end
+        human_region = @@regionLookup[region]
+        @@instance_types ||= {}
+        @@instance_types[region] ||= {}
+        next_token = nil
+        begin
+          # Pricing API isn't widely available, so ask a region we know supports
+          # it
+          resp = MU::Cloud::AWS.pricing("us-east-1").get_products(
+            service_code: "AmazonEC2",
+            filters: [
+              {
+                field: "productFamily",
+                value: "Compute Instance",
+                type: "TERM_MATCH"
+              },
+              {
+                field: "tenancy",
+                value: "Shared",
+                type: "TERM_MATCH"
+              },
+              {
+                field: "location",
+                value: human_region,
+                type: "TERM_MATCH"
+              }
+            ],
+            next_token: next_token
+          )
+          resp.price_list.each { |pricing|
+            data = JSON.parse(pricing)
+            type = data["product"]["attributes"]["instanceType"]
+            next if @@instance_types[region].has_key?(type)
+            @@instance_types[region][type] = {}
+            ["ecu", "vcpu", "memory", "storage"].each { |a|
+              @@instance_types[region][type][a] = data["product"]["attributes"][a]
+            }
+            @@instance_types[region][type]["memory"].sub!(/ GiB/, "")
+            @@instance_types[region][type]["memory"] = @@instance_types[region][type]["memory"].to_f
+            @@instance_types[region][type]["vcpu"] = @@instance_types[region][type]["vcpu"].to_f
+          }
+          next_token = resp.next_token
+        end while resp and next_token
+        @@instance_types
+      end
+      # AWS can stash API-available certificates in Amazon Certificate Manager
+      # or in IAM. Rather than make people crazy trying to get the syntax
+      # correct in our Baskets of Kittens, let's have a helper that tries to do
+      # the right thing, and only raise an exception if we need help to
+      # disambiguate.
+      # @param name [String]: The name of the cert. For IAM certs this can be any IAM name; for ACM, it's usually the domain name. If multiple matches are found, or no matches, an exception is raised.
+      # @param id [String]: The ARN of a known certificate. We just validate that it exists. This is ignored if a name parameter is supplied.
+      # @return [String]: The ARN of a matching certificate that is known to exist. If it is an ACM certificate, we also know that it is not expired.
+      def self.findSSLCertificate(name: nil, id: nil, region: myRegion)
+        if name.nil? and name.empty? and id.nil? and id.empty?
+          raise MuError, "Can't call findSSLCertificate without specifying either a name or an id"
+        end
+        if !name.nil? and !name.empty?
+          matches = []
+          acmcerts = MU::Cloud::AWS.acm(region).list_certificates(
+            certificate_statuses: ["ISSUED"]
+          )
+          acmcerts.certificate_summary_list.each { |cert|
+            matches << cert.certificate_arn if cert.domain_name == name
+          }
+          begin
+            iamcert = MU::Cloud::AWS.iam.get_server_certificate(
+              server_certificate_name: name
+            )
+          rescue Aws::IAM::Errors::ValidationError, Aws::IAM::Errors::NoSuchEntity
+            # valid names for ACM certs can break here, and that's ok to ignore
+          end
+          if !iamcert.nil?
+            matches << iamcert.server_certificate.server_certificate_metadata.arn
+          end
+          if matches.size == 1
+            return matches.first
+          elsif matches.size == 0
+            raise MuError, "No IAM or ACM certificate named #{name} was found"
+          elsif matches.size > 1
+            raise MuError, "Multiple certificates named #{name} were found. Remove extras or use ssl_certificate_id to supply the exact ARN of the one you want to use."
+          end
+        end
+        if id.match(/^arn:aws(?:-us-gov)?:acm/)
+          resp = MU::Cloud::AWS.acm(region).get_certificate(
+            certificate_arn: id
+          )
+          if resp.nil?
+            raise MuError, "No such ACM certificate '#{id}'"
+          end
+        elsif id.match(/^arn:aws(?:-us-gov)?:iam/)
+          resp = MU::Cloud::AWS.iam.list_server_certificates
+          if resp.nil?
+            raise MuError, "No such IAM certificate '#{id}'"
+          end
+          resp.server_certificate_metadata_list.each { |cert|
+            if cert.arn == id
+              if cert.expiration < Time.now
+                MU.log "IAM SSL certificate #{cert.server_certificate_name} (#{id}) is EXPIRED", MU::WARN
+              end
+              return id
+            end
+          }
+          raise MuError, "No such IAM certificate '#{id}'"
+        else
+          raise MuError, "The format of '#{id}' doesn't look like an ARN for either Amazon Certificate Manager or IAM"
+        end
+        id
+      end
+      # Amazon Certificate Manager API
+      def self.acm(region = MU.curRegion)
+        region ||= myRegion
+        @@acm_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "ACM", region: region)
+        @@acm_api[region]
+      end
+      # Amazon's IAM API
+      def self.iam(region = MU.curRegion)
+        region ||= myRegion
+        @@iam_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "IAM", region: region)
+        @@iam_api[region]
+      end
+      # Amazon's EC2 API
+      def self.ec2(region = MU.curRegion)
+        region ||= myRegion
+        @@ec2_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "EC2", region: region)
+        @@ec2_api[region]
+      end
+      # Amazon's Autoscaling API
+      def self.autoscale(region = MU.curRegion)
+        region ||= myRegion
+        @@autoscale_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "AutoScaling", region: region)
+        @@autoscale_api[region]
+      end
+      # Amazon's ElasticLoadBalancing API
+      def self.elb(region = MU.curRegion)
+        region ||= myRegion
+        @@elb_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "ElasticLoadBalancing", region: region)
+        @@elb_api[region]
+      end
+      # Amazon's ElasticLoadBalancingV2 (ALB) API
+      def self.elb2(region = MU.curRegion)
+        region ||= myRegion
+        @@elb2_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "ElasticLoadBalancingV2", region: region)
+        @@elb2_api[region]
+      end
+      # Amazon's Route53 API
+      def self.route53(region = MU.curRegion)
+        region ||= myRegion
+        @@route53_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "Route53", region: region)
+        @@route53_api[region]
+      end
+      # Amazon's RDS API
+      def self.rds(region = MU.curRegion)
+        region ||= myRegion
+        @@rds_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "RDS", region: region)
+        @@rds_api[region]
+      end
+      # Amazon's CloudFormation API
+      def self.cloudformation(region = MU.curRegion)
+        region ||= myRegion
+        @@cloudformation_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CloudFormation", region: region)
+        @@cloudformation_api[region]
+      end
+      # Amazon's S3 API
+      def self.s3(region = MU.curRegion)
+        region ||= myRegion
+        @@s3_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "S3", region: region)
+        @@s3_api[region]
+      end
+      # Amazon's CloudTrail API
+      def self.cloudtrail(region = MU.curRegion)
+        region ||= myRegion
+        @@cloudtrail_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CloudTrail", region: region)
+        @@cloudtrail_api[region]
+      end
+      # Amazon's CloudWatch API
+      def self.cloudwatch(region = MU.curRegion)
+        region ||= myRegion
+        @@cloudwatch_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CloudWatch", region: region)
+        @@cloudwatch_api[region]
+      end
+      # Amazon's Web Application Firewall API (Global, for CloudFront et al)
+      def self.wafglobal(region = MU.curRegion)
+        region ||= myRegion
+        @@wafglobal[region] ||= MU::Cloud::AWS::Endpoint.new(api: "WAF", region: region)
+        @@wafglobal[region]
+      end
+      # Amazon's Web Application Firewall API (Regional, for ALBs et al)
+      def self.waf(region = MU.curRegion)
+        region ||= myRegion
+        @@waf[region] ||= MU::Cloud::AWS::Endpoint.new(api: "WAFRegional", region: region)
+        @@waf[region]
+      end
+      # Amazon's CloudWatchLogs API
+      def self.cloudwatchlogs(region = MU.curRegion)
+        region ||= myRegion
+        @@cloudwatchlogs_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CloudWatchLogs", region: region)
+        @@cloudwatchlogs_api[region]
+      end
+      # Amazon's CloudFront API
+      def self.cloudfront(region = MU.curRegion)
+        region ||= myRegion
+        @@cloudfront_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CloudFront", region: region)
+        @@cloudfront_api[region]
+      end
+      # Amazon's ElastiCache API
+      def self.elasticache(region = MU.curRegion)
+        region ||= myRegion
+        @@elasticache_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "ElastiCache", region: region)
+        @@elasticache_api[region]
+      end
+      # Amazon's SNS API
+      def self.sns(region = MU.curRegion)
+        region ||= myRegion
+        @@sns_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "SNS", region: region)
+        @@sns_api[region]
+      end
+      # Amazon's SQS API
+      def self.sqs(region = MU.curRegion)
+        region ||= myRegion
+        @@sqs_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "SQS", region: region)
+        @@sqs_api[region]
+      end
+      # Amazon's EFS API
+      def self.efs(region = MU.curRegion)
+        region ||= myRegion
+        @@efs_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "EFS", region: region)
+        @@efs_api[region]
+      end
+      # Amazon's Lambda API
+      def self.lambda(region = MU.curRegion)
+        region ||= myRegion
+        @@lambda_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "Lambda", region: region)
+        @@lambda_api[region]
+      end
+      # Amazon's API Gateway API
+      def self.apig(region = MU.curRegion)
+        region ||= myRegion
+        @@apig_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "APIGateway", region: region)
+        @@apig_api[region]
+      end
+      # Amazon's Cloudwatch Events API
+      def self.cloudwatch_events(region = MU.cureRegion)
+        region ||= myRegion
+        @@cloudwatch_events_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CloudWatchEvents", region: region)
+        @@cloudwatch_events_api
+      end
+      # Amazon's ECS API
+      def self.ecs(region = MU.curRegion)
+        region ||= myRegion
+        @@ecs_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "ECS", region: region)
+        @@ecs_api[region]
+      end
+      # Amazon's EKS API
+      def self.eks(region = MU.curRegion)
+        region ||= myRegion
+        @@eks_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "EKS", region: region)
+        @@eks_api[region]
+      end
+      # Amazon's Pricing API
+      def self.pricing(region = MU.curRegion)
+        region ||= myRegion
+        @@pricing_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "Pricing", region: region)
+        @@pricing_api[region]
+      end
+      # Amazon's Simple Systems Manager API
+      def self.ssm(region = MU.curRegion)
+        region ||= myRegion
+        @@ssm_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "SSM", region: region)
+        @@ssm_api[region]
+      end
+      # Amazon's Elasticsearch API
+      def self.elasticsearch(region = MU.curRegion)
+        region ||= myRegion
+        @@elasticsearch_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "ElasticsearchService", region: region)
+        @@elasticsearch_api[region]
+      end
+      # Amazon's Cognito Identity API
+      def self.cognito_ident(region = MU.curRegion)
+        region ||= myRegion
+        @@cognito_ident_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CognitoIdentity", region: region)
+        @@cognito_ident_api[region]
+      end
+      # Amazon's Cognito Identity Provider API
+      def self.cognito_user(region = MU.curRegion)
+        region ||= myRegion
+        @@cognito_user_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "CognitoIdentityProvider", region: region)
+        @@cognito_user_api[region]
+      end
+      # Amazon's KMS API
+      def self.kms(region = MU.curRegion)
+        region ||= myRegion
+        @@kms_api[region] ||= MU::Cloud::AWS::Endpoint.new(api: "KMS", region: region)
+        @@kms_api[region]
+      end
+      # Fetch an Amazon instance metadata parameter (example: public-ipv4).
+      # @param param [String]: The parameter name to fetch
+      # @return [String, nil]
+      def self.getAWSMetaData(param)
+        base_url = "http://169.254.169.254/latest/meta-data/"
+        begin
+          response = nil
+          Timeout.timeout(2) do
+            response = open("#{base_url}/#{param}").read
+          end
+          response
+        rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH, Net::HTTPServerException, Errno::EHOSTUNREACH => e
+          # This is fairly normal, just handle it gracefully
+          logger = MU::Logger.new
+          logger.log "Failed metadata request #{base_url}/#{param}: #{e.inspect}", MU::DEBUG
+          return nil
+        end
+      end
+      @syslog_port_semaphore = Mutex.new
+      # Punch AWS security group holes for client nodes to talk back to us, the
+      # Mu Master, if we're in AWS.
+      # @return [void]
+      def self.openFirewallForClients
+        MU::Cloud.loadCloudType("AWS", :FirewallRule)
+        if File.exists?(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
+          ::Chef::Config.from_file(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
+        end
+        ::Chef::Config[:environment] = MU.environment
+        # This is the set of (TCP) ports we're opening to clients. We assume that
+        # we can and and remove these without impacting anything a human has
+        # created.
+        my_ports = [10514]
+        my_instance_id = MU::Cloud::AWS.getAWSMetaData("instance-id")
+        my_client_sg_name = "Mu Client Rules for #{MU.mu_public_ip}"
+        my_sgs = Array.new
+        MU.setVar("curRegion", myRegion) if !myRegion.nil?
+        MU.myCloudDescriptor.security_groups.each { |sg|
+          my_sgs << sg.group_id
+        }
+        resp = MU::Cloud::AWS.ec2.describe_security_groups(
+          filters: [
+            {name: "tag:MU-MASTER-IP", values: [MU.mu_public_ip]},
+            {name: "tag:Name", values: [my_client_sg_name]}
+          ]
+        )
+        if resp.nil? or resp.security_groups.nil? or resp.security_groups.size == 0
+          if MU.myCloudDescriptor.vpc_id.nil?
+            sg_id = my_sgs.first
+            resp = MU::Cloud::AWS.ec2.describe_security_groups(group_ids: [sg_id])
+            group = resp.security_groups.first
+            MU.log "We don't have a security group named '#{my_client_sg_name}' available, and we are in EC2 Classic and so cannot create a new group. Defaulting to #{group.group_name}.", MU::NOTICE
+          else
+            group = MU::Cloud::AWS.ec2.create_security_group(
+              group_name: my_client_sg_name,
+              description: my_client_sg_name,
+              vpc_id: MU.myCloudDescriptor.vpc_id
+            )
+            sg_id = group.group_id
+            my_sgs << sg_id
+            MU::MommaCat.createTag sg_id, "Name", my_client_sg_name
+            MU::MommaCat.createTag sg_id, "MU-MASTER-IP", MU.mu_public_ip
+            MU::Cloud::AWS.ec2.modify_instance_attribute(
+                instance_id: my_instance_id,
+                groups: my_sgs
+            )
+          end
+        elsif resp.security_groups.size == 1
+          sg_id = resp.security_groups.first.group_id
+          resp = MU::Cloud::AWS.ec2.describe_security_groups(group_ids: [sg_id])
+          group = resp.security_groups.first
+        else
+          MU.log "Found more than one security group named #{my_client_sg_name}, aborting", MU::ERR
+          exit 1
+        end
+        if !my_sgs.include?(sg_id)
+          my_sgs << sg_id
+          MU.log "Associating #{my_client_sg_name} with #{MU.myInstanceId}", MU::NOTICE
+          MU::Cloud::AWS.ec2.modify_instance_attribute(
+            instance_id: MU.myInstanceId,
+            groups: my_sgs
+          )
+        end
+        begin
+          MU.log "Using AWS Security Group '#{group.group_name}' (#{sg_id})"
+        rescue NoMethodError
+          MU.log "Using AWS Security Group #{sg_id}"
+        end
+        allow_ips = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+        MU::MommaCat.listAllNodes.each_pair { |node, data|
+          next if data.nil? or !data.is_a?(Hash)
+          ["public_ip_address"].each { |key|
+            if data.has_key?(key) and !data[key].nil? and !data[key].empty?
+              allow_ips << data[key] + "/32"
+            end
+          }
+        }
+        allow_ips.uniq!
+        @syslog_port_semaphore.synchronize {
+          my_ports.each { |port|
+            begin
+              group.ip_permissions.each { |rule|
+                if rule.ip_protocol == "tcp" and
+                    rule.from_port == port and rule.to_port == port
+                  MU.log "Revoking old rules for port #{port.to_s} from #{sg_id}", MU::NOTICE
+                  begin
+                    MU::Cloud::AWS.ec2(myRegion).revoke_security_group_ingress(
+                        group_id: sg_id,
+                        ip_permissions: [
+                            {
+                                ip_protocol: "tcp",
+                                from_port: port,
+                                to_port: port,
+                                ip_ranges: MU.structToHash(rule.ip_ranges)
+                            }
+                        ]
+                    )
+                  rescue Aws::EC2::Errors::InvalidPermissionNotFound => e
+                    MU.log "Permission disappeared from #{sg_id} (port #{port.to_s}) before I could remove it", MU::WARN, details: MU.structToHash(rule.ip_ranges)
+                  end
+                end
+              }
+            rescue NoMethodError
+# XXX this is ok
+            end
+            MU.log "Adding current IP list to allow rule for port #{port.to_s} in #{sg_id}", details: allow_ips
+            allow_ips_cidr = []
+            allow_ips.each { |cidr|
+              allow_ips_cidr << {"cidr_ip" => cidr}
+            }
+            begin
+              MU::Cloud::AWS.ec2(myRegion).authorize_security_group_ingress(
+                  group_id: sg_id,
+                  ip_permissions: [
+                      {
+                          ip_protocol: "tcp",
+                          from_port: 10514,
+                          to_port: 10514,
+                          ip_ranges: allow_ips_cidr
+                      }
+                  ]
+              )
+            rescue Aws::EC2::Errors::InvalidPermissionDuplicate => e
+              MU.log "Got #{e.inspect} in MU::Cloud::AWS.openFirewallForClients", MU::WARN, details: allow_ips_cidr
+            end
+          }
+        }
+      end
+      private
+      # XXX we shouldn't have to do this, but AWS does not provide a way to look
+      # it up, and the pricing API only returns the human-readable strings.
+      @@regionLookup = {
+        "us-east-1" => "US East (N. Virginia)",
+        "us-east-2" => "US East (Ohio)",
+        "us-west-1" => "US West (N. California)",
+        "us-west-2" => "US West (Oregon)",
+        "us-gov-west-1" => "AWS GovCloud (US)",
+        "us-gov-east-1" => "AWS GovCloud (US)",
+        "ap-northeast-1" => "Asia Pacific (Tokyo)",
+        "ap-northeast-2" => "Asia Pacific (Seoul)",
+        "ap-south-1" => "Asia Pacific (Mumbai)",
+        "ap-southeast-1" => "Asia Pacific (Singapore)",
+        "ap-southeast-2" => "Asia Pacific (Sydney)",
+        "ca-central-1" => "Canada (Central)",
+        "eu-central-1" => "EU (Frankfurt)",
+        "eu-west-1" => "EU (Ireland)",
+        "eu-west-2" => "EU (London)",
+        "eu-west-3" => "EU (Paris)",
+        "sa-east-1" => "South America (Sao Paulo)"
+      }.freeze
+      @@regionNameLookup = @@regionLookup.invert.freeze
+      # Wrapper class for the EC2 API, so that we can catch some common transient
+      # endpoint errors without having to spray rescues all over the codebase.
+      class Endpoint
+        @api = nil
+        @region = nil
+        # Create an AWS API client
+        # @param region [String]: Amazon region so we know what endpoint to use
+        # @param api [String]: Which API are we wrapping?
+        def initialize(region: MU.curRegion, api: "EC2")
+          @region = region
+          if region
+            @api = Object.const_get("Aws::#{api}::Client").new(region: region)
+          else
+            @api = Object.const_get("Aws::#{api}::Client").new
+          end
+        end
+        @instance_cache = {}
+        # Catch-all for AWS client methods. Essentially a pass-through with some
+        # rescues for known silly endpoint behavior.
+        def method_missing(method_sym, *arguments)
+          MU::Cloud::AWS.loadCredentials
+          retries = 0
+          begin
+            MU.log "Calling #{method_sym} in #{@region}", MU::DEBUG, details: arguments
+            retval = nil
+            if !arguments.nil? and arguments.size == 1
+              retval = @api.method(method_sym).call(arguments[0])
+            elsif !arguments.nil? and arguments.size > 0
+              retval = @api.method(method_sym).call(*arguments)
+            else
+              retval = @api.method(method_sym).call
+            end
+            return retval
+          rescue Aws::EC2::Errors::InternalError, Aws::EC2::Errors::RequestLimitExceeded, Aws::EC2::Errors::Unavailable, Aws::Route53::Errors::Throttling, Aws::ElasticLoadBalancing::Errors::HttpFailureException, Aws::EC2::Errors::Http503Error, Aws::AutoScaling::Errors::Http503Error, Aws::AutoScaling::Errors::InternalFailure, Aws::AutoScaling::Errors::ServiceUnavailable, Aws::Route53::Errors::ServiceUnavailable, Aws::ElasticLoadBalancing::Errors::Throttling, Aws::RDS::Errors::ClientUnavailable, Aws::Waiters::Errors::UnexpectedError, Aws::ElasticLoadBalancing::Errors::ServiceUnavailable, Aws::ElasticLoadBalancingV2::Errors::Throttling, Seahorse::Client::NetworkingError, Aws::IAM::Errors::Throttling => e
+            if e.class.name == "Seahorse::Client::NetworkingError" and e.message.match(/Name or service not known/)
+              MU.log e.inspect, MU::ERR
+              raise e
+            end
+            retries = retries + 1
+            debuglevel = MU::DEBUG
+            interval = 5 + Random.rand(4) - 2
+            if retries < 10 and retries > 2
+              debuglevel = MU::NOTICE
+              interval = 20 + Random.rand(10) - 3
+            # elsif retries >= 10 and retries <= 100
+            elsif retries >= 10
+              debuglevel = MU::WARN
+              interval = 40 + Random.rand(15) - 5
+            # elsif retries > 100
+              # raise MuError, "Exhausted retries after #{retries} attempts while calling EC2's #{method_sym} in #{@region}.  Args were: #{arguments}"
+            end
+            MU.log "Got #{e.inspect} calling EC2's #{method_sym} in #{@region}, waiting #{interval.to_s}s and retrying. Args were: #{arguments}", debuglevel, details: caller
+            sleep interval
+            retry
+          end
+        end
+      end
+      @@iam_api = {}
+      @@acm_api = {}
+      @@ec2_api = {}
+      @@autoscale_api = {}
+      @@elb_api = {}
+      @@elb2_api = {}
+      @@route53_api = {}
+      @@rds_api = {}
+      @@cloudformation_api = {}
+      @@s3_api = {}
+      @@cloudtrail_api = {}
+      @@cloudwatch_api = {}
+      @@wafglobal = {}
+      @@waf = {}
+      @@cloudwatchlogs_api = {}
+      @@cloudfront_api = {}
+      @@elasticache_api = {}
+      @@sns_api = {}
+      @@sqs_api = {}
+      @@efs_api ={}
+      @@lambda_api ={}
+      @@cloudwatch_events_api = {}
+      @@apig_api ={}
+      @@ecs_api ={}
+      @@eks_api ={}
+      @@pricing_api ={}
+      @@ssm_api ={}
+      @@elasticsearch_api ={}
+      @@cognito_ident_api ={}
+      @@cognito_user_api ={}
+      @@kms_api ={}
+    end
+  end
+end