RubyGems - cloud-mu - Versions diffs - 1.9.0.pre.beta - Mend

cloud-mu 1.9.0.pre.beta

Files changed (618) hide show

checksums.yaml +7 -0
data/Berksfile +56 -0
data/Berksfile.lock +250 -0
data/Jenkinsfile +184 -0
data/LICENSE.md +37 -0
data/README.md +26 -0
data/bin/mu-aws-setup +376 -0
data/bin/mu-cleanup +68 -0
data/bin/mu-configure +1133 -0
data/bin/mu-deploy +166 -0
data/bin/mu-firewall-allow-clients +30 -0
data/bin/mu-gcp-setup +200 -0
data/bin/mu-gen-docs +34 -0
data/bin/mu-gen-env +42 -0
data/bin/mu-load-config.rb +158 -0
data/bin/mu-node-manage +683 -0
data/bin/mu-self-update +228 -0
data/bin/mu-ssh +23 -0
data/bin/mu-tunnel-nagios +144 -0
data/bin/mu-upload-chef-artifacts +757 -0
data/bin/mu-user-manage +275 -0
data/cookbooks/awscli/LICENSE +37 -0
data/cookbooks/awscli/README.md +58 -0
data/cookbooks/awscli/attributes/default.rb +1 -0
data/cookbooks/awscli/libraries/instance_metadata.rb +21 -0
data/cookbooks/awscli/metadata.rb +20 -0
data/cookbooks/awscli/recipes/default.rb +56 -0
data/cookbooks/awscli/templates/default/config.erb +18 -0
data/cookbooks/mu-activedirectory/CHANGELOG.md +13 -0
data/cookbooks/mu-activedirectory/LICENSE +37 -0
data/cookbooks/mu-activedirectory/README.md +6 -0
data/cookbooks/mu-activedirectory/attributes/default.rb +98 -0
data/cookbooks/mu-activedirectory/files/default/password-auth +32 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-activedirectory/files/default/system-auth +34 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.te +37 -0
data/cookbooks/mu-activedirectory/libraries/config.rb +106 -0
data/cookbooks/mu-activedirectory/libraries/helper.rb +86 -0
data/cookbooks/mu-activedirectory/metadata.rb +17 -0
data/cookbooks/mu-activedirectory/providers/domain.rb +152 -0
data/cookbooks/mu-activedirectory/providers/domain_controller.rb +89 -0
data/cookbooks/mu-activedirectory/providers/domain_node.rb +275 -0
data/cookbooks/mu-activedirectory/recipes/default.rb +8 -0
data/cookbooks/mu-activedirectory/recipes/domain-controller.rb +44 -0
data/cookbooks/mu-activedirectory/recipes/domain-node.rb +50 -0
data/cookbooks/mu-activedirectory/recipes/domain.rb +43 -0
data/cookbooks/mu-activedirectory/recipes/sssd.rb +185 -0
data/cookbooks/mu-activedirectory/resources/domain.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_node.rb +20 -0
data/cookbooks/mu-activedirectory/templates/default/dhclient-eth0.conf.erb +4 -0
data/cookbooks/mu-activedirectory/templates/default/interface +0 -0
data/cookbooks/mu-activedirectory/templates/default/krb5.conf.erb +23 -0
data/cookbooks/mu-activedirectory/templates/default/ntp.conf.erb +56 -0
data/cookbooks/mu-activedirectory/templates/default/smb.conf.erb +33 -0
data/cookbooks/mu-activedirectory/templates/default/sssd.conf.erb +60 -0
data/cookbooks/mu-activedirectory/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-activedirectory/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-activedirectory/templates/windows/gpreprt.xml.erb +198 -0
data/cookbooks/mu-activedirectory/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-activedirectory/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-firewall/CHANGELOG.md +11 -0
data/cookbooks/mu-firewall/LICENSE +37 -0
data/cookbooks/mu-firewall/README.md +5 -0
data/cookbooks/mu-firewall/attributes/default.rb +3 -0
data/cookbooks/mu-firewall/metadata.rb +16 -0
data/cookbooks/mu-firewall/recipes/default.rb +10 -0
data/cookbooks/mu-glusterfs/CHANGELOG.md +13 -0
data/cookbooks/mu-glusterfs/LICENSE +37 -0
data/cookbooks/mu-glusterfs/README.md +5 -0
data/cookbooks/mu-glusterfs/attributes/default.rb +34 -0
data/cookbooks/mu-glusterfs/metadata.rb +17 -0
data/cookbooks/mu-glusterfs/recipes/client.rb +62 -0
data/cookbooks/mu-glusterfs/recipes/default.rb +16 -0
data/cookbooks/mu-glusterfs/recipes/samba.rb +57 -0
data/cookbooks/mu-glusterfs/recipes/server.rb +200 -0
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +71 -0
data/cookbooks/mu-glusterfs/templates/default/smb.conf.erb +14 -0
data/cookbooks/mu-jenkins/CHANGELOG.md +13 -0
data/cookbooks/mu-jenkins/LICENSE +37 -0
data/cookbooks/mu-jenkins/README.md +105 -0
data/cookbooks/mu-jenkins/attributes/default.rb +42 -0
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +73 -0
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +44 -0
data/cookbooks/mu-jenkins/metadata.rb +21 -0
data/cookbooks/mu-jenkins/recipes/default.rb +195 -0
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +54 -0
data/cookbooks/mu-jenkins/recipes/public_key.rb +24 -0
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +24 -0
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +14 -0
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +6 -0
data/cookbooks/mu-master/CHANGELOG.md +13 -0
data/cookbooks/mu-master/LICENSE +37 -0
data/cookbooks/mu-master/README.md +6 -0
data/cookbooks/mu-master/attributes/default.rb +95 -0
data/cookbooks/mu-master/files/default/0-mu-log-server.conf +19 -0
data/cookbooks/mu-master/files/default/addRSA.ldif +8 -0
data/cookbooks/mu-master/files/default/check_mem.pl +197 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.pp +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.te +13 -0
data/cookbooks/mu-master/files/default/nagios_selinux.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux.te +51 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.te +17 -0
data/cookbooks/mu-master/files/default/pam_sshd +18 -0
data/cookbooks/mu-master/files/default/ssl_enable.ldif +18 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-master/files/default/vimrc +19 -0
data/cookbooks/mu-master/libraries/mu.rb +29 -0
data/cookbooks/mu-master/metadata.rb +30 -0
data/cookbooks/mu-master/providers/user.rb +41 -0
data/cookbooks/mu-master/recipes/389ds.rb +164 -0
data/cookbooks/mu-master/recipes/basepackages.rb +58 -0
data/cookbooks/mu-master/recipes/caching_nameserver.rb +37 -0
data/cookbooks/mu-master/recipes/default.rb +451 -0
data/cookbooks/mu-master/recipes/eks-kubectl.rb +41 -0
data/cookbooks/mu-master/recipes/firewall-holes.rb +70 -0
data/cookbooks/mu-master/recipes/init.rb +542 -0
data/cookbooks/mu-master/recipes/ssl-certs.rb +109 -0
data/cookbooks/mu-master/recipes/sssd.rb +89 -0
data/cookbooks/mu-master/recipes/update_nagios_only.rb +242 -0
data/cookbooks/mu-master/recipes/vault.rb +111 -0
data/cookbooks/mu-master/resources/user.rb +19 -0
data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +28 -0
data/cookbooks/mu-master/templates/default/chef-server.rb.erb +18 -0
data/cookbooks/mu-master/templates/default/dhclient-eth0.conf.erb +9 -0
data/cookbooks/mu-master/templates/default/mu-momma-cat.erb +149 -0
data/cookbooks/mu-master/templates/default/mu.rc.erb +9 -0
data/cookbooks/mu-master/templates/default/openssl.cnf.erb +354 -0
data/cookbooks/mu-master/templates/default/sssd.conf.erb +44 -0
data/cookbooks/mu-master/templates/default/web_app.conf.erb +90 -0
data/cookbooks/mu-mongo/CHANGELOG.md +13 -0
data/cookbooks/mu-mongo/LICENSE +37 -0
data/cookbooks/mu-mongo/README.md +5 -0
data/cookbooks/mu-mongo/attributes/default.rb +22 -0
data/cookbooks/mu-mongo/files/default/keyfile +16 -0
data/cookbooks/mu-mongo/files/default/remove_nodes.js +5 -0
data/cookbooks/mu-mongo/metadata.rb +17 -0
data/cookbooks/mu-mongo/recipes/default.rb +149 -0
data/cookbooks/mu-mongo/recipes/yum-update-rule.rb +18 -0
data/cookbooks/mu-mongo/templates/default/mongo_create_openfema_db.js.erb +2 -0
data/cookbooks/mu-mongo/templates/default/mongo_init.js.erb +1 -0
data/cookbooks/mu-mongo/templates/default/mongo_logrotate.erb +14 -0
data/cookbooks/mu-mongo/templates/default/mongo_replset_addnodes.js.erb +6 -0
data/cookbooks/mu-mongo/templates/default/replset_init.js.erb +2 -0
data/cookbooks/mu-openvpn/CHANGELOG.md +13 -0
data/cookbooks/mu-openvpn/LICENSE +37 -0
data/cookbooks/mu-openvpn/README.md +6 -0
data/cookbooks/mu-openvpn/attributes/default.rb +119 -0
data/cookbooks/mu-openvpn/metadata.rb +18 -0
data/cookbooks/mu-openvpn/recipes/default.rb +108 -0
data/cookbooks/mu-openvpn/templates/default/users.json.erb +42 -0
data/cookbooks/mu-php54/CHANGELOG.md +12 -0
data/cookbooks/mu-php54/LICENSE +37 -0
data/cookbooks/mu-php54/README.md +0 -0
data/cookbooks/mu-php54/files/centos/php.ini +1802 -0
data/cookbooks/mu-php54/files/ubuntu/php.ini +1870 -0
data/cookbooks/mu-php54/metadata.rb +21 -0
data/cookbooks/mu-php54/recipes/default.rb +97 -0
data/cookbooks/mu-splunk/CHANGELOG.md +37 -0
data/cookbooks/mu-splunk/LICENSE +37 -0
data/cookbooks/mu-splunk/README.md +451 -0
data/cookbooks/mu-splunk/attributes/default.rb +95 -0
data/cookbooks/mu-splunk/attributes/upgrade.rb +49 -0
data/cookbooks/mu-splunk/definitions/splunk_installer.rb +103 -0
data/cookbooks/mu-splunk/files/default/splunk-nocheck +10 -0
data/cookbooks/mu-splunk/libraries/helpers.rb +72 -0
data/cookbooks/mu-splunk/libraries/splunk_app_provider.rb +156 -0
data/cookbooks/mu-splunk/libraries/splunk_app_resource.rb +43 -0
data/cookbooks/mu-splunk/metadata.json +30 -0
data/cookbooks/mu-splunk/metadata.rb +17 -0
data/cookbooks/mu-splunk/recipes/client.rb +143 -0
data/cookbooks/mu-splunk/recipes/default.rb +31 -0
data/cookbooks/mu-splunk/recipes/disabled.rb +41 -0
data/cookbooks/mu-splunk/recipes/install_forwarder.rb +23 -0
data/cookbooks/mu-splunk/recipes/install_server.rb +23 -0
data/cookbooks/mu-splunk/recipes/server.rb +53 -0
data/cookbooks/mu-splunk/recipes/service.rb +95 -0
data/cookbooks/mu-splunk/recipes/setup_auth.rb +49 -0
data/cookbooks/mu-splunk/recipes/setup_ssl.rb +63 -0
data/cookbooks/mu-splunk/recipes/upgrade.rb +94 -0
data/cookbooks/mu-splunk/recipes/user.rb +34 -0
data/cookbooks/mu-splunk/templates/default/base_logs_unix_inputs.conf.erb +26 -0
data/cookbooks/mu-splunk/templates/default/inputs.conf.erb +13 -0
data/cookbooks/mu-splunk/templates/default/outputs.conf.erb +9 -0
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +74 -0
data/cookbooks/mu-splunk/templates/default/system-web.conf.erb +7 -0
data/cookbooks/mu-tools/CHANGELOG.md +12 -0
data/cookbooks/mu-tools/LICENSE +37 -0
data/cookbooks/mu-tools/README.md +188 -0
data/cookbooks/mu-tools/attributes/default.rb +142 -0
data/cookbooks/mu-tools/attributes/ebs_rolling_snapshots.rb +3 -0
data/cookbooks/mu-tools/files/amazon/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/CentOS-Base.repo +52 -0
data/cookbooks/mu-tools/files/centos/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/centos/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/centos/etc/profile +77 -0
data/cookbooks/mu-tools/files/centos/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/centos/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/centos/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/centos-6/README_MU +0 -0
data/cookbooks/mu-tools/files/centos-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/centos-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/centos-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/centos-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/centos-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/default/Mu_CA.pem +34 -0
data/cookbooks/mu-tools/files/default/PSWindowsUpdate.zip +0 -0
data/cookbooks/mu-tools/files/default/ebs_snapshots.py +123 -0
data/cookbooks/mu-tools/files/default/etc/BANNER +0 -0
data/cookbooks/mu-tools/files/default/etc/BANNER-FEDERAL +19 -0
data/cookbooks/mu-tools/files/default/gpo_no_uac.zip +0 -0
data/cookbooks/mu-tools/files/default/mypol.pp +0 -0
data/cookbooks/mu-tools/files/default/mypol.te +37 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.te +31 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.te +11 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.te +10 -0
data/cookbooks/mu-tools/files/default/nrpe_file.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_file.te +31 -0
data/cookbooks/mu-tools/files/default/ntrights +0 -0
data/cookbooks/mu-tools/files/default/serverclass.conf +18 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/inputs.conf +13 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/inputs.conf +8 -0
data/cookbooks/mu-tools/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-tools/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-tools/files/redhat/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/redhat/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/redhat/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/redhat/etc/profile +77 -0
data/cookbooks/mu-tools/files/redhat/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/redhat/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/redhat/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/redhat-6/README_MU +0 -0
data/cookbooks/mu-tools/files/redhat-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/redhat-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/redhat-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/redhat-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/redhat-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/redhat-7.1/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/bash.bashrc +64 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/common-session +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/login.defs +338 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/profile +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/security/limits.conf +56 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/sysctl.conf +60 -0
data/cookbooks/mu-tools/libraries/helper.rb +292 -0
data/cookbooks/mu-tools/metadata.rb +28 -0
data/cookbooks/mu-tools/recipes/add_admin_ssh_keys.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +440 -0
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -0
data/cookbooks/mu-tools/recipes/base_repositories.rb +31 -0
data/cookbooks/mu-tools/recipes/cisbenchmark.rb +59 -0
data/cookbooks/mu-tools/recipes/clamav.rb +53 -0
data/cookbooks/mu-tools/recipes/cloudinit.rb +58 -0
data/cookbooks/mu-tools/recipes/configure_oracle_tools.rb +81 -0
data/cookbooks/mu-tools/recipes/disable-requiretty.rb +22 -0
data/cookbooks/mu-tools/recipes/ebs_rolling_snapshots.rb +75 -0
data/cookbooks/mu-tools/recipes/efs.rb +70 -0
data/cookbooks/mu-tools/recipes/eks.rb +160 -0
data/cookbooks/mu-tools/recipes/gcloud.rb +98 -0
data/cookbooks/mu-tools/recipes/google_api.rb +25 -0
data/cookbooks/mu-tools/recipes/maldet.rb +67 -0
data/cookbooks/mu-tools/recipes/nagios.rb +19 -0
data/cookbooks/mu-tools/recipes/newclient.rb +23 -0
data/cookbooks/mu-tools/recipes/nrpe.rb +115 -0
data/cookbooks/mu-tools/recipes/python_pip.rb +35 -0
data/cookbooks/mu-tools/recipes/retrieve_application.rb +51 -0
data/cookbooks/mu-tools/recipes/rsyslog.rb +65 -0
data/cookbooks/mu-tools/recipes/set_local_fw.rb +57 -0
data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +81 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +86 -0
data/cookbooks/mu-tools/recipes/splunk-client.rb +69 -0
data/cookbooks/mu-tools/recipes/splunk-server.rb +104 -0
data/cookbooks/mu-tools/recipes/store_inspec_attr.rb +8 -0
data/cookbooks/mu-tools/recipes/updates.rb +96 -0
data/cookbooks/mu-tools/recipes/windows-client.rb +202 -0
data/cookbooks/mu-tools/resources/aws_windows.rb +33 -0
data/cookbooks/mu-tools/resources/disk.rb +88 -0
data/cookbooks/mu-tools/resources/mommacat_request.rb +11 -0
data/cookbooks/mu-tools/resources/scheduled_tasks.rb +29 -0
data/cookbooks/mu-tools/resources/sshd_service.rb +45 -0
data/cookbooks/mu-tools/resources/windows_users.rb +242 -0
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +168 -0
data/cookbooks/mu-tools/templates/centos-6/sshd_config.erb +212 -0
data/cookbooks/mu-tools/templates/centos-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/default/0-mu-log-client.conf.erb +13 -0
data/cookbooks/mu-tools/templates/default/conf.maldet.erb +137 -0
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +30 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_password-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_system-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_sysconfig_network.erb +12 -0
data/cookbooks/mu-tools/templates/default/kubeconfig.erb +29 -0
data/cookbooks/mu-tools/templates/default/kubelet.service.erb +35 -0
data/cookbooks/mu-tools/templates/default/maldet_scanall.sh.erb +15 -0
data/cookbooks/mu-tools/templates/default/nrpe.cfg.erb +233 -0
data/cookbooks/mu-tools/templates/redhat-6/sshd_config.erb +213 -0
data/cookbooks/mu-tools/templates/redhat-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/ubuntu-12.04/sshd_config.erb +146 -0
data/cookbooks/mu-tools/templates/ubuntu-14.04/sshd_config.erb +145 -0
data/cookbooks/mu-tools/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-tools/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/gpreprt.xml.erb +214 -0
data/cookbooks/mu-tools/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-tools/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/set_ad_dns_scheduled_task.ps1.erb +6 -0
data/cookbooks/mu-tools/templates/windows/sshd_config.erb +136 -0
data/cookbooks/mu-utility/CHANGELOG.md +12 -0
data/cookbooks/mu-utility/LICENSE +37 -0
data/cookbooks/mu-utility/README.md +6 -0
data/cookbooks/mu-utility/attributes/default.rb +1 -0
data/cookbooks/mu-utility/libraries/matchers.rb +21 -0
data/cookbooks/mu-utility/metadata.rb +16 -0
data/cookbooks/mu-utility/recipes/apt.rb +23 -0
data/cookbooks/mu-utility/recipes/cleanup_image_helper.rb +118 -0
data/cookbooks/mu-utility/recipes/iptables.rb +26 -0
data/cookbooks/mu-utility/recipes/luks.rb +18 -0
data/cookbooks/mu-utility/recipes/nat.rb +104 -0
data/cookbooks/mu-utility/recipes/php.rb +33 -0
data/cookbooks/mu-utility/recipes/rdp_gateway.rb +83 -0
data/cookbooks/mu-utility/recipes/remi.rb +44 -0
data/cookbooks/mu-utility/recipes/vim.rb +26 -0
data/cookbooks/mu-utility/recipes/windows_basics.rb +37 -0
data/cookbooks/mu-utility/recipes/zip.rb +26 -0
data/cookbooks/mu-utility/templates/default/BundleConfig.xml.erb +34 -0
data/cookbooks/mu-utility/templates/default/config.xml.erb +60 -0
data/cookbooks/nagios/Berksfile +8 -0
data/cookbooks/nagios/CHANGELOG.md +589 -0
data/cookbooks/nagios/CONTRIBUTING.md +11 -0
data/cookbooks/nagios/LICENSE +37 -0
data/cookbooks/nagios/README.md +328 -0
data/cookbooks/nagios/TESTING.md +2 -0
data/cookbooks/nagios/attributes/config.rb +171 -0
data/cookbooks/nagios/attributes/default.rb +228 -0
data/cookbooks/nagios/chefignore +102 -0
data/cookbooks/nagios/definitions/command.rb +33 -0
data/cookbooks/nagios/definitions/contact.rb +33 -0
data/cookbooks/nagios/definitions/contactgroup.rb +33 -0
data/cookbooks/nagios/definitions/host.rb +33 -0
data/cookbooks/nagios/definitions/hostdependency.rb +33 -0
data/cookbooks/nagios/definitions/hostescalation.rb +34 -0
data/cookbooks/nagios/definitions/hostgroup.rb +33 -0
data/cookbooks/nagios/definitions/nagios_conf.rb +38 -0
data/cookbooks/nagios/definitions/resource.rb +33 -0
data/cookbooks/nagios/definitions/service.rb +33 -0
data/cookbooks/nagios/definitions/servicedependency.rb +33 -0
data/cookbooks/nagios/definitions/serviceescalation.rb +34 -0
data/cookbooks/nagios/definitions/servicegroup.rb +33 -0
data/cookbooks/nagios/definitions/timeperiod.rb +33 -0
data/cookbooks/nagios/libraries/base.rb +314 -0
data/cookbooks/nagios/libraries/command.rb +91 -0
data/cookbooks/nagios/libraries/contact.rb +230 -0
data/cookbooks/nagios/libraries/contactgroup.rb +112 -0
data/cookbooks/nagios/libraries/custom_option.rb +36 -0
data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
data/cookbooks/nagios/libraries/default.rb +90 -0
data/cookbooks/nagios/libraries/host.rb +412 -0
data/cookbooks/nagios/libraries/hostdependency.rb +181 -0
data/cookbooks/nagios/libraries/hostescalation.rb +173 -0
data/cookbooks/nagios/libraries/hostgroup.rb +119 -0
data/cookbooks/nagios/libraries/nagios.rb +282 -0
data/cookbooks/nagios/libraries/resource.rb +59 -0
data/cookbooks/nagios/libraries/service.rb +455 -0
data/cookbooks/nagios/libraries/servicedependency.rb +215 -0
data/cookbooks/nagios/libraries/serviceescalation.rb +195 -0
data/cookbooks/nagios/libraries/servicegroup.rb +144 -0
data/cookbooks/nagios/libraries/timeperiod.rb +160 -0
data/cookbooks/nagios/libraries/users_helper.rb +54 -0
data/cookbooks/nagios/metadata.rb +25 -0
data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
data/cookbooks/nagios/recipes/apache.rb +48 -0
data/cookbooks/nagios/recipes/default.rb +204 -0
data/cookbooks/nagios/recipes/nginx.rb +82 -0
data/cookbooks/nagios/recipes/pagerduty.rb +143 -0
data/cookbooks/nagios/recipes/server_package.rb +40 -0
data/cookbooks/nagios/recipes/server_source.rb +164 -0
data/cookbooks/nagios/templates/default/apache2.conf.erb +96 -0
data/cookbooks/nagios/templates/default/cgi.cfg.erb +266 -0
data/cookbooks/nagios/templates/default/commands.cfg.erb +13 -0
data/cookbooks/nagios/templates/default/contacts.cfg.erb +37 -0
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +25 -0
data/cookbooks/nagios/templates/default/hosts.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/htpasswd.users.erb +6 -0
data/cookbooks/nagios/templates/default/nagios.cfg.erb +22 -0
data/cookbooks/nagios/templates/default/nginx.conf.erb +62 -0
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +185 -0
data/cookbooks/nagios/templates/default/resource.cfg.erb +27 -0
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/services.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/templates.cfg.erb +31 -0
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +13 -0
data/cookbooks/s3fs/CHANGELOG.md +13 -0
data/cookbooks/s3fs/LICENSE +37 -0
data/cookbooks/s3fs/README.md +6 -0
data/cookbooks/s3fs/attributes/default.rb +15 -0
data/cookbooks/s3fs/files/default/fuse-2.9.3.zip +0 -0
data/cookbooks/s3fs/metadata.rb +16 -0
data/cookbooks/s3fs/recipes/default.rb +91 -0
data/data_bags/demo/app.json +7 -0
data/data_bags/nagios_services/chef.json +6 -0
data/data_bags/nagios_services/linux_diskspace.json +5 -0
data/data_bags/nagios_services/momma_cat.json +6 -0
data/data_bags/nagios_services/mu-master-memory.json +5 -0
data/data_bags/nagios_services/nagios_ui.json +6 -0
data/data_bags/nagios_services/node_ssh.json +6 -0
data/data_bags/nagios_services/ssh.json +6 -0
data/demo/lambda_test.yaml +29 -0
data/environments/DEV.json +8 -0
data/environments/PROD.json +8 -0
data/environments/dev.json +8 -0
data/environments/development.json +8 -0
data/environments/prod.json +8 -0
data/extras/README.md +1 -0
data/extras/admin-role-binding.yaml +16 -0
data/extras/admin-user.yaml +6 -0
data/extras/aws-auth-cm.yaml.erb +12 -0
data/extras/clean-stock-amis +48 -0
data/extras/git-fix-permissions-hook +12 -0
data/extras/gitlab-eks-helper.sh.erb +20 -0
data/extras/image-generators/README.md +2 -0
data/extras/image-generators/aws/centos6.yaml +18 -0
data/extras/image-generators/aws/centos7-govcloud.yaml +24 -0
data/extras/image-generators/aws/centos7.yaml +17 -0
data/extras/image-generators/aws/rhel7.yaml +17 -0
data/extras/image-generators/aws/win2k12.yaml +16 -0
data/extras/image-generators/aws/win2k16.yaml +16 -0
data/extras/image-generators/aws/windows.yaml +18 -0
data/extras/image-generators/gcp/centos6.yaml +17 -0
data/extras/lambda_waf_domain_blacklist.py +103 -0
data/extras/platform_berksfile_base +50 -0
data/extras/ruby_rpm/build.sh +17 -0
data/extras/ruby_rpm/muby.spec +44 -0
data/extras/vault_tools/README.md +6 -0
data/extras/vault_tools/export_vaults.sh +3 -0
data/extras/vault_tools/recreate_vaults.sh +5 -0
data/extras/vault_tools/test_vaults.sh +5 -0
data/install/README.md +8 -0
data/install/cfn_create_mu_master.json +1034 -0
data/install/chef-server.rb.erb +19 -0
data/install/deprecated-bash-library.sh +1891 -0
data/install/images/Usage.png +0 -0
data/install/installer +71 -0
data/install/jenkinskeys.rb +8 -0
data/install/user-dot-murc.erb +14 -0
data/modules/html.erb +19 -0
data/modules/mommacat.ru +426 -0
data/modules/mu/cleanup.rb +339 -0
data/modules/mu/cloud.rb +1446 -0
data/modules/mu/clouds/README.md +201 -0
data/modules/mu/clouds/aws/alarm.rb +319 -0
data/modules/mu/clouds/aws/cache_cluster.rb +1010 -0
data/modules/mu/clouds/aws/collection.rb +373 -0
data/modules/mu/clouds/aws/container_cluster.rb +667 -0
data/modules/mu/clouds/aws/database.rb +1836 -0
data/modules/mu/clouds/aws/dnszone.rb +911 -0
data/modules/mu/clouds/aws/firewall_rule.rb +641 -0
data/modules/mu/clouds/aws/folder.rb +92 -0
data/modules/mu/clouds/aws/function.rb +349 -0
data/modules/mu/clouds/aws/group.rb +251 -0
data/modules/mu/clouds/aws/loadbalancer.rb +888 -0
data/modules/mu/clouds/aws/log.rb +363 -0
data/modules/mu/clouds/aws/msg_queue.rb +480 -0
data/modules/mu/clouds/aws/notification.rb +139 -0
data/modules/mu/clouds/aws/role.rb +656 -0
data/modules/mu/clouds/aws/search_domain.rb +646 -0
data/modules/mu/clouds/aws/server.rb +2294 -0
data/modules/mu/clouds/aws/server_pool.rb +1388 -0
data/modules/mu/clouds/aws/storage_pool.rb +495 -0
data/modules/mu/clouds/aws/user.rb +382 -0
data/modules/mu/clouds/aws/userdata/README.md +4 -0
data/modules/mu/clouds/aws/userdata/linux.erb +179 -0
data/modules/mu/clouds/aws/userdata/windows.erb +278 -0
data/modules/mu/clouds/aws/vpc.rb +1943 -0
data/modules/mu/clouds/aws.rb +1009 -0
data/modules/mu/clouds/cloudformation/alarm.rb +146 -0
data/modules/mu/clouds/cloudformation/cache_cluster.rb +167 -0
data/modules/mu/clouds/cloudformation/collection.rb +117 -0
data/modules/mu/clouds/cloudformation/database.rb +278 -0
data/modules/mu/clouds/cloudformation/dnszone.rb +274 -0
data/modules/mu/clouds/cloudformation/firewall_rule.rb +308 -0
data/modules/mu/clouds/cloudformation/loadbalancer.rb +193 -0
data/modules/mu/clouds/cloudformation/log.rb +170 -0
data/modules/mu/clouds/cloudformation/server.rb +370 -0
data/modules/mu/clouds/cloudformation/server_pool.rb +279 -0
data/modules/mu/clouds/cloudformation/vpc.rb +322 -0
data/modules/mu/clouds/cloudformation.rb +733 -0
data/modules/mu/clouds/docker.rb +30 -0
data/modules/mu/clouds/google/container_cluster.rb +290 -0
data/modules/mu/clouds/google/database.rb +152 -0
data/modules/mu/clouds/google/firewall_rule.rb +267 -0
data/modules/mu/clouds/google/group.rb +164 -0
data/modules/mu/clouds/google/loadbalancer.rb +479 -0
data/modules/mu/clouds/google/server.rb +1510 -0
data/modules/mu/clouds/google/server_pool.rb +274 -0
data/modules/mu/clouds/google/user.rb +266 -0
data/modules/mu/clouds/google/userdata/README.md +4 -0
data/modules/mu/clouds/google/userdata/linux.erb +137 -0
data/modules/mu/clouds/google/userdata/windows.erb +275 -0
data/modules/mu/clouds/google/vpc.rb +890 -0
data/modules/mu/clouds/google.rb +811 -0
data/modules/mu/config/README.md +11 -0
data/modules/mu/config/alarm.rb +271 -0
data/modules/mu/config/cache_cluster.rb +172 -0
data/modules/mu/config/collection.rb +87 -0
data/modules/mu/config/container_cluster.rb +103 -0
data/modules/mu/config/container_cluster.yml +36 -0
data/modules/mu/config/database.rb +458 -0
data/modules/mu/config/database.yml +26 -0
data/modules/mu/config/dnszone.rb +327 -0
data/modules/mu/config/firewall_rule.rb +118 -0
data/modules/mu/config/folder.rb +70 -0
data/modules/mu/config/function.rb +140 -0
data/modules/mu/config/group.rb +64 -0
data/modules/mu/config/loadbalancer.rb +482 -0
data/modules/mu/config/log.rb +47 -0
data/modules/mu/config/log.yml +6 -0
data/modules/mu/config/msg_queue.rb +47 -0
data/modules/mu/config/msg_queue.yml +9 -0
data/modules/mu/config/notification.rb +44 -0
data/modules/mu/config/project.rb +71 -0
data/modules/mu/config/role.rb +102 -0
data/modules/mu/config/search_domain.rb +61 -0
data/modules/mu/config/search_domain.yml +25 -0
data/modules/mu/config/server.rb +587 -0
data/modules/mu/config/server.yml +8 -0
data/modules/mu/config/server_pool.rb +216 -0
data/modules/mu/config/server_pool.yml +71 -0
data/modules/mu/config/storage_pool.rb +145 -0
data/modules/mu/config/user.rb +78 -0
data/modules/mu/config/vpc.rb +743 -0
data/modules/mu/config/vpc.yml +6 -0
data/modules/mu/config.rb +2000 -0
data/modules/mu/defaults/README.md +2 -0
data/modules/mu/defaults/amazon_images.yaml +121 -0
data/modules/mu/defaults/google_images.yaml +16 -0
data/modules/mu/deploy.rb +686 -0
data/modules/mu/groomer.rb +123 -0
data/modules/mu/groomers/README.md +58 -0
data/modules/mu/groomers/chef.rb +1024 -0
data/modules/mu/kittens.rb +11319 -0
data/modules/mu/logger.rb +208 -0
data/modules/mu/master/README.md +27 -0
data/modules/mu/master/chef.rb +471 -0
data/modules/mu/master/ldap.rb +1005 -0
data/modules/mu/master.rb +415 -0
data/modules/mu/mommacat.rb +2703 -0
data/modules/mu-load-config.rb +1 -0
data/modules/mu.rb +724 -0
data/modules/scratchpad.erb +1 -0
data/modules/tests/super_complex_bok.yml +41 -0
data/modules/tests/super_simple_bok.yml +40 -0
data/mu.gemspec +62 -0
data/roles/demo-dbservice-configure.json +19 -0
data/roles/demo-portal-configure.json +19 -0
data/roles/mu-master-jenkins.json +24 -0
data/roles/mu-master-nagios-only.json +13 -0
data/roles/mu-master.json +12 -0
data/roles/mu-node.json +19 -0
data/roles/mu-splunk-server.json +13 -0
data/roles/mu-splunk.json +13 -0
data/test/clean_up.py +25 -0
data/test/demo-test-profile/README.md +3 -0
data/test/demo-test-profile/controls/flask.rb +84 -0
data/test/demo-test-profile/inspec.lock +7 -0
data/test/demo-test-profile/inspec.yml +11 -0
data/test/etco-test-profile/README.md +3 -0
data/test/etco-test-profile/controls/all-in-one.rb +182 -0
data/test/etco-test-profile/inspec.lock +7 -0
data/test/etco-test-profile/inspec.yml +11 -0
data/test/exec_inspec.py +246 -0
data/test/exec_mu_install.py +241 -0
data/test/exec_retry.py +44 -0
data/test/mu-master-test/README.md +3 -0
data/test/mu-master-test/controls/all_in_one.rb +557 -0
data/test/mu-master-test/inspec.lock +3 -0
data/test/mu-master-test/inspec.yml +11 -0
data/test/mu-tools-test/README.md +3 -0
data/test/mu-tools-test/controls/base.rb +265 -0
data/test/mu-tools-test/inspec.lock +3 -0
data/test/mu-tools-test/inspec.yml +8 -0
data/test/simple-server-php-test/README.md +3 -0
data/test/simple-server-php-test/controls/apachephp.rb +25 -0
data/test/simple-server-php-test/controls/example.rb +19 -0
data/test/simple-server-php-test/inspec.lock +7 -0
data/test/simple-server-php-test/inspec.yml +12 -0
data/test/simple-server-rails-test/README.md +3 -0
data/test/simple-server-rails-test/controls/rails.rb +188 -0
data/test/simple-server-rails-test/inspec.lock +7 -0
data/test/simple-server-rails-test/inspec.yml +11 -0
data/test/simple-windows-test/README.md +3 -0
data/test/simple-windows-test/controls/windows.rb +20 -0
data/test/simple-windows-test/inspec.lock +7 -0
data/test/simple-windows-test/inspec.yml +11 -0
data/test/smoke_test.rb +75 -0
data/test/wordpress-test/README.md +3 -0
data/test/wordpress-test/controls/wordpress.rb +97 -0
data/test/wordpress-test/inspec.lock +7 -0
data/test/wordpress-test/inspec.yml +11 -0
metadata +979 -0

data/modules/mu/clouds/google/vpc.rb ADDED Viewed

@@ -0,0 +1,890 @@
+# Copyright:: Copyright (c) 2017 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+module MU
+  class Cloud
+    class Google
+      # Creation of Virtual Private Clouds and associated artifacts (routes, subnets, etc).
+      class VPC < MU::Cloud::VPC
+        @deploy = nil
+        @config = nil
+        attr_reader :mu_name
+        attr_reader :cloud_id
+        attr_reader :url
+        attr_reader :config
+        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
+        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::vpcs}
+        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
+          @deploy = mommacat
+          @config = MU::Config.manxify(kitten_cfg)
+          @subnets = []
+          @subnetcachesemaphore = Mutex.new
+          if cloud_id and cloud_id.match(/^https:\/\//)
+            @url = cloud_id.clone
+            @cloud_id = cloud_id.to_s.gsub(/.*?\//, "")
+          elsif cloud_id and !cloud_id.empty?
+            @cloud_id = cloud_id.to_s
+          end
+          if !mu_name.nil?
+            @mu_name = mu_name
+            if @cloud_id.nil? or @cloud_id.empty?
+              @cloud_id = MU::Cloud::Google.nameStr(@mu_name)
+            end
+            loadSubnets
+          elsif @config['scrub_mu_isms']
+            @mu_name = @config['name']
+          else
+            @mu_name = @deploy.getResourceName(@config['name'])
+          end
+        end
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          networkobj = MU::Cloud::Google.compute(:Network).new(
+            name: MU::Cloud::Google.nameStr(@mu_name),
+            description: @deploy.deploy_id,
+            auto_create_subnetworks: false
+#            i_pv4_range: @config['ip_block']
+          )
+          MU.log "Creating network #{@mu_name} (#{@config['ip_block']}) in project #{@config['project']}", details: networkobj
+          resp = MU::Cloud::Google.compute.insert_network(@config['project'], networkobj)
+          @url = resp.self_link # XXX needs to go in notify
+          @cloud_id = resp.name
+          if @config['subnets']
+            subnetthreads = []
+            parent_thread_id = Thread.current.object_id
+            @config['subnets'].each { |subnet|
+              subnetthreads << Thread.new {
+                MU.dupGlobals(parent_thread_id)
+                subnet_name = @config['name']+"-"+subnet['name']
+                subnet_mu_name = MU::Cloud::Google.nameStr(@deploy.getResourceName(subnet_name))
+                MU.log "Creating subnetwork #{subnet_mu_name} (#{subnet['ip_block']}) in project #{@config['project']}", details: subnet
+                subnetobj = MU::Cloud::Google.compute(:Subnetwork).new(
+                  name: subnet_mu_name,
+                  description: @deploy.deploy_id,
+                  ip_cidr_range: subnet['ip_block'],
+                  network: @url,
+                  region: subnet['availability_zone']
+                )
+                resp = MU::Cloud::Google.compute.insert_subnetwork(@config['project'], subnet['availability_zone'], subnetobj)
+              }
+            }
+            subnetthreads.each do |t|
+              t.join
+            end
+          end
+          route_table_ids = []
+          if !@config['route_tables'].nil?
+            @config['route_tables'].each { |rtb|
+              rtb['routes'].each { |route|
+                # GCP does these for us, by default
+                next if route['destination_network'] == "0.0.0.0/0" and
+                        route['gateway'] == "#INTERNET"
+                # sibling NAT host routes will get set up our groom phrase
+                next if route['gateway'] == "#NAT" and !route['nat_host_name'].nil?
+                createRoute(route, network: @url)
+              }
+            }
+          end
+        end
+        # Configure IP traffic logging on a given VPC/Subnet. Logs are saved in cloudwatch based on the network interface ID of each instance.
+        # @param log_group_name [String]: The name of the CloudWatch log group all logs will be saved in.
+        # @param resource_id [String]: The cloud provider's identifier of the resource that traffic logging will be enabled on.
+        # @param resource_type [String]: What resource type to enable logging on (VPC or Subnet).
+        # @param traffic_type [String]: What traffic to log (ALL, ACCEPT or REJECT).
+        def trafficLogging(log_group_name: nil, resource_id: nil, resource_type: "VPC", traffic_type: "ALL")
+        end
+        # Describe this VPC
+        # @return [Hash]
+        def notify
+          base = MU.structToHash(cloud_desc)
+          base["cloud_id"] = @cloud_id
+          base.merge!(@config.to_h)
+          base
+        end
+        # Describe this VPC from the cloud platform's perspective
+        # @return [Hash]
+        def cloud_desc
+          @config['project'] ||= MU::Cloud::Google.defaultProject
+          resp = MU::Cloud::Google.compute.get_network(@config['project'], @cloud_id)
+          if @cloud_id.nil? or @cloud_id == ""
+            MU.log "Couldn't describe #{self}, @cloud_id #{@cloud_id.nil? ? "undefined" : "empty" }", MU::ERR
+            return nil
+          end
+          resp = resp.to_h
+          @url ||= resp[:self_link]
+          routes = MU::Cloud::Google.compute.list_routes(
+            @config['project'],
+            filter: "network eq #{@cloud_id}"
+          ).items
+          resp[:routes] = routes.map { |r| r.to_h } if routes
+# XXX subnets too
+          resp
+        end
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          rtb = @config['route_tables'].first
+          rtb['routes'].each { |route|
+            # If we had a sibling server being spun up as a NAT, rig up the
+            # route that the hosts behind it will need.
+            if route['gateway'] == "#NAT" and !route['nat_host_name'].nil?
+              createRoute(route, network: @url)
+            end
+          }
+          if !@config['peers'].nil?
+            count = 0
+            @config['peers'].each { |peer|
+              tag_key, tag_value = peer['vpc']['tag'].split(/=/, 2) if !peer['vpc']['tag'].nil?
+              if peer['vpc']['deploy_id'].nil? and peer['vpc']['vpc_id'].nil? and tag_key.nil?
+                peer['vpc']['deploy_id'] = @deploy.deploy_id
+              end
+              peer_obj = MU::MommaCat.findStray(
+                  "Google",
+                  "vpcs",
+                  deploy_id: peer['vpc']['deploy_id'],
+                  cloud_id: peer['vpc']['vpc_id'],
+                  name: peer['vpc']['vpc_name'],
+                  tag_key: tag_key,
+                  tag_value: tag_value,
+                  dummy_ok: true
+              )
+              raise MuError, "No result looking for #{@mu_name}'s peer VPCs (#{peer['vpc']})" if peer_obj.nil? or peer_obj.first.nil?
+              url = peer_obj.first.cloudobj.url || peer_obj.first.cloudobj.deploydata['self_link']
+              peerreq = MU::Cloud::Google.compute(:NetworksAddPeeringRequest).new(
+                name: MU::Cloud::Google.nameStr(@mu_name+"-peer-"+count.to_s),
+                auto_create_routes: true,
+                peer_network: url
+              )
+              MU.log "Peering #{@mu_name} with #{url}", details: peerreq
+              MU::Cloud::Google.compute.add_network_peering(
+                @config['project'],
+                @cloud_id,
+                peerreq
+              )
+            }
+          end
+        end
+        # Locate an existing VPC or VPCs and return an array containing matching Google cloud resource descriptors for those that match.
+        # @param cloud_id [String]: The cloud provider's identifier for this resource.
+        # @param region [String]: The cloud provider region
+        # @param tag_key [String]: A tag key to search.
+        # @param tag_value [String]: The value of the tag specified by tag_key to match when searching by tag.
+        # @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching VPCs
+        def self.find(cloud_id: nil, region: MU.curRegion, tag_key: "Name", tag_value: nil, flags: {})
+          flags["project"] ||= MU::Cloud::Google.defaultProject
+#MU.log "CALLED MU::Cloud::Google::VPC.find(#{cloud_id}, #{region}, #{tag_key}, #{tag_value}) from #{caller[0]}", MU::NOTICE, details: flags
+          resp = {}
+          if cloud_id
+            vpc = MU::Cloud::Google.compute.get_network(
+              flags['project'],
+              cloud_id.to_s.sub(/^.*?\/([^\/]+)$/, '\1')
+            )
+            resp[cloud_id] = vpc if !vpc.nil?
+          else # XXX other criteria
+            MU::Cloud::Google.compute.list_networks(
+              flags["project"]
+            ).items.each { |vpc|
+              resp[vpc.name] = vpc
+            }
+          end
+#MU.log "THINGY", MU::WARN, details: resp
+          resp.each_pair { |cloud_id, vpc|
+            routes = MU::Cloud::Google.compute.list_routes(
+              flags["project"],
+              filter: "network eq #{vpc.self_link}"
+            ).items
+#            pp routes
+          }
+#MU.log "RETURNING RESPONSE FROM VPC FIND (#{resp.class.name})", MU::WARN, details: resp
+          resp
+        end
+        # Return an array of MU::Cloud::Google::VPC::Subnet objects describe the
+        # member subnets of this VPC.
+        #
+        # @return [Array<MU::Cloud::Google::VPC::Subnet>]
+        def subnets
+          if @subnets.nil? or @subnets.size == 0
+            return loadSubnets
+          end
+          return @subnets
+        end
+        # Describe subnets associated with this VPC. We'll compose identifying
+        # information similar to what MU::Cloud.describe builds for first-class
+        # resources.
+        # @return [Array<Hash>]: A list of cloud provider identifiers of subnets associated with this VPC.
+        def loadSubnets
+          network = cloud_desc
+          if network.nil?
+            MU.log "Unabled to load cloud description in #{self}", MU::ERR
+            return nil
+          end
+          found = []
+          resp = nil
+          MU::Cloud::Google.listRegions(@config['us_only']).each { |r|
+            resp = MU::Cloud::Google.compute.list_subnetworks(
+              @config['project'],
+              r,
+              filter: "network eq #{network[:self_link]}"
+            )
+            next if resp.nil? or resp.items.nil?
+            resp.items.each { |subnet|
+              found << subnet
+            }
+          }
+          @subnetcachesemaphore.synchronize {
+            @subnets ||= []
+            ext_ids = @subnets.each.collect { |s| s.cloud_id }
+            # If we're a plain old Mu resource, load our config and deployment
+            # metadata. Like ya do.
+            if !@config.nil? and @config.has_key?("subnets")
+              @config['subnets'].each { |subnet|
+                subnet['mu_name'] = @mu_name+"-"+subnet['name'] if !subnet.has_key?("mu_name")
+                subnet['region'] = @config['region']
+                found.each { |desc|
+                  if desc.ip_cidr_range == subnet["ip_block"]
+                    subnet["cloud_id"] = desc.name
+                    subnet["url"] = desc.self_link
+                    subnet['az'] = desc.region.gsub(/.*?\//, "")
+                    break
+                  end
+                }
+                if !ext_ids.include?(subnet["cloud_id"])
+                  @subnets << MU::Cloud::Google::VPC::Subnet.new(self, subnet)
+                end
+              }
+            # Of course we might be loading up a dummy subnet object from a
+            # foreign or non-Mu-created VPC and subnet. So make something up.
+            elsif !found.nil?
+              found.each { |desc|
+                subnet = {}
+                subnet["ip_block"] = desc.ip_cidr_range
+                subnet["name"] = subnet["ip_block"].gsub(/[\.\/]/, "_")
+                subnet['mu_name'] = @mu_name+"-"+subnet['name']
+                subnet["cloud_id"] = desc.name
+                subnet['az'] = subnet['region'] = desc.region.gsub(/.*?\//, "")
+                if !ext_ids.include?(desc.name)
+                  @subnets << MU::Cloud::Google::VPC::Subnet.new(self, subnet)
+                end
+              }
+            end
+          }
+          return @subnets
+        end
+        # Given some search criteria try locating a NAT Gaateway in this VPC.
+        # @param nat_cloud_id [String]: The cloud provider's identifier for this NAT.
+        # @param nat_filter_key [String]: A cloud provider filter to help identify the resource, used in conjunction with nat_filter_value.
+        # @param nat_filter_value [String]: A cloud provider filter to help identify the resource, used in conjunction with nat_filter_key.
+        # @param region [String]: The cloud provider region of the target instance.
+        def findNat(nat_cloud_id: nil, nat_filter_key: nil, nat_filter_value: nil, region: MU.curRegion)
+        end
+        # Given some search criteria for a {MU::Cloud::Server}, see if we can
+        # locate a NAT host in this VPC.
+        # @param nat_name [String]: The name of the resource as defined in its 'name' Basket of Kittens field, typically used in conjunction with deploy_id.
+        # @param nat_cloud_id [String]: The cloud provider's identifier for this NAT.
+        # @param nat_tag_key [String]: A cloud provider tag to help identify the resource, used in conjunction with tag_value.
+        # @param nat_tag_value [String]: A cloud provider tag to help identify the resource, used in conjunction with tag_key.
+        # @param nat_ip [String]: An IP address associated with the NAT instance.
+        def findBastion(nat_name: nil, nat_cloud_id: nil, nat_tag_key: nil, nat_tag_value: nil, nat_ip: nil)
+          nat = nil
+          deploy_id = nil
+          nat_name = nat_name.to_s if !nat_name.nil? and nat_name.class.to_s == "MU::Config::Tail"
+          nat_ip = nat_ip.to_s if !nat_ip.nil? and nat_ip.class.to_s == "MU::Config::Tail"
+          nat_cloud_id = nat_cloud_id.to_s if !nat_cloud_id.nil? and nat_cloud_id.class.to_s == "MU::Config::Tail"
+          nat_tag_key = nat_tag_key.to_s if !nat_tag_key.nil? and nat_tag_key.class.to_s == "MU::Config::Tail"
+          nat_tag_value = nat_tag_value.to_s if !nat_tag_value.nil? and nat_tag_value.class.to_s == "MU::Config::Tail"
+          # If we're searching by name, assume it's part of this here deploy.
+          if nat_cloud_id.nil? and !@deploy.nil?
+            deploy_id = @deploy.deploy_id
+          end
+          found = MU::MommaCat.findStray(
+            "Google",
+            "server",
+            name: nat_name,
+            cloud_id: nat_cloud_id,
+            deploy_id: deploy_id,
+            tag_key: nat_tag_key,
+            tag_value: nat_tag_value,
+            allow_multi: true,
+            dummy_ok: true,
+            calling_deploy: @deploy
+          )
+# XXX wat
+          return nil if found.nil? || found.empty?
+          if found.size > 1
+            found.each { |nat|
+              # Try some cloud-specific criteria
+              cloud_desc = nat.cloud_desc
+              if !nat_host_ip.nil? and
+# XXX this is AWS code, is wrong here
+                  (cloud_desc.private_ip_address == nat_host_ip or cloud_desc.public_ip_address == nat_host_ip)
+                return nat
+              elsif cloud_desc.vpc_id == @cloud_id
+                # XXX Strictly speaking we could have different NATs in different
+                # subnets, so this can be wrong in corner cases. Why you'd
+                # architect something that obnoxiously, I have no idea.
+                return nat
+              end
+            }
+          elsif found.size == 1
+            return found.first
+          end
+          return nil
+        end
+        # Check for a subnet in this VPC matching one or more of the specified
+        # criteria, and return it if found.
+        def getSubnet(cloud_id: nil, name: nil, tag_key: nil, tag_value: nil, ip_block: nil)
+          loadSubnets
+          if !cloud_id.nil? and cloud_id.match(/^https:\/\//)
+            cloud_id.gsub!(/.*?\//, "")
+          end
+          MU.log "getSubnet(cloud_id: #{cloud_id}, name: #{name}, tag_key: #{tag_key}, tag_value: #{tag_value}, ip_block: #{ip_block})", MU::DEBUG, details: caller[0]
+          @subnets.each { |subnet|
+            if !cloud_id.nil? and !subnet.cloud_id.nil? and subnet.cloud_id.to_s == cloud_id.to_s
+              return subnet
+            elsif !name.nil? and !subnet.name.nil? and subnet.name.to_s == name.to_s
+              return subnet
+            end
+          }
+          return nil
+        end
+        # Get the subnets associated with an instance.
+        # @param instance_id [String]: The cloud identifier of the instance
+        # @param instance [String]: A cloud descriptor for the instance, to save us an API call if we already have it
+        # @param region [String]: The cloud provider region of the target instance
+        # @return [Array<String>]
+        def self.getInstanceSubnets(instance_id: nil, instance: nil, region: MU.curRegion)
+        end
+        @route_cache = {}
+        @rtb_cache = {}
+        @rtb_cache_semaphore = Mutex.new
+        # Check whether we (the Mu Master) have a direct route to a particular
+        # instance. Useful for skipping hops through bastion hosts to get
+        # directly at child nodes in peered VPCs, the public internet, and the
+        # like.
+        # @param target_instance [OpenStruct]: The cloud descriptor of the instance to check.
+        # @param region [String]: The cloud provider region of the target subnet.
+        # @return [Boolean]
+        def self.haveRouteToInstance?(target_instance, region: MU.curRegion)
+          project ||= MU::Cloud::Google.defaultProject
+          return false if MU.myCloud != "Google"
+# XXX see if we reside in the same Network and overlap subnets
+# XXX see if we peer with the target's Network
+          target_instance.network_interfaces.each { |iface|
+            resp = MU::Cloud::Google.compute.list_routes(
+              project,
+              filter: "network eq #{iface.network}"
+            )
+            if resp and resp.items
+MU.log "ROUTES TO #{target_instance.name}", MU::WARN, details: resp
+            end
+          }
+          false
+        end
+        # updates the route table cache (@rtb_cache).
+        # @param subnet_key [String]: The subnet/subnets route tables will be extracted from.
+        # @param use_cache [Boolean]: If to use the existing cache and add records to cache only if missing, or to also replace exising records in cache.
+        # @param region [String]: The cloud provider region of the target subnet.
+        def self.update_route_tables_cache(subnet_key, use_cache: true, region: MU.curRegion)
+        end
+        # Checks if the MU master has a route to a subnet in a peered VPC. Can be used on any subnets
+        # @param source_subnets_key [String]: The subnet/subnets on one side of the peered VPC.
+        # @param target_subnets_key [String]: The subnet/subnets on the other side of the peered VPC.
+        # @param instance_id [String]: The instance ID in the target subnet/subnets.
+        # @return [Boolean]
+        def self.have_route_peered_vpc?(source_subnets_key, target_subnets_key, instance_id)
+        end
+        # Retrieves the route tables of used by subnets
+        # @param subnet_ids [Array]: The cloud identifier of the subnets to retrieve the route tables for.
+        # @param vpc_ids [Array]: The cloud identifier of the VPCs to retrieve route tables for.
+        # @param region [String]: The cloud provider region of the target subnet.
+        # @return [Array<OpenStruct>]: The cloud provider's complete descriptions of the route tables
+        def self.get_route_tables(subnet_ids: [], vpc_ids: [], region: MU.curRegion)
+        end
+        # Remove all VPC resources associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, flags: {})
+          flags["project"] ||= MU::Cloud::Google.defaultProject
+          purge_subnets(noop, project: flags['project'])
+          ["route", "network"].each { |type|
+# XXX tagged routes aren't showing up in list, and the networks that own them
+# fail to delete silently
+            MU::Cloud::Google.compute.delete(
+              type,
+              flags["project"],
+              nil,
+              noop
+            )
+          }
+        end
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config)
+          toplevel_required = []
+          schema = {
+            "regions" => {
+              "type" => "array",
+              "items" => MU::Config.region_primitive
+            },
+            "project" => {
+              "type" => "string",
+              "description" => "The project into which to deploy resources"
+            }
+          }
+          [toplevel_required, schema]
+        end
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::vpcs}, bare and unvalidated.
+        # @param vpc [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(vpc, configurator)
+          ok = true
+          if vpc['create_standard_subnets']
+            # Manufacture some generic routes, if applicable.
+            if !vpc['route_tables'] or vpc['route_tables'].empty?
+              vpc['route_tables'] = [
+                {
+                  "name" => "internet",
+                  "routes" => [ { "destination_network" => "0.0.0.0/0", "gateway" => "#INTERNET" } ]
+                },
+                {
+                  "name" => "private",
+                  "routes" => [ { "destination_network" => "0.0.0.0/0", "gateway" => "#NAT" } ]
+                }
+              ]
+            end
+            # Generate a set of subnets per route, if none are declared
+            if !vpc['subnets'] or vpc['subnets'].empty?
+              if vpc['regions'].nil? or vpc['regions'].empty?
+                vpc['regions'] = MU::Cloud::Google.listRegions(vpc['us_only'])
+              end
+              blocks = configurator.divideNetwork(vpc['ip_block'], vpc['regions'].size*vpc['route_tables'].size, 29)
+              ok = false if blocks.nil?
+              vpc["subnets"] = []
+              vpc['route_tables'].each { |t|
+                count = 0
+                vpc['regions'].each { |r|
+                  block = blocks.shift
+                  vpc["subnets"] << {
+                    "availability_zone" => r,
+                    "route_table" => t["name"],
+                    "ip_block" => block.to_s,
+                    "name" => "Subnet"+count.to_s+t["name"].capitalize,
+                    "map_public_ips" => true
+                  }
+                  count = count + 1
+                }
+              }
+            end
+          end
+          # Google VPCs can't have routes that are anything other than global
+          # (they can be tied to individual instances by tags, but w/e). So we
+          # decompose our VPCs into littler VPCs, one for each declared route
+          # table, so that the routes therein will only apply to the portion of
+          # our network we want them to.
+          if vpc['route_tables'].size > 1
+            blocks = configurator.divideNetwork(vpc['ip_block'], vpc['route_tables'].size*2, 29)
+            peernames = []
+            vpc['route_tables'].each { |tbl|
+              peernames << vpc['name']+"-"+tbl['name']
+            }
+            vpc['route_tables'].each { |tbl|
+              newvpc = {
+                "name" => vpc['name']+"-"+tbl['name'],
+                "ip_block" => blocks.shift,
+                "route_tables" => [tbl],
+                "parent_block" => vpc['ip_block'],
+                "subnets" => []
+              }
+              MU.log "Splitting VPC #{newvpc['name']} off from #{vpc['name']}", MU::NOTICE
+              vpc.each_pair { |key, val|
+                next if ["name", "route_tables", "subnets", "ip_block"].include?(key)
+                newvpc[key] = val
+              }
+              newvpc['peers'] ||= []
+              peernames.each { |peer|
+                if peer != vpc['name']+"-"+tbl['name']
+                  newvpc['peers'] << { "vpc" => { "vpc_name" => peer } }
+                end
+              }
+              vpc["subnets"].each { |subnet|
+                newvpc["subnets"] << subnet if subnet["route_table"] == tbl["name"]
+              }
+              ok = false if !configurator.insertKitten(newvpc, "vpcs", true)
+            }
+            configurator.removeKitten(vpc['name'], "vpcs")
+          else
+            has_nat = vpc['route_tables'].first["routes"].include?({"gateway"=>"#NAT", "destination_network"=>"0.0.0.0/0"})
+            has_deny = vpc['route_tables'].first["routes"].include?({"gateway"=>"#DENY", "destination_network"=>"0.0.0.0/0"})
+# XXX we need routes to peered Networks too
+            if has_nat or has_deny
+              ok = false if !genStandardSubnetACLs(vpc['parent_block'] || vpc['ip_block'], vpc['name'], configurator, vpc["project"], false)
+            else
+              ok = false if !genStandardSubnetACLs(vpc['parent_block'] || vpc['ip_block'], vpc['name'], configurator, vpc["project"])
+            end
+            if has_nat and !has_deny
+              vpc['route_tables'].first["routes"] << {
+                "gateway"=>"#DENY",
+                "destination_network"=>"0.0.0.0/0"
+              }
+            end
+            nat_count = 0
+            # You know what, let's just guarantee that we'll have a route from
+            # this master, always
+            # XXX this confuses machines that don't have public IPs
+            if !vpc['scrub_mu_isms']
+#              vpc['route_tables'].first["routes"] << {
+#                'gateway' => "#INTERNET",
+#                'destination_network' => MU.mu_public_ip+"/32"
+#              }
+            end
+            vpc['route_tables'].first["routes"].each { |route|
+              # No such thing as a NAT gateway in Google... so make an instance
+              # that'll do the deed.
+              if route['gateway'] == "#NAT"
+                nat_cfg = MU::Cloud::Google::Server.genericNAT
+                nat_cfg['name'] = vpc['name']+"-natstion-"+nat_count.to_s
+                # XXX ingress/egress rules?
+                # XXX for master too if applicable
+                nat_cfg["application_attributes"] = {
+                  "nat" => {
+                    "private_net" => vpc["parent_block"].to_s
+                  }
+                }
+                route['nat_host_name'] = nat_cfg['name']
+                route['priority'] = 100
+                vpc["dependencies"] << {
+                  "type" => "server",
+                  "name" => nat_cfg['name'],
+                }
+                nat_cfg['vpc'] = {
+                  "vpc_name" => vpc["name"],
+                  "subnet_pref" => "any"
+                }
+                nat_count = nat_count + 1
+                ok = false if !configurator.insertKitten(nat_cfg, "servers", true)
+              end
+            }
+          end
+#          MU.log "GOOGLE VPC", MU::WARN, details: vpc
+          ok
+        end
+        # @param route [Hash]: A route description, per the Basket of Kittens schema
+        # @param server [MU::Cloud::Google::Server]: Instance to which this route will apply
+        def createRouteForInstance(route, server)
+          createRoute(route, network: @url, tags: [MU::Cloud::Google.nameStr(server.mu_name)])
+        end
+        private
+        def self.genStandardSubnetACLs(vpc_cidr, vpc_name, configurator, project, publicroute = true)
+          private_acl = {
+            "name" => vpc_name+"-routables",
+            "cloud" => "Google",
+            "project" => project,
+            "vpc" => { "vpc_name" => vpc_name },
+            "dependencies" => [ { "type" => "vpc", "name" => vpc_name } ],
+            "rules" => [
+              { "ingress" => true, "proto" => "all", "hosts" => [vpc_cidr] }
+            ]
+          }
+#          if publicroute
+#          XXX distinguish between "I have a NAT" and "I really shouldn't be
+#          able to talk to the world"
+            private_acl["rules"] << {
+              "egress" => true, "proto" => "all", "hosts" => ["0.0.0.0/0"]
+            }
+#          else
+#            private_acl["rules"] << {
+#              "egress" => true, "proto" => "all", "hosts" => [vpc_cidr], "weight" => 999
+#            }
+#            private_acl["rules"] << {
+#              "egress" => true, "proto" => "all", "hosts" => ["0.0.0.0/0"], "deny" => true
+#            }
+#          end
+          configurator.insertKitten(private_acl, "firewall_rules", true)
+        end
+        # Helper method for manufacturing routes. Expect to be called from
+        # {MU::Cloud::Google::VPC#create} or {MU::Cloud::Google::VPC#groom}.
+        # @param route [Hash]: A route description, per the Basket of Kittens schema
+        # @param network [String]: Cloud identifier of the VPC to which we're adding this route
+        # @param tags [Array<String>]: Instance tags to which this route applies. If empty, applies to entire VPC.
+        # @return [Hash]: The modified configuration that was originally passed in.
+        def createRoute(route, network: @url, tags: [])
+          routename = MU::Cloud::Google.nameStr(@mu_name+"-route-"+route['destination_network'])
+          if !tags.nil? and tags.size > 0
+            routename = MU::Cloud::Google.nameStr(routename+"-"+tags.first).slice(0,63)
+          end
+          route["priority"] ||= 999
+          if route['gateway'] == "#NAT"
+            if !route['nat_host_name'].nil? or !route['nat_host_id'].nil?
+                sleep 5
+              nat_instance = findBastion(
+                nat_name: route["nat_host_name"],
+                nat_cloud_id: route["nat_host_id"]
+              )
+              if nat_instance.nil? or nat_instance.cloud_desc.nil?
+                raise MuError, "Failed to find NAT host for #NAT route in #{@mu_name} (#{route})"
+              end
+              routeobj = ::Google::Apis::ComputeBeta::Route.new(
+                name: routename,
+                next_hop_instance: nat_instance.cloud_desc.self_link,
+                dest_range: route['destination_network'],
+                priority: route["priority"],
+                description: @deploy.deploy_id,
+                tags: tags,
+                network: network
+              )
+            end
+# several other cases missing for various types of routers (raw IPs, instance ids, etc) XXX
+          elsif route['gateway'] == "#DENY"
+            resp = MU::Cloud::Google.compute.list_routes(
+              @config['project'],
+              filter: "network eq #{network}"
+            )
+            if !resp.nil? and !resp.items.nil?
+              resp.items.each { |r|
+                next if r.next_hop_gateway.nil? or !r.next_hop_gateway.match(/\/global\/gateways\/default-internet-gateway$/)
+                MU.log "Removing standard route #{r.name} per our #DENY entry"
+                MU::Cloud::Google.compute.delete_route(@config['project'], r.name)
+              }
+            end
+          elsif route['gateway'] == "#INTERNET"
+            routeobj = ::Google::Apis::ComputeBeta::Route.new(
+              name: routename,
+              next_hop_gateway: "global/gateways/default-internet-gateway",
+              dest_range: route['destination_network'],
+              priority: route["priority"],
+              description: @deploy.deploy_id,
+              tags: tags,
+              network: network
+            )
+          else
+            routeobj = ::Google::Apis::ComputeBeta::Route.new(
+              name: routename,
+              dest_range: route['destination_network'],
+              network: network,
+              priority: route["priority"],
+              description: @deploy.deploy_id,
+              tags: tags,
+              next_hop_network: network
+            )
+          end
+          if route['gateway'] != "#DENY"
+            begin
+              MU::Cloud::Google.compute.get_route(@config['project'], routename)
+            rescue ::Google::Apis::ClientError, MU::MuError => e
+              if e.message.match(/notFound/)
+                MU.log "Creating route #{routename} in project #{@config['project']}", details: routeobj
+                resp = MU::Cloud::Google.compute.insert_route(@config['project'], routeobj)
+              else
+                # TODO can't update GCP routes, would have to delete and re-create
+              end
+            end
+          end
+        end
+        # Remove all network gateways associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_gateways(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion)
+        end
+        # Remove all NAT gateways associated with the VPC of the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param vpc_id [String]: The cloud provider's unique VPC identifier
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_nat_gateways(noop = false, vpc_id: nil, region: MU.curRegion)
+        end
+        # Remove all VPC endpoints associated with the VPC of the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param vpc_id [String]: The cloud provider's unique VPC identifier
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_endpoints(noop = false, vpc_id: nil, region: MU.curRegion)
+        end
+        # Remove all network interfaces associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param tagfilters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_interfaces(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion)
+        end
+        # Remove all subnets associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param tagfilters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
+        # @param regions [Array<String>]: The cloud provider regions to check
+        # @return [void]
+        def self.purge_subnets(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], regions: MU::Cloud::Google.listRegions, project: MU::Cloud::Google.defaultProject)
+          parent_thread_id = Thread.current.object_id
+          regionthreads = []
+          regions.each { |r|
+            regionthreads << Thread.new {
+              MU.dupGlobals(parent_thread_id)
+              MU::Cloud::Google.compute.delete(
+                "subnetwork",
+                project,
+                r,
+                noop
+              )
+            }
+          }
+          regionthreads.each do |t|
+            t.join
+          end
+        end
+        # Remove all DHCP options sets associated with the currently loaded
+        # deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param tagfilters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_dhcpopts(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion)
+        end
+        # Remove all VPCs associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param tagfilters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_vpcs(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion)
+        end
+        protected
+        # Subnets are almost a first-class resource. So let's kinda sorta treat
+        # them like one. This should only be invoked on objects that already
+        # exists in the cloud layer.
+        class Subnet < MU::Cloud::Google::VPC
+          attr_reader :cloud_id
+          attr_reader :url
+          attr_reader :ip_block
+          attr_reader :mu_name
+          attr_reader :name
+          attr_reader :az
+          # @param parent [MU::Cloud::Google::VPC]: The parent VPC of this subnet.
+          # @param config [Hash<String>]:
+          def initialize(parent, config)
+            @parent = parent
+            @config = MU::Config.manxify(config)
+            @cloud_id = config['cloud_id']
+            @url = config['url']
+            @mu_name = config['mu_name']
+            @name = config['name']
+            @deploydata = config # This is a dummy for the sake of describe()
+            @az = config['az']
+            @ip_block = config['ip_block']
+          end
+          # Return the cloud identifier for the default route of this subnet.
+          def defaultRoute
+          end
+          # Is this subnet privately-routable only, or public?
+          # @return [Boolean]
+          def private?
+            routes = MU::Cloud::Google.compute.list_routes(
+              @parent.config['project'],
+              filter: "network eq #{@parent.url}"
+            ).items
+            routes.map { |r|
+              if r.dest_range == "0.0.0.0/0" and !r.next_hop_gateway.nil? and
+                 (r.tags.nil? or r.tags.size == 0) and
+                 r.next_hop_gateway.match(/\/global\/gateways\/default-internet-gateway/)
+                return false
+              end
+            }
+            return true
+          end
+        end
+      end #class
+    end #class
+  end
+end #module