cloud-mu 2.0.0.pre.alpha9 → 2.0.0.pre.beta1

data/modules/mu/clouds/aws/bucket.rb

@@ -0,0 +1,287 @@
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+  class Cloud
+    class AWS
+      # Support for AWS S3
+      class Bucket < MU::Cloud::Bucket
+        @deploy = nil
+        @config = nil
+
+        @@region_cache = {}
+        @@region_cache_semaphore = Mutex.new
+
+        attr_reader :mu_name
+        attr_reader :config
+        attr_reader :cloud_id
+
+        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
+        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::logs}
+        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
+          @deploy = mommacat
+          @config = MU::Config.manxify(kitten_cfg)
+          @cloud_id ||= cloud_id
+          @mu_name ||= @deploy.getResourceName(@config["name"])
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          bucket_name = @deploy.getResourceName(@config["name"], max_length: 63).downcase
+          MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).create_bucket(
+            acl: @config['acl'],
+            bucket: bucket_name
+          )
+          @cloud_id = bucket_name
+
+          @@region_cache_semaphore.synchronize {
+            @@region_cache[@cloud_id] ||= @config['region']
+          }
+
+          tagBucket if !@config['scrub_mu_isms']
+        end
+
+        # Apply tags to this bucket object
+        def tagBucket
+          tagset = []
+
+          MU::MommaCat.listStandardTags.each_pair { |key, value|
+            tagset << { :key => key, :value => value }
+          }
+
+          if @config['tags']
+            @config['tags'].each { |tag|
+              tagset << { :key => tag['key'], :value => tag['value'] }
+            }
+          end
+
+          if @config['optional_tags']
+            MU::MommaCat.listOptionalTags.each { |key, value|
+              tagset << { :key => key, :value => value }
+            }
+          end
+
+          MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_tagging(
+            bucket: @cloud_id,
+            tagging: {
+              tag_set: tagset
+            }
+          )
+
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          @@region_cache_semaphore.synchronize {
+            @@region_cache[@cloud_id] ||= @config['region']
+          }
+          tagBucket if !@config['scrub_mu_isms']
+
+          current = cloud_desc
+
+          if @config['web'] and current["website"].nil?
+            MU.log "Enabling web service on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_website(
+              bucket: @cloud_id,
+              website_configuration: {
+                error_document: {
+                  key: @config['web_error_object']
+                },
+                index_document: {
+                  suffix: @config['web_index_object']
+                }
+              }
+            )
+          elsif !@config['web'] and !current["website"].nil?
+            MU.log "Disabling web service on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).delete_bucket_website(
+              bucket: @cloud_id
+            )
+          end
+
+          if @config['versioning'] and current["versioning"].status != "Enabled"
+            MU.log "Enabling versioning on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              bucket: @cloud_id,
+              versioning_configuration: {
+                mfa_delete: "Disabled",
+                status: "Enabled"
+              }
+            )
+          elsif !@config['versioning'] and current["versioning"].status == "Enabled"
+            MU.log "Suspending versioning on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              bucket: @cloud_id,
+              versioning_configuration: {
+                mfa_delete: "Disabled",
+                status: "Suspended"
+              }
+            )
+          end
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
+        # Remove all buckets associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+
+          resp = MU::Cloud::AWS.s3(credentials: credentials, region: region).list_buckets
+          if resp and resp.buckets
+            resp.buckets.each { |bucket|
+              @@region_cache_semaphore.synchronize {
+                if @@region_cache[bucket.name]
+                  next if @@region_cache[bucket.name] != region
+                else
+                  location = MU::Cloud::AWS.s3(credentials: credentials, region: region).get_bucket_location(bucket: bucket.name).location_constraint
+
+                  if location.nil? or location.empty?
+                    @@region_cache[bucket.name] = region
+                  else
+                    @@region_cache[bucket.name] = location
+                  end
+                end
+              }
+
+              if @@region_cache[bucket.name] != region
+                MU.log "#{bucket.name} is in #{@@region_cache[bucket.name]} but I'm checking from #{region}, skipping", MU::DEBUG
+                next
+              end
+
+              begin
+                tags = MU::Cloud::AWS.s3(credentials: credentials, region: region).get_bucket_tagging(bucket: bucket.name).tag_set
+                tags.each { |tag|
+                  if tag.key == "MU-ID" and tag.value == MU.deploy_id
+                    MU.log "Deleting S3 Bucket #{bucket.name}"
+                    if !noop
+                      MU::Cloud::AWS.s3(credentials: credentials, region: region).delete_bucket(bucket: bucket.name)
+                    end
+                    break
+                  end
+                }
+              rescue Aws::S3::Errors::NoSuchTagSet, Aws::S3::Errors::PermanentRedirect
+                next
+              end
+            }
+          end
+        end
+
+        # Canonical Amazon Resource Number for this resource
+        # @return [String]
+        def arn
+          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":s3:::"+@cloud_id
+        end
+
+        # Return the metadata for this user cofiguration
+        # @return [Hash]
+        def notify
+          desc = MU::Cloud::AWS::Bucket.describe_bucket(@cloud_id, credentials: @config['credentials'], region: @config['region'])
+          MU.structToHash(desc)
+        end
+
+        # Locate an existing bucket.
+        # @param cloud_id [String]: The cloud provider's identifier for this resource.
+        # @param region [String]: The cloud provider region.
+        # @param flags [Hash]: Optional flags
+        # @return [OpenStruct]: The cloud provider's complete descriptions of matching bucket.
+        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {})
+          found = {}
+          if cloud_id
+            found[cloud_id] = describe_bucket(cloud_id, minimal: true, credentials: credentials, region: region)
+          end
+          found
+        end
+
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config)
+          toplevel_required = []
+          schema = {
+            "acl" => {
+              "type" => "string",
+              "enum" => ["private", "public-read", "public-read-write", "authenticated-read"],
+              "default" => "private"
+            },
+            "storage_class" => {
+              "type" => "string",
+              "enum" => ["STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER"],
+              "default" => "STANDARD"
+            }
+          }
+          [toplevel_required, schema]
+        end
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::bucket}, bare and unvalidated.
+
+        # @param bucket [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(bucket, configurator)
+          ok = true
+
+          ok
+        end
+
+        private
+
+        # AWS doesn't really implement a useful describe_ method for S3 buckets;
+        # instead we run the million little individual API calls to construct
+        # an approximation for our uses
+        def self.describe_bucket(bucket, minimal: false, credentials: nil, region: nil)
+          @@region_cache = {}
+          @@region_cache_semaphore = Mutex.new
+          calls = if minimal
+            %w{encryption lifecycle lifecycle_configuration location logging policy replication tagging versioning website}
+          else
+            %w{accelerate_configuration acl cors encryption lifecycle lifecycle_configuration location logging notification notification_configuration policy policy_status replication request_payment tagging versioning website} # XXX analytics_configuration, inventory_configuration, metrics_configuration all require an id of some sort
+          end
+
+          desc = {}
+
+          calls.each { |method|
+            method_sym = ("get_bucket_"+method).to_sym
+            # "The horrors of this place claw at your mind"
+            begin
+              desc[method] = MU::Cloud::AWS.s3(credentials: credentials, region: region).method_missing(method_sym, {:bucket => bucket})
+              if method == "location"
+                @@region_cache_semaphore.synchronize {
+                  if desc[method].location_constraint.nil? or desc[method].location_constraint.empty?
+                    @@region_cache[bucket] = region
+                  else
+                    @@region_cache[bucket] = desc[method].location_constraint
+                  end
+                }
+              end
+
+            rescue Aws::S3::Errors::NoSuchCORSConfiguration, Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError, Aws::S3::Errors::NoSuchLifecycleConfiguration, Aws::S3::Errors::NoSuchBucketPolicy, Aws::S3::Errors::ReplicationConfigurationNotFoundError, Aws::S3::Errors::NoSuchTagSet, Aws::S3::Errors::NoSuchWebsiteConfiguration => e
+              desc[method] = nil
+              next
+            end
+          }
+          desc
+        end
+
+      end
+    end
+  end
+end

data/modules/mu/clouds/aws/database.rb

@@ -364,18 +364,16 @@ module MU
               end
             elsif @config["creation_style"] == "new"
               MU.log "Creating pristine database instance #{@config['identifier']} (#{@config['name']}) in #{@config['region']}"
-puts @config['credentials']
-pp config
               resp = MU::Cloud::AWS.rds(region: @config['region'], credentials: @config['credentials']).create_db_instance(config)
             end
           rescue Aws::RDS::Errors::InvalidParameterValue => e
             if attempts < 5
-              MU.log "Got #{e.inspect} creating #{@config['identifier']}, will retry a few times in case of transient errors.", MU::WARN
+              MU.log "Got #{e.inspect} creating #{@config['identifier']}, will retry a few times in case of transient errors.", MU::WARN, details: config
               attempts += 1
               sleep 10
               retry
             else
-              raise MuError, "Exhausted retries trying to create database instance #{@config['identifier']}: e.inspect"
+              raise MuError, "Exhausted retries trying to create database instance #{@config['identifier']}: #{e.inspect}"
             end
           end
 
@@ -497,6 +495,18 @@ pp config
           }
           cluster_config_struct[:port] = @config["port"] if @config["port"]
 
+          if @config['cluster_mode']
+            cluster_config_struct[:engine_mode] = @config['cluster_mode']
+            if @config['cluster_mode'] == "serverless"
+              cluster_config_struct[:scaling_configuration] = {
+                :auto_pause => @config['serverless_scaling']['auto_pause'],
+                :min_capacity => @config['serverless_scaling']['min_capacity'],
+                :max_capacity => @config['serverless_scaling']['max_capacity'],
+                :seconds_until_auto_pause => @config['serverless_scaling']['seconds_until_auto_pause']
+              }
+            end
+          end
+
           if %w{existing_snapshot new_snapshot}.include?(@config["creation_style"])
             cluster_config_struct[:snapshot_identifier] = @config["snapshot_id"]
             cluster_config_struct[:engine] = @config["engine"]
@@ -537,12 +547,13 @@ pp config
               end
           rescue Aws::RDS::Errors::InvalidParameterValue => e
             if attempts < 5
-              MU.log "Got #{e.inspect} while creating database cluster #{@config['identifier']}, will retry a few times in case of transient errors.", MU::WARN
+              MU.log "Got #{e.inspect} while creating database cluster #{@config['identifier']}, will retry a few times in case of transient errors.", MU::WARN, details: cluster_config_struct
               attempts += 1
               sleep 10
               retry
             else
-              raise MuError, "Exhausted retries trying to create database cluster #{@config['identifier']}", MU::ERR, details: e.inspect
+              MU.log "Exhausted retries trying to create database cluster #{@config['identifier']}", MU::ERR, details: e.inspect
+              raise MuError, "Exhausted retries trying to create database cluster #{@config['identifier']}"
             end
           end
 
@@ -1414,6 +1425,45 @@ pp config
           schema = {
             "db_parameter_group_parameters" => rds_parameters_primitive,
             "cluster_parameter_group_parameters" => rds_parameters_primitive,
+            "cluster_mode" => {
+              "type" => "string",
+              "description" => "The DB engine mode of the DB cluster",
+              "enum" => ["provisioned", "serverless", "parallelquery", "global"],
+              "default" => "provisioned"
+            },
+            "serverless_scaling" => {
+              "type" => "object",
+              "descriptions" => "Scaling configuration for a +serverless+ Aurora cluster",
+              "default" => {
+                "auto_pause" => false,
+                "min_capacity" => 2,
+                "max_capacity" => 2
+              },
+              "properties" => {
+                "auto_pause" => {
+                  "type" => "boolean",
+                  "description" => "A value that specifies whether to allow or disallow automatic pause for an Aurora DB cluster in serverless DB engine mode",
+                  "default" => false
+                },
+                "min_capacity" => {
+                  "type" => "integer",
+                  "description" => "The minimum capacity for an Aurora DB cluster in serverless DB engine mode.",
+                  "default" => 2,
+                  "enum" => [2, 4, 8, 16, 32, 64, 128, 256]
+                },
+                "max_capacity" => {
+                  "type" => "integer",
+                  "description" => "The maximum capacity for an Aurora DB cluster in serverless DB engine mode.",
+                  "default" => 2,
+                  "enum" => [2, 4, 8, 16, 32, 64, 128, 256]
+                },
+                "seconds_until_auto_pause" => {
+                  "type" => "integer",
+                  "description" => "A DB cluster can be paused only when it's idle (it has no connections). If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.",
+                  "default" => 86400
+                }
+              }
+            },
             "license_model" => {
               "type" => "string",
               "enum" => ["license-included", "bring-your-own-license", "general-public-license", "postgresql-license"]
@@ -1452,7 +1502,11 @@ pp config
           if db['create_cluster'] or db['engine'] == "aurora" or db["member_of_cluster"]
             case db['engine']
             when "mysql", "aurora", "aurora-mysql"
-              db["engine"] = "aurora-mysql"
+              if db["engine_version"] == "5.6" or db["cluster_mode"] == "serverless"
+                db["engine"] = "aurora"
+              else
+                db["engine"] = "aurora-mysql"
+              end
             when "postgres", "postgresql", "postgresql-mysql"
               db["engine"] = "aurora-postgresql"
             else
@@ -1671,14 +1725,14 @@ pp config
           end
 
           # Cleanup the database vault
-          grommer = 
+          groomer = 
             if database_obj
               database_obj.config.has_key?("groomer") ? database_obj.config["groomer"] : MU::Config.defaultGroomer
             else
               MU::Config.defaultGroomer
             end
 
-          groomclass = MU::Groomer.loadGroomer(grommer)
+          groomclass = MU::Groomer.loadGroomer(groomer)
           groomclass.deleteSecret(vault: db_id.upcase) if !noop
           MU.log "#{db_id} has been terminated"
         end
@@ -1761,14 +1815,14 @@ pp config
           end
 
           # Cleanup the cluster vault
-          grommer = 
+          groomer = 
             if cluster_obj
               cluster_obj.config.has_key?("groomer") ? cluster_obj.config["groomer"] : MU::Config.defaultGroomer
             else
               MU::Config.defaultGroomer
             end
 
-          groomclass = MU::Groomer.loadGroomer(grommer)
+          groomclass = MU::Groomer.loadGroomer(groomer)
           groomclass.deleteSecret(vault: cluster_id.upcase) if !noop
 
           MU.log "#{cluster_id} has been terminated"

data/modules/mu/clouds/aws/endpoint.rb

@@ -0,0 +1,592 @@
+module MU
+  class Cloud
+    class AWS
+      # An API as configured in {MU::Config::BasketofKittens::endpoints}
+      class Endpoint < MU::Cloud::Endpoint
+        @deploy = nil
+        @config = nil
+        attr_reader :mu_name
+        attr_reader :config
+        attr_reader :cloud_id
+
+        @cloudformation_data = {}
+        attr_reader :cloudformation_data
+
+        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
+        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::endpoints}
+        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
+          @deploy = mommacat
+          @config = MU::Config.manxify(kitten_cfg)
+          @cloud_id ||= cloud_id
+          @mu_name ||= @deploy.getResourceName(@config["name"])
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_rest_api(
+            name: @mu_name,
+            description: @deploy.deploy_id,
+            endpoint_configuration: {
+              types: ["REGIONAL"] # XXX expose in BoK ["REGIONAL", "EDGE", "PRIVATE"]
+            }
+          )
+          @cloud_id = resp.id
+          generate_methods
+
+
+        end
+
+        # Create/update all of the methods declared for this endpoint
+        def generate_methods
+          resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_resources(
+            rest_api_id: @cloud_id,
+          )
+          root_resource = resp.items.first.id
+
+          # TODO guard this crap so we don't touch it if there are no changes
+          @config['methods'].each { |m|
+            method_arn = "arn:#{MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws"}:execute-api:#{@config["region"]}:#{MU::Cloud::AWS.credToAcct(@config['credentials'])}:#{@cloud_id}/*/#{m['type']}/#{m['path']}"
+
+            resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_resources(
+              rest_api_id: @cloud_id
+            )
+            ext_resource = nil
+            resp.items.each { |resource|
+              if resource.path_part == m['path']
+                ext_resource = resource.id
+              end
+            }
+
+            resp = if ext_resource
+MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_resource(
+  rest_api_id: @cloud_id,
+  resource_id: ext_resource,
+)
+#              MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).update_resource(
+#                rest_api_id: @cloud_id,
+#                resource_id: ext_resource,
+#                patch_operations: [
+#                  {
+#                    op: "replace",
+#                    path: "XXX ??",
+#                    value: m["path"]
+#                  }
+#                ]
+#              )
+            else
+              MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_resource(
+                rest_api_id: @cloud_id,
+                parent_id: root_resource,
+                path_part: m['path']
+              )
+            end
+            parent_id = resp.id
+
+            resp = begin
+              MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_method(
+                rest_api_id: @cloud_id,
+                resource_id: parent_id,
+                http_method: m['type']
+              )
+            rescue Aws::APIGateway::Errors::NotFoundException
+              resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).put_method(
+                rest_api_id: @cloud_id,
+                resource_id: parent_id,
+                authorization_type: m['auth'],
+                http_method: m['type']
+              )
+            end
+
+            # XXX effectively a placeholder default
+            begin
+              m['responses'].each { |r|
+                params = {
+                  :rest_api_id => @cloud_id,
+                  :resource_id => parent_id,
+                  :http_method => m['type'],
+                  :status_code => r['code'].to_s
+                }
+                if r['headers']
+                  params[:response_parameters] = r['headers'].map { |h|
+                    ["method.response.header."+h['header'], h['required']]
+                  }.to_h
+                end
+
+                if r['body']
+# XXX I'm guessing we can also have arbirary user-defined models somehow, so is_error is probably inadequate to the demand of the times
+                  params[:response_models] = r['body'].map { |b| [b['content_type'], b['is_error'] ? "Error" : "Empty"] }.to_h
+                end
+
+                MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).put_method_response(params)
+              }
+            rescue Aws::APIGateway::Errors::ConflictException
+              # fine to ignore
+            end
+
+            if m['integrate_with']
+              role_arn = if m['iam_role']
+                if m['iam_role'].match(/^arn:/)
+                  m['iam_role']
+                else
+                  sib_role = @deploy.findLitterMate(name: m['iam_role'], type: "roles")
+                  sib_role.cloudobj.arn
+# XXX make this more like get_role_arn in Function, or just use Role.find?
+                end
+              end
+
+              function_obj = nil
+
+              uri, type = if m['integrate_with']['type'] == "aws_generic"
+                svc, action = m['integrate_with']['aws_generic_action'].split(/:/)
+                ["arn:aws:apigateway:"+@config['region']+":#{svc}:action/#{action}", "AWS"]
+              elsif m['integrate_with']['type'] == "function"
+                function_obj = @deploy.findLitterMate(name: m['integrate_with']['name'], type: "functions").cloudobj
+                ["arn:aws:apigateway:"+@config['region']+":lambda:path/2015-03-31/functions/"+function_obj.arn+"/invocations", "AWS"]
+              elsif m['integrate_with']['type'] == "mock"
+                [nil, "MOCK"]
+              end
+
+              params = {
+                :rest_api_id => @cloud_id,
+                :resource_id => parent_id,
+                :type => type, # XXX Lambda and Firehose can do AWS_PROXY
+                :content_handling => "CONVERT_TO_TEXT", # XXX expose in BoK
+                :http_method => m['type']
+#                  credentials: role_arn
+              }
+              params[:uri] = uri if uri
+
+              if m['integrate_with']['type'] != "mock"
+                params[:integration_http_method] = m['integrate_with']['backend_http_method']
+              else
+                params[:integration_http_method] = nil
+              end
+
+              if m['integrate_with']['passthrough_behavior']
+                params[:passthrough_behavior] = m['integrate_with']['passthrough_behavior']
+              end
+              if m['integrate_with']['request_templates']
+                params[:request_templates] = {}
+                m['integrate_with']['request_templates'].each { |rt|
+                  params[:request_templates][rt['content_type']] = rt['template']
+                }
+              end
+
+              resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).put_integration(params)
+
+              if m['integrate_with']['type'] == "function"
+                function_obj.addTrigger(method_arn, "apigateway", @config['name'])
+              end
+
+              m['responses'].each { |r|
+                params = {
+                  :rest_api_id => @cloud_id,
+                  :resource_id => parent_id,
+                  :http_method => m['type'],
+                  :status_code => r['code'].to_s,
+                  :selection_pattern => ""
+                }
+                if r['headers']
+                  params[:response_parameters] = r['headers'].map { |h|
+                    ["method.response.header."+h['header'], "'"+h['value']+"'"]
+                  }.to_h
+                end
+
+                MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).put_integration_response(params)
+
+              }
+
+            end
+
+          }
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          generate_methods
+
+          MU.log "Deploying API Gateway #{@config['name']} to #{@config['deploy_to']}"
+          resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_deployment(
+            rest_api_id: @cloud_id,
+            stage_name: @config['deploy_to']
+#            cache_cluster_enabled: false,
+#            cache_cluster_size: 0.5,
+          )
+          deployment_id = resp.id
+          # this automatically creates a stage with the same name, so we don't
+          # have to deal with that
+
+          my_url = "https://"+@cloud_id+".execute-api."+@config['region']+".amazonaws.com/"+@config['deploy_to']
+          MU.log "API Endpoint #{@config['name']}: "+my_url, MU::SUMMARY
+
+#          resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_authorizer(
+#            rest_api_id: @cloud_id,
+#          )
+
+#          resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_vpc_link(
+#          )
+ 
+        end
+
+        # @return [Struct]
+        def cloud_desc
+          MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_rest_api(
+            rest_api_id: @cloud_id
+          )
+        end
+
+        # Return the metadata for this API
+        # @return [Hash]
+        def notify
+          deploy_struct = MU.structToHash(cloud_desc)
+# XXX stages and whatnot
+          return deploy_struct
+        end
+
+        # Remove all APIs associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          resp = MU::Cloud::AWS.apig(region: region, credentials: credentials).get_rest_apis
+          if resp and resp.items
+            resp.items.each { |api|
+              # The stupid things don't have tags
+              if api.description == MU.deploy_id
+                MU.log "Deleting API Gateway #{api.name} (#{api.id})"
+                if !noop
+                  MU::Cloud::AWS.apig(region: region, credentials: credentials).delete_rest_api(
+                    rest_api_id: api.id
+                  )
+                end
+              end
+            }
+          end
+        end
+
+        # Locate an existing API.
+        # @param cloud_id [String]: The cloud provider's identifier for this resource.
+        # @param region [String]: The cloud provider region.
+        # @param flags [Hash]: Optional flags
+        # @return [OpenStruct]: The cloud provider's complete descriptions of matching API.
+        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {})
+          if cloud_id
+            return MU::Cloud::AWS.apig(region: region, credentials: credentials).get_rest_api(
+              rest_api_id: cloud_id
+            )
+          end
+#          resp = MU::Cloud::AWS.apig(region: region, credentials: credentials).get_rest_apis
+#          if resp and resp.items
+#            resp.items.each { |api|
+#            }
+#          end
+          nil
+        end
+
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config)
+          toplevel_required = []
+          schema = {
+            "deploy_to" => {
+              "type" => "string",
+              "description" => "The name of an environment under which to deploy our API. If not specified, will deploy to the name of the global Mu environment for this deployment."
+            },
+            "methods" => {
+              "items" => {
+                "type" => "object",
+                "description" => "Other cloud resources to integrate as a back end to this API Gateway",
+                "required" => ["integrate_with"],
+                "properties" => {
+                  "integrate_with" => {
+                    "type" => "object",
+                    "description" => "Specify what application backend to invoke under this path/method combination",
+                    "properties" => {
+                      "proxy" => {
+                        "type" => "boolean",
+                        "default" => false,
+                        "description" => "For HTTP or AWS integrations, specify whether the target is a proxy (((docs unclear, is that actually what this means?)))" # XXX is that actually what this means?
+                      },
+                      "backend_http_method" => {
+                        "type" => "string",
+                        "description" => "The HTTP method to use when contacting our integrated backend. If not specified, this will be set to match our front end.",
+                        "enum" => ["GET", "POST", "PUT", "HEAD", "DELETE", "CONNECT", "OPTIONS", "TRACE"],
+                      },
+                      "url" => {
+                        "type" => "string",
+                        "description" => "For HTTP or HTTP_PROXY integrations, this should be a fully-qualified URL"
+                      },
+                      "responses"=> {
+                        "type" => "array",
+                        "items" => {
+                          "type" => "object",
+                          "description" => "Customize the response to the client for this method, by adding headers or transforming through a template. If not specified, we will default to returning an un-transformed HTTP 200 for this method.",
+                          "properties" => {
+                            "code" => {
+                              "type" => "integer",
+                              "description" => "The HTTP status code to return",
+                              "default" => 200
+                            },
+                            "headers" => {
+                              "type" => "array",
+                              "items" => {
+                                "description" => "One or more headers, used by the API Gateway integration response and filtered through the method response before returning to the client",
+                                "type" => "object",
+                                "properties" => {
+                                  "header" => {
+                                    "type" => "string",
+                                    "description" => "The name of a header to return, such as +Access-Control-Allow-Methods+"
+                                  },
+                                  "value" => {
+                                    "type" => "string",
+                                    "description" => "The string to map to this header (ex +GET,OPTIONS+)"
+                                  },
+                                  "required" => {
+                                    "type" => "boolean",
+                                    "description" => "Indicate whether this header is required in order to return a response",
+                                    "default" => true
+                                  }
+                                }
+                              }
+                            },
+                            "body" => {
+                              "type" => "array",
+                              "items" => {
+                                "type" => "object",
+                                "description" => "Model for the body of our backend integration's response",
+                                "properties" => {
+                                  "content_type" => {
+                                    "type" => "string",
+                                    "description" => "An HTTP content type to match to a response, such as +application/json+."
+                                  },
+                                  "is_error" => {
+                                    "type" => "boolean",
+                                    "description" => "Whether this response should be considered an error",
+                                    "default" => false
+                                  }
+                                }
+                              }
+                            }
+                          }
+                        }
+                      },
+                      "arn" => {
+                        "type" => "string",
+                        "description" => "For AWS or AWS_PROXY integrations with a compatible Amazon resource outside of Mu, a full-qualified ARN such as `arn:aws:apigateway:us-west-2:s3:action/GetObject&Bucket=`bucket&Key=key`"
+                      },
+                      "name" => {
+                        "type" => "string",
+                        "description" => "A Mu resource name, for integrations with a sibling resource (e.g. a Function)"
+                      },
+                      "cors" => {
+                        "type" => "boolean",
+                        "description" => "When enabled, this will create an +OPTIONS+ method under this path with request and response header mappings that implement Cross-Origin Resource Sharing",
+                        "default" => true
+                      },
+                      "type" => {
+                        "type" => "string",
+                        "description" => "A Mu resource type, for integrations with a sibling resource (e.g. a function), or the string +aws_generic+, which we can use in combination with +aws_generic_action+ to integrate with arbitrary AWS services.",
+                        "enum" => ["aws_generic"].concat(MU::Cloud.resource_types.values.map { |t| t[:cfg_name] }.sort)
+                      },
+                      "aws_generic_action" => {
+                        "type" => "string",
+                        "description" => "For use when +type+ is set to +aws_generic+, this should specify the action to be performed in the style of an IAM policy action, e.g. +acm:ListCertificates+ for this integration to return a list of Certificate Manager SSL certificates." 
+                      },
+                      "deploy_id" => {
+                        "type" => "string",
+                        "description" => "A Mu deploy id (e.g. DEMO-DEV-2014111400-NG), for integrations with a sibling resource (e.g. a Function)"
+                      },
+                      "iam_role" => {
+                        "type" => "string",
+                        "description" => "The name of an IAM role used to grant usage of other AWS artifacts for this integration. If not specified, we will automatically generate an appropriate role."
+                      },
+                      "passthrough_behavior" => {
+                        "type" => "string",
+                        "description" => "Specifies the pass-through behavior for incoming requests based on the +Content-Type+ header in the request, and the available mapping templates specified in +request_templates+. +WHEN_NO_MATCH+ passes the request body for unmapped content types through to the integration back end without transformation. +WHEN_NO_TEMPLATES+ allows pass-through when the integration has NO content types mapped to templates. +NEVER+ rejects unmapped content types with an HTTP +415+.",
+                        "enum" => ["WHEN_NO_MATCH", "WHEN_NO_TEMPLATES", "NEVER"],
+                        "default" => "WHEN_NO_MATCH"
+                      },
+                      "request_templates" => {
+                        "type" => "array",
+                        "description" => "A JSON-encoded string which represents a map of Velocity templates that are applied on the request payload based on the value of the +Content-Type+ header sent by the client. The content type value is the key in this map, and the template (as a String) is the value.",
+                        "items" => {
+                          "type" => "object",
+                          "description" => "A JSON-encoded string which represents a map of Velocity templates that are applied on the request payload based on the value of the +Content-Type+ header sent by the client. The content type value is the key in this map, and the template (as a String) is the value.",
+                          "require" => ["content_type", "template"],
+                          "properties" => {
+                            "content_type" => {
+                              "type" => "string",
+                              "description" => "An HTTP content type to match with a template, such as +application/json+."
+                            },
+                            "template" => {
+                              "type" => "string",
+                              "description" => "A Velocity template to apply to our reques payload, encoded as a one-line string, like: "+'<tt>"#set($allParams = $input.params())\\n{\\n\\"url_data_json_encoded\\":\\"$input.params(\'url\')\\"\\n}"</tt>'
+                            }
+                          }
+                        }
+                      }
+                    }
+                  },
+                  "auth" => {
+                    "type" => "string",
+                    "enum" => ["NONE", "CUSTOM", "AWS_IAM", "COGNITO_USER_POOLS"],
+                    "default" => "NONE"
+                  }
+                }
+              }
+            }
+          }
+          [toplevel_required, schema]
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
+        # Canonical Amazon Resource Number for this resource
+        # @return [String]
+        def arn
+          "arn:#{MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws"}:execute-api:#{@config["region"]}:#{MU::Cloud::AWS.credToAcct(@config['credentials'])}:#{@cloud_id}"
+        end
+
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::endpoints}, bare and unvalidated.
+        # @param endpoint [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(endpoint, configurator)
+          ok = true
+
+          append = []
+          endpoint['deploy_to'] ||= MU.environment || $environment || "dev"
+          endpoint['methods'].each { |m|
+            if m['integrate_with'] and m['integrate_with']['name']
+              if m['integrate_with']['type'] != "aws_generic"
+                endpoint['dependencies'] ||= []
+                endpoint['dependencies'] << {
+                  "type" => m['integrate_with']['type'],
+                  "name" => m['integrate_with']['name']
+                }
+              end
+
+              m['integrate_with']['backend_http_method'] ||= m['type']
+
+              m['responses'] ||= [
+                "code" => 200
+              ]
+
+              if m['cors']
+                m['responses'].each { |r|
+                  r['headers'] ||= []
+                  r['headers'] << {
+                    "header" => "Access-Control-Allow-Origin",
+                    "value" => "*",
+                    "required" => true
+                  }
+                  r['headers'].uniq!
+                }
+
+                append << cors_option_integrations(m['path'])
+              end
+
+              if !m['iam_role']
+                m['uri'] ||= "*" if m['integrate_with']['type'] == "aws_generic"
+
+                roledesc = {
+                  "name" => endpoint['name']+"-"+m['integrate_with']['name'],
+                  "credentials" => endpoint['credentials'],
+                  "can_assume" => [
+                    {
+                      "entity_id" => "apigateway.amazonaws.com",
+                      "entity_type" => "service"
+                    }
+                  ],
+                }
+                if m['integrate_with']['type'] == "aws_generic"
+                  roledesc["policies"] = [
+                    {
+                      "name" => m['integrate_with']['aws_generic_action'].gsub(/[^a-z]/i, ""),
+                      "permissions" => [m['integrate_with']['aws_generic_action']],
+                      "targets" => [{ "identifier" => m['uri'] }]
+                    }
+                  ]
+                elsif m['integrate_with']['type'] == "function"
+                  roledesc["import"] = ["AWSLambdaBasicExecutionRole"]
+                end
+                configurator.insertKitten(roledesc, "roles")
+
+                endpoint['dependencies'] ||= []
+                m['iam_role'] = endpoint['name']+"-"+m['integrate_with']['name']
+
+                endpoint['dependencies'] << {
+                  "type" => "role",
+                  "name" => endpoint['name']+"-"+m['integrate_with']['name']
+                }
+              end
+            end
+          }
+          endpoint['methods'].concat(append.uniq) if endpoint['methods']
+#          if something_bad
+#            ok = false
+#          end
+
+          ok
+        end
+
+        private
+
+        def self.cors_option_integrations(path)
+          {
+            "type" => "OPTIONS",
+            "path" => path,
+            "auth" => "NONE",
+            "responses" => [
+              {
+                "code" => 200,
+                "headers" => [
+                  {
+                    "header" => "Access-Control-Allow-Headers",
+                    "value" => "Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token",
+                    "required" => true
+                  },
+                  {
+                    "header" => "Access-Control-Allow-Methods",
+                    "value" => "GET,OPTIONS",
+                    "required" => true
+                  },
+                  {
+                    "header" => "Access-Control-Allow-Origin",
+                    "value" => "*",
+                    "required" => true
+                  }
+                ],
+                "body" => [
+                  {
+                    "content_type" => "application/json"
+                  }
+                ]
+              }
+            ],
+            "integrate_with" => {
+              "type" => "mock",
+              "passthrough_behavior" => "WHEN_NO_MATCH",
+              "backend_http_method" => "OPTIONS",
+              "request_templates" => [
+                {
+                  "content_type" => "application/json",
+                  "template" => '{"statusCode": 200}'
+                }
+              ]
+            }
+          }
+        end
+
+      end
+    end
+  end
+end