cloud-mu 2.0.0.pre.alpha9 → 2.0.0.pre.beta1

data/modules/mu/clouds/aws/firewall_rule.rb

@@ -248,6 +248,10 @@ module MU
             tagfilters << {name: "tag:MU-MASTER-IP", values: [MU.mu_public_ip]}
           end
 
+          # Some services create sneaky rogue ENIs which then block removal of
+          # associated security groups. Find them and fry them.
+          MU::Cloud::AWS::VPC.purge_interfaces(noop, tagfilters, region: region, credentials: credentials)
+
           resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_security_groups(
               filters: tagfilters
           )

data/modules/mu/clouds/aws/function.rb

@@ -35,69 +35,7 @@ module MU
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
 
-        # Given an IAM role name, resolve to ARN. Will attempt to identify any
-        # sibling Mu role resources by this name first, and failing that, will
-        # do a plain get_role() to the IAM API for the provided name.
-        # @param name [String]
-        def get_role_arn(name)
-          sib_role = @deploy.findLitterMate(name: name, type: "roles")
-          return sib_role.cloudobj.arn if sib_role
-
-          begin
-            role = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role({
-              role_name: name.to_s
-            })
-            return role['role']['arn']
-          rescue Exception => e
-            MU.log "#{e}", MU::ERR
-          end
-          nil
-        end
-
-        def get_vpc_config(vpc_name, subnet_name, sg_name,region=@config['region'])
-          if !subnet_name.nil? and !sg_name.nil? and !vpc_name.nil?
-            ## get vpc_id
-            ## get sub_id and verify its in the same vpc 
-            ## get sg_id and verify its in the same vpc
-            ec2_client = MU::Cloud::AWS.ec2(region: region, credentials: @config['credentials'])
-            
-            vpc_filter = ec2_client.describe_vpcs({
-              filters: [{ name: 'tag-value', values: [vpc_name] }]
-            })
-            bok_vpc_id = vpc_filter.vpcs[0].vpc_id
-            
-            sub_filter = ec2_client.describe_subnets({
-              filters: [{ name: 'tag-value', values: [subnet_name] }]
-            })
-            
-            sub_id = nil 
-            sub_filter.subnets.each do |each|
-              if each.vpc_id == bok_vpc_id
-                sub_id = each.subnet_id
-                break
-              end
-            end
-            
-            sg_filter = ec2_client.describe_security_groups({
-              filters: [{ name: 'group-name', values: [sg_name] }]
-            })
-            
-
-            if sg_filter.security_groups[0].vpc_id.to_s != bok_vpc_id
-              MU.log "Security Group: #{sg_name} is not part of the VPC: #{vpc_name}", MU::ERR
-              raise MuError, "Please provide security group name that exists in the vpc"
-            end
-
-            #sub_id = sub_filter.subnets[0].subnet_id
-            sg_id = sg_filter.security_groups[0].group_id
-            return {subnet_ids: [sub_id], security_group_ids: [sg_id]}
-          else
-            MU.log "Function: #{@config['name']}, Missing either subnet_name or security_group_name or vpc_name in the vpc stanza!", MU::ERR
-            raise MuError, "Insufficient parameters for locating vpc resource ids ==> #{@config['name']}"
-          end
-        end
-
-
+        # Tag this Lambda function
         def assign_tag(resource_arn, tag_list, region=@config['region'])
           begin
             tag_list.each do |each_pair|
@@ -162,17 +100,21 @@ module MU
           end
 
           if @config.has_key?('vpc')
-             ### get vpc and subnet_name
-             ### find the subnet_id
-             sub_name = @config['vpc']['subnet_name']
-             vpc_name = @config['vpc']['vpc_name']
-             sg_name =  @config['vpc']['security_group_name']
-             vpc_conf = get_vpc_config(vpc_name,sub_name,sg_name)
-             lambda_properties[:vpc_config] = vpc_conf
+            sgs = []
+            if @config['add_firewall_rules']
+              @config['add_firewall_rules'].each { |sg|
+                sg = @deploy.findLitterMate(type: "firewall_rule", name: sg['rule_name'])
+                sgs << sg.cloud_id if sg and sg.cloud_id
+              }
+            end
+            lambda_properties[:vpc_config] = {
+              :subnet_ids => @config['vpc']['subnets'].map { |s| s["subnet_id"] },
+              :security_group_ids => sgs
+            }
           end
 
           retries = 0
-          begin
+          resp = begin
             MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).create_function(lambda_properties)
           rescue Aws::Lambda::Errors::InvalidParameterValueException => e
             # Freshly-made IAM roles sometimes aren't really ready
@@ -183,8 +125,12 @@ module MU
             end
             raise e
           end
+
+
+          @cloud_id = resp.function_name
         end
 
+        # Called automatically by {MU::Deploy#createResources}
         def groom
           desc = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).get_function(
             function_name: @mu_name
@@ -212,14 +158,11 @@ module MU
                 source_arn: trigger_arn, 
                 statement_id: "#{@mu_name}-ID-1",
               }
-              p trigger_arn
-              p trigger_properties           
 
               MU.log trigger_properties, MU::DEBUG
               begin
                 add_trigger = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger_properties)
               rescue Aws::Lambda::Errors::ResourceConflictException
-# XXX check properly for existence
               end
               adjust_trigger(tr['service'], trigger_arn, func_arn, @mu_name) 
             }
@@ -227,7 +170,36 @@ module MU
           end 
         end
 
+        # Intended to be called by other Mu resources, such as Endpoints (API
+        # Gateways) to add themselves as triggers for this Lambda function.
+        def addTrigger(calling_arn, calling_service, calling_name)
+          trigger = {
+            action: "lambda:InvokeFunction", 
+            function_name: @mu_name, 
+            principal: "#{calling_service}.amazonaws.com", 
+            source_arn: calling_arn, 
+            statement_id: "#{calling_service}-#{calling_name}",
+          }
 
+          begin
+            # XXX There doesn't seem to be an API call to list or view existing
+            # permissions, wtaf. This means we can't intelligently guard this.
+            add_trigger = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger)
+          rescue Aws::Lambda::Errors::ResourceConflictException => e
+            if e.message.match(/already exists/)
+              MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).remove_permission(
+                function_name: @mu_name,
+                statement_id: "#{calling_service}-#{calling_name}"
+              )
+              retry
+            else
+              MU.log "Error trying to add trigger to Lambda #{@mu_name}: #{e.message}", MU::ERR, details: trigger
+              raise e
+            end
+          end
+        end
+
+        # Look up an ARN for a given trigger type and resource name
         def assume_trigger_arns(svc, name)
           supported_triggers = %w(apigateway sns events event cloudwatch_event)
           if supported_triggers.include?(svc.downcase)
@@ -249,7 +221,7 @@ module MU
           return arn
         end
         
-        
+        # XXX placeholder, really; this is going end up being done from Endpoint, Log and Notification resources, I think
         def adjust_trigger(trig_type, trig_arn, func_arn, func_id=nil, protocol='lambda',region=@config['region'])
           
           case trig_type
@@ -274,7 +246,8 @@ module MU
               ]
             })
           when 'apigateway'
-            MU.log "Creation of API Gateway integrations not yet implemented, you'll have to do this manually", MU::WARN, details: "(because we'll basically have to implement all of APIG for this)"
+# XXX this is actually happening in ::Endpoint... maybe...            
+#            MU.log "Creation of API Gateway integrations not yet implemented, you'll have to do this manually", MU::WARN, details: "(because we'll basically have to implement all of APIG for this)"
           end 
         end
 
@@ -282,8 +255,8 @@ module MU
         # Return the metadata for this Function rule
         # @return [Hash]
         def notify
-          deploy_struct = {
-          }
+          deploy_struct = MU.structToHash(MU::Cloud::AWS::Function.find(cloud_id: @cloud_id, credentials: @config['credentials'], region: @config['region']).values.first)
+          deploy_struct['mu_name'] = @mu_name
           return deploy_struct
         end
 
@@ -327,21 +300,20 @@ module MU
         # @param region [String]: The cloud provider region.
         # @param flags [Hash]: Optional flags
         # @return [OpenStruct]: The cloud provider's complete descriptions of matching function.
-        def self.find(cloud_id: nil, func_name: nil, region: MU.curRegion, credentials: nil, flags: {})
-          func = nil
-          if !func_name.nil?
+        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {})
+          matches = {}
+
+          if !cloud_id.nil?
             all_functions = MU::Cloud::AWS.lambda(region: region, credentials: credentials).list_functions
-            if all_functions.include?(func_name)
-              all_functions.functions.each do |x|
-                if x.function_name == func_name
-                  func = x
-                  break
-                end
+            all_functions.functions.each do |x|
+              if x.function_name == cloud_id
+                matches[x.function_name] = x
+                break
               end
             end
           end
 
-          return func
+          return matches
         end
 
 
@@ -355,8 +327,17 @@ module MU
           schema = {
             "iam_role" => {
               "type" => "string",
-              "description" => "The name of an IAM role for our Lambda function to assume. Can refer to an existing IAM role, or a sibling 'role' resource in Mu. If not specified, will create a default role with the AWSLambdaBasicExecutionRole policy attached. To grant other permissions for your function, create a Mu 'role' resource and use the 'import' and 'policies' parameters to add permissions. See also: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html"
-            }
+              "description" => "The name of an IAM role for our Lambda function to assume. Can refer to an existing IAM role, or a sibling 'role' resource in Mu. If not specified, will create a default role with permissions listed in `permissions` (and if none are listed, we will set `AWSLambdaBasicExecutionRole`)."
+            },
+            "permissions" => {
+              "type" => "array",
+              "description" => "if `iam_role` is unspecified, we will create a default execution role for our function, and add one or more permissions to it.",
+              "items" => {
+                "type" => "string",
+                "description" => "A permission to add to our Lambda function's default role, corresponding to standard AWS policies (see https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html)",
+                "enum" => ["basic", "kinesis", "dynamo", "sqs", "network", "xray"]
+              }
+            },
 # XXX add some canned permission sets here, asking people to get the AWS weirdness right and then translate it into Mu-speak is just too much. Think about auto-populating when a target log group is asked for, mappings for the AWS canned policies in the URL above, writes to arbitrary S3 buckets, etc
           }
           [toplevel_required, schema]
@@ -369,7 +350,52 @@ module MU
         def self.validateConfig(function, configurator)
           ok = true
 
+          if function['vpc']
+            fwname = "lambda-#{function['name']}"
+            # default to allowing pings, if no ingress_rules were specified
+            function['ingress_rules'] ||= [ 
+              {
+                "proto" => "icmp",
+                "hosts" => ["0.0.0.0/0"]
+              }
+            ]
+            acl = {
+              "name" => fwname,
+              "rules" => function['ingress_rules'],
+              "region" => function['region'],
+              "credentials" => function['credentials'],
+              "optional_tags" => function['optional_tags']
+            }
+            acl["tags"] = function['tags'] if function['tags'] && !function['tags'].empty?
+            acl["vpc"] = function['vpc'].dup if function['vpc']
+            ok = false if !configurator.insertKitten(acl, "firewall_rules")
+            function["add_firewall_rules"] = [] if function["add_firewall_rules"].nil?
+            function["add_firewall_rules"] << {"rule_name" => fwname}
+            function["permissions"] ||= []
+            function["permissions"] << "network"
+            function['dependencies'] ||= []
+            function['dependencies'] << {
+              "name" => fwname,
+              "type" => "firewall_rule"
+            }
+          end
+
           if !function['iam_role']
+            policy_map = {
+              "basic" => "AWSLambdaBasicExecutionRole",
+              "kinesis" => "AWSLambdaKinesisExecutionRole",
+              "dynamo" => "AWSLambdaDynamoDBExecutionRole",
+              "sqs" => "AWSLambdaSQSQueueExecutionRole ",
+              "network" => "AWSLambdaVPCAccessExecutionRole",
+              "xray" => "AWSXrayWriteOnlyAccess"
+            }
+            policies = if function['permissions']
+              function['permissions'].map { |p|
+                policy_map[p]
+              }
+            else
+              ["AWSLambdaBasicExecutionRole"]
+            end
             roledesc = {
               "name" => function['name']+"execrole",
               "credentials" => function['credentials'],
@@ -379,9 +405,7 @@ module MU
                   "entity_type" => "service"
                 }
               ],
-              "import" => [
-                "AWSLambdaBasicExecutionRole"
-              ]
+              "import" => policies
             }
             configurator.insertKitten(roledesc, "roles")
 
@@ -397,6 +421,27 @@ module MU
           ok
         end
 
+        private
+
+        # Given an IAM role name, resolve to ARN. Will attempt to identify any
+        # sibling Mu role resources by this name first, and failing that, will
+        # do a plain get_role() to the IAM API for the provided name.
+        # @param name [String]
+        def get_role_arn(name)
+          sib_role = @deploy.findLitterMate(name: name, type: "roles")
+          return sib_role.cloudobj.arn if sib_role
+
+          begin
+            role = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role({
+              role_name: name.to_s
+            })
+            return role['role']['arn']
+          rescue Exception => e
+            MU.log "#{e}", MU::ERR
+          end
+          nil
+        end
+
       end
     end
   end

data/modules/mu/clouds/aws/nosqldb.rb

@@ -0,0 +1,387 @@
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+  class Cloud
+    class AWS
+      # Support for AWS DynamoDB
+      class NoSQLDB < MU::Cloud::NoSQLDB
+        @deploy = nil
+        @config = nil
+
+        @@region_cache = {}
+        @@region_cache_semaphore = Mutex.new
+
+        attr_reader :mu_name
+        attr_reader :config
+        attr_reader :cloud_id
+
+        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
+        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::logs}
+        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
+          @deploy = mommacat
+          @config = MU::Config.manxify(kitten_cfg)
+          @cloud_id ||= cloud_id
+          @mu_name ||= @deploy.getResourceName(@config["name"])
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          params = {
+            :table_name => @mu_name,
+            :attribute_definitions => [],
+            :key_schema => [],
+            :provisioned_throughput => {
+              :read_capacity_units => @config['read_capacity'],
+              :write_capacity_units => @config['write_capacity']
+            }
+          }
+
+          if @config['stream']
+            params[:stream_specification] = {
+              :stream_enabled => true,
+              :stream_view_type => @config['stream']
+            }
+          end
+
+          @config['attributes'].each { |attr|
+            params[:attribute_definitions] << {
+              :attribute_name => attr['name'],
+              :attribute_type => attr['type']
+            }
+
+            if attr['primary_partition']
+              params[:key_schema] << {
+                :attribute_name => attr['name'],
+                :key_type => "HASH"
+              }
+            end
+
+            if attr['primary_sort']
+              params[:key_schema] << {
+                :attribute_name => attr['name'],
+                :key_type => "RANGE"
+              }
+            end
+          }
+
+          if @config['secondary_indexes']
+            @config['secondary_indexes'].each { |idx|
+              idx_cfg = {
+                :index_name => idx['index_name'],
+                :projection => {
+                  :projection_type => idx['projection']['type'],
+                  :non_key_attributes => idx['projection']['non_key_attributes']
+                },
+                :key_schema => []
+              }
+              idx['key_schema'].each { |attr|
+                idx_cfg[:key_schema] << {
+                  :attribute_name => attr['attribute'],
+                  :key_type => attr['type']
+                }
+              }
+              if idx['type'] == "global"
+
+                idx_cfg[:provisioned_throughput] = {
+                  :read_capacity_units => idx['read_capacity'],
+                  :write_capacity_units => idx['write_capacity']
+                }
+                params[:global_secondary_indexes] ||= []
+                params[:global_secondary_indexes] << idx_cfg
+              else
+                params[:local_secondary_indexes] ||= []
+                params[:local_secondary_indexes] << idx_cfg
+              end
+            }
+          end
+pp params
+          MU.log "Creating DynamoDB table #{@mu_name}", details: params
+
+          resp = MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).create_table(params)
+          @cloud_id = @mu_name
+
+          begin
+            resp = MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).describe_table(table_name: @cloud_id)
+            sleep 5 if resp.table.table_status == "CREATING"
+          end while resp.table.table_status == "CREATING"
+
+
+          tagTable if !@config['scrub_mu_isms']
+        end
+
+        # Apply tags to this DynamoDB table
+        def tagTable
+          tagset = []
+
+          MU::MommaCat.listStandardTags.each_pair { |key, value|
+            tagset << { :key => key, :value => value }
+          }
+
+          if @config['tags']
+            @config['tags'].each { |tag|
+              tagset << { :key => tag['key'], :value => tag['value'] }
+            }
+          end
+
+          if @config['optional_tags']
+            MU::MommaCat.listOptionalTags.each { |key, value|
+              tagset << { :key => key, :value => value }
+            }
+          end
+
+          MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).tag_resource(
+            resource_arn: arn,
+            tags: tagset
+          )
+
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          tagTable if !@config['scrub_mu_isms']
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
+        # Remove all buckets associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          resp = MU::Cloud::AWS.dynamo(credentials: credentials, region: region).list_tables
+          if resp and resp.table_names
+            resp.table_names.each { |table|
+              desc = MU::Cloud::AWS.dynamo(credentials: credentials, region: region).describe_table(table_name: table).table
+              next if desc.table_status == "DELETING"
+              tags = MU::Cloud::AWS.dynamo(credentials: credentials, region: region).list_tags_of_resource(resource_arn: desc.table_arn)
+              if tags and tags.tags
+                tags.tags.each { |tag|
+                  if tag.key == "MU-ID" and tag.value == MU.deploy_id
+                    MU.log "Deleting DynamoDB table #{desc.table_name}"
+                    if !noop
+                      MU::Cloud::AWS.dynamo(credentials: credentials, region: region).delete_table(table_name: desc.table_name)
+                    end
+                  end
+                }
+              end
+
+            }
+          end
+
+        end
+
+        # Canonical Amazon Resource Number for this resource
+        # @return [String]
+        def arn
+          return nil if cloud_desc.nil?
+          cloud_desc.table_arn 
+        end
+
+        # Return the metadata for this user cofiguration
+        # @return [Hash]
+        def notify
+          MU.structToHash(cloud_desc)
+        end
+
+        # Locate an existing DynamoDB table
+        # @param cloud_id [String]: The cloud provider's identifier for this resource.
+        # @param region [String]: The cloud provider region.
+        # @param flags [Hash]: Optional flags
+        # @return [OpenStruct]: The cloud provider's complete descriptions of matching bucket.
+        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {})
+          found = {}
+          if cloud_id
+            resp = MU::Cloud::AWS.dynamo(credentials: credentials, region: region).describe_table(table_name: cloud_id)
+            found[cloud_id] = resp.table if resp and resp.table
+          end
+          found
+        end
+
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config)
+          toplevel_required = ["attributes"]
+
+
+          schema = {
+            "attributes" => {
+              "type" => "array",
+              "minItems" => 1,
+              "items" => {
+                "type" => "object",
+                "description" => "Fields for data we'll be storing in this database, somewhat akin to SQL columns. Note that all attributes declared here must be a +primary_partition+, +primary_sort+, or named in a +secondary_index+.",
+                "properties" => {
+                  "name" => {
+                    "type" => "string",
+                    "description" => "The name of this attribute"
+                  },
+                  "type" => {
+                    "type" => "string",
+                    "description" => "The type of attribute; S = String, N = Number, B = Binary",
+                    "enum" => ["S", "N", "B"]
+                  },
+                  "primary_partition" => {
+                    "type" => "boolean",
+                    "default" => false
+                  },
+                  "primary_sort" => {
+                    "type" => "boolean",
+                    "default" => false
+                  }
+                }
+              }
+            },
+            "read_capacity" => {
+              "type" => "integer",
+              "description" => "Provisioned read throughput. See also: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ProvisionedThroughput.html",
+              "default" => 1
+            },
+            "write_capacity" => {
+              "type" => "integer",
+              "description" => "Provisioned write throughput. See also: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ProvisionedThroughput.html",
+              "default" => 1
+            },
+            "stream" => {
+              "type" => "string",
+              "description" => "If specified, enables a streaming log of changes to this DynamoDB table. See also https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html",
+              "enum" => ["NEW_IMAGE", "OLD_IMAGE", "NEW_AND_OLD_IMAGES", "KEYS_ONLY"]
+            },
+            "secondary_indexes" => {
+              "type" => "array",
+              "description" => "Define a global and/or a local secondary index.",
+              "items" => {
+                "type" => "object",
+                "description" => "An index with a partition key and a sort key that can be different from those on the base table; queries on the index can span all of the data in the base table, across all partitions",
+                "required" => ["index_name", "key_schema", "projection"],
+                "properties" => {
+                  "index_name" => {
+                    "type" => "string",
+                    "description" => "A name for this index"
+                  },
+                  "type" => {
+                    "type" => "string",
+                    "description" => "Whether to create a global or local secondary index. See also: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/SecondaryIndexes.html",
+                    "enum" => ["global", "local"],
+                    "default" => "global"
+                  },
+                  "projection" => {
+                    "type" => "object",
+                    "description" => "The set of attributes to return for queries against this index.",
+                    "properties" => {
+                      "type" => {
+                        "type" => "string",
+                        "enum" => ["ALL", "KEYS_ONLY", "INCLUDE"],
+                        "default" => "ALL"
+                      },
+                      "non_key_attributes" => {
+                        "type" => "array",
+                        "items" => {
+                          "type" => "string",
+                          "description" => "The name of an extra attribute to include in results for queries against this index"
+                        }
+                      }
+                    },
+                    "default" => { "type" => "ALL" }
+                  },
+                  "read_capacity" => {
+                    "type" => "integer",
+                    "description" => "Provisioned read throughput. Only valid for global secondary indexes. Defaults to the read capacity of the whole table.",
+                  },
+                  "write_capacity" => {
+                    "type" => "integer",
+                    "description" => "Provisioned write throughput. Only valid for global secondary indexes. Defaults to the read capacity of the whole table.",
+                  },
+                  "key_schema" => {
+                    "type" => "array",
+                    "minItems" => 1,
+                    "items" => {
+                      "type" => "object",
+                      "description" => "Define the key for this index, which most be composed of one or more declared +attributes+ for this table. See also: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/SecondaryIndexes.html",
+                      "properties" => {
+                        "type" => {
+                          "type" => "string",
+                          "enum" => ["HASH", "RANGE"]
+                        },
+                        "attribute" => {
+                          "description" => "This must refer to a declared +attribute+ by name",
+                          "type" => "string",
+                        }
+
+                      }
+                    }
+                  }
+                }
+
+              }
+            }
+          }
+          [toplevel_required, schema]
+        end
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::nosqldbs}, bare and unvalidated.
+
+        # @param db [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(db, configurator)
+          ok = true
+
+          partition = nil
+          db['attributes'].each { |attr|
+            if attr['primary_partition']
+              partition = attr['name']
+            end
+          }
+          if !partition
+            if db['attributes'].size == 1
+              MU.log "NoSQL database '#{db['name']}' only declares one attribute; setting '#{db['attributes'].first['name']}' as primary partition key", MU::NOTICE
+              db['attributes'].first['primary_partition'] = true
+            else
+              MU.log "NoSQL database '#{db['name']}' must have an attribute flagged as primary_partition", MU::ERR
+              ok = false
+            end
+          end
+          db['attributes'].each { |attr|
+            if attr['primary_partition'] and attr['primary_sort']
+              MU.log "NoSQL database '#{db['name']}' attribute '#{attr['name']}' cannot be both primary_partition and primary_sort", MU::ERR
+              ok = false
+            end
+          }
+
+          if db['secondary_indexes']
+             db['secondary_indexes'].each { |idx|
+               if idx['type'] == "global"
+                 idx['read_capacity'] ||= db['read_capacity']
+                 idx['write_capacity'] ||= db['write_capacity']
+               end
+             }
+          end
+
+          ok
+        end
+
+        private
+
+      end
+    end
+  end
+end