RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/cleanup.rb CHANGED

@@ -41,7 +41,7 @@ module MU
     # @param web [Boolean]: Generate web-friendly output.
     # @param ignoremaster [Boolean]: Ignore the tags indicating the originating MU master server when deleting.
     # @return [void]
-    def self.run(deploy_id, noop: false, skipsnapshots: false, onlycloud: false, verbosity: MU::Logger::NORMAL, web: false, ignoremaster: false, skipcloud: false, mommacat: nil)
+    def self.run(deploy_id, noop: false, skipsnapshots: false, onlycloud: false, verbosity: MU::Logger::NORMAL, web: false, ignoremaster: false, skipcloud: false, mommacat: nil, credsets: nil, regions: nil)
       MU.setLogging(verbosity, web)
       @noop = noop
       @skipsnapshots = skipsnapshots
@@ -61,7 +61,7 @@ module MU
       end
-      types_in_order = ["Collection", "Endpoint", "Function", "ServerPool", "ContainerCluster", "SearchDomain", "Server", "MsgQueue", "Database", "CacheCluster", "StoragePool", "LoadBalancer", "NoSQLDB", "FirewallRule", "Alarm", "Notifier", "Log", "VPC", "Role", "Group", "User", "Bucket", "DNSZone", "Collection", "Habitat", "Folder"]
+      types_in_order = ["Collection", "Endpoint", "Function", "ServerPool", "ContainerCluster", "SearchDomain", "Server", "MsgQueue", "Database", "CacheCluster", "StoragePool", "LoadBalancer", "NoSQLDB", "FirewallRule", "Alarm", "Notifier", "Log", "VPC", "Role", "Group", "User", "Bucket", "DNSZone", "Collection"]
       # Load up our deployment metadata
       if !mommacat.nil?
@@ -75,190 +75,229 @@ module MU
             FileUtils.touch("#{deploy_dir}/.cleanup") if !@noop
           else
             MU.log "I don't see a deploy named #{deploy_id}.", MU::WARN
-            MU.log "Known deployments:\n#{Dir.entries(deploy_dir).reject { |item| item.match(/^\./) or !File.exists?(deploy_dir+"/"+item+"/public_key") }.join("\n")}", MU::WARN
+            MU.log "Known deployments:\n#{Dir.entries(deploy_dir).reject { |item| item.match(/^\./) or !File.exist?(deploy_dir+"/"+item+"/public_key") }.join("\n")}", MU::WARN
             MU.log "Searching for remnants of #{deploy_id}, though this may be an invalid MU-ID.", MU::WARN
           end
-          @mommacat = MU::MommaCat.new(deploy_id, mu_user: MU.mu_user)
+          @mommacat = MU::MommaCat.new(deploy_id, mu_user: MU.mu_user, delay_descriptor_load: true)
         rescue Exception => e
           MU.log "Can't load a deploy record for #{deploy_id} (#{e.inspect}), cleaning up resources by guesswork", MU::WARN, details: e.backtrace
           MU.setVar("deploy_id", deploy_id)
         end
       end
+      regionsused = @mommacat.regionsUsed if @mommacat
+      credsused = @mommacat.credsUsed if @mommacat
       if !@skipcloud
         creds = {}
-        MU::Cloud.supportedClouds.each { |cloud|
+        MU::Cloud.availableClouds.each { |cloud|
           if $MU_CFG[cloud.downcase] and $MU_CFG[cloud.downcase].size > 0
             cloudclass = Object.const_get("MU").const_get("Cloud").const_get(cloud)
             creds[cloud] ||= {}
             cloudclass.listCredentials.each { |credset|
+              next if credsets and credsets.size > 0 and !credsets.include?(credset)
+              next if credsused and credsused.size > 0 and !credsused.include?(credset)
+              MU.log "Will scan #{cloud} with credentials #{credset}"
               creds[cloud][credset] = cloudclass.listRegions(credentials: credset)
             }
           end
         }
         parent_thread_id = Thread.current.object_id
         deleted_nodes = 0
-        @regionthreads = []
+        cloudthreads = []
         keyname = "deploy-#{MU.deploy_id}"
-# XXX blindly checking for all of these resources in all clouds is now prohibitively slow. We should only do this when we don't see deployment metadata to work from.
-        creds.each_pair { |provider, credsets|
-          credsets.each_pair { |credset, regions|
-            global_vs_region_semaphore = Mutex.new
-            global_done = []
-            regions.each { |r|
-              @regionthreads << Thread.new {
-                MU.dupGlobals(parent_thread_id)
-                MU.setVar("curRegion", r)
-                projects = []
-                if $MU_CFG[provider.downcase][credset]["project"]
-# XXX GCP credential schema needs an array for projects
-                  projects << $MU_CFG[provider.downcase][credset]["project"]
-                end
-                if projects == []
-                  projects << "" # dummy
-                  MU.log "Checking for #{provider}/#{credset} resources from #{MU.deploy_id} in #{r}", MU::NOTICE
+        creds.each_pair { |provider, credsets_outer|
+          cloudthreads << Thread.new(provider, credsets_outer) { |cloud, credsets_inner|
+            MU.dupGlobals(parent_thread_id)
+            Thread.abort_on_exception = false
+            cloudclass = Object.const_get("MU").const_get("Cloud").const_get(cloud)
+            habitatclass = Object.const_get("MU").const_get("Cloud").const_get(cloud).const_get("Habitat")
+            credsets_inner.each_pair { |credset, acct_regions|
+              next if credsused and !credsused.include?(credset)
+              global_vs_region_semaphore = Mutex.new
+              global_done = {}
+              habitats_done = {}
+              regionthreads = []
+              acct_regions.each { |r|
+                if regionsused
+                  if regionsused.size > 0
+                    next if !regionsused.include?(r)
+                  else
+                    next if r != cloudclass.myRegion(credset)
+                  end
                 end
-                # We do these in an order that unrolls dependent resources
-                # sensibly, and we hit :Collection twice because AWS
-                # CloudFormation sometimes fails internally.
-                projectthreads = []
-                projects.each { |project|
-                  projectthreads << Thread.new {
-                    MU.dupGlobals(parent_thread_id)
-                    MU.setVar("curRegion", r)
-                    if project != ""
-                      MU.log "Checking for #{provider}/#{credset} resources from #{MU.deploy_id} in #{r}, project #{project}", MU::NOTICE
-                    end
-                    MU.dupGlobals(parent_thread_id)
-                    flags = {
-                      "project" => project,
-                      "onlycloud" => @onlycloud,
-                      "skipsnapshots" => @skipsnapshots,
-                    }
-                    types_in_order.each { |t|
-                      begin
-                        skipme = false
-                        global_vs_region_semaphore.synchronize {
-                          if Object.const_get("MU").const_get("Cloud").const_get(provider).const_get(t).isGlobal?
-                            if !global_done.include?(t)
-                              global_done << t
-                              flags['global'] = true
-                            else
-                              skipme = true
-                            end
-                          end
-                        }
-                        next if skipme
-                      rescue MU::Cloud::MuCloudResourceNotImplemented => e
-                        next
-                      rescue MU::MuError, NoMethodError => e
-                        MU.log e.message, MU::WARN
-                        next
-                      rescue ::Aws::EC2::Errors::AuthFailure => e
-                        # AWS has been having transient auth problems with ap-east-1 lately
-                        MU.log e.message+" in "+r, MU::ERR
-                        next
+                if regions and !regions.empty?
+                  next if !regions.include?(r)
+                  MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}...", MU::NOTICE
+                end
+                regionthreads << Thread.new {
+                  MU.dupGlobals(parent_thread_id)
+                  Thread.abort_on_exception = false
+                  MU.setVar("curRegion", r)
+                  projects = []
+                  if $MU_CFG[cloud.downcase][credset]["project"]
+# XXX GCP credential schema needs an array for projects
+                    projects << $MU_CFG[cloud.downcase][credset]["project"]
+                  end
+                  begin
+                    projects.concat(cloudclass.listProjects(credset))
+                  rescue NoMethodError
+                  end
+                  if projects == []
+                    projects << "" # dummy
+                    MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}", MU::NOTICE
+                  end
+                  projects.uniq!
+                  # We do these in an order that unrolls dependent resources
+                  # sensibly, and we hit :Collection twice because AWS
+                  # CloudFormation sometimes fails internally.
+                  projectthreads = []
+                  projects.each { |project|
+                    next if !habitatclass.isLive?(project, credset)
+                    projectthreads << Thread.new {
+                      MU.dupGlobals(parent_thread_id)
+                      MU.setVar("curRegion", r)
+                      Thread.abort_on_exception = false
+                      if project != ""
+                        MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}, project #{project}", MU::NOTICE
                       end
-                      if @mommacat.nil? or @mommacat.numKittens(types: [t]) > 0
-                        if @mommacat
-                          found = @mommacat.findLitterMate(type: t, return_all: true, credentials: credset)
-                          flags['known'] ||= []
-                          if found.is_a?(Array)
-                            found.each { |k|
-                              flags['known'] << k.cloud_id
-                            }
-                          elsif found and found.is_a?(Hash)
-                            flags['known'] << found['cloud_id']
-                          elsif found
-                            flags['known'] << found.cloud_id
-                          end
+                      MU.dupGlobals(parent_thread_id)
+                      flags = {
+                        "project" => project,
+                        "onlycloud" => @onlycloud,
+                        "skipsnapshots" => @skipsnapshots,
+                      }
+                      types_in_order.each { |t|
+                        shortclass, cfg_name, cfg_plural, classname = MU::Cloud.getResourceNames(t)
+                        begin
+                          skipme = false
+                          global_vs_region_semaphore.synchronize {
+                            MU::Cloud.loadCloudType(cloud, t)
+                            if Object.const_get("MU").const_get("Cloud").const_get(cloud).const_get(t).isGlobal?
+                              global_done[project] ||= []
+                              if !global_done[project].include?(t)
+                                global_done[project] << t
+                                flags['global'] = true
+                              else
+                                skipme = true
+                              end
+                            end
+                          }
+                          next if skipme
+                        rescue MU::Cloud::MuDefunctHabitat, MU::Cloud::MuCloudResourceNotImplemented => e
+                          next
+                        rescue MU::MuError, NoMethodError => e
+                          MU.log "While checking mu/clouds/#{cloud.downcase}/#{cloudclass.cfg_name} for global-ness in cleanup: "+e.message, MU::WARN
+                          next
+                        rescue ::Aws::EC2::Errors::AuthFailure, ::Google::Apis::ClientError => e
+                          MU.log e.message+" in "+r, MU::ERR
+                          next
                         end
                         begin
-                          resclass = Object.const_get("MU").const_get("Cloud").const_get(t)
-                          resclass.cleanup(
-                            noop: @noop,
-                            ignoremaster: @ignoremaster,
-                            region: r,
-                            cloud: provider,
-                            flags: flags,
-                            credentials: credset
-                          )
-                        rescue Seahorse::Client::NetworkingError => e
-                          MU.log "Service not available in AWS region #{r}, skipping", MU::DEBUG, details: e.message
+                          self.call_cleanup(t, credset, cloud, flags, r)
+                        rescue MU::Cloud::MuDefunctHabitat, MU::Cloud::MuCloudResourceNotImplemented => e
+                          next
                         end
-                      end
+                      }
+                    } # types_in_order.each { |t|
+                  } # projects.each { |project|
+                  projectthreads.each do |t|
+                    t.join
+                  end
+                  # XXX move to MU::AWS
+                  if cloud == "AWS"
+                    resp = MU::Cloud::AWS.ec2(region: r, credentials: credset).describe_key_pairs(
+                      filters: [{name: "key-name", values: [keyname]}]
+                    )
+                    resp.data.key_pairs.each { |keypair|
+                      MU.log "Deleting key pair #{keypair.key_name} from #{r}"
+                      MU::Cloud::AWS.ec2(region: r, credentials: credset).delete_key_pair(key_name: keypair.key_name) if !@noop
                     }
-                  }
-                }
-                projectthreads.each do |t|
-                  t.join
-                end
+                  end
+                } # regionthreads << Thread.new {
+              } # acct_regions.each { |r|
+              regionthreads.each do |t|
+                t.join
+              end
-                # XXX move to MU::AWS
-                if provider == "AWS"
-                  resp = MU::Cloud::AWS.ec2(region: r, credentials: credset).describe_key_pairs(
-                    filters: [{name: "key-name", values: [keyname]}]
-                  )
-                  resp.data.key_pairs.each { |keypair|
-                    MU.log "Deleting key pair #{keypair.key_name} from #{r}"
-                    MU::Cloud::AWS.ec2(region: r, credentials: credset).delete_key_pair(key_name: keypair.key_name) if !@noop
-                  }
-                end
+            } # credsets.each_pair { |credset, acct_regions|
+          } # cloudthreads << Thread.new(provider, credsets) { |cloud, credsets_outer|
+          cloudthreads.each do |t|
+            t.join
+          end
+        } # creds.each_pair { |provider, credsets|
+        # Knock habitats and folders, which would contain the above resources,
+        # once they're all done.
+        creds.each_pair { |provider, credsets_inner|
+          credsets_inner.keys.each { |credset|
+            next if credsused and !credsused.include?(credset)
+            ["Habitat", "Folder"].each { |t|
+              flags = {
+                "onlycloud" => @onlycloud,
+                "skipsnapshots" => @skipsnapshots
               }
+              self.call_cleanup(t, credset, provider, flags, nil)
             }
           }
         }
-        @regionthreads.each do |t|
-          t.join
-        end
-        @projectthreads = []
-        @projectthreads.each do |t|
-          t.join
-        end
         MU::Cloud::Google.removeDeploySecretsAndRoles(MU.deploy_id)
 # XXX port AWS equivalent behavior and add a MU::Cloud wrapper
+        creds.each_pair { |provider, credsets_inner|
+          cloudclass = Object.const_get("MU").const_get("Cloud").const_get(provider)
+          credsets_inner.keys.each { |c|
+            cloudclass.cleanDeploy(MU.deploy_id, credentials: c, noop: @noop)
+          }
+        }
       end
       # Scrub any residual Chef records with matching tags
-      if !@onlycloud and (@mommacat.nil? or @mommacat.numKittens(types: ["Server", "ServerPool"]) > 0)
-        MU::Groomer::Chef.loadChefLib
-        if File.exists?(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
-          Chef::Config.from_file(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
-        end
-        deadnodes = []
-        Chef::Config[:environment] = MU.environment
-        q = Chef::Search::Query.new
+      if !@onlycloud and (@mommacat.nil? or @mommacat.numKittens(types: ["Server", "ServerPool"]) > 0) and !(Gem.paths and Gem.paths.home and !Dir.exist?("/opt/mu/lib"))
         begin
-          q.search("node", "tags_MU-ID:#{MU.deploy_id}").each { |item|
-            next if item.is_a?(Integer)
-            item.each { |node|
-              deadnodes << node.name
+          MU::Groomer::Chef.loadChefLib
+          if File.exist?(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
+            Chef::Config.from_file(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
+          end
+          deadnodes = []
+          Chef::Config[:environment] = MU.environment
+          q = Chef::Search::Query.new
+          begin
+            q.search("node", "tags_MU-ID:#{MU.deploy_id}").each { |item|
+              next if item.is_a?(Integer)
+              item.each { |node|
+                deadnodes << node.name
+              }
             }
-          }
-        rescue Net::HTTPServerException
-        end
+          rescue Net::HTTPServerException
+          end
-        begin
-          q.search("node", "name:#{MU.deploy_id}-*").each { |item|
-            next if item.is_a?(Integer)
-            item.each { |node|
-              deadnodes << node.name
+          begin
+            q.search("node", "name:#{MU.deploy_id}-*").each { |item|
+              next if item.is_a?(Integer)
+              item.each { |node|
+                deadnodes << node.name
+              }
             }
+          rescue Net::HTTPServerException
+          end
+          MU.log "Missed some Chef resources in node cleanup, purging now", MU::NOTICE if deadnodes.size > 0
+          deadnodes.uniq.each { |node|
+            MU::Groomer::Chef.cleanup(node, [], noop)
           }
-        rescue Net::HTTPServerException
+        rescue LoadError
         end
-        MU.log "Missed some Chef resources in node cleanup, purging now", MU::NOTICE if deadnodes.size > 0
-        deadnodes.uniq.each { |node|
-          MU::Groomer::Chef.cleanup(node, [], noop)
-        }
       end
       if !@onlycloud and !@noop and @mommacat
@@ -270,18 +309,18 @@ module MU
       sshconf = "#{sshdir}/config"
       ssharchive = "#{sshdir}/archive"
-      Dir.mkdir(sshdir, 0700) if !Dir.exists?(sshdir) and !@noop
-      Dir.mkdir(ssharchive, 0700) if !Dir.exists?(ssharchive) and !@noop
+      Dir.mkdir(sshdir, 0700) if !Dir.exist?(sshdir) and !@noop
+      Dir.mkdir(ssharchive, 0700) if !Dir.exist?(ssharchive) and !@noop
       keyname = "deploy-#{MU.deploy_id}"
-      if File.exists?("#{sshdir}/#{keyname}")
+      if File.exist?("#{sshdir}/#{keyname}")
         MU.log "Moving #{sshdir}/#{keyname} to #{ssharchive}/#{keyname}"
         if !@noop
           File.rename("#{sshdir}/#{keyname}", "#{ssharchive}/#{keyname}")
         end
       end
-      if File.exists?(sshconf) and File.open(sshconf).read.match(/\/deploy\-#{MU.deploy_id}$/)
+      if File.exist?(sshconf) and File.open(sshconf).read.match(/\/deploy\-#{MU.deploy_id}$/)
         MU.log "Expunging #{MU.deploy_id} from #{sshconf}"
         if !@noop
           FileUtils.copy(sshconf, "#{ssharchive}/config-#{MU.deploy_id}")
@@ -309,21 +348,25 @@ module MU
       # XXX refactor with above? They're similar, ish.
       hostsfile = "/etc/hosts"
       if File.open(hostsfile).read.match(/ #{MU.deploy_id}\-/)
-        MU.log "Expunging traces of #{MU.deploy_id} from #{hostsfile}"
-        if !@noop
-          FileUtils.copy(hostsfile, "#{hostsfile}.cleanup-#{deploy_id}")
-          File.open(hostsfile, File::CREAT|File::RDWR, 0644) { |f|
-            f.flock(File::LOCK_EX)
-            newlines = Array.new
-            f.readlines.each { |line|
-              newlines << line if !line.match(/ #{MU.deploy_id}\-/)
+        if Process.uid == 0
+          MU.log "Expunging traces of #{MU.deploy_id} from #{hostsfile}"
+          if !@noop
+            FileUtils.copy(hostsfile, "#{hostsfile}.cleanup-#{deploy_id}")
+            File.open(hostsfile, File::CREAT|File::RDWR, 0644) { |f|
+              f.flock(File::LOCK_EX)
+              newlines = Array.new
+              f.readlines.each { |line|
+                newlines << line if !line.match(/ #{MU.deploy_id}\-/)
+              }
+              f.rewind
+              f.truncate(0)
+              f.puts(newlines)
+              f.flush
+              f.flock(File::LOCK_UN)
             }
-            f.rewind
-            f.truncate(0)
-            f.puts(newlines)
-            f.flush
-            f.flock(File::LOCK_UN)
-          }
+          end
+        else
+          MU.log "Residual /etc/hosts entries for #{MU.deploy_id} must be removed by root user", MU::WARN
         end
       end
@@ -354,5 +397,39 @@ module MU
       end
     end
+    private
+    def self.call_cleanup(type, credset, provider, flags, region)
+      if @mommacat.nil? or @mommacat.numKittens(types: [type]) > 0
+        if @mommacat
+          found = @mommacat.findLitterMate(type: type, return_all: true, credentials: credset)
+          flags['known'] ||= []
+          if found.is_a?(Array)
+            found.each { |k|
+              flags['known'] << k.cloud_id
+            }
+          elsif found and found.is_a?(Hash)
+            flags['known'] << found['cloud_id']
+          elsif found
+            flags['known'] << found.cloud_id
+          end
+        end
+#        begin
+          resclass = Object.const_get("MU").const_get("Cloud").const_get(type)
+          resclass.cleanup(
+            noop: @noop,
+            ignoremaster: @ignoremaster,
+            region: region,
+            cloud: provider,
+            flags: flags,
+            credentials: credset
+          )
+#                        rescue ::Seahorse::Client::NetworkingError => e
+#                          MU.log "Service not available in AWS region #{r}, skipping", MU::DEBUG, details: e.message
+#                        end
+      end
+    end
   end #class
 end #module