RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/clouds/aws/collection.rb CHANGED

@@ -20,21 +20,11 @@ module MU
       # An Amazon CloudFormation stack as configured in {MU::Config::BasketofKittens::collections}
       class Collection < MU::Cloud::Collection
-        @deploy = nil
-        @config = nil
-        attr_reader :mu_name
-        attr_reader :cloud_id
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::vpcs}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          if !mu_name.nil?
-            @mu_name = mu_name
-          else
-            @mu_name = @deploy.getResourceName(@config['name'], need_unique_string: true)
-          end
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+          @mu_name ||= @deploy.getResourceName(@config['name'], need_unique_string: true)
           MU.setVar("curRegion", @config['region']) if !@config['region'].nil?
         end
@@ -104,7 +94,7 @@ module MU
               else
                 # json file and template path is same
                 file_dir =File.dirname(ARGV[0])
-                if File.exists? file_dir+"/"+@config["template_file"] then
+                if File.exist? file_dir+"/"+@config["template_file"] then
                   template_body=File.read(file_dir+"/"+@config["template_file"]);
                 end
               end
@@ -158,7 +148,7 @@ module MU
               case resource.resource_type
                 when "AWS::EC2::Instance"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   instance_name = MU.deploy_id+"-"+@config['name']+"-"+resource.logical_resource_id
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", instance_name, credentials: @config['credentials'])
@@ -186,14 +176,14 @@ module MU
                   end
                 when "AWS::EC2::SecurityGroup"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   MU::Cloud::AWS::FirewallRule.notifyDeploy(
                       @config['name']+"-"+resource.logical_resource_id,
                       resource.physical_resource_id
                   )
                 when "AWS::EC2::Subnet"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   data = {
                       "collection" => @config["name"],
@@ -201,7 +191,7 @@ module MU
                   }
                   @deploy.notify("subnets", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::VPC"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   data = {
                       "collection" => @config["name"],
@@ -209,10 +199,10 @@ module MU
                   }
                   @deploy.notify("vpcs", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::InternetGateway"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                 when "AWS::EC2::RouteTable"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                 # The rest of these aren't anything we act on

data/modules/mu/clouds/aws/container_cluster.rb CHANGED

@@ -17,26 +17,12 @@ module MU
     class AWS
       # A ContainerCluster as configured in {MU::Config::BasketofKittens::container_clusters}
       class ContainerCluster < MU::Cloud::ContainerCluster
-        @deploy = nil
-        @config = nil
-        attr_reader :mu_name
-        attr_reader :config
-        attr_reader :cloud_id
-        @cloudformation_data = {}
-        attr_reader :cloudformation_data
-        # Return the list of regions where we know EKS is supported.
-        def self.EKSRegions
-          # XXX would prefer to query service API for this
-          ["us-east-1", "us-west-2", "eu-west-1"]
-        end
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::container_clusters}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          @cloud_id ||= cloud_id
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
@@ -101,14 +87,13 @@ module MU
                 retry
               end
             rescue Aws::EKS::Errors::InvalidParameterException => e
-              if e.message.match(/role with arn: #{Regexp.quote(role_arn)}.*?(could not be assumed|does not exist)/)
+              if e.message.match(/role with arn: #{Regexp.quote(role_arn)}.*?(could not be assumed|does not exist)/i)
                 sleep 5
                 retry
               else
                 MU.log e.message, MU::WARN, details: role_arn
                 sleep 5
                 retry
-                puts e.message
               end
             end
@@ -119,6 +104,9 @@ module MU
                 name: @mu_name
               )
               status = resp.cluster.status
+              if status == "FAILED"
+                raise MuError, "EKS cluster #{@mu_name} had FAILED status"
+              end
               if retries > 0 and (retries % 3) == 0 and status != "ACTIVE"
                 MU.log "Waiting for EKS cluster #{@mu_name} to become active (currently #{status})", MU::NOTICE
               end
@@ -153,8 +141,18 @@ module MU
           serverpool = @deploy.findLitterMate(type: "server_pools", name: @config["name"]+"workers")
           resource_lookup = MU::Cloud::AWS.listInstanceTypes(@config['region'])[@config['region']]
-          if @config['kubernetes']
-            kube = ERB.new(File.read(MU.myRoot+"/cookbooks/mu-tools/templates/default/kubeconfig.erb"))
+          if @config['flavor'] == "EKS"
+            # This will be needed if a loadbalancer has never been created in
+            # this account; EKS applications might want one, but will fail in
+            # confusing ways if this hasn't been done.
+            begin
+              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_service_linked_role(
+                aws_service_name: "elasticloadbalancing.amazonaws.com"
+              )
+            rescue ::Aws::IAM::Errors::InvalidInput
+            end
+            kube = ERB.new(File.read(MU.myRoot+"/cookbooks/mu-tools/templates/default/kubeconfig-eks.erb"))
             configmap = ERB.new(File.read(MU.myRoot+"/extras/aws-auth-cm.yaml.erb"))
             tagme = [@vpc.cloud_id]
             tagme_elb = []
@@ -167,7 +165,7 @@ module MU
             ).route_tables
             tagme.concat(rtbs.map { |r| r.route_table_id } )
             main_sg = @deploy.findLitterMate(type: "firewall_rules", name: "server_pool#{@config['name']}workers")
-            tagme << main_sg.cloud_id
+            tagme << main_sg.cloud_id if main_sg
             MU.log "Applying kubernetes.io tags to VPC resources", details: tagme
             MU::Cloud::AWS.createTag("kubernetes.io/cluster/#{@mu_name}", "shared", tagme, credentials: @config['credentials'])
             MU::Cloud::AWS.createTag("kubernetes.io/cluster/elb", @mu_name, tagme_elb, credentials: @config['credentials'])
@@ -192,38 +190,27 @@ module MU
             File.open(gitlab_helper, "w"){ |k|
               k.puts gitlab.result(binding)
             }
+            authmap_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{eks_auth}"}
-            authmap_cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" apply -f "#{eks_auth}"}
+            authmap_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{eks_auth}"}
             MU.log "Configuring Kubernetes <=> IAM mapping for worker nodes", MU::NOTICE, details: authmap_cmd
 # maybe guard this mess
             %x{#{authmap_cmd}}
 # and this one
-            admin_user_cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-user.yaml"}
-            admin_role_cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-role-binding.yaml"}
+            admin_user_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-user.yaml"}
+            admin_role_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-role-binding.yaml"}
             MU.log "Configuring Kubernetes admin-user and role", MU::NOTICE, details: admin_user_cmd+"\n"+admin_role_cmd
             %x{#{admin_user_cmd}}
             %x{#{admin_role_cmd}}
             if @config['kubernetes_resources']
-              count = 0
-              @config['kubernetes_resources'].each { |blob|
-                blobfile = @deploy.deploy_dir+"/k8s-resource-#{count.to_s}-#{@config['name']}"
-                File.open(blobfile, "w") { |f|
-                  f.puts blob.to_yaml
-                }
-                %x{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" get -f #{blobfile} > /dev/null 2>&1}
-                arg = $?.exitstatus == 0 ? "replace" : "create"
-                cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" #{arg} -f #{blobfile}}
-                MU.log "Applying Kubernetes resource #{count.to_s} with kubectl #{arg}", details: cmd
-                output = %x{#{cmd} 2>&1}
-                if $?.exitstatus == 0
-                  MU.log "Kuberentes resource #{count.to_s} #{arg} was successful: #{output}", details: blob.to_yaml
-                else
-                  MU.log "Kuberentes resource #{count.to_s} #{arg} failed: #{output}", MU::WARN, details: blob.to_yaml
-                end
-                count += 1
-              }
+              MU::Master.applyKubernetesResources(
+                @config['name'],
+                @config['kubernetes_resources'],
+                kubeconfig: kube_conf,
+                outputdir: @deploy.deploy_dir
+              )
             end
             MU.log %Q{How to interact with your Kubernetes cluster\nkubectl --kubeconfig "#{kube_conf}" get all\nkubectl --kubeconfig "#{kube_conf}" create -f some_k8s_deploy.yml\nkubectl --kubeconfig "#{kube_conf}" get nodes}, MU::SUMMARY
@@ -329,7 +316,7 @@ module MU
             created_generic_loggroup = false
             @config['containers'].each { |c|
-              service_name = c['service'] ? @mu_name+"-"+c['service'].upcase : @mu_name+"-"+c['name'].upcase
+              service_name = c['service'] ? @mu_name+"-"+c['service'].upcase : @mu_name
               tasks[service_name] ||= []
               tasks[service_name] << c
             }
@@ -339,8 +326,10 @@ module MU
               cpu_total = 0
               mem_total = 0
               role_arn = nil
+              lbs = []
               container_definitions = containers.map { |c|
+                container_name = @mu_name+"-"+c['name'].upcase
                 cpu_total += c['cpu']
                 mem_total += c['memory']
@@ -362,6 +351,50 @@ module MU
                     raise MuError, "Unable to find execution role from #{c["role"]}"
                   end
                 end
+                if c['loadbalancers'] != []
+                  c['loadbalancers'].each {|lb|
+                    found = @deploy.findLitterMate(name: lb['name'], type: "loadbalancer")
+                    if found
+                      MU.log "Mapping LB #{found.mu_name} to service #{c['name']}", MU::INFO
+                      if found.cloud_desc.type != "classic"
+                        elb_groups = MU::Cloud::AWS.elb2(region: @config['region'], credentials: @config['credentials']).describe_target_groups({
+                            load_balancer_arn: found.cloud_desc.load_balancer_arn
+                          })
+                          matching_target_groups = []
+                          elb_groups.target_groups.each { |tg|
+                            if tg.port.to_i == lb['container_port'].to_i
+                              matching_target_groups << {
+                                arn: tg['target_group_arn'],
+                                name: tg['target_group_name']
+                              }
+                            end
+                          }
+                          if matching_target_groups.length >= 1
+                            MU.log "#{matching_target_groups.length} matching target groups found. Mapping #{container_name} to target group #{matching_target_groups.first['name']}", MU::INFO
+                            lbs << {
+                              container_name: container_name,
+                              container_port: lb['container_port'],
+                              target_group_arn: matching_target_groups.first[:arn]
+                            }
+                          else
+                            raise MuError, "No matching target groups found"
+                          end
+                      elsif @config['flavor'] == "Fargate" && found.cloud_desc.type == "classic"
+                        raise MuError, "Classic Load Balancers are not supported with Fargate."
+                      else
+                        MU.log "Mapping Classic LB #{found.mu_name} to service #{container_name}", MU::INFO
+                        lbs << {
+                          container_name: container_name,
+                          container_port: lb['container_port'],
+                          load_balancer_name: found.mu_name
+                        }
+                      end
+                    else
+                      raise MuError, "Unable to find loadbalancers from #{c["loadbalancers"].first['name']}"
+                    end
+                  }
+                end
                 params = {
                   name: @mu_name+"-"+c['name'].upcase,
@@ -451,13 +484,13 @@ module MU
               resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).register_task_definition(task_params)
               task_def = resp.task_definition.task_definition_arn
               service_params = {
                 :cluster => @mu_name,
                 :desired_count => @config['instance_count'], # XXX this makes no sense
                 :service_name => service_name,
                 :launch_type => launch_type,
-                :task_definition => task_def
+                :task_definition => task_def,
+                :load_balancers => lbs
               }
               if @config['vpc']
                 subnet_ids = []
@@ -651,52 +684,68 @@ MU.log c.name, MU::NOTICE, details: t
           return deploy_struct
         end
+        @@eks_versions = {}
+        @@eks_version_semaphore = Mutex.new
         # Use the AWS SSM API to fetch the current version of the Amazon Linux
         # ECS-optimized AMI, so we can use it as a default AMI for ECS deploys.
         # @param flavor [String]: ECS or EKS
-        def self.getECSImageId(flavor = "ECS", region = MU.myRegion)
-          if flavor == "ECS"
-            resp = MU::Cloud::AWS.ssm(region: region).get_parameters(
+        # @param region [String]: Target AWS region
+        # @param version [String]: Version of Kubernetes, if +flavor+ is set to +EKS+
+        # @param gpu [Boolean]: Whether to request an image with GPU support
+        def self.getStandardImage(flavor = "ECS", region = MU.myRegion, version: nil, gpu: false)
+          resp = if flavor == "ECS"
+            MU::Cloud::AWS.ssm(region: region).get_parameters(
               names: ["/aws/service/#{flavor.downcase}/optimized-ami/amazon-linux/recommended"]
             )
-            if resp and resp.parameters and resp.parameters.size > 0
-              image_details = JSON.parse(resp.parameters.first.value)
-              return image_details['image_id']
-            end
-          elsif flavor == "EKS"
-            # XXX this is absurd, but these don't appear to be available from an API anywhere
-            # Here's their Packer build, should just convert to Chef: https://github.com/awslabs/amazon-eks-ami
-            amis = {
-              "us-east-1" => "ami-0abcb9f9190e867ab",
-              "us-east-2" => "ami-04ea7cb66af82ae4a",
-              "us-west-2" => "ami-0923e4b35a30a5f53",
-              "eu-west-1" => "ami-08716b70cac884aaa",
-              "eu-west-2" => "ami-0c7388116d474ee10",
-              "eu-west-3" => "ami-0560aea042fec8b12",
-              "ap-northeast-1" => "ami-0bfedee6a7845c26d",
-              "ap-northeast-2" => "ami-0a904348b703e620c",
-              "ap-south-1" => "ami-09c3eb35bb3be46a4",
-              "ap-southeast-1" => "ami-07b922b9b94d9a6d2",
-              "ap-southeast-2" => "ami-0f0121e9e64ebd3dc"
+          else
+            @@eks_version_semaphore.synchronize {
+              if !@@eks_versions[region]
+                @@eks_versions[region] ||= []
+                versions = {}
+                resp = nil
+                next_token = nil
+                begin
+                  resp = MU::Cloud::AWS.ssm(region: region).get_parameters_by_path(
+                    path: "/aws/service/#{flavor.downcase}",
+                    recursive: true,
+                    next_token: next_token
+                  )
+                  resp.parameters.each { |p|
+                    p.name.match(/\/aws\/service\/eks\/optimized-ami\/([^\/]+?)\//)
+                    versions[Regexp.last_match[1]] = true
+                  }
+                  next_token = resp.next_token
+                end while !next_token.nil?
+                @@eks_versions[region] = versions.keys.sort { |a, b| MU.version_sort(a, b) }
+              end
             }
-            return amis[region]
+            if !version or version == "latest"
+              version = @@eks_versions[region].last
+            end
+            MU::Cloud::AWS.ssm(region: region).get_parameters(
+              names: ["/aws/service/#{flavor.downcase}/optimized-ami/#{version}/amazon-linux-2#{gpu ? "-gpu" : ""}/recommended"]
+            )
           end
-          nil
-        end
-        # Use the AWS SSM API to fetch the current version of the Amazon Linux
-        # EKS-optimized AMI, so we can use it as a default AMI for EKS deploys.
-        def self.getEKSImageId(region = MU.myRegion)
-          resp = MU::Cloud::AWS.ssm(region: region).get_parameters(
-            names: ["/aws/service/ekss/optimized-ami/amazon-linux/recommended"]
-          )
           if resp and resp.parameters and resp.parameters.size > 0
             image_details = JSON.parse(resp.parameters.first.value)
             return image_details['image_id']
           end
           nil
         end
+        # Return the list of regions where we know EKS is supported.
+        def self.EKSRegions(credentials = nil)
+          eks_regions = []
+          MU::Cloud::AWS.listRegions(credentials: credentials).each { |r|
+            ami = getStandardImage("EKS", r)
+            eks_regions << r if ami
+          }
+          eks_regions
+        end
         # Does this resource type exist as a global (cloud-wide) artifact, or
         # is it localized to a region/zone?
         # @return [Boolean]
@@ -718,6 +767,7 @@ MU.log c.name, MU::NOTICE, details: t
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).list_clusters
           if resp and resp.cluster_arns and resp.cluster_arns.size > 0
             resp.cluster_arns.each { |arn|
               if arn.match(/:cluster\/(#{MU.deploy_id}[^:]+)$/)
@@ -744,8 +794,8 @@ MU.log c.name, MU::NOTICE, details: t
                   cluster: cluster
                 })
                 if instances
-                  instances.container_instance_arns.each { |arn|
-                    uuid = arn.sub(/^.*?:container-instance\//, "")
+                  instances.container_instance_arns.each { |instance_arn|
+                    uuid = instance_arn.sub(/^.*?:container-instance\//, "")
                     MU.log "Deregistering instance #{uuid} from ECS Cluster #{cluster}"
                     if !noop
                       resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).deregister_container_instance({
@@ -775,6 +825,7 @@ MU.log c.name, MU::NOTICE, details: t
           tasks = MU::Cloud::AWS.ecs(region: region, credentials: credentials).list_task_definitions(
             family_prefix: MU.deploy_id
           )
           if tasks and tasks.task_definition_arns
             tasks.task_definition_arns.each { |arn|
               MU.log "Deregistering Fargate task definition #{arn}"
@@ -788,8 +839,14 @@ MU.log c.name, MU::NOTICE, details: t
           return if !MU::Cloud::AWS::ContainerCluster.EKSRegions.include?(region)
+          resp = begin
+            MU::Cloud::AWS.eks(credentials: credentials, region: region).list_clusters
+          rescue Aws::EKS::Errors::AccessDeniedException
+            # EKS isn't actually live in this region, even though SSM lists
+            # base images for it
+            return
+          end
-          resp = MU::Cloud::AWS.eks(credentials: credentials, region: region).list_clusters
           if resp and resp.clusters
             resp.clusters.each { |cluster|
@@ -865,17 +922,24 @@ MU.log c.name, MU::NOTICE, details: t
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
           toplevel_required = []
           schema = {
             "flavor" => {
-              "enum" => ["ECS", "EKS", "Fargate"],
+              "enum" => ["ECS", "EKS", "Fargate", "Kubernetes"],
+              "type" => "string",
+              "description" => "The AWS container platform to deploy",
               "default" => "ECS"
             },
             "kubernetes" => {
-              "default" => { "version" => "1.11" }
+              "default" => { "version" => "latest" }
+            },
+            "gpu" => {
+              "type" => "boolean",
+              "default" => false,
+              "description" => "Enable worker nodes with GPU capabilities"
             },
             "platform" => {
-              "description" => "The platform to choose for worker nodes. Will default to Amazon Linux for ECS, CentOS 7 for everything else. Only valid for EKS and ECS flavors.",
-              "default" => "centos7"
+              "description" => "The platform to choose for worker nodes."
             },
             "ami_id" => {
               "type" => "string",
@@ -1415,6 +1479,25 @@ MU.log c.name, MU::NOTICE, details: t
                         "description" => "Per-driver configuration options. See also: https://docs.aws.amazon.com/sdkforruby/api/Aws/ECS/Types/ContainerDefinition.html#log_configuration-instance_method"
                       }
                     }
+                  },
+                  "loadbalancers" => {
+                    "type" => "array",
+                    "description" => "Array of loadbalancers to associate with this container servvice See also: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ECS/Client.html#create_service-instance_method",
+                    "default" => [],
+                    "items" => {
+                      "description" => "Load Balancers to associate with the container services",
+                      "type" => "object",
+                      "properties" => {
+                        "name" => {
+                          "type" => "string",
+                          "description" => "Name of the loadbalancer to associate"
+                        },
+                        "container_port" => {
+                          "type" => "integer",
+                          "description" => "container port to map to the loadbalancer"
+                        }
+                      }
+                    }
                   }
                 }
               }
@@ -1433,6 +1516,8 @@ MU.log c.name, MU::NOTICE, details: t
           cluster['size'] = MU::Cloud::AWS::Server.validateInstanceType(cluster["instance_type"], cluster["region"])
           ok = false if cluster['size'].nil?
+          cluster["flavor"] = "EKS" if cluster["flavor"].match(/^Kubernetes$/i)
           if cluster["flavor"] == "ECS" and cluster["kubernetes"] and !MU::Cloud::AWS.isGovCloud?(cluster["region"])
             cluster["flavor"] = "EKS"
             MU.log "Setting flavor of ContainerCluster '#{cluster['name']}' to EKS ('kubernetes' stanza was specified)", MU::NOTICE
@@ -1455,6 +1540,7 @@ MU.log c.name, MU::NOTICE, details: t
           end
           if cluster["flavor"] != "EKS" and cluster["containers"]
+            cluster.delete("kubernetes")
             created_generic_loggroup = false
             cluster['containers'].each { |c|
               if c['log_configuration'] and
@@ -1485,14 +1571,14 @@ MU.log c.name, MU::NOTICE, details: t
                   logdesc = {
                     "name" => logname,
                     "region" => cluster["region"],
-                    "cloud" => cluster["cloud"]
+                    "cloud" => "AWS"
                   }
                   configurator.insertKitten(logdesc, "logs")
                   if !c['role']
                     roledesc = {
                       "name" => rolename,
-                      "cloud" => cluster["cloud"],
+                      "cloud" => "AWS",
                       "can_assume" => [
                         {
                           "entity_id" => "ecs-tasks.amazonaws.com",
@@ -1542,19 +1628,28 @@ MU.log c.name, MU::NOTICE, details: t
           end
           if cluster["flavor"] == "EKS" and !cluster["vpc"]
-            if !MU::Cloud::AWS.hosted?
-              MU.log "EKS cluster #{cluster['name']} must declare a VPC", MU::ERR
-              ok = false
+            if !MU::Cloud::AWS.hosted? or !MU::Cloud::AWS.myVPCObj
+              siblings = configurator.haveLitterMate?(nil, "vpcs", has_multiple: true)
+              if siblings.size == 1
+                MU.log "EKS cluster #{cluster['name']} did not declare a VPC. Inserting into an available sibling VPC.", MU::WARN
+                cluster["vpc"] = {
+                  "name" => siblings[0]['name'],
+                  "subnet_pref" => "all_private"
+                }
+              else
+                MU.log "EKS cluster #{cluster['name']} must declare a VPC", MU::ERR
+                ok = false
+              end
             else
               cluster["vpc"] = {
-                "vpc_id" => MU.myVPC,
+                "id" => MU.myVPC,
                 "subnet_pref" => "all_private"
               }
             end
           end
           if ["ECS", "EKS"].include?(cluster["flavor"])
-            std_ami = getECSImageId(cluster["flavor"], cluster['region'])
+            std_ami = getStandardImage(cluster["flavor"], cluster['region'], version: cluster['kubernetes']['version'], gpu: cluster['gpu'])
             cluster["host_image"] ||= std_ami
             if cluster["host_image"] != std_ami
               if cluster["flavor"] == "ECS"
@@ -1582,41 +1677,36 @@ MU.log c.name, MU::NOTICE, details: t
           end
+          fwname = "container_cluster#{cluster['name']}"
           cluster['ingress_rules'] ||= []
-          if cluster['flavor'] == "ECS"
+          if ["ECS", "EKS"].include?(cluster["flavor"])
             cluster['ingress_rules'] << {
-              "sgs" => ["server_pool#{cluster['name']}workers"],
-              "port" => 443
+              "sgs" => ["server_pool"+cluster["name"]+"workers"],
+              "port" => 443,
+              "proto" => "tcp",
+              "ingress" => true,
+              "comment" => "Allow worker nodes to access API"
             }
+            ruleset = configurator.haveLitterMate?(fwname, "firewall_rules")
+            if ruleset
+              ruleset["rules"].concat(cluster['ingress_rules'])
+              ruleset["rules"].uniq!
+            end
           end
-          fwname = "container_cluster#{cluster['name']}"
-          acl = {
-            "name" => fwname,
-            "credentials" => cluster["credentials"],
-            "rules" => cluster['ingress_rules'],
-            "region" => cluster['region'],
-            "optional_tags" => cluster['optional_tags']
-          }
-          acl["tags"] = cluster['tags'] if cluster['tags'] && !cluster['tags'].empty?
-          acl["vpc"] = cluster['vpc'].dup if cluster['vpc']
-          ok = false if !configurator.insertKitten(acl, "firewall_rules")
-          cluster["add_firewall_rules"] = [] if cluster["add_firewall_rules"].nil?
-          cluster["add_firewall_rules"] << {"rule_name" => fwname}
-          cluster["dependencies"] << {
-            "name" => fwname,
-            "type" => "firewall_rule",
-          }
           if ["ECS", "EKS"].include?(cluster["flavor"])
+            cluster["max_size"] ||= cluster["instance_count"]
+            cluster["min_size"] ||= cluster["instance_count"]
             worker_pool = {
               "name" => cluster["name"]+"workers",
+              "cloud" => "AWS",
+              "skipinitialupdates" => (cluster["flavor"] == "EKS"),
               "credentials" => cluster["credentials"],
               "region" => cluster['region'],
-              "min_size" => cluster["instance_count"],
-              "max_size" => cluster["instance_count"],
+              "min_size" => cluster["min_size"],
+              "max_size" => cluster["max_size"],
               "wait_for_nodes" => cluster["instance_count"],
               "ssh_user" => cluster["host_ssh_user"],
               "role_strip_path" => true,
@@ -1629,7 +1719,7 @@ MU.log c.name, MU::NOTICE, details: t
             }
             if cluster["flavor"] == "EKS"
               worker_pool["ingress_rules"] = [
-                "sgs" => ["container_cluster#{cluster['name']}"],
+                "sgs" => [fwname],
                 "port_range" => "1-65535"
               ]
               worker_pool["application_attributes"] ||= {}
@@ -1681,6 +1771,7 @@ MU.log c.name, MU::NOTICE, details: t
               role = {
                 "name" => cluster["name"]+"controlplane",
                 "credentials" => cluster["credentials"],
+                "cloud" => "AWS",
                 "can_assume" => [
                   { "entity_id" => "eks.amazonaws.com", "entity_type" => "service" }
                 ],