cloud-mu 2.1.0beta → 3.0.0beta

data/modules/mu/clouds/azure/container_cluster.rb

@@ -0,0 +1,413 @@
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#	http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+  class Cloud
+    class Azure
+      # A Kubernetes cluster as configured in {MU::Config::BasketofKittens::container_clusters}
+      class ContainerCluster < MU::Cloud::ContainerCluster
+
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+
+          # @mu_name = mu_name ? mu_name : @deploy.getResourceName(@config["name"])
+          if !mu_name.nil?
+            @mu_name = mu_name
+            @cloud_id = Id.new(cloud_desc.id) if @cloud_id
+          else
+            @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 31)
+          end
+        end
+
+
+        # Called automatically by {MU::Deploy#createResources}
+        # @return [String]: The cloud provider's identifier for this GKE instance.
+        def create
+          create_update
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          create_update
+
+          kube_conf = @deploy.deploy_dir+"/kubeconfig-#{@config['name']}"
+
+          admin_creds = MU::Cloud::Azure.containers(credentials: @config['credentials']).managed_clusters.list_cluster_admin_credentials(
+            @resource_group,
+            @mu_name
+          )
+          admin_creds.kubeconfigs.each { |kube|
+            next if kube.name != "clusterAdmin"
+
+            cfgfile = ""
+            kube.value.each { |ord|
+              cfgfile += ord.chr
+            }
+
+            File.open(kube_conf, "w"){ |k|
+              k.puts cfgfile
+            }
+          }
+
+          if @config['kubernetes_resources']
+            MU::Master.applyKubernetesResources(
+              @config['name'], 
+              @config['kubernetes_resources'],
+              kubeconfig: kube_conf,
+              outputdir: @deploy.deploy_dir
+            )
+          end
+
+          MU.log %Q{How to interact with your Kubernetes cluster\nkubectl --kubeconfig "#{kube_conf}" get events --all-namespaces\nkubectl --kubeconfig "#{kube_conf}" get all\nkubectl --kubeconfig "#{kube_conf}" create -f some_k8s_deploy.yml\nkubectl --kubeconfig "#{kube_conf}" get nodes}, MU::SUMMARY
+
+        end
+
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
+          found = {}
+
+          # Azure resources are namedspaced by resource group. If we weren't
+          # told one, we may have to search all the ones we can see.
+          resource_groups = if args[:resource_group]
+            [args[:resource_group]]
+          elsif args[:cloud_id] and args[:cloud_id].is_a?(MU::Cloud::Azure::Id)
+            [args[:cloud_id].resource_group]
+          else
+            MU::Cloud::Azure.resources(credentials: args[:credentials]).resource_groups.list.map { |rg| rg.name }
+          end
+
+          if args[:cloud_id]
+            id_str = args[:cloud_id].is_a?(MU::Cloud::Azure::Id) ? args[:cloud_id].name : args[:cloud_id]
+            resource_groups.each { |rg|
+              resp = MU::Cloud::Azure.containers(credentials: args[:credentials]).managed_clusters.get(rg, id_str)
+              found[Id.new(resp.id)] = resp if resp
+            }
+          else
+            if args[:resource_group]
+              MU::Cloud::Azure.containers(credentials: args[:credentials]).managed_clusters.list_by_resource_group(args[:resource_group]).each { |cluster|
+                found[Id.new(cluster.id)] = cluster
+              }
+            else
+              MU::Cloud::Azure.containers(credentials: args[:credentials]).managed_clusters.list.each { |cluster|
+                found[Id.new(cluster.id)] = cluster
+              }
+            end
+          end
+
+          found
+        end
+
+        # Register a description of this cluster instance with this deployment's metadata.
+        def notify
+          base = {}
+          base = MU.structToHash(cloud_desc)
+          base["cloud_id"] = @cloud_id.name
+          base.merge!(@config.to_h)
+          base
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
+        # Denote whether this resource implementation is experiment, ready for
+        # testing, or ready for production use.
+        def self.quality
+          MU::Cloud::BETA
+        end
+
+        # Stub method. Azure resources are cleaned up by removing the parent
+        # resource group.
+        # @return [void]
+        def self.cleanup(**args)
+        end
+
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config)
+          toplevel_required = []
+          schema = {
+            "flavor" => {
+              "enum" => ["Kubernetes", "OpenShift", "Swarm", "DC/OS"],
+              "description" => "The Azure container platform to deploy. Currently only +Kubernetes+ is supported.",
+              "default" => "Kubernetes"
+            },
+            "platform" => {
+              "description" => "The OS platform to deploy for workers and containers.",
+              "default" => "Linux",
+              "enum" => ["Linux", "Windows"]
+            },
+            "max_pods" => {
+              "type" => "integer",
+              "description" => "Maximum number of pods allowed on this cluster",
+              "default" => 30
+            },
+            "kubernetes" => {
+              "default" => { "version" => "1.12.8" }
+            },
+            "dns_prefix" => {
+              "type" => "string",
+              "description" => "DNS name prefix to use with the hosted Kubernetes API server FQDN. Will default to the global +appname+ value if not specified."
+            },
+            "disk_size_gb" => {
+              "type" => "integer",
+              "description" => "Size of the disk attached to each worker, specified in GB. The smallest allowed disk size is 30, the largest 1024.",
+              "default" => 100
+            },
+          }
+          [toplevel_required, schema]
+        end
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::container_clusters}, bare and unvalidated.
+        # @param cluster [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(cluster, configurator)
+          ok = true
+# XXX validate k8s versions (master and node)
+# XXX validate image types
+# MU::Cloud::Azure.container.get_project_zone_serverconfig(@config["project"], @config['availability_zone'])
+          cluster["dns_prefix"] ||= $myAppName # XXX woof globals wtf
+          cluster['region'] ||= MU::Cloud::Azure.myRegion(cluster['credentials'])
+
+          if cluster["disk_size_gb"] < 30 or cluster["disk_size_gb"] > 1024
+            MU.log "Azure ContainerCluster disk_size_gb must be between 30 and 1024.", MU::ERR
+            ok = false
+          end
+
+          if cluster['min_size'] and cluster['instance_count'] < cluster['min_size']
+            cluster['instance_count'] = cluster['min_size']
+          end
+          if cluster['max_size'] and cluster['instance_count'] < cluster['max_size']
+            cluster['instance_count'] = cluster['max_size']
+          end
+
+          cluster['instance_type'] ||= "Standard_DS2_v2" # TODO when Server is implemented, it should have a validateInstanceType method we can use here
+
+          svcacct_desc = {
+            "name" => cluster["name"]+"user",
+            "region" => cluster["region"],
+            "type" => "service",
+            "cloud" => "Azure",
+            "create_api_key" => true,
+            "credentials" => cluster["credentials"],
+            "roles" => [
+              "Azure Kubernetes Service Cluster Admin Role"
+            ]
+          }
+          cluster['dependencies'] ||= []
+          cluster['dependencies'] << {
+            "type" => "user",
+            "name" => cluster["name"]+"user"
+          }
+
+          ok = false if !configurator.insertKitten(svcacct_desc, "users")
+
+          ok
+        end
+
+        private
+
+        def create_update
+          need_apply = false
+
+          ext_cluster = MU::Cloud::Azure.containers(credentials: @config[:credentials]).managed_clusters.get(
+            @resource_group,
+            @mu_name
+          )
+          if ext_cluster
+            @cloud_id = MU::Cloud::Azure::Id.new(ext_cluster.id)
+          end
+
+          key_obj = MU::Cloud::Azure.containers(:ContainerServiceSshPublicKey).new
+          key_obj.key_data = @deploy.ssh_public_key
+
+          ssh_obj = MU::Cloud::Azure.containers(:ContainerServiceSshConfiguration).new
+          ssh_obj.public_keys = [key_obj]
+
+          os_profile_obj = if !ext_cluster
+            if @config['platform'] == "Windows"
+              os_obj = MU::Cloud::Azure.containers(:ContainerServiceWindowsProfile, model_version: "V2019_02_01").new
+              os_obj.admin_username = "muadmin"
+              # Azure password constraints are extra-annoying
+              winpass = MU.generateWindowsPassword(safe_pattern: '!@#$%^&*()', retries: 150)
+# TODO store this somewhere the user can get at it
+              os_obj.admin_password = winpass
+              os_obj
+            else
+              os_obj = MU::Cloud::Azure.containers(:ContainerServiceLinuxProfile).new
+              os_obj.admin_username = "muadmin"
+              os_obj.ssh = ssh_obj
+              os_obj
+            end
+          else
+            # Azure does not support updates to this parameter
+            @config['platform'] == "Windows" ? ext_cluster.windows_profile : ext_cluster.linux_profile
+          end
+
+          svc_principal_obj = MU::Cloud::Azure.containers(:ManagedClusterServicePrincipalProfile).new
+# XXX this should come from a MU::Cloud::Azure::User object, but right now
+# there's no way to get the 'secret' field from a user-assigned identity afaict
+# For now, we'll cheat with Mu's system credentials.
+          creds = MU::Cloud::Azure.credConfig(@config['credentials'])
+          svc_principal_obj.client_id = creds["client_id"]
+          svc_principal_obj.secret = creds["client_secret"]
+
+#          svc_acct = @deploy.findLitterMate(type: "user", name: @config['name']+"user")
+#          raise MuError, "Failed to locate service account #{@config['name']}user" if !svc_acct
+#          svc_principal_obj.client_id = svc_acct.cloud_desc.client_id
+#          svc_principal_obj.secret = svc_acct.getSecret
+
+          agent_profiles = if !ext_cluster
+            profile_obj = MU::Cloud::Azure.containers(:ManagedClusterAgentPoolProfile).new
+            profile_obj.name = @deploy.getResourceName(@config["name"], max_length: 11).downcase.gsub(/[^0-9a-z]/, "")
+            if @config['min_size'] and @config['max_size']
+              # Special API features need to be enabled for scaling
+              MU::Cloud::Azure.ensureFeature("Microsoft.ContainerService/WindowsPreview", credentials: @config['credentials'])
+              MU::Cloud::Azure.ensureFeature("Microsoft.ContainerService/VMSSPreview", credentials: @config['credentials'])
+
+              profile_obj.min_count = @config['min_size']
+              profile_obj.max_count = @config['max_size']
+              profile_obj.enable_auto_scaling = true
+              profile_obj.type = MU::Cloud::Azure.containers(:AgentPoolType)::VirtualMachineScaleSets
+# XXX if you actually try to do this:
+# BadRequest: Virtual Machine Scale Set agent nodes are not allowed since feature "Microsoft.ContainerService/WindowsPreview" is not enabled.
+            end
+            profile_obj.count = @config['instance_count']
+            profile_obj.vm_size = @config['instance_type']
+            profile_obj.max_pods = @config['max_pods']
+            profile_obj.os_type = @config['platform']
+            profile_obj.os_disk_size_gb = @config['disk_size_gb']
+# XXX correlate this with the one(s) we configured in @config['vpc']
+#          profile_obj.vnet_subnet_id = @vpc.subnets.first.cloud_desc.id # XXX has to have its own subnet for k8s apparently
+            [profile_obj]
+          else
+            # Azure does not support adding/removing agent profiles to a live
+            # cluster, but it does support changing some values on an existing
+            # one.
+            profile_obj = ext_cluster.agent_pool_profiles.first
+
+            nochange_map = {
+              "disk_size_gb" => :os_disk_size_gb,
+              "instance_type" => :vm_size,
+              "platform" => :os_type,
+              "max_pods" => :max_pods,
+            }
+
+            tried_to_change =[]
+            nochange_map.each_pair { |cfg, attribute|
+              if @config.has_key?(cfg) and
+                 @config[cfg] != profile_obj.send(attribute)
+                tried_to_change << cfg
+              end
+            }
+            if @config['min_size'] and @config['max_size'] and
+               !profile_obj.enable_auto_scaling
+              tried_to_change << "enable_auto_scaling"
+            end
+            if tried_to_change.size > 0
+              MU.log "Changes specified to one or more immutable AKS Agent Pool parameters in cluster #{@mu_name}, ignoring.", MU::NOTICE, details: tried_to_change
+            end
+
+            if @config['min_size'] and @config['max_size'] and
+               profile_obj.enable_auto_scaling and
+               (
+                 profile_obj.min_count != @config['min_size'] or
+                 profile_obj.max_count != @config['max_size']
+               )
+              profile_obj.min_count = @config['min_size']
+              profile_obj.max_count = @config['max_size']
+              need_apply = true
+            end
+
+            if profile_obj.count != @config['instance_count']
+              profile_obj.count = @config['instance_count']
+              need_apply = true
+            end
+
+            [profile_obj]
+          end
+
+          cluster_obj = MU::Cloud::Azure.containers(:ManagedCluster).new
+
+          if ext_cluster
+            cluster_obj.dns_prefix = ext_cluster.dns_prefix
+            cluster_obj.location = ext_cluster.location
+          else
+            # Azure does not support updates to these parameters
+            cluster_obj.dns_prefix = @config['dns_prefix']
+            cluster_obj.location = @config['region']
+          end
+
+          cluster_obj.tags = @tags
+
+          cluster_obj.service_principal_profile = svc_principal_obj
+          if @config['platform'] == "Windows"
+            cluster_obj.windows_profile = os_profile_obj
+          else
+            cluster_obj.linux_profile = os_profile_obj
+          end
+#          cluster_obj.api_server_authorized_ipranges = [MU.mu_public_ip+"/32", MU.my_private_ip+"/32"] # XXX only allowed with Microsoft.ContainerService/APIServerSecurityPreview enabled
+          cluster_obj.agent_pool_profiles = agent_profiles
+
+          if @config['flavor'] == "Kubernetes"
+            cluster_obj.kubernetes_version = @config['kubernetes']['version'].to_s
+            if ext_cluster and @config['kubernetes']['version'] != ext_cluster.kubernetes_version
+              need_apply = true
+            end
+          end
+
+# XXX it may be possible to create a new AgentPool and fall forward into it?
+# API behavior suggests otherwise. Project for later.
+#          pool_obj = MU::Cloud::Azure.containers(:AgentPool).new
+#          pool_obj.count = @config['instance_count']
+#          pool_obj.vm_size = "Standard_DS2_v2"
+
+          if !ext_cluster
+pp cluster_obj
+            MU.log "Creating AKS cluster #{@mu_name}", details: cluster_obj
+            need_apply = true
+          elsif need_apply
+            MU.log "Updating AKS cluster #{@mu_name}", MU::NOTICE, details: cluster_obj
+          end
+
+          if need_apply
+            resp = MU::Cloud::Azure.containers(credentials: @config['credentials']).managed_clusters.create_or_update(
+              @resource_group,
+              @mu_name,
+              cluster_obj
+            )
+
+            @cloud_id = Id.new(resp.id)
+          end
+
+        end
+
+      end #class
+    end #class
+  end
+end #module

data/modules/mu/clouds/azure/firewall_rule.rb

@@ -0,0 +1,500 @@
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+
+  class Cloud
+    class Azure
+      # A firewall ruleset as configured in {MU::Config::BasketofKittens::firewall_rules}
+      class FirewallRule < MU::Cloud::FirewallRule
+
+        @admin_sgs = Hash.new
+        @admin_sg_semaphore = Mutex.new
+
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+
+          if !mu_name.nil?
+            @mu_name = mu_name
+          else
+            @mu_name = @deploy.getResourceName(@config['name'], max_length: 61)
+          end
+
+        end
+
+        attr_reader :rulesets
+
+        # Called by {MU::Deploy#createResources}
+        def create
+          create_update
+        end
+
+        # Called by {MU::Deploy#createResources}
+        def groom
+          create_update
+
+          oldrules = {}
+          newrules = {}
+          cloud_desc.security_rules.each { |rule|
+            if rule.description and rule.description.match(/^#{Regexp.quote(@mu_name)} \d+:/)
+              oldrules[rule.name] = rule
+            end
+          }
+          used_priorities = oldrules.values.map { |r| r.priority }
+
+          newrules_semaphore = Mutex.new
+          num_rules = 0
+
+          rulethreads = []
+          return if !@config['rules']
+          @config['rules'].each { |rule_cfg|
+            num_rules += 1
+            rulethreads << Thread.new(rule_cfg, num_rules) { |rule, num|
+              was_new, desc = addRule(
+                rule["hosts"],
+                proto: rule["proto"],
+                port: rule["port"],
+                egress: rule["egress"],
+                port_range: rule["port_range"],
+                sgs: rule["sgs"],
+                lbs: rule["lbs"],
+                deny: rule["deny"],
+                weight: rule["weight"],
+                oldrules: oldrules,
+                num: num
+              )
+
+              newrules_semaphore.synchronize {
+                newrules[desc.name] = desc
+                if !was_new
+                  oldrules[desc.name] = desc
+                end
+              }
+
+            } # rulethreads
+          }
+
+          rulethreads.each { |t|
+            t.join
+          }
+
+          # Purge old rules that we own (according to the description) but
+          # which are not part of our current configuration.
+          (oldrules.keys - newrules.keys).each { |oldrule|
+            MU.log "Dropping unused rule #{oldrule} from #{@mu_name}", MU::NOTICE
+            MU::Cloud::Azure.network(credentials: @config['credentials']).security_rules.delete(@resource_group, @mu_name, oldrule)
+          }
+
+        end
+
+        # Log metadata about this ruleset to the currently running deployment
+        def notify
+          MU.structToHash(cloud_desc)
+        end
+
+        # Insert a rule into an existing security group.
+        #
+        # @param hosts [Array<String>]: An array of CIDR network addresses to which this rule will apply.
+        # @param proto [String]: One of "tcp," "udp," or "icmp"
+        # @param port [Integer]: A port number. Only valid with udp or tcp.
+        # @param egress [Boolean]: Whether this is an egress ruleset, instead of ingress.
+        # @param port_range [String]: A port range descriptor (e.g. 0-65535). Only valid with udp or tcp.
+        # @return [Array<Boolean,OpenStruct>]
+        def addRule(hosts, proto: "tcp", port: nil, egress: false, port_range: "0-65535", sgs: [], lbs: [], deny: false, weight: nil, oldrules: nil, num: 0, description: "")
+          if !oldrules
+            oldrules = {}
+            cloud_desc(use_cache: false).security_rules.each { |rule|
+              if rule.description and rule.description.match(/^#{Regexp.quote(@mu_name)} \d+:/)
+                oldrules[rule.name] = rule
+              end
+            }
+          end
+          used_priorities = oldrules.values.map { |r| r.priority }
+
+          rule_obj = MU::Cloud::Azure.network(:SecurityRule).new
+          resolved_sgs = []
+# XXX these are *Application* Security Groups, which are a different kind of
+# artifact. They take no parameters. Are they essentially a stub that can be
+# attached to certain artifacts to allow them to be referenced here?
+# http://54.175.86.194/docs/azure/Azure/Network/Mgmt/V2019_02_01/ApplicationSecurityGroups.html#create_or_update-instance_method
+          if sgs
+            sgs.each { |sg|
+# look up cloud id for... whatever these are
+            }
+          end
+
+          resolved_lbs = []
+          if lbs
+            lbs.each { |lb|
+# TODO awaiting LoadBalancer implementation
+            }
+          end
+
+          if egress
+            rule_obj.direction = MU::Cloud::Azure.network(:SecurityRuleDirection)::Outbound
+            if hosts and !hosts.empty?
+              rule_obj.source_address_prefix = "*"
+              if hosts == ["*"]
+                rule_obj.destination_address_prefix = "*"
+              else
+                rule_obj.destination_address_prefixes = hosts
+              end
+            end
+            if !resolved_sgs.empty?
+              rule_obj.destination_application_security_groups = resolved_sgs
+            end
+            if !rule_obj.destination_application_security_groups and
+               !rule_obj.destination_address_prefix and
+               !rule_obj.destination_address_prefixes
+              rule_obj.source_address_prefix = "*"
+              rule_obj.destination_address_prefix = "*"
+            end
+          else
+            rule_obj.direction = MU::Cloud::Azure.network(:SecurityRuleDirection)::Inbound
+            if hosts and !hosts.empty?
+              if hosts == ["*"]
+                rule_obj.source_address_prefix = "*"
+              else
+                rule_obj.source_address_prefixes = hosts
+              end
+              rule_obj.destination_address_prefix = "*"
+            end
+            if !resolved_sgs.empty?
+              rule_obj.source_application_security_groups = resolved_sgs
+            end
+            if !rule_obj.source_application_security_groups and
+               !rule_obj.source_address_prefix and
+               !rule_obj.source_address_prefixes
+              # should probably only do this if a port or port_range is named
+              rule_obj.source_address_prefix = "*"
+              rule_obj.destination_address_prefix = "*"
+            end
+          end
+
+          rname_port = "port-"
+          if port and port.to_s != "-1"
+            rule_obj.destination_port_range = port.to_s
+            rname_port += port.to_s
+          elsif port_range and port_range != "-1"
+            rule_obj.destination_port_range = port_range
+            rname_port += port_range
+          else
+            rule_obj.destination_port_range = "*"
+            rname_port += "all"
+          end
+
+          # We don't bother supporting restrictions on originating ports,
+          # because practically nobody does that.
+          rule_obj.source_port_range = "*"
+
+          rule_obj.protocol = MU::Cloud::Azure.network(:SecurityRuleProtocol).const_get(proto.capitalize)
+          rname_proto = "proto-"+ (proto == "asterisk" ? "all" : proto)
+
+          if deny
+            rule_obj.access = MU::Cloud::Azure.network(:SecurityRuleAccess)::Deny
+          else
+            rule_obj.access = MU::Cloud::Azure.network(:SecurityRuleAccess)::Allow
+          end
+
+          rname = rule_obj.access.downcase+"-"+rule_obj.direction.downcase+"-"+rname_proto+"-"+rname_port+"-"+num.to_s
+
+          if weight
+            rule_obj.priority = weight
+          elsif oldrules[rname]
+            rule_obj.priority = oldrules[rname].priority
+          else
+            default_priority = 999
+            begin
+              default_priority += 1 + num
+              rule_obj.priority = default_priority
+            end while used_priorities.include?(default_priority)
+          end
+          used_priorities << rule_obj.priority
+
+          rule_obj.description = "#{@mu_name} #{num.to_s}: #{rname}"
+       
+          # Now compare this to existing rules, and see if we need to update
+          # anything.
+          need_update = false
+          if oldrules[rname]
+            rule_obj.instance_variables.each { |var|
+              oldval = oldrules[rname].instance_variable_get(var)
+              newval = rule_obj.instance_variable_get(var)
+              need_update = true if oldval != newval
+            }
+
+            [:@destination_address_prefix, :@destination_address_prefixes,
+             :@destination_application_security_groups,
+             :@destination_address_prefix,
+             :@destination_address_prefixes,
+             :@destination_application_security_groups].each { |var|
+              next if !oldrules[rname].instance_variables.include?(var)
+              oldval = oldrules[rname].instance_variable_get(var)
+              newval = rule_obj.instance_variable_get(var)
+              if newval.nil? and !oldval.nil? and !oldval.empty?
+                need_update = true
+              end
+            }
+          else
+            need_update = true
+          end
+
+          if need_update
+            if oldrules[rname]
+              MU.log "Updating rule #{rname} in #{@mu_name}", MU::NOTICE, details: rule_obj
+            else
+              MU.log "Creating rule #{rname} in #{@mu_name}", details: rule_obj
+            end
+
+            resp = MU::Cloud::Azure.network(credentials: @config['credentials']).security_rules.create_or_update(@resource_group, @mu_name, rname, rule_obj)
+            return [!oldrules[rname].nil?, resp]
+          else
+            return [false, oldrules[rname]]
+          end
+
+        end
+
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
+          found = {}
+
+          # Azure resources are namedspaced by resource group. If we weren't
+          # told one, we may have to search all the ones we can see.
+          resource_groups = if args[:resource_group]
+            [args[:resource_group]]
+          elsif args[:cloud_id] and args[:cloud_id].is_a?(MU::Cloud::Azure::Id)
+            [args[:cloud_id].resource_group]
+          else
+            MU::Cloud::Azure.resources(credentials: args[:credentials]).resource_groups.list.map { |rg| rg.name }
+          end
+
+          if args[:cloud_id]
+            id_str = args[:cloud_id].is_a?(MU::Cloud::Azure::Id) ? args[:cloud_id].name : args[:cloud_id]
+            resource_groups.each { |rg|
+              begin
+                resp = MU::Cloud::Azure.network(credentials: args[:credentials]).network_security_groups.get(rg, id_str)
+                next if resp.nil?
+                found[Id.new(resp.id)] = resp
+              rescue MU::Cloud::Azure::APIError => e
+                # this is fine, we're doing a blind search after all
+              end
+            }
+          else
+            if args[:resource_group]
+              MU::Cloud::Azure.network(credentials: args[:credentials]).network_security_groups.list(args[:resource_group]).each { |net|
+                found[Id.new(net.id)] = net
+              }
+            else
+              MU::Cloud::Azure.network(credentials: args[:credentials]).network_security_groups.list_all.each { |net|
+                found[Id.new(net.id)] = net
+              }
+            end
+          end
+
+          found
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
+        # Denote whether this resource implementation is experiment, ready for
+        # testing, or ready for production use.
+        def self.quality
+          MU::Cloud::BETA
+        end
+
+        # Stub method. Azure resources are cleaned up by removing the parent
+        # resource group.
+        # @return [void]
+        def self.cleanup(**args)
+        end
+
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(rootparent: nil, billing: nil)
+          bok = {}
+
+          bok
+        end
+
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config = nil)
+          toplevel_required = []
+          hosts_schema = MU::Config::CIDR_PRIMITIVE
+          hosts_schema["pattern"] = "^(\\d+\\.\\d+\\.\\d+\\.\\d+\/[0-9]{1,2}|\\*)$"
+          schema = {
+            "rules" => {
+              "items" => {
+                "properties" => {
+                  "hosts" => {
+                    "type" => "array",
+                    "items" => hosts_schema
+                  },
+                  "weight" => {
+                    "type" => "integer",
+                    "description" => "Explicitly set a priority for this firewall rule, between 100 and 2096, with lower numbered priority rules having greater precedence."
+                  },
+                  "deny" => {
+                    "type" => "boolean",
+                    "default" => false,
+                    "description" => "Set this rule to +DENY+ traffic instead of +ALLOW+"
+                  },
+                  "proto" => {
+                    "description" => "The protocol to allow with this rule. The +standard+ keyword will expand to a series of identical rules covering +tcp+ and +udp; the +all+ keyword will allow all supported protocols. Currently only +tcp+ and +udp+ are supported by Azure, so the end result of these two keywords is identical.",
+                    "enum" => ["all", "standard", "tcp", "udp"],
+                    "default" => "standard"
+                  },
+#                  "source_tags" => {
+#                    "type" => "array",
+#                    "description" => "VMs with these tags, from which traffic will be allowed",
+#                    "items" => {
+#                      "type" => "string"
+#                    }
+#                  },
+#                  "source_service_accounts" => {
+#                    "type" => "array",
+#                    "description" => "Resources using these service accounts, from which traffic will be allowed",
+#                    "items" => {
+#                      "type" => "string"
+#                    }
+#                  },
+#                  "target_tags" => {
+#                    "type" => "array",
+#                    "description" => "VMs with these tags, to which traffic will be allowed",
+#                    "items" => {
+#                      "type" => "string"
+#                    }
+#                  },
+#                  "target_service_accounts" => {
+#                    "type" => "array",
+#                    "description" => "Resources using these service accounts, to which traffic will be allowed",
+#                    "items" => {
+#                      "type" => "string"
+#                    }
+#                  }
+                }
+              }
+            },
+          }
+          [toplevel_required, schema]
+        end
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::firewall_rules}, bare and unvalidated.
+        # @param acl [Hash]: The resource to process and validate
+        # @param config [MU::Config]: The overall deployment config of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(acl, config)
+          ok = true
+          acl['region'] ||= MU::Cloud::Azure.myRegion(acl['credentials'])
+
+          append = []
+          delete = []
+          acl['rules'] ||= []
+          acl['rules'].concat(config.adminFirewallRuleset(cloud: "Azure", region: acl['region'], rules_only: true))
+          acl['rules'].each { |r|
+            if r["weight"] and (r["weight"] < 100 or r["weight"] > 4096)
+              MU.log "FirewallRule #{acl['name']} weight must be between 100 and 4096", MU::ERR
+              ok = false
+            end
+            if r["hosts"]
+              r["hosts"].each { |cidr|
+                r["hosts"] << "*" if cidr == "0.0.0.0/0"
+              }
+              r["hosts"].delete("0.0.0.0/0")
+            end
+
+            if (!r['hosts'] or r['hosts'].empty?) and
+               (!r['lbs'] or r['lbs'].empty?) and
+               (!r['sgs'] or r['sgs'].empty?)
+              r["hosts"] = ["*"]
+              MU.log "FirewallRule #{acl['name']} did not specify any hosts, sgs or lbs, defaulting this rule to allow 0.0.0.0/0", MU::NOTICE
+            end
+
+
+            if r['proto'] == "standard"
+              ["tcp", "udp"].each { |p|
+                newrule = r.dup
+                newrule['proto'] = p
+                append << newrule
+              }
+              delete << r
+            elsif r['proto'] == "all" or !r['proto']
+              r['proto'] = "asterisk" # legit, the name of the constant
+            end
+          }
+          delete.each { |r|
+            acl['rules'].delete(r)
+          }
+          acl['rules'].concat(append)
+
+          ok
+        end
+
+        private
+
+        def create_update
+
+          fw_obj = MU::Cloud::Azure.network(:NetworkSecurityGroup).new
+          fw_obj.location = @config['region']
+          fw_obj.tags = @tags
+
+          need_apply = false
+          ext_ruleset = MU::Cloud::Azure.network(credentials: @config['credentials']).network_security_groups.get(
+            @resource_group,
+            @mu_name
+          )
+          if ext_ruleset
+            @cloud_id = MU::Cloud::Azure::Id.new(ext_ruleset.id)
+          end
+
+          if !ext_ruleset
+            MU.log "Creating Network Security Group #{@mu_name} in #{@config['region']}", details: fw_obj
+            need_apply = true
+          elsif ext_ruleset.location != fw_obj.location or
+                ext_ruleset.tags != fw_obj.tags
+            MU.log "Updating Network Security Group #{@mu_name} in #{@config['region']}", MU::NOTICE, details: fw_obj
+            need_apply = true
+          end
+
+          if need_apply
+            resp = MU::Cloud::Azure.network(credentials: @config['credentials']).network_security_groups.create_or_update(
+              @resource_group,
+              @mu_name,
+              fw_obj
+            )
+
+            @cloud_id = MU::Cloud::Azure::Id.new(resp.id)
+          end
+        end
+
+      end #class
+    end #class
+  end
+end #module