cloud-mu 2.1.0beta → 3.0.0beta

data/modules/mu/clouds/azure/user.rb

@@ -0,0 +1,257 @@
+# Copyright:: Copyright (c) 2018 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+  class Cloud
+    class Azure
+      # A user as configured in {MU::Config::BasketofKittens::users}
+      class User < MU::Cloud::User
+
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+
+          if !mu_name.nil?
+            @mu_name = mu_name
+            @cloud_id = Id.new(cloud_desc.id) if @cloud_id
+          else
+            @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 31)
+          end
+
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          @config['region'] ||= MU::Cloud::Azure.myRegion(@config['credentials'])
+          rgroup_name = @deploy.deploy_id+"-"+@config['region'].upcase
+
+          tags = {}
+          if !@config['scrub_mu_isms']
+            tags = MU::MommaCat.listStandardTags
+          end
+          if @config['tags']
+            @config['tags'].each { |tag|
+              tags[tag['key']] = tag['value']
+            }
+          end
+
+          if @config['type'] == "interactive"
+            raise Mu::MuError, "I don't know how to make interactive users in Azure yet"
+          else
+            ident_obj = MU::Cloud::Azure.serviceaccts(:Identity).new
+#            ident_obj.name = @mu_name
+            ident_obj.location = @config['region']
+            ident_obj.tags = tags
+            begin
+              MU.log "Creating service account #{@mu_name}"
+              resp = MU::Cloud::Azure.serviceaccts(credentials: @config['credentials']).user_assigned_identities.create_or_update(rgroup_name, @mu_name, ident_obj)
+              @cloud_id = Id.new(resp.id)
+            rescue ::MsRestAzure::AzureOperationError => e
+              MU::Cloud::Azure.handleError(e)
+            end
+
+            begin
+              sleep 1
+            end while cloud_desc(use_cache: false).nil? or cloud_desc.client_id.nil?
+
+          end
+        end
+
+        # If we're a managed service identity or otherwise have a URL for
+        # fetching our client secret, fetch it and return it.
+        # XXX this doesn't work, and may not be intended to
+        # @return [String]
+        def getSecret
+          if cloud_desc and cloud_desc.client_secret_url
+            cred_hash = MU::Cloud::Azure.getSDKOptions(@credentials)
+
+            token_provider = MsRestAzure::ApplicationTokenProvider.new(
+              cred_hash[:tenant_id],
+              cred_hash[:client_id],
+              cred_hash[:client_secret]
+            )
+            cred_obj = MsRest::TokenCredentials.new(token_provider)
+
+            client = ::MsRest::ServiceClient.new(cred_obj)
+            cloud_desc.client_secret_url.match(/^(http.*?\.azure\.net)(\/.*)/)
+            base = Regexp.last_match[1]
+            path = Regexp.last_match[2]
+#MU.log "Calling into #{base} #{path}"
+            promise = client.make_request_async(
+              cloud_desc.client_secret_url,
+              :get,
+              path
+            )
+
+            # XXX this is async, need to stop and wait somehow
+            promise.then do | result|
+              resp = result.response
+#              MU.log "RESPONSE", MU::WARN, details: resp
+            end
+          end
+          nil
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          rgroup_name = @deploy.deploy_id+"-"+@config['region'].upcase
+          if @config['roles']
+            @config['roles'].each { |role|
+              MU::Cloud::Azure::Role.assignTo(cloud_desc.principal_id, role_name: role, credentials: @config['credentials'])
+            }
+          end
+        end
+
+        # Return the metadata for this user configuration
+        # @return [Hash]
+        def notify
+          description = MU.structToHash(cloud_desc)
+          if description
+            description.delete(:etag)
+            return description
+          end
+          {
+          }
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+
+        # Denote whether this resource implementation is experiment, ready for
+        # testing, or ready for production use.
+        def self.quality
+          MU::Cloud::ALPHA
+        end
+
+        # Stub method. Azure resources are cleaned up by removing the parent
+        # resource group.
+        # @return [void]
+        def self.cleanup(**args)
+        end
+
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
+          found = {}
+
+# XXX Had to register Microsoft.ApiManagement at https://portal.azure.com/#@eglobaltechlabs.onmicrosoft.com/resource/subscriptions/3d20ddd8-4652-4074-adda-0d127ef1f0e0/resourceproviders
+# ffs automate this process, it's just like API enabling in GCP
+
+          # Azure resources are namedspaced by resource group. If we weren't
+          # told one, we may have to search all the ones we can see.
+          resource_groups = if args[:resource_group]
+            [args[:resource_group]]
+          elsif args[:cloud_id] and args[:cloud_id].is_a?(MU::Cloud::Azure::Id)
+            [args[:cloud_id].resource_group]
+          else
+            MU::Cloud::Azure.resources(credentials: args[:credentials]).resource_groups.list.map { |rg| rg.name }
+          end
+
+          if args[:cloud_id]
+            id_str = args[:cloud_id].is_a?(MU::Cloud::Azure::Id) ? args[:cloud_id].name : args[:cloud_id]
+            resource_groups.each { |rg|
+              resp = MU::Cloud::Azure.serviceaccts(credentials: args[:credentials]).user_assigned_identities.get(rg, id_str)
+              found[Id.new(resp.id)] = resp if resp
+            }
+          else
+            if args[:resource_group]
+              MU::Cloud::Azure.serviceaccts(credentials: args[:credentials]).user_assigned_identities.list_by_resource_group.each { |ident|
+                found[Id.new(ident.id)] = ident
+              }
+            else
+              MU::Cloud::Azure.serviceaccts(credentials: args[:credentials]).user_assigned_identities.list_by_subscription.each { |ident|
+                found[Id.new(ident.id)] = ident
+              }
+            end
+          end
+
+          found
+        end
+
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config)
+          toplevel_required = []
+          schema = {
+            "region" => MU::Config.region_primitive,
+            "name" => {
+              "type" => "string",
+              "description" => "The name of a account to create. Currently, +service+ is the only account type we support in Azure."
+            },
+            "type" => {
+              "type" => "string",
+              "description" => "'service' will create a service account (machine credentials) and generate API keys",
+              "enum" => ["service"]
+            },
+            "roles" => {
+              "type" => "array",
+              "description" => "One or more Azure Authorization roles to associate with this resource.",
+              "default" => ["Reader"],
+              "items" => {
+                "type" => "string",
+                "description" => "One or more Azure Authorization roles to associate with this resource. If no roles are specified, we default to +Reader+, which permits read-only access subscription-wide."
+              }
+            }
+          }
+          [toplevel_required, schema]
+        end
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::users}, bare and unvalidated.
+        # @param user [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(user, configurator)
+          ok = true
+          user['region'] ||= MU::Cloud::Azure.myRegion(user['credentials'])
+
+#          if user['groups'] and user['groups'].size > 0 and
+#             !MU::Cloud::Azure.credConfig(user['credentials'])['masquerade_as']
+#            MU.log "Cannot change Azure group memberships in non-GSuite environments.\nVisit https://groups.google.com to manage groups.", MU::ERR
+#            ok = false
+#          end
+
+          if user['type'] != "service" and user["create_api_key"]
+            MU.log "Only service accounts can have API keys in Azure", MU::ERR
+            ok = false
+          end
+
+          if user['type'] != "service"
+            MU.log "Human accounts not yet supported in Azure::User", MU::ERR
+            ok = false
+          end
+
+          ok
+        end
+
+        private
+
+        def bind_human_user
+        end
+
+      end
+    end
+  end
+end

data/modules/mu/clouds/azure/userdata/README.md

@@ -0,0 +1,4 @@
+
+Baseline CloudInit userdata scripts for MU nodes to self-configure.
+
+See also: https://help.ubuntu.com/community/CloudInit

data/modules/mu/clouds/azure/userdata/linux.erb

@@ -0,0 +1,137 @@
+#!/bin/sh
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+updates_run=0
+need_reboot=0
+instance_id="`curl http://metadata.google.internal/computeMetadata/v1/instance/name`"
+if [ -f /etc/debian_version ];then
+	if ! grep '^/bin/sh /var/lib/cloud/instance/user-data.txt$' /etc/rc.local > /dev/null;then
+		echo "/bin/sh /var/lib/cloud/instance/user-data.txt" >> /etc/rc.local
+	fi
+	apt-get update -y
+	if [ ! -f /usr/bin/curl ] ;then /usr/bin/apt-get --fix-missing -y install curl;fi
+<% if !$mu.skipApplyUpdates %>
+	if [ ! -f /.mu-installer-ran-updates ];then
+		service ssh stop
+		apt-get --fix-missing -y upgrade 
+		if [ $? -eq 0 ]
+		then
+		  echo "Successfully updated packages"
+		  updates_run=1
+		else
+		  echo "FAILED PACKAGE UPDATE" >&2
+		fi
+		# Proceed regardless
+		touch /.mu-installer-ran-updates
+
+		# XXX this logic works on Ubuntu, is it Debian-friendly?
+		latest_kernel="`ls -1 /boot/vmlinuz-* | sed -r 's/^\/boot\/vmlinuz-//' | tail -1`"
+		running_kernel="`uname -r`"
+		if [ "$running_kernel" != "$latest_kernel" -a "$latest_kernel" != "" ];then
+			need_reboot=1
+		else
+			service ssh start
+		fi
+	fi
+<% end %>
+elif [ -x /usr/bin/yum ];then
+	version=`/bin/rpm -qa \*-release | grep -Ei "redhat|centos" | cut -d"-" -f3`
+	if [ -z "$version" ];then
+		amazon_version=`/bin/rpm -qa \*-release | grep -Ei "system-release"| cut -d"-" -f3 | cut -d"." -f1`
+		if [ "$amazon_version" == "2014" ] || [ "$amazon_version" == "2015" ] || [ "$amazon_version" == "2016" ];then
+			version=6
+		fi
+	fi
+	if [ $version -eq 7 ];then
+		userdata_dir="/var/lib/cloud/instances/$instance_id"
+	else
+		userdata_dir="/var/lib/cloud/instance"
+	fi
+	if ! grep "^/bin/sh $userdata_dir/user-data.txt$" /etc/rc.d/rc.local > /dev/null;then
+		echo "/bin/sh $userdata_dir/user-data.txt" >> /etc/rc.d/rc.local
+	fi
+
+  sed -i 's/^Defaults.*requiretty$/Defaults   !requiretty/' /etc/sudoers
+
+	if [ $version == 7 ];then
+		chmod 755 /etc/rc.d/rc.local
+	fi
+	if [ ! -f /usr/bin/curl ] ;then /usr/bin/yum -y install curl;fi
+	# Ugh, rando EPEL mirror
+	if [ ! -f /etc/yum.repos.d/epel.repo ];then
+		/bin/rpm -ivh http://mirror.metrocast.net/fedora/epel/epel-release-latest-$version.noarch.rpm
+	fi
+<% if !$mu.skipApplyUpdates %>
+	if [ ! -f /.mu-installer-ran-updates ];then
+		service sshd stop
+		kernel_update=`yum list updates | grep kernel`
+		yum -y update
+		if [ $? -eq 0 ]
+		then
+		  echo "Successfully updated packages"
+		  updates_run=1
+		else
+		  echo "FAILED PACKAGE UPDATE" >&2
+		fi
+		# Proceed regardless
+		touch /.mu-installer-ran-updates
+		if [ -n "$kernel_update" ]; then
+			need_reboot=1
+		else
+			service sshd start
+		fi
+	fi
+<% end %>
+fi
+
+umask 0077
+
+# Install Chef now, because why not?
+if [ ! -f /opt/chef/embedded/bin/ruby ];then
+	curl https://www.chef.io/chef/install.sh > chef-install.sh
+	set +e
+	# We may run afoul of a synchronous bootstrap process doing the same thing. So
+	# wait until we've managed to run successfully.
+	while ! sh chef-install.sh -v <%= $mu.chefVersion %>;do
+		sleep 10
+	done
+	touch /opt/mu_installed_chef
+	set -e
+fi
+
+<% if !$mu.skipApplyUpdates %>
+if [ "$need_reboot" == "1" ];then
+	shutdown -r now "Applying new kernel"
+fi
+<% end %>
+
+gsutil cp gs://<%= $mu.adminBucketName %>/<%= $mu.muID %>-secret .
+
+echo '
+require "openssl"
+require "base64"
+key = OpenSSL::PKey::RSA.new(Base64.urlsafe_decode64("<%= $mu.deployKey %>"))
+print Base64.urlsafe_encode64(key.public_encrypt(File.read("<%= $mu.muID %>-secret")))
+' > encrypt_deploy_secret.rb
+
+deploykey="<%= $mu.deployKey %>"
+instance_id="`curl http://metadata.google.internal/computeMetadata/v1/instance/name`"
+
+# Make double-sure sshd is actually up
+service sshd restart
+
+/usr/bin/curl -k --data mu_id="<%= $mu.muID %>" --data mu_resource_name="<%= $mu.resourceName %>" --data mu_resource_type="<%= $mu.resourceType %>" --data mu_instance_id="$instance_id" --data mu_bootstrap="1" --data mu_user="<%= $mu.muUser %>" --data mu_deploy_secret="`/opt/chef/embedded/bin/ruby encrypt_deploy_secret.rb`" https://<%= $mu.publicIP %>:<%= $mu.mommaCatPort %>/
+/bin/rm -f <%= $mu.muID %>-secret mu_deploy_key.pub chef-install.sh encrypt_deploy_secret.rb
+touch /.mu_userdata_complete

data/modules/mu/clouds/azure/userdata/windows.erb

@@ -0,0 +1,275 @@
+<powershell>
+Set-ExecutionPolicy Unrestricted -Force -Scope CurrentUser
+
+$sshdUser = "sshd_service"
+$tmp = "$env:Temp\mu-userdata"
+mkdir $tmp
+$logfile = "c:/Mu-Bootstrap-$([Environment]::UserName).log"
+$basedir = 'c:/bin'
+$cygwin_dir = "$basedir/cygwin"
+$username = (whoami).Split('\')[1]
+$WebClient = New-Object System.Net.WebClient
+$awsmeta = "http://169.254.169.254/latest"
+$pydir = 'c:\bin\python\python27'
+$pyv = '2.7.14'
+$env:Path += ";$pydir\Scripts;$pydir"
+
+function log
+{
+  Write-Host $args
+  Add-Content "c:/Mu-Bootstrap-$([Environment]::UserName).log" "$(Get-Date -f MM-dd-yyyy_HH:mm:ss) $args"
+  Add-Content "c:/Mu-Bootstrap-GLOBAL.log" "$(Get-Date -f MM-dd-yyyy_HH:mm:ss) $args"
+}
+
+function fetchSecret([string]$file){
+  log "Fetching s3://<%= $mu.adminBucketName %>/$file to $tmp/$file"
+  aws.cmd s3 cp s3://<%= $mu.adminBucketName %>/$file $tmp/$file
+}
+
+function importCert([string]$cert, [string]$store){
+  fetchSecret($cert)
+  if(!(Test-Path "$tmp/$cert")){
+    return $null
+  }
+  # XXX guard better (check thumbprint & CN)
+  if($store -ne "Root"){
+    Remove-Item -Path Cert:/LocalMachine/$store/* -Force -Recurse
+  }
+  if($cert -Match ".pfx$"){
+    return Import-PfxCertificate -FilePath $tmp/$cert -CertStoreLocation Cert:\LocalMachine\$store
+  } else {
+    return Import-Certificate -FilePath $tmp/$cert -CertStoreLocation Cert:\LocalMachine\$store
+  }
+  Remove-Item -Force "$tmp/$cert"
+}
+
+log "- Invoked as $([Environment]::UserName) (system started at $(Get-CimInstance -ClassName win32_operatingsystem | select lastbootuptime)) -"
+<% if !$mu.skipApplyUpdates %>
+If (!(Test-Path "c:/mu-installer-ran-updates")){
+  Stop-Service -ErrorAction SilentlyContinue sshd
+}
+<% end %>
+<% if $mu.platform != "win2k16" %>
+If ([Environment]::OSVersion.Version.Major -lt 10) {
+  If ("$($myInvocation.MyCommand.Path)" -ne "$tmp/realuserdata_stripped.ps1"){
+    $Error.Clear()
+    Invoke-WebRequest -Uri "$awsmeta/user-data" -OutFile $tmp/realuserdata.ps1
+    while($Error.count -gt 0){
+      $Error.Clear()
+      log "Failed to retrieve current userdata from $awsmeta/user-data, waiting 15s and retrying"
+      sleep 15
+      Invoke-WebRequest -Uri "$awsmeta/user-data" -OutFile $tmp/realuserdata.ps1
+    }
+    Get-Content $tmp/realuserdata.ps1 | Select-String -pattern '^#','^<' -notmatch | Set-Content $tmp/realuserdata_stripped.ps1
+    If (Compare-Object (Get-Content $myInvocation.MyCommand.Path) (Get-Content $tmp/realuserdata_stripped.ps1)){
+      log "Invoking $tmp/realuserdata.ps1 in lieu of $($myInvocation.MyCommand.Path)"
+      Invoke-Expression $tmp/realuserdata_stripped.ps1
+      exit
+    }
+  }
+}
+<% end %>
+$admin_username = (Get-WmiObject -Query 'Select * from Win32_UserAccount Where (LocalAccount=True and SID like "%-500")').name
+log "Local admin: $admin_username"
+
+Add-Type -Assembly System.Web
+$password = [Web.Security.Membership]::GeneratePassword(15,2)
+
+If (!(Test-Path $basedir)){
+  mkdir $basedir
+}
+
+<% if $mu.platform != "win2k16" %>
+If ([Environment]::OSVersion.Version.Major -lt 10) {
+  If (!(Get-ScheduledTask -TaskName 'run-userdata')){
+    log "Adding run-userdata scheduled task (user NT AUTHORITY\SYSTEM)"
+    Invoke-WebRequest -Uri "https://s3.amazonaws.com/cloudamatic/run-userdata_scheduledtask.xml" -OutFile $tmp/run-userdata_scheduledtask.xml
+    Register-ScheduledTask -Xml (Get-Content "$tmp/run-userdata_scheduledtask.xml" | out-string) -TaskName 'run-userdata' -Force -User ".\$admin_username"
+  }
+}
+<% end %>
+
+If (!(Test-Path "$pydir\python.exe")){
+  If (!(Test-Path $tmp\python-$pyv.msi)){
+    log "Downloading Python installer"
+    $WebClient.DownloadFile("https://www.python.org/ftp/python/$pyv/python-$pyv.msi","$tmp/python-$pyv.msi")
+  }
+  log "Running Python installer"
+  (Start-Process -FilePath msiexec -ArgumentList "/i $tmp\python-$pyv.msi /qn ALLUSERS=1 TARGETDIR=$pydir" -Wait -Passthru).ExitCode
+}
+
+If (!(Test-Path "$pydir\Scripts\aws.cmd")){
+  If (!(Test-Path $tmp/get-pip.py)){
+    log "Downloading get-pip.py"
+    $WebClient.DownloadFile("https://bootstrap.pypa.io/get-pip.py","$tmp/get-pip.py")
+  }
+  python $tmp/get-pip.py
+  log "Running pip install awscli"
+  pip install awscli
+}
+
+function removeChef($location){
+  $install_chef = $false
+  $my_chef = (Get-ItemProperty $location | Where-Object {$_.DisplayName -like "chef client*"}).DisplayName
+  if ($my_chef) {
+    if ($my_chef -match '<%= $mu.chefVersion %>'.split('-')[0]) {
+      $install_chef = $false
+    } else{
+      log "Uninstalling Chef"
+      $uninstall_string = (Get-ItemProperty $location | Where-Object {$_.DisplayName -like "chef client*"}).UninstallString
+      $uninstall_string = ($uninstall_string -Replace "msiexec.exe","" -Replace "/I","" -Replace "/X","").Trim()
+      $($uninstall_string -Replace '[\s\t]+', ' ').Split() | ForEach {
+        log "msiexec.exe /X $_ /gn"
+        start-process "msiexec.exe" -arg "/X $_ /qn" -Wait
+      }
+      $install_chef = $true
+    }
+  }
+  
+  return $install_chef
+}
+
+If (!(Test-Path "c:\opscode\chef\embedded\bin\ruby.exe")){
+  $install_chef = $true
+} else {
+  if (removeChef("HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*")){
+    $install_chef = $true
+  } elseif (removeChef("HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*")) {
+    $install_chef = $true
+  } else {
+    $install_chef = $false
+  }
+}
+
+If ($install_chef){
+  log "Installing Chef <%= $mu.chefVersion %>"
+  If (!(Test-Path $env:Temp/chef-installer-<%= $mu.chefVersion %>.msi)){
+    log "Downloading Chef installer"
+    $WebClient.DownloadFile("https://www.chef.io/chef/download?p=windows&pv=2012&m=x86_64&v=<%= $mu.chefVersion %>","$env:Temp/chef-installer-<%= $mu.chefVersion %>.msi")
+  }
+  log "Running Chef installer"
+  (Start-Process -FilePath msiexec -ArgumentList "/i $env:Temp\chef-installer-<%= $mu.chefVersion %>.msi ALLUSERS=1 /le $env:Temp\chef-client-install.log /qn" -Wait -Passthru).ExitCode
+  Set-Content "c:/mu_installed_chef" "yup"
+}
+
+fetchSecret("<%= $mu.muID %>-secret")
+log "Encrypting Mu deploy secret"
+$deploy_secret = & "c:\opscode\chef\embedded\bin\ruby" -ropenssl -rbase64 -e "key = OpenSSL::PKey::RSA.new(Base64.urlsafe_decode64('<%= $mu.deployKey %>'))" -e "print Base64.urlsafe_encode64(key.public_encrypt(File.read('$tmp\<%= $mu.muID %>-secret')))"
+
+function callMomma([string]$act)
+{
+  $params = @{mu_id='<%= $mu.muID %>';mu_resource_name='<%= $mu.resourceName %>';mu_resource_type='<%= $mu.resourceType %>';mu_instance_id="$awsid";mu_user='<%= $mu.muUser %>';mu_deploy_secret="$deploy_secret";$act="1"}
+  log "Calling Momma Cat at https://<%= $mu.publicIP %>:<%= $mu.mommaCatPort %> with $act"
+  [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} # XXX
+  $resp = Invoke-WebRequest -Uri https://<%= $mu.publicIP %>:<%= $mu.mommaCatPort %> -Method POST -Body $params
+  return $resp.Content
+}
+
+$awsid=(New-Object System.Net.WebClient).DownloadString("$awsmeta/meta-data/instance-id")
+
+$credstr = callMomma "mu_windows_admin_creds"
+$creds = $false
+$real_admin_user = $admin_username
+if($credstr){
+  $credparts = $credstr.Split(";", 2)
+  $creds = New-Object System.Management.Automation.PSCredential($credparts[0], (ConvertTo-SecureString $credparts[1] -AsPlainText -Force))
+  if($admin_username -ne $credparts[0]){
+    if ((Get-WmiObject win32_computersystem).partofdomain -ne $true){
+      (([adsi]("WinNT://./$admin_username, user")).psbase.invoke("SetPassword", $credparts[1]))
+      log "Changing local admin account from $admin_username to $($credparts[0])"
+      ([adsi]("WinNT://./$admin_username, user")).psbase.rename($credparts[0])
+      $need_reboot = $TRUE
+      $real_admin_user = $credparts[0]
+    } ElseIf(!$admin_username){
+      $admin_username = $credparts[0]
+    }
+  } ElseIf($creds){
+    log "Setting $admin_username password"
+    (([adsi]("WinNT://./$admin_username, user")).psbase.invoke("SetPassword", $credparts[1]))
+  }
+} else {
+  log "Failed to get credentials from Momma Cat for some reason $($credstr)"
+}
+
+If (!(Test-Path $tmp/PSWindowsUpdate.zip)){
+  If (!(Test-Path c:/Users/$admin_username/Documents/WindowsPowerShell/Modules)){
+    mkdir c:/Users/$admin_username/Documents/WindowsPowerShell/Modules
+  }
+
+  $WebClient.DownloadFile("https://s3.amazonaws.com/cloudamatic/PSWindowsUpdate.zip","$tmp/PSWindowsUpdate.zip")
+  Add-Type -A 'System.IO.Compression.FileSystem'
+
+  If (!(Test-Path c:/windows/System32/WindowsPowerShell/v1.0/Modules/PSWindowsUpdate)){
+    log "Extracting PSWindowsUpdate module to c:/windows/System32/WindowsPowerShell/v1.0/Modules"
+    [IO.Compression.ZipFile]::ExtractToDirectory("$tmp/PSWindowsUpdate.zip", "c:/windows/System32/WindowsPowerShell/v1.0/Modules")
+  }
+  If (!(Test-Path c:/Users/$admin_username/Documents/WindowsPowerShell/Modules/PSWindowsUpdate)){
+    log "Extracting PSWindowsUpdate module to c:/Users/$admin_username/Documents/WindowsPowerShell"
+    [IO.Compression.ZipFile]::ExtractToDirectory("$tmp/PSWindowsUpdate.zip", "c:/Users/$admin_username/Documents/WindowsPowerShell/Modules")
+  }
+}
+
+<% if !$mu.skipApplyUpdates %>
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name AUOptions -Value 3
+If (!(Test-Path "c:/mu-installer-ran-updates")){
+  log "Applying Windows updates"
+  Import-Module PSWindowsUpdate
+  Get-WUInstall -AcceptAll -IgnoreReboot
+  Start-Sleep -s 60
+  If (Test-Path "HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/WindowsUpdate/Auto Update/RebootRequired"){
+    $need_reboot = $TRUE
+  }
+}
+<% end %>
+
+if((Get-WURebootStatus -Silent) -eq $true){
+  log "Get-WURebootStatus says to reboot"
+  $need_reboot = $TRUE
+}
+
+$muca = importCert "Mu_CA.pem" "Root"
+
+$myname = "<%= $mu.muID %>-<%= $mu.resourceName.upcase %>"
+
+$nodecert = importCert "$myname.pfx" "My"
+$thumb = $nodecert.Thumbprint
+# XXX guard this properly
+winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
+winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$myname`";CertificateThumbprint=`"$thumb`"}"
+$ingroup = net localgroup WinRMRemoteWMIUsers__ | Where-Object {$_ -eq $admin_username}
+if($ingroup -ne $admin_username){
+  net localgroup WinRMRemoteWMIUsers__ /add $admin_username
+}
+
+$winrmcert = importCert "$myname-winrm.crt" "TrustedPeople"
+Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1
+if($creds){
+  log "Enabling WinRM cert auth for $real_admin_user"
+  New-Item -Path WSMan:\localhost\ClientCertificate -Subject "$real_admin_user@localhost" -URI * -Issuer $muca.Thumbprint -Force -Credential $creds
+}
+winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="8192"}'
+winrm set winrm/config '@{MaxTimeoutms="1800000"}'
+Restart-Service WinRm
+
+if ($need_reboot){
+  log "- REBOOT -"
+  Restart-Computer -Force
+  exit
+}
+
+if (!(Get-NetFirewallRule -DisplayName "Allow SSH" -ErrorAction SilentlyContinue)){
+  log "Opening port 22 in Windows Firewall"
+  New-NetFirewallRule -DisplayName "Allow SSH" -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow
+}
+if (!(Get-NetFirewallRule -DisplayName "Allow WinRM SSL" -ErrorAction SilentlyContinue)){
+  New-NetFirewallRule -DisplayName "Allow WinRM SSL" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow
+}
+
+Add-Content c:/mu-installer-ran-updates "$(Get-Date -f MM-dd-yyyy_HH:mm:ss)"
+callMomma "mu_bootstrap"
+Set-Content "c:/mu_userdata_complete" "yup"
+Remove-Item -Recurse $tmp
+Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Undefined
+</powershell>
+<persist>true</persist>