RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/clouds/azure/vpc.rb ADDED

@@ -0,0 +1,782 @@
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+module MU
+  class Cloud
+    class Azure
+      # Creation of Virtual Private Clouds and associated artifacts (routes, subnets, etc).
+      class VPC < MU::Cloud::VPC
+        attr_reader :cloud_desc_cache
+        attr_reader :resource_group
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+          @subnets = []
+          @subnetcachesemaphore = Mutex.new
+          if !mu_name.nil?
+            @mu_name = mu_name
+            if @cloud_id
+              cloud_desc
+              @cloud_id = Id.new(cloud_desc.id)
+              @resource_group ||= @cloud_id.resource_group
+              loadSubnets(use_cache: true)
+            end
+          elsif @config['scrub_mu_isms']
+            @mu_name = @config['name']
+          else
+            @mu_name = @deploy.getResourceName(@config['name'])
+          end
+        end
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          create_update
+        end
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          if @config['peers']
+            count = 0
+            @config['peers'].each { |peer|
+              if peer['vpc']['name']
+                peer_obj = @deploy.findLitterMate(name: peer['vpc']['name'], type: "vpcs", habitat: peer['vpc']['project'])
+                next if peer_obj.mu_name < @mu_name # both of us would try to create this peering, otherwise, so don't step on each other
+              else
+                tag_key, tag_value = peer['vpc']['tag'].split(/=/, 2) if !peer['vpc']['tag'].nil?
+                if peer['vpc']['deploy_id'].nil? and peer['vpc']['id'].nil? and tag_key.nil?
+                  peer['vpc']['deploy_id'] = @deploy.deploy_id
+                end
+                peer_obj = MU::MommaCat.findStray(
+                  "Azure",
+                  "vpcs",
+                  deploy_id: peer['vpc']['deploy_id'],
+                  cloud_id: peer['vpc']['id'],
+                  name: peer['vpc']['name'],
+                  tag_key: tag_key,
+                  tag_value: tag_value,
+                  dummy_ok: true
+                ).first
+              end
+              raise MuError, "No result looking for #{@mu_name}'s peer VPCs (#{peer['vpc']})" if peer_obj.nil?
+              ext_peerings = MU::Cloud::Azure.network(credentials: @credentials).virtual_network_peerings.list(@resource_group, @cloud_id)
+              peer_name = @mu_name+"-"+@config['name'].upcase+"-"+peer_obj.config['name'].upcase
+              peer_params = MU::Cloud::Azure.network(:VirtualNetworkPeering).new
+              peer_params.remote_virtual_network = peer_obj.cloud_desc
+              peer['allow_forwarded_traffic'] ||= false
+              peer_params.allow_forwarded_traffic = peer['allow_forwarded_traffic']
+              peer['allow_gateway_traffic'] ||= false
+              peer_params.allow_gateway_transit = peer['allow_gateway_traffic']
+              need_update = true
+              exists = false
+              ext_peerings.each { |ext_peering|
+                if ext_peering.remote_virtual_network.id == peer_obj.cloud_desc.id
+                  exists = true
+                  need_update = (ext_peering.allow_forwarded_traffic != peer_params.allow_forwarded_traffic or ext_peering.allow_gateway_transit != peer_params.allow_gateway_transit)
+                end
+              }
+              if need_update
+                if !exists
+                  MU.log "Creating peering connection from #{@mu_name} to #{peer_obj.mu_name}", details: peer_params
+                else
+                  MU.log "Updating peering connection from #{@mu_name} to #{peer_obj.mu_name}", MU::NOTICE, details: peer_params
+                end
+                MU::Cloud::Azure.network(credentials: @credentials).virtual_network_peerings.create_or_update(@resource_group, @cloud_id, peer_name, peer_params)
+              end
+            }
+          end
+          create_update
+        end
+        # Describe this VPC
+        # @return [Hash]
+        def notify
+          base = {}
+          base = MU.structToHash(cloud_desc)
+          base["cloud_id"] = @cloud_id.name
+          base.merge!(@config.to_h)
+          base
+        end
+#
+        # Describe this VPC from the cloud platform's perspective
+        # @return [Hash]
+        def cloud_desc
+          if @cloud_desc_cache
+            return @cloud_desc_cache
+          end
+          @cloud_desc_cache = MU::Cloud::Azure::VPC.find(cloud_id: @cloud_id, resource_group: @resource_group).values.first
+          @cloud_id ||= Id.new(@cloud_desc_cache.id)
+          @cloud_desc_cache
+        end
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
+          found = {}
+          # Azure resources are namedspaced by resource group. If we weren't
+          # told one, we may have to search all the ones we can see.
+          resource_groups = if args[:resource_group]
+            [args[:resource_group]]
+          elsif args[:cloud_id] and args[:cloud_id].is_a?(MU::Cloud::Azure::Id)
+            [args[:cloud_id].resource_group]
+          else
+            MU::Cloud::Azure.resources(credentials: args[:credentials]).resource_groups.list.map { |rg| rg.name }
+          end
+          if args[:cloud_id]
+            id_str = args[:cloud_id].is_a?(MU::Cloud::Azure::Id) ? args[:cloud_id].name : args[:cloud_id]
+            resource_groups.each { |rg|
+              resp = MU::Cloud::Azure.network(credentials: args[:credentials]).virtual_networks.get(rg, id_str)
+              found[Id.new(resp.id)] = resp if resp
+            }
+          else
+            if args[:resource_group]
+              MU::Cloud::Azure.network(credentials: args[:credentials]).virtual_networks.list(args[:resource_group]).each { |net|
+                found[Id.new(net.id)] = net
+              }
+            else
+              MU::Cloud::Azure.network(credentials: args[:credentials]).virtual_networks.list_all.each { |net|
+                found[Id.new(net.id)] = net
+              }
+            end
+          end
+          found
+        end
+        # Return an array of MU::Cloud::Azure::VPC::Subnet objects describe the
+        # member subnets of this VPC.
+        #
+        # @return [Array<MU::Cloud::Azure::VPC::Subnet>]
+        def subnets
+          if @subnets.nil? or @subnets.size == 0
+            return loadSubnets
+          end
+          return @subnets
+        end
+        # Describe subnets associated with this VPC. We'll compose identifying
+        # information similar to what MU::Cloud.describe builds for first-class
+        # resources.
+        # @param use_cache [Boolean]: If available, use saved deployment metadata to describe subnets, instead of querying the cloud API
+        # @return [Array<Hash>]: A list of cloud provider identifiers of subnets associated with this VPC.
+        def loadSubnets(use_cache: false)
+          desc = cloud_desc
+          @subnets = []
+          MU::Cloud::Azure.network(credentials: @credentials).subnets.list(@resource_group, cloud_desc.name).each { |subnet|
+            subnet_cfg = {
+              "cloud_id" => subnet.name,
+              "mu_name" => subnet.name,
+              "credentials" => @config['credentials'],
+              "region" => @config['region'],
+              "ip_block" => subnet.address_prefix
+            }
+            if @config['subnets']
+              @config['subnets'].each { |s|
+                if s['ip_block'] == subnet_cfg['ip_block']
+                  subnet_cfg['name'] = s['name']
+                  break
+                end
+              }
+            end
+            subnet_cfg['name'] ||= subnet.name
+            @subnets << MU::Cloud::Azure::VPC::Subnet.new(self, subnet_cfg)
+          }
+          @subnets
+        end
+        # Given some search criteria try locating a NAT Gaateway in this VPC.
+        # @param nat_cloud_id [String]: The cloud provider's identifier for this NAT.
+        # @param nat_filter_key [String]: A cloud provider filter to help identify the resource, used in conjunction with nat_filter_value.
+        # @param nat_filter_value [String]: A cloud provider filter to help identify the resource, used in conjunction with nat_filter_key.
+        # @param region [String]: The cloud provider region of the target instance.
+        def findNat(nat_cloud_id: nil, nat_filter_key: nil, nat_filter_value: nil, region: MU.curRegion)
+          nil
+        end
+        # Given some search criteria for a {MU::Cloud::Server}, see if we can
+        # locate a NAT host in this VPC.
+        # @param nat_name [String]: The name of the resource as defined in its 'name' Basket of Kittens field, typically used in conjunction with deploy_id.
+        # @param nat_cloud_id [String]: The cloud provider's identifier for this NAT.
+        # @param nat_tag_key [String]: A cloud provider tag to help identify the resource, used in conjunction with tag_value.
+        # @param nat_tag_value [String]: A cloud provider tag to help identify the resource, used in conjunction with tag_key.
+        # @param nat_ip [String]: An IP address associated with the NAT instance.
+        def findBastion(nat_name: nil, nat_cloud_id: nil, nat_tag_key: nil, nat_tag_value: nil, nat_ip: nil)
+          [:nat_name, :nat_cloud_id, :nat_tag_key, :nat_tag_value, :nat_ip].each { |var|
+            if binding.local_variable_get(var) != nil
+              binding.local_variable_set(var, var.to_s)
+            end
+            # If we're searching by name, assume it's part of this here deploy.
+            if nat_cloud_id.nil? and !@deploy.nil?
+              deploy_id = @deploy.deploy_id
+            end
+            found = MU::MommaCat.findStray(
+              "Azure",
+              "server",
+              name: nat_name,
+              cloud_id: nat_cloud_id,
+              deploy_id: deploy_id,
+              tag_key: nat_tag_key,
+              tag_value: nat_tag_value,
+              allow_multi: true,
+              dummy_ok: true,
+              calling_deploy: @deploy
+            )
+            return nil if found.nil? || found.empty?
+            if found.size == 1
+              return found.first
+            end
+          }
+          nil
+        end
+        # Check for a subnet in this VPC matching one or more of the specified
+        # criteria, and return it if found.
+        def getSubnet(cloud_id: nil, name: nil, tag_key: nil, tag_value: nil, ip_block: nil)
+          loadSubnets
+          if !cloud_id.nil? and cloud_id.match(/^https:\/\//)
+            cloud_id.gsub!(/.*?\//, "")
+          end
+          MU.log "getSubnet(cloud_id: #{cloud_id}, name: #{name}, tag_key: #{tag_key}, tag_value: #{tag_value}, ip_block: #{ip_block})", MU::DEBUG, details: caller[0]
+          @subnets.each { |subnet|
+            if !cloud_id.nil? and !subnet.cloud_id.nil? and subnet.cloud_id.to_s == cloud_id.to_s
+              return subnet
+            elsif !name.nil? and !subnet.name.nil? and subnet.name.to_s == name.to_s
+              return subnet
+            end
+          }
+          return nil
+        end
+        @route_cache = {}
+        @rtb_cache = {}
+        @rtb_cache_semaphore = Mutex.new
+        # Check whether we (the Mu Master) have a direct route to a particular
+        # instance. Useful for skipping hops through bastion hosts to get
+        # directly at child nodes in peered VPCs, the public internet, and the
+        # like.
+        # @param target_instance [OpenStruct]: The cloud descriptor of the instance to check.
+        # @param region [String]: The cloud provider region of the target subnet.
+        # @return [Boolean]
+        def self.haveRouteToInstance?(target_instance, region: MU.curRegion, credentials: nil)
+#          target_instance.network_profile.network_interfaces.each { |iface|
+#            iface_id = Id.new(iface.is_a?(Hash) ? iface['id'] : iface.id)
+#            iface_desc = MU::Cloud::Azure.network(credentials: credentials).network_interfaces.get(iface_id.resource_group, iface_id.to_s)
+#            iface_desc.ip_configurations.each { |ipcfg|
+#              if ipcfg.respond_to?(:public_ipaddress) and ipcfg.public_ipaddress
+#                return true # XXX invalid if Mu can't talk to the internet
+#              end
+#            }
+#          }
+          return false if MU.myCloud != "Azure"
+# XXX if we're in Azure, see if this is in our VPC or if we're peered to its VPC
+          false
+        end
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          false
+        end
+        # Denote whether this resource implementation is experiment, ready for
+        # testing, or ready for production use.
+        def self.quality
+          MU::Cloud::BETA
+        end
+        # Stub method. Azure resources are cleaned up by removing the parent
+        # resource group.
+        # @return [void]
+        def self.cleanup(**args)
+        end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        # XXX add flag to return the diff between @config and live cloud
+        def toKitten(rootparent: nil, billing: nil)
+          return nil if cloud_desc.name == "default" # parent project builds these
+          bok = {
+            "cloud" => "Azure",
+            "project" => @config['project'],
+            "credentials" => @config['credentials']
+          }
+          bok
+        end
+        # Cloud-specific configuration properties.
+        # @param config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(config = nil)
+          toplevel_required = []
+          schema = {
+            "peers" => {
+              "items" => {
+                "properties" => {
+                  "allow_forwarded_traffic" => {
+                    "type" => "boolean",
+                    "default" => false,
+                    "description" => "Allow traffic originating from outside peered networks"
+                  },
+                  "allow_gateway_traffic" => {
+                    "type" => "boolean",
+                    "default" => false,
+                    "description" => "Permit peered networks to use each others' VPN gateways"
+                  }
+                }
+              }
+            }
+          }
+          [toplevel_required, schema]
+        end
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::vpcs}, bare and unvalidated.
+        # @param vpc [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(vpc, configurator)
+          ok = true
+          vpc['region'] ||= MU::Cloud::Azure.myRegion(vpc['credentials'])
+          if vpc['subnets']
+            vpc['subnets'].each { |subnet|
+              subnet_routes[subnet['route_table']] = Array.new if subnet_routes[subnet['route_table']].nil?
+              subnet_routes[subnet['route_table']] << subnet['name']
+            }
+          end
+          if (!vpc['subnets'] or vpc['subnets'].empty?) and vpc['create_standard_subnets']
+            subnets = configurator.divideNetwork(vpc['ip_block'], vpc['route_tables'].size, 28)
+            vpc['subnets'] ||= []
+            vpc['route_tables'].each { |rtb|
+              is_public = false
+              rtb['routes'].each { |route|
+                if route['gateway'] == "#INTERNET"
+                  is_public = true
+                  break
+                end
+              }
+              vpc['subnets'] << {
+                "name" => "Subnet#{rtb['name'].capitalize}",
+                "is_public" => is_public,
+                "ip_block" => subnets.shift,
+                "route_table" => rtb['name']
+              }
+            }
+          end
+          vpc['route_tables'].each { |rtb|
+            rtb['routes'] ||= []
+            rtb['routes'] << { "destination_network" => vpc['ip_block'] }
+            rtb['routes'].uniq!
+          }
+          default_acl = {
+            "name" => vpc['name']+"-defaultfw",
+            "cloud" => "Azure",
+            "region" => vpc['region'],
+            "credentials" => vpc['credentials'],
+            "rules" => [
+              {
+                "ingress" => true, "proto" => "all", "hosts" => [vpc['ip_block']]
+              },
+              {
+                "egress" => true, "proto" => "all", "hosts" => [vpc['ip_block']]
+              }
+            ]
+          }
+          vpc["dependencies"] ||= []
+          vpc["dependencies"] << {
+            "type" => "firewall_rule",
+            "name" => vpc['name']+"-defaultfw"
+          }
+          if !configurator.insertKitten(default_acl, "firewall_rules", true)
+            ok = false
+          end
+          ok
+        end
+        # @param route [Hash]: A route description, per the Basket of Kittens schema
+        # @param server [MU::Cloud::Azure::Server]: Instance to which this route will apply
+        def createRouteForInstance(route, server)
+          createRoute(route, network: @url, tags: [MU::Cloud::Azure.nameStr(server.mu_name)])
+        end
+        private
+        def create_update
+          @config = MU::Config.manxify(@config)
+          @config['region'] ||= MU::Cloud::Azure.myRegion(@config['credentials'])
+          tags = {}
+          if !@config['scrub_mu_isms']
+            tags = MU::MommaCat.listStandardTags
+          end
+          if @config['tags']
+            @config['tags'].each { |tag|
+              tags[tag['key']] = tag['value']
+            }
+          end
+          vpc_obj =  MU::Cloud::Azure.network(:VirtualNetwork).new
+          addr_space_obj = MU::Cloud::Azure.network(:AddressSpace).new
+          addr_space_obj.address_prefixes = [
+            @config['ip_block']
+          ]
+          vpc_obj.address_space = addr_space_obj
+          vpc_obj.location = @config['region']
+          vpc_obj.tags = tags
+          my_fw = deploy.findLitterMate(type: "firewall_rule", name: @config['name']+"-defaultfw")
+          @resource_group = @deploy.deploy_id+"-"+@config['region'].upcase
+          need_apply = false
+          ext_vpc = nil
+          begin
+            ext_vpc = MU::Cloud::Azure.network(credentials: @config['credentials']).virtual_networks.get(
+              @resource_group,
+              @mu_name
+            )
+          rescue ::MU::Cloud::Azure::APIError => e
+            if e.message.match(/: ResourceNotFound:/)
+              need_apply = true
+            else
+              raise e
+            end
+          end
+# XXX raw update seems to destroy child resources; if we just need to update
+# tags, do that with .update_tags
+          if !ext_vpc
+            MU.log "Creating VPC #{@mu_name} (#{@config['ip_block']}) in #{@config['region']}", details: vpc_obj
+            need_apply = true
+          elsif ext_vpc.location != vpc_obj.location or
+                ext_vpc.tags != vpc_obj.tags or
+                ext_vpc.address_space.address_prefixes != vpc_obj.address_space.address_prefixes
+            MU.log "Updating VPC #{@mu_name} (#{@config['ip_block']}) in #{@config['region']}", MU::NOTICE, details: vpc_obj
+            need_apply = true
+          end
+          if need_apply
+            resp = MU::Cloud::Azure.network(credentials: @config['credentials']).virtual_networks.create_or_update(
+              @resource_group,
+              @mu_name,
+              vpc_obj
+            )
+            @cloud_id = Id.new(resp.id)
+          end
+          # this is slow, so maybe thread it
+          rtb_map = {}
+          routethreads = []
+          create_nat_gateway = false
+          @config['route_tables'].each { |rtb_cfg|
+            routethreads << Thread.new(rtb_cfg) { |rtb|
+              rtb_name = @mu_name+"-"+rtb['name'].upcase
+              rtb_obj = MU::Cloud::Azure.network(:RouteTable).new
+              rtb_obj.location = @config['region']
+              rtb_obj.tags = tags
+              rtb_ref_obj = MU::Cloud::Azure.network(:RouteTable).new
+              rtb_ref_obj.name = rtb_name
+              rtb_map[rtb['name']] = rtb_ref_obj
+              need_apply = false
+              ext_rtb = nil
+              begin
+                ext_rtb = MU::Cloud::Azure.network(credentials: @config['credentials']).route_tables.get(
+                  @resource_group,
+                  rtb_name
+                )
+                rtb_map[rtb['name']] = ext_rtb
+              rescue MU::Cloud::Azure::APIError => e
+                if e.message.match(/: ResourceNotFound:/)
+                  need_apply = true
+                else
+                  raise e
+                end
+              end
+              if !ext_rtb
+                MU.log "Creating route table #{rtb_name} in VPC #{@mu_name}", details: rtb_obj
+                need_apply = true
+              elsif ext_rtb.location != rtb_obj.location or
+                    ext_rtb.tags != rtb_obj.tags
+                need_apply = true
+                MU.log "Updating route table #{rtb_name} in VPC #{@mu_name}", MU::NOTICE, details: rtb_obj
+              end
+              if need_apply
+                rtb_map[rtb['name']] = MU::Cloud::Azure.network(credentials: @config['credentials']).route_tables.create_or_update(
+                  @resource_group,
+                  rtb_name,
+                  rtb_obj
+                )
+              end
+              rtb['routes'].each { |route|
+                route_obj = MU::Cloud::Azure.network(:Route).new
+                route_obj.address_prefix = route['destination_network']
+                routename = rtb_name+"-"+route['destination_network'].gsub(/[^a-z0-9]/i, "_")
+                route_obj.next_hop_type = if route['gateway'] == "#NAT" and @config['bastion']
+                  routename = rtb_name+"-NAT"
+                  bastion_ref = MU::Config::Ref.get(@config['bastion'])
+                  if bastion_ref.kitten and bastion_ref.kitten.cloud_desc
+                    iface_id = Id.new(bastion_ref.kitten.cloud_desc.network_profile.network_interfaces.first.id)
+                    iface_desc = MU::Cloud::Azure.network(credentials: @credentials).network_interfaces.get(@resource_group, iface_id.name)
+                    if iface_desc and iface_desc.ip_configurations and iface_desc.ip_configurations.size > 0
+                      route_obj.next_hop_ip_address = iface_desc.ip_configurations.first.private_ipaddress
+                      "VirtualAppliance"
+                    else
+                      "VnetLocal"
+                    end
+                  else
+                    "VnetLocal"
+                  end
+#                  create_nat_gateway = true
+                elsif route['gateway'] == "#INTERNET"
+                  routename = rtb_name+"-INTERNET"
+                  "Internet"
+                else
+                  routename = rtb_name+"-LOCAL"
+                  "VnetLocal"
+                end
+#next_hop_type 'VirtualNetworkGateway' is for VPNs I think
+                need_apply = false
+                ext_route = nil
+                begin
+                  ext_route = MU::Cloud::Azure.network(credentials: @config['credentials']).routes.get(
+                    @resource_group,
+                    rtb_name,
+                    routename
+                  )
+                rescue MU::Cloud::Azure::APIError => e
+                  if e.message.match(/\bNotFound\b/)
+                    need_apply = true
+                  else
+                    raise e
+                  end
+                end
+                if !ext_route
+                  MU.log "Creating route #{routename} for #{route['destination_network']} in route table #{rtb_name}", details: rtb_obj
+                  need_apply = true
+                elsif ext_route.next_hop_type != route_obj.next_hop_type or
+                      ext_route.address_prefix != route_obj.address_prefix
+                  MU.log "Updating route #{routename} for #{route['destination_network']} in route table #{rtb_name}", MU::NOTICE, details: [route_obj, ext_route]
+                  need_apply = true
+                end
+                if need_apply
+                  MU::Cloud::Azure.network(credentials: @config['credentials']).routes.create_or_update(
+                    @resource_group,
+                    rtb_name,
+                    routename,
+                    route_obj
+                  )
+                end
+              }
+            }
+          }
+          routethreads.each { |t|
+            t.join
+          }
+# TODO this is only available in westus as of 2019-09-29
+#          if create_nat_gateway
+#            nat_obj = MU::Cloud::Azure.network(:NatGateway).new
+#            nat_obj.location = @config['region']
+#            nat_obj.tags = tags
+#            MU.log "Creating NAT Gateway #{@mu_name}-NAT", details: nat_obj
+#            MU::Cloud::Azure.network(credentials: @config['credentials']).nat_gateways.create_or_update(
+#              @resource_group,
+#              @mu_name+"-NAT",
+#              nat_obj
+#            )
+#          end
+          if @config['subnets']
+            subnetthreads = []
+            @config['subnets'].each { |subnet_cfg|
+              subnetthreads << Thread.new(subnet_cfg) { |subnet|
+                subnet_obj = MU::Cloud::Azure.network(:Subnet).new
+                subnet_name = @mu_name+"-"+subnet['name'].upcase
+                subnet_obj.address_prefix = subnet['ip_block']
+                subnet_obj.route_table = rtb_map[subnet['route_table']]
+                if my_fw and my_fw.cloud_desc
+                  subnet_obj.network_security_group = my_fw.cloud_desc
+                end
+                need_apply = false
+                ext_subnet = nil
+                begin
+                  ext_subnet = MU::Cloud::Azure.network(credentials: @config['credentials']).subnets.get(
+                    @resource_group,
+                    @cloud_id.to_s,
+                    subnet_name
+                  )
+                rescue APIError => e
+                  if e.message.match(/\bNotFound\b/)
+                    need_apply = true
+                  else
+#                raise e
+                  end
+                end
+                if !ext_subnet
+                  MU.log "Creating Subnet #{subnet_name} in VPC #{@mu_name}", details: subnet_obj
+                  need_apply = true
+                elsif (!ext_subnet.route_table.nil? and !subnet_obj.route_table.nil? and ext_subnet.route_table.id != subnet_obj.route_table.id) or
+                      ext_subnet.address_prefix != subnet_obj.address_prefix or
+                      ext_subnet.network_security_group.nil? and !subnet_obj.network_security_group.nil? or
+                      (!ext_subnet.network_security_group.nil? and !subnet_obj.network_security_group.nil? and ext_subnet.network_security_group.id != subnet_obj.network_security_group.id)
+                  MU.log "Updating Subnet #{subnet_name} in VPC #{@mu_name}", MU::NOTICE, details: subnet_obj
+                  need_apply = true
+                end
+                if need_apply
+                  MU::Cloud::Azure.network(credentials: @config['credentials']).subnets.create_or_update(
+                    @resource_group,
+                    @cloud_id.to_s,
+                    subnet_name,
+                    subnet_obj
+                  )
+                end
+              }
+            }
+            subnetthreads.each { |t|
+              t.join
+            }
+          end
+          loadSubnets
+        end
+        protected
+        # Subnets are almost a first-class resource. So let's kinda sorta treat
+        # them like one. This should only be invoked on objects that already
+        # exists in the cloud layer.
+        class Subnet < MU::Cloud::Azure::VPC
+          attr_reader :cloud_id
+          attr_reader :id
+          attr_reader :ip_block
+          attr_reader :mu_name
+          attr_reader :name
+          attr_reader :cloud_desc_cache
+          attr_reader :resource_group
+          attr_reader :az
+          # @param parent [MU::Cloud::Azure::VPC]: The parent VPC of this subnet.
+          # @param config [Hash<String>]:
+          def initialize(parent, config, precache_description: true)
+            @parent = parent
+            @deploy = parent.deploy
+            @config = MU::Config.manxify(config)
+            @cloud_id = config['cloud_id']
+            @mu_name = config['mu_name']
+            @name = config['name']
+            @deploydata = config # This is a dummy for the sake of describe()
+            @ip_block = config['ip_block']
+            @cloud_desc_cache = nil
+            @az = parent.config['region']
+            cloud_desc if precache_description
+          end
+          # Return the cloud identifier for the default route of this subnet.
+          def defaultRoute
+            if cloud_desc and cloud_desc.route_table
+              rtb_id = MU::Cloud::Azure::Id.new(cloud_desc.route_table.id)
+              routes = MU::Cloud::Azure.network(credentials: @config['credentials']).routes.list(
+                rtb_id.resource_group,
+                rtb_id.name
+              )
+              routes.each { |route|
+                return route if route.address_prefix == "0.0.0.0/0"
+              }
+            end
+            nil
+          end
+          # Describe this VPC Subnet
+          # @return [Hash]
+          def notify
+            MU.structToHash(cloud_desc)
+          end
+          # Describe this VPC Subnet from the cloud platform's perspective
+          def cloud_desc
+            return @cloud_desc_cache if !@cloud_desc_cache.nil?
+            @cloud_desc_cache = MU::Cloud::Azure.network(credentials: @parent.credentials).subnets.get(@parent.resource_group, @parent.cloud_desc.name, @cloud_id.to_s)
+            @cloud_desc_cache
+          end
+          # Is this subnet privately-routable only, or public?
+          # @return [Boolean]
+          def private?
+            if cloud_desc and cloud_desc.route_table
+              rtb_id = MU::Cloud::Azure::Id.new(cloud_desc.route_table.id)
+              routes = MU::Cloud::Azure.network(credentials: @config['credentials']).routes.list(
+                rtb_id.resource_group,
+                rtb_id.name
+              )
+              routes.each { |route|
+                return false if route.next_hop_type == "Internet"
+              }
+              true
+            end
+          end
+        end
+      end #class
+    end #class
+  end
+end #module