RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/clouds/google/folder.rb CHANGED

@@ -15,30 +15,16 @@
 module MU
   class Cloud
     class Google
-      # Creates an Google project as configured in {MU::Config::BasketofKittens::folders}
+      # Creates a Google folder as configured in {MU::Config::BasketofKittens::folders}
       class Folder < MU::Cloud::Folder
-        @deploy = nil
-        @config = nil
-        @parent = nil
-        attr_reader :mu_name
-        attr_reader :config
-        attr_reader :cloud_id
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::folders}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          @cloud_id ||= cloud_id
-          if !mu_name.nil?
-            @mu_name = mu_name
-          elsif @config['scrub_mu_isms']
-            @mu_name = @config['name']
-          else
-            @mu_name = @deploy.getResourceName(@config['name'])
-          end
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+          cloud_desc if @cloud_id # XXX this maybe isn't my job
+          @mu_name ||= @deploy.getResourceName(@config['name'])
         end
         # Called automatically by {MU::Deploy#createResources}
@@ -54,6 +40,9 @@ module MU
             display_name: name_string
           }
+          if @config['parent']['name'] and !@config['parent']['id']
+            @config['parent']['deploy_id'] = @deploy.deploy_id
+          end
           parent = MU::Cloud::Google::Folder.resolveParent(@config['parent'], credentials: @config['credentials'])
           folder_obj = MU::Cloud::Google.folder(:Folder).new(params)
@@ -79,6 +68,20 @@ module MU
             end
           end while found.size == 0
+          @habitat = parent
+        end
+        # Retrieve the IAM bindings for this folder (associates between IAM roles and groups/users)
+        def bindings
+          MU::Cloud::Google::Folder.bindings(@cloud_id, credentials: @config['credentials'])
+        end
+        # Retrieve the IAM bindings for this folder (associates between IAM roles and groups/users)
+        # @param folder [String]:
+        # @param credentials [String]:
+        def self.bindings(folder, credentials: nil)
+          MU::Cloud::Google.folder(credentials: credentials).get_folder_iam_policy(folder).bindings
         end
         # Given a {MU::Config::Folder.reference} configuration block, resolve
@@ -88,9 +91,9 @@ module MU
         # @return [String]
         def self.resolveParent(parentblock, credentials: nil)
           my_org = MU::Cloud::Google.getOrg(credentials)
-          if !parentblock or parentblock['id'] == my_org.name or
+          if my_org and (!parentblock or parentblock['id'] == my_org.name or
              parentblock['name'] == my_org.display_name or (parentblock['id'] and
-             "organizations/"+parentblock['id'] == my_org.name)
+             "organizations/"+parentblock['id'] == my_org.name))
             return my_org.name
           end
@@ -103,12 +106,12 @@ module MU
               name: parentblock['name']
             ).first
             if sib_folder
-              return "folders/"+sib_folder.cloudobj.cloud_id
+              return sib_folder.cloud_desc.name
             end
           end
           begin
-          found = MU::Cloud::Google::Folder.find(cloud_id: parentblock['id'], credentials: credentials, flags: { 'display_name' => parentblock['name'] })
+            found = MU::Cloud::Google::Folder.find(cloud_id: parentblock['id'], credentials: credentials, flags: { 'display_name' => parentblock['name'] })
           rescue ::Google::Apis::ClientError => e
             if !e.message.match(/Invalid request status_code: 404/)
               raise e
@@ -123,11 +126,14 @@ module MU
         end
         # Return the cloud descriptor for the Folder
+        # @return [Google::Apis::Core::Hashable]
         def cloud_desc
-          MU::Cloud::Google::Folder.find(cloud_id: @cloud_id).values.first
+          @cached_cloud_desc ||= MU::Cloud::Google::Folder.find(cloud_id: @cloud_id, credentials: @config['credentials']).values.first
+          @habitat_id ||= @cached_cloud_desc.parent.sub(/^(folders|organizations)\//, "")
+          @cached_cloud_desc
         end
-        # Return the metadata for this project's configuration
+        # Return the metadata for this folders's configuration
         # @return [Hash]
         def notify
           desc = MU.structToHash(MU::Cloud::Google.folder(credentials: @config['credentials']).get_folder("folders/"+@cloud_id))
@@ -147,7 +153,7 @@ module MU
         # Denote whether this resource implementation is experiment, ready for
         # testing, or ready for production use.
         def self.quality
-          MU::Cloud::BETA
+          MU::Cloud::RELEASE
         end
         # Remove all Google projects associated with the currently loaded deployment. Try to, anyway.
@@ -158,54 +164,70 @@ module MU
           # We can't label GCP folders, and their names are too short to encode
           # Mu deploy IDs, so all we can do is rely on flags['known'] passed in
           # from cleanup, which relies on our metadata to know what's ours.
+#noop = true
           if flags and flags['known']
+            threads = []
             flags['known'].each { |cloud_id|
-              found = self.find(cloud_id: cloud_id, credentials: credentials)
-              if found.size > 0 and found.values.first.lifecycle_state == "ACTIVE"
-                MU.log "Deleting folder #{found.values.first.display_name} (#{found.keys.first})"
-                if !noop
-                  max_retries = 10
-                  retries = 0
-                  success = false
-                  begin
-                    MU::Cloud::Google.folder(credentials: credentials).delete_folder(
-                      "folders/"+found.keys.first
-                    )
-                    found = self.find(cloud_id: cloud_id, credentials: credentials)
-                    if found and found.size > 0 and found.values.first.lifecycle_state != "DELETE_REQUESTED"
-                      if retries < max_retries
+              threads << Thread.new {
+                found = self.find(cloud_id: cloud_id, credentials: credentials)
+                if found.size > 0 and found.values.first.lifecycle_state == "ACTIVE"
+                  MU.log "Deleting folder #{found.values.first.display_name} (#{found.keys.first})"
+                  if !noop
+                    max_retries = 10
+                    retries = 0
+                    success = false
+                    begin
+                      MU::Cloud::Google.folder(credentials: credentials).delete_folder(
+                        "folders/"+found.keys.first
+                      )
+                      found = self.find(cloud_id: cloud_id, credentials: credentials)
+                      if found and found.size > 0 and found.values.first.lifecycle_state != "DELETE_REQUESTED"
+                        if retries < max_retries
+                          sleep 30
+                          retries += 1
+                          puts retries
+                        else
+                          MU.log "Folder #{cloud_id} still exists after #{max_retries.to_s} attempts to delete", MU::ERR
+                          break
+                        end
+                      else
+                        success = true
+                      end
+                    rescue ::Google::Apis::ClientError => e
+# XXX maybe see if the folder has disappeared already?
+# XXX look for child folders that haven't been deleted, that's what this tends
+# to mean
+                      if e.message.match(/failedPrecondition/) and retries < max_retries
                         sleep 30
                         retries += 1
-                        puts retries
+                        retry
                       else
-                        MU.log "Folder #{cloud_id} still exists after #{max_retries.to_s} attempts to delete", MU::ERR
+                        MU.log "Got 'failedPrecondition' a bunch while trying to delete #{found.values.first.display_name} (#{found.keys.first})", MU::ERR
                         break
                       end
-                    else
-                      success = true
-                    end
-                  rescue ::Google::Apis::ClientError => e
-                    if e.message.match(/failedPrecondition/) and retries < max_retries
-                      sleep 30
-                      retries += 1
-                      retry
-                    else
-                      raise e
-                    end
-                  end while !success
+                    end while !success
+                  end
                 end
-              end
+              }
+            }
+            threads.each { |t|
+              t.join
             }
           end
         end
-        # Locate an existing project
-        # @param cloud_id [String]: The cloud provider's identifier for this resource.
-        # @param flags [Hash]: Optional flags
-        # @return [OpenStruct]: The cloud provider's complete descriptions of matching project
-        def self.find(cloud_id: nil, credentials: nil, flags: {}, tag_key: nil, tag_value: nil)
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
           found = {}
           # Recursively search a GCP folder hierarchy for a folder matching our
@@ -227,33 +249,88 @@ module MU
             nil
           end
-          if cloud_id
-            found[cloud_id.sub(/^folders\//, "")] = MU::Cloud::Google.folder(credentials: credentials).get_folder("folders/"+cloud_id.sub(/^folders\//, ""))
-          elsif flags['display_name']
-            parent = if flags['parent_id']
-              flags['parent_id']
-            else
-              my_org = MU::Cloud::Google.getOrg(credentials)
-              my_org.name
-            end
+          parent = if args[:flags] and args[:flags]['parent_id']
+            args[:flags]['parent_id']
+          else
+            my_org = MU::Cloud::Google.getOrg(args[:credentials])
+            my_org.name
+          end
+          if args[:cloud_id]
+            raw_id = args[:cloud_id].sub(/^folders\//, "")
+            resp = MU::Cloud::Google.folder(credentials: args[:credentials]).get_folder("folders/"+raw_id)
+            found[resp.name] = resp if resp
+          elsif args[:flags] and args[:flags]['display_name']
             if parent
-              resp = self.find_matching_folder(parent, name: flags['display_name'], credentials: credentials)
+              resp = self.find_matching_folder(parent, name: args[:flags]['display_name'], credentials: args[:credentials])
               if resp
-                found[resp.name.sub(/^folders\//, "")] = resp
+                found[resp.name] = resp
               end
             end
+          else
+            resp = MU::Cloud::Google.folder(credentials: args[:credentials]).list_folders(parent: parent)
+            if resp and resp.folders
+              resp.folders.each { |folder|
+                next if folder.lifecycle_state == "DELETE_REQUESTED"
+                found[folder.name] = folder
+                # recurse so that we'll pick up child folders
+                children = self.find(
+                  credentials: args[:credentials],
+                  flags: { 'parent_id' => folder.name }
+                )
+                if !children.nil? and !children.empty?
+                  found.merge!(children)
+                end
+              }
+            end
           end
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+          bok = {
+            "cloud" => "Google",
+            "credentials" => @config['credentials']
+          }
+          bok['display_name'] = cloud_desc.display_name
+          bok['cloud_id'] = cloud_desc.name
+          bok['name'] = cloud_desc.display_name#+bok['cloud_id'] # only way to guarantee uniqueness
+          if cloud_desc.parent.match(/^folders\/(.*)/)
+MU.log bok['display_name']+" generating reference", MU::NOTICE, details: cloud_desc.parent
+            bok['parent'] = MU::Config::Ref.get(
+              id: cloud_desc.parent,
+              cloud: "Google",
+              credentials: @config['credentials'],
+              type: "folders"
+            )
+          elsif rootparent
+            bok['parent'] = {
+              'id' => rootparent.is_a?(String) ? rootparent : rootparent.cloud_desc.name
+            }
+          else
+            bok['parent'] = { 'id' => cloud_desc.parent }
+          end
+          bok
+        end
         # Cloud-specific configuration properties.
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
           toplevel_required = []
           schema = {
+            "display_name" => {
+              "type" => "string",
+              "description" => "The +display_name+ field of this folder, specified only if we want it to be something other than the automatically-generated string derived from the +name+ field.",
+            }
           }
           [toplevel_required, schema]
         end
@@ -266,7 +343,7 @@ module MU
           ok = true
           if !MU::Cloud::Google.getOrg(folder['credentials'])
-            MU.log "Cannot manage Google Cloud projects in environments without an organization. See also: https://cloud.google.com/resource-manager/docs/creating-managing-organization", MU::ERR
+            MU.log "Cannot manage Google Cloud folders in environments without an organization", MU::ERR
             ok = false
           end

data/modules/mu/clouds/google/group.rb CHANGED

@@ -17,36 +17,102 @@ module MU
     class Google
       # A group as configured in {MU::Config::BasketofKittens::groups}
       class Group < MU::Cloud::Group
-        @deploy = nil
-        @config = nil
-        attr_reader :mu_name
-        attr_reader :config
-        attr_reader :cloud_id
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::groups}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          @cloud_id ||= cloud_id
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
         # Called automatically by {MU::Deploy#createResources}
         def create
-          bind_group
+          if !@config['external']
+            if !@config['email']
+              domains = MU::Cloud::Google.admin_directory(credentials: @credentials).list_domains(@customer)
+              @config['email'] = @mu_name.downcase+"@"+domains.domains.first.domain_name
+            end
+            group_obj = MU::Cloud::Google.admin_directory(:Group).new(
+              name: @mu_name,
+              email: @config['email'],
+              description: @deploy.deploy_id
+            )
+            MU.log "Creating group #{@mu_name}", details: group_obj
+            resp = MU::Cloud::Google.admin_directory(credentials: @credentials).insert_group(group_obj)
+            @cloud_id = resp.email
+            MU::Cloud::Google::Role.bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'])
+          else
+            @cloud_id = @config['name'].sub(/@.*/, "")+"@"+@config['domain']
+          end
         end
         # Called automatically by {MU::Deploy#createResources}
         def groom
-          bind_group
+          MU::Cloud::Google::Role.bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'], debug: true)
+          if @config['members']
+            resolved_desired = []
+            @config['members'].each { |m|
+              sibling_user = @deploy.findLitterMate(name: m, type: "users")
+              usermail = if sibling_user
+                sibling_user.cloud_id
+              elsif !m.match(/@/)
+                domains = MU::Cloud::Google.admin_directory(credentials: @credentials).list_domains(@customer)
+                m+"@"+domains.domains.first.domain_name
+              else
+                m
+              end
+              resolved_desired << usermail
+              next if members.include?(usermail)
+              MU.log "Adding user #{usermail} to group #{@mu_name}"
+              MU::Cloud::Google.admin_directory(credentials: @credentials).insert_member(
+                @cloud_id,
+                MU::Cloud::Google.admin_directory(:Member).new(
+                  email: usermail
+                )
+              )
+            }
+            deletia = members - resolved_desired
+            deletia.each { |m|
+              MU.log "Removing user #{m} from group #{@mu_name}", MU::NOTICE
+              MU::Cloud::Google.admin_directory(credentials: @credentials).delete_member(@cloud_id, m)
+            }
+            # Theoretically there can be a delay
+            begin
+              if members.sort != resolved_desired.sort
+                sleep 3
+              end
+            end while members.sort != resolved_desired.sort
+          end
+        end
+        # Retrieve a list of users (by cloud id) of this group
+        def members
+          resp = MU::Cloud::Google.admin_directory(credentials: @credentials).list_members(@cloud_id)
+          members = []
+          if resp and resp.members
+            members = resp.members.map { |m| m.email }
+# XXX reject status != "ACTIVE" ?
+          end
+          members
         end
         # Return the metadata for this group configuration
         # @return [Hash]
         def notify
-          {
-          }
+          if !@config['external']
+            base = MU.structToHash(cloud_desc)
+          end
+          base ||= {}
+          base
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or
@@ -56,10 +122,18 @@ module MU
           true
         end
+        # Return the list of "container" resource types in which this resource
+        # can reside. The list will include an explicit nil if this resource
+        # can exist outside of any container.
+        # @return [Array<Symbol,nil>]
+        def self.canLiveIn
+          [nil]
+        end
         # Denote whether this resource implementation is experiment, ready for
         # testing, or ready for production use.
         def self.quality
-          MU::Cloud::ALPHA
+          MU::Cloud::BETA
         end
         # Remove all groups associated with the currently loaded deployment.
@@ -68,19 +142,90 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          my_domains = MU::Cloud::Google.getDomains(credentials)
+          my_org = MU::Cloud::Google.getOrg(credentials)
+          if my_org
+            groups = MU::Cloud::Google.admin_directory(credentials: credentials).list_groups(customer: MU::Cloud::Google.customerID(credentials)).groups
+            if groups
+              groups.each { |group|
+                if group.description == MU.deploy_id
+                  MU.log "Deleting group #{group.name} from #{my_org.display_name}", details: group
+                  if !noop
+                    MU::Cloud::Google.admin_directory(credentials: credentials).delete_group(group.id)
+                  end
+                end
+              }
+            end
+          end
+          if flags['known']
+            flags['known'].each { |group|
+              MU::Cloud::Google::Role.removeBindings("group", group, credentials: credentials, noop: noop)
+            }
+          end
         end
-        # Locate an existing group group.
-        # @param cloud_id [String]: The cloud provider's identifier for this resource.
-        # @param region [String]: The cloud provider region.
-        # @param flags [Hash]: Optional flags
-        # @return [OpenStruct]: The cloud provider's complete descriptions of matching group group.
-        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {}, tag_key: nil, tag_value: nil)
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          found = nil
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
+          found = {}
+          # The API treats the email address field as its main identifier, so
+          # we'll go ahead and respect that.
+          if args[:cloud_id]
+            begin
+              resp = MU::Cloud::Google.admin_directory(credentials: args[:credentials]).get_group(args[:cloud_id])
+              found[resp.email] = resp if resp
+            rescue ::Google::Apis::ClientError => e
+              raise e if !e.message.match(/forbidden: /)
+            end
+          else
+            resp = MU::Cloud::Google.admin_directory(credentials: args[:credentials]).list_groups(customer: MU::Cloud::Google.customerID(args[:credentials]))
+            if resp and resp.groups
+              found = Hash[resp.groups.map { |g| [g.email, g] }]
+            end
+          end
+# XXX what about Google Groups groups and other external groups? Where do we fish for those? Do we even need to?
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+          bok = {
+            "cloud" => "Google",
+            "credentials" => @config['credentials']
+          }
+          bok['name'] = cloud_desc.name
+          bok['cloud_id'] = cloud_desc.email
+          bok['members'] = members
+          bok['members'].each { |m|
+            m = MU::Config::Ref.get(
+              id: m,
+              cloud: "Google",
+              credentials: @config['credentials'],
+              type: "users"
+            )
+          }
+          group_roles = MU::Cloud::Google::Role.getAllBindings(@config['credentials'])["by_entity"]
+          if group_roles["group"] and group_roles["group"][bok['cloud_id']] and
+             group_roles["group"][bok['cloud_id']].size > 0
+            bok['roles'] = MU::Cloud::Google::Role.entityBindingsToSchema(group_roles["group"][bok['cloud_id']], credentials: @config['credentials'])
+          end
+          bok
+       end
         # Cloud-specific configuration properties.
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
@@ -89,20 +234,32 @@ module MU
           schema = {
             "name" => {
               "type" => "string",
-              "description" => "This must be the email address of an existing Google Group (+foo@googlegroups.com+), or of a federated GSuite or Cloud Identity domain group from your organization."
+              "description" => "This can include an optional @domain component (<tt>foo@example.com</tt>).
+If the domain portion is not specified, and we manage exactly one GSuite or Cloud Identity domain, we will attempt to create the group in that domain.
+If we do not manage any domains, and none are specified, we will assume <tt>@googlegroups.com</tt> for the domain and attempt to bind an existing external Google Group to roles under our jurisdiction.
+If the domain portion is specified, and our credentials can manage that domain via GSuite or Cloud Identity, we will attempt to create the group in that domain.
+If it is a domain we do not manage, we will attempt to bind an existing external group from that domain to roles under our jurisdiction.
+If we are binding (rather than creating) a group and no roles are specified, we will default to +roles/viewer+ at the organization scope. If our credentials do not manage an organization, we will grant this role in our default project.
+"
+            },
+            "domain" => {
+              "type" => "string",
+              "description" => "The domain from which the group originates or in which it should be created. This can instead be embedded in the {name} field: +foo@example.com+."
             },
+            "external" => {
+              "type" => "boolean",
+              "description" => "Explicitly flag this group as originating from an external domain. This should always autodetect correctly."
+            },
             "roles" => {
               "type" => "array",
-              "description" => "One or more Google IAM roles to associate with this group.",
-              "default" => ["roles/viewer"],
-              "items" => {
-                "type" => "string",
-                "description" => "One or more Google IAM roles to associate with this group. Google Cloud groups are not created directly; pre-existing Google Groups are associated with a project by being bound to one or more roles in that project. If no roles are specified, we default to +roles/viewer+, which permits read-only access project-wide."
-              }
-            },
-            "project" => {
-              "type" => "string",
-              "description" => "The project into which to deploy resources"
+              "items" => MU::Cloud::Google::Role.ref_schema
             }
           }
           [toplevel_required, schema]
@@ -114,64 +271,97 @@ module MU
         # @return [Boolean]: True if validation succeeded, False otherwise
         def self.validateConfig(group, configurator)
           ok = true
-          if group['members'] and group['members'].size > 0 and
-             !$MU_CFG['google']['masquerade_as']
-            MU.log "Cannot change Google group memberships in non-GSuite environments.\nVisit https://groups.google.com to manage groups.", MU::ERR
-            ok = false
-          end
-          ok
-        end
+          my_domains = MU::Cloud::Google.getDomains(group['credentials'])
+          my_org = MU::Cloud::Google.getOrg(group['credentials'])
-        private
+          if group['name'].match(/@(.*+)$/)
+            domain = Regexp.last_match[1].downcase
+            if domain and group['domain'] and domain != group['domain'].downcase
+              MU.log "Group #{group['name']} had a domain component, but the domain field was also specified (#{group['domain']}) and they don't match."
+              ok = false
+            end
+            group['domain'] = domain
+            if !my_domains or !my_domains.include?(domain)
+              group['external'] = true
-        def bind_group
-          bindings = []
-          ext_policy = MU::Cloud::Google.resource_manager(credentials: @config['credentials']).get_project_iam_policy(
-            @config['project']
-          )
-          change_needed = false
-          @config['roles'].each { |role|
-            seen = false
-            ext_policy.bindings.each { |b|
-              if b.role == role
-                seen = true
-                if !b.members.include?("user:"+@config['name'])
-                  change_needed = true
-                  b.members << "group:"+@config['name']
+              if !["googlegroups.com", "google.com"].include?(domain)
+                MU.log "#{group['name']} appears to be a member of a domain that our credentials (#{group['credentials']}) do not manage; attempts to grant access for this group may fail!", MU::WARN
+              end
+              if !group['roles'] or group['roles'].empty?
+                group['roles'] = [
+                  {
+                    "role" => {
+                      "id" => "roles/viewer"
+                    }
+                  }
+                ]
+                if my_org
+                  group['roles'][0]["organizations"] = [my_org.name]
+                else
+                  group['roles'][0]["projects"] = {
+                    "id" => group["project"]
+                  }
                 end
+                MU.log "External Google group specified with no role binding, will grant 'viewer' in #{my_org ? "organization #{my_org.display_name}" : "project #{group['project']}"}", MU::WARN
               end
-            }
-            if !seen
-              ext_policy.bindings << MU::Cloud::Google.resource_manager(:Binding).new(
-                role: role,
-                members: ["group:"+@config['name']]
-              )
-              change_needed = true
             end
-          }
+          else
+            if !group['domain']
+              if my_domains.size == 1
+                group['domain'] = my_domains.first
+              elsif my_domains.size > 1
+                MU.log "Google interactive User #{group['name']} did not specify a domain, and we have multiple defaults available. Must specify exactly one.", MU::ERR, details: my_domains
+                ok = false
+              else
+                group['domain'] = "googlegroups.com"
+              end
+            end
+          end
-          if change_needed
-            req_obj = MU::Cloud::Google.resource_manager(:SetIamPolicyRequest).new(
-              policy: ext_policy
-            )
-            MU.log "Adding group #{@config['name']} to Google Cloud project #{@config['project']}", details: @config['roles']
-            begin
-              MU::Cloud::Google.resource_manager(credentials: @config['credentials']).set_project_iam_policy(
-                @config['project'],
-                req_obj
-              )
-            rescue ::Google::Apis::ClientError => e
-              if e.message.match(/does not exist/i) and !MU::Cloud::Google.credConfig(@config['credentials'])['masquerade_as']
-                raise MuError, "Group #{@config['name']} does not exist, and we cannot create Google groups in non-GSuite environments.\nVisit https://groups.google.com to manage groups."
-              end
-              raise e
+          credcfg = MU::Cloud::Google.credConfig(group['credentials'])
+          if group['external'] and group['members']
+            MU.log "Cannot manage memberships for external group #{group['name']}", MU::ERR
+            if group['domain'] == "googlegroups.com"
+              MU.log "Visit https://groups.google.com to manage Google Groups.", MU::ERR
             end
+            ok = false
           end
+          if group['members']
+            group['members'].each { |m|
+              if configurator.haveLitterMate?(m, "users")
+                group['dependencies'] ||= []
+                group['dependencies'] << {
+                  "name" => m,
+                  "type" => "user"
+                }
+              end
+            }
+          end
+          if group['roles']
+            group['roles'].each { |r|
+              if r['role'] and r['role']['name'] and
+                 (!r['role']['deploy_id'] and !r['role']['id'])
+                group['dependencies'] ||= []
+                group['dependencies'] << {
+                  "type" => "role",
+                  "name" => r['role']['name']
+                }
+              end
+            }
+          end
+          ok
         end
+        private
       end
     end
   end