RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/clouds/google/folder.rb CHANGED

@@ -15,30 +15,16 @@
 module MU
   class Cloud
     class Google
-      # Creates an Google project as configured in {MU::Config::BasketofKittens::folders}
+      # Creates a Google folder as configured in {MU::Config::BasketofKittens::folders}
       class Folder < MU::Cloud::Folder
-        @deploy = nil
-        @config = nil
-        @parent = nil
-        attr_reader :mu_name
-        attr_reader :config
-        attr_reader :cloud_id
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::folders}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          @cloud_id ||= cloud_id
-          if !mu_name.nil?
-            @mu_name = mu_name
-          elsif @config['scrub_mu_isms']
-            @mu_name = @config['name']
-          else
-            @mu_name = @deploy.getResourceName(@config['name'])
-          end
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+          cloud_desc if @cloud_id # XXX this maybe isn't my job
+          @mu_name ||= @deploy.getResourceName(@config['name'])
         end
         # Called automatically by {MU::Deploy#createResources}
@@ -54,6 +40,9 @@ module MU
             display_name: name_string
           }
+          if @config['parent']['name'] and !@config['parent']['id']
+            @config['parent']['deploy_id'] = @deploy.deploy_id
+          end
           parent = MU::Cloud::Google::Folder.resolveParent(@config['parent'], credentials: @config['credentials'])
           folder_obj = MU::Cloud::Google.folder(:Folder).new(params)
@@ -79,6 +68,20 @@ module MU
             end
           end while found.size == 0
+          @habitat = parent
+        end
+        # Retrieve the IAM bindings for this folder (associates between IAM roles and groups/users)
+        def bindings
+          MU::Cloud::Google::Folder.bindings(@cloud_id, credentials: @config['credentials'])
+        end
+        # Retrieve the IAM bindings for this folder (associates between IAM roles and groups/users)
+        # @param folder [String]:
+        # @param credentials [String]:
+        def self.bindings(folder, credentials: nil)
+          MU::Cloud::Google.folder(credentials: credentials).get_folder_iam_policy(folder).bindings
         end
         # Given a {MU::Config::Folder.reference} configuration block, resolve
@@ -88,9 +91,9 @@ module MU
         # @return [String]
         def self.resolveParent(parentblock, credentials: nil)
           my_org = MU::Cloud::Google.getOrg(credentials)
-          if !parentblock or parentblock['id'] == my_org.name or
+          if my_org and (!parentblock or parentblock['id'] == my_org.name or
              parentblock['name'] == my_org.display_name or (parentblock['id'] and
-             "organizations/"+parentblock['id'] == my_org.name)
+             "organizations/"+parentblock['id'] == my_org.name))
             return my_org.name
           end
@@ -103,12 +106,12 @@ module MU
               name: parentblock['name']
             ).first
             if sib_folder
-              return "folders/"+sib_folder.cloudobj.cloud_id
+              return sib_folder.cloud_desc.name
             end
           end
           begin
-          found = MU::Cloud::Google::Folder.find(cloud_id: parentblock['id'], credentials: credentials, flags: { 'display_name' => parentblock['name'] })
+            found = MU::Cloud::Google::Folder.find(cloud_id: parentblock['id'], credentials: credentials, flags: { 'display_name' => parentblock['name'] })
           rescue ::Google::Apis::ClientError => e
             if !e.message.match(/Invalid request status_code: 404/)
               raise e
@@ -123,11 +126,14 @@ module MU
         end
         # Return the cloud descriptor for the Folder
+        # @return [Google::Apis::Core::Hashable]
         def cloud_desc
-          MU::Cloud::Google::Folder.find(cloud_id: @cloud_id).values.first
+          @cached_cloud_desc ||= MU::Cloud::Google::Folder.find(cloud_id: @cloud_id, credentials: @config['credentials']).values.first
+          @habitat_id ||= @cached_cloud_desc.parent.sub(/^(folders|organizations)\//, "")
+          @cached_cloud_desc
         end
-        # Return the metadata for this project's configuration
+        # Return the metadata for this folders's configuration
         # @return [Hash]
         def notify
           desc = MU.structToHash(MU::Cloud::Google.folder(credentials: @config['credentials']).get_folder("folders/"+@cloud_id))
@@ -147,7 +153,7 @@ module MU
         # Denote whether this resource implementation is experiment, ready for
         # testing, or ready for production use.
         def self.quality
-          MU::Cloud::BETA
+          MU::Cloud::RELEASE
         end
         # Remove all Google projects associated with the currently loaded deployment. Try to, anyway.
@@ -158,54 +164,70 @@ module MU
           # We can't label GCP folders, and their names are too short to encode
           # Mu deploy IDs, so all we can do is rely on flags['known'] passed in
           # from cleanup, which relies on our metadata to know what's ours.
+#noop = true
           if flags and flags['known']
+            threads = []
             flags['known'].each { |cloud_id|
-              found = self.find(cloud_id: cloud_id, credentials: credentials)
-              if found.size > 0 and found.values.first.lifecycle_state == "ACTIVE"
-                MU.log "Deleting folder #{found.values.first.display_name} (#{found.keys.first})"
-                if !noop
-                  max_retries = 10
-                  retries = 0
-                  success = false
-                  begin
-                    MU::Cloud::Google.folder(credentials: credentials).delete_folder(
-                      "folders/"+found.keys.first
-                    )
-                    found = self.find(cloud_id: cloud_id, credentials: credentials)
-                    if found and found.size > 0 and found.values.first.lifecycle_state != "DELETE_REQUESTED"
-                      if retries < max_retries
+              threads << Thread.new {
+                found = self.find(cloud_id: cloud_id, credentials: credentials)
+                if found.size > 0 and found.values.first.lifecycle_state == "ACTIVE"
+                  MU.log "Deleting folder #{found.values.first.display_name} (#{found.keys.first})"
+                  if !noop
+                    max_retries = 10
+                    retries = 0
+                    success = false
+                    begin
+                      MU::Cloud::Google.folder(credentials: credentials).delete_folder(
+                        "folders/"+found.keys.first
+                      )
+                      found = self.find(cloud_id: cloud_id, credentials: credentials)
+                      if found and found.size > 0 and found.values.first.lifecycle_state != "DELETE_REQUESTED"
+                        if retries < max_retries
+                          sleep 30
+                          retries += 1
+                          puts retries
+                        else
+                          MU.log "Folder #{cloud_id} still exists after #{max_retries.to_s} attempts to delete", MU::ERR
+                          break
+                        end
+                      else
+                        success = true
+                      end
+                    rescue ::Google::Apis::ClientError => e
+# XXX maybe see if the folder has disappeared already?
+# XXX look for child folders that haven't been deleted, that's what this tends
+# to mean
+                      if e.message.match(/failedPrecondition/) and retries < max_retries
                         sleep 30
                         retries += 1
-                        puts retries
+                        retry
                       else
-                        MU.log "Folder #{cloud_id} still exists after #{max_retries.to_s} attempts to delete", MU::ERR
+                        MU.log "Got 'failedPrecondition' a bunch while trying to delete #{found.values.first.display_name} (#{found.keys.first})", MU::ERR
                         break
                       end
-                    else
-                      success = true
-                    end
-                  rescue ::Google::Apis::ClientError => e
-                    if e.message.match(/failedPrecondition/) and retries < max_retries
-                      sleep 30
-                      retries += 1
-                      retry
-                    else
-                      raise e
-                    end
-                  end while !success
+                    end while !success
+                  end
                 end
-              end
+              }
+            }
+            threads.each { |t|
+              t.join
             }
           end
         end
-        # Locate an existing project
-        # @param cloud_id [String]: The cloud provider's identifier for this resource.
-        # @param flags [Hash]: Optional flags
-        # @return [OpenStruct]: The cloud provider's complete descriptions of matching project
-        def self.find(cloud_id: nil, credentials: nil, flags: {}, tag_key: nil, tag_value: nil)
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
           found = {}
           # Recursively search a GCP folder hierarchy for a folder matching our
@@ -227,33 +249,88 @@ module MU
             nil
           end
-          if cloud_id
-            found[cloud_id.sub(/^folders\//, "")] = MU::Cloud::Google.folder(credentials: credentials).get_folder("folders/"+cloud_id.sub(/^folders\//, ""))
-          elsif flags['display_name']
-            parent = if flags['parent_id']
-              flags['parent_id']
-            else
-              my_org = MU::Cloud::Google.getOrg(credentials)
-              my_org.name
-            end
+          parent = if args[:flags] and args[:flags]['parent_id']
+            args[:flags]['parent_id']
+          else
+            my_org = MU::Cloud::Google.getOrg(args[:credentials])
+            my_org.name
+          end
+          if args[:cloud_id]
+            raw_id = args[:cloud_id].sub(/^folders\//, "")
+            resp = MU::Cloud::Google.folder(credentials: args[:credentials]).get_folder("folders/"+raw_id)
+            found[resp.name] = resp if resp
+          elsif args[:flags] and args[:flags]['display_name']
             if parent
-              resp = self.find_matching_folder(parent, name: flags['display_name'], credentials: credentials)
+              resp = self.find_matching_folder(parent, name: args[:flags]['display_name'], credentials: args[:credentials])
               if resp
-                found[resp.name.sub(/^folders\//, "")] = resp
+                found[resp.name] = resp
               end
             end
+          else
+            resp = MU::Cloud::Google.folder(credentials: args[:credentials]).list_folders(parent: parent)
+            if resp and resp.folders
+              resp.folders.each { |folder|
+                next if folder.lifecycle_state == "DELETE_REQUESTED"
+                found[folder.name] = folder
+                # recurse so that we'll pick up child folders
+                children = self.find(
+                  credentials: args[:credentials],
+                  flags: { 'parent_id' => folder.name }
+                )
+                if !children.nil? and !children.empty?
+                  found.merge!(children)
+                end
+              }
+            end
           end
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+          bok = {
+            "cloud" => "Google",
+            "credentials" => @config['credentials']
+          }
+          bok['display_name'] = cloud_desc.display_name
+          bok['cloud_id'] = cloud_desc.name
+          bok['name'] = cloud_desc.display_name#+bok['cloud_id'] # only way to guarantee uniqueness
+          if cloud_desc.parent.match(/^folders\/(.*)/)
+MU.log bok['display_name']+" generating reference", MU::NOTICE, details: cloud_desc.parent
+            bok['parent'] = MU::Config::Ref.get(
+              id: cloud_desc.parent,
+              cloud: "Google",
+              credentials: @config['credentials'],
+              type: "folders"
+            )
+          elsif rootparent
+            bok['parent'] = {
+              'id' => rootparent.is_a?(String) ? rootparent : rootparent.cloud_desc.name
+            }
+          else
+            bok['parent'] = { 'id' => cloud_desc.parent }
+          end
+          bok
+        end
         # Cloud-specific configuration properties.
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
           toplevel_required = []
           schema = {
+            "display_name" => {
+              "type" => "string",
+              "description" => "The +display_name+ field of this folder, specified only if we want it to be something other than the automatically-generated string derived from the +name+ field.",
+            }
           }
           [toplevel_required, schema]
         end
@@ -266,7 +343,7 @@ module MU
           ok = true
           if !MU::Cloud::Google.getOrg(folder['credentials'])
-            MU.log "Cannot manage Google Cloud projects in environments without an organization. See also: https://cloud.google.com/resource-manager/docs/creating-managing-organization", MU::ERR
+            MU.log "Cannot manage Google Cloud folders in environments without an organization", MU::ERR
             ok = false
           end

data/modules/mu/clouds/google/group.rb CHANGED

@@ -17,36 +17,102 @@ module MU
     class Google
       # A group as configured in {MU::Config::BasketofKittens::groups}
       class Group < MU::Cloud::Group
-        @deploy = nil
-        @config = nil
-        attr_reader :mu_name
-        attr_reader :config
-        attr_reader :cloud_id
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::groups}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          @cloud_id ||= cloud_id
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like <tt>@vpc</tt>, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
         # Called automatically by {MU::Deploy#createResources}
         def create
-          bind_group
+          if !@config['external']
+            if !@config['email']
+              domains = MU::Cloud::Google.admin_directory(credentials: @credentials).list_domains(@customer)
+              @config['email'] = @mu_name.downcase+"@"+domains.domains.first.domain_name
+            end
+            group_obj = MU::Cloud::Google.admin_directory(:Group).new(
+              name: @mu_name,
+              email: @config['email'],
+              description: @deploy.deploy_id
+            )
+            MU.log "Creating group #{@mu_name}", details: group_obj
+            resp = MU::Cloud::Google.admin_directory(credentials: @credentials).insert_group(group_obj)
+            @cloud_id = resp.email
+            MU::Cloud::Google::Role.bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'])
+          else
+            @cloud_id = @config['name'].sub(/@.*/, "")+"@"+@config['domain']
+          end
         end
         # Called automatically by {MU::Deploy#createResources}
         def groom
-          bind_group
+          MU::Cloud::Google::Role.bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'], debug: true)
+          if @config['members']
+            resolved_desired = []
+            @config['members'].each { |m|
+              sibling_user = @deploy.findLitterMate(name: m, type: "users")
+              usermail = if sibling_user
+                sibling_user.cloud_id
+              elsif !m.match(/@/)
+                domains = MU::Cloud::Google.admin_directory(credentials: @credentials).list_domains(@customer)
+                m+"@"+domains.domains.first.domain_name
+              else
+                m
+              end
+              resolved_desired << usermail
+              next if members.include?(usermail)
+              MU.log "Adding user #{usermail} to group #{@mu_name}"
+              MU::Cloud::Google.admin_directory(credentials: @credentials).insert_member(
+                @cloud_id,
+                MU::Cloud::Google.admin_directory(:Member).new(
+                  email: usermail
+                )
+              )
+            }
+            deletia = members - resolved_desired
+            deletia.each { |m|
+              MU.log "Removing user #{m} from group #{@mu_name}", MU::NOTICE
+              MU::Cloud::Google.admin_directory(credentials: @credentials).delete_member(@cloud_id, m)
+            }
+            # Theoretically there can be a delay
+            begin
+              if members.sort != resolved_desired.sort
+                sleep 3
+              end
+            end while members.sort != resolved_desired.sort
+          end
+        end
+        # Retrieve a list of users (by cloud id) of this group
+        def members
+          resp = MU::Cloud::Google.admin_directory(credentials: @credentials).list_members(@cloud_id)
+          members = []
+          if resp and resp.members
+            members = resp.members.map { |m| m.email }
+# XXX reject status != "ACTIVE" ?
+          end
+          members
         end
         # Return the metadata for this group configuration
         # @return [Hash]
         def notify
-          {
-          }
+          if !@config['external']
+            base = MU.structToHash(cloud_desc)
+          end
+          base ||= {}
+          base
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or
@@ -56,10 +122,18 @@ module MU
           true
         end
+        # Return the list of "container" resource types in which this resource
+        # can reside. The list will include an explicit nil if this resource
+        # can exist outside of any container.
+        # @return [Array<Symbol,nil>]
+        def self.canLiveIn
+          [nil]
+        end
         # Denote whether this resource implementation is experiment, ready for
         # testing, or ready for production use.
         def self.quality
-          MU::Cloud::ALPHA
+          MU::Cloud::BETA
         end
         # Remove all groups associated with the currently loaded deployment.
@@ -68,19 +142,90 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          my_domains = MU::Cloud::Google.getDomains(credentials)
+          my_org = MU::Cloud::Google.getOrg(credentials)
+          if my_org
+            groups = MU::Cloud::Google.admin_directory(credentials: credentials).list_groups(customer: MU::Cloud::Google.customerID(credentials)).groups
+            if groups
+              groups.each { |group|
+                if group.description == MU.deploy_id
+                  MU.log "Deleting group #{group.name} from #{my_org.display_name}", details: group
+                  if !noop
+                    MU::Cloud::Google.admin_directory(credentials: credentials).delete_group(group.id)
+                  end
+                end
+              }
+            end
+          end
+          if flags['known']
+            flags['known'].each { |group|
+              MU::Cloud::Google::Role.removeBindings("group", group, credentials: credentials, noop: noop)
+            }
+          end
         end
-        # Locate an existing group group.
-        # @param cloud_id [String]: The cloud provider's identifier for this resource.
-        # @param region [String]: The cloud provider region.
-        # @param flags [Hash]: Optional flags
-        # @return [OpenStruct]: The cloud provider's complete descriptions of matching group group.
-        def self.find(cloud_id: nil, region: MU.curRegion, credentials: nil, flags: {}, tag_key: nil, tag_value: nil)
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          found = nil
+        # Locate and return cloud provider descriptors of this resource type
+        # which match the provided parameters, or all visible resources if no
+        # filters are specified. At minimum, implementations of +find+ must
+        # honor +credentials+ and +cloud_id+ arguments. We may optionally
+        # support other search methods, such as +tag_key+ and +tag_value+, or
+        # cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching resources
+        def self.find(**args)
+          found = {}
+          # The API treats the email address field as its main identifier, so
+          # we'll go ahead and respect that.
+          if args[:cloud_id]
+            begin
+              resp = MU::Cloud::Google.admin_directory(credentials: args[:credentials]).get_group(args[:cloud_id])
+              found[resp.email] = resp if resp
+            rescue ::Google::Apis::ClientError => e
+              raise e if !e.message.match(/forbidden: /)
+            end
+          else
+            resp = MU::Cloud::Google.admin_directory(credentials: args[:credentials]).list_groups(customer: MU::Cloud::Google.customerID(args[:credentials]))
+            if resp and resp.groups
+              found = Hash[resp.groups.map { |g| [g.email, g] }]
+            end
+          end
+# XXX what about Google Groups groups and other external groups? Where do we fish for those? Do we even need to?
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+          bok = {
+            "cloud" => "Google",
+            "credentials" => @config['credentials']
+          }
+          bok['name'] = cloud_desc.name
+          bok['cloud_id'] = cloud_desc.email
+          bok['members'] = members
+          bok['members'].each { |m|
+            m = MU::Config::Ref.get(
+              id: m,
+              cloud: "Google",
+              credentials: @config['credentials'],
+              type: "users"
+            )
+          }
+          group_roles = MU::Cloud::Google::Role.getAllBindings(@config['credentials'])["by_entity"]
+          if group_roles["group"] and group_roles["group"][bok['cloud_id']] and
+             group_roles["group"][bok['cloud_id']].size > 0
+            bok['roles'] = MU::Cloud::Google::Role.entityBindingsToSchema(group_roles["group"][bok['cloud_id']], credentials: @config['credentials'])
+          end
+          bok
+       end
         # Cloud-specific configuration properties.
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
@@ -89,20 +234,32 @@ module MU
           schema = {
             "name" => {
               "type" => "string",
-              "description" => "This must be the email address of an existing Google Group (+foo@googlegroups.com+), or of a federated GSuite or Cloud Identity domain group from your organization."
+              "description" => "This can include an optional @domain component (<tt>foo@example.com</tt>).
+If the domain portion is not specified, and we manage exactly one GSuite or Cloud Identity domain, we will attempt to create the group in that domain.
+If we do not manage any domains, and none are specified, we will assume <tt>@googlegroups.com</tt> for the domain and attempt to bind an existing external Google Group to roles under our jurisdiction.
+If the domain portion is specified, and our credentials can manage that domain via GSuite or Cloud Identity, we will attempt to create the group in that domain.
+If it is a domain we do not manage, we will attempt to bind an existing external group from that domain to roles under our jurisdiction.
+If we are binding (rather than creating) a group and no roles are specified, we will default to +roles/viewer+ at the organization scope. If our credentials do not manage an organization, we will grant this role in our default project.
+"
+            },
+            "domain" => {
+              "type" => "string",
+              "description" => "The domain from which the group originates or in which it should be created. This can instead be embedded in the {name} field: +foo@example.com+."
             },
+            "external" => {
+              "type" => "boolean",
+              "description" => "Explicitly flag this group as originating from an external domain. This should always autodetect correctly."
+            },
             "roles" => {
               "type" => "array",
-              "description" => "One or more Google IAM roles to associate with this group.",
-              "default" => ["roles/viewer"],
-              "items" => {
-                "type" => "string",
-                "description" => "One or more Google IAM roles to associate with this group. Google Cloud groups are not created directly; pre-existing Google Groups are associated with a project by being bound to one or more roles in that project. If no roles are specified, we default to +roles/viewer+, which permits read-only access project-wide."
-              }
-            },
-            "project" => {
-              "type" => "string",
-              "description" => "The project into which to deploy resources"
+              "items" => MU::Cloud::Google::Role.ref_schema
             }
           }
           [toplevel_required, schema]
@@ -114,64 +271,97 @@ module MU
         # @return [Boolean]: True if validation succeeded, False otherwise
         def self.validateConfig(group, configurator)
           ok = true
-          if group['members'] and group['members'].size > 0 and
-             !$MU_CFG['google']['masquerade_as']
-            MU.log "Cannot change Google group memberships in non-GSuite environments.\nVisit https://groups.google.com to manage groups.", MU::ERR
-            ok = false
-          end
-          ok
-        end
+          my_domains = MU::Cloud::Google.getDomains(group['credentials'])
+          my_org = MU::Cloud::Google.getOrg(group['credentials'])
-        private
+          if group['name'].match(/@(.*+)$/)
+            domain = Regexp.last_match[1].downcase
+            if domain and group['domain'] and domain != group['domain'].downcase
+              MU.log "Group #{group['name']} had a domain component, but the domain field was also specified (#{group['domain']}) and they don't match."
+              ok = false
+            end
+            group['domain'] = domain
+            if !my_domains or !my_domains.include?(domain)
+              group['external'] = true
-        def bind_group
-          bindings = []
-          ext_policy = MU::Cloud::Google.resource_manager(credentials: @config['credentials']).get_project_iam_policy(
-            @config['project']
-          )
-          change_needed = false
-          @config['roles'].each { |role|
-            seen = false
-            ext_policy.bindings.each { |b|
-              if b.role == role
-                seen = true
-                if !b.members.include?("user:"+@config['name'])
-                  change_needed = true
-                  b.members << "group:"+@config['name']
+              if !["googlegroups.com", "google.com"].include?(domain)
+                MU.log "#{group['name']} appears to be a member of a domain that our credentials (#{group['credentials']}) do not manage; attempts to grant access for this group may fail!", MU::WARN
+              end
+              if !group['roles'] or group['roles'].empty?
+                group['roles'] = [
+                  {
+                    "role" => {
+                      "id" => "roles/viewer"
+                    }
+                  }
+                ]
+                if my_org
+                  group['roles'][0]["organizations"] = [my_org.name]
+                else
+                  group['roles'][0]["projects"] = {
+                    "id" => group["project"]
+                  }
                 end
+                MU.log "External Google group specified with no role binding, will grant 'viewer' in #{my_org ? "organization #{my_org.display_name}" : "project #{group['project']}"}", MU::WARN
               end
-            }
-            if !seen
-              ext_policy.bindings << MU::Cloud::Google.resource_manager(:Binding).new(
-                role: role,
-                members: ["group:"+@config['name']]
-              )
-              change_needed = true
             end
-          }
+          else
+            if !group['domain']
+              if my_domains.size == 1
+                group['domain'] = my_domains.first
+              elsif my_domains.size > 1
+                MU.log "Google interactive User #{group['name']} did not specify a domain, and we have multiple defaults available. Must specify exactly one.", MU::ERR, details: my_domains
+                ok = false
+              else
+                group['domain'] = "googlegroups.com"
+              end
+            end
+          end
-          if change_needed
-            req_obj = MU::Cloud::Google.resource_manager(:SetIamPolicyRequest).new(
-              policy: ext_policy
-            )
-            MU.log "Adding group #{@config['name']} to Google Cloud project #{@config['project']}", details: @config['roles']
-            begin
-              MU::Cloud::Google.resource_manager(credentials: @config['credentials']).set_project_iam_policy(
-                @config['project'],
-                req_obj
-              )
-            rescue ::Google::Apis::ClientError => e
-              if e.message.match(/does not exist/i) and !MU::Cloud::Google.credConfig(@config['credentials'])['masquerade_as']
-                raise MuError, "Group #{@config['name']} does not exist, and we cannot create Google groups in non-GSuite environments.\nVisit https://groups.google.com to manage groups."
-              end
-              raise e
+          credcfg = MU::Cloud::Google.credConfig(group['credentials'])
+          if group['external'] and group['members']
+            MU.log "Cannot manage memberships for external group #{group['name']}", MU::ERR
+            if group['domain'] == "googlegroups.com"
+              MU.log "Visit https://groups.google.com to manage Google Groups.", MU::ERR
             end
+            ok = false
           end
+          if group['members']
+            group['members'].each { |m|
+              if configurator.haveLitterMate?(m, "users")
+                group['dependencies'] ||= []
+                group['dependencies'] << {
+                  "name" => m,
+                  "type" => "user"
+                }
+              end
+            }
+          end
+          if group['roles']
+            group['roles'].each { |r|
+              if r['role'] and r['role']['name'] and
+                 (!r['role']['deploy_id'] and !r['role']['id'])
+                group['dependencies'] ||= []
+                group['dependencies'] << {
+                  "type" => "role",
+                  "name" => r['role']['name']
+                }
+              end
+            }
+          end
+          ok
         end
+        private
       end
     end
   end