cloud-mu 3.1.2 → 3.2.0

data/modules/mu/config/notifier.rb

@@ -14,7 +14,7 @@
 
 module MU
   class Config
-    # Basket of Kittens config schema and parser logic. See modules/mu/clouds/*/notifier.rb
+    # Basket of Kittens config schema and parser logic. See modules/mu/providers/*/notifier.rb
     class Notifier
 
       # Base configuration schema for a Notifier
@@ -51,9 +51,9 @@ module MU
 
       # Generic pre-processing of {MU::Config::BasketofKittens::notifiers}, bare and unvalidated.
       # @param notifier [Hash]: The resource to process and validate
-      # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+      # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
       # @return [Boolean]: True if validation succeeded, False otherwise
-      def self.validate(notifier, configurator)
+      def self.validate(notifier, _configurator)
         ok = true
 
         if notifier['subscriptions']

data/modules/mu/config/ref.rb

@@ -0,0 +1,365 @@
+# Copyright:: Copyright (c) 2020 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+
+  # Methods and structures for parsing Mu's configuration files. See also {MU::Config::BasketofKittens}.
+  class Config
+
+    # A wrapper class for resources to refer to other resources, whether they
+    # be a sibling object in the current deploy, an object in another deploy,
+    # or a plain cloud id from outside of Mu.
+    class Ref
+      attr_reader :name 
+      attr_reader :type 
+      attr_reader :cloud 
+      attr_reader :deploy_id 
+      attr_reader :region 
+      attr_reader :credentials 
+      attr_reader :habitat
+      attr_reader :mommacat
+      attr_reader :tag_key 
+      attr_reader :tag_value
+      attr_reader :obj 
+
+      @@refs = []
+      @@ref_semaphore = Mutex.new
+
+      # Little bit of a factory pattern... given a hash of options for a {MU::Config::Ref} objects, first see if we have an existing one that matches our more immutable attributes (+cloud+, +id+, etc). If we do, return that. If we do not, create one, add that to our inventory, and return that instead.
+      # @param cfg [Hash]: 
+      # @return [MU::Config::Ref]
+      def self.get(cfg)
+        return cfg if cfg.is_a?(MU::Config::Ref)
+        checkfields = cfg.keys.map { |k| k.to_sym }
+        required = [:id, :type]
+
+        @@ref_semaphore.synchronize {
+          @@refs.each { |ref|
+            saw_mismatch = false
+            saw_match = false
+            needed_values = []
+            checkfields.each { |field|
+              next if !cfg[field]
+              ext_value = ref.instance_variable_get("@#{field.to_s}".to_sym)
+              if !ext_value
+                needed_values << field
+                next
+              end
+              if cfg[field] != ext_value
+                saw_mismatch = true
+              elsif required.include?(field) and cfg[field] == ext_value
+                saw_match = true
+              end
+            }
+            if saw_match and !saw_mismatch
+              # populate empty fields we got from this request
+              if needed_values.size > 0
+                newref = ref.dup
+                needed_values.each { |field|
+                  newref.instance_variable_set("@#{field.to_s}".to_sym, cfg[field])
+                  if !newref.respond_to?(field)
+                    newref.singleton_class.instance_eval { attr_reader field.to_sym }
+                  end
+                }
+                @@refs << newref
+                return newref
+              else
+                return ref
+              end
+            end
+          }
+
+        }
+
+        # if we get here, there was no match
+        newref = MU::Config::Ref.new(cfg)
+        @@ref_semaphore.synchronize {
+          @@refs << newref
+          return newref
+        }
+      end
+
+      # A way of dynamically defining +attr_reader+ without leaking memory
+      def self.define_reader(name)
+        define_method(name) {
+          instance_variable_get("@#{name.to_s}")
+        }
+      end
+
+      # @param cfg [Hash]: A Basket of Kittens configuration hash containing
+      # lookup information for a cloud object
+      def initialize(cfg)
+        cfg.keys.each { |field|
+          next if field == "tag"
+          if !cfg[field].nil?
+            self.instance_variable_set("@#{field}".to_sym, cfg[field])
+          elsif !cfg[field.to_sym].nil?
+            self.instance_variable_set("@#{field.to_s}".to_sym, cfg[field.to_sym])
+          end
+          MU::Config::Ref.define_reader(field)
+        }
+        if cfg['tag'] and cfg['tag']['key'] and
+           !cfg['tag']['key'].empty? and cfg['tag']['value']
+          @tag_key = cfg['tag']['key']
+          @tag_value = cfg['tag']['value']
+        end
+
+        if @deploy_id and !@mommacat
+          @mommacat = MU::MommaCat.getLitter(@deploy_id, set_context_to_me: false)
+        elsif @mommacat and !@deploy_id
+          @deploy_id = @mommacat.deploy_id
+        end
+
+        kitten(shallow: true) if @mommacat # try to populate the actual cloud object for this
+      end
+
+      # Comparison operator
+      def <=>(other)
+        return 1 if other.nil?
+        self.to_s <=> other.to_s
+      end
+
+      # Lets callers access us like a {Hash}
+      # @param attribute [String,Symbol]
+      def [](attribute)
+        if respond_to?(attribute.to_sym)
+          send(attribute.to_sym)
+        else
+          nil
+        end
+      end
+
+      # Unset an attribute. Sort of. We can't actually do that, so nil it out
+      # and we get the behavior we want.
+      def delete(attribute)
+        attribute = ("@"+attribute).to_sym if attribute.to_s !~ /^@/
+        instance_variable_set(attribute.to_sym, nil)
+      end
+
+      # Base configuration schema for declared kittens referencing other cloud objects. This is essentially a set of filters that we're going to pass to {MU::MommaCat.findStray}.
+      # @param aliases [Array<Hash>]: Key => value mappings to set backwards-compatibility aliases for attributes, such as the ubiquitous +vpc_id+ (+vpc_id+ => +id+).
+      # @return [Hash]
+      def self.schema(aliases = [], type: nil, parent_obj: nil, desc: nil, omit_fields: [])
+        parent_obj ||= caller[1].gsub(/.*?\/([^\.\/]+)\.rb:.*/, '\1')
+        desc ||= "Reference a #{type ? "'#{type}' resource" : "resource" } from this #{parent_obj ? "'#{parent_obj}'" : "" } resource"
+        schema = {
+          "type" => "object",
+          "#MU_REFERENCE" => true,
+          "minProperties" => 1,
+          "description" => desc,
+          "properties" => {
+            "id" => {
+              "type" => "string",
+              "description" => "Cloud identifier of a resource we want to reference, typically used when leveraging resources not managed by MU"
+            },
+            "name" => {
+              "type" => "string",
+              "description" => "The short (internal Mu) name of a resource we're attempting to reference. Typically used when referring to a sibling resource elsewhere in the same deploy, or in another known Mu deploy in conjunction with +deploy_id+."
+            },
+            "type" => {
+              "type" => "string",
+              "description" => "The resource type we're attempting to reference.",
+              "enum" => MU::Cloud.resource_types.values.map { |t| t[:cfg_plural] }
+            },
+            "deploy_id" => {
+              "type" => "string",
+              "description" => "Our target resource should be found in this Mu deploy."
+            },
+            "credentials" => MU::Config.credentials_primitive,
+            "region" => MU::Config.region_primitive,
+            "cloud" => MU::Config.cloud_primitive,
+            "tag" => {
+              "type" => "object",
+              "description" => "If the target resource supports tagging and our resource implementations +find+ method supports it, we can attempt to locate it by tag.",
+              "properties" => {
+                "key" => {
+                  "type" => "string",
+                  "description" => "The tag or label key to search against"
+                },
+                "value" => {
+                  "type" => "string",
+                  "description" => "The tag or label value to match"
+                }
+              }
+            }
+          }
+        }
+        if !["folders", "habitats"].include?(type)
+          schema["properties"]["habitat"] = MU::Config::Habitat.reference
+        end
+
+        if omit_fields
+          omit_fields.each { |f|
+            schema["properties"].delete(f)
+          }
+        end
+
+        if !type.nil?
+          schema["required"] = ["type"]
+          schema["properties"]["type"]["default"] = type
+          schema["properties"]["type"]["enum"] = [type]
+        end
+
+        aliases.each { |a|
+          a.each_pair { |k, v|
+            if schema["properties"][v]
+              schema["properties"][k] = schema["properties"][v].dup
+              schema["properties"][k]["description"] = "Alias for <tt>#{v}</tt>"
+            else
+              MU.log "Reference schema alias #{k} wants to alias #{v}, but no such attribute exists", MU::WARN, details: caller[4]
+            end
+          }
+        }
+
+        schema
+      end
+
+      # Decompose into a plain-jane {MU::Config::BasketOfKittens} hash fragment,
+      # of the sort that would have been used to declare this reference in the
+      # first place.
+      def to_h
+        me = { }
+
+        self.instance_variables.each { |var|
+          next if [:@obj, :@mommacat, :@tag_key, :@tag_value].include?(var)
+          val = self.instance_variable_get(var)
+          next if val.nil?
+          val = val.to_h if val.is_a?(MU::Config::Ref)
+          me[var.to_s.sub(/^@/, '')] = val
+        }
+        if @tag_key and !@tag_key.empty?
+          me['tag'] = {
+            'key' => @tag_key,
+            'value' => @tag_value
+          }
+        end
+        me
+      end
+
+      # Getter for the #{id} instance variable that attempts to populate it if
+      # it's not set.
+      # @return [String,nil]
+      def id
+        return @id if @id
+        kitten # if it's not defined, attempt to define it
+        @id
+      end
+
+      # Alias for {id}
+      # @return [String,nil]
+      def cloud_id
+        id
+      end
+
+      # Return a {MU::Cloud} object for this reference. This is only meant to be
+      # called in a live deploy, which is to say that if called during initial
+      # configuration parsing, results may be incorrect.
+      # @param mommacat [MU::MommaCat]: A deploy object which will be searched for the referenced resource if provided, before restoring to broader, less efficient searches.
+      def kitten(mommacat = @mommacat, shallow: false, debug: false)
+        return nil if !@cloud or !@type
+        loglevel = debug ? MU::NOTICE : MU::DEBUG
+
+        if @obj
+          @deploy_id ||= @obj.deploy_id
+          @id ||= @obj.cloud_id
+          @name ||= @obj.config['name'] if @obj.config
+          return @obj
+        end
+
+        if mommacat and !caller.grep(/`findLitterMate'/) # XXX the dumbest
+          MU.log "Looking for #{@type} #{@name} #{@id} in deploy #{mommacat.deploy_id}", loglevel
+          begin
+            @obj = mommacat.findLitterMate(type: @type, name: @name, cloud_id: @id, credentials: @credentials, debug: debug)
+          rescue StandardError => e
+            if e.message =~ /deadlock/
+              MU.log "Saw a recursive deadlock trying to fetch kitten for Ref object in deploy #{mmommacat.deploy_id}", MU::ERR, details: to_h
+            end
+            raise e
+          end
+          if @obj # initialize missing attributes, if we can
+            @id ||= @obj.cloud_id
+            @mommacat ||= mommacat
+            @obj.intoDeploy(@mommacat) # make real sure these are set
+            @deploy_id ||= mommacat.deploy_id
+
+            if !@name
+              if @obj.config and @obj.config['name']
+                @name = @obj.config['name']
+              elsif @obj.mu_name
+if @type == "folders"
+MU.log "would assign name '#{@obj.mu_name}' in ref to this folder if I were feeling aggressive", MU::WARN, details: self.to_h
+end
+#                @name = @obj.mu_name
+              end
+            end
+            return @obj
+          else
+#            MU.log "Failed to find a live '#{@type.to_s}' object named #{@name}#{@id ? " (#{@id})" : "" }#{ @habitat ? " in habitat #{@habitat}" : "" }", MU::WARN, details: self
+          end
+        end
+
+        if !@obj and !(@cloud == "Google" and @id and @type == "users" and MU::Cloud.resourceClass("Google", "User").cannedServiceAcctName?(@id)) and !shallow
+          try_deploy_id = @deploy_id
+
+          begin
+            hab_arg = if @habitat.nil?
+              [nil]
+            elsif @habitat.is_a?(MU::Config::Ref)
+              [@habitat.id]
+            elsif @habitat.is_a?(Hash)
+              [@habitat["id"]]
+            else
+              [@habitat.to_s]
+            end
+
+            found = MU::MommaCat.findStray(
+              @cloud,
+              @type,
+              name: @name,
+              cloud_id: @id,
+              deploy_id: try_deploy_id,
+              region: @region,
+              habitats: hab_arg,
+              credentials: @credentials,
+              dummy_ok: (["habitats", "folders", "users", "groups", "vpcs"].include?(@type))
+            )
+            @obj ||= found.first if found
+          rescue MU::MommaCat::MultipleMatches => e
+            if try_deploy_id.nil? and MU.deploy_id
+              MU.log "Attempting to narrow down #{@cloud} #{@type} to #{MU.deploy_id}", MU::NOTICE
+              try_deploy_id = MU.deploy_id
+              retry
+            else
+              raise e
+            end
+          rescue ThreadError => e
+            # Sometimes MommaCat calls us in a potential deadlock situation;
+            # don't be the cause of a fatal error if so, we don't need this
+            # object that badly.
+            raise e if !e.message.match(/recursive locking/)
+          end
+        end
+
+        if @obj
+          @deploy_id ||= @obj.deploy_id
+          @id ||= @obj.cloud_id
+          @name ||= @obj.config['name']
+        end
+
+        @obj
+      end
+
+    end
+  end
+end

data/modules/mu/config/role.rb

@@ -14,7 +14,7 @@
 
 module MU
   class Config
-    # Basket of Kittens config schema and parser logic. See modules/mu/clouds/*/role.rb
+    # Basket of Kittens config schema and parser logic. See modules/mu/providers/*/role.rb
     class Role
 
       # Base configuration schema for a Group
@@ -131,10 +131,10 @@ module MU
       end
 
       # Generic pre-processing of {MU::Config::BasketofKittens::role}, bare and unvalidated.
-      # @param role [Hash]: The resource to process and validate
-      # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+      # @param _role [Hash]: The resource to process and validate
+      # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
       # @return [Boolean]: True if validation succeeded, False otherwise
-      def self.validate(role, configurator)
+      def self.validate(_role, _configurator)
         ok = true
         ok
       end

data/modules/mu/config/schema_helpers.rb

@@ -0,0 +1,509 @@
+# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+
+  # Methods and structures for parsing Mu's configuration files. See also {MU::Config::BasketofKittens}.
+  class Config
+
+    # The default cloud provider for new resources. Must exist in MU.supportedClouds
+    # return [String]
+    def self.defaultCloud
+      configured = {}
+      MU::Cloud.supportedClouds.each { |cloud|
+        if $MU_CFG[cloud.downcase] and !$MU_CFG[cloud.downcase].empty?
+          configured[cloud] = $MU_CFG[cloud.downcase].size
+          configured[cloud] += 0.5 if MU::Cloud.cloudClass(cloud).hosted? # tiebreaker
+        end
+      }
+      if configured.size > 0
+        return configured.keys.sort { |a, b|
+          configured[b] <=> configured[a]
+        }.first
+      else
+        MU::Cloud.supportedClouds.each { |cloud|
+          return cloud if MU::Cloud.cloudClass(cloud).hosted?
+        }
+        return MU::Cloud.supportedClouds.first
+      end
+    end
+
+    # The default grooming agent for new resources. Must exist in MU.supportedGroomers.
+    def self.defaultGroomer
+      MU.localOnly ? "Ansible" : "Chef"
+    end
+
+    # Accessor for our Basket of Kittens schema definition
+    def self.schema
+      @@schema
+    end
+
+    # Deep merge a configuration hash so we can meld different cloud providers'
+    # schemas together, while preserving documentation differences
+    def self.schemaMerge(orig, new, cloud)
+      if new.is_a?(Hash)
+        new.each_pair { |k, v|
+          if cloud and k == "description" and v.is_a?(String) and !v.match(/\b#{Regexp.quote(cloud.upcase)}\b/) and !v.empty?
+            new[k] = "+"+cloud.upcase+"+: "+v
+          end
+          if orig and orig.has_key?(k)
+          elsif orig
+            orig[k] = new[k]
+          else
+            orig = new
+          end
+          schemaMerge(orig[k], new[k], cloud)
+        }
+      elsif orig.is_a?(Array) and new
+        orig.concat(new)
+        orig.uniq!
+      elsif new.is_a?(String)
+        orig ||= ""
+        orig += "\n" if !orig.empty? 
+        orig += "+#{cloud.upcase}+: "+new
+      else
+# XXX I think this is a NOOP?
+      end
+    end
+
+    @@allregions = []
+    @@loadfails = []
+    MU::Cloud.availableClouds.each { |cloud|
+      next if @@loadfails.include?(cloud)
+      begin
+        regions = MU::Cloud.cloudClass(cloud).listRegions()
+        @@allregions.concat(regions) if regions
+      rescue MU::MuError => e
+        @@loadfails << cloud
+        MU.log e.message, MU::WARN
+      end
+    }
+
+    # Configuration chunk for choosing a provider region
+    # @return [Hash]
+    def self.region_primitive
+      if !@@allregions or @@allregions.empty?
+        @@allregions = []
+        MU::Cloud.availableClouds.each { |cloud|
+          next if @@loadfails.include?(cloud)
+          cloudclass = MU::Cloud.cloudClass(cloud)
+          begin
+            return @@allregions if !cloudclass.listRegions()
+            @@allregions.concat(cloudclass.listRegions())
+          rescue MU::MuError => e
+            @@loadfails << cloud
+            MU.log e.message, MU::WARN
+          end
+        }
+      end
+      {
+        "type" => "string",
+        "enum" => @@allregions
+      }
+    end
+
+    # Configuration chunk for choosing a set of cloud credentials
+    # @return [Hash]
+    def self.credentials_primitive
+      {
+          "type" => "string",
+          "description" => "Specify a non-default set of credentials to use when authenticating to cloud provider APIs, as listed in `mu.yaml` under each provider's subsection. If "
+      }
+    end
+
+    # Configuration chunk for creating resource tags as an array of key/value
+    # pairs.
+    # @return [Hash]
+    def self.optional_tags_primitive
+      {
+        "type" => "boolean",
+        "description" => "Tag the resource with our optional tags (+MU-HANDLE+, +MU-MASTER-NAME+, +MU-OWNER+).",
+        "default" => true
+      }
+    end
+
+    # Configuration chunk for creating resource tags as an array of key/value
+    # pairs.
+    # @return [Hash]
+    def self.tags_primitive
+      {
+        "type" => "array",
+        "minItems" => 1,
+        "items" => {
+          "description" => "Tags to apply to this resource. Will apply at the cloud provider level and in node groomers, where applicable.",
+          "type" => "object",
+          "title" => "tags",
+          "required" => ["key", "value"],
+          "additionalProperties" => false,
+          "properties" => {
+            "key" => {
+              "type" => "string",
+            },
+            "value" => {
+              "type" => "string",
+            }
+          }
+        }
+      }
+    end
+
+    # Configuration chunk for choosing a cloud provider
+    # @return [Hash]
+    def self.cloud_primitive
+      {
+        "type" => "string",
+#        "default" => MU::Config.defaultCloud, # applyInheritedDefaults does this better
+        "enum" => MU::Cloud.supportedClouds
+      }
+    end
+
+
+    # JSON-schema for resource dependencies
+    # @return [Hash]
+    def self.dependencies_primitive
+      {
+        "type" => "array",
+        "items" => {
+          "type" => "object",
+          "description" => "Declare other objects which this resource requires. This resource will wait until the others are available to create itself.",
+          "required" => ["name", "type"],
+          "additionalProperties" => false,
+          "properties" => {
+            "name" => {"type" => "string"},
+            "type" => {
+              "type" => "string",
+              "enum" => MU::Cloud.resource_types.values.map { |v| v[:cfg_name] }
+            },
+            "phase" => {
+              "type" => "string",
+              "description" => "Which part of the creation process of the resource we depend on should we wait for before starting our own creation? Defaults are usually sensible, but sometimes you want, say, a Server to wait on another Server to be completely ready (through its groom phase) before starting up.",
+              "enum" => ["create", "groom"]
+            },
+            "no_create_wait" => {
+              "type" => "boolean",
+              "default" => false,
+              "description" => "By default, it's assumed that we want to wait on our parents' creation phase, in addition to whatever is declared in this stanza. Setting this flag will bypass waiting on our parent resource's creation, so that our create or groom phase can instead depend only on the parent's groom phase. "
+            }
+          }
+        }
+      }
+    end
+
+    # Have a default value available for config schema elements that take an
+    # email address.
+    # @return [String]
+    def self.notification_email 
+      if MU.chef_user == "mu"
+        ENV['MU_ADMIN_EMAIL']
+      else
+        MU.userEmail
+      end
+    end
+
+    # Load and validate the schema for an individual resource class, optionally
+    # merging cloud-specific schema components.
+    # @param type [String]: The resource type to load
+    # @param cloud [String]: A specific cloud, whose implementation's schema of this resource we will merge
+    # @return [Hash]
+    def self.loadResourceSchema(type, cloud: nil)
+      valid = true
+      shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(type)
+      schemaclass = Object.const_get("MU").const_get("Config").const_get(shortclass)
+
+      [:schema, :validate].each { |method|
+        if !schemaclass.respond_to?(method)
+          MU.log "MU::Config::#{type}.#{method.to_s} doesn't seem to be implemented", MU::ERR
+          return [nil, false] if method == :schema
+          valid = false
+        end
+      }
+
+      schema = schemaclass.schema.dup
+
+      schema["properties"]["virtual_name"] = {
+        "description" => "Internal use.",
+        "type" => "string"
+      }
+      schema["properties"]["dependencies"] = MU::Config.dependencies_primitive
+      schema["properties"]["cloud"] = MU::Config.cloud_primitive
+      schema["properties"]["credentials"] = MU::Config.credentials_primitive
+      schema["title"] = type.to_s
+
+      if cloud
+        cloudclass = MU::Cloud.resourceClass(cloud, type)
+
+        if cloudclass.respond_to?(:schema)
+          _reqd, cloudschema = cloudclass.schema
+          cloudschema.each { |key, cfg|
+            if schema["properties"][key]
+              schemaMerge(schema["properties"][key], cfg, cloud)
+            else
+              schema["properties"][key] = cfg.dup
+            end
+          }
+        else
+          MU.log "MU::Cloud::#{cloud}::#{type}.#{method.to_s} doesn't seem to be implemented", MU::ERR
+          valid = false
+        end
+
+      end
+
+      return [schema, valid]
+    end
+
+    private
+
+    def applySchemaDefaults(conf_chunk = config, schema_chunk = schema, depth = 0, siblings = nil, type: nil)
+      return if schema_chunk.nil?
+
+      if conf_chunk != nil and schema_chunk["properties"].kind_of?(Hash) and conf_chunk.is_a?(Hash)
+
+        if schema_chunk["properties"]["creation_style"].nil? or
+            schema_chunk["properties"]["creation_style"] != "existing"
+          schema_chunk["properties"].each_pair { |key, subschema|
+            shortclass = if conf_chunk[key]
+              shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(key, false)
+              shortclass
+            else
+              nil
+            end
+
+            new_val = applySchemaDefaults(conf_chunk[key], subschema, depth+1, conf_chunk, type: shortclass).dup
+            if !new_val.nil?
+              begin
+                conf_chunk[key] = Marshal.load(Marshal.dump(new_val))
+              rescue TypeError
+                conf_chunk[key] = new_val.clone
+              end
+            end
+          }
+        end
+      elsif schema_chunk["type"] == "array" and conf_chunk.kind_of?(Array)
+        conf_chunk.map! { |item|
+          # If we're working on a resource type, go get implementation-specific
+          # schema information so that we set those defaults correctly.
+          realschema = if type and schema_chunk["items"] and schema_chunk["items"]["properties"] and item["cloud"] and MU::Cloud.supportedClouds.include?(item['cloud'])
+
+            _toplevel_required, cloudschema = MU::Cloud.resourceClass(item["cloud"], type).schema(self)
+
+            newschema = schema_chunk["items"].dup
+            MU::Config.schemaMerge(newschema["properties"], cloudschema, item["cloud"])
+            newschema
+          else
+            schema_chunk["items"].dup
+          end
+
+          applySchemaDefaults(item, realschema, depth+1, conf_chunk, type: type).dup
+        }
+      else
+        if conf_chunk.nil? and !schema_chunk["default_if"].nil? and !siblings.nil?
+          schema_chunk["default_if"].each { |cond|
+            if siblings[cond["key_is"]] == cond["value_is"]
+              return Marshal.load(Marshal.dump(cond["set"]))
+            end
+          }
+        end
+        if conf_chunk.nil? and schema_chunk["default"] != nil
+          return Marshal.load(Marshal.dump(schema_chunk["default"]))
+        end
+      end
+
+      return conf_chunk
+    end
+
+    # Given a bare hash describing a resource, insert default values which can
+    # be inherited from its parent or from the root of the BoK.
+    # @param kitten [Hash]: A resource descriptor
+    # @param type [String]: The type of resource this is ("servers" etc)
+    def applyInheritedDefaults(kitten, type)
+      return if !kitten.is_a?(Hash)
+      kitten['cloud'] ||= @config['cloud']
+      kitten['cloud'] ||= MU::Config.defaultCloud
+
+      if !MU::Cloud.supportedClouds.include?(kitten['cloud'])
+        return
+      end
+
+      cloudclass = MU::Cloud.cloudClass(kitten['cloud'])
+
+      resclass = MU::Cloud.resourceClass(kitten['cloud'], type)
+
+      schema_fields = ["us_only", "scrub_mu_isms", "credentials", "billing_acct"]
+      if !resclass.isGlobal?
+        kitten['region'] ||= @config['region']
+        kitten['region'] ||= cloudclass.myRegion(kitten['credentials'])
+        schema_fields << "region"
+      end
+
+      kitten['credentials'] ||= @config['credentials']
+      kitten['credentials'] ||= cloudclass.credConfig(name_only: true)
+
+      kitten['us_only'] ||= @config['us_only']
+      kitten['us_only'] ||= false
+
+      kitten['scrub_mu_isms'] ||= @config['scrub_mu_isms']
+      kitten['scrub_mu_isms'] ||= false
+
+      if kitten['cloud'] == "Google"
+# TODO this should be cloud-generic (handle AWS accounts, Azure subscriptions)
+        if resclass.canLiveIn.include?(:Habitat)
+          kitten["project"] ||= MU::Cloud::Google.defaultProject(kitten['credentials'])
+          schema_fields << "project"
+        end
+        if kitten['region'].nil? and !kitten['#MU_CLOUDCLASS'].nil? and
+           !resclass.isGlobal? and
+           ![MU::Cloud::VPC, MU::Cloud::FirewallRule].include?(kitten['#MU_CLOUDCLASS'])
+          if MU::Cloud::Google.myRegion((kitten['credentials'])).nil?
+            raise ValidationError, "Google '#{type}' resource '#{kitten['name']}' declared without a region, but no default Google region declared in mu.yaml under #{kitten['credentials'].nil? ? "default" : kitten['credentials']} credential set" 
+          end
+          kitten['region'] ||= MU::Cloud::Google.myRegion
+        end
+      elsif kitten["cloud"] == "AWS" and !resclass.isGlobal? and !kitten['region']
+        if MU::Cloud::AWS.myRegion.nil?
+          raise ValidationError, "AWS resource declared without a region, but no default AWS region found"
+        end
+        kitten['region'] ||= MU::Cloud::AWS.myRegion
+      end
+
+
+      kitten['billing_acct'] ||= @config['billing_acct'] if @config['billing_acct']
+
+      kitten["dependencies"] ||= []
+
+      # Make sure the schema knows about these "new" fields, so that validation
+      # doesn't trip over them.
+      schema_fields.each { |field|
+        if @@schema["properties"][field]
+          MU.log "Adding #{field} to schema for #{type} #{kitten['cloud']}", MU::DEBUG, details: @@schema["properties"][field]
+          @@schema["properties"][type]["items"]["properties"][field] ||= @@schema["properties"][field]
+        end
+      }
+    end
+
+    CIDR_PATTERN = "^\\d+\\.\\d+\\.\\d+\\.\\d+\/[0-9]{1,2}$"
+    CIDR_DESCRIPTION = "CIDR-formatted IP block, e.g. 1.2.3.4/32"
+    CIDR_PRIMITIVE = {
+      "type" => "string",
+      "pattern" => CIDR_PATTERN,
+      "description" => CIDR_DESCRIPTION
+    }
+
+
+    @@schema = {
+      "$schema" => "http://json-schema.org/draft-04/schema#",
+      "title" => "MU Application",
+      "type" => "object",
+      "description" => "A MU application stack, consisting of at least one resource.",
+      "required" => ["admins", "appname"],
+      "properties" => {
+        "appname" => {
+            "type" => "string",
+            "description" => "A name for your application stack. Should be short, but easy to differentiate from other applications.",
+        },
+        "scrub_mu_isms" => {
+            "type" => "boolean",
+            "description" => "When 'cloud' is set to 'CloudFormation,' use this flag to strip out Mu-specific artifacts (tags, standard userdata, naming conventions, etc) to yield a clean, source-agnostic template. Setting this flag here will override declarations in individual resources."
+        },
+        "project" => {
+          "type" => "string",
+          "description" => "**GOOGLE ONLY**: The project into which to deploy resources"
+        },
+        "billing_acct" => {
+          "type" => "string",
+          "description" => "**GOOGLE ONLY**: Billing account ID to associate with a newly-created Google Project. If not specified, will attempt to locate a billing account associated with the default project for our credentials.",
+        },
+        "region" => MU::Config.region_primitive,
+        "credentials" => MU::Config.credentials_primitive,
+        "us_only" => {
+            "type" => "boolean",
+            "description" => "For resources which span regions, restrict to regions inside the United States",
+            "default" => false
+        },
+        "conditions" => {
+            "type" => "array",
+            "items" => {
+              "type" => "object",
+              "required" => ["name", "cloudcode"],
+              "description" => "CloudFormation-specific. Define Conditions as in http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html. Arguments must use the cloudCode() macro.",
+              "properties" => {
+                "name" => { "required" => true, "type" => "string" },
+                "cloudcode" => { "required" => true, "type" => "string" },
+              }
+            }
+        },
+        "parameters" => {
+            "type" => "array",
+            "items" => {
+                "type" => "object",
+                "title" => "parameter",
+                "description" => "Parameters to be substituted elsewhere in this Basket of Kittens as ERB variables (<%= varname %>)",
+                "additionalProperties" => false,
+                "properties" => {
+                  "name" => { "required" => true, "type" => "string" },
+                  "default" => { "type" => "string" },
+                  "list_of" => {
+                    "type" => "string",
+                    "description" => "Treat the value as a comma-separated list of values with this key name, equivalent to CloudFormation's various List<> types. For example, set to 'subnet_id' to pass values as an array of subnet identifiers as the 'subnets' argument of a VPC stanza."
+                  },
+                  "prettyname" => {
+                    "type" => "string",
+                    "description" => "An alternative name to use when generating parameter fields in, for example, CloudFormation templates"
+                  },
+                  "description" => {"type" => "string"},
+                  "cloudtype" => {
+                    "type" => "string",
+                    "description" => "A platform-specific string describing the type of validation to use for this parameter. E.g. when generating a CloudFormation template, set to AWS::EC2::Image::Id to validate input as an AMI identifier."
+                  },
+                  "required" => {
+                    "type" => "boolean",
+                    "default" => true
+                  },
+                  "valid_values" => {
+                    "type" => "array",
+                    "description" => "List of valid values for this parameter. Can only be a list of static strings, for now.",
+                    "items" => {
+                      "type" => "string"
+                    }
+                  }
+                }
+            }
+        },
+        # TODO availability zones (or an array thereof) 
+
+        "admins" => {
+          "type" => "array",
+          "items" => {
+            "type" => "object",
+            "title" => "admin",
+            "description" => "Administrative contacts for this application stack. Will be automatically set to invoking Mu user, if not specified.",
+            "required" => ["name", "email"],
+            "additionalProperties" => false,
+            "properties" => {
+              "name" => {"type" => "string"},
+              "email" => {"type" => "string"},
+              "public_key" => {
+                "type" => "string",
+                "description" => "An OpenSSH-style public key string. This will be installed on all instances created in this deployment."
+              }
+            }
+          },
+          "minItems" => 1,
+          "uniqueItems" => true
+        }
+      },
+      "additionalProperties" => false
+    }
+
+  end #class
+end #module