RubyGems - cloud-mu - Versions diffs - 3.1.2 → 3.2.0 - Mend

cloud-mu 3.1.2 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (201) hide show

checksums.yaml +4 -4
data/Dockerfile +15 -3
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +10 -13
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +2 -3
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +135 -37
data/cloud-mu.gemspec +22 -20
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +3 -2
data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/disk.rb +1 -1
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/extras/image-generators/Google/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +1 -1
data/modules/mommacat.ru +6 -16
data/modules/mu.rb +165 -111
data/modules/mu/adoption.rb +401 -68
data/modules/mu/cleanup.rb +199 -306
data/modules/mu/cloud.rb +100 -1632
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +46 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +920 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +165 -0
data/modules/mu/config.rb +171 -1767
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +4 -4
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/collection.rb +4 -4
data/modules/mu/config/container_cluster.rb +9 -4
data/modules/mu/config/database.rb +83 -104
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +6 -6
data/modules/mu/config/doc_helpers.rb +516 -0
data/modules/mu/config/endpoint.rb +4 -4
data/modules/mu/config/firewall_rule.rb +103 -4
data/modules/mu/config/folder.rb +4 -4
data/modules/mu/config/function.rb +3 -3
data/modules/mu/config/group.rb +4 -4
data/modules/mu/config/habitat.rb +4 -4
data/modules/mu/config/loadbalancer.rb +60 -14
data/modules/mu/config/log.rb +4 -4
data/modules/mu/config/msg_queue.rb +4 -4
data/modules/mu/config/nosqldb.rb +4 -4
data/modules/mu/config/notifier.rb +3 -3
data/modules/mu/config/ref.rb +365 -0
data/modules/mu/config/role.rb +4 -4
data/modules/mu/config/schema_helpers.rb +509 -0
data/modules/mu/config/search_domain.rb +4 -4
data/modules/mu/config/server.rb +97 -70
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +5 -9
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +200 -0
data/modules/mu/config/user.rb +4 -4
data/modules/mu/config/vpc.rb +70 -27
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +83 -60
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +3 -2
data/modules/mu/deploy.rb +30 -26
data/modules/mu/groomer.rb +17 -2
data/modules/mu/groomers/ansible.rb +188 -41
data/modules/mu/groomers/chef.rb +116 -55
data/modules/mu/logger.rb +127 -148
data/modules/mu/master.rb +389 -2
data/modules/mu/master/chef.rb +3 -4
data/modules/mu/master/ldap.rb +3 -3
data/modules/mu/master/ssl.rb +12 -3
data/modules/mu/mommacat.rb +217 -2612
data/modules/mu/mommacat/daemon.rb +397 -0
data/modules/mu/mommacat/naming.rb +473 -0
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +722 -0
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +271 -112
data/modules/mu/{clouds → providers}/aws/alarm.rb +5 -3
data/modules/mu/{clouds → providers}/aws/bucket.rb +26 -22
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +33 -67
data/modules/mu/{clouds → providers}/aws/collection.rb +24 -23
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +681 -721
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +64 -63
data/modules/mu/{clouds → providers}/aws/endpoint.rb +22 -27
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +214 -244
data/modules/mu/{clouds → providers}/aws/folder.rb +7 -7
data/modules/mu/{clouds → providers}/aws/function.rb +17 -22
data/modules/mu/{clouds → providers}/aws/group.rb +23 -23
data/modules/mu/{clouds → providers}/aws/habitat.rb +17 -14
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +57 -48
data/modules/mu/{clouds → providers}/aws/log.rb +15 -12
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +17 -16
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +18 -11
data/modules/mu/{clouds → providers}/aws/notifier.rb +11 -6
data/modules/mu/{clouds → providers}/aws/role.rb +112 -86
data/modules/mu/{clouds → providers}/aws/search_domain.rb +39 -33
data/modules/mu/{clouds → providers}/aws/server.rb +835 -1133
data/modules/mu/{clouds → providers}/aws/server_pool.rb +56 -60
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +24 -42
data/modules/mu/{clouds → providers}/aws/user.rb +21 -22
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +523 -929
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +29 -9
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
data/modules/mu/{clouds → providers}/azure/server.rb +95 -48
data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +67 -30
data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
data/modules/mu/{clouds → providers}/google/container_cluster.rb +84 -77
data/modules/mu/{clouds → providers}/google/database.rb +10 -20
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
data/modules/mu/{clouds → providers}/google/function.rb +139 -167
data/modules/mu/{clouds → providers}/google/group.rb +29 -34
data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +18 -20
data/modules/mu/{clouds → providers}/google/role.rb +92 -58
data/modules/mu/{clouds → providers}/google/server.rb +242 -155
data/modules/mu/{clouds → providers}/google/server_pool.rb +25 -44
data/modules/mu/{clouds → providers}/google/user.rb +95 -31
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
data/modules/tests/bucket.yml +4 -0
data/modules/tests/centos6.yaml +11 -0
data/modules/tests/centos7.yaml +11 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/aws-iam.yaml +201 -0
data/modules/tests/regrooms/bucket.yml +19 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +1 -0
data/modules/tests/super_simple_bok.yml +1 -3
data/modules/tests/win2k12.yaml +17 -5
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +232 -154
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1985

data/modules/mu/{clouds → providers}/aws/log.rb RENAMED

@@ -203,6 +203,9 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU.log "AWS::Log.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+          MU.log "Placeholder: AWS Log artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
           log_groups = self.find(credentials: credentials, region: region).values
           if !log_groups.empty?
             log_groups.each{ |lg|
@@ -227,13 +230,13 @@ module MU
             }
           end
-          unless noop
-            MU::Cloud::AWS.iam(credentials: credentials).list_roles.roles.each{ |role|
-              match_string = "#{MU.deploy_id}.*CloudTrail"
-              # Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud::AWS::Server.
-#              MU::Cloud::AWS::Server.removeIAMProfile(role.role_name) if role.role_name.match(match_string)
-            }
-          end
+#          unless noop
+#            MU::Cloud::AWS.iam(credentials: credentials).list_roles.roles.each{ |role|
+#              match_string = "#{MU.deploy_id}.*CloudTrail"
+              # Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud.resourceClass("AWS", "Server").
+#              MU::Cloud.resourceClass("AWS", "Server").removeIAMProfile(role.role_name) if role.role_name.match(match_string)
+#            }
+#          end
         end
         # Locate an existing log group.
@@ -264,7 +267,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -304,9 +307,9 @@ module MU
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "retention_period" => {
@@ -357,9 +360,9 @@ module MU
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::logs}, bare and unvalidated.
         # @param log [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(log, configurator)
+        def self.validateConfig(log, _configurator)
           ok = true
           if log["filters"] && !log["filters"].empty?

data/modules/mu/{clouds → providers}/aws/msg_queue.rb RENAMED

@@ -53,14 +53,14 @@ module MU
           new_attrs = genQueueAttrs
           changed = false
-          new_attrs.each_pair { |k, v|
+          new_attrs.each_pair { |k, _v|
             if !cur_attrs.has_key?(k) or cur_attrs[k] != new_attrs[k]
               changed = true
             end
           }
           if changed
             MU.log "Updating SQS queue #{@mu_name}", MU::NOTICE, details: new_attrs
-            resp = MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).set_queue_attributes(
+            MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).set_queue_attributes(
               queue_url: @cloud_id,
               attributes: new_attrs
             )
@@ -74,10 +74,13 @@ module MU
           "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":sqs:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":"+@cloud_id
         end
+        @cloud_desc_cache = nil
         # Retrieve the AWS descriptor for this SQS queue. AWS doesn't exactly
         # provide one; if you want real information for SQS ask notify()
         # @return [Hash]: AWS doesn't return anything but the SQS URL, so supplement with attributes
-        def cloud_desc
+        def cloud_desc(use_cache: true)
+          return @cloud_desc_cache if @cloud_desc_cache and use_cache
           if !@cloud_id
             resp = MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).list_queues(
               queue_name_prefix: @mu_name
@@ -92,11 +95,12 @@ module MU
           end
           return nil if !@cloud_id
-          MU::Cloud::AWS::MsgQueue.find(
+          @cloud_desc_cache = MU::Cloud::AWS::MsgQueue.find(
             cloud_id: @cloud_id.dup,
             region: @config['region'],
             credentials: @config['credentials']
           )
+          @cloud_desc_cache
         end
         # Return the metadata for this MsgQueue rule
@@ -130,6 +134,9 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU.log "AWS::MsgQueue.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+          MU.log "Placeholder: AWS MsgQueue artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
           resp = MU::Cloud::AWS.sqs(credentials: credentials, region: region).list_queues(
             queue_name_prefix: MU.deploy_id
           )
@@ -182,7 +189,7 @@ module MU
                 args[:cloud_id] = resp.queue_url if resp and resp.queue_url
               end
             end
-          rescue ::Aws::SQS::Errors::NonExistentQueue => e
+          rescue ::Aws::SQS::Errors::NonExistentQueue
           end
           # Go fetch its attributes
@@ -211,9 +218,9 @@ module MU
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "max_msg_size" => {
@@ -320,16 +327,10 @@ module MU
               failq.delete("failqueue")
               ok = false if !configurator.insertKitten(failq, "msg_queues")
               queue['failqueue']['name'] = failq['name']
-              queue['dependencies'] << {
-                "name" => failq['name'],
-                "type" => "msg_queue"
-              }
+              MU::Config.addDependency(queue, failq["name"], "msg_queue")
             else
               if configurator.haveLitterMate?(queue['failqueue']['name'], "msg_queue")
-                queue['dependencies'] << {
-                  "name" => queue['failqueue']['name'],
-                  "type" => "msg_queue"
-                }
+                MU::Config.addDependency(queue, queue['failqueue']['name'], "msg_queue")
               else
                 failq = MU::Cloud::AWS::MsgQueue.find(cloud_id: queue['failqueue']['name'])
                 if !failq
@@ -382,7 +383,7 @@ module MU
             end
             begin
               MU::Cloud::AWS.kms(region: queue['region']).describe_key(key_id: queue['kms']['key_id'])
-            rescue Aws::KMS::Errors::NotFoundException => e
+            rescue Aws::KMS::Errors::NotFoundException
               MU.log "KMS key '#{queue['kms']['key_id']}' specified in Queue '#{queue['name']}' was not found.", MU::ERR, details: "Key IDs are of the form bf64a093-2c3d-46fa-0d4f-8232fa7ed53. Keys can be created at https://console.aws.amazon.com/iam/home#/encryptionKeys/#{queue['region']}"
               ok = false
             end

data/modules/mu/{clouds → providers}/aws/nosqldb.rb RENAMED

@@ -164,6 +164,8 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU.log "AWS::NoSQLDb.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           resp = MU::Cloud::AWS.dynamo(credentials: credentials, region: region).list_tables
           if resp and resp.table_names
             resp.table_names.each { |table|
@@ -178,16 +180,23 @@ module MU
               begin
                 tags = MU::Cloud::AWS.dynamo(credentials: credentials, region: region).list_tags_of_resource(resource_arn: desc.table_arn)
                 if tags and tags.tags
+                  deploy_match = false
+                  master_match = false
                   tags.tags.each { |tag|
                     if tag.key == "MU-ID" and tag.value == MU.deploy_id
-                      MU.log "Deleting DynamoDB table #{desc.table_name}"
-                      if !noop
-                        MU::Cloud::AWS.dynamo(credentials: credentials, region: region).delete_table(table_name: desc.table_name)
-                      end
+                      deploy_match = true
+                    elsif tag.key == "MU-MASTER-IP" and tag.value == MU.mu_public_ip
+                      master_match = true
                     end
                   }
+                  if deploy_match and (master_match or ignoremaster)
+                    MU.log "Deleting DynamoDB table #{desc.table_name}"
+                    if !noop
+                      MU::Cloud::AWS.dynamo(credentials: credentials, region: region).delete_table(table_name: desc.table_name)
+                    end
+                  end
                 end
-              rescue Aws::DynamoDB::Errors::ResourceNotFoundException => e
+              rescue Aws::DynamoDB::Errors::ResourceNotFoundException
               end
             }
@@ -236,9 +245,9 @@ module MU
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = ["attributes"]
@@ -360,9 +369,9 @@ module MU
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::nosqldbs}, bare and unvalidated.
         # @param db [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(db, configurator)
+        def self.validateConfig(db, _configurator)
           ok = true
           partition = nil
@@ -399,8 +408,6 @@ module MU
           ok
         end
-        private
       end
     end
   end

data/modules/mu/{clouds → providers}/aws/notifier.rb RENAMED

@@ -66,12 +66,17 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU.log "AWS::Notifier.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+          MU.log "Placeholder: AWS Notifier artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
           MU::Cloud::AWS.sns(region: region, credentials: credentials).list_topics.topics.each { |topic|
             if topic.topic_arn.match(MU.deploy_id)
               # We don't have a way to tag our SNS topics, so we will delete any topic that has the MU-ID in its ARN.
               # This may fail to find notifier groups in some cases (eg. cache_cluster) so we might want to delete from each API as well.
-              MU::Cloud::AWS.sns(region: region, credentials: credentials).delete_topic(topic_arn: topic.topic_arn)
-              MU.log "Deleted SNS topic: #{topic.topic_arn}"
+              MU.log "Deleting SNS topic: #{topic.topic_arn}"
+              if !noop
+                MU::Cloud::AWS.sns(region: region, credentials: credentials).delete_topic(topic_arn: topic.topic_arn)
+              end
             end
           }
         end
@@ -116,9 +121,9 @@ module MU
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "subscriptions" => {
@@ -143,9 +148,9 @@ module MU
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::notifier}, bare and unvalidated.
         # @param notifier [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(notifier, configurator)
+        def self.validateConfig(notifier, _configurator)
           ok = true
           if notifier['subscriptions']

data/modules/mu/{clouds → providers}/aws/role.rb RENAMED

@@ -43,7 +43,7 @@ module MU
               policy_name = @mu_name+"-"+policy.keys.first.upcase
               MU.log "Creating IAM policy #{policy_name}"
-              resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
+              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
                 policy_name: policy_name,
                 path: "/"+@deploy.deploy_id+"/",
                 policy_document: JSON.generate(policy.values.first),
@@ -56,8 +56,8 @@ module MU
             MU.log "Creating IAM role #{@mu_name}"
             @cloud_id = @mu_name
             path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
-            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
-              path: nil,
+            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
+              path: path,
               role_name: @mu_name,
               description: "Generated by Mu",
               assume_role_policy_document: gen_assume_role_policy_doc,
@@ -89,7 +89,6 @@ module MU
           end
           if @config['raw_policies'] or @config['attachable_policies']
-            attached_policies = []
             configured_policies = []
             if @config['raw_policies']
@@ -128,7 +127,7 @@ module MU
             # XXX not sure we're binding these sanely, validate that
             if @config['raw_policies']
-              pol_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+              MU::Cloud::AWS::Role.manageRawPolicies(
                 @config['raw_policies'],
                 basename: @deploy.getResourceName(@config['name']),
                 credentials: @credentials
@@ -183,7 +182,7 @@ module MU
                 desc
               end
-            rescue Aws::IAM::Errors::NoSuchEntity => e
+            rescue Aws::IAM::Errors::NoSuchEntity
               MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
               MU::Cloud::AWS.iam(credentials: credentials).create_policy(
                 policy_name: policy_name,
@@ -202,65 +201,72 @@ module MU
         def arn
           desc = cloud_desc
           if desc["role"]
-            desc["role"].arn
+            if desc['role'].is_a?(Hash)
+              desc["role"][:arn] # why though
+            else
+              desc["role"].arn
+            end
           else
             nil
           end
         end
+        @cloud_desc_cache = nil
         # Return a hash containing a +role+ element and a +policies+ element,
         # populated with one or both depending on what this resource has
         # defined.
-        def cloud_desc
-          desc = {}
+        def cloud_desc(use_cache: true)
+          return @cloud_desc_cache if @cloud_desc_cache and use_cache
+          @cloud_desc_cache = {}
           if @config['bare_policies']
             if @cloud_id
               pol_desc = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
               if pol_desc
-                desc['policies'] = [pol_desc]
-                return desc
+                @cloud_desc_cache['policies'] = [pol_desc]
+                return @cloud_desc_cache
               end
             end
             if @deploy and @deploy.deploy_id
-              desc["policies"] = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
+              @cloud_desc_cache["policies"] = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
                 path_prefix: "/"+@deploy.deploy_id+"/"
               ).policies
-              desc["policies"].reject! { |p|
+              @cloud_desc_cache["policies"].reject! { |p|
                 !p.policy_name.match(/^#{Regexp.quote(@mu_name)}-/)
               }
               # this is quasi-wrong because we can be mulitple cloud is, but
               # we can't really set this type to has_multiples because that's
               # just how managed policies work not anything else, goddammit
               # AWS why can't you just bundle everything in roles
-              if desc["policies"] and desc["policies"].size > 0
-                @cloud_id ||= desc["policies"].first.arn
+              if @cloud_desc_cache["policies"] and @cloud_desc_cache["policies"].size > 0
+                @cloud_id ||= @cloud_desc_cache["policies"].first.arn
               end
             end
           else
             if @cloud_id.match(/^arn:aws(:?-us-gov)?:[^:]*:[^:]*:\d*:policy\//)
               pol_desc = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
               if pol_desc
-                desc['policies'] = [pol_desc]
-                return desc
+                @cloud_desc_cache['policies'] = [pol_desc]
+                return @cloud_desc_cache
               end
             end
 begin
-            desc['role'] = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
-            desc['role'] ||= MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @mu_name).values.first
+            @cloud_desc_cache['role'] = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
+            @cloud_desc_cache['role'] ||= MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @mu_name).values.first
             MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
               role_name: @mu_name
             ).attached_policies.each { |p|
-              desc["policies"] ||= []
-              desc["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
+              @cloud_desc_cache["policies"] ||= []
+              @cloud_desc_cache["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
                 policy_arn: p.policy_arn
               ).policy
             }
             inline = MU::Cloud::AWS.iam(credentials: @credentials).list_role_policies(role_name: @mu_name).policy_names
             inline.each { |pol_name|
-              desc["policies"] ||= []
-              desc["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_role_policy(
+              @cloud_desc_cache["policies"] ||= []
+              @cloud_desc_cache["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_role_policy(
                 role_name: @mu_name,
                 policy_name: pol_name
               )
@@ -270,9 +276,9 @@ rescue ::Aws::IAM::Errors::ValidationError => e
 MU.log @cloud_id+" "+@mu_name, MU::WARN, details: e.inspect
 end
           end
-          desc['cloud_id'] ||= @cloud_id
+          @cloud_desc_cache['cloud_id'] ||= @cloud_id
-          desc
+          @cloud_desc_cache
         end
         # Return the metadata for this user cofiguration
@@ -284,26 +290,25 @@ end
         # Insert a new target entity into an existing policy.
         # @param policy [String]: The name of the policy to which we're appending, which must already exist as part of this role resource
         # @param targets [Array<String>]: The target resource. If +target_type+ isn't specified, this should be a fully-resolved ARN.
-        # @param mu_type [String]: A valid Mu resource type
-        def injectPolicyTargets(policy, targets, mu_type = nil)
+        def injectPolicyTargets(policy, targets)
           if !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
-          my_policies = cloud_desc["policies"]
+          my_policies = cloud_desc(use_cache: false)["policies"]
           my_policies ||= []
+          seen_policy = false
           my_policies.each { |p|
             if p.policy_name == policy
+              seen_policy = true
               old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
                 policy_arn: p.arn,
                 version_id: p.default_version_id
               ).policy_version
               doc = JSON.parse URI.decode_www_form_component old.document
               need_update = false
               doc["Statement"].each { |s|
                 targets.each { |target|
                   target_string = target
@@ -332,6 +337,10 @@ end
               end
             end
           }
+          if !seen_policy
+            MU.log "Was given new targets for policy #{policy}, but I don't see any such policy attached to role #{@cloud_id}", MU::WARN, details: targets
+          end
         end
         # Delete an IAM policy, along with attendant versions and attachments.
@@ -409,9 +418,8 @@ end
         # Remove all roles associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
           resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
             path_prefix: "/"+MU.deploy_id+"/"
@@ -438,12 +446,18 @@ end
             # check tags. Hardly seems efficient.
             desc = MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
             if desc.role and desc.role.tags and desc.role.tags
+              master_match = false
+              deploy_match = false
               desc.role.tags.each { |t|
                 if t.key == "MU-ID" and t.value == MU.deploy_id
-                  deleteme << r
-                  break
+                  deploy_match = true
+                elsif t.key == "MU-MASTER-IP" and t.value == MU.mu_public_ip
+                  master_match = true
                 end
               }
+              if deploy_match and (master_match or ignoremaster)
+                deleteme << r
+              end
             end
           }
@@ -481,7 +495,7 @@ end
                   MU::Cloud::AWS.iam(credentials: credentials).delete_instance_profile(instance_profile_name: r.role_name)
                 rescue Aws::IAM::Errors::ValidationError => e
                   MU.log "Cleaning up IAM role #{r.role_name}: #{e.inspect}", MU::WARN
-                rescue Aws::IAM::Errors::NoSuchEntity => e
+                rescue Aws::IAM::Errors::NoSuchEntity
                 end
                 MU::Cloud::AWS.iam(credentials: credentials).delete_role(
@@ -519,7 +533,7 @@ end
               end
             rescue ::Aws::IAM::Errors::NoSuchEntity
             end
           else
             marker = nil
             begin
@@ -552,7 +566,7 @@ end
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -601,14 +615,13 @@ end
                   )
                   JSON.parse(URI.decode(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
             }
             return bok if @config['bare_policies']
           end
           if desc.tags and desc.tags.size > 0
             bok["tags"] = MU.structToHash(desc.tags, stringify_keys: true)
           end
@@ -681,6 +694,7 @@ end
           end
           bok["attachable_policies"].uniq! if bok["attachable_policies"]
+          bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
           bok
         end
@@ -693,6 +707,10 @@ end
         def self.doc2MuPolicies(basename, doc, policies = [])
           policies ||= []
+          if !doc["Statement"].is_a?(Array)
+            doc["Statement"] = [doc["Statement"]]
+          end
           doc["Statement"].each { |s|
             if !s["Action"]
               MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
@@ -721,7 +739,7 @@ end
               "targets" => s["Resource"].map { |r|
                 if r.match(/^arn:aws(-us-gov)?:([^:]+):.*?:([^:]*)$/)
 # XXX which cases even count for blind references to sibling resources?
-                  type = if Regexp.last_match[1] == "s3"
+                  if Regexp.last_match[1] == "s3"
                     "bucket"
                   elsif Regexp.last_match[1]
                     MU.log "Service #{Regexp.last_match[1]} to type...", MU::WARN, details: r
@@ -741,7 +759,7 @@ end
         # Attach this role or group of loose policies to the specified entity.
         # @param entitytype [String]: The type of entity (user, group or role for policies; instance_profile for roles)
-        def bindTo(entitytype, entityname, policies = [])
+        def bindTo(entitytype, entityname)
           if entitytype == "instance_profile"
             begin
               resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
@@ -754,7 +772,7 @@ end
                   role_name: @mu_name
                 )
               end
-            rescue Exception => e
+            rescue StandardError => e
               MU.log "Error binding role #{@mu_name} to instance profile #{entityname}: #{e.message}", MU::ERR
               raise e
             end
@@ -783,7 +801,6 @@ end
                 rescue Aws::IAM::Errors::NoSuchEntity => e
                   if subpaths.size > 0
                     p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
-                    retried = true
                     retry
                   end
                   raise e
@@ -833,6 +850,7 @@ end
           else
             raise MuError, "Invalid entitytype '#{entitytype}' passed to MU::Cloud::AWS::Role.bindTo. Must be be one of: user, group, role, instance_profile"
           end
+          cloud_desc(use_cache: false)
         end
         # Create an instance profile for EC2 instances, named identically and
@@ -847,7 +865,7 @@ end
             MU::Cloud::AWS.iam(credentials: @config['credentials']).create_instance_profile(
               instance_profile_name: @mu_name
             )
-          rescue Aws::IAM::Errors::EntityAlreadyExists => e
+          rescue Aws::IAM::Errors::EntityAlreadyExists
             MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
               instance_profile_name: @mu_name
             )
@@ -905,13 +923,13 @@ end
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
             begin
-              MU::Cloud.loadCloudType("AWS", t)
+              MU::Cloud.resourceClass("AWS", t)
               false
             rescue MuCloudResourceNotImplemented
               true
@@ -1012,10 +1030,9 @@ end
             subpaths = ["service-role", "aws-service-role", "job-function"]
             begin
               MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
-            rescue Aws::IAM::Errors::NoSuchEntity => e
+            rescue Aws::IAM::Errors::NoSuchEntity
               if subpaths.size > 0
                 arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(region) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+ref["id"]
-                retried = true
                 retry
               end
               MU.log "No such canned AWS IAM policy '#{arn}'", MU::ERR
@@ -1029,9 +1046,9 @@ end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::roles}, bare and unvalidated.
         # @param role [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(role, configurator)
+        def self.validateConfig(role, _configurator)
           ok = true
           # munge things declared with the deprecated import keyword into
@@ -1074,11 +1091,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  role['dependencies'] ||= []
-                  role['dependencies'] << {
-                    "name" => target['identifier'],
-                    "type" => target['type']
-                  }
+                  MU::Config.addDependency(role, target['identifier'], target['type'])
                 end
               }
             }
@@ -1094,9 +1107,7 @@ end
         # @param policies [Array<Hash>]: One or more policy chunks
         # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
         # @return [Array<Hash>]
-        def self.genPolicyDocument(policies, deploy_obj: nil)
-          iam_policies = []
+        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false)
           if policies
             name = nil
             doc = {
@@ -1134,12 +1145,21 @@ end
                     )
                     if sibling
                       id = sibling.cloudobj.arn
-                      statement["Principal"] << id
+                      if bucket_style
+                        statement["Principal"] << { "AWS" => id }
+                      else
+                        statement["Principal"] << id
+                      end
                     else
                       raise MuError, "Couldn't find a #{grantee["type"]} named #{grantee["identifier"]} when generating IAM policy"
                     end
                   else
-                    statement["Principal"] << grantee["identifier"]
+                    bucket_prefix = grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/) ? "Service" : "AWS"
+                    if bucket_style
+                      statement["Principal"] << { bucket_prefix => grantee["identifier"] }
+                    else
+                      statement["Principal"] << grantee["identifier"]
+                    end
                   end
                 }
                 if policy["grant_to"].size == 1
@@ -1162,9 +1182,11 @@ end
                         stream_id = id.sub(/:([^:]+)$/, ":log-stream:*")
 #                        "arn:aws:logs:us-east-2:accountID:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
                         statement["Resource"] << stream_id
+                      elsif id.match(/:s3:/)
+                        statement["Resource"] << id+"/*"
                       end
                     else
-                      raise MuError, "Couldn't find a #{target["entity_type"]} named #{target["identifier"]} when generating IAM policy"
+                      raise MuError, "Couldn't find a #{target["type"]} named #{target["identifier"]} when generating IAM policy"
                     end
                   else
                     target["identifier"] += target["path"] if target["path"]
@@ -1180,6 +1202,32 @@ end
           []
         end
+        # Update a policy, handling deletion of old versions as needed
+        # @param arn [String]:
+        # @param doc [Hash]:
+        # @param credentials [String]:
+        def self.update_policy(arn, doc, credentials: nil)
+# XXX this is just blindly replacing identical versions, when it should check
+# and guard
+          begin
+            MU::Cloud::AWS.iam(credentials: credentials).create_policy_version(
+              policy_arn: arn,
+              set_as_default: true,
+              policy_document: JSON.generate(doc)
+            )
+          rescue Aws::IAM::Errors::LimitExceeded
+            delete_version = MU::Cloud::AWS.iam(credentials: credentials).list_policy_versions(
+              policy_arn: arn,
+            ).versions.last.version_id
+            MU.log "Purging oldest version (#{delete_version}) of IAM policy #{arn}", MU::NOTICE
+            MU::Cloud::AWS.iam(credentials: credentials).delete_policy_version(
+              policy_arn: arn,
+              version_id: delete_version
+            )
+            retry
+          end
+        end
         private
         # Convert entries from the cloud-neutral @config['policies'] list into
@@ -1261,28 +1309,6 @@ end
           MU::Cloud::AWS::Role.update_policy(arn, doc, credentials: @credentials)
         end
-        # Update a policy, handling deletion of old versions as needed
-        def self.update_policy(arn, doc, credentials: nil)
-# XXX this is just blindly replacing identical versions, when it should check
-# and guard
-          begin
-            MU::Cloud::AWS.iam(credentials: credentials).create_policy_version(
-              policy_arn: arn,
-              set_as_default: true,
-              policy_document: JSON.generate(doc)
-            )
-          rescue Aws::IAM::Errors::LimitExceeded => e
-            delete_version = MU::Cloud::AWS.iam(credentials: credentials).list_policy_versions(
-              policy_arn: arn,
-            ).versions.last.version_id
-            MU.log "Purging oldest version (#{delete_version}) of IAM policy #{arn}", MU::NOTICE
-            MU::Cloud::AWS.iam(credentials: credentials).delete_policy_version(
-              policy_arn: arn,
-              version_id: delete_version
-            )
-            retry
-          end
-        end
       end
     end