cloud-mu 3.1.3 → 3.1.4

data/modules/mu/clouds/aws/dnszone.rb

@@ -344,7 +344,7 @@ module MU
               )
             rescue Aws::Route53::Errors::LastVPCAssociation => e
               MU.log e.inspect, MU::WARN
-            rescue Aws::Route53::Errors::VPCAssociationNotFound => e
+            rescue Aws::Route53::Errors::VPCAssociationNotFound
               MU.log "VPC #{vpc_id} access to zone #{id} already revoked", MU::WARN
             end
           end
@@ -366,7 +366,7 @@ module MU
         # @param location [Hash<String>]: A parsed Hash of {MU::Config::BasketofKittens::dnszones::records::geo_location}.
         # @param set_identifier [String]: A unique string to differentiate otherwise-similar records. Normally auto-generated, should not need to specify.
         # @param alias_zone [String]: Zone ID of the target's hosted zone, when creating an alias (type R53ALIAS)
-        def self.manageRecord(id, name, type, targets: nil, aliases: nil,
+        def self.manageRecord(id, name, type, targets: nil,
             ttl: 7200, delete: false, sync_wait: true, failover: nil,
             healthcheck: nil, region: nil, weight: nil, overwrite: true,
             location: nil, set_identifier: nil, alias_zone: nil)
@@ -502,7 +502,7 @@ module MU
           rescue Aws::Route53::Errors::PriorRequestNotComplete => e
             sleep 10
             retry
-          rescue Aws::Route53::Errors::InvalidChangeBatch, Aws::Route53::Errors::InvalidInput, Exception => e
+          rescue Aws::Route53::Errors::InvalidChangeBatch, Aws::Route53::Errors::InvalidInput, StandardError => e
             return if e.message.match(/ but it already exists/) and !delete
             MU.log "Failed to change DNS records, #{e.inspect}", MU::ERR, details: params
             raise e if !delete
@@ -663,7 +663,8 @@ module MU
         # Called by {MU::Cleanup}. Locates resources that were created by the
         # currently-loaded deployment, and purges them.
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          checks_to_clean = []
+          MU.log "AWS::DNSZone.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+
           threads = []
           MU::Cloud::AWS.route53(credentials: credentials).list_health_checks.health_checks.each { |check|
             begin
@@ -692,19 +693,19 @@ module MU
                 threads << Thread.new(check) { |mycheck|
                   MU.dupGlobals(parent_thread_id)
                   Thread.abort_on_exception = true
-                  MU.log "Removing health check #{check.id}"
+                  MU.log "Removing health check #{mycheck.id}"
                   retries = 5
                   begin 
-                    MU::Cloud::AWS.route53(credentials: credentials).delete_health_check(health_check_id: check.id) if !noop
+                    MU::Cloud::AWS.route53(credentials: credentials).delete_health_check(health_mycheck_id: mycheck.id) if !noop
                   rescue Aws::Route53::Errors::NoSuchHealthCheck => e
-                    MU.log "Health Check '#{check.id}' disappeared before I could remove it", MU::WARN, details: e.inspect
+                    MU.log "Health Check '#{mycheck.id}' disappeared before I could remove it", MU::WARN, details: e.inspect
                   rescue Aws::Route53::Errors::InvalidInput => e
                     if e.message.match(/is still referenced from parent health check/) && retries <= 5
                       sleep 5
                       retries += 1
                       retry
                     else
-                      MU.log "Health Check #{check.id} still has a parent health check associated with it, skipping", MU::WARN, details: e.inspect
+                      MU.log "Health Check #{mycheck.id} still has a parent health check associated with it, skipping", MU::WARN, details: e.inspect
                     end
                   end
                 }
@@ -719,7 +720,7 @@ module MU
           }
 
           zones = MU::Cloud::DNSZone.find(deploy_id: MU.deploy_id, region: region)
-          zones.each_pair { |id, zone|
+          zones.values.each { |zone|
             MU.log "Purging DNS Zone '#{zone.name}' (#{zone.id})"
             if !noop
               begin
@@ -727,7 +728,6 @@ module MU
                 rrsets = MU::Cloud::AWS.route53(credentials: credentials).list_resource_record_sets(hosted_zone_id: zone.id)
                 rrsets.resource_record_sets.each { |rrset|
                   next if zone.name == rrset.name and (rrset.type == "NS" or rrset.type == "SOA")
-                  records = []
                   MU::Cloud::AWS.route53(credentials: credentials).change_resource_record_sets(
                       hosted_zone_id: zone.id,
                       change_batch: {
@@ -791,9 +791,9 @@ module MU
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {}
           [toplevel_required, schema]
@@ -801,9 +801,9 @@ module MU
 
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::dnszones}, bare and unvalidated.
         # @param zone [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(zone, configurator)
+        def self.validateConfig(zone, _configurator)
           ok = true
 
           if !zone["records"].nil?

data/modules/mu/clouds/aws/endpoint.rb

@@ -116,15 +116,15 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
             end
 
             if m['integrate_with']
-              role_arn = if m['iam_role']
-                if m['iam_role'].match(/^arn:/)
-                  m['iam_role']
-                else
-                  sib_role = @deploy.findLitterMate(name: m['iam_role'], type: "roles")
-                  sib_role.cloudobj.arn
+#              role_arn = if m['iam_role']
+#                if m['iam_role'].match(/^arn:/)
+#                  m['iam_role']
+#                else
+#                  sib_role = @deploy.findLitterMate(name: m['iam_role'], type: "roles")
+#                  sib_role.cloudobj.arn
 # XXX make this more like get_role_arn in Function, or just use Role.find?
-                end
-              end
+#                end
+#              end
 
               function_obj = nil
 
@@ -198,13 +198,12 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
           generate_methods
 
           MU.log "Deploying API Gateway #{@config['name']} to #{@config['deploy_to']}"
-          resp = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_deployment(
+          MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).create_deployment(
             rest_api_id: @cloud_id,
             stage_name: @config['deploy_to']
 #            cache_cluster_enabled: false,
 #            cache_cluster_size: 0.5,
           )
-          deployment_id = resp.id
           # this automatically creates a stage with the same name, so we don't
           # have to deal with that
 
@@ -220,11 +219,14 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
  
         end
 
+        @cloud_desc_cache = nil
         # @return [Struct]
-        def cloud_desc
-          MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_rest_api(
+        def cloud_desc(use_cache: true)
+          return @cloud_desc_cache if @cloud_desc_cache and use_cache
+          @cloud_desc_cache = MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials']).get_rest_api(
             rest_api_id: @cloud_id
           )
+          @cloud_desc_cache
         end
 
         # Return the metadata for this API
@@ -241,6 +243,9 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU.log "AWS::Endpoint.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+          MU.log "Placeholder: AWS Endpoint artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
+
           resp = MU::Cloud::AWS.apig(region: region, credentials: credentials).get_rest_apis
           if resp and resp.items
             resp.items.each { |api|
@@ -279,9 +284,9 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "deploy_to" => {
@@ -538,8 +543,6 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
           ok
         end
 
-        private
-
         def self.cors_option_integrations(path)
           {
             "type" => "OPTIONS",
@@ -585,6 +588,7 @@ MU::Cloud::AWS.apig(region: @config['region'], credentials: @config['credentials
             }
           }
         end
+        private_class_method :cors_option_integrations
 
       end
     end

data/modules/mu/clouds/aws/firewall_rule.rb

@@ -54,13 +54,12 @@ module MU
 
             secgroup = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_security_group(sg_struct)
             @cloud_id = secgroup.group_id
-          rescue Aws::EC2::Errors::InvalidGroupDuplicate => e
+          rescue Aws::EC2::Errors::InvalidGroupDuplicate
             MU.log "EC2 Security Group #{groupname} already exists, using it", MU::NOTICE
             filters = [{name: "group-name", values: [groupname]}]
             filters << {name: "vpc-id", values: [vpc_id]} if !vpc_id.nil?
 
             secgroup = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_security_groups(filters: filters).security_groups.first
-            deploy_id = @deploy.deploy_id if !@deploy_id.nil?
             if secgroup.nil?
               raise MuError, "Failed to locate security group named #{groupname}, even though EC2 says it already exists", caller
             end
@@ -69,24 +68,24 @@ module MU
 
           begin
             MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_security_groups(group_ids: [secgroup.group_id])
-          rescue Aws::EC2::Errors::InvalidGroupNotFound => e
+          rescue Aws::EC2::Errors::InvalidGroupNotFound
             MU.log "#{secgroup.group_id} not yet ready, waiting...", MU::NOTICE
             sleep 10
             retry
           end
 
           MU::Cloud::AWS.createStandardTags(secgroup.group_id, region: @config['region'], credentials: @config['credentials'])
-          MU::MommaCat.createTag(secgroup.group_id, "Name", groupname, region: @config['region'], credentials: @config['credentials'])
+          MU::Cloud::AWS.createTag(secgroup.group_id, "Name", groupname, region: @config['region'], credentials: @config['credentials'])
 
           if @config['optional_tags']
             MU::MommaCat.listOptionalTags.each { |key, value|
-              MU::MommaCat.createTag(secgroup.group_id, key, value, region: @config['region'], credentials: @config['credentials'])
+              MU::Cloud::AWS.createTag(secgroup.group_id, key, value, region: @config['region'], credentials: @config['credentials'])
             }
           end
 
           if @config['tags']
             @config['tags'].each { |tag|
-              MU::MommaCat.createTag(secgroup.group_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
+              MU::Cloud::AWS.createTag(secgroup.group_id, tag['key'], tag['value'], region: @config['region'], credentials: @config['credentials'])
             }
           end
 
@@ -180,7 +179,7 @@ module MU
                 ip_permissions: ec2_rule
               )
             end
-          rescue Aws::EC2::Errors::InvalidPermissionDuplicate => e
+          rescue Aws::EC2::Errors::InvalidPermissionDuplicate
             MU.log "Attempt to add duplicate rule to #{@cloud_id}", MU::DEBUG, details: ec2_rule
             # Ensure that, at least, the description field gets updated on
             # existing rules
@@ -246,7 +245,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -513,14 +512,18 @@ module MU
                     if eni_resp and eni_resp.data and
                        eni_resp.data.network_interfaces
                       eni_resp.data.network_interfaces.each { |iface|
-                        iface_groups = iface.groups.map { |sg| sg.group_id }
+                        iface_groups = iface.groups.map { |if_sg| if_sg.group_id }
                         iface_groups.delete(sg.group_id)
                         iface_groups << default_sg if iface_groups.empty?
-                        MU.log "Attempting to remove #{sg.group_id} from ENI #{iface.network_interface_id}"
-                        MU::Cloud::AWS.ec2(credentials: credentials, region: region).modify_network_interface_attribute(
-                          network_interface_id: iface.network_interface_id,
-                          groups: iface_groups
-                        )
+                        MU.log "Attempting to remove #{sg.group_id} (#{sg.group_name}) from ENI #{iface.network_interface_id}"
+                        begin
+                          MU::Cloud::AWS.ec2(credentials: credentials, region: region).modify_network_interface_attribute(
+                            network_interface_id: iface.network_interface_id,
+                            groups: iface_groups
+                          )
+                        rescue ::Aws::EC2::Errors::AuthFailure
+                          MU.log "Permission denied attempting to trim Security Group list for #{iface.network_interface_id}", MU::WARN, details: iface.groups.map { |g| g.group_name }.join(",")+" => default"
+                        end
                       }
                     end
                   end
@@ -537,9 +540,9 @@ module MU
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "rules" => {

data/modules/mu/clouds/aws/folder.rb

@@ -15,7 +15,7 @@
 module MU
   class Cloud
     class AWS
-      # A log as configured in {MU::Config::BasketofKittens::logs}
+      # A log as configured in {MU::Config::BasketofKittens::folders}
       class Folder < MU::Cloud::Folder
 
         # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
@@ -78,20 +78,20 @@ module MU
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
           }
           [toplevel_required, schema]
         end
 
-        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::logs}, bare and unvalidated.
-        # @param log [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::folders}, bare and unvalidated.
+        # @param _folder [Hash]: The resource to process and validate
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(log, configurator)
+        def self.validateConfig(_folder, _configurator)
           ok = true
 
           ok

data/modules/mu/clouds/aws/function.rb

@@ -29,12 +29,12 @@ module MU
         def assign_tag(resource_arn, tag_list, region=@config['region'])
           begin
             tag_list.each do |each_pair|
-              tag_resp = MU::Cloud::AWS.lambda(region: region, credentials: @config['credentials']).tag_resource({
+              MU::Cloud::AWS.lambda(region: region, credentials: @config['credentials']).tag_resource({
                 resource: resource_arn,
                 tags: each_pair
               })
             end
-          rescue Exception => e
+          rescue StandardError => e
             MU.log e, MU::ERR
           end
         end
@@ -153,7 +153,7 @@ module MU
 
               MU.log trigger_properties, MU::DEBUG
               begin
-                add_trigger = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger_properties)
+                MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger_properties)
               rescue Aws::Lambda::Errors::ResourceConflictException
               end
               adjust_trigger(tr['service'], trigger_arn, func_arn, @mu_name) 
@@ -176,7 +176,7 @@ module MU
           begin
             # XXX There doesn't seem to be an API call to list or view existing
             # permissions, wtaf. This means we can't intelligently guard this.
-            add_trigger = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger)
+            MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).add_permission(trigger)
           rescue Aws::Lambda::Errors::ResourceConflictException => e
             if e.message.match(/already exists/)
               MU::Cloud::AWS.lambda(region: @config['region'], credentials: @config['credentials']).remove_permission(
@@ -220,15 +220,15 @@ module MU
           
           when 'sns'
            # XXX don't do this, use MU::Cloud::AWS::Notification 
-            sns_client = MU::Cloud::AWS.sns(region: @config['region'], credentials: @config['credentials'])
-            sub_to_what = sns_client.subscribe({
+            sns_client = MU::Cloud::AWS.sns(region: region, credentials: @config['credentials'])
+            sns_client.subscribe({
               topic_arn: trig_arn,
               protocol: protocol,
               endpoint: func_arn
             })
           when 'event','cloudwatch_event', 'events'
            # XXX don't do this, use MU::Cloud::AWS::Log
-            client = MU::Cloud::AWS.cloudwatch_events(region: @config['region'], credentials: @config['credentials']).put_targets({
+            MU::Cloud::AWS.cloudwatch_events(region: region, credentials: @config['credentials']).put_targets({
               rule: @config['trigger']['name'],
               targets: [
                 {
@@ -271,11 +271,13 @@ module MU
         # @param region [String]: The cloud provider region
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          MU.log "AWS::Function.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+
           MU::Cloud::AWS.lambda(credentials: credentials, region: region).list_functions.functions.each { |f|
             desc = MU::Cloud::AWS.lambda(credentials: credentials, region: region).get_function(
               function_name: f.function_name
             )
-            if desc.tags and desc.tags["MU-ID"] == MU.deploy_id
+            if desc.tags and desc.tags["MU-ID"] == MU.deploy_id and (desc.tags["MU-MASTER-IP"] == MU.mu_public_ip or ignoremaster)
               MU.log "Deleting Lambda function #{f.function_name}"
               if !noop
                 MU::Cloud::AWS.lambda(credentials: credentials, region: region).delete_function(
@@ -312,7 +314,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -407,9 +409,9 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
 
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = ["runtime"]
           schema = {
             "triggers" => {
@@ -437,6 +439,7 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
             },
             "code" => {
               "type" => "object",  
+              "description" => "Zipped deployment package to upload to our function.", 
               "properties" => {  
                 "s3_bucket" => {
                   "type" => "string",
@@ -565,7 +568,7 @@ MU.log shortname, MU::NOTICE, details: function.configuration.role
               role_name: name.to_s
             })
             return role['role']['arn']
-          rescue Exception => e
+          rescue StandardError => e
             MU.log "#{e}", MU::ERR
           end
           nil

data/modules/mu/clouds/aws/group.rb

@@ -39,7 +39,7 @@ module MU
             if !@config['use_if_exists']
               raise MuError, "IAM group #{@mu_name} already exists and use_if_exists is false"
             end
-          rescue Aws::IAM::Errors::NoSuchEntity => e
+          rescue Aws::IAM::Errors::NoSuchEntity
             @config['path'] ||= "/"+@deploy.deploy_id+"/"
             MU.log "Creating IAM group #{@config['path']}#{@mu_name}"
             MU::Cloud::AWS.iam(credentials: @config['credentials']).create_group(
@@ -99,7 +99,7 @@ module MU
 
           if @config['attachable_policies']
             configured_policies = @config['attachable_policies'].map { |p|
-              id = if p.is_a?(MU::Config::Ref)
+              if p.is_a?(MU::Config::Ref)
                 p.cloud_id
               else
                 p = MU::Config::Ref.get(p)
@@ -150,13 +150,15 @@ module MU
           cloud_desc.arn
         end
 
-
+        @cloud_desc_cache = nil
         # Fetch the AWS API description of this group
         # return [Struct]
-        def cloud_desc
-          MU::Cloud::AWS.iam(credentials: @config['credentials']).get_group(
+        def cloud_desc(use_cache: true)
+          return @cloud_desc_cache if @cloud_desc_cache and use_cache
+          @cloud_desc_cache = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_group(
             group_name: @mu_name
           )
+          @cloud_desc_cache
         end
 
         # Return the metadata for this group configuration
@@ -183,9 +185,11 @@ module MU
         # Remove all groups associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+          MU.log "AWS::Group.cleanup: need to support flags['known']", MU::DEBUG, details: flags
+          MU.log "Placeholder: AWS Group artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
+
           resp = MU::Cloud::AWS.iam(credentials: credentials).list_groups(
             path_prefix: "/"+MU.deploy_id+"/"
           )
@@ -259,7 +263,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -315,9 +319,9 @@ module MU
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           polschema = MU::Config::Role.schema["properties"]["policies"]
           polschema.deep_merge!(MU::Cloud::AWS::Role.condition_schema)