RubyGems - cloud-mu - Versions diffs - 3.1.3 → 3.3.0 - Mend

cloud-mu 3.1.3 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

checksums.yaml +4 -4
data/Dockerfile +15 -3
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +21 -13
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +4 -4
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +147 -37
data/cloud-mu.gemspec +22 -20
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +3 -2
data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/disk.rb +1 -1
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/extras/image-generators/Google/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +1 -1
data/modules/mommacat.ru +6 -16
data/modules/mu.rb +158 -111
data/modules/mu/adoption.rb +404 -71
data/modules/mu/cleanup.rb +221 -306
data/modules/mu/cloud.rb +129 -1633
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +44 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +926 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +169 -0
data/modules/mu/config.rb +171 -1767
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +32 -3
data/modules/mu/config/cache_cluster.rb +2 -2
data/modules/mu/config/cdn.rb +100 -0
data/modules/mu/config/collection.rb +4 -4
data/modules/mu/config/container_cluster.rb +9 -4
data/modules/mu/config/database.rb +84 -105
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +10 -9
data/modules/mu/config/doc_helpers.rb +516 -0
data/modules/mu/config/endpoint.rb +5 -4
data/modules/mu/config/firewall_rule.rb +103 -4
data/modules/mu/config/folder.rb +4 -4
data/modules/mu/config/function.rb +19 -10
data/modules/mu/config/group.rb +4 -4
data/modules/mu/config/habitat.rb +4 -4
data/modules/mu/config/job.rb +89 -0
data/modules/mu/config/loadbalancer.rb +60 -14
data/modules/mu/config/log.rb +4 -4
data/modules/mu/config/msg_queue.rb +4 -4
data/modules/mu/config/nosqldb.rb +4 -4
data/modules/mu/config/notifier.rb +10 -21
data/modules/mu/config/ref.rb +411 -0
data/modules/mu/config/role.rb +4 -4
data/modules/mu/config/schema_helpers.rb +509 -0
data/modules/mu/config/search_domain.rb +4 -4
data/modules/mu/config/server.rb +98 -71
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +5 -9
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +200 -0
data/modules/mu/config/user.rb +4 -4
data/modules/mu/config/vpc.rb +71 -27
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +91 -68
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +3 -2
data/modules/mu/deploy.rb +43 -26
data/modules/mu/groomer.rb +17 -2
data/modules/mu/groomers/ansible.rb +188 -41
data/modules/mu/groomers/chef.rb +116 -55
data/modules/mu/logger.rb +127 -148
data/modules/mu/master.rb +410 -2
data/modules/mu/master/chef.rb +3 -4
data/modules/mu/master/ldap.rb +3 -3
data/modules/mu/master/ssl.rb +12 -3
data/modules/mu/mommacat.rb +218 -2612
data/modules/mu/mommacat/daemon.rb +403 -0
data/modules/mu/mommacat/naming.rb +473 -0
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +722 -0
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +380 -122
data/modules/mu/{clouds → providers}/aws/alarm.rb +7 -5
data/modules/mu/{clouds → providers}/aws/bucket.rb +297 -59
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +37 -71
data/modules/mu/providers/aws/cdn.rb +782 -0
data/modules/mu/{clouds → providers}/aws/collection.rb +26 -25
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +724 -744
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +88 -70
data/modules/mu/providers/aws/endpoint.rb +1072 -0
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +220 -247
data/modules/mu/{clouds → providers}/aws/folder.rb +8 -8
data/modules/mu/{clouds → providers}/aws/function.rb +300 -142
data/modules/mu/{clouds → providers}/aws/group.rb +31 -29
data/modules/mu/{clouds → providers}/aws/habitat.rb +18 -15
data/modules/mu/providers/aws/job.rb +466 -0
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +66 -56
data/modules/mu/{clouds → providers}/aws/log.rb +17 -14
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +29 -19
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +114 -16
data/modules/mu/{clouds → providers}/aws/notifier.rb +142 -65
data/modules/mu/{clouds → providers}/aws/role.rb +158 -118
data/modules/mu/{clouds → providers}/aws/search_domain.rb +201 -59
data/modules/mu/{clouds → providers}/aws/server.rb +844 -1139
data/modules/mu/{clouds → providers}/aws/server_pool.rb +74 -65
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +26 -44
data/modules/mu/{clouds → providers}/aws/user.rb +24 -25
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +525 -931
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +29 -9
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
data/modules/mu/{clouds → providers}/azure/server.rb +97 -49
data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +68 -30
data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
data/modules/mu/{clouds → providers}/google/container_cluster.rb +85 -78
data/modules/mu/{clouds → providers}/google/database.rb +11 -21
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
data/modules/mu/{clouds → providers}/google/function.rb +140 -168
data/modules/mu/{clouds → providers}/google/group.rb +29 -34
data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +19 -21
data/modules/mu/{clouds → providers}/google/role.rb +94 -58
data/modules/mu/{clouds → providers}/google/server.rb +243 -156
data/modules/mu/{clouds → providers}/google/server_pool.rb +26 -45
data/modules/mu/{clouds → providers}/google/user.rb +95 -31
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
data/modules/tests/aws-jobs-functions.yaml +46 -0
data/modules/tests/bucket.yml +4 -0
data/modules/tests/centos6.yaml +15 -0
data/modules/tests/centos7.yaml +15 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/eks.yaml +1 -1
data/modules/tests/functions/node-function/lambda_function.js +10 -0
data/modules/tests/functions/python-function/lambda_function.py +12 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/microservice_app.yaml +288 -0
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/aws-iam.yaml +201 -0
data/modules/tests/regrooms/bucket.yml +19 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +2 -1
data/modules/tests/super_complex_bok.yml +2 -2
data/modules/tests/super_simple_bok.yml +3 -5
data/modules/tests/win2k12.yaml +17 -5
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +240 -154
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1985
data/modules/mu/clouds/aws/endpoint.rb +0 -592

data/modules/mu/{clouds → providers}/aws/role.rb RENAMED

@@ -30,7 +30,7 @@ module MU
             end
           end
-          @mu_name ||= @deploy.getResourceName(@config["name"])
+          @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 64)
         end
         # Called automatically by {MU::Deploy#createResources}
@@ -43,7 +43,7 @@ module MU
               policy_name = @mu_name+"-"+policy.keys.first.upcase
               MU.log "Creating IAM policy #{policy_name}"
-              resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
+              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
                 policy_name: policy_name,
                 path: "/"+@deploy.deploy_id+"/",
                 policy_document: JSON.generate(policy.values.first),
@@ -56,8 +56,8 @@ module MU
             MU.log "Creating IAM role #{@mu_name}"
             @cloud_id = @mu_name
             path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
-            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
-              path: nil,
+            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
+              path: path,
               role_name: @mu_name,
               description: "Generated by Mu",
               assume_role_policy_document: gen_assume_role_policy_doc,
@@ -89,7 +89,6 @@ module MU
           end
           if @config['raw_policies'] or @config['attachable_policies']
-            attached_policies = []
             configured_policies = []
             if @config['raw_policies']
@@ -128,7 +127,7 @@ module MU
             # XXX not sure we're binding these sanely, validate that
             if @config['raw_policies']
-              pol_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+              MU::Cloud::AWS::Role.manageRawPolicies(
                 @config['raw_policies'],
                 basename: @deploy.getResourceName(@config['name']),
                 credentials: @credentials
@@ -183,7 +182,7 @@ module MU
                 desc
               end
-            rescue Aws::IAM::Errors::NoSuchEntity => e
+            rescue Aws::IAM::Errors::NoSuchEntity
               MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
               MU::Cloud::AWS.iam(credentials: credentials).create_policy(
                 policy_name: policy_name,
@@ -202,65 +201,87 @@ module MU
         def arn
           desc = cloud_desc
           if desc["role"]
-            desc["role"].arn
+            if desc['role'].is_a?(Hash)
+              desc["role"][:arn] # why though
+            else
+              desc["role"].arn
+            end
           else
             nil
           end
         end
+        @cloud_desc_cache = nil
         # Return a hash containing a +role+ element and a +policies+ element,
         # populated with one or both depending on what this resource has
         # defined.
-        def cloud_desc
-          desc = {}
+        def cloud_desc(use_cache: true)
+          # we might inherit a naive cached description from the base cloud
+          # layer; rearrange it to our tastes
+          if @cloud_desc_cache.is_a?(::Aws::IAM::Types::Role)
+            new_desc = {
+              "role" => @cloud_desc_cache
+            }
+            @cloud_desc_cache = new_desc
+          elsif @cloud_desc_cache.is_a?(::Aws::IAM::Types::Policy)
+            new_desc = {
+              "policies" => [@cloud_desc_cache]
+            }
+            @cloud_desc_cache = new_desc
+          end
+          return @cloud_desc_cache if @cloud_desc_cache and !@cloud_desc_cache.empty? and use_cache
+          @cloud_desc_cache = {}
           if @config['bare_policies']
             if @cloud_id
               pol_desc = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
               if pol_desc
-                desc['policies'] = [pol_desc]
-                return desc
+                @cloud_desc_cache['policies'] = [pol_desc]
+                return @cloud_desc_cache
               end
             end
             if @deploy and @deploy.deploy_id
-              desc["policies"] = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
+              @cloud_desc_cache["policies"] = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
                 path_prefix: "/"+@deploy.deploy_id+"/"
               ).policies
-              desc["policies"].reject! { |p|
+              @cloud_desc_cache["policies"].reject! { |p|
                 !p.policy_name.match(/^#{Regexp.quote(@mu_name)}-/)
               }
               # this is quasi-wrong because we can be mulitple cloud is, but
               # we can't really set this type to has_multiples because that's
               # just how managed policies work not anything else, goddammit
               # AWS why can't you just bundle everything in roles
-              if desc["policies"] and desc["policies"].size > 0
-                @cloud_id ||= desc["policies"].first.arn
+              if @cloud_desc_cache["policies"] and @cloud_desc_cache["policies"].size > 0
+                @cloud_id ||= @cloud_desc_cache["policies"].first.arn
               end
             end
           else
             if @cloud_id.match(/^arn:aws(:?-us-gov)?:[^:]*:[^:]*:\d*:policy\//)
               pol_desc = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
               if pol_desc
-                desc['policies'] = [pol_desc]
-                return desc
+                @cloud_desc_cache['policies'] = [pol_desc]
+                return @cloud_desc_cache
               end
             end
 begin
-            desc['role'] = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
-            desc['role'] ||= MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @mu_name).values.first
+            @cloud_desc_cache['role'] = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
+            @cloud_desc_cache['role'] ||= MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @mu_name).values.first
             MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
               role_name: @mu_name
             ).attached_policies.each { |p|
-              desc["policies"] ||= []
-              desc["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
+              @cloud_desc_cache["policies"] ||= []
+              @cloud_desc_cache["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
                 policy_arn: p.policy_arn
               ).policy
             }
             inline = MU::Cloud::AWS.iam(credentials: @credentials).list_role_policies(role_name: @mu_name).policy_names
             inline.each { |pol_name|
-              desc["policies"] ||= []
-              desc["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_role_policy(
+              @cloud_desc_cache["policies"] ||= []
+              @cloud_desc_cache["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_role_policy(
                 role_name: @mu_name,
                 policy_name: pol_name
               )
@@ -270,9 +291,9 @@ rescue ::Aws::IAM::Errors::ValidationError => e
 MU.log @cloud_id+" "+@mu_name, MU::WARN, details: e.inspect
 end
           end
-          desc['cloud_id'] ||= @cloud_id
+          @cloud_desc_cache['cloud_id'] ||= @cloud_id
-          desc
+          @cloud_desc_cache
         end
         # Return the metadata for this user cofiguration
@@ -284,26 +305,25 @@ end
         # Insert a new target entity into an existing policy.
         # @param policy [String]: The name of the policy to which we're appending, which must already exist as part of this role resource
         # @param targets [Array<String>]: The target resource. If +target_type+ isn't specified, this should be a fully-resolved ARN.
-        # @param mu_type [String]: A valid Mu resource type
-        def injectPolicyTargets(policy, targets, mu_type = nil)
+        def injectPolicyTargets(policy, targets)
           if !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
-          my_policies = cloud_desc["policies"]
+          my_policies = cloud_desc(use_cache: false)["policies"]
           my_policies ||= []
+          seen_policy = false
           my_policies.each { |p|
             if p.policy_name == policy
+              seen_policy = true
               old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
                 policy_arn: p.arn,
                 version_id: p.default_version_id
               ).policy_version
               doc = JSON.parse URI.decode_www_form_component old.document
               need_update = false
               doc["Statement"].each { |s|
                 targets.each { |target|
                   target_string = target
@@ -332,6 +352,10 @@ end
               end
             end
           }
+          if !seen_policy
+            MU.log "Was given new targets for policy #{policy}, but I don't see any such policy attached to role #{@cloud_id}", MU::WARN, details: targets
+          end
         end
         # Delete an IAM policy, along with attendant versions and attachments.
@@ -409,16 +433,15 @@ end
         # Remove all roles associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
-            path_prefix: "/"+MU.deploy_id+"/"
+            path_prefix: "/"+deploy_id+"/"
           )
           if resp and resp.policies
             resp.policies.each { |policy|
-              MU.log "Deleting IAM policy /#{MU.deploy_id}/#{policy.policy_name}"
+              MU.log "Deleting IAM policy /#{deploy_id}/#{policy.policy_name}"
               if !noop
                 purgePolicy(policy.arn, credentials)
               end
@@ -429,21 +452,31 @@ end
           roles = MU::Cloud::AWS::Role.find(credentials: credentials).values
           roles.each { |r|
             next if !r.respond_to?(:role_name)
-            if r.path.match(/^\/#{Regexp.quote(MU.deploy_id)}/)
+            if r.path.match(/^\/#{Regexp.quote(deploy_id)}/)
               deleteme << r
               next
             end
             # For some dumb reason, the list output that .find gets doesn't
             # include the tags, so we need to fetch each role individually to
             # check tags. Hardly seems efficient.
-            desc = MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            desc = begin
+              MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            rescue Aws::IAM::Errors::NoSuchEntity
+              next
+            end
             if desc.role and desc.role.tags and desc.role.tags
+              master_match = false
+              deploy_match = false
               desc.role.tags.each { |t|
-                if t.key == "MU-ID" and t.value == MU.deploy_id
-                  deleteme << r
-                  break
+                if t.key == "MU-ID" and t.value == deploy_id
+                  deploy_match = true
+                elsif t.key == "MU-MASTER-IP" and t.value == MU.mu_public_ip
+                  master_match = true
                 end
               }
+              if deploy_match and (master_match or ignoremaster)
+                deleteme << r
+              end
             end
           }
@@ -481,7 +514,7 @@ end
                   MU::Cloud::AWS.iam(credentials: credentials).delete_instance_profile(instance_profile_name: r.role_name)
                 rescue Aws::IAM::Errors::ValidationError => e
                   MU.log "Cleaning up IAM role #{r.role_name}: #{e.inspect}", MU::WARN
-                rescue Aws::IAM::Errors::NoSuchEntity => e
+                rescue Aws::IAM::Errors::NoSuchEntity
                 end
                 MU::Cloud::AWS.iam(credentials: credentials).delete_role(
@@ -502,7 +535,7 @@ end
             begin
               # managed policies get fetched by ARN, roles by plain name. Ok!
-              if args[:cloud_id].match(/^arn:/)
+              if args[:cloud_id].match(/^arn:.*?:policy\//)
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_policy(
                   policy_arn: args[:cloud_id]
                 )
@@ -511,39 +544,26 @@ end
                 end
               else
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_role(
-                  role_name: args[:cloud_id]
+                  role_name: args[:cloud_id].sub(/^arn:.*?\/([^:\/]+)$/, '\1') # XXX if it's an ARN, actually parse it and look in the correct account when applicable
                 )
                 if resp and resp.role
-                  found[args[:cloud_id]] = resp.role
+                  found[resp.role.role_name] = resp.role
                 end
               end
             rescue ::Aws::IAM::Errors::NoSuchEntity
             end
           else
-            marker = nil
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles(
-                marker: marker
-              )
-              break if !resp or !resp.roles
-              resp.roles.each { |role|
-                found[role.role_name] = role
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
+            resp.roles.each { |role|
+              found[role.role_name] = role
+            }
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(
-                scope: "Local",
-                marker: marker
-              )
-              break if !resp or !resp.policies
-              resp.policies.each { |pol|
-                found[pol.arn] = pol
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(scope: "Local")
+            resp.policies.each { |pol|
+              found[pol.arn] = pol
+            }
           end
           found
@@ -552,7 +572,7 @@ end
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -601,14 +621,13 @@ end
                   )
                   JSON.parse(URI.decode(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
             }
             return bok if @config['bare_policies']
           end
           if desc.tags and desc.tags.size > 0
             bok["tags"] = MU.structToHash(desc.tags, stringify_keys: true)
           end
@@ -681,6 +700,7 @@ end
           end
           bok["attachable_policies"].uniq! if bok["attachable_policies"]
+          bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
           bok
         end
@@ -693,6 +713,10 @@ end
         def self.doc2MuPolicies(basename, doc, policies = [])
           policies ||= []
+          if !doc["Statement"].is_a?(Array)
+            doc["Statement"] = [doc["Statement"]]
+          end
           doc["Statement"].each { |s|
             if !s["Action"]
               MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
@@ -721,7 +745,7 @@ end
               "targets" => s["Resource"].map { |r|
                 if r.match(/^arn:aws(-us-gov)?:([^:]+):.*?:([^:]*)$/)
 # XXX which cases even count for blind references to sibling resources?
-                  type = if Regexp.last_match[1] == "s3"
+                  if Regexp.last_match[1] == "s3"
                     "bucket"
                   elsif Regexp.last_match[1]
                     MU.log "Service #{Regexp.last_match[1]} to type...", MU::WARN, details: r
@@ -741,7 +765,7 @@ end
         # Attach this role or group of loose policies to the specified entity.
         # @param entitytype [String]: The type of entity (user, group or role for policies; instance_profile for roles)
-        def bindTo(entitytype, entityname, policies = [])
+        def bindTo(entitytype, entityname)
           if entitytype == "instance_profile"
             begin
               resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
@@ -754,7 +778,7 @@ end
                   role_name: @mu_name
                 )
               end
-            rescue Exception => e
+            rescue StandardError => e
               MU.log "Error binding role #{@mu_name} to instance profile #{entityname}: #{e.message}", MU::ERR
               raise e
             end
@@ -783,7 +807,6 @@ end
                 rescue Aws::IAM::Errors::NoSuchEntity => e
                   if subpaths.size > 0
                     p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
-                    retried = true
                     retry
                   end
                   raise e
@@ -833,6 +856,7 @@ end
           else
             raise MuError, "Invalid entitytype '#{entitytype}' passed to MU::Cloud::AWS::Role.bindTo. Must be be one of: user, group, role, instance_profile"
           end
+          cloud_desc(use_cache: false)
         end
         # Create an instance profile for EC2 instances, named identically and
@@ -847,7 +871,7 @@ end
             MU::Cloud::AWS.iam(credentials: @config['credentials']).create_instance_profile(
               instance_profile_name: @mu_name
             )
-          rescue Aws::IAM::Errors::EntityAlreadyExists => e
+          rescue Aws::IAM::Errors::EntityAlreadyExists
             MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
               instance_profile_name: @mu_name
             )
@@ -905,13 +929,13 @@ end
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
             begin
-              MU::Cloud.loadCloudType("AWS", t)
+              MU::Cloud.resourceClass("AWS", t)
               false
             rescue MuCloudResourceNotImplemented
               true
@@ -1012,10 +1036,9 @@ end
             subpaths = ["service-role", "aws-service-role", "job-function"]
             begin
               MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
-            rescue Aws::IAM::Errors::NoSuchEntity => e
+            rescue Aws::IAM::Errors::NoSuchEntity
               if subpaths.size > 0
                 arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(region) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+ref["id"]
-                retried = true
                 retry
               end
               MU.log "No such canned AWS IAM policy '#{arn}'", MU::ERR
@@ -1029,9 +1052,9 @@ end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::roles}, bare and unvalidated.
         # @param role [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(role, configurator)
+        def self.validateConfig(role, _configurator)
           ok = true
           # munge things declared with the deprecated import keyword into
@@ -1074,11 +1097,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  role['dependencies'] ||= []
-                  role['dependencies'] << {
-                    "name" => target['identifier'],
-                    "type" => target['type']
-                  }
+                  MU::Config.addDependency(role, target['identifier'], target['type'], no_create_wait: true)
                 end
               }
             }
@@ -1094,15 +1113,14 @@ end
         # @param policies [Array<Hash>]: One or more policy chunks
         # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
         # @return [Array<Hash>]
-        def self.genPolicyDocument(policies, deploy_obj: nil)
-          iam_policies = []
+        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
           if policies
             name = nil
             doc = {
-              "Version" => "2012-10-17",
+              "Version" => version,
               "Statement" => []
             }
+            doc["Id"] = doc_id if doc_id
             policies.each { |policy|
               policy["flag"] ||= "Allow"
               statement = {
@@ -1134,12 +1152,28 @@ end
                     )
                     if sibling
                       id = sibling.cloudobj.arn
-                      statement["Principal"] << id
+                      if bucket_style
+                        statement["Principal"] << { "AWS" => id }
+                      else
+                        statement["Principal"] << id
+                      end
                     else
                       raise MuError, "Couldn't find a #{grantee["type"]} named #{grantee["identifier"]} when generating IAM policy"
                     end
                   else
-                    statement["Principal"] << grantee["identifier"]
+                    bucket_prefix = if grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/)
+                      "Service"
+                    elsif grantee["identifier"] =~ /^[a-f0-9]+$/
+                      "CanonicalUser"
+                    else
+                      "AWS"
+                    end
+                    if bucket_style
+                      statement["Principal"] << { bucket_prefix => grantee["identifier"] }
+                    else
+                      statement["Principal"] << grantee["identifier"]
+                    end
                   end
                 }
                 if policy["grant_to"].size == 1
@@ -1162,9 +1196,11 @@ end
                         stream_id = id.sub(/:([^:]+)$/, ":log-stream:*")
 #                        "arn:aws:logs:us-east-2:accountID:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
                         statement["Resource"] << stream_id
+                      elsif id.match(/:s3:/)
+                        statement["Resource"] << id+"/*"
                       end
                     else
-                      raise MuError, "Couldn't find a #{target["entity_type"]} named #{target["identifier"]} when generating IAM policy"
+                      raise MuError, "Couldn't find a #{target["type"]} named #{target["identifier"]} when generating IAM policy"
                     end
                   else
                     target["identifier"] += target["path"] if target["path"]
@@ -1180,6 +1216,32 @@ end
           []
         end
+        # Update a policy, handling deletion of old versions as needed
+        # @param arn [String]:
+        # @param doc [Hash]:
+        # @param credentials [String]:
+        def self.update_policy(arn, doc, credentials: nil)
+# XXX this is just blindly replacing identical versions, when it should check
+# and guard
+          begin
+            MU::Cloud::AWS.iam(credentials: credentials).create_policy_version(
+              policy_arn: arn,
+              set_as_default: true,
+              policy_document: JSON.generate(doc)
+            )
+          rescue Aws::IAM::Errors::LimitExceeded
+            delete_version = MU::Cloud::AWS.iam(credentials: credentials).list_policy_versions(
+              policy_arn: arn,
+            ).versions.last.version_id
+            MU.log "Purging oldest version (#{delete_version}) of IAM policy #{arn}", MU::NOTICE
+            MU::Cloud::AWS.iam(credentials: credentials).delete_policy_version(
+              policy_arn: arn,
+              version_id: delete_version
+            )
+            retry
+          end
+        end
         private
         # Convert entries from the cloud-neutral @config['policies'] list into
@@ -1261,28 +1323,6 @@ end
           MU::Cloud::AWS::Role.update_policy(arn, doc, credentials: @credentials)
         end
-        # Update a policy, handling deletion of old versions as needed
-        def self.update_policy(arn, doc, credentials: nil)
-# XXX this is just blindly replacing identical versions, when it should check
-# and guard
-          begin
-            MU::Cloud::AWS.iam(credentials: credentials).create_policy_version(
-              policy_arn: arn,
-              set_as_default: true,
-              policy_document: JSON.generate(doc)
-            )
-          rescue Aws::IAM::Errors::LimitExceeded => e
-            delete_version = MU::Cloud::AWS.iam(credentials: credentials).list_policy_versions(
-              policy_arn: arn,
-            ).versions.last.version_id
-            MU.log "Purging oldest version (#{delete_version}) of IAM policy #{arn}", MU::NOTICE
-            MU::Cloud::AWS.iam(credentials: credentials).delete_policy_version(
-              policy_arn: arn,
-              version_id: delete_version
-            )
-            retry
-          end
-        end
       end
     end