RubyGems - cloud-mu - Versions diffs - 3.1.3 → 3.3.0 - Mend

cloud-mu 3.1.3 → 3.3.0

Files changed (212) hide show

checksums.yaml +4 -4
data/Dockerfile +15 -3
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +21 -13
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +4 -4
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +147 -37
data/cloud-mu.gemspec +22 -20
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +3 -2
data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/disk.rb +1 -1
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/extras/image-generators/Google/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +1 -1
data/modules/mommacat.ru +6 -16
data/modules/mu.rb +158 -111
data/modules/mu/adoption.rb +404 -71
data/modules/mu/cleanup.rb +221 -306
data/modules/mu/cloud.rb +129 -1633
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +44 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +926 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +169 -0
data/modules/mu/config.rb +171 -1767
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +32 -3
data/modules/mu/config/cache_cluster.rb +2 -2
data/modules/mu/config/cdn.rb +100 -0
data/modules/mu/config/collection.rb +4 -4
data/modules/mu/config/container_cluster.rb +9 -4
data/modules/mu/config/database.rb +84 -105
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +10 -9
data/modules/mu/config/doc_helpers.rb +516 -0
data/modules/mu/config/endpoint.rb +5 -4
data/modules/mu/config/firewall_rule.rb +103 -4
data/modules/mu/config/folder.rb +4 -4
data/modules/mu/config/function.rb +19 -10
data/modules/mu/config/group.rb +4 -4
data/modules/mu/config/habitat.rb +4 -4
data/modules/mu/config/job.rb +89 -0
data/modules/mu/config/loadbalancer.rb +60 -14
data/modules/mu/config/log.rb +4 -4
data/modules/mu/config/msg_queue.rb +4 -4
data/modules/mu/config/nosqldb.rb +4 -4
data/modules/mu/config/notifier.rb +10 -21
data/modules/mu/config/ref.rb +411 -0
data/modules/mu/config/role.rb +4 -4
data/modules/mu/config/schema_helpers.rb +509 -0
data/modules/mu/config/search_domain.rb +4 -4
data/modules/mu/config/server.rb +98 -71
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +5 -9
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +200 -0
data/modules/mu/config/user.rb +4 -4
data/modules/mu/config/vpc.rb +71 -27
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +91 -68
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +3 -2
data/modules/mu/deploy.rb +43 -26
data/modules/mu/groomer.rb +17 -2
data/modules/mu/groomers/ansible.rb +188 -41
data/modules/mu/groomers/chef.rb +116 -55
data/modules/mu/logger.rb +127 -148
data/modules/mu/master.rb +410 -2
data/modules/mu/master/chef.rb +3 -4
data/modules/mu/master/ldap.rb +3 -3
data/modules/mu/master/ssl.rb +12 -3
data/modules/mu/mommacat.rb +218 -2612
data/modules/mu/mommacat/daemon.rb +403 -0
data/modules/mu/mommacat/naming.rb +473 -0
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +722 -0
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +380 -122
data/modules/mu/{clouds → providers}/aws/alarm.rb +7 -5
data/modules/mu/{clouds → providers}/aws/bucket.rb +297 -59
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +37 -71
data/modules/mu/providers/aws/cdn.rb +782 -0
data/modules/mu/{clouds → providers}/aws/collection.rb +26 -25
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +724 -744
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +88 -70
data/modules/mu/providers/aws/endpoint.rb +1072 -0
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +220 -247
data/modules/mu/{clouds → providers}/aws/folder.rb +8 -8
data/modules/mu/{clouds → providers}/aws/function.rb +300 -142
data/modules/mu/{clouds → providers}/aws/group.rb +31 -29
data/modules/mu/{clouds → providers}/aws/habitat.rb +18 -15
data/modules/mu/providers/aws/job.rb +466 -0
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +66 -56
data/modules/mu/{clouds → providers}/aws/log.rb +17 -14
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +29 -19
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +114 -16
data/modules/mu/{clouds → providers}/aws/notifier.rb +142 -65
data/modules/mu/{clouds → providers}/aws/role.rb +158 -118
data/modules/mu/{clouds → providers}/aws/search_domain.rb +201 -59
data/modules/mu/{clouds → providers}/aws/server.rb +844 -1139
data/modules/mu/{clouds → providers}/aws/server_pool.rb +74 -65
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +26 -44
data/modules/mu/{clouds → providers}/aws/user.rb +24 -25
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +525 -931
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +29 -9
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
data/modules/mu/{clouds → providers}/azure/server.rb +97 -49
data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +68 -30
data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
data/modules/mu/{clouds → providers}/google/container_cluster.rb +85 -78
data/modules/mu/{clouds → providers}/google/database.rb +11 -21
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
data/modules/mu/{clouds → providers}/google/function.rb +140 -168
data/modules/mu/{clouds → providers}/google/group.rb +29 -34
data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +19 -21
data/modules/mu/{clouds → providers}/google/role.rb +94 -58
data/modules/mu/{clouds → providers}/google/server.rb +243 -156
data/modules/mu/{clouds → providers}/google/server_pool.rb +26 -45
data/modules/mu/{clouds → providers}/google/user.rb +95 -31
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
data/modules/tests/aws-jobs-functions.yaml +46 -0
data/modules/tests/bucket.yml +4 -0
data/modules/tests/centos6.yaml +15 -0
data/modules/tests/centos7.yaml +15 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/eks.yaml +1 -1
data/modules/tests/functions/node-function/lambda_function.js +10 -0
data/modules/tests/functions/python-function/lambda_function.py +12 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/microservice_app.yaml +288 -0
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/aws-iam.yaml +201 -0
data/modules/tests/regrooms/bucket.yml +19 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +2 -1
data/modules/tests/super_complex_bok.yml +2 -2
data/modules/tests/super_simple_bok.yml +3 -5
data/modules/tests/win2k12.yaml +17 -5
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +240 -154
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1985
data/modules/mu/clouds/aws/endpoint.rb +0 -592

data/modules/mu/{clouds → providers}/aws/role.rb RENAMED

@@ -30,7 +30,7 @@ module MU
             end
           end
-          @mu_name ||= @deploy.getResourceName(@config["name"])
+          @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 64)
         end
         # Called automatically by {MU::Deploy#createResources}
@@ -43,7 +43,7 @@ module MU
               policy_name = @mu_name+"-"+policy.keys.first.upcase
               MU.log "Creating IAM policy #{policy_name}"
-              resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
+              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
                 policy_name: policy_name,
                 path: "/"+@deploy.deploy_id+"/",
                 policy_document: JSON.generate(policy.values.first),
@@ -56,8 +56,8 @@ module MU
             MU.log "Creating IAM role #{@mu_name}"
             @cloud_id = @mu_name
             path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
-            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
-              path: nil,
+            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
+              path: path,
               role_name: @mu_name,
               description: "Generated by Mu",
               assume_role_policy_document: gen_assume_role_policy_doc,
@@ -89,7 +89,6 @@ module MU
           end
           if @config['raw_policies'] or @config['attachable_policies']
-            attached_policies = []
             configured_policies = []
             if @config['raw_policies']
@@ -128,7 +127,7 @@ module MU
             # XXX not sure we're binding these sanely, validate that
             if @config['raw_policies']
-              pol_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+              MU::Cloud::AWS::Role.manageRawPolicies(
                 @config['raw_policies'],
                 basename: @deploy.getResourceName(@config['name']),
                 credentials: @credentials
@@ -183,7 +182,7 @@ module MU
                 desc
               end
-            rescue Aws::IAM::Errors::NoSuchEntity => e
+            rescue Aws::IAM::Errors::NoSuchEntity
               MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
               MU::Cloud::AWS.iam(credentials: credentials).create_policy(
                 policy_name: policy_name,
@@ -202,65 +201,87 @@ module MU
         def arn
           desc = cloud_desc
           if desc["role"]
-            desc["role"].arn
+            if desc['role'].is_a?(Hash)
+              desc["role"][:arn] # why though
+            else
+              desc["role"].arn
+            end
           else
             nil
           end
         end
+        @cloud_desc_cache = nil
         # Return a hash containing a +role+ element and a +policies+ element,
         # populated with one or both depending on what this resource has
         # defined.
-        def cloud_desc
-          desc = {}
+        def cloud_desc(use_cache: true)
+          # we might inherit a naive cached description from the base cloud
+          # layer; rearrange it to our tastes
+          if @cloud_desc_cache.is_a?(::Aws::IAM::Types::Role)
+            new_desc = {
+              "role" => @cloud_desc_cache
+            }
+            @cloud_desc_cache = new_desc
+          elsif @cloud_desc_cache.is_a?(::Aws::IAM::Types::Policy)
+            new_desc = {
+              "policies" => [@cloud_desc_cache]
+            }
+            @cloud_desc_cache = new_desc
+          end
+          return @cloud_desc_cache if @cloud_desc_cache and !@cloud_desc_cache.empty? and use_cache
+          @cloud_desc_cache = {}
           if @config['bare_policies']
             if @cloud_id
               pol_desc = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
               if pol_desc
-                desc['policies'] = [pol_desc]
-                return desc
+                @cloud_desc_cache['policies'] = [pol_desc]
+                return @cloud_desc_cache
               end
             end
             if @deploy and @deploy.deploy_id
-              desc["policies"] = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
+              @cloud_desc_cache["policies"] = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
                 path_prefix: "/"+@deploy.deploy_id+"/"
               ).policies
-              desc["policies"].reject! { |p|
+              @cloud_desc_cache["policies"].reject! { |p|
                 !p.policy_name.match(/^#{Regexp.quote(@mu_name)}-/)
               }
               # this is quasi-wrong because we can be mulitple cloud is, but
               # we can't really set this type to has_multiples because that's
               # just how managed policies work not anything else, goddammit
               # AWS why can't you just bundle everything in roles
-              if desc["policies"] and desc["policies"].size > 0
-                @cloud_id ||= desc["policies"].first.arn
+              if @cloud_desc_cache["policies"] and @cloud_desc_cache["policies"].size > 0
+                @cloud_id ||= @cloud_desc_cache["policies"].first.arn
               end
             end
           else
             if @cloud_id.match(/^arn:aws(:?-us-gov)?:[^:]*:[^:]*:\d*:policy\//)
               pol_desc = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
               if pol_desc
-                desc['policies'] = [pol_desc]
-                return desc
+                @cloud_desc_cache['policies'] = [pol_desc]
+                return @cloud_desc_cache
               end
             end
 begin
-            desc['role'] = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
-            desc['role'] ||= MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @mu_name).values.first
+            @cloud_desc_cache['role'] = MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @cloud_id).values.first
+            @cloud_desc_cache['role'] ||= MU::Cloud::AWS::Role.find(credentials: @credentials, cloud_id: @mu_name).values.first
             MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
               role_name: @mu_name
             ).attached_policies.each { |p|
-              desc["policies"] ||= []
-              desc["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
+              @cloud_desc_cache["policies"] ||= []
+              @cloud_desc_cache["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
                 policy_arn: p.policy_arn
               ).policy
             }
             inline = MU::Cloud::AWS.iam(credentials: @credentials).list_role_policies(role_name: @mu_name).policy_names
             inline.each { |pol_name|
-              desc["policies"] ||= []
-              desc["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_role_policy(
+              @cloud_desc_cache["policies"] ||= []
+              @cloud_desc_cache["policies"] << MU::Cloud::AWS.iam(credentials: @credentials).get_role_policy(
                 role_name: @mu_name,
                 policy_name: pol_name
               )
@@ -270,9 +291,9 @@ rescue ::Aws::IAM::Errors::ValidationError => e
 MU.log @cloud_id+" "+@mu_name, MU::WARN, details: e.inspect
 end
           end
-          desc['cloud_id'] ||= @cloud_id
+          @cloud_desc_cache['cloud_id'] ||= @cloud_id
-          desc
+          @cloud_desc_cache
         end
         # Return the metadata for this user cofiguration
@@ -284,26 +305,25 @@ end
         # Insert a new target entity into an existing policy.
         # @param policy [String]: The name of the policy to which we're appending, which must already exist as part of this role resource
         # @param targets [Array<String>]: The target resource. If +target_type+ isn't specified, this should be a fully-resolved ARN.
-        # @param mu_type [String]: A valid Mu resource type
-        def injectPolicyTargets(policy, targets, mu_type = nil)
+        def injectPolicyTargets(policy, targets)
           if !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
-          my_policies = cloud_desc["policies"]
+          my_policies = cloud_desc(use_cache: false)["policies"]
           my_policies ||= []
+          seen_policy = false
           my_policies.each { |p|
             if p.policy_name == policy
+              seen_policy = true
               old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
                 policy_arn: p.arn,
                 version_id: p.default_version_id
               ).policy_version
               doc = JSON.parse URI.decode_www_form_component old.document
               need_update = false
               doc["Statement"].each { |s|
                 targets.each { |target|
                   target_string = target
@@ -332,6 +352,10 @@ end
               end
             end
           }
+          if !seen_policy
+            MU.log "Was given new targets for policy #{policy}, but I don't see any such policy attached to role #{@cloud_id}", MU::WARN, details: targets
+          end
         end
         # Delete an IAM policy, along with attendant versions and attachments.
@@ -409,16 +433,15 @@ end
         # Remove all roles associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
-            path_prefix: "/"+MU.deploy_id+"/"
+            path_prefix: "/"+deploy_id+"/"
           )
           if resp and resp.policies
             resp.policies.each { |policy|
-              MU.log "Deleting IAM policy /#{MU.deploy_id}/#{policy.policy_name}"
+              MU.log "Deleting IAM policy /#{deploy_id}/#{policy.policy_name}"
               if !noop
                 purgePolicy(policy.arn, credentials)
               end
@@ -429,21 +452,31 @@ end
           roles = MU::Cloud::AWS::Role.find(credentials: credentials).values
           roles.each { |r|
             next if !r.respond_to?(:role_name)
-            if r.path.match(/^\/#{Regexp.quote(MU.deploy_id)}/)
+            if r.path.match(/^\/#{Regexp.quote(deploy_id)}/)
               deleteme << r
               next
             end
             # For some dumb reason, the list output that .find gets doesn't
             # include the tags, so we need to fetch each role individually to
             # check tags. Hardly seems efficient.
-            desc = MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            desc = begin
+              MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            rescue Aws::IAM::Errors::NoSuchEntity
+              next
+            end
             if desc.role and desc.role.tags and desc.role.tags
+              master_match = false
+              deploy_match = false
               desc.role.tags.each { |t|
-                if t.key == "MU-ID" and t.value == MU.deploy_id
-                  deleteme << r
-                  break
+                if t.key == "MU-ID" and t.value == deploy_id
+                  deploy_match = true
+                elsif t.key == "MU-MASTER-IP" and t.value == MU.mu_public_ip
+                  master_match = true
                 end
               }
+              if deploy_match and (master_match or ignoremaster)
+                deleteme << r
+              end
             end
           }
@@ -481,7 +514,7 @@ end
                   MU::Cloud::AWS.iam(credentials: credentials).delete_instance_profile(instance_profile_name: r.role_name)
                 rescue Aws::IAM::Errors::ValidationError => e
                   MU.log "Cleaning up IAM role #{r.role_name}: #{e.inspect}", MU::WARN
-                rescue Aws::IAM::Errors::NoSuchEntity => e
+                rescue Aws::IAM::Errors::NoSuchEntity
                 end
                 MU::Cloud::AWS.iam(credentials: credentials).delete_role(
@@ -502,7 +535,7 @@ end
             begin
               # managed policies get fetched by ARN, roles by plain name. Ok!
-              if args[:cloud_id].match(/^arn:/)
+              if args[:cloud_id].match(/^arn:.*?:policy\//)
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_policy(
                   policy_arn: args[:cloud_id]
                 )
@@ -511,39 +544,26 @@ end
                 end
               else
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_role(
-                  role_name: args[:cloud_id]
+                  role_name: args[:cloud_id].sub(/^arn:.*?\/([^:\/]+)$/, '\1') # XXX if it's an ARN, actually parse it and look in the correct account when applicable
                 )
                 if resp and resp.role
-                  found[args[:cloud_id]] = resp.role
+                  found[resp.role.role_name] = resp.role
                 end
               end
             rescue ::Aws::IAM::Errors::NoSuchEntity
             end
           else
-            marker = nil
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles(
-                marker: marker
-              )
-              break if !resp or !resp.roles
-              resp.roles.each { |role|
-                found[role.role_name] = role
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
+            resp.roles.each { |role|
+              found[role.role_name] = role
+            }
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(
-                scope: "Local",
-                marker: marker
-              )
-              break if !resp or !resp.policies
-              resp.policies.each { |pol|
-                found[pol.arn] = pol
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(scope: "Local")
+            resp.policies.each { |pol|
+              found[pol.arn] = pol
+            }
           end
           found
@@ -552,7 +572,7 @@ end
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
             "credentials" => @config['credentials'],
@@ -601,14 +621,13 @@ end
                   )
                   JSON.parse(URI.decode(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
             }
             return bok if @config['bare_policies']
           end
           if desc.tags and desc.tags.size > 0
             bok["tags"] = MU.structToHash(desc.tags, stringify_keys: true)
           end
@@ -681,6 +700,7 @@ end
           end
           bok["attachable_policies"].uniq! if bok["attachable_policies"]
+          bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
           bok
         end
@@ -693,6 +713,10 @@ end
         def self.doc2MuPolicies(basename, doc, policies = [])
           policies ||= []
+          if !doc["Statement"].is_a?(Array)
+            doc["Statement"] = [doc["Statement"]]
+          end
           doc["Statement"].each { |s|
             if !s["Action"]
               MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
@@ -721,7 +745,7 @@ end
               "targets" => s["Resource"].map { |r|
                 if r.match(/^arn:aws(-us-gov)?:([^:]+):.*?:([^:]*)$/)
 # XXX which cases even count for blind references to sibling resources?
-                  type = if Regexp.last_match[1] == "s3"
+                  if Regexp.last_match[1] == "s3"
                     "bucket"
                   elsif Regexp.last_match[1]
                     MU.log "Service #{Regexp.last_match[1]} to type...", MU::WARN, details: r
@@ -741,7 +765,7 @@ end
         # Attach this role or group of loose policies to the specified entity.
         # @param entitytype [String]: The type of entity (user, group or role for policies; instance_profile for roles)
-        def bindTo(entitytype, entityname, policies = [])
+        def bindTo(entitytype, entityname)
           if entitytype == "instance_profile"
             begin
               resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
@@ -754,7 +778,7 @@ end
                   role_name: @mu_name
                 )
               end
-            rescue Exception => e
+            rescue StandardError => e
               MU.log "Error binding role #{@mu_name} to instance profile #{entityname}: #{e.message}", MU::ERR
               raise e
             end
@@ -783,7 +807,6 @@ end
                 rescue Aws::IAM::Errors::NoSuchEntity => e
                   if subpaths.size > 0
                     p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
-                    retried = true
                     retry
                   end
                   raise e
@@ -833,6 +856,7 @@ end
           else
             raise MuError, "Invalid entitytype '#{entitytype}' passed to MU::Cloud::AWS::Role.bindTo. Must be be one of: user, group, role, instance_profile"
           end
+          cloud_desc(use_cache: false)
         end
         # Create an instance profile for EC2 instances, named identically and
@@ -847,7 +871,7 @@ end
             MU::Cloud::AWS.iam(credentials: @config['credentials']).create_instance_profile(
               instance_profile_name: @mu_name
             )
-          rescue Aws::IAM::Errors::EntityAlreadyExists => e
+          rescue Aws::IAM::Errors::EntityAlreadyExists
             MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
               instance_profile_name: @mu_name
             )
@@ -905,13 +929,13 @@ end
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
             begin
-              MU::Cloud.loadCloudType("AWS", t)
+              MU::Cloud.resourceClass("AWS", t)
               false
             rescue MuCloudResourceNotImplemented
               true
@@ -1012,10 +1036,9 @@ end
             subpaths = ["service-role", "aws-service-role", "job-function"]
             begin
               MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
-            rescue Aws::IAM::Errors::NoSuchEntity => e
+            rescue Aws::IAM::Errors::NoSuchEntity
               if subpaths.size > 0
                 arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(region) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+ref["id"]
-                retried = true
                 retry
               end
               MU.log "No such canned AWS IAM policy '#{arn}'", MU::ERR
@@ -1029,9 +1052,9 @@ end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::roles}, bare and unvalidated.
         # @param role [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(role, configurator)
+        def self.validateConfig(role, _configurator)
           ok = true
           # munge things declared with the deprecated import keyword into
@@ -1074,11 +1097,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  role['dependencies'] ||= []
-                  role['dependencies'] << {
-                    "name" => target['identifier'],
-                    "type" => target['type']
-                  }
+                  MU::Config.addDependency(role, target['identifier'], target['type'], no_create_wait: true)
                 end
               }
             }
@@ -1094,15 +1113,14 @@ end
         # @param policies [Array<Hash>]: One or more policy chunks
         # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
         # @return [Array<Hash>]
-        def self.genPolicyDocument(policies, deploy_obj: nil)
-          iam_policies = []
+        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
           if policies
             name = nil
             doc = {
-              "Version" => "2012-10-17",
+              "Version" => version,
               "Statement" => []
             }
+            doc["Id"] = doc_id if doc_id
             policies.each { |policy|
               policy["flag"] ||= "Allow"
               statement = {
@@ -1134,12 +1152,28 @@ end
                     )
                     if sibling
                       id = sibling.cloudobj.arn
-                      statement["Principal"] << id
+                      if bucket_style
+                        statement["Principal"] << { "AWS" => id }
+                      else
+                        statement["Principal"] << id
+                      end
                     else
                       raise MuError, "Couldn't find a #{grantee["type"]} named #{grantee["identifier"]} when generating IAM policy"
                     end
                   else
-                    statement["Principal"] << grantee["identifier"]
+                    bucket_prefix = if grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/)
+                      "Service"
+                    elsif grantee["identifier"] =~ /^[a-f0-9]+$/
+                      "CanonicalUser"
+                    else
+                      "AWS"
+                    end
+                    if bucket_style
+                      statement["Principal"] << { bucket_prefix => grantee["identifier"] }
+                    else
+                      statement["Principal"] << grantee["identifier"]
+                    end
                   end
                 }
                 if policy["grant_to"].size == 1
@@ -1162,9 +1196,11 @@ end
                         stream_id = id.sub(/:([^:]+)$/, ":log-stream:*")
 #                        "arn:aws:logs:us-east-2:accountID:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
                         statement["Resource"] << stream_id
+                      elsif id.match(/:s3:/)
+                        statement["Resource"] << id+"/*"
                       end
                     else
-                      raise MuError, "Couldn't find a #{target["entity_type"]} named #{target["identifier"]} when generating IAM policy"
+                      raise MuError, "Couldn't find a #{target["type"]} named #{target["identifier"]} when generating IAM policy"
                     end
                   else
                     target["identifier"] += target["path"] if target["path"]
@@ -1180,6 +1216,32 @@ end
           []
         end
+        # Update a policy, handling deletion of old versions as needed
+        # @param arn [String]:
+        # @param doc [Hash]:
+        # @param credentials [String]:
+        def self.update_policy(arn, doc, credentials: nil)
+# XXX this is just blindly replacing identical versions, when it should check
+# and guard
+          begin
+            MU::Cloud::AWS.iam(credentials: credentials).create_policy_version(
+              policy_arn: arn,
+              set_as_default: true,
+              policy_document: JSON.generate(doc)
+            )
+          rescue Aws::IAM::Errors::LimitExceeded
+            delete_version = MU::Cloud::AWS.iam(credentials: credentials).list_policy_versions(
+              policy_arn: arn,
+            ).versions.last.version_id
+            MU.log "Purging oldest version (#{delete_version}) of IAM policy #{arn}", MU::NOTICE
+            MU::Cloud::AWS.iam(credentials: credentials).delete_policy_version(
+              policy_arn: arn,
+              version_id: delete_version
+            )
+            retry
+          end
+        end
         private
         # Convert entries from the cloud-neutral @config['policies'] list into
@@ -1261,28 +1323,6 @@ end
           MU::Cloud::AWS::Role.update_policy(arn, doc, credentials: @credentials)
         end
-        # Update a policy, handling deletion of old versions as needed
-        def self.update_policy(arn, doc, credentials: nil)
-# XXX this is just blindly replacing identical versions, when it should check
-# and guard
-          begin
-            MU::Cloud::AWS.iam(credentials: credentials).create_policy_version(
-              policy_arn: arn,
-              set_as_default: true,
-              policy_document: JSON.generate(doc)
-            )
-          rescue Aws::IAM::Errors::LimitExceeded => e
-            delete_version = MU::Cloud::AWS.iam(credentials: credentials).list_policy_versions(
-              policy_arn: arn,
-            ).versions.last.version_id
-            MU.log "Purging oldest version (#{delete_version}) of IAM policy #{arn}", MU::NOTICE
-            MU::Cloud::AWS.iam(credentials: credentials).delete_policy_version(
-              policy_arn: arn,
-              version_id: delete_version
-            )
-            retry
-          end
-        end
       end
     end