cloud-mu 3.1.3 → 3.3.0

data/modules/mu/{clouds → providers}/google/group.rb

@@ -44,7 +44,7 @@ module MU
             resp = MU::Cloud::Google.admin_directory(credentials: @credentials).insert_group(group_obj)
             @cloud_id = resp.email
 
-            MU::Cloud::Google::Role.bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'])
+            MU::Cloud.resourceClass("Google", "Role").bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'])
           else
             @cloud_id = @config['name'].sub(/@.*/, "")+"@"+@config['domain']
           end
@@ -52,7 +52,7 @@ module MU
 
         # Called automatically by {MU::Deploy#createResources}
         def groom
-          MU::Cloud::Google::Role.bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'], debug: true)
+          MU::Cloud.resourceClass("Google", "Role").bindFromConfig("group", @cloud_id, @config['roles'], credentials: @config['credentials'], debug: true)
 
           if @config['members']
             resolved_desired = []
@@ -139,12 +139,17 @@ module MU
         # Remove all groups associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          my_domains = MU::Cloud::Google.getDomains(credentials)
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
+          MU::Cloud::Google.getDomains(credentials)
           my_org = MU::Cloud::Google.getOrg(credentials)
 
+          filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
+          if !ignoremaster and MU.mu_public_ip
+            filter += %Q{ AND (labels.mu-master-ip = "#{MU.mu_public_ip.gsub(/\./, "_")}")}
+          end
+          MU.log "Placeholder: Google Group artifacts do not support labels, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: filter
+
           if my_org
             groups = MU::Cloud::Google.admin_directory(credentials: credentials).list_groups(customer: MU::Cloud::Google.customerID(credentials)).groups
             if groups
@@ -161,7 +166,7 @@ module MU
 
           if flags['known']
             flags['known'].each { |group|
-              MU::Cloud::Google::Role.removeBindings("group", group, credentials: credentials, noop: noop)
+              MU::Cloud.resourceClass("Google", "Role").removeBindings("group", group, credentials: credentials, noop: noop)
             }
           end
         end
@@ -199,7 +204,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
 
           bok = {
             "cloud" => "Google",
@@ -208,28 +213,28 @@ module MU
 
           bok['name'] = cloud_desc.name
           bok['cloud_id'] = cloud_desc.email
-          bok['members'] = members
-          bok['members'].each { |m|
-            m = MU::Config::Ref.get(
-              id: m,
-              cloud: "Google",
-              credentials: @config['credentials'],
-              type: "users"
-            )
-          }
-          group_roles = MU::Cloud::Google::Role.getAllBindings(@config['credentials'])["by_entity"]
+          bok['members'] = members.dup
+#          bok['members'] = members.map { |m|
+#            MU::Config::Ref.get(
+#              id: m,
+#              cloud: "Google",
+#              credentials: @config['credentials'],
+#              type: "users"
+#            )
+#          }
+          group_roles = MU::Cloud.resourceClass("Google", "Role").getAllBindings(@config['credentials'])["by_entity"]
           if group_roles["group"] and group_roles["group"][bok['cloud_id']] and
              group_roles["group"][bok['cloud_id']].size > 0
-            bok['roles'] = MU::Cloud::Google::Role.entityBindingsToSchema(group_roles["group"][bok['cloud_id']], credentials: @config['credentials'])
+            bok['roles'] = MU::Cloud.resourceClass("Google", "Role").entityBindingsToSchema(group_roles["group"][bok['cloud_id']], credentials: @config['credentials'])
           end
 
           bok
        end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "name" => {
@@ -259,7 +264,7 @@ If we are binding (rather than creating) a group and no roles are specified, we
 
             "roles" => {
               "type" => "array",
-              "items" => MU::Cloud::Google::Role.ref_schema
+              "items" => MU::Cloud.resourceClass("Google", "Role").ref_schema
             }
           }
           [toplevel_required, schema]
@@ -322,7 +327,7 @@ If we are binding (rather than creating) a group and no roles are specified, we
           end
 
 
-          credcfg = MU::Cloud::Google.credConfig(group['credentials'])
+          MU::Cloud::Google.credConfig(group['credentials'])
 
           if group['external'] and group['members']
             MU.log "Cannot manage memberships for external group #{group['name']}", MU::ERR
@@ -335,11 +340,7 @@ If we are binding (rather than creating) a group and no roles are specified, we
           if group['members']
             group['members'].each { |m|
               if configurator.haveLitterMate?(m, "users")
-                group['dependencies'] ||= []
-                group['dependencies'] << {
-                  "name" => m,
-                  "type" => "user"
-                }
+                MU::Config.addDependency(group, m, "user")
               end
             }
           end
@@ -348,11 +349,7 @@ If we are binding (rather than creating) a group and no roles are specified, we
             group['roles'].each { |r|
               if r['role'] and r['role']['name'] and
                  (!r['role']['deploy_id'] and !r['role']['id'])
-                group['dependencies'] ||= []
-                group['dependencies'] << {
-                  "type" => "role",
-                  "name" => r['role']['name']
-                }
+                MU::Config.addDependency(group, r['role']['name'], "role")
               end
             }
           end
@@ -360,8 +357,6 @@ If we are binding (rather than creating) a group and no roles are specified, we
           ok
         end
 
-        private
-
       end
     end
   end

data/modules/mu/{clouds → providers}/google/habitat.rb

@@ -61,7 +61,7 @@ module MU
           if @config['parent']['name'] and !@config['parent']['id']
             @config['parent']['deploy_id'] = @deploy.deploy_id
           end
-          parent = MU::Cloud::Google::Folder.resolveParent(@config['parent'], credentials: @config['credentials'])
+          parent = MU::Cloud.resourceClass("Google", "Folder").resolveParent(@config['parent'], credentials: @config['credentials'])
           if !parent
             MU.log "Unable to resolve parent resource of Google Project #{@config['name']}", MU::ERR, details: @config['parent']
             raise "Unable to resolve parent resource of Google Project #{@config['name']}"
@@ -113,7 +113,7 @@ module MU
           @habitat_id = parent_id
           begin
             setProjectBilling
-          rescue Exception => e
+          rescue StandardError => e
             MU.log "Failed to set billing account #{@config['billing_acct']} on project #{@cloud_id}: #{e.message}", MU::ERR
             MU::Cloud::Google.resource_manager(credentials: @config['credentials']).delete_project(@cloud_id)
             raise e
@@ -167,10 +167,12 @@ module MU
           end
         end
 
+        @cached_cloud_desc = nil
         # Return the cloud descriptor for the Habitat
         # @return [Google::Apis::Core::Hashable]
-        def cloud_desc
-          @cached_cloud_desc ||= MU::Cloud::Google::Habitat.find(cloud_id: @cloud_id).values.first
+        def cloud_desc(use_cache: true)
+          return @cached_cloud_desc if @cached_cloud_desc and use_cache
+          @cached_cloud_desc = MU::Cloud::Google::Habitat.find(cloud_id: @cloud_id).values.first
           if @cached_cloud_desc and @cached_cloud_desc.parent
             @habitat_id ||= @cached_cloud_desc.parent.id
           end
@@ -209,7 +211,7 @@ module MU
                billing.billing_account_name.empty?
               return false
             end
-          rescue ::Google::Apis::ClientError => e
+          rescue ::Google::Apis::ClientError
             return false
           end
 
@@ -219,14 +221,15 @@ module MU
         # Remove all Google projects associated with the currently loaded deployment. Try to, anyway.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           resp = MU::Cloud::Google.resource_manager(credentials: credentials).list_projects
+
           if resp and resp.projects
             resp.projects.each { |p|
-              if p.labels and p.labels["mu-id"] == MU.deploy_id.downcase and
-                 p.lifecycle_state == "ACTIVE"
+              labelmatch = (p.labels and (p.labels["mu-id"] == MU.deploy_id.downcase and (ignoremaster or p.labels["mu-master-ip"] == MU.mu_public_ip.gsub(/\./, "_"))))
+              flagmatch = (flags and flags['known'] and flags['known'].include?(p.project_id))
+              if (labelmatch or flagmatch) and p.lifecycle_state == "ACTIVE"
                 MU.log "Deleting project #{p.project_id} (#{p.name})", details: p
                 if !noop
                   begin
@@ -282,7 +285,7 @@ module MU
               next if p.lifecycle_state == "DELETE_REQUESTED"
               found[p.project_id] = p
             }
-            @@list_projects_cache = found
+            @@list_projects_cache = found.clone
           end
 
           found
@@ -291,7 +294,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**args)
           bok = {
             "cloud" => "Google",
             "credentials" => @config['credentials']
@@ -311,17 +314,17 @@ module MU
                 credentials: @config['credentials'],
                 type: "folders"
               )
-            elsif rootparent
+            elsif args[:rootparent]
               bok['parent'] = {
-                'id' => rootparent.is_a?(String) ? rootparent : rootparent.cloud_desc.name
+                'id' => args[:rootparent].is_a?(String) ? args[:rootparent] : args[:rootparent].cloud_desc.name
               }
             else
               # org parent is *probably* safe to infer from credentials
             end
           end
 
-          if billing
-            bok['billing_acct'] = billing
+          if args[:billing]
+            bok['billing_acct'] = args[:billing]
           else
             cur_billing = MU::Cloud::Google.billing(credentials: @config['credentials']).get_project_billing_info("projects/"+@cloud_id)
             if cur_billing and cur_billing.billing_account_name
@@ -334,9 +337,9 @@ module MU
 
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "billing_acct" => {
@@ -373,11 +376,7 @@ module MU
           end
 
           if habitat['parent'] and habitat['parent']['name'] and !habitat['parent']['deploy_id'] and configurator.haveLitterMate?(habitat['parent']['name'], "folders")
-            habitat["dependencies"] ||= []
-            habitat["dependencies"] << {
-              "type" => "folder",
-              "name" => habitat['parent']['name']
-            }
+            MU::Config.addDependency(habitat, habitat['parent']['name'], "folder")
           end
 
           ok

data/modules/mu/{clouds → providers}/google/loadbalancer.rb

@@ -79,13 +79,13 @@ module MU
             end
             if @config['global']
               MU.log "Creating Global Forwarding Rule #{@mu_name}", MU::NOTICE, details: ruleobj
-              resp = MU::Cloud::Google.compute(credentials: @config['credentials']).insert_global_forwarding_rule(
+              MU::Cloud::Google.compute(credentials: @config['credentials']).insert_global_forwarding_rule(
                 @project_id,
                 ruleobj
               )
             else
               MU.log "Creating regional Forwarding Rule #{@mu_name} in #{@config['region']}", MU::NOTICE, details: ruleobj
-              resp = MU::Cloud::Google.compute(credentials: @config['credentials']).insert_forwarding_rule(
+              MU::Cloud::Google.compute(credentials: @config['credentials']).insert_forwarding_rule(
                 @project_id,
                 @config['region'],
                 ruleobj
@@ -146,15 +146,20 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: nil, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: nil, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
+          filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
+          if !ignoremaster and MU.mu_public_ip
+            filter += %Q{ AND (labels.mu-master-ip = "#{MU.mu_public_ip.gsub(/\./, "_")}")}
+          end
+          MU.log "Placeholder: Google LoadBalancer artifacts do not support labels, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: filter
 
           if region
             ["forwarding_rule", "region_backend_service"].each { |type|
               MU::Cloud::Google.compute(credentials: credentials).delete(
                 type,
-                flags["project"],
+                flags["habitat"],
                 region,
                 noop
               )
@@ -165,7 +170,7 @@ module MU
             ["global_forwarding_rule", "target_http_proxy", "target_https_proxy", "url_map", "backend_service", "health_check", "http_health_check", "https_health_check"].each { |type|
               MU::Cloud::Google.compute(credentials: credentials).delete(
                 type,
-                flags["project"],
+                flags["habitat"],
                 nil,
                 noop
               )
@@ -174,9 +179,9 @@ module MU
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "named_ports" => {
@@ -202,9 +207,9 @@ module MU
 
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::loadbalancers}, bare and unvalidated.
         # @param lb [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(lb, configurator)
+        def self.validateConfig(lb, _configurator)
           ok = true
           if lb['classic']
             MU.log "LoadBalancer 'classic' flag has no meaning in Google Cloud", MU::WARN
@@ -236,7 +241,6 @@ module MU
           end
 
           lb["listeners"].each { |l|
-            ruleobj = nil
             if lb["private"] and !["TCP", "UDP"].include?(l['lb_protocol'])
               MU.log "Only TCP and UDP listeners are valid for private LoadBalancers in Google Cloud", MU::ERR
               ok = false
@@ -255,7 +259,6 @@ module MU
           lb["targetgroups"].each { |tg|
             if tg["healthcheck"]
               target = tg["healthcheck"]['target'].match(/^([^:]+):(\d+)(.*)/)
-              proto = target[1]
               if tg["proto"] != target[1]
                 MU.log "LoadBalancer #{lb['name']} can't mix and match target group and health check protocols in Google Cloud", MU::ERR, details: tg
                 ok = false
@@ -286,14 +289,9 @@ module MU
         end
 
         # Locate an existing LoadBalancer or LoadBalancers and return an array containing matching Google resource descriptors for those that match.
-        # @param cloud_id [String]: The cloud provider's identifier for this resource.
-        # @param region [String]: The cloud provider region
-        # @param tag_key [String]: A tag key to search.
-        # @param tag_value [String]: The value of the tag specified by tag_key to match when searching by tag.
-        # @param flags [Hash]: Optional flags
-        # @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching LoadBalancers
-        def self.find(cloud_id: nil, region: MU.curRegion, tag_key: "Name", tag_value: nil, flags: {}, credentials: nil)
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching LoadBalancers
+        def self.find(**args)
+          args = MU::Cloud::Google.findLocationArgs(args)
         end
 
         private

data/modules/mu/{clouds → providers}/google/role.rb

@@ -32,6 +32,7 @@ module MU
           # If we're being reverse-engineered from a cloud descriptor, use that
           # to determine what sort of account we are.
           if args[:from_cloud_desc]
+            require 'google/apis/admin_directory_v1'
             @cloud_desc_cache = args[:from_cloud_desc]
             if args[:from_cloud_desc].class == ::Google::Apis::AdminDirectoryV1::Role
               @config['role_source'] = "directory"
@@ -87,7 +88,7 @@ module MU
             resp = if @config['role_source'] == "org"
               my_org = MU::Cloud::Google.getOrg(@config['credentials'])
               MU.log "Creating IAM organization role #{@mu_name} in #{my_org.display_name}", details: create_role_obj
-              resp = MU::Cloud::Google.iam(credentials: @credentials).create_organization_role(my_org.name, create_role_obj)
+              MU::Cloud::Google.iam(credentials: @credentials).create_organization_role(my_org.name, create_role_obj)
             elsif @config['role_source'] == "project"
               if !@project_id
                 raise MuError, "Role #{@mu_name} is supposed to be in project #{@config['project']}, but no such project was found"
@@ -133,12 +134,13 @@ module MU
           }
         end
 
+        @cloud_desc_cache = nil
         # Return the cloud descriptor for the Role
         # @return [Google::Apis::Core::Hashable]
-        def cloud_desc
-          return @cloud_desc_cache if @cloud_desc_cache
+        def cloud_desc(use_cache: true)
+          return @cloud_desc_cache if @cloud_desc_cache and use_cache
 
-          my_org = MU::Cloud::Google.getOrg(@config['credentials'])
+          MU::Cloud::Google.getOrg(@config['credentials'])
 
           @cloud_desc_cache = if @config['role_source'] == "directory"
             MU::Cloud::Google.admin_directory(credentials: @config['credentials']).get_role(@customer, @cloud_id)
@@ -238,7 +240,7 @@ module MU
             req_obj = MU::Cloud::Google.resource_manager(:SetIamPolicyRequest).new(
               policy: policy
             )
-            policy = if scope_type == "organizations"
+            if scope_type == "organizations"
               MU::Cloud::Google.resource_manager(credentials: credentials).set_organization_iam_policy(
                 scope_id,
                 req_obj
@@ -269,13 +271,13 @@ module MU
           my_org = MU::Cloud::Google.getOrg(credentials)
           if my_org
             scopes["organizations"] = [my_org.name]
-            folders = MU::Cloud::Google::Folder.find(credentials: credentials)
+            folders = MU::Cloud.resourceClass("Google", "Folder").find(credentials: credentials)
             if folders and folders.size > 0
               scopes["folders"] = folders.keys
             end
           end
 
-          projects = MU::Cloud::Google::Habitat.find(credentials: credentials)
+          projects = MU::Cloud.resourceClass("Google", "Habitat").find(credentials: credentials)
           if projects and projects.size > 0
             scopes["projects"] = projects.keys
           end
@@ -310,7 +312,7 @@ module MU
                   policy: policy
                 )
 
-                policy = if scope_type == "organizations"
+                if scope_type == "organizations"
                   MU::Cloud::Google.resource_manager(credentials: credentials).set_organization_iam_policy(
                     scope_id,
                     req_obj
@@ -340,8 +342,6 @@ module MU
         def self.bindFromConfig(entity_type, entity_id, cfg, credentials: nil, deploy: nil, debug: false)
           loglevel = debug ? MU::NOTICE : MU::DEBUG
 
-          bindings = []
-
           return if !cfg
           MU.log "Google::Role::bindFromConfig binding called for #{entity_type} #{entity_id}", loglevel, details: cfg
 
@@ -407,12 +407,12 @@ module MU
                 # email field (which is the "real" id most of the time)
                 real_id = nil
                 if entity_type == "group"
-                  found = MU::Cloud::Google::Group.find(cloud_id: entity_id, credentials: credentials)
+                  found = MU::Cloud.resourceClass("Google", "Group").find(cloud_id: entity_id, credentials: credentials)
                   if found[entity_id]
                     real_id = found[entity_id].id
                   end
                 elsif entity_type == "user"
-                  found = MU::Cloud::Google::User.find(cloud_id: entity_id, credentials: credentials)
+                  found = MU::Cloud.resourceClass("Google", "User").find(cloud_id: entity_id, credentials: credentials)
                   if found[entity_id]
                     real_id = found[entity_id].id
                   end
@@ -464,12 +464,17 @@ module MU
         # Remove all roles associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           customer = MU::Cloud::Google.customerID(credentials)
           my_org = MU::Cloud::Google.getOrg(credentials)
 
+          filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
+          if !ignoremaster and MU.mu_public_ip
+            filter += %Q{ AND (labels.mu-master-ip = "#{MU.mu_public_ip.gsub(/\./, "_")}")}
+          end
+          MU.log "Placeholder: Google Role artifacts do not support labels, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: filter
+
           if flags['known']
             flags['known'].each { |id|
               next if id.nil?
@@ -558,7 +563,7 @@ module MU
           if args[:project]
             canned = Hash[MU::Cloud::Google.iam(credentials: args[:credentials]).list_roles.roles.map { |r| [r.name, r] }]
             begin
-              MU::Cloud::Google::Habitat.bindings(args[:project], credentials: args[:credentials]).each { |binding|
+              MU::Cloud.resourceClass("Google", "Habitat").bindings(args[:project], credentials: args[:credentials]).each { |binding|
                 found[binding.role] = canned[binding.role]
               }
             rescue ::Google::Apis::ClientError => e
@@ -576,7 +581,7 @@ module MU
               }
             end
             if args[:cloud_id]
-              found.reject! { |k, v| k != role.name }
+              found.reject! { |k, _v| k != role.name }
             end
 
             # Now go get everything that's bound here
@@ -586,10 +591,15 @@ module MU
                bindings['by_scope']['projects'][args[:project]]
               bindings['by_scope']['projects'][args[:project]].keys.each { |r|
                 if r.match(/^roles\//)
-                  role = MU::Cloud::Google.iam(credentials: args[:credentials]).get_role(r)
-                  found[role.name] = role
+                  begin
+                    role = MU::Cloud::Google.iam(credentials: args[:credentials]).get_role(r)
+                    found[role.name] = role
+                  rescue ::Google::Apis::ClientError => e
+                    raise e if !e.message.match(/(?:forbidden|notFound): /)
+                    MU.log "Failed  MU::Cloud::Google.iam(credentials: #{args[:credentials]}).get_role(#{r})", MU::WARN, details: e.message
+                  end
                 elsif !found[r]
-                  MU.log "NEED TO GET #{r}", MU::WARN
+#                  MU.log "NEED TO GET #{r}", MU::WARN
                 end
               }
             end
@@ -626,15 +636,17 @@ module MU
               }
             end
 
-            resp = begin
-              MU::Cloud::Google.iam(credentials: args[:credentials]).list_organization_roles(my_org.name)
-            rescue ::Google::Apis::ClientError => e
-              raise e if !e.message.match(/forbidden: /)
-            end
-            if resp and resp.roles
-              resp.roles.each { |role|
-                found[role.name] = role
-              }
+            if my_org
+              resp = begin
+                MU::Cloud::Google.iam(credentials: args[:credentials]).list_organization_roles(my_org.name)
+              rescue ::Google::Apis::ClientError => e
+                raise e if !e.message.match(/forbidden: /)
+              end
+              if resp and resp.roles
+                resp.roles.each { |role|
+                  found[role.name] = role
+                }
+              end
             end
           end
 
@@ -644,7 +656,8 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**args)
+
           bok = {
             "cloud" => "Google",
             "credentials" => @config['credentials'],
@@ -677,10 +690,10 @@ module MU
             end
             if !cloud_desc.role_privileges.nil? and !cloud_desc.role_privileges.empty?
               bok['import'] = []
-              ids, names, privs = MU::Cloud::Google::Role.privilege_service_to_name(@config['credentials'])
+              ids, _names, _privs = MU::Cloud::Google::Role.privilege_service_to_name(@config['credentials'])
               cloud_desc.role_privileges.each { |priv|
                 if !ids[priv.service_id]
-                  MU.log "Role privilege defined for a service id with no name I can find, writing with raw id", MU::WARN, details: priv
+                  MU.log "Role privilege defined for a service id with no name I can find, writing with raw id", MU::DEBUG, details: priv
                   bok["import"] << priv.service_id+"/"+priv.privilege_name
                 else
                   bok["import"] << ids[priv.service_id]+"/"+priv.privilege_name
@@ -696,7 +709,7 @@ module MU
               bok['name'] = name.gsub(/[^a-z0-9]/i, '-')
               bok['role_source'] = "canned"
             elsif cloud_desc.name.match(/^([^\/]+?)\/([^\/]+?)\/roles\/(.*)/)
-              junk, type, parent, name = Regexp.last_match.to_a
+              _junk, type, parent, name = Regexp.last_match.to_a
               bok['name'] = name.gsub(/[^a-z0-9]/i, '-')
               bok['role_source'] = type == "organizations" ? "org" : "project"
               if bok['role_source'] == "project"
@@ -723,25 +736,45 @@ module MU
                 bindings[scopetype].each_pair { |scope_id, entity_types|
                   # If we've been given a habitat filter, skip over bindings
                   # that don't match it.
-                  if scopetype == "projects" and habitats and
-                     !habitats.empty? and !habitats.include?(scope_id)
-                    next
+                  if scopetype == "projects"
+                    if (args[:habitats] and !args[:habitats].empty? and
+                       !args[:habitats].include?(scope_id)) or
+                       !MU::Cloud::Google.listHabitats(@credentials).include?(scope_id)
+                      next
+                    end
                   end
 
                   entity_types.each_pair { |entity_type, entities|
                     mu_entitytype = (entity_type == "serviceAccount" ? "user" : entity_type)+"s"
                     entities.each { |entity|
+                      next if entity.nil?
+                      foreign = if entity_type == "serviceAccount" and entity.match(/@(.*?)\.iam\.gserviceaccount\.com/)
+                        !MU::Cloud::Google.listHabitats(@credentials).include?(Regexp.last_match[1])
+                      end
+
                       entity_ref = if entity_type == "organizations"
                         { "id" => ((org == my_org.name and @config['credentials']) ? @config['credentials'] : org) }
                       elsif entity_type == "domain"
                         { "id" => entity }
                       else
+                        shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(mu_entitytype)
+                        if args[:types].include?(shortclass) and
+                           !(entity_type == "serviceAccount" and
+                             MU::Cloud::Google::User.cannedServiceAcctName?(entity))
+                          MU.log "Role #{@cloud_id}: Skipping #{shortclass} binding for #{entity}; we are adopting that type and will set bindings from that resource", MU::DEBUG
+                          next
+                        end
+
                         MU::Config::Ref.get(
                           id: entity,
                           cloud: "Google",
                           type: mu_entitytype
                         )
                       end
+                      if entity_ref.nil?
+                        MU.log "I somehow ended up with a nil entity reference for #{entity_type} #{entity}", MU::ERR, details: [ bok, bindings ]
+                        next
+                      end
                       refmap ||= {}
                       refmap[entity_ref] ||= {}
                       refmap[entity_ref][scopetype] ||= []
@@ -760,6 +793,7 @@ module MU
                   }
                 }
               }
+
               bok["bindings"] ||= []
               refmap.each_pair { |entity, scopes|
                 newbinding = { "entity" => entity }
@@ -882,7 +916,7 @@ module MU
                 end
 
                 role = MU::Cloud::Google.admin_directory(credentials: credentials).get_role(MU::Cloud::Google.customerID(credentials), binding.role_id)
-                MU.log "Failed to find entity #{binding.assigned_to} referenced in GSuite/Cloud Identity binding to role #{role.role_name}", MU::WARN, details: role
+                MU.log "Failed to find entity #{binding.assigned_to} referenced in GSuite/Cloud Identity binding to role #{role.role_name}", MU::DEBUG, details: role
               }
 
               resp = MU::Cloud::Google.resource_manager(credentials: credentials).get_organization_iam_policy(my_org.name)
@@ -890,15 +924,17 @@ module MU
                 insertBinding("organizations", my_org.name, binding)
               }
 
-              MU::Cloud::Google::Folder.find(credentials: credentials).keys.each { |folder|
-                MU::Cloud::Google::Folder.bindings(folder, credentials: credentials).each { |binding|
+              MU::Cloud.resourceClass("Google", "Folder").find(credentials: credentials).keys.each { |folder|
+                folder_bindings = MU::Cloud.resourceClass("Google", "Folder").bindings(folder, credentials: credentials)
+                next if !folder_bindings
+                folder_bindings.each { |binding|
                   insertBinding("folders", folder, binding)
                 }
               }
             end
-            MU::Cloud::Google::Habitat.find(credentials: credentials).keys.each { |project|
+            MU::Cloud::Google.listHabitats(credentials).each { |project|
               begin
-                MU::Cloud::Google::Habitat.bindings(project, credentials: credentials).each { |binding|
+                MU::Cloud.resourceClass("Google", "Habitat").bindings(project, credentials: credentials).each { |binding|
                   insertBinding("projects", project, binding)
                 }
               rescue ::Google::Apis::ClientError => e
@@ -983,9 +1019,9 @@ module MU
         end
 
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "name" => {
@@ -1050,7 +1086,7 @@ If this value is not specified, and the role name matches the name of an existin
         def self.validateConfig(role, configurator)
           ok = true
 
-          credcfg = MU::Cloud::Google.credConfig(role['credentials'])
+          MU::Cloud::Google.credConfig(role['credentials'])
 
           my_org = MU::Cloud::Google.getOrg(role['credentials'])
           if !role['role_source']
@@ -1059,7 +1095,7 @@ If this value is not specified, and the role name matches the name of an existin
               if !lookup_name.match(/^roles\//)
                 lookup_name = "roles/"+lookup_name
               end
-              canned = MU::Cloud::Google.iam(credentials: role['credentials']).get_role(lookup_name)
+              MU::Cloud::Google.iam(credentials: role['credentials']).get_role(lookup_name)
               MU.log "Role #{role['name']} appears to be a referenced to canned role #{role.name} (#{role.title})", MU::NOTICE
               role['role_source'] = "canned"
             rescue ::Google::Apis::ClientError
@@ -1081,7 +1117,7 @@ If this value is not specified, and the role name matches the name of an existin
                 MU.log "None of the directory service privileges available to credentials #{role['credentials']} map to the ones declared for role #{role['name']}", MU::ERR, details: role['import'].sort
                 ok = false
               elsif missing.size > 0
-                MU.log "Some directory service privileges declared for role #{role['name']} aren't available to credentials #{role['credentials']}, will skip", MU::WARN, details: missing
+                MU.log "Some directory service privileges declared for role #{role['name']} aren't available to credentials #{role['credentials']}, will skip", MU::DEBUG, details: missing
               end
             end
           end
@@ -1096,11 +1132,7 @@ If this value is not specified, and the role name matches the name of an existin
           if role['role_source'] == "project"
             role['project'] ||= MU::Cloud::Google.defaultProject(role['credentials'])
             if configurator.haveLitterMate?(role['project'], "habitats")
-              role['dependencies'] ||= []
-              role['dependencies'] << {
-                "type" => "habitat",
-                "name" => role['project']
-              }
+              MU::Config.addDependency(role, role['project'], "habitat")
             end
           end
 
@@ -1108,26 +1140,25 @@ If this value is not specified, and the role name matches the name of an existin
             role['bindings'].each { |binding|
               if binding['entity'] and binding['entity']['name'] and 
                  configurator.haveLitterMate?(binding['entity']['name'], binding['entity']['type'])
-                role['dependencies'] ||= []
-                role['dependencies'] << {
-                  "type" => binding['entity']['type'].sub(/s$/, ''),
-                  "name" => binding['entity']['name']
-                }
-
+                MU::Config.addDependency(role, binding['entity']['name'], binding['entity']['type'])
               end
             }
+            role['bindings'].uniq!
           end
 
           ok
         end
 
-        private
-
         @@service_id_to_name = {}
         @@service_id_to_privs = {}
         @@service_name_to_id = {}
         @@service_name_map_semaphore = Mutex.new
 
+        # Generate lookup tables mapping between hex service role identifiers,
+        # human-readable names of services, and the privileges associated with
+        # those roles.
+        # @param credentials [String]
+        # @return [Array<Hash,Hash,Hash>]
         def self.privilege_service_to_name(credentials = nil)
 
           customer = MU::Cloud::Google.customerID(credentials)
@@ -1176,6 +1207,11 @@ If this value is not specified, and the role name matches the name of an existin
           }
         end
 
+        # Convert a list of shorthand GSuite/Cloud Identity privileges into
+        # +RolePrivilege+ objects for consumption by other API calls
+        # @param roles [Array<String>]:
+        # @param credentials [String]:
+        # @return [Array<Google::Apis::AdminDirectoryV1::DirectoryService::Role::RolePrivilege>]
         def self.map_directory_privileges(roles, credentials: nil)
           rolepriv_objs = []
           notfound = []