RubyGems - cloud-mu - Versions diffs - 3.1.3 → 3.3.0 - Mend

cloud-mu 3.1.3 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

checksums.yaml +4 -4
data/Dockerfile +15 -3
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +21 -13
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +4 -4
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +147 -37
data/cloud-mu.gemspec +22 -20
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +3 -2
data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/disk.rb +1 -1
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/extras/image-generators/Google/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +1 -1
data/modules/mommacat.ru +6 -16
data/modules/mu.rb +158 -111
data/modules/mu/adoption.rb +404 -71
data/modules/mu/cleanup.rb +221 -306
data/modules/mu/cloud.rb +129 -1633
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +44 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +926 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +169 -0
data/modules/mu/config.rb +171 -1767
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +32 -3
data/modules/mu/config/cache_cluster.rb +2 -2
data/modules/mu/config/cdn.rb +100 -0
data/modules/mu/config/collection.rb +4 -4
data/modules/mu/config/container_cluster.rb +9 -4
data/modules/mu/config/database.rb +84 -105
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +10 -9
data/modules/mu/config/doc_helpers.rb +516 -0
data/modules/mu/config/endpoint.rb +5 -4
data/modules/mu/config/firewall_rule.rb +103 -4
data/modules/mu/config/folder.rb +4 -4
data/modules/mu/config/function.rb +19 -10
data/modules/mu/config/group.rb +4 -4
data/modules/mu/config/habitat.rb +4 -4
data/modules/mu/config/job.rb +89 -0
data/modules/mu/config/loadbalancer.rb +60 -14
data/modules/mu/config/log.rb +4 -4
data/modules/mu/config/msg_queue.rb +4 -4
data/modules/mu/config/nosqldb.rb +4 -4
data/modules/mu/config/notifier.rb +10 -21
data/modules/mu/config/ref.rb +411 -0
data/modules/mu/config/role.rb +4 -4
data/modules/mu/config/schema_helpers.rb +509 -0
data/modules/mu/config/search_domain.rb +4 -4
data/modules/mu/config/server.rb +98 -71
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +5 -9
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +200 -0
data/modules/mu/config/user.rb +4 -4
data/modules/mu/config/vpc.rb +71 -27
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +91 -68
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +3 -2
data/modules/mu/deploy.rb +43 -26
data/modules/mu/groomer.rb +17 -2
data/modules/mu/groomers/ansible.rb +188 -41
data/modules/mu/groomers/chef.rb +116 -55
data/modules/mu/logger.rb +127 -148
data/modules/mu/master.rb +410 -2
data/modules/mu/master/chef.rb +3 -4
data/modules/mu/master/ldap.rb +3 -3
data/modules/mu/master/ssl.rb +12 -3
data/modules/mu/mommacat.rb +218 -2612
data/modules/mu/mommacat/daemon.rb +403 -0
data/modules/mu/mommacat/naming.rb +473 -0
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +722 -0
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +380 -122
data/modules/mu/{clouds → providers}/aws/alarm.rb +7 -5
data/modules/mu/{clouds → providers}/aws/bucket.rb +297 -59
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +37 -71
data/modules/mu/providers/aws/cdn.rb +782 -0
data/modules/mu/{clouds → providers}/aws/collection.rb +26 -25
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +724 -744
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +88 -70
data/modules/mu/providers/aws/endpoint.rb +1072 -0
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +220 -247
data/modules/mu/{clouds → providers}/aws/folder.rb +8 -8
data/modules/mu/{clouds → providers}/aws/function.rb +300 -142
data/modules/mu/{clouds → providers}/aws/group.rb +31 -29
data/modules/mu/{clouds → providers}/aws/habitat.rb +18 -15
data/modules/mu/providers/aws/job.rb +466 -0
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +66 -56
data/modules/mu/{clouds → providers}/aws/log.rb +17 -14
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +29 -19
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +114 -16
data/modules/mu/{clouds → providers}/aws/notifier.rb +142 -65
data/modules/mu/{clouds → providers}/aws/role.rb +158 -118
data/modules/mu/{clouds → providers}/aws/search_domain.rb +201 -59
data/modules/mu/{clouds → providers}/aws/server.rb +844 -1139
data/modules/mu/{clouds → providers}/aws/server_pool.rb +74 -65
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +26 -44
data/modules/mu/{clouds → providers}/aws/user.rb +24 -25
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +525 -931
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +29 -9
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
data/modules/mu/{clouds → providers}/azure/server.rb +97 -49
data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +68 -30
data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
data/modules/mu/{clouds → providers}/google/container_cluster.rb +85 -78
data/modules/mu/{clouds → providers}/google/database.rb +11 -21
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
data/modules/mu/{clouds → providers}/google/function.rb +140 -168
data/modules/mu/{clouds → providers}/google/group.rb +29 -34
data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +19 -21
data/modules/mu/{clouds → providers}/google/role.rb +94 -58
data/modules/mu/{clouds → providers}/google/server.rb +243 -156
data/modules/mu/{clouds → providers}/google/server_pool.rb +26 -45
data/modules/mu/{clouds → providers}/google/user.rb +95 -31
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
data/modules/tests/aws-jobs-functions.yaml +46 -0
data/modules/tests/bucket.yml +4 -0
data/modules/tests/centos6.yaml +15 -0
data/modules/tests/centos7.yaml +15 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/eks.yaml +1 -1
data/modules/tests/functions/node-function/lambda_function.js +10 -0
data/modules/tests/functions/python-function/lambda_function.py +12 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/microservice_app.yaml +288 -0
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/aws-iam.yaml +201 -0
data/modules/tests/regrooms/bucket.yml +19 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +2 -1
data/modules/tests/super_complex_bok.yml +2 -2
data/modules/tests/super_simple_bok.yml +3 -5
data/modules/tests/win2k12.yaml +17 -5
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +240 -154
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1985
data/modules/mu/clouds/aws/endpoint.rb +0 -592

data/modules/mu/cleanup.rb CHANGED

@@ -25,13 +25,15 @@ module MU
   # Routines for removing cloud resources.
   class Cleanup
-    home = Etc.getpwuid(Process.uid).dir
     @deploy_id = nil
     @noop = false
     @onlycloud = false
     @skipcloud = false
+    # Resource types, in the order in which we generally have to clean them up
+    # to disentangle them from one another.
+    TYPES_IN_ORDER = ["Collection", "CDN", "Endpoint", "Function", "ServerPool", "ContainerCluster", "SearchDomain", "Server", "MsgQueue", "Database", "CacheCluster", "StoragePool", "LoadBalancer", "NoSQLDB", "FirewallRule", "Alarm", "Notifier", "Log", "Job", "VPC", "Role", "Group", "User", "Bucket", "DNSZone", "Collection"]
     # Purge all resources associated with a deployment.
     # @param deploy_id [String]: The identifier of the deployment to remove (typically seen in the MU-ID tag on a resource).
     # @param noop [Boolean]: Do not delete resources, merely list what would be deleted.
@@ -50,20 +52,14 @@ module MU
       @onlycloud = onlycloud
       @skipcloud = skipcloud
       @ignoremaster = ignoremaster
+      @deploy_id = deploy_id
       if @skipcloud and @onlycloud # you actually mean noop
         @onlycloud = @skipcloud = false
         @noop = true
       end
-      if MU.mu_user != "mu"
-        MU.setVar("dataDir", Etc.getpwnam(MU.mu_user).dir+"/.mu/var")
-      else
-        MU.setVar("dataDir", MU.mainDataDir)
-      end
-      types_in_order = ["Collection", "Endpoint", "Function", "ServerPool", "ContainerCluster", "SearchDomain", "Server", "MsgQueue", "Database", "CacheCluster", "StoragePool", "LoadBalancer", "NoSQLDB", "FirewallRule", "Alarm", "Notifier", "Log", "VPC", "Role", "Group", "User", "Bucket", "DNSZone", "Collection"]
+      MU.setVar("dataDir", (MU.mu_user == "mu" ? MU.mainDataDir : Etc.getpwnam(MU.mu_user).dir+"/.mu/var"))
       # Load up our deployment metadata
       if !mommacat.nil?
@@ -81,174 +77,27 @@ module MU
             MU.log "Searching for remnants of #{deploy_id}, though this may be an invalid MU-ID.", MU::WARN
           end
           @mommacat = MU::MommaCat.new(deploy_id, mu_user: MU.mu_user, delay_descriptor_load: true)
-        rescue Exception => e
+        rescue StandardError => e
           MU.log "Can't load a deploy record for #{deploy_id} (#{e.inspect}), cleaning up resources by guesswork", MU::WARN, details: e.backtrace
           MU.setVar("deploy_id", deploy_id)
         end
       end
-      regionsused = @mommacat.regionsUsed if @mommacat
-      credsused = @mommacat.credsUsed if @mommacat
+      @regionsused = @mommacat.regionsUsed if @mommacat
+      @credsused = @mommacat.credsUsed if @mommacat
+      @habitatsused = @mommacat.habitatsUsed if @mommacat
       if !@skipcloud
-        creds = {}
-        MU::Cloud.availableClouds.each { |cloud|
-          cloudclass = Object.const_get("MU").const_get("Cloud").const_get(cloud)
-          if $MU_CFG[cloud.downcase] and $MU_CFG[cloud.downcase].size > 0
-            creds[cloud] ||= {}
-            cloudclass.listCredentials.each { |credset|
-              next if credsets and credsets.size > 0 and !credsets.include?(credset)
-              next if credsused and credsused.size > 0 and !credsused.include?(credset)
-              MU.log "Will scan #{cloud} with credentials #{credset}"
-              creds[cloud][credset] = cloudclass.listRegions(credentials: credset)
-            }
-          else
-            if cloudclass.hosted?
-              creds[cloud] ||= {}
-              creds[cloud]["#default"] = cloudclass.listRegions
-            end
-          end
-        }
+        creds = listUsedCredentials(credsets)
-        parent_thread_id = Thread.current.object_id
-        deleted_nodes = 0
         cloudthreads = []
-        keyname = "deploy-#{MU.deploy_id}"
         had_failures = false
         creds.each_pair { |provider, credsets_outer|
           cloudthreads << Thread.new(provider, credsets_outer) { |cloud, credsets_inner|
-            MU.dupGlobals(parent_thread_id)
             Thread.abort_on_exception = false
-            cloudclass = Object.const_get("MU").const_get("Cloud").const_get(cloud)
-            habitatclass = Object.const_get("MU").const_get("Cloud").const_get(cloud).const_get("Habitat")
-            credsets_inner.each_pair { |credset, acct_regions|
-              next if credsused and !credsused.include?(credset)
-              global_vs_region_semaphore = Mutex.new
-              global_done = {}
-              habitats_done = {}
-              regionthreads = []
-              acct_regions.each { |r|
-                if regionsused
-                  if regionsused.size > 0
-                    next if !regionsused.include?(r)
-                  else
-                    next if r != cloudclass.myRegion(credset)
-                  end
-                end
-                if regions and !regions.empty?
-                  next if !regions.include?(r)
-                  MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}...", MU::NOTICE
-                end
-                regionthreads << Thread.new {
-                  MU.dupGlobals(parent_thread_id)
-                  Thread.abort_on_exception = false
-                  MU.setVar("curRegion", r)
-                  projects = []
-                  if habitats
-                    projects = habitats
-                  else
-                    if $MU_CFG and $MU_CFG[cloud.downcase] and
-                       $MU_CFG[cloud.downcase][credset] and
-                       $MU_CFG[cloud.downcase][credset]["project"]
-# XXX GCP credential schema needs an array for projects
-                      projects << $MU_CFG[cloud.downcase][credset]["project"]
-                    end
-                    begin
-                      projects.concat(cloudclass.listProjects(credset))
-                    rescue NoMethodError
-                    end
-                  end
-                  if projects == []
-                    projects << "" # dummy
-                    MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}", MU::NOTICE
-                  end
-                  projects.uniq!
-                  # We do these in an order that unrolls dependent resources
-                  # sensibly, and we hit :Collection twice because AWS
-                  # CloudFormation sometimes fails internally.
-                  projectthreads = []
-                  projects.each { |project|
-                    next if !habitatclass.isLive?(project, credset)
-                    if habitats and !habitats.empty? and project != ""
-                      next if !habitats.include?(project)
-                    end
-                    projectthreads << Thread.new {
-                      MU.dupGlobals(parent_thread_id)
-                      MU.setVar("curRegion", r)
-                      Thread.abort_on_exception = false
-                      if project != ""
-                        MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}, project #{project}", MU::NOTICE
-                      end
-                      MU.dupGlobals(parent_thread_id)
-                      flags = {
-                        "project" => project,
-                        "onlycloud" => @onlycloud,
-                        "skipsnapshots" => @skipsnapshots,
-                      }
-                      types_in_order.each { |t|
-                        shortclass, cfg_name, cfg_plural, classname = MU::Cloud.getResourceNames(t)
-                        begin
-                          skipme = false
-                          global_vs_region_semaphore.synchronize {
-                            MU::Cloud.loadCloudType(cloud, t)
-                            if Object.const_get("MU").const_get("Cloud").const_get(cloud).const_get(t).isGlobal?
-                              global_done[project] ||= []
-                              if !global_done[project].include?(t)
-                                global_done[project] << t
-                                flags['global'] = true
-                              else
-                                skipme = true
-                              end
-                            end
-                          }
-                          next if skipme
-                        rescue MU::Cloud::MuDefunctHabitat, MU::Cloud::MuCloudResourceNotImplemented => e
-                          next
-                        rescue MU::MuError, NoMethodError => e
-                          MU.log "While checking mu/clouds/#{cloud.downcase}/#{cloudclass.cfg_name} for global-ness in cleanup: "+e.message, MU::WARN
-                          next
-                        rescue ::Aws::EC2::Errors::AuthFailure, ::Google::Apis::ClientError => e
-                          MU.log e.message+" in "+r, MU::ERR
-                          next
-                        end
-                        begin
-                          if !self.call_cleanup(t, credset, cloud, flags, r)
-                            had_failures = true
-                          end
-                        rescue MU::Cloud::MuDefunctHabitat, MU::Cloud::MuCloudResourceNotImplemented => e
-                          next
-                        end
-                      }
-                    } # types_in_order.each { |t|
-                  } # projects.each { |project|
-                  projectthreads.each do |t|
-                    t.join
-                  end
-                  # XXX move to MU::AWS
-                  if cloud == "AWS"
-                    resp = MU::Cloud::AWS.ec2(region: r, credentials: credset).describe_key_pairs(
-                      filters: [{name: "key-name", values: [keyname]}]
-                    )
-                    resp.data.key_pairs.each { |keypair|
-                      MU.log "Deleting key pair #{keypair.key_name} from #{r}"
-                      MU::Cloud::AWS.ec2(region: r, credentials: credset).delete_key_pair(key_name: keypair.key_name) if !@noop
-                    }
-                  end
-                } # regionthreads << Thread.new {
-              } # acct_regions.each { |r|
-              regionthreads.each do |t|
-                t.join
-              end
-            } # credsets.each_pair { |credset, acct_regions|
+            cleanCloud(cloud, habitats, regions, credsets_inner)
           } # cloudthreads << Thread.new(provider, credsets) { |cloud, credsets_outer|
           cloudthreads.each do |t|
             t.join
@@ -260,24 +109,21 @@ module MU
         # once they're all done.
         creds.each_pair { |provider, credsets_inner|
           credsets_inner.keys.each { |credset|
-            next if credsused and !credsused.include?(credset)
+            next if @credsused and !@credsused.include?(credset)
             ["Habitat", "Folder"].each { |t|
               flags = {
                 "onlycloud" => @onlycloud,
                 "skipsnapshots" => @skipsnapshots
               }
-              if !self.call_cleanup(t, credset, provider, flags, nil)
+              if !call_cleanup(t, credset, provider, flags, nil)
                 had_failures = true
               end
             }
           }
         }
-        MU::Cloud::Google.removeDeploySecretsAndRoles(MU.deploy_id)
-# XXX port AWS equivalent behavior and add a MU::Cloud wrapper
         creds.each_pair { |provider, credsets_inner|
-          cloudclass = Object.const_get("MU").const_get("Cloud").const_get(provider)
+          cloudclass = MU::Cloud.cloudClass(provider)
           credsets_inner.keys.each { |c|
             cloudclass.cleanDeploy(MU.deploy_id, credentials: c, noop: @noop)
           }
@@ -285,44 +131,16 @@ module MU
       end
       # Scrub any residual Chef records with matching tags
-      if !@onlycloud and (@mommacat.nil? or @mommacat.numKittens(types: ["Server", "ServerPool"]) > 0) and !(Gem.paths and Gem.paths.home and !Dir.exist?("/opt/mu/lib"))
-        begin
-          MU::Groomer::Chef.loadChefLib
-          if File.exist?(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
-            Chef::Config.from_file(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
-          end
-          deadnodes = []
-          Chef::Config[:environment] = MU.environment
-          q = Chef::Search::Query.new
-          begin
-            q.search("node", "tags_MU-ID:#{MU.deploy_id}").each { |item|
-              next if item.is_a?(Integer)
-              item.each { |node|
-                deadnodes << node.name
-              }
-            }
-          rescue Net::HTTPServerException
-          end
-          begin
-            q.search("node", "name:#{MU.deploy_id}-*").each { |item|
-              next if item.is_a?(Integer)
-              item.each { |node|
-                deadnodes << node.name
-              }
-            }
-          rescue Net::HTTPServerException
-          end
-          MU.log "Missed some Chef resources in node cleanup, purging now", MU::NOTICE if deadnodes.size > 0
-          deadnodes.uniq.each { |node|
-            MU::Groomer::Chef.cleanup(node, [], noop)
-          }
-        rescue LoadError
-        end
+      if !@onlycloud and (@mommacat.nil? or @mommacat.numKittens(types: ["Server", "ServerPool"]) > 0) and !@noop
+        MU.supportedGroomers.each { |g|
+          groomer = MU::Groomer.loadGroomer(g)
+          groomer.cleanup(MU.deploy_id, @noop)
+        }
       end
       if had_failures
         MU.log "Had cleanup failures, exiting", MU::ERR
+        File.unlink("#{deploy_dir}/.cleanup") if !@noop
         exit 1
       end
@@ -330,134 +148,231 @@ module MU
         @mommacat.purge!
       end
-      myhome = Etc.getpwuid(Process.uid).dir
-      sshdir = "#{myhome}/.ssh"
-      sshconf = "#{sshdir}/config"
-      ssharchive = "#{sshdir}/archive"
-      Dir.mkdir(sshdir, 0700) if !Dir.exist?(sshdir) and !@noop
-      Dir.mkdir(ssharchive, 0700) if !Dir.exist?(ssharchive) and !@noop
+      if !@onlycloud
+        MU::Master.purgeDeployFromSSH(MU.deploy_id, noop: @noop)
+      end
-      keyname = "deploy-#{MU.deploy_id}"
-      if File.exist?("#{sshdir}/#{keyname}")
-        MU.log "Moving #{sshdir}/#{keyname} to #{ssharchive}/#{keyname}"
-        if !@noop
-          File.rename("#{sshdir}/#{keyname}", "#{ssharchive}/#{keyname}")
-        end
+      if !@noop and !@skipcloud and (@mommacat.nil? or @mommacat.numKittens(types: ["Server", "ServerPool"]) > 0)
+#        MU::Master.syncMonitoringConfig
       end
-      if File.exist?(sshconf) and File.open(sshconf).read.match(/\/deploy\-#{MU.deploy_id}$/)
-        MU.log "Expunging #{MU.deploy_id} from #{sshconf}"
-        if !@noop
-          FileUtils.copy(sshconf, "#{ssharchive}/config-#{MU.deploy_id}")
-          File.open(sshconf, File::CREAT|File::RDWR, 0600) { |f|
-            f.flock(File::LOCK_EX)
-            newlines = Array.new
-            delete_block = false
-            f.readlines.each { |line|
-              if line.match(/^Host #{MU.deploy_id}\-/)
-                delete_block = true
-              elsif line.match(/^Host /)
-                delete_block = false
-              end
-              newlines << line if !delete_block
-            }
-            f.rewind
-            f.truncate(0)
-            f.puts(newlines)
-            f.flush
-            f.flock(File::LOCK_UN)
+    end
+    def self.listUsedCredentials(credsets)
+      creds = {}
+      MU::Cloud.availableClouds.each { |cloud|
+        cloudclass = MU::Cloud.cloudClass(cloud)
+        if $MU_CFG[cloud.downcase] and $MU_CFG[cloud.downcase].size > 0
+          creds[cloud] ||= {}
+          cloudclass.listCredentials.each { |credset|
+            next if credsets and credsets.size > 0 and !credsets.include?(credset)
+            next if @credsused and @credsused.size > 0 and !@credsused.include?(credset)
+            MU.log "Will scan #{cloud} with credentials #{credset}"
+            creds[cloud][credset] = cloudclass.listRegions(credentials: credset)
           }
+        else
+          if cloudclass.hosted?
+            creds[cloud] ||= {}
+            creds[cloud]["#default"] = cloudclass.listRegions
+          end
         end
-      end
-      # XXX refactor with above? They're similar, ish.
-      hostsfile = "/etc/hosts"
-      if File.open(hostsfile).read.match(/ #{MU.deploy_id}\-/)
-        if Process.uid == 0
-          MU.log "Expunging traces of #{MU.deploy_id} from #{hostsfile}"
-          if !@noop
-            FileUtils.copy(hostsfile, "#{hostsfile}.cleanup-#{deploy_id}")
-            File.open(hostsfile, File::CREAT|File::RDWR, 0644) { |f|
-              f.flock(File::LOCK_EX)
-              newlines = Array.new
-              f.readlines.each { |line|
-                newlines << line if !line.match(/ #{MU.deploy_id}\-/)
-              }
-              f.rewind
-              f.truncate(0)
-              f.puts(newlines)
-              f.flush
-              f.flock(File::LOCK_UN)
-            }
+      }
+      creds
+    end
+    private_class_method :listUsedCredentials
+    def self.cleanCloud(cloud, habitats, regions, credsets)
+      cloudclass = MU::Cloud.cloudClass(cloud)
+      credsets.each_pair { |credset, acct_regions|
+        next if @credsused and !@credsused.include?(credset)
+        global_vs_region_semaphore = Mutex.new
+        global_done = {}
+        regionthreads = []
+        acct_regions.each { |r|
+          if @regionsused
+            if @regionsused.size > 0
+              next if !@regionsused.include?(r)
+            else
+              next if r != cloudclass.myRegion(credset)
+            end
           end
-        else
-          MU.log "Residual /etc/hosts entries for #{MU.deploy_id} must be removed by root user", MU::WARN
+          if regions and !regions.empty?
+            next if !regions.include?(r)
+            MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{r}...", MU::NOTICE
+          end
+          regionthreads << Thread.new {
+            Thread.abort_on_exception = false
+            MU.setVar("curRegion", r)
+            cleanRegion(cloud, credset, r, global_vs_region_semaphore, global_done, habitats)
+          } # regionthreads << Thread.new {
+        } # acct_regions.each { |r|
+        regionthreads.each do |t|
+          t.join
+        end
+      }
+    end
+    private_class_method :cleanCloud
+    def self.cleanRegion(cloud, credset, region, global_vs_region_semaphore, global_done, habitats)
+      had_failures = false
+      cloudclass = MU::Cloud.cloudClass(cloud)
+      habitatclass = MU::Cloud.resourceClass(cloud, "Habitat")
+      if !habitats
+        habitats = []
+        if $MU_CFG and $MU_CFG[cloud.downcase] and
+           $MU_CFG[cloud.downcase][credset] and
+           $MU_CFG[cloud.downcase][credset]["project"]
+# XXX GCP credential schema needs an array for projects
+          habitats << $MU_CFG[cloud.downcase][credset]["project"]
+        end
+        begin
+          habitats.concat(cloudclass.listHabitats(credset, use_cache: false))
+        rescue NoMethodError
         end
       end
-      if !@noop and !@skipcloud
-        if $MU_CFG['aws'] and $MU_CFG['aws']['account_number']
-          MU::Cloud::AWS.s3(region: MU.myRegion).delete_object(
-            bucket: MU.adminBucketName,
-            key: "#{MU.deploy_id}-secret"
-          )
+      if habitats == []
+        habitats << "" # dummy
+        MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{region}", MU::NOTICE
+      end
+      habitats.uniq!
+      # We do these in an order that unrolls dependent resources
+      # sensibly, and we hit :Collection twice because AWS
+      # CloudFormation sometimes fails internally.
+      habitat_threads = []
+      habitats.each { |habitat|
+        if habitats and !habitats.empty? and habitat != ""
+          next if !habitats.include?(habitat)
         end
-        if $MU_CFG['google'] and $MU_CFG['google']['project']
-          begin
-            MU::Cloud::Google.storage.delete_object(
-              MU.adminBucketName,
-              "#{MU.deploy_id}-secret"
-            )
-          rescue ::Google::Apis::ClientError => e
-            raise e if !e.message.match(/^notFound: /)
-          end
+        if @habitatsused and !@habitatsused.empty? and habitat != ""
+          next if !@habitatsused.include?(habitat)
         end
-        if MU.myCloud == "AWS"
-          MU::Cloud::AWS.openFirewallForClients # XXX add the other clouds, or abstract
+        next if !habitatclass.isLive?(habitat, credset)
+        habitat_threads << Thread.new {
+          Thread.current.thread_variable_set("name", "#{cloud}/#{credset}/#{habitat}/#{region}")
+          Thread.abort_on_exception = false
+          if !cleanHabitat(cloud, credset, region, habitat, global_vs_region_semaphore, global_done)
+            had_failures = true
+          end
+        } # TYPES_IN_ORDER.each { |t|
+      } # habitats.each { |habitat|
+      last_checkin = Time.now
+      begin
+        deletia = []
+        habitat_threads.each { |t|
+          if !t.status
+            t.join
+            deletia << t
+          end
+        }
+        deletia.each { |t|
+          habitat_threads.delete(t)
+        }
+        if (Time.now - last_checkin) > 120
+          list = habitat_threads.map { |t|
+            t.thread_variable_get("name") + (t.thread_variable_get("type") ? "/"+t.thread_variable_get("type") : "")
+          }
+          MU.log "Waiting on #{habitat_threads.size.to_s} habitat#{habitat_threads.size > 1 ? "s" : ""} in region #{region}", MU::NOTICE, details: list
+          last_checkin = Time.now
         end
-      end
+        sleep 10 if !habitat_threads.empty?
+      end while !habitat_threads.empty?
-      if !@noop and !@skipcloud and (@mommacat.nil? or @mommacat.numKittens(types: ["Server", "ServerPool"]) > 0)
-#        MU::MommaCat.syncMonitoringConfig
+      had_failures
+    end
+    private_class_method :cleanRegion
+    def self.cleanHabitat(cloud, credset, region, habitat, global_vs_region_semaphore, global_done)
+      had_failures = false
+      if habitat != ""
+        MU.log "Checking for #{cloud}/#{credset} resources from #{MU.deploy_id} in #{region}, habitat #{habitat}", MU::NOTICE
       end
-    end
+      flags = {
+        "habitat" => habitat,
+        "onlycloud" => @onlycloud,
+        "skipsnapshots" => @skipsnapshots,
+      }
+      TYPES_IN_ORDER.each { |t|
+        begin
+          skipme = false
+          global_vs_region_semaphore.synchronize {
+            if MU::Cloud.resourceClass(cloud, t).isGlobal?
+              global_done[habitat] ||= []
+              if !global_done[habitat].include?(t)
+                global_done[habitat] << t
+                flags['global'] = true
+              else
+                skipme = true
+              end
+            end
+          }
+          next if skipme
+        rescue MU::Cloud::MuDefunctHabitat, MU::Cloud::MuCloudResourceNotImplemented
+          next
+        rescue MU::MuError, NoMethodError => e
+          MU.log "While checking mu/providers/#{cloud.downcase}/#{cloudclass.cfg_name} for global-ness in cleanup: "+e.message, MU::WARN
+          next
+        rescue ::Aws::EC2::Errors::AuthFailure, ::Google::Apis::ClientError => e
+          MU.log e.message+" in "+region, MU::ERR
+          next
+        end
-    private
+        begin
+          if !call_cleanup(t, credset, cloud, flags, region)
+            had_failures = true
+          end
+        rescue MU::Cloud::MuDefunctHabitat, MU::Cloud::MuCloudResourceNotImplemented
+          next
+        end
+      }
+      had_failures
+    end
+    private_class_method :cleanHabitat
+    # Wrapper for dynamically invoking resource type cleanup methods.
+    # @param type [String]:
+    # @param credset [String]:
+    # @param provider [String]:
+    # @param flags [Hash]:
+    # @param region [String]:
     def self.call_cleanup(type, credset, provider, flags, region)
+      Thread.current.thread_variable_set("type", type)
       if @mommacat.nil? or @mommacat.numKittens(types: [type]) > 0
         if @mommacat
           found = @mommacat.findLitterMate(type: type, return_all: true, credentials: credset)
-          flags['known'] ||= []
-          if found.is_a?(Array)
-            found.each { |k|
-              flags['known'] << k.cloud_id
-            }
-          elsif found and found.is_a?(Hash)
-            flags['known'] << found['cloud_id']
-          elsif found
-            flags['known'] << found.cloud_id
+          if found
+            flags['known'] = if found.is_a?(Array)
+              found.map { |k| k.cloud_id }
+            elsif found.is_a?(Hash)
+              found.each_value.map { |k| k.cloud_id }
+            else
+              [found.cloud_id]
+            end
           end
         end
-#        begin
-          resclass = Object.const_get("MU").const_get("Cloud").const_get(type)
-          resclass.cleanup(
-            noop: @noop,
-            ignoremaster: @ignoremaster,
-            region: region,
-            cloud: provider,
-            flags: flags,
-            credentials: credset
-          )
-#                        rescue ::Seahorse::Client::NetworkingError => e
-#                          MU.log "Service not available in AWS region #{r}, skipping", MU::DEBUG, details: e.message
-#                        end
+        MU::Cloud.loadBaseType(type).cleanup(
+          noop: @noop,
+          ignoremaster: @ignoremaster,
+          region: region,
+          cloud: provider,
+          flags: flags,
+          credentials: credset,
+          deploy_id: @deploy_id
+        )
       else
         true
       end
     end
+    private_class_method :call_cleanup
   end #class
 end #module