cloud-mu 3.1.4 → 3.1.5

data/modules/mu/clouds/aws/vpc_subnet.rb

@@ -0,0 +1,286 @@
+# Copyright:: Copyright (c) 2020 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+  class Cloud
+    class AWS
+
+      # Creation of Virtual Private Clouds and associated artifacts (routes, subnets, etc).
+      class VPC < MU::Cloud::VPC
+
+        # Subnets are almost a first-class resource. So let's kinda sorta treat
+        # them like one. This should only be invoked on objects that already
+        # exists in the cloud layer.
+        class Subnet < MU::Cloud::AWS::VPC
+
+          attr_reader :cloud_id
+          attr_reader :ip_block
+          attr_reader :mu_name
+          attr_reader :name
+          attr_reader :az
+          attr_reader :cloud_desc
+
+          # @param parent [MU::Cloud::AWS::VPC]: The parent VPC of this subnet.
+          # @param config [Hash<String>]:
+          def initialize(parent, config)
+            @parent = parent
+            @config = MU::Config.manxify(config)
+            @cloud_id = config['cloud_id']
+            @mu_name = config['mu_name']
+            @name = config['name']
+            @deploydata = config # This is a dummy for the sake of describe()
+            resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(subnet_ids: [@cloud_id]).subnets.first
+            @az = resp.availability_zone
+            @ip_block = resp.cidr_block
+            @cloud_desc = resp # XXX this really isn't the cloud implementation's business
+
+          end
+
+          # Return the cloud identifier for the default route of this subnet.
+          # @return [String,nil]
+          def defaultRoute
+            resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
+                filters: [{name: "association.subnet-id", values: [@cloud_id]}]
+            )
+            if resp.route_tables.size == 0 # use default route table for the VPC
+              resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
+                 filters: [{name: "vpc-id", values: [@parent.cloud_id]}]
+              )
+            end
+            resp.route_tables.each { |route_table|
+              route_table.routes.each { |route|
+                if route.destination_cidr_block =="0.0.0.0/0" and route.state != "blackhole"
+                  return route.instance_id if !route.instance_id.nil?
+                  return route.gateway_id if !route.gateway_id.nil?
+                  return route.vpc_peering_connection_id if !route.vpc_peering_connection_id.nil?
+                  return route.network_interface_id if !route.network_interface_id.nil?
+                end
+              }
+            }
+            return nil
+          end
+
+          # Is this subnet privately-routable only, or public?
+          # @return [Boolean]
+          def private?
+            return false if @cloud_id.nil?
+            resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
+                filters: [{name: "association.subnet-id", values: [@cloud_id]}]
+            )
+            if resp.route_tables.size == 0 # use default route table for the VPC
+              resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
+                 filters: [{name: "vpc-id", values: [@parent.cloud_id]}]
+              )
+            end
+            resp.route_tables.each { |route_table|
+              route_table.routes.each { |route|
+                return false if !route.gateway_id.nil? and route.gateway_id != "local" # you can have an IgW and route it to a subset of IPs instead of 0.0.0.0/0
+                if route.destination_cidr_block == "0.0.0.0/0"
+                  return true if !route.instance_id.nil?
+                  return true if route.nat_gateway_id
+                end
+              }
+            }
+            return true
+          end
+        end # VPC::Subnet class
+
+        private
+
+        def create_subnets
+          return [] if @config['subnets'].nil? or @config['subnets'].empty?
+          nat_gateways = []
+
+          @eip_allocation_ids ||= []
+
+          subnetthreads = Array.new
+
+          azs = MU::Cloud::AWS.listAZs(region: @config['region'], credentials: @config['credentials'])
+          @config['subnets'].each { |subnet|
+            subnet_name = @config['name']+"-"+subnet['name']
+            az = subnet['availability_zone'] ? subnet['availability_zone'] : azs.op
+            MU.log "Creating Subnet #{subnet_name} (#{subnet['ip_block']}) in #{az}", details: subnet
+
+            subnetthreads << Thread.new {
+              resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_subnet(
+                vpc_id: @cloud_id,
+                cidr_block: subnet['ip_block'],
+                availability_zone: az
+              ).subnet
+              subnet_id = subnet['subnet_id'] = resp.subnet_id
+
+              tag_me(subnet_id, @mu_name+"-"+subnet['name'])
+
+              loop_if = Proc.new {
+                resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_subnets(subnet_ids: [subnet_id]).subnets.first
+                (!resp or resp.state != "available")
+              }
+
+              MU.retrier([Aws::EC2::Errors::InvalidSubnetIDNotFound, NoMethodError], wait: 5, loop_if: loop_if) { |retries, _wait|
+                MU.log "Waiting for Subnet #{subnet_name} (#{subnet_id}) to become available", MU::NOTICE if retries > 0 and (retries % 3) == 0
+              }
+
+              if !subnet['route_table'].nil?
+                routes = {}
+                @config['route_tables'].each { |tbl|
+                  routes[tbl['name']] = tbl
+                }
+                if routes[subnet['route_table']].nil?
+                  raise "Subnet #{subnet_name} references nonexistent route #{subnet['route_table']}"
+                end
+                MU.log "Associating Route Table '#{subnet['route_table']}' (#{routes[subnet['route_table']]['route_table_id']}) with #{subnet_name}"
+                MU.retrier([Aws::EC2::Errors::InvalidRouteTableIDNotFound], wait: 10, max: 10) {
+                  MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).associate_route_table(
+                    route_table_id: routes[subnet['route_table']]['route_table_id'],
+                    subnet_id: subnet_id
+                  )
+                }
+              end
+
+              if subnet.has_key?("map_public_ips")
+                MU.retrier([Aws::EC2::Errors::InvalidSubnetIDNotFound], wait: 10, max: 10) {
+                  resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).modify_subnet_attribute(
+                    subnet_id: subnet_id,
+                    map_public_ip_on_launch: {
+                      value: subnet['map_public_ips'],
+                    }
+                  )
+                }
+              end
+
+              if subnet['is_public'] and subnet['create_nat_gateway']
+                nat_gateways << create_nat_gateway(subnet)
+              end
+
+              if subnet["enable_traffic_logging"]
+                loggroup = @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs")
+                logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
+                MU.log "Enabling traffic logging on Subnet #{subnet_name} in VPC #{@mu_name} to log group #{loggroup.mu_name}"
+                MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_flow_logs(
+                  resource_ids: [subnet_id],
+                  resource_type: "Subnet",
+                  traffic_type: subnet["traffic_type_to_log"],
+                  log_group_name: loggroup.mu_name,
+                  deliver_logs_permission_arn: logrole.cloudobj.arn
+                )
+              end
+            }
+          }
+
+          subnetthreads.each { |t|
+            t.join
+          }
+
+          nat_gateways
+        end
+
+        def allocate_eip_for_nat
+          MU::MommaCat.lock("nat-gateway-eipalloc")
+
+          eips = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_addresses(
+            filters: [
+              {
+                name: "domain",
+                values: ["vpc"]
+              }
+            ]
+          ).addresses
+
+          allocation_id = nil
+          eips.each { |eip|
+            next if !eip.association_id.nil? and !eip.association_id.empty?
+            if (eip.private_ip_address.nil? || eip.private_ip_address.empty?) and MU::MommaCat.lock(eip.allocation_id, true, true)
+              if !@eip_allocation_ids.include?(eip.allocation_id)
+                allocation_id = eip.allocation_id
+                break
+              end
+            end
+          }
+
+          if allocation_id.nil?
+            allocation_id = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).allocate_address(domain: "vpc").allocation_id
+            MU::MommaCat.lock(allocation_id, false, true)
+          end
+
+          @eip_allocation_ids << allocation_id
+
+          MU::MommaCat.unlock("nat-gateway-eipalloc")
+
+          allocation_id
+        end
+
+        def create_nat_gateway(subnet)
+          allocation_id = allocate_eip_for_nat
+
+          nat_gateway_id = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).create_nat_gateway(
+            subnet_id: subnet['subnet_id'],
+            allocation_id: allocation_id,
+          ).nat_gateway.nat_gateway_id
+
+          ensure_unlock = Proc.new { MU::MommaCat.unlock(allocation_id, true) }
+          resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_nat_gateways(nat_gateway_ids: [nat_gateway_id]).nat_gateways.first
+          loop_if = Proc.new {
+            resp = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_nat_gateways(nat_gateway_ids: [nat_gateway_id]).nat_gateways.first
+            resp.class != Aws::EC2::Types::NatGateway or resp.state == "pending"
+          }
+
+          MU.retrier([Aws::EmptyStructure, NoMethodError], wait: 5, max: 30, always: ensure_unlock, loop_if: loop_if) { |retries, _wait|
+            MU.log "Waiting for nat gateway #{nat_gateway_id} to become available (EIP allocation: #{allocation_id})" if retries % 5 == 0
+          }
+
+          raise MuError, "NAT Gateway failed #{nat_gateway_id}: #{resp}" if resp.state == "failed"
+
+          tag_me(nat_gateway_id)
+
+          {'id' => nat_gateway_id, 'availability_zone' => subnet['availability_zone']}
+        end
+
+        # Remove all subnets associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param tagfilters [Array<Hash>]: EC2 tags to filter against when search for resources to purge
+        # @param region [String]: The cloud provider region
+        # @return [void]
+        def self.purge_subnets(noop = false, tagfilters = [{name: "tag:MU-ID", values: [MU.deploy_id]}], region: MU.curRegion, credentials: nil)
+          resp = MU::Cloud::AWS.ec2(credentials: credentials, region: region).describe_subnets(
+            filters: tagfilters
+          )
+          subnets = resp.data.subnets
+
+          return if subnets.nil? or subnets.size == 0
+
+          subnets.each { |subnet|
+            on_retry = Proc.new {
+              MU::Cloud::AWS::VPC.purge_interfaces(noop, [{name: "subnet-id", values: [subnet.subnet_id]}], region: region, credentials: credentials)
+            }
+
+            MU.log "Deleting Subnet #{subnet.subnet_id}"
+            MU.retrier([Aws::EC2::Errors::DependencyViolation], ignoreme: [Aws::EC2::Errors::InvalidSubnetIDNotFound], max: 20, on_retry: on_retry) { |_retries, wait|
+              begin
+                if subnet.state != "available"
+                  MU.log "Waiting for #{subnet.subnet_id} to be in a removable state...", MU::NOTICE
+                  sleep wait
+                else
+                  MU::Cloud::AWS.ec2(credentials: credentials, region: region).delete_subnet(subnet_id: subnet.subnet_id) if !noop
+                end
+              end while subnet.state != "available"
+            }
+          }
+        end
+        private_class_method :purge_subnets
+
+      end # VPC class
+
+    end #class
+  end
+end #module

data/modules/mu/clouds/google/bucket.rb

@@ -305,7 +305,7 @@ module MU
           schema = {
             "storage_class" => {
               "type" => "string",
-              "enum" => ["MULTI_REGIONAL", "REGIONAL", "STANDARD", "NEARLINE", "COLDLINE", "DURABLE_REDUCED_AVAILABILITY"],
+              "enum" => ["MULTI_REGIONAL", "REGIONAL", "STANDARD", "NEARLINE", "COLDLINE", "DURABLE_REDUCED_AVAILABILITY", "ARCHIVE"],
               "default" => "STANDARD"
             },
             "bucket_wide_acls" => {

data/modules/mu/clouds/google/container_cluster.rb

@@ -567,22 +567,24 @@ module MU
             bok['kubernetes']['network_policy_addon'] = true
           end
 
-          if cloud_desc.ip_allocation_policy.use_ip_aliases
-            bok['ip_aliases'] = true
-          end
-          if cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
-            bok['pod_ip_block'] = cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
-          end
-          if cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
-            bok['services_ip_block'] = cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
-          end
+          if cloud_desc.ip_allocation_policy
+            if cloud_desc.ip_allocation_policy.use_ip_aliases
+              bok['ip_aliases'] = true
+            end
+            if cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
+              bok['pod_ip_block'] = cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
+            end
+            if cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
+              bok['services_ip_block'] = cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
+            end
 
-          if cloud_desc.ip_allocation_policy.create_subnetwork
-            bok['custom_subnet'] = {
-              "name" => (cloud_desc.ip_allocation_policy.subnetwork_name || cloud_desc.subnetwork)
-            }
-            if cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
-              bok['custom_subnet']['node_ip_block'] = cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+            if cloud_desc.ip_allocation_policy.create_subnetwork
+              bok['custom_subnet'] = {
+                "name" => (cloud_desc.ip_allocation_policy.subnetwork_name || cloud_desc.subnetwork)
+              }
+              if cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+                bok['custom_subnet']['node_ip_block'] = cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+              end
             end
           end
 
@@ -1029,7 +1031,8 @@ module MU
               type: "habitats"
             )
             if cluster['service_account']['name'] and
-               !cluster['service_account']['id']
+               !cluster['service_account']['id'] and
+               !cluster['service_account']['deploy_id']
               cluster['dependencies'] ||= []
               cluster['dependencies'] << {
                 "type" => "user",
@@ -1188,7 +1191,8 @@ module MU
           labels["name"] = MU::Cloud::Google.nameStr(@mu_name)
 
           labelset = MU::Cloud::Google.container(:SetLabelsRequest).new(
-            resource_labels: labels
+            resource_labels: labels,
+            label_fingerprint: cloud_desc.label_fingerprint
           )
           MU::Cloud::Google.container(credentials: @config['credentials']).set_project_location_cluster_resource_labels(@cloud_id, labelset)
         end

data/modules/mu/clouds/google/function.rb

@@ -340,7 +340,7 @@ module example.com/cloudfunction
           end
 
           codefile = bok["project"]+"_"+bok["region"]+"_"+bok["name"]+".zip"
-          MU::Cloud::Google::Function.downloadPackage(@cloud_id, codefile, credentials: @config['credentials'])
+          return nil if !MU::Cloud::Google::Function.downloadPackage(@cloud_id, codefile, credentials: @config['credentials'])
           bok['code'] = {
             'zip_file' => codefile
           }
@@ -417,7 +417,12 @@ module example.com/cloudfunction
             bucket = Regexp.last_match[1]
             path = Regexp.last_match[2]
 
-            MU::Cloud::Google.storage(credentials: credentials).get_object(bucket, path, download_dest: zipfile)
+            begin
+              MU::Cloud::Google.storage(credentials: credentials).get_object(bucket, path, download_dest: zipfile)
+            rescue ::Google::Apis::ClientError => e
+              MU.log "Couldn't retrieve gs://#{bucket}/#{path} for #{function_id}", MU::WARN, details: e.inspect
+              return false
+            end
           elsif cloud_desc.source_upload_url
             resp = MU::Cloud::Google.function(credentials: credentials).generate_function_download_url(
               function_id
@@ -428,6 +433,7 @@ module example.com/cloudfunction
               f.close
             end
           end
+          true
         end
 
         # Upload a zipfile to our admin Cloud Storage bucket, for use by

data/modules/mu/clouds/google/server.rb

@@ -164,19 +164,26 @@ module MU
         def self.diskConfig(config, create = true, disk_as_url = true, credentials: nil)
           disks = []
           if config['image_id'].nil? and config['basis'].nil?
-            pp config.keys
             raise MuError, "Can't generate disk configuration for server #{config['name']} without an image ID or basis specified"
           end
 
           img = fetchImage(config['image_id'] || config['basis']['launch_config']['image_id'], credentials: credentials)
 
-# XXX slurp settings from /dev/sda or w/e by convention?
+#          if img.source_disk and img.source_disk.match(/projects\/([^\/]+)\/zones\/([^\/]+)\/disks\/(.*)/)
+#            _junk, proj, az, name = Regexp.last_match
+#            disk_desc = MU::Cloud::Google.compute(credentials: credentials).get_disk(proj, az, name)
+#            pp disk_desc
+#            raise "nah"
+#          end
+
           disktype = "projects/#{config['project']}/zones/#{config['availability_zone']}/diskTypes/pd-standard"
-          disktype = "pd-standard" if !disk_as_url
-# disk_type: projects/project/zones/#{config['availability_zone']}/diskTypes/pd-standard Other values include pd-ssd and local-ssd
+
+
+          disktype.gsub!(/.*?\/([^\/])$/, '\1') if !disk_as_url
+
           imageobj = MU::Cloud::Google.compute(:AttachedDiskInitializeParams).new(
             source_image: img.self_link,
-            disk_size_gb: 10, # this is binary? 2gb, that says
+            disk_size_gb: img.disk_size_gb,
             disk_type: disktype,
           )
           disks << MU::Cloud::Google.compute(:AttachedDisk).new(
@@ -329,7 +336,7 @@ next if !create
             end
             metadata["startup-script"] = @userdata if @userdata and !@userdata.empty?
 
-            deploykey = @config['ssh_user']+":"+@deploy.ssh_public_key
+            deploykey = @config["ssh_user"]+":"+@deploy.ssh_public_key
             if metadata["ssh-keys"]
               metadata["ssh-keys"] += "\n"+deploykey
             else
@@ -502,7 +509,8 @@ next if !create
 
           if @config['ssh_user'].nil?
             if windows?
-              @config['ssh_user'] = "Administrator"
+              @config['ssh_user'] = @config['windows_admin_user']
+              @config['ssh_user'] ||= "Administrator"
             else
               @config['ssh_user'] = "root"
             end
@@ -800,29 +808,6 @@ next if !create
 
 #          punchAdminNAT
 
-#          MU::Cloud::AWS::Server.tagVolumes(@cloud_id)
-
-          # If we have a loadbalancer configured, attach us to it
-#          if !@config['loadbalancers'].nil?
-#            if @loadbalancers.nil?
-#              raise MuError, "#{@mu_name} is configured to use LoadBalancers, but none have been loaded by dependencies()"
-#            end
-#            @loadbalancers.each { |lb|
-#              lb.registerNode(@cloud_id)
-#            }
-#          end
-
-          # Let us into any databases we depend on.
-          # This is probelmtic with autscaling - old ips are not removed, and access to the database can easily be given at the BoK level
-          # if @dependencies.has_key?("database")
-            # @dependencies['database'].values.each { |db|
-              # db.allowHost(@deploydata["private_ip_address"]+"/32")
-              # if @deploydata["public_ip_address"]
-                # db.allowHost(@deploydata["public_ip_address"]+"/32")
-              # end
-            # }
-          # end
-
           @groomer.saveDeployData
 
           begin
@@ -1017,9 +1002,93 @@ next if !create
         end
 
         # return [String]: A password string.
-        def getWindowsAdminPassword
+        def getWindowsAdminPassword(use_cache: true)
+          @config['windows_auth_vault'] ||= {
+            "vault" => @mu_name,
+            "item" => "windows_credentials",
+            "password_field" => "password"
+          }
+
+          if use_cache
+            begin
+              win_admin_password = @groomer.getSecret(
+                vault: @config['windows_auth_vault']['vault'],
+                item: @config['windows_auth_vault']['item'],
+                field: @config["windows_auth_vault"]["password_field"]
+              )
+MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
+              return win_admin_password if win_admin_password
+            rescue MU::Groomer::MuNoSuchSecret, MU::Groomer::RunError
+            end
+          end
+
+          require 'openssl/oaep'
+          timeout = 300
+
+          serial_out = nil
+          key = OpenSSL::PKey::RSA.generate 2048
+
+          missing_response = Proc.new {
+            !serial_out or !serial_out.contents or serial_out.contents.empty? or JSON.parse(serial_out.contents)["userName"] != @config['windows_admin_username']
+          }
+
+          did_metadata = false
+          MU.retrier(loop_if: missing_response, wait: 10, max: timeout/10) {
+            serial_out = MU::Cloud::Google.compute(credentials: @credentials).get_instance_serial_port_output(@project_id, @config['availability_zone'], @cloud_id, port: 4)
+
+            if missing_response.call and
+               !cloud_desc(use_cache: false).metadata.items.map { |i| i.key }.include?("windows-keys")
+              keybytes = Base64.decode64(key.public_key.export.gsub(/-----(?:BEGIN|END) PUBLIC KEY-----/, ''))
+              modulus = keybytes.byteslice(33,256)
+              exponent = keybytes.byteslice(291,3)
+              keydata = {
+                "userName" => @config['windows_admin_username'],
+                "modulus" => Base64.strict_encode64(modulus),
+                "exponent" => Base64.strict_encode64(exponent),
+                "email" => MU.muCfg['mu_admin_email'],
+                "expireOn" => (Time.now.utc+timeout).strftime('%Y-%m-%dT%H:%M:%SZ')
+              }
+
+              new_items = cloud_desc.metadata.items.map { |item|
+                MU::Cloud::Google.compute(:Metadata)::Item.new(
+                  key: item.key,
+                  value: item.value
+                )
+              }
+              new_items.reject! { |item| item.key == "windows-keys" }
+              new_items << MU::Cloud::Google.compute(:Metadata)::Item.new(
+                key: "windows-keys",
+                value: JSON.generate(keydata)
+              )
+              new_metadata = MU::Cloud::Google.compute(:Metadata).new(
+                fingerprint: cloud_desc(use_cache: false).metadata.fingerprint,
+                items: new_items
+              )
+
+              MU::Cloud::Google.compute(credentials: @credentials).set_instance_metadata(@project_id, @config['availability_zone'], @cloud_id, new_metadata)
+            end
+          }
+
+          return nil if missing_response.call
+
+          pwdata = JSON.parse(serial_out.contents)
+          if pwdata['encryptedPassword'] and pwdata['userName'] == @config['windows_admin_username']
+            decrypted_pw = key.private_decrypt_oaep(Base64.strict_decode64(pwdata['encryptedPassword']))
+            creds = {
+              "username" => @config['windows_admin_username'],
+              "password" => decrypted_pw,
+              "sshd_username" => "sshd_service",
+              "sshd_password" => decrypted_pw
+            }
+            @groomer.saveSecret(vault: @mu_name, item: "windows_credentials", data: creds, permissions: "name:#{@mu_name}")
+
+            return decrypted_pw
+          end
+
+          nil
         end
 
+
         # Add a volume to this instance
         # @param dev [String]: Device name to use when attaching to instance
         # @param size [String]: Size (in gb) of the new volume
@@ -1272,7 +1341,7 @@ next if !create
             "roles" => MU::Cloud::Google::User.schema(config)[1]["roles"],
             "windows_admin_username" => {
               "type" => "string",
-              "default" => "Administrator"
+              "default" => "muadmin"
             },
             "create_image" => {
               "properties" => {
@@ -1438,6 +1507,7 @@ next if !create
           end
 
           if server['service_account']
+            server['service_account'] = server['service_account'].to_h
             server['service_account']['cloud'] = "Google"
             server['service_account']['habitat'] ||= server['project']
             found = MU::Config::Ref.get(server['service_account'])