RubyGems - cloud-mu - Versions diffs - 3.1.4 → 3.3.1 - Mend

cloud-mu 3.1.4 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

checksums.yaml +4 -4
data/Dockerfile +5 -1
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +16 -12
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +2 -1
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +37 -12
data/cloud-mu.gemspec +5 -3
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +1 -1
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/modules/mommacat.ru +1 -1
data/modules/mu.rb +158 -107
data/modules/mu/adoption.rb +386 -59
data/modules/mu/cleanup.rb +214 -303
data/modules/mu/cloud.rb +128 -1632
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +44 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +926 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +169 -0
data/modules/mu/config.rb +135 -82
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +32 -3
data/modules/mu/config/cache_cluster.rb +2 -2
data/modules/mu/config/cdn.rb +100 -0
data/modules/mu/config/collection.rb +1 -1
data/modules/mu/config/container_cluster.rb +7 -2
data/modules/mu/config/database.rb +84 -105
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +5 -4
data/modules/mu/config/doc_helpers.rb +5 -6
data/modules/mu/config/endpoint.rb +2 -1
data/modules/mu/config/firewall_rule.rb +3 -19
data/modules/mu/config/folder.rb +1 -1
data/modules/mu/config/function.rb +17 -8
data/modules/mu/config/group.rb +1 -1
data/modules/mu/config/habitat.rb +1 -1
data/modules/mu/config/job.rb +89 -0
data/modules/mu/config/loadbalancer.rb +57 -11
data/modules/mu/config/log.rb +1 -1
data/modules/mu/config/msg_queue.rb +1 -1
data/modules/mu/config/nosqldb.rb +1 -1
data/modules/mu/config/notifier.rb +8 -19
data/modules/mu/config/ref.rb +92 -14
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +38 -37
data/modules/mu/config/search_domain.rb +1 -1
data/modules/mu/config/server.rb +12 -13
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +3 -7
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +11 -0
data/modules/mu/config/user.rb +1 -1
data/modules/mu/config/vpc.rb +27 -23
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +91 -68
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +1 -0
data/modules/mu/deploy.rb +33 -19
data/modules/mu/groomer.rb +16 -1
data/modules/mu/groomers/ansible.rb +123 -21
data/modules/mu/groomers/chef.rb +64 -11
data/modules/mu/logger.rb +120 -144
data/modules/mu/master.rb +97 -4
data/modules/mu/master/ssl.rb +0 -1
data/modules/mu/mommacat.rb +154 -867
data/modules/mu/mommacat/daemon.rb +23 -14
data/modules/mu/mommacat/naming.rb +110 -3
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +225 -192
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +281 -64
data/modules/mu/{clouds → providers}/aws/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/aws/bucket.rb +275 -41
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +14 -50
data/modules/mu/providers/aws/cdn.rb +782 -0
data/modules/mu/{clouds → providers}/aws/collection.rb +5 -5
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +708 -749
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +75 -57
data/modules/mu/providers/aws/endpoint.rb +1072 -0
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +212 -242
data/modules/mu/{clouds → providers}/aws/folder.rb +1 -1
data/modules/mu/{clouds → providers}/aws/function.rb +289 -134
data/modules/mu/{clouds → providers}/aws/group.rb +18 -20
data/modules/mu/{clouds → providers}/aws/habitat.rb +3 -3
data/modules/mu/providers/aws/job.rb +466 -0
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +50 -41
data/modules/mu/{clouds → providers}/aws/log.rb +5 -5
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +14 -11
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +96 -5
data/modules/mu/{clouds → providers}/aws/notifier.rb +135 -63
data/modules/mu/{clouds → providers}/aws/role.rb +94 -57
data/modules/mu/{clouds → providers}/aws/search_domain.rb +173 -42
data/modules/mu/{clouds → providers}/aws/server.rb +782 -1107
data/modules/mu/{clouds → providers}/aws/server_pool.rb +36 -46
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +21 -38
data/modules/mu/{clouds → providers}/aws/user.rb +12 -16
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +429 -849
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +13 -0
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
data/modules/mu/{clouds → providers}/azure/server.rb +32 -24
data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
data/modules/mu/{clouds → providers}/cloudformation.rb +10 -0
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +29 -6
data/modules/mu/{clouds → providers}/google/bucket.rb +5 -5
data/modules/mu/{clouds → providers}/google/container_cluster.rb +59 -37
data/modules/mu/{clouds → providers}/google/database.rb +5 -12
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +5 -5
data/modules/mu/{clouds → providers}/google/folder.rb +5 -9
data/modules/mu/{clouds → providers}/google/function.rb +14 -8
data/modules/mu/{clouds → providers}/google/group.rb +9 -17
data/modules/mu/{clouds → providers}/google/habitat.rb +4 -8
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/google/role.rb +50 -31
data/modules/mu/{clouds → providers}/google/server.rb +142 -55
data/modules/mu/{clouds → providers}/google/server_pool.rb +14 -14
data/modules/mu/{clouds → providers}/google/user.rb +34 -24
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +46 -15
data/modules/tests/aws-jobs-functions.yaml +46 -0
data/modules/tests/centos6.yaml +15 -0
data/modules/tests/centos7.yaml +15 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/eks.yaml +1 -1
data/modules/tests/functions/node-function/lambda_function.js +10 -0
data/modules/tests/functions/python-function/lambda_function.py +12 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/microservice_app.yaml +288 -0
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +2 -1
data/modules/tests/super_complex_bok.yml +2 -2
data/modules/tests/super_simple_bok.yml +3 -5
data/modules/tests/win2k12.yaml +25 -0
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +169 -93
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1974
data/modules/mu/clouds/aws/endpoint.rb +0 -596
data/modules/tests/needwork/win2k12.yaml +0 -13

data/modules/mu/{clouds → providers}/aws/role.rb RENAMED

@@ -30,7 +30,7 @@ module MU
             end
           end
-          @mu_name ||= @deploy.getResourceName(@config["name"])
+          @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 64)
         end
         # Called automatically by {MU::Deploy#createResources}
@@ -92,13 +92,14 @@ module MU
             configured_policies = []
             if @config['raw_policies']
+              MU.log "Attaching #{@config['raw_policies'].size.to_s} raw #{@config['raw_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies = @config['raw_policies'].map { |p|
                 @mu_name+"-"+p.keys.first.upcase
               }
             end
             if @config['attachable_policies']
-              MU.log "Attaching #{@config['attachable_policies'].size.to_s} #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
+              MU.log "Attaching #{@config['attachable_policies'].size.to_s} external #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies.concat(@config['attachable_policies'].map { |p|
                 id = if p.is_a?(MU::Config::Ref)
                   p.cloud_id
@@ -109,17 +110,16 @@ module MU
                 end
                 id.gsub(/.*?\/([^:\/]+)$/, '\1')
               })
-              configured_policies.each { |pol|
-              }
             end
+            # Purge anything that doesn't belong
             if !@config['bare_policies']
               attached_policies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
                 role_name: @mu_name
               ).attached_policies
               attached_policies.each { |a|
                 if !configured_policies.include?(a.policy_name)
-                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE
+                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
                   MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @config['credentials'])
                 end
               }
@@ -137,7 +137,7 @@ module MU
           if !@config['bare_policies'] and
              (@config['raw_policies'] or @config['attachable_policies'])
-            bindTo("role", @mu_name)
+#            bindTo("role", @mu_name)
           end
         end
@@ -153,6 +153,7 @@ module MU
             policy.values.each { |p|
               p["Version"] ||= "2012-10-17"
             }
             policy_name = basename+"-"+policy.keys.first.upcase
             arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
@@ -201,7 +202,11 @@ module MU
         def arn
           desc = cloud_desc
           if desc["role"]
-            desc["role"].arn
+            if desc['role'].is_a?(Hash)
+              desc["role"][:arn] # why though
+            else
+              desc["role"].arn
+            end
           else
             nil
           end
@@ -212,7 +217,22 @@ module MU
         # populated with one or both depending on what this resource has
         # defined.
         def cloud_desc(use_cache: true)
-          return @cloud_desc_cache if @cloud_desc_cache and use_cache
+          # we might inherit a naive cached description from the base cloud
+          # layer; rearrange it to our tastes
+          if @cloud_desc_cache.is_a?(::Aws::IAM::Types::Role)
+            new_desc = {
+              "role" => @cloud_desc_cache
+            }
+            @cloud_desc_cache = new_desc
+          elsif @cloud_desc_cache.is_a?(::Aws::IAM::Types::Policy)
+            new_desc = {
+              "policies" => [@cloud_desc_cache]
+            }
+            @cloud_desc_cache = new_desc
+          end
+          return @cloud_desc_cache if @cloud_desc_cache and !@cloud_desc_cache.empty? and use_cache
           @cloud_desc_cache = {}
           if @config['bare_policies']
@@ -290,21 +310,21 @@ end
           if !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
-          my_policies = cloud_desc["policies"]
+          my_policies = cloud_desc(use_cache: false)["policies"]
           my_policies ||= []
+          seen_policy = false
           my_policies.each { |p|
             if p.policy_name == policy
+              seen_policy = true
               old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
                 policy_arn: p.arn,
                 version_id: p.default_version_id
               ).policy_version
               doc = JSON.parse URI.decode_www_form_component old.document
               need_update = false
               doc["Statement"].each { |s|
                 targets.each { |target|
                   target_string = target
@@ -333,6 +353,10 @@ end
               end
             end
           }
+          if !seen_policy
+            MU.log "Was given new targets for policy #{policy}, but I don't see any such policy attached to role #{@cloud_id}", MU::WARN, details: targets
+          end
         end
         # Delete an IAM policy, along with attendant versions and attachments.
@@ -411,14 +435,14 @@ end
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
-            path_prefix: "/"+MU.deploy_id+"/"
+            path_prefix: "/"+deploy_id+"/"
           )
           if resp and resp.policies
             resp.policies.each { |policy|
-              MU.log "Deleting IAM policy /#{MU.deploy_id}/#{policy.policy_name}"
+              MU.log "Deleting IAM policy /#{deploy_id}/#{policy.policy_name}"
               if !noop
                 purgePolicy(policy.arn, credentials)
               end
@@ -429,19 +453,23 @@ end
           roles = MU::Cloud::AWS::Role.find(credentials: credentials).values
           roles.each { |r|
             next if !r.respond_to?(:role_name)
-            if r.path.match(/^\/#{Regexp.quote(MU.deploy_id)}/)
+            if r.path.match(/^\/#{Regexp.quote(deploy_id)}/)
               deleteme << r
               next
             end
             # For some dumb reason, the list output that .find gets doesn't
             # include the tags, so we need to fetch each role individually to
             # check tags. Hardly seems efficient.
-            desc = MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            desc = begin
+              MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            rescue Aws::IAM::Errors::NoSuchEntity
+              next
+            end
             if desc.role and desc.role.tags and desc.role.tags
               master_match = false
               deploy_match = false
               desc.role.tags.each { |t|
-                if t.key == "MU-ID" and t.value == MU.deploy_id
+                if t.key == "MU-ID" and t.value == deploy_id
                   deploy_match = true
                 elsif t.key == "MU-MASTER-IP" and t.value == MU.mu_public_ip
                   master_match = true
@@ -508,7 +536,7 @@ end
             begin
               # managed policies get fetched by ARN, roles by plain name. Ok!
-              if args[:cloud_id].match(/^arn:/)
+              if args[:cloud_id].match(/^arn:.*?:policy\//)
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_policy(
                   policy_arn: args[:cloud_id]
                 )
@@ -517,39 +545,26 @@ end
                 end
               else
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_role(
-                  role_name: args[:cloud_id]
+                  role_name: args[:cloud_id].sub(/^arn:.*?\/([^:\/]+)$/, '\1') # XXX if it's an ARN, actually parse it and look in the correct account when applicable
                 )
                 if resp and resp.role
-                  found[args[:cloud_id]] = resp.role
+                  found[resp.role.role_name] = resp.role
                 end
               end
             rescue ::Aws::IAM::Errors::NoSuchEntity
             end
           else
-            marker = nil
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles(
-                marker: marker
-              )
-              break if !resp or !resp.roles
-              resp.roles.each { |role|
-                found[role.role_name] = role
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
+            resp.roles.each { |role|
+              found[role.role_name] = role
+            }
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(
-                scope: "Local",
-                marker: marker
-              )
-              break if !resp or !resp.policies
-              resp.policies.each { |pol|
-                found[pol.arn] = pol
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(scope: "Local")
+            resp.policies.each { |pol|
+              found[pol.arn] = pol
+            }
           end
           found
@@ -607,14 +622,13 @@ end
                   )
                   JSON.parse(URI.decode(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
             }
             return bok if @config['bare_policies']
           end
           if desc.tags and desc.tags.size > 0
             bok["tags"] = MU.structToHash(desc.tags, stringify_keys: true)
           end
@@ -687,6 +701,7 @@ end
           end
           bok["attachable_policies"].uniq! if bok["attachable_policies"]
+          bok["name"].gsub!(/[^a-zA-Z0-9_\-]/, "_")
           bok
         end
@@ -699,6 +714,10 @@ end
         def self.doc2MuPolicies(basename, doc, policies = [])
           policies ||= []
+          if !doc["Statement"].is_a?(Array)
+            doc["Statement"] = [doc["Statement"]]
+          end
           doc["Statement"].each { |s|
             if !s["Action"]
               MU.log "Statement in policy document for #{basename} didn't have an Action field", MU::WARN, details: doc
@@ -796,6 +815,19 @@ end
               }
             end
+            if @config['raw_policies']
+              raw_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+                @config['raw_policies'],
+                basename: @deploy.getResourceName(@config['name']),
+                credentials: @credentials
+              )
+              raw_arns.each { |p_arn|
+                mypolicies << MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(
+                  policy_arn: p_arn
+                ).policy
+              }
+            end
             mypolicies.each { |p|
               if entitytype == "user"
                 resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_user_policies(
@@ -838,6 +870,7 @@ end
           else
             raise MuError, "Invalid entitytype '#{entitytype}' passed to MU::Cloud::AWS::Role.bindTo. Must be be one of: user, group, role, instance_profile"
           end
+          cloud_desc(use_cache: false)
         end
         # Create an instance profile for EC2 instances, named identically and
@@ -916,7 +949,7 @@ end
           toplevel_required = []
           aws_resource_types = MU::Cloud.resource_types.keys.reject { |t|
             begin
-              MU::Cloud.loadCloudType("AWS", t)
+              MU::Cloud.resourceClass("AWS", t)
               false
             rescue MuCloudResourceNotImplemented
               true
@@ -1078,11 +1111,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  role['dependencies'] ||= []
-                  role['dependencies'] << {
-                    "name" => target['identifier'],
-                    "type" => target['type']
-                  }
+                  MU::Config.addDependency(role, target['identifier'], target['type'], no_create_wait: true)
                 end
               }
             }
@@ -1098,13 +1127,14 @@ end
         # @param policies [Array<Hash>]: One or more policy chunks
         # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
         # @return [Array<Hash>]
-        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false)
+        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
           if policies
             name = nil
             doc = {
-              "Version" => "2012-10-17",
+              "Version" => version,
               "Statement" => []
             }
+            doc["Id"] = doc_id if doc_id
             policies.each { |policy|
               policy["flag"] ||= "Allow"
               statement = {
@@ -1145,7 +1175,14 @@ end
                       raise MuError, "Couldn't find a #{grantee["type"]} named #{grantee["identifier"]} when generating IAM policy"
                     end
                   else
-                    bucket_prefix = grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/) ? "Service" : "AWS"
+                    bucket_prefix = if grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/)
+                      "Service"
+                    elsif grantee["identifier"] =~ /^[a-f0-9]+$/
+                      "CanonicalUser"
+                    else
+                      "AWS"
+                    end
                     if bucket_style
                       statement["Principal"] << { bucket_prefix => grantee["identifier"] }
                     else
@@ -1177,7 +1214,7 @@ end
                         statement["Resource"] << id+"/*"
                       end
                     else
-                      raise MuError, "Couldn't find a #{target["entity_type"]} named #{target["identifier"]} when generating IAM policy"
+                      raise MuError, "Couldn't find a #{target["type"]} named #{target["identifier"]} when generating IAM policy"
                     end
                   else
                     target["identifier"] += target["path"] if target["path"]

data/modules/mu/{clouds → providers}/aws/search_domain.rb RENAMED

@@ -22,9 +22,9 @@ module MU
         # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
         def initialize(**args)
           super
-          if @cloud_id and !@config['domain_name']
-            @config['domain_name'] = @cloud_id
-          end
+          describe if @mu_name and !@deploydata
+          @cloud_id ||= @deploydata['domain_name'] if @deploydata
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
@@ -35,7 +35,8 @@ module MU
           params = genParams
           MU.log "Creating ElasticSearch domain #{@config['domain_name']}", details: params
-          MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @config['credentials']).create_elasticsearch_domain(params).domain_status
+          @cloud_id = @config['domain_name']
+          MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).create_elasticsearch_domain(params).domain_status
           tagDomain
@@ -44,17 +45,18 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def groom
           tagDomain
-          @config['domain_name'] ||= @deploydata['domain_name']
+          @config['domain_name'] ||= @cloud_id
           params = genParams(cloud_desc) # get parameters that would change only
           if params.size > 1
             waitWhileProcessing # wait until the create finishes, if still going
             MU.log "Updating ElasticSearch domain #{@config['domain_name']}", MU::NOTICE, details: params
-            MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @config['credentials']).update_elasticsearch_domain_config(params)
+            MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).update_elasticsearch_domain_config(params)
           end
           waitWhileProcessing # don't return until creation/updating is complete
+          MU.log "Search Domain #{@config['name']}: #{cloud_desc.endpoint}", MU::SUMMARY
         end
         @cloud_desc_cache = nil
@@ -63,31 +65,30 @@ module MU
         # our druthers.
         def cloud_desc(use_cache: true)
           return @cloud_desc_cache if @cloud_desc_cache and use_cache
-          @cloud_desc_cache = if @config['domain_name']
-            MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @config['credentials']).describe_elasticsearch_domain(
-              domain_name: @config['domain_name']
+          @cloud_id ||= @config['domain_name']
+          return nil if !@cloud_id
+          MU.retrier([::Aws::ElasticsearchService::Errors::ResourceNotFoundException], wait: 10, max: 12) {
+            @cloud_desc_cache = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).describe_elasticsearch_domain(
+              domain_name: @cloud_id
             ).domain_status
-          elsif @deploydata and @deploydata['domain_name']
-            MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @config['credentials']).describe_elasticsearch_domain(
-              domain_name: @deploydata['domain_name']
-            ).domain_status
-          else
-            raise MuError, "#{@mu_name} can't find its official Elasticsearch domain name!"
-          end
+          }
           @cloud_desc_cache
         end
         # Canonical Amazon Resource Number for this resource
         # @return [String]
         def arn
-          cloud_desc.arn
+          return nil if !cloud_desc
+          cloud_desc.arn.dup
         end
         # Return the metadata for this SearchDomain rule
         # @return [Hash]
         def notify
-          deploy_struct = MU.structToHash(cloud_desc)
-          tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @config['credentials']).list_tags(arn: deploy_struct[:arn]).tag_list
+          return nil if !cloud_desc(use_cache: false)
+          deploy_struct = MU.structToHash(cloud_desc, stringify_keys: true)
+          tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).list_tags(arn: arn).tag_list
           deploy_struct['tags'] = tags.map { |t| { t.key => t.value } }
           if deploy_struct['endpoint']
             deploy_struct['kibana'] = deploy_struct['endpoint']+"/_plugin/kibana/"
@@ -119,7 +120,7 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           MU.log "AWS::SearchDomain.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           list = MU::Cloud::AWS.elasticsearch(region: region, credentials: credentials).list_domain_names
@@ -135,7 +136,7 @@ module MU
                 deploy_match = false
                 master_match = false
                 tags.tag_list.each { |tag|
-                  if tag.key == "MU-ID" and tag.value == MU.deploy_id
+                  if tag.key == "MU-ID" and tag.value == deploy_id
                     deploy_match = true
                   elsif tag.key == "MU-MASTER-IP" and tag.value == MU.mu_public_ip
                     master_match = true
@@ -156,8 +157,8 @@ module MU
             begin
               resp = MU::Cloud::AWS.iam(credentials: credentials).list_roles(marker: marker)
               resp.roles.each{ |role|
-                # XXX Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud::AWS::Server.
-#                MU::Cloud::AWS::Server.removeIAMProfile(role.role_name) if role.role_name.match(/^#{Regexp.quote(MU.deploy_id)}/)
+                # XXX Maybe we should have a more generic way to delete IAM profiles and policies. The call itself should be moved from MU::Cloud.resourceClass("AWS", "Server").
+#                MU::Cloud.resourceClass("AWS", "Server").removeIAMProfile(role.role_name) if role.role_name.match(/^#{Regexp.quote(deploy_id)}/)
               }
               marker = resp.marker
             end while resp.is_truncated
@@ -191,6 +192,96 @@ module MU
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(**_args)
+          bok = {
+            "cloud" => "AWS",
+            "credentials" => @credentials,
+            "cloud_id" => @cloud_id,
+            "region" => @config['region']
+          }
+          if !cloud_desc
+            MU.log "toKitten failed to load a cloud_desc from #{@cloud_id}", MU::ERR, details: @config
+            return nil
+          end
+          bok['name'] = cloud_desc.domain_name
+          bok['elasticsearch_version'] = cloud_desc.elasticsearch_version
+          bok['instance_count'] = cloud_desc.elasticsearch_cluster_config.instance_count
+          bok['instance_type'] = cloud_desc.elasticsearch_cluster_config.instance_type
+          bok['zone_aware'] = cloud_desc.elasticsearch_cluster_config.zone_awareness_enabled
+          if cloud_desc.elasticsearch_cluster_config.dedicated_master_enabled
+            bok['dedicated_masters'] = cloud_desc.elasticsearch_cluster_config.dedicated_master_count
+            bok['master_instance_type'] = cloud_desc.elasticsearch_cluster_config.dedicated_master_type
+          end
+          if cloud_desc.access_policies and !cloud_desc.access_policies.empty?
+            bok['access_policies'] = JSON.parse(cloud_desc.access_policies)
+          end
+          if cloud_desc.advanced_options and !cloud_desc.advanced_options.empty?
+            bok['advanced_options'] = cloud_desc.advanced_options
+          end
+          bok['ebs_size'] = cloud_desc.ebs_options.volume_size
+          bok['ebs_type'] = cloud_desc.ebs_options.volume_type
+          bok['ebs_iops'] = cloud_desc.ebs_options.iops if cloud_desc.ebs_options.iops
+          if cloud_desc.snapshot_options and cloud_desc.snapshot_options.automated_snapshot_start_hour
+            bok['snapshot_hour'] = cloud_desc.snapshot_options.automated_snapshot_start_hour
+          end
+          if cloud_desc.cognito_options.user_pool_id and
+             cloud_desc.cognito_options.identity_pool_id
+            bok['user_pool_id'] = cloud_desc.cognito_options.user_pool_id
+            bok['identity_pool_id'] = cloud_desc.cognito_options.identity_pool_id
+          end
+          tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).list_tags(arn: cloud_desc.arn).tag_list
+          if tags and !tags.empty?
+            bok['tags'] = MU.structToHash(tags)
+          end
+          if cloud_desc.vpc_options
+            bok['vpc'] = MU::Config::Ref.get(
+              id: cloud_desc.vpc_options.vpc_id,
+              cloud: "AWS",
+              credentials: @credentials,
+              type: "vpcs",
+              region: @config['region'],
+              subnets: cloud_desc.vpc_options.subnet_ids.map { |s| { "subnet_id" => s } }
+            )
+            if cloud_desc.vpc_options.security_group_ids and
+               !cloud_desc.vpc_options.security_group_ids.empty?
+              bok['add_firewall_rules'] = cloud_desc.vpc_options.security_group_ids.map { |sg|
+                MU::Config::Ref.get(
+                  id: sg,
+                  cloud: "AWS",
+                  credentials: @credentials,
+                  region: @config['region'],
+                  type: "firewall_rules",
+                )
+              }
+            end
+          end
+          if cloud_desc.log_publishing_options
+            # XXX this is primitive... there are multiple other log types now,
+            # and this should be a Ref blob, not a flat string
+            cloud_desc.log_publishing_options.each_pair { |type, whither|
+              if type == "SEARCH_SLOW_LOGS"
+                bok['slow_logs'] = whither.cloud_watch_logs_log_group_arn
+              end
+            }
+          end
+          bok
+        end
         # Cloud-specific configuration properties.
         # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
@@ -200,7 +291,7 @@ module MU
           versions = begin
             MU::Cloud::AWS.elasticsearch.list_elasticsearch_versions.elasticsearch_versions
           rescue MuError
-            ["7.1", "6.8", "6.7", "6.5", "6.4", "6.3", "6.2", "6.0", "5.6"]
+            ["7.4", "7.1", "6.8", "6.7", "6.5", "6.4", "6.3", "6.2", "6.0", "5.6"]
           end
           instance_types = begin
             MU::Cloud::AWS.elasticsearch.list_elasticsearch_instance_types(
@@ -215,6 +306,8 @@ module MU
             ).elasticsearch_instance_types
           end
+          polschema = MU::Config::Role.schema["properties"]["policies"]
+          polschema.deep_merge!(MU::Cloud.resourceClass("AWS", "Role").condition_schema)
           schema = {
             "name" => {
@@ -236,9 +329,10 @@ module MU
               "default" => 0,
               "description" => "Separate, dedicated master node(s), over and above the search instances specified in instance_count."
             },
+            "policies" => polschema,
             "access_policies" => {
               "type" => "object",
-              "description" => "An IAM policy document for access to ElasticSearch. Our parser expects this to be defined inline like the rest of your YAML/JSON Basket of Kittens, not as raw JSON. For guidance on ElasticSearch IAM capabilities, see: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html"
+              "description" => "An IAM policy document for access to ElasticSearch (see {policies} for setting complex access policies with runtime dependencies). Our parser expects this to be defined inline like the rest of your YAML/JSON Basket of Kittens, not as raw JSON. For guidance on ElasticSearch IAM capabilities, see: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html"
             },
             "master_instance_type" => {
               "type" => "string",
@@ -246,7 +340,7 @@ module MU
             },
             "ebs_type" => {
               "type" => "string",
-              "default" => "standard",
+              "default" => "gp2",
               "description" => "Type of EBS storage to use for cluster nodes. If 'none' is specified, EBS storage will not be used, but this is only valid for certain instance types.",
               "enum" => ["standard", "gp2", "io1", "none"]
             },
@@ -378,9 +472,9 @@ module MU
           if dom['slow_logs']
             if configurator.haveLitterMate?(dom['slow_logs'], "log")
-              dom['dependencies'] << { "name" => dom['slow_logs'], "type" => "log" }
+              MU::Config.addDependency(dom, dom['slow_logs'], "log")
             else
-              log_group = MU::Cloud::AWS::Log.find(cloud_id: dom['slow_logs'], region: dom['region']).values.first
+              log_group = MU::Cloud.resourceClass("AWS", "Log").find(cloud_id: dom['slow_logs'], region: dom['region']).values.first
               if !log_group
                 MU.log "Specified slow_logs CloudWatch log group '#{dom['slow_logs']}' in SearchDomain '#{dom['name']}' doesn't appear to exist", MU::ERR
                 ok = false
@@ -395,7 +489,7 @@ module MU
               "credentials" => dom['credentials']
             }
             ok = false if !configurator.insertKitten(log_group, "logs")
-            dom['dependencies'] << { "name" => dom['slow_logs'], "type" => "log" }
+            MU::Config.addDependency(dom, dom['slow_logs'], "log")
           end
           if dom['advanced_options']
@@ -456,12 +550,7 @@ module MU
                 ]
               }
               configurator.insertKitten(roledesc, "roles")
-              dom['dependencies'] ||= []
-              dom['dependencies'] << {
-                "type" => "role",
-                "name" => dom['name']+"cognitorole"
-              }
+              MU::Config.addDependency(dom, dom['name']+"cognitorole", "role")
             end
           end
@@ -514,9 +603,51 @@ module MU
             params[:snapshot_options][:automated_snapshot_start_hour] = @config['snapshot_hour']
           end
-          if @config['access_policies']
-            # TODO check against ext.access_policies.options
-            params[:access_policies] = JSON.generate(@config['access_policies'])
+          if ext
+            # Despite being called access_policies, this parameter actually
+            # only accepts one policy. So, we'll munge everything we have
+            # together into one policy with multiple Statements.
+            policy = nil
+            # TODO check against ext.access_policy.options
+            if @config['access_policies']
+              policy = @config['access_policies']
+              # ensure the "Statement" key is cased in a predictable way
+              statement_key = nil
+              policy.each_pair { |k, v|
+                if k.downcase == "statement" and k != "Statement"
+                  statement_key = k
+                  break
+                end
+              }
+              if statement_key
+                policy["Statement"] = policy.delete(statement_key)
+              end
+              if !policy["Statement"].is_a?(Array)
+                policy["Statement"] = [policy["Statement"]]
+              end
+            end
+            if @config['policies']
+              @config['policies'].each { |p|
+                p['targets'].each { |t|
+                  if t['path']
+                    t['path'].gsub!(/#SELF/, @mu_name.downcase)
+                  end
+                }
+                parsed = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument([p], deploy_obj: @deploy, bucket_style: true).first.values.first
+                if policy and policy["Statement"]
+                  policy["Statement"].concat(parsed["Statement"])
+                else
+                  policy = parsed
+                end
+              }
+            end
+            if policy
+              params[:access_policies] = JSON.generate(policy)
+            end
           end
           if @config['slow_logs']
@@ -525,7 +656,7 @@ module MU
               arn = @config['slow_logs']
             else
               log_group = @deploy.findLitterMate(type: "log", name: @config['slow_logs'])
-              log_group = MU::Cloud::AWS::Log.find(cloud_id: log_group.mu_name, region: log_group.cloudobj.config['region']).values.first
+              log_group = MU::Cloud.resourceClass("AWS", "Log").find(cloud_id: log_group.mu_name, region: log_group.cloudobj.config['region']).values.first
               if log_group.nil? or log_group.arn.nil?
                 raise MuError, "Failed to retrieve ARN of sibling LogGroup '#{@config['slow_logs']}'"
               end
@@ -552,7 +683,7 @@ module MU
               params[:log_publishing_options]["SEARCH_SLOW_LOGS"] = {}
               params[:log_publishing_options]["SEARCH_SLOW_LOGS"][:enabled] = true
               params[:log_publishing_options]["SEARCH_SLOW_LOGS"][:cloud_watch_logs_log_group_arn] = arn
-              MU::Cloud::AWS::Log.allowService("es.amazonaws.com", arn, @config['region'])
+              MU::Cloud.resourceClass("AWS", "Log").allowService("es.amazonaws.com", arn, @config['region'])
             end
           end
@@ -682,7 +813,7 @@ module MU
             raise MU::MuError, "Can't tag ElasticSearch domain, cloud descriptor came back without an ARN"
           end
-          MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @config['credentials']).add_tags(
+          MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).add_tags(
             arn: domain.arn,
             tag_list: tags
           )
@@ -693,7 +824,7 @@ module MU
           interval = 60
           begin
-            resp = cloud_desc
+            resp = cloud_desc(use_cache: false)
             if (resp.endpoint.nil? or resp.endpoint.empty?) and
                (resp.endpoints.nil? or resp.endpoints.empty?) and