cloud-mu 3.1.4 → 3.3.1

data/modules/mu/{clouds → providers}/google/habitat.rb

@@ -61,7 +61,7 @@ module MU
           if @config['parent']['name'] and !@config['parent']['id']
             @config['parent']['deploy_id'] = @deploy.deploy_id
           end
-          parent = MU::Cloud::Google::Folder.resolveParent(@config['parent'], credentials: @config['credentials'])
+          parent = MU::Cloud.resourceClass("Google", "Folder").resolveParent(@config['parent'], credentials: @config['credentials'])
           if !parent
             MU.log "Unable to resolve parent resource of Google Project #{@config['name']}", MU::ERR, details: @config['parent']
             raise "Unable to resolve parent resource of Google Project #{@config['name']}"
@@ -222,7 +222,7 @@ module MU
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           resp = MU::Cloud::Google.resource_manager(credentials: credentials).list_projects
 
           if resp and resp.projects
@@ -285,7 +285,7 @@ module MU
               next if p.lifecycle_state == "DELETE_REQUESTED"
               found[p.project_id] = p
             }
-            @@list_projects_cache = found
+            @@list_projects_cache = found.clone
           end
 
           found
@@ -376,11 +376,7 @@ module MU
           end
 
           if habitat['parent'] and habitat['parent']['name'] and !habitat['parent']['deploy_id'] and configurator.haveLitterMate?(habitat['parent']['name'], "folders")
-            habitat["dependencies"] ||= []
-            habitat["dependencies"] << {
-              "type" => "folder",
-              "name" => habitat['parent']['name']
-            }
+            MU::Config.addDependency(habitat, habitat['parent']['name'], "folder")
           end
 
           ok

data/modules/mu/{clouds → providers}/google/loadbalancer.rb

@@ -146,9 +146,9 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: nil, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: nil, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
           filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
           if !ignoremaster and MU.mu_public_ip
             filter += %Q{ AND (labels.mu-master-ip = "#{MU.mu_public_ip.gsub(/\./, "_")}")}
@@ -159,7 +159,7 @@ module MU
             ["forwarding_rule", "region_backend_service"].each { |type|
               MU::Cloud::Google.compute(credentials: credentials).delete(
                 type,
-                flags["project"],
+                flags["habitat"],
                 region,
                 noop
               )
@@ -170,7 +170,7 @@ module MU
             ["global_forwarding_rule", "target_http_proxy", "target_https_proxy", "url_map", "backend_service", "health_check", "http_health_check", "https_health_check"].each { |type|
               MU::Cloud::Google.compute(credentials: credentials).delete(
                 type,
-                flags["project"],
+                flags["habitat"],
                 nil,
                 noop
               )

data/modules/mu/{clouds → providers}/google/role.rb

@@ -271,13 +271,13 @@ module MU
           my_org = MU::Cloud::Google.getOrg(credentials)
           if my_org
             scopes["organizations"] = [my_org.name]
-            folders = MU::Cloud::Google::Folder.find(credentials: credentials)
+            folders = MU::Cloud.resourceClass("Google", "Folder").find(credentials: credentials)
             if folders and folders.size > 0
               scopes["folders"] = folders.keys
             end
           end
 
-          projects = MU::Cloud::Google::Habitat.find(credentials: credentials)
+          projects = MU::Cloud.resourceClass("Google", "Habitat").find(credentials: credentials)
           if projects and projects.size > 0
             scopes["projects"] = projects.keys
           end
@@ -407,12 +407,12 @@ module MU
                 # email field (which is the "real" id most of the time)
                 real_id = nil
                 if entity_type == "group"
-                  found = MU::Cloud::Google::Group.find(cloud_id: entity_id, credentials: credentials)
+                  found = MU::Cloud.resourceClass("Google", "Group").find(cloud_id: entity_id, credentials: credentials)
                   if found[entity_id]
                     real_id = found[entity_id].id
                   end
                 elsif entity_type == "user"
-                  found = MU::Cloud::Google::User.find(cloud_id: entity_id, credentials: credentials)
+                  found = MU::Cloud.resourceClass("Google", "User").find(cloud_id: entity_id, credentials: credentials)
                   if found[entity_id]
                     real_id = found[entity_id].id
                   end
@@ -465,7 +465,7 @@ module MU
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           customer = MU::Cloud::Google.customerID(credentials)
           my_org = MU::Cloud::Google.getOrg(credentials)
 
@@ -563,7 +563,7 @@ module MU
           if args[:project]
             canned = Hash[MU::Cloud::Google.iam(credentials: args[:credentials]).list_roles.roles.map { |r| [r.name, r] }]
             begin
-              MU::Cloud::Google::Habitat.bindings(args[:project], credentials: args[:credentials]).each { |binding|
+              MU::Cloud.resourceClass("Google", "Habitat").bindings(args[:project], credentials: args[:credentials]).each { |binding|
                 found[binding.role] = canned[binding.role]
               }
             rescue ::Google::Apis::ClientError => e
@@ -591,10 +591,15 @@ module MU
                bindings['by_scope']['projects'][args[:project]]
               bindings['by_scope']['projects'][args[:project]].keys.each { |r|
                 if r.match(/^roles\//)
-                  role = MU::Cloud::Google.iam(credentials: args[:credentials]).get_role(r)
-                  found[role.name] = role
+                  begin
+                    role = MU::Cloud::Google.iam(credentials: args[:credentials]).get_role(r)
+                    found[role.name] = role
+                  rescue ::Google::Apis::ClientError => e
+                    raise e if !e.message.match(/(?:forbidden|notFound): /)
+                    MU.log "Failed  MU::Cloud::Google.iam(credentials: #{args[:credentials]}).get_role(#{r})", MU::WARN, details: e.message
+                  end
                 elsif !found[r]
-                  MU.log "NEED TO GET #{r}", MU::WARN
+#                  MU.log "NEED TO GET #{r}", MU::WARN
                 end
               }
             end
@@ -688,7 +693,7 @@ module MU
               ids, _names, _privs = MU::Cloud::Google::Role.privilege_service_to_name(@config['credentials'])
               cloud_desc.role_privileges.each { |priv|
                 if !ids[priv.service_id]
-                  MU.log "Role privilege defined for a service id with no name I can find, writing with raw id", MU::WARN, details: priv
+                  MU.log "Role privilege defined for a service id with no name I can find, writing with raw id", MU::DEBUG, details: priv
                   bok["import"] << priv.service_id+"/"+priv.privilege_name
                 else
                   bok["import"] << ids[priv.service_id]+"/"+priv.privilege_name
@@ -731,26 +736,45 @@ module MU
                 bindings[scopetype].each_pair { |scope_id, entity_types|
                   # If we've been given a habitat filter, skip over bindings
                   # that don't match it.
-                  if scopetype == "projects" and args[:habitats] and
-                     !args[:habitats].empty? and
-                     !args[:habitats].include?(scope_id)
-                    next
+                  if scopetype == "projects"
+                    if (args[:habitats] and !args[:habitats].empty? and
+                       !args[:habitats].include?(scope_id)) or
+                       !MU::Cloud::Google.listHabitats(@credentials).include?(scope_id)
+                      next
+                    end
                   end
 
                   entity_types.each_pair { |entity_type, entities|
                     mu_entitytype = (entity_type == "serviceAccount" ? "user" : entity_type)+"s"
                     entities.each { |entity|
+                      next if entity.nil?
+                      foreign = if entity_type == "serviceAccount" and entity.match(/@(.*?)\.iam\.gserviceaccount\.com/)
+                        !MU::Cloud::Google.listHabitats(@credentials).include?(Regexp.last_match[1])
+                      end
+
                       entity_ref = if entity_type == "organizations"
                         { "id" => ((org == my_org.name and @config['credentials']) ? @config['credentials'] : org) }
                       elsif entity_type == "domain"
                         { "id" => entity }
                       else
+                        shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(mu_entitytype)
+                        if args[:types].include?(shortclass) and
+                           !(entity_type == "serviceAccount" and
+                             MU::Cloud::Google::User.cannedServiceAcctName?(entity))
+                          MU.log "Role #{@cloud_id}: Skipping #{shortclass} binding for #{entity}; we are adopting that type and will set bindings from that resource", MU::DEBUG
+                          next
+                        end
+
                         MU::Config::Ref.get(
                           id: entity,
                           cloud: "Google",
                           type: mu_entitytype
                         )
                       end
+                      if entity_ref.nil?
+                        MU.log "I somehow ended up with a nil entity reference for #{entity_type} #{entity}", MU::ERR, details: [ bok, bindings ]
+                        next
+                      end
                       refmap ||= {}
                       refmap[entity_ref] ||= {}
                       refmap[entity_ref][scopetype] ||= []
@@ -769,6 +793,7 @@ module MU
                   }
                 }
               }
+
               bok["bindings"] ||= []
               refmap.each_pair { |entity, scopes|
                 newbinding = { "entity" => entity }
@@ -891,7 +916,7 @@ module MU
                 end
 
                 role = MU::Cloud::Google.admin_directory(credentials: credentials).get_role(MU::Cloud::Google.customerID(credentials), binding.role_id)
-                MU.log "Failed to find entity #{binding.assigned_to} referenced in GSuite/Cloud Identity binding to role #{role.role_name}", MU::WARN, details: role
+                MU.log "Failed to find entity #{binding.assigned_to} referenced in GSuite/Cloud Identity binding to role #{role.role_name}", MU::DEBUG, details: role
               }
 
               resp = MU::Cloud::Google.resource_manager(credentials: credentials).get_organization_iam_policy(my_org.name)
@@ -899,15 +924,17 @@ module MU
                 insertBinding("organizations", my_org.name, binding)
               }
 
-              MU::Cloud::Google::Folder.find(credentials: credentials).keys.each { |folder|
-                MU::Cloud::Google::Folder.bindings(folder, credentials: credentials).each { |binding|
+              MU::Cloud.resourceClass("Google", "Folder").find(credentials: credentials).keys.each { |folder|
+                folder_bindings = MU::Cloud.resourceClass("Google", "Folder").bindings(folder, credentials: credentials)
+                next if !folder_bindings
+                folder_bindings.each { |binding|
                   insertBinding("folders", folder, binding)
                 }
               }
             end
-            MU::Cloud::Google::Habitat.find(credentials: credentials).keys.each { |project|
+            MU::Cloud::Google.listHabitats(credentials).each { |project|
               begin
-                MU::Cloud::Google::Habitat.bindings(project, credentials: credentials).each { |binding|
+                MU::Cloud.resourceClass("Google", "Habitat").bindings(project, credentials: credentials).each { |binding|
                   insertBinding("projects", project, binding)
                 }
               rescue ::Google::Apis::ClientError => e
@@ -1090,7 +1117,7 @@ If this value is not specified, and the role name matches the name of an existin
                 MU.log "None of the directory service privileges available to credentials #{role['credentials']} map to the ones declared for role #{role['name']}", MU::ERR, details: role['import'].sort
                 ok = false
               elsif missing.size > 0
-                MU.log "Some directory service privileges declared for role #{role['name']} aren't available to credentials #{role['credentials']}, will skip", MU::WARN, details: missing
+                MU.log "Some directory service privileges declared for role #{role['name']} aren't available to credentials #{role['credentials']}, will skip", MU::DEBUG, details: missing
               end
             end
           end
@@ -1105,11 +1132,7 @@ If this value is not specified, and the role name matches the name of an existin
           if role['role_source'] == "project"
             role['project'] ||= MU::Cloud::Google.defaultProject(role['credentials'])
             if configurator.haveLitterMate?(role['project'], "habitats")
-              role['dependencies'] ||= []
-              role['dependencies'] << {
-                "type" => "habitat",
-                "name" => role['project']
-              }
+              MU::Config.addDependency(role, role['project'], "habitat")
             end
           end
 
@@ -1117,14 +1140,10 @@ If this value is not specified, and the role name matches the name of an existin
             role['bindings'].each { |binding|
               if binding['entity'] and binding['entity']['name'] and 
                  configurator.haveLitterMate?(binding['entity']['name'], binding['entity']['type'])
-                role['dependencies'] ||= []
-                role['dependencies'] << {
-                  "type" => binding['entity']['type'].sub(/s$/, ''),
-                  "name" => binding['entity']['name']
-                }
-
+                MU::Config.addDependency(role, binding['entity']['name'], binding['entity']['type'])
               end
             }
+            role['bindings'].uniq!
           end
 
           ok

data/modules/mu/{clouds → providers}/google/server.rb

@@ -164,19 +164,26 @@ module MU
         def self.diskConfig(config, create = true, disk_as_url = true, credentials: nil)
           disks = []
           if config['image_id'].nil? and config['basis'].nil?
-            pp config.keys
             raise MuError, "Can't generate disk configuration for server #{config['name']} without an image ID or basis specified"
           end
 
           img = fetchImage(config['image_id'] || config['basis']['launch_config']['image_id'], credentials: credentials)
 
-# XXX slurp settings from /dev/sda or w/e by convention?
+#          if img.source_disk and img.source_disk.match(/projects\/([^\/]+)\/zones\/([^\/]+)\/disks\/(.*)/)
+#            _junk, proj, az, name = Regexp.last_match
+#            disk_desc = MU::Cloud::Google.compute(credentials: credentials).get_disk(proj, az, name)
+#            pp disk_desc
+#            raise "nah"
+#          end
+
           disktype = "projects/#{config['project']}/zones/#{config['availability_zone']}/diskTypes/pd-standard"
-          disktype = "pd-standard" if !disk_as_url
-# disk_type: projects/project/zones/#{config['availability_zone']}/diskTypes/pd-standard Other values include pd-ssd and local-ssd
+
+
+          disktype.gsub!(/.*?\/([^\/])$/, '\1') if !disk_as_url
+
           imageobj = MU::Cloud::Google.compute(:AttachedDiskInitializeParams).new(
             source_image: img.self_link,
-            disk_size_gb: 10, # this is binary? 2gb, that says
+            disk_size_gb: img.disk_size_gb,
             disk_type: disktype,
           )
           disks << MU::Cloud::Google.compute(:AttachedDisk).new(
@@ -329,7 +336,7 @@ next if !create
             end
             metadata["startup-script"] = @userdata if @userdata and !@userdata.empty?
 
-            deploykey = @config['ssh_user']+":"+@deploy.ssh_public_key
+            deploykey = @config["ssh_user"]+":"+@deploy.ssh_public_key
             if metadata["ssh-keys"]
               metadata["ssh-keys"] += "\n"+deploykey
             else
@@ -485,7 +492,7 @@ next if !create
           return nil if @config.nil? or @deploy.nil?
 
           nat_ssh_key = nat_ssh_user = nat_ssh_host = nil
-          if !@config["vpc"].nil? and !MU::Cloud::Google::VPC.haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
+          if !@config["vpc"].nil? and !MU::Cloud.resourceClass("Google", "VPC").haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
 
             if !@nat.nil?
               if @nat.cloud_desc.nil?
@@ -502,7 +509,8 @@ next if !create
 
           if @config['ssh_user'].nil?
             if windows?
-              @config['ssh_user'] = "Administrator"
+              @config['ssh_user'] = @config['windows_admin_user']
+              @config['ssh_user'] ||= "Administrator"
             else
               @config['ssh_user'] = "root"
             end
@@ -615,7 +623,7 @@ next if !create
           end
 
           _nat_ssh_key, _nat_ssh_user, nat_ssh_host, _canonical_ip, _ssh_user, _ssh_key_name = getSSHConfig
-          if !nat_ssh_host and !MU::Cloud::Google::VPC.haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
+          if !nat_ssh_host and !MU::Cloud.resourceClass("Google", "VPC").haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
 # XXX check if canonical_ip is in the private ranges
 #            raise MuError, "#{node} has no NAT host configured, and I have no other route to it"
           end
@@ -800,29 +808,6 @@ next if !create
 
 #          punchAdminNAT
 
-#          MU::Cloud::AWS::Server.tagVolumes(@cloud_id)
-
-          # If we have a loadbalancer configured, attach us to it
-#          if !@config['loadbalancers'].nil?
-#            if @loadbalancers.nil?
-#              raise MuError, "#{@mu_name} is configured to use LoadBalancers, but none have been loaded by dependencies()"
-#            end
-#            @loadbalancers.each { |lb|
-#              lb.registerNode(@cloud_id)
-#            }
-#          end
-
-          # Let us into any databases we depend on.
-          # This is probelmtic with autscaling - old ips are not removed, and access to the database can easily be given at the BoK level
-          # if @dependencies.has_key?("database")
-            # @dependencies['database'].values.each { |db|
-              # db.allowHost(@deploydata["private_ip_address"]+"/32")
-              # if @deploydata["public_ip_address"]
-                # db.allowHost(@deploydata["public_ip_address"]+"/32")
-              # end
-            # }
-          # end
-
           @groomer.saveDeployData
 
           begin
@@ -1007,7 +992,7 @@ next if !create
           # Our deploydata gets corrupted often with server pools, this will cause us to use the wrong IP to identify a node
           # which will cause us to create certificates, DNS records and other artifacts with incorrect information which will cause our deploy to fail.
           # The cloud_id is always correct so lets use 'cloud_desc' to get the correct IPs
-          if MU::Cloud::Google::VPC.haveRouteToInstance?(cloud_desc, credentials: @config['credentials']) or public_ips.size == 0
+          if MU::Cloud.resourceClass("Google", "VPC").haveRouteToInstance?(cloud_desc, credentials: @config['credentials']) or public_ips.size == 0
             @config['canonical_ip'] = private_ips.first
             return private_ips.first
           else
@@ -1016,10 +1001,109 @@ next if !create
           end
         end
 
+        # Return all of the IP addresses, public and private, from all of our
+        # network interfaces.
+        # @return [Array<String>]
+        def listIPs
+          ips = []
+          cloud_desc.network_interfaces.each { |iface|
+            ips << iface.network_ip
+            if iface.access_configs
+              iface.access_configs.each { |acfg|
+                ips << acfg.nat_ip if acfg.nat_ip
+              }
+            end
+          }
+          ips
+        end
+
         # return [String]: A password string.
-        def getWindowsAdminPassword
+        def getWindowsAdminPassword(use_cache: true)
+          @config['windows_auth_vault'] ||= {
+            "vault" => @mu_name,
+            "item" => "windows_credentials",
+            "password_field" => "password"
+          }
+
+          if use_cache
+            begin
+              win_admin_password = @groomer.getSecret(
+                vault: @config['windows_auth_vault']['vault'],
+                item: @config['windows_auth_vault']['item'],
+                field: @config["windows_auth_vault"]["password_field"]
+              )
+              return win_admin_password if win_admin_password
+            rescue MU::Groomer::MuNoSuchSecret, MU::Groomer::RunError
+            end
+          end
+
+          require 'openssl/oaep'
+          timeout = 300
+
+          serial_out = nil
+          key = OpenSSL::PKey::RSA.generate 2048
+
+          missing_response = Proc.new {
+            !serial_out or !serial_out.contents or serial_out.contents.empty? or JSON.parse(serial_out.contents)["userName"] != @config['windows_admin_username']
+          }
+
+          did_metadata = false
+          MU.retrier(loop_if: missing_response, wait: 10, max: timeout/10) {
+            serial_out = MU::Cloud::Google.compute(credentials: @credentials).get_instance_serial_port_output(@project_id, @config['availability_zone'], @cloud_id, port: 4)
+
+            if missing_response.call and
+               !cloud_desc(use_cache: false).metadata.items.map { |i| i.key }.include?("windows-keys")
+              keybytes = Base64.decode64(key.public_key.export.gsub(/-----(?:BEGIN|END) PUBLIC KEY-----/, ''))
+              modulus = keybytes.byteslice(33,256)
+              exponent = keybytes.byteslice(291,3)
+              keydata = {
+                "userName" => @config['windows_admin_username'],
+                "modulus" => Base64.strict_encode64(modulus),
+                "exponent" => Base64.strict_encode64(exponent),
+                "email" => MU.muCfg['mu_admin_email'],
+                "expireOn" => (Time.now.utc+timeout).strftime('%Y-%m-%dT%H:%M:%SZ')
+              }
+
+              new_items = cloud_desc.metadata.items.map { |item|
+                MU::Cloud::Google.compute(:Metadata)::Item.new(
+                  key: item.key,
+                  value: item.value
+                )
+              }
+              new_items.reject! { |item| item.key == "windows-keys" }
+              new_items << MU::Cloud::Google.compute(:Metadata)::Item.new(
+                key: "windows-keys",
+                value: JSON.generate(keydata)
+              )
+              new_metadata = MU::Cloud::Google.compute(:Metadata).new(
+                fingerprint: cloud_desc(use_cache: false).metadata.fingerprint,
+                items: new_items
+              )
+
+              MU::Cloud::Google.compute(credentials: @credentials).set_instance_metadata(@project_id, @config['availability_zone'], @cloud_id, new_metadata)
+            end
+          }
+
+          return nil if missing_response.call
+
+          pwdata = JSON.parse(serial_out.contents)
+          if pwdata['encryptedPassword'] and pwdata['userName'] == @config['windows_admin_username']
+            decrypted_pw = key.private_decrypt_oaep(Base64.strict_decode64(pwdata['encryptedPassword']))
+            creds = {
+              "username" => @config['windows_admin_username'],
+              "password" => decrypted_pw,
+              "sshd_username" => "sshd_service",
+              "sshd_password" => decrypted_pw
+            }
+            @groomer.saveSecret(vault: @mu_name, item: "windows_credentials", data: creds, permissions: "name:#{@mu_name}")
+
+            return decrypted_pw
+          end
+
+          nil
         end
 
+
         # Add a volume to this instance
         # @param dev [String]: Device name to use when attaching to instance
         # @param size [String]: Size (in gb) of the new volume
@@ -1206,9 +1290,9 @@ next if !create
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
 
 # XXX make damn sure MU.deploy_id is set
           filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
@@ -1219,13 +1303,12 @@ next if !create
           MU::Cloud::Google.listAZs(region).each { |az|
             disks = []
             resp = MU::Cloud::Google.compute(credentials: credentials).list_instances(
-              flags["project"],
+              flags["habitat"],
               az,
               filter: filter
             )
             if !resp.items.nil? and resp.items.size > 0
               resp.items.each { |instance|
-                saname = instance.tags.items.first.gsub(/[^a-z]/, "") # XXX this nonsense again
                 MU.log "Terminating instance #{instance.name}"
                 if !instance.disks.nil? and instance.disks.size > 0
                   instance.disks.each { |disk|
@@ -1233,17 +1316,21 @@ next if !create
                   }
                 end
                 MU::Cloud::Google.compute(credentials: credentials).delete_instance(
-                  flags["project"],
+                  flags["habitat"],
                   az,
                   instance.name
                 ) if !noop
-                MU.log "Removing service account #{saname}"
-                begin
-                  MU::Cloud::Google.iam(credentials: credentials).delete_project_service_account(
-                    "projects/#{flags["project"]}/serviceAccounts/#{saname}@#{flags["project"]}.iam.gserviceaccount.com"
-                  ) if !noop
-                rescue ::Google::Apis::ClientError => e
-                  raise e if !e.message.match(/^notFound: /)
+                if instance.service_accounts
+                  instance.service_accounts.each { |sa|
+                    MU.log "Removing service account #{sa.email}"
+                    begin
+                      MU::Cloud::Google.iam(credentials: credentials).delete_project_service_account(
+                        "projects/#{flags["habitat"]}/serviceAccounts/#{sa.email}"
+                      ) if !noop
+                    rescue ::Google::Apis::ClientError => e
+                      raise e if !e.message.match(/^notFound: /)
+                    end
+                  }
                 end
 # XXX wait-loop on pending?
 #                pp deletia
@@ -1256,7 +1343,7 @@ next if !create
 # XXX honor snapshotting
             MU::Cloud::Google.compute(credentials: credentials).delete(
               "disk",
-              flags["project"],
+              flags["habitat"],
               az,
               noop
             ) if !noop
@@ -1269,10 +1356,10 @@ next if !create
         def self.schema(config)
           toplevel_required = []
           schema = {
-            "roles" => MU::Cloud::Google::User.schema(config)[1]["roles"],
+            "roles" => MU::Cloud.resourceClass("Google", "User").schema(config)[1]["roles"],
             "windows_admin_username" => {
               "type" => "string",
-              "default" => "Administrator"
+              "default" => "muadmin"
             },
             "create_image" => {
               "properties" => {
@@ -1380,8 +1467,7 @@ next if !create
             foundmatch = false
             MU::Cloud.availableClouds.each { |cloud|
               next if cloud == "Google"
-              cloudbase = Object.const_get("MU").const_get("Cloud").const_get(cloud)
-              foreign_types = (cloudbase.listInstanceTypes).values.first
+              foreign_types = (MU::Cloud.cloudClass(cloud).listInstanceTypes).values.first
               if foreign_types.size == 1
                 foreign_types = foreign_types.values.first
               end
@@ -1438,6 +1524,7 @@ next if !create
           end
 
           if server['service_account']
+            server['service_account'] = server['service_account'].to_h
             server['service_account']['cloud'] = "Google"
             server['service_account']['habitat'] ||= server['project']
             found = MU::Config::Ref.get(server['service_account'])
@@ -1446,12 +1533,12 @@ next if !create
               ok = false
             end
           else
-            server = MU::Cloud::Google::User.genericServiceAccount(server, configurator)
+            server = MU::Cloud.resourceClass("Google", "User").genericServiceAccount(server, configurator)
           end
 
           subnets = nil
           if !server['vpc']
-            vpcs = MU::Cloud::Google::VPC.find(credentials: server['credentials'])
+            vpcs = MU::Cloud.resourceClass("Google", "VPC").find(credentials: server['credentials'])
             if vpcs["default"]
               server["vpc"] ||= {}
               server["vpc"]["vpc_id"] = vpcs["default"].self_link
@@ -1466,7 +1553,7 @@ next if !create
           if !server['vpc']['subnet_id'] and server['vpc']['subnet_name'].nil?
             if !subnets
               if server["vpc"]["vpc_id"]
-                vpcs = MU::Cloud::Google::VPC.find(cloud_id: server["vpc"]["vpc_id"])
+                vpcs = MU::Cloud.resourceClass("Google", "VPC").find(cloud_id: server["vpc"]["vpc_id"])
                 subnets = vpcs["default"].subnetworks.sample
               end
             end