RubyGems - cloud-mu - Versions diffs - 3.1.5 → 3.3.2 - Mend

cloud-mu 3.1.5 → 3.3.2

Files changed (185) hide show

checksums.yaml +4 -4
data/Dockerfile +5 -1
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/tasks/main.yml +16 -0
data/bin/mu-adopt +16 -12
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +2 -1
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +37 -12
data/cloud-mu.gemspec +3 -3
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +1 -1
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/windows-client.rb +25 -22
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +2 -0
data/extras/image-generators/AWS/win2k16.yaml +2 -0
data/extras/image-generators/AWS/win2k19.yaml +2 -0
data/modules/mommacat.ru +1 -1
data/modules/mu.rb +86 -98
data/modules/mu/adoption.rb +373 -58
data/modules/mu/cleanup.rb +214 -303
data/modules/mu/cloud.rb +128 -1733
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +44 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +929 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +169 -0
data/modules/mu/config.rb +123 -81
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +32 -3
data/modules/mu/config/cache_cluster.rb +2 -2
data/modules/mu/config/cdn.rb +100 -0
data/modules/mu/config/collection.rb +1 -1
data/modules/mu/config/container_cluster.rb +7 -2
data/modules/mu/config/database.rb +84 -105
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +5 -4
data/modules/mu/config/doc_helpers.rb +5 -6
data/modules/mu/config/endpoint.rb +2 -1
data/modules/mu/config/firewall_rule.rb +3 -19
data/modules/mu/config/folder.rb +1 -1
data/modules/mu/config/function.rb +17 -8
data/modules/mu/config/group.rb +1 -1
data/modules/mu/config/habitat.rb +1 -1
data/modules/mu/config/job.rb +89 -0
data/modules/mu/config/loadbalancer.rb +57 -11
data/modules/mu/config/log.rb +1 -1
data/modules/mu/config/msg_queue.rb +1 -1
data/modules/mu/config/nosqldb.rb +1 -1
data/modules/mu/config/notifier.rb +8 -19
data/modules/mu/config/ref.rb +92 -14
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +38 -37
data/modules/mu/config/search_domain.rb +1 -1
data/modules/mu/config/server.rb +12 -13
data/modules/mu/config/server_pool.rb +3 -7
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +11 -0
data/modules/mu/config/user.rb +1 -1
data/modules/mu/config/vpc.rb +27 -23
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +90 -90
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +1 -0
data/modules/mu/deploy.rb +34 -20
data/modules/mu/groomer.rb +16 -1
data/modules/mu/groomers/ansible.rb +69 -4
data/modules/mu/groomers/chef.rb +51 -4
data/modules/mu/logger.rb +120 -144
data/modules/mu/master.rb +97 -4
data/modules/mu/mommacat.rb +160 -874
data/modules/mu/mommacat/daemon.rb +23 -14
data/modules/mu/mommacat/naming.rb +110 -3
data/modules/mu/mommacat/search.rb +497 -0
data/modules/mu/mommacat/storage.rb +252 -194
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +258 -57
data/modules/mu/{clouds → providers}/aws/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/aws/bucket.rb +275 -41
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +14 -50
data/modules/mu/providers/aws/cdn.rb +782 -0
data/modules/mu/{clouds → providers}/aws/collection.rb +5 -5
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +95 -84
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +26 -12
data/modules/mu/providers/aws/endpoint.rb +1072 -0
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +39 -32
data/modules/mu/{clouds → providers}/aws/folder.rb +1 -1
data/modules/mu/{clouds → providers}/aws/function.rb +289 -134
data/modules/mu/{clouds → providers}/aws/group.rb +18 -20
data/modules/mu/{clouds → providers}/aws/habitat.rb +3 -3
data/modules/mu/providers/aws/job.rb +466 -0
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +77 -47
data/modules/mu/{clouds → providers}/aws/log.rb +5 -5
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +14 -11
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +96 -5
data/modules/mu/{clouds → providers}/aws/notifier.rb +135 -63
data/modules/mu/{clouds → providers}/aws/role.rb +76 -48
data/modules/mu/{clouds → providers}/aws/search_domain.rb +172 -41
data/modules/mu/{clouds → providers}/aws/server.rb +66 -98
data/modules/mu/{clouds → providers}/aws/server_pool.rb +42 -60
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +21 -38
data/modules/mu/{clouds → providers}/aws/user.rb +12 -16
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/aws/vpc.rb +143 -74
data/modules/mu/{clouds → providers}/aws/vpc_subnet.rb +0 -0
data/modules/mu/{clouds → providers}/azure.rb +13 -0
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
data/modules/mu/{clouds → providers}/azure/server.rb +32 -24
data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
data/modules/mu/{clouds → providers}/cloudformation.rb +10 -0
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +29 -6
data/modules/mu/{clouds → providers}/google/bucket.rb +4 -4
data/modules/mu/{clouds → providers}/google/container_cluster.rb +38 -20
data/modules/mu/{clouds → providers}/google/database.rb +5 -12
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +5 -5
data/modules/mu/{clouds → providers}/google/folder.rb +5 -9
data/modules/mu/{clouds → providers}/google/function.rb +6 -6
data/modules/mu/{clouds → providers}/google/group.rb +9 -17
data/modules/mu/{clouds → providers}/google/habitat.rb +4 -8
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/google/role.rb +50 -31
data/modules/mu/{clouds → providers}/google/server.rb +41 -24
data/modules/mu/{clouds → providers}/google/server_pool.rb +14 -14
data/modules/mu/{clouds → providers}/google/user.rb +34 -24
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +45 -14
data/modules/tests/aws-jobs-functions.yaml +46 -0
data/modules/tests/centos6.yaml +15 -0
data/modules/tests/centos7.yaml +15 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +2 -2
data/modules/tests/eks.yaml +1 -1
data/modules/tests/functions/node-function/lambda_function.js +10 -0
data/modules/tests/functions/python-function/lambda_function.py +12 -0
data/modules/tests/microservice_app.yaml +288 -0
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +1 -1
data/modules/tests/super_complex_bok.yml +2 -2
data/modules/tests/super_simple_bok.yml +3 -5
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +122 -92
data/modules/mu/clouds/aws/database.rb +0 -1974
data/modules/mu/clouds/aws/endpoint.rb +0 -596

data/modules/mu/{clouds → providers}/aws/alarm.rb RENAMED

@@ -124,7 +124,7 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           MU.log "AWS::Alarm.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           MU.log "Placeholder: AWS Alarm artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
           alarms = []
@@ -132,7 +132,7 @@ module MU
           # This can miss alarms in some cases (eg. cache_cluster) so we might want to delete alarms from each API as well.
           MU::Cloud::AWS.cloudwatch(credentials: credentials, region: region).describe_alarms.each { |page|
             page.metric_alarms.map(&:alarm_name).each { |alarm_name|
-              alarms << alarm_name if alarm_name.match(MU.deploy_id)
+              alarms << alarm_name if alarm_name.match(deploy_id)
             }
           }
@@ -321,7 +321,7 @@ module MU
               if !depclass.nil?
                 dimension["depclass"] = depclass
                 if !dimension["name"].nil? and !dimension["name"].empty?
-                  alarm["dependencies"] << { "name" => dimension["name"], "type" => depclass }
+                  MU::Config.addDependency(alarm, dimension["name"], depclass)
                 end
               end
             }

data/modules/mu/{clouds → providers}/aws/bucket.rb RENAMED

@@ -21,6 +21,12 @@ module MU
         @@region_cache = {}
         @@region_cache_semaphore = Mutex.new
+        # Map some filename extensions to mime types. S3 does most of this on
+        # its own, add to this for cases it doesn't cover.
+        MIME_MAP = {
+          ".svg" => "image/svg+xml"
+        }
         # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
         # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
         def initialize(**args)
@@ -81,6 +87,35 @@ module MU
         end
+        # @return [String]
+        def url
+          "https://#{@cloud_id}.s3.amazonaws.com"
+        end
+        # Grant access via our bucket policy to the specified resource
+        # @param principal [String]
+        # @param permissions [Array<String>]
+        # @param paths [Array<String>]
+        def allowPrincipal(principal, permissions: ["GetObject", "ListBucket"], paths: [""], doc_id: nil, name: nil)
+          @config['policies'] ||= []
+          name ||= principal.sub(/.*?([0-9a-z\-_]+)$/i, '\1')
+          @config['policies'] << {
+            "name" => name,
+            "grant_to" => [ { "identifier" => principal } ],
+            "permissions" => permissions.map { |p| "s3:"+p },
+            "flag" => "allow",
+            "targets" => paths.map { |p|
+              {
+                "path" => p,
+                "type" => "bucket",
+                "identifier" => @config['name']
+              }
+            }
+          }
+          applyPolicies(doc_id: doc_id)
+        end
         # Called automatically by {MU::Deploy#createResources}
         def groom
@@ -90,20 +125,46 @@ module MU
           tagBucket if !@config['scrub_mu_isms']
           current = cloud_desc
-          if @config['policies']
-            @config['policies'].each { |pol|
-              pol['grant_to'] ||= [
-                { "id" => "*" }
-              ]
-            }
+          applyPolicies if @config['policies']
+          if @config['versioning'] and current["versioning"].status != "Enabled"
+            MU.log "Enabling versioning on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              bucket: @cloud_id,
+              versioning_configuration: {
+                mfa_delete: "Disabled",
+                status: "Enabled"
+              }
+            )
+          elsif !@config['versioning'] and current["versioning"].status == "Enabled"
+            MU.log "Suspending versioning on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              bucket: @cloud_id,
+              versioning_configuration: {
+                mfa_delete: "Disabled",
+                status: "Suspended"
+              }
+            )
+          end
-            policy_docs = MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy, bucket_style: true)
-            policy_docs.each { |doc|
-              MU.log "Applying S3 bucket policy #{doc.keys.first} to bucket #{@cloud_id}", MU::NOTICE, details: JSON.pretty_generate(doc.values.first)
-              MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_policy(
-                bucket: @cloud_id,
-                policy: JSON.generate(doc.values.first)
-              )
+          if @config['upload']
+            @config['upload'].each { |batch|
+              urlbase = "s3://"+@cloud_id+batch['destination']
+              urlbase += "/" if urlbase !~ /\/$/
+              upload_me = if File.directory?(batch['source'])
+                Dir[batch['source']+'/**/*'].reject {|d|
+                  File.directory?(d)
+                }.map { |f|
+                  [ f, urlbase+f.sub(/^#{Regexp.quote(batch['source'])}\/?/, '') ]
+                }
+              else
+                batch['source'].match(/([^\/]+)$/)
+                [ [batch['source'], urlbase+Regexp.last_match[1]] ]
+              end
+              Hash[upload_me].each_pair { |file, url|
+                self.class.upload(url, file: file, credentials: @credentials, region: @config['region'], acl: batch['acl'])
+              }
             }
           end
@@ -120,6 +181,23 @@ module MU
                 }
               }
             )
+            ['web_error_object', 'web_index_object'].each { |key|
+              begin
+                MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).head_object(
+                  bucket: @cloud_id,
+                  key: @config[key]
+                )
+              rescue Aws::S3::Errors::NotFound
+                MU.log "Uploading placeholder #{@config[key]} to bucket #{@cloud_id}"
+                MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_object(
+                  acl: "public-read",
+                  bucket: @cloud_id,
+                  key: @config[key],
+                  body: ""
+                )
+              end
+            }
+# XXX check if error and index objs exist, and if not provide placeholders
           elsif !@config['web'] and !current["website"].nil?
             MU.log "Disabling web service on S3 bucket #{@cloud_id}", MU::NOTICE
             MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).delete_bucket_website(
@@ -127,25 +205,38 @@ module MU
             )
           end
-          if @config['versioning'] and current["versioning"].status != "Enabled"
-            MU.log "Enabling versioning on S3 bucket #{@cloud_id}", MU::NOTICE
-            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
-              bucket: @cloud_id,
-              versioning_configuration: {
-                mfa_delete: "Disabled",
-                status: "Enabled"
+          symbolify_keys = Proc.new { |parent|
+            if parent.is_a?(Hash)
+              newhash = {}
+              parent.each_pair { |k, v|
+                newhash[k.to_sym] = symbolify_keys.call(v)
               }
-            )
-          elsif !@config['versioning'] and current["versioning"].status == "Enabled"
-            MU.log "Suspending versioning on S3 bucket #{@cloud_id}", MU::NOTICE
-            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              newhash
+            elsif parent.is_a?(Array)
+              newarr = []
+              parent.each { |child|
+                newarr << symbolify_keys.call(child)
+              }
+              newarr
+            else
+              parent
+            end
+          }
+          if @config['cors']
+            MU.log "Setting CORS rules on #{@cloud_id}", details: @config['cors']
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_cors(
               bucket: @cloud_id,
-              versioning_configuration: {
-                mfa_delete: "Disabled",
-                status: "Suspended"
+              cors_configuration: {
+                cors_rules: symbolify_keys.call(@config['cors'])
               }
             )
           end
+          MU.log "Bucket #{@config['name']}: s3://#{@cloud_id}", MU::SUMMARY
+          if @config['web']
+            MU.log "Bucket #{@config['name']} web access: http://#{@cloud_id}.s3-website-#{@config['region']}.amazonaws.com/", MU::SUMMARY
+          end
         end
         # Upload a file to a bucket.
@@ -160,7 +251,7 @@ module MU
           if file and !file.empty?
             if !File.exist?(file) or !File.readable?(file)
-              raise MuError, "Unable to read #{file} for upload to #{url}"
+              raise MuError, "Unable to read #{file} for upload to #{url} (I'm at #{Dir.pwd}"
             else
               data = File.read(file)
             end
@@ -177,12 +268,19 @@ module MU
           begin
             MU.log "Writing #{path} to S3 bucket #{bucket}"
-            MU::Cloud::AWS.s3(region: region, credentials: credentials).put_object(
+            params = {
               acl: acl,
               bucket: bucket,
               key: path,
               body: data
-            )
+            }
+            MIME_MAP.each_pair { |extension, content_type|
+              if path =~ /#{Regexp.quote(extension)}$/i
+                params[:content_type] = content_type
+              end
+            }
+            MU::Cloud::AWS.s3(region: region, credentials: credentials).put_object(params)
           rescue Aws::S3::Errors => e
             raise MuError, "Got #{e.inspect} trying to write #{path} to #{bucket} (region: #{region}, credentials: #{credentials})"
           end
@@ -207,7 +305,7 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           MU.log "AWS::Bucket.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           resp = MU::Cloud::AWS.s3(credentials: credentials, region: region).list_buckets
@@ -242,7 +340,7 @@ module MU
                 deploy_match = false
                 master_match = false
                 tags.each { |tag|
-                  if tag.key == "MU-ID" and tag.value == MU.deploy_id
+                  if tag.key == "MU-ID" and tag.value == deploy_id
                     deploy_match = true
                   elsif tag.key == "MU-MASTER-IP" and tag.value == MU.mu_public_ip
                     master_match = true
@@ -254,6 +352,21 @@ module MU
                     MU::Cloud::AWS.s3(credentials: credentials, region: region).delete_bucket(bucket: bucket.name)
                   end
                 end
+              rescue Aws::S3::Errors::BucketNotEmpty => e
+                if flags["skipsnapshots"]
+                  del = MU::Cloud::AWS.s3(credentials: credentials, region: region).list_objects(bucket: bucket.name).contents.map { |o| { key: o.key } }
+                  del.concat(MU::Cloud::AWS.s3(credentials: credentials, region: region).list_object_versions(bucket: bucket.name).versions.map { |o| { key: o.key, version_id: o.version_id } })
+                  MU.log "Purging #{del.size.to_s} objects and versions from #{bucket.name}"
+                  begin
+                    batch = del.slice!(0, (del.length >= 1000 ? 1000 : del.length))
+                    MU::Cloud::AWS.s3(credentials: credentials, region: region).delete_objects(bucket: bucket.name, delete: { objects: batch } ) if !noop
+                  end while del.size > 0
+                  retry if !noop
+                else
+                  MU.log "Bucket #{bucket.name} is non-empty, will preserve it and its contents. Use --skipsnapshots to forcibly remove.", MU::WARN
+                end
               rescue Aws::S3::Errors::NoSuchTagSet, Aws::S3::Errors::PermanentRedirect
                 next
               end
@@ -279,9 +392,32 @@ module MU
         def self.find(**args)
           found = {}
+          args[:region] ||= MU::Cloud::AWS.myRegion(args[:credentials])
+          if args[:flags] and args[:flags][:allregions]
+            args[:allregions] = args[:flags][:allregions]
+          end
+          minimal = args[:full] ? false : true
+          location = Proc.new { |name|
+            begin
+              loc_resp = MU::Cloud::AWS.s3(credentials: args[:credentials], region: args[:region]).get_bucket_location(bucket: name)
+              if loc_resp.location_constraint and !loc_resp.location_constraint.empty?
+                loc_resp.location_constraint
+              else
+                nil
+              end
+            rescue Aws::S3::Errors::AccessDenied
+              nil
+            end
+          }
           if args[:cloud_id]
             begin
-              found[args[:cloud_id]] = describe_bucket(args[:cloud_id], minimal: true, credentials: args[:credentials], region: args[:region])
+              found[args[:cloud_id]] = describe_bucket(args[:cloud_id], minimal: minimal, credentials: args[:credentials], region: args[:region])
+              found[args[:cloud_id]]['region'] ||= location.call(args[:cloud_id])
+              found[args[:cloud_id]]['region'] ||= args[:region]
+              found[args[:cloud_id]]['name'] ||= args[:cloud_id]
             rescue ::Aws::S3::Errors::NoSuchBucket
             end
           else
@@ -289,11 +425,14 @@ module MU
             if resp and resp.buckets
               resp.buckets.each { |b|
                 begin
-                  loc_resp = MU::Cloud::AWS.s3(credentials: args[:credentials], region: args[:region]).get_bucket_location(bucket: b.name)
-                  if !loc_resp or loc_resp.location_constraint != args[:region]
+                  bucket_region = location.call(b.name)
+                  if !args[:allregions] and bucket_region != args[:region]
                     next
                   end
-                  found[b.name] = describe_bucket(b.name, minimal: true, credentials: args[:credentials], region: args[:region])
+                  bucket_region ||= args[:region]
+                  found[b.name] = describe_bucket(b.name, minimal: minimal, credentials: args[:credentials], region: bucket_region)
+                  found[b.name]["region"] ||= bucket_region
+                  found[b.name]['name'] ||= b.name
                 rescue Aws::S3::Errors::AccessDenied
                 end
               }
@@ -303,22 +442,96 @@ module MU
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(**_args)
+          bok = {
+            "cloud" => "AWS",
+            "credentials" => @config['credentials'],
+            "cloud_id" => @cloud_id
+          }
+if @cloud_id =~ /espier/i
+  MU.log @cloud_id, MU::WARN, details: cloud_desc
+end
+          if !cloud_desc
+            MU.log "toKitten failed to load a cloud_desc from #{@cloud_id}", MU::ERR, details: @config
+            return nil
+          end
+          nil
+        end
         # Cloud-specific configuration properties.
         # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(_config)
           toplevel_required = []
           schema = {
-            "policies" => MU::Cloud::AWS::Role.condition_schema,
-            "acl" => {
-              "type" => "string",
-              "enum" => ["private", "public-read", "public-read-write", "authenticated-read"],
-              "default" => "private"
+            "policies" => MU::Cloud.resourceClass("AWS", "Role").condition_schema,
+            "upload" => {
+              "items" => {
+                "properties" => {
+                  "acl" => {
+                    "type" => "string",
+                    "enum" => ["private", "public-read", "public-read-write", "authenticated-read"],
+                    "default" => "private"
+                  }
+                }
+              }
             },
             "storage_class" => {
               "type" => "string",
               "enum" => ["STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER"],
               "default" => "STANDARD"
+            },
+            "cors" => {
+              "type" => "array",
+              "items" => {
+                "type" => "object",
+                "description" => "AWS S3 Cross-origin resource sharing policy",
+                "required" => ["allowed_origins"],
+                "properties" => {
+                  "allowed_headers" => {
+                    "type" => "array",
+                    "default" => ["*"],
+                    "items" => {
+                      "type" => "string",
+                      "description" => "Specifies which headers are allowed in a preflight request through the +Access-Control-Request-Headers+ header."
+                    }
+                  },
+                  "allowed_methods" => {
+                    "type" => "array",
+                    "default" => ["GET"],
+                    "items" => {
+                      "type" => "string",
+                      "enum" => %w{GET PUT POST DELETE HEAD},
+                      "description" => "Specifies which HTTP methods for which cross-domain request are permitted"
+                    }
+                  },
+                  "allowed_origins" => {
+                    "type" => "array",
+                    "items" => {
+                      "type" => "string",
+                      "description" => "Origins (in URL form) for which cross-domain request are permitted"
+                    }
+                  },
+                  "expose_headers" => {
+                    "type" => "array",
+                    "items" => {
+                      "type" => "string",
+                      "description" => "Headers in the response which should be visible to the requesting application"
+                    }
+                  },
+                  "max_age_seconds" => {
+                    "type" => "integer",
+                    "default" => 3600,
+                    "description" => "Maximum cache time for preflight requests"
+                  }
+                }
+              }
             }
           }
           [toplevel_required, schema]
@@ -384,6 +597,27 @@ module MU
           desc
         end
+        private
+        def applyPolicies(doc_id: nil)
+          return if !@config['policies']
+          @config['policies'].each { |pol|
+            pol['grant_to'] ||= [
+              { "id" => "*" }
+            ]
+          }
+          policy_docs = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument(@config['policies'], deploy_obj: @deploy, bucket_style: true, version: "2008-10-17", doc_id: doc_id)
+          policy_docs.each { |doc|
+            MU.log "Applying S3 bucket policy #{doc.keys.first} to bucket #{@cloud_id}", MU::NOTICE, details: JSON.pretty_generate(doc.values.first)
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_policy(
+              bucket: @cloud_id,
+              policy: JSON.generate(doc.values.first)
+            )
+          }
+        end
       end
     end
   end