RubyGems - cloud-mu - Versions diffs - 3.1.5 → 3.3.2 - Mend

cloud-mu 3.1.5 → 3.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

checksums.yaml +4 -4
data/Dockerfile +5 -1
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/tasks/main.yml +16 -0
data/bin/mu-adopt +16 -12
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +2 -1
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +37 -12
data/cloud-mu.gemspec +3 -3
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +1 -1
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/windows-client.rb +25 -22
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +2 -0
data/extras/image-generators/AWS/win2k16.yaml +2 -0
data/extras/image-generators/AWS/win2k19.yaml +2 -0
data/modules/mommacat.ru +1 -1
data/modules/mu.rb +86 -98
data/modules/mu/adoption.rb +373 -58
data/modules/mu/cleanup.rb +214 -303
data/modules/mu/cloud.rb +128 -1733
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +44 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +929 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +169 -0
data/modules/mu/config.rb +123 -81
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +32 -3
data/modules/mu/config/cache_cluster.rb +2 -2
data/modules/mu/config/cdn.rb +100 -0
data/modules/mu/config/collection.rb +1 -1
data/modules/mu/config/container_cluster.rb +7 -2
data/modules/mu/config/database.rb +84 -105
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +5 -4
data/modules/mu/config/doc_helpers.rb +5 -6
data/modules/mu/config/endpoint.rb +2 -1
data/modules/mu/config/firewall_rule.rb +3 -19
data/modules/mu/config/folder.rb +1 -1
data/modules/mu/config/function.rb +17 -8
data/modules/mu/config/group.rb +1 -1
data/modules/mu/config/habitat.rb +1 -1
data/modules/mu/config/job.rb +89 -0
data/modules/mu/config/loadbalancer.rb +57 -11
data/modules/mu/config/log.rb +1 -1
data/modules/mu/config/msg_queue.rb +1 -1
data/modules/mu/config/nosqldb.rb +1 -1
data/modules/mu/config/notifier.rb +8 -19
data/modules/mu/config/ref.rb +92 -14
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +38 -37
data/modules/mu/config/search_domain.rb +1 -1
data/modules/mu/config/server.rb +12 -13
data/modules/mu/config/server_pool.rb +3 -7
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +11 -0
data/modules/mu/config/user.rb +1 -1
data/modules/mu/config/vpc.rb +27 -23
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +90 -90
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +1 -0
data/modules/mu/deploy.rb +34 -20
data/modules/mu/groomer.rb +16 -1
data/modules/mu/groomers/ansible.rb +69 -4
data/modules/mu/groomers/chef.rb +51 -4
data/modules/mu/logger.rb +120 -144
data/modules/mu/master.rb +97 -4
data/modules/mu/mommacat.rb +160 -874
data/modules/mu/mommacat/daemon.rb +23 -14
data/modules/mu/mommacat/naming.rb +110 -3
data/modules/mu/mommacat/search.rb +497 -0
data/modules/mu/mommacat/storage.rb +252 -194
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +258 -57
data/modules/mu/{clouds → providers}/aws/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/aws/bucket.rb +275 -41
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +14 -50
data/modules/mu/providers/aws/cdn.rb +782 -0
data/modules/mu/{clouds → providers}/aws/collection.rb +5 -5
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +95 -84
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +26 -12
data/modules/mu/providers/aws/endpoint.rb +1072 -0
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +39 -32
data/modules/mu/{clouds → providers}/aws/folder.rb +1 -1
data/modules/mu/{clouds → providers}/aws/function.rb +289 -134
data/modules/mu/{clouds → providers}/aws/group.rb +18 -20
data/modules/mu/{clouds → providers}/aws/habitat.rb +3 -3
data/modules/mu/providers/aws/job.rb +466 -0
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +77 -47
data/modules/mu/{clouds → providers}/aws/log.rb +5 -5
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +14 -11
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +96 -5
data/modules/mu/{clouds → providers}/aws/notifier.rb +135 -63
data/modules/mu/{clouds → providers}/aws/role.rb +76 -48
data/modules/mu/{clouds → providers}/aws/search_domain.rb +172 -41
data/modules/mu/{clouds → providers}/aws/server.rb +66 -98
data/modules/mu/{clouds → providers}/aws/server_pool.rb +42 -60
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +21 -38
data/modules/mu/{clouds → providers}/aws/user.rb +12 -16
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/aws/vpc.rb +143 -74
data/modules/mu/{clouds → providers}/aws/vpc_subnet.rb +0 -0
data/modules/mu/{clouds → providers}/azure.rb +13 -0
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
data/modules/mu/{clouds → providers}/azure/server.rb +32 -24
data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
data/modules/mu/{clouds → providers}/cloudformation.rb +10 -0
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +29 -6
data/modules/mu/{clouds → providers}/google/bucket.rb +4 -4
data/modules/mu/{clouds → providers}/google/container_cluster.rb +38 -20
data/modules/mu/{clouds → providers}/google/database.rb +5 -12
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +5 -5
data/modules/mu/{clouds → providers}/google/folder.rb +5 -9
data/modules/mu/{clouds → providers}/google/function.rb +6 -6
data/modules/mu/{clouds → providers}/google/group.rb +9 -17
data/modules/mu/{clouds → providers}/google/habitat.rb +4 -8
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/google/role.rb +50 -31
data/modules/mu/{clouds → providers}/google/server.rb +41 -24
data/modules/mu/{clouds → providers}/google/server_pool.rb +14 -14
data/modules/mu/{clouds → providers}/google/user.rb +34 -24
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +45 -14
data/modules/tests/aws-jobs-functions.yaml +46 -0
data/modules/tests/centos6.yaml +15 -0
data/modules/tests/centos7.yaml +15 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +2 -2
data/modules/tests/eks.yaml +1 -1
data/modules/tests/functions/node-function/lambda_function.js +10 -0
data/modules/tests/functions/python-function/lambda_function.py +12 -0
data/modules/tests/microservice_app.yaml +288 -0
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +1 -1
data/modules/tests/super_complex_bok.yml +2 -2
data/modules/tests/super_simple_bok.yml +3 -5
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +122 -92
data/modules/mu/clouds/aws/database.rb +0 -1974
data/modules/mu/clouds/aws/endpoint.rb +0 -596

data/modules/mu/{clouds → providers}/aws/alarm.rb RENAMED

@@ -124,7 +124,7 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           MU.log "AWS::Alarm.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           MU.log "Placeholder: AWS Alarm artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
           alarms = []
@@ -132,7 +132,7 @@ module MU
           # This can miss alarms in some cases (eg. cache_cluster) so we might want to delete alarms from each API as well.
           MU::Cloud::AWS.cloudwatch(credentials: credentials, region: region).describe_alarms.each { |page|
             page.metric_alarms.map(&:alarm_name).each { |alarm_name|
-              alarms << alarm_name if alarm_name.match(MU.deploy_id)
+              alarms << alarm_name if alarm_name.match(deploy_id)
             }
           }
@@ -321,7 +321,7 @@ module MU
               if !depclass.nil?
                 dimension["depclass"] = depclass
                 if !dimension["name"].nil? and !dimension["name"].empty?
-                  alarm["dependencies"] << { "name" => dimension["name"], "type" => depclass }
+                  MU::Config.addDependency(alarm, dimension["name"], depclass)
                 end
               end
             }

data/modules/mu/{clouds → providers}/aws/bucket.rb RENAMED

@@ -21,6 +21,12 @@ module MU
         @@region_cache = {}
         @@region_cache_semaphore = Mutex.new
+        # Map some filename extensions to mime types. S3 does most of this on
+        # its own, add to this for cases it doesn't cover.
+        MIME_MAP = {
+          ".svg" => "image/svg+xml"
+        }
         # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
         # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
         def initialize(**args)
@@ -81,6 +87,35 @@ module MU
         end
+        # @return [String]
+        def url
+          "https://#{@cloud_id}.s3.amazonaws.com"
+        end
+        # Grant access via our bucket policy to the specified resource
+        # @param principal [String]
+        # @param permissions [Array<String>]
+        # @param paths [Array<String>]
+        def allowPrincipal(principal, permissions: ["GetObject", "ListBucket"], paths: [""], doc_id: nil, name: nil)
+          @config['policies'] ||= []
+          name ||= principal.sub(/.*?([0-9a-z\-_]+)$/i, '\1')
+          @config['policies'] << {
+            "name" => name,
+            "grant_to" => [ { "identifier" => principal } ],
+            "permissions" => permissions.map { |p| "s3:"+p },
+            "flag" => "allow",
+            "targets" => paths.map { |p|
+              {
+                "path" => p,
+                "type" => "bucket",
+                "identifier" => @config['name']
+              }
+            }
+          }
+          applyPolicies(doc_id: doc_id)
+        end
         # Called automatically by {MU::Deploy#createResources}
         def groom
@@ -90,20 +125,46 @@ module MU
           tagBucket if !@config['scrub_mu_isms']
           current = cloud_desc
-          if @config['policies']
-            @config['policies'].each { |pol|
-              pol['grant_to'] ||= [
-                { "id" => "*" }
-              ]
-            }
+          applyPolicies if @config['policies']
+          if @config['versioning'] and current["versioning"].status != "Enabled"
+            MU.log "Enabling versioning on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              bucket: @cloud_id,
+              versioning_configuration: {
+                mfa_delete: "Disabled",
+                status: "Enabled"
+              }
+            )
+          elsif !@config['versioning'] and current["versioning"].status == "Enabled"
+            MU.log "Suspending versioning on S3 bucket #{@cloud_id}", MU::NOTICE
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              bucket: @cloud_id,
+              versioning_configuration: {
+                mfa_delete: "Disabled",
+                status: "Suspended"
+              }
+            )
+          end
-            policy_docs = MU::Cloud::AWS::Role.genPolicyDocument(@config['policies'], deploy_obj: @deploy, bucket_style: true)
-            policy_docs.each { |doc|
-              MU.log "Applying S3 bucket policy #{doc.keys.first} to bucket #{@cloud_id}", MU::NOTICE, details: JSON.pretty_generate(doc.values.first)
-              MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_policy(
-                bucket: @cloud_id,
-                policy: JSON.generate(doc.values.first)
-              )
+          if @config['upload']
+            @config['upload'].each { |batch|
+              urlbase = "s3://"+@cloud_id+batch['destination']
+              urlbase += "/" if urlbase !~ /\/$/
+              upload_me = if File.directory?(batch['source'])
+                Dir[batch['source']+'/**/*'].reject {|d|
+                  File.directory?(d)
+                }.map { |f|
+                  [ f, urlbase+f.sub(/^#{Regexp.quote(batch['source'])}\/?/, '') ]
+                }
+              else
+                batch['source'].match(/([^\/]+)$/)
+                [ [batch['source'], urlbase+Regexp.last_match[1]] ]
+              end
+              Hash[upload_me].each_pair { |file, url|
+                self.class.upload(url, file: file, credentials: @credentials, region: @config['region'], acl: batch['acl'])
+              }
             }
           end
@@ -120,6 +181,23 @@ module MU
                 }
               }
             )
+            ['web_error_object', 'web_index_object'].each { |key|
+              begin
+                MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).head_object(
+                  bucket: @cloud_id,
+                  key: @config[key]
+                )
+              rescue Aws::S3::Errors::NotFound
+                MU.log "Uploading placeholder #{@config[key]} to bucket #{@cloud_id}"
+                MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_object(
+                  acl: "public-read",
+                  bucket: @cloud_id,
+                  key: @config[key],
+                  body: ""
+                )
+              end
+            }
+# XXX check if error and index objs exist, and if not provide placeholders
           elsif !@config['web'] and !current["website"].nil?
             MU.log "Disabling web service on S3 bucket #{@cloud_id}", MU::NOTICE
             MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).delete_bucket_website(
@@ -127,25 +205,38 @@ module MU
             )
           end
-          if @config['versioning'] and current["versioning"].status != "Enabled"
-            MU.log "Enabling versioning on S3 bucket #{@cloud_id}", MU::NOTICE
-            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
-              bucket: @cloud_id,
-              versioning_configuration: {
-                mfa_delete: "Disabled",
-                status: "Enabled"
+          symbolify_keys = Proc.new { |parent|
+            if parent.is_a?(Hash)
+              newhash = {}
+              parent.each_pair { |k, v|
+                newhash[k.to_sym] = symbolify_keys.call(v)
               }
-            )
-          elsif !@config['versioning'] and current["versioning"].status == "Enabled"
-            MU.log "Suspending versioning on S3 bucket #{@cloud_id}", MU::NOTICE
-            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_versioning(
+              newhash
+            elsif parent.is_a?(Array)
+              newarr = []
+              parent.each { |child|
+                newarr << symbolify_keys.call(child)
+              }
+              newarr
+            else
+              parent
+            end
+          }
+          if @config['cors']
+            MU.log "Setting CORS rules on #{@cloud_id}", details: @config['cors']
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_cors(
               bucket: @cloud_id,
-              versioning_configuration: {
-                mfa_delete: "Disabled",
-                status: "Suspended"
+              cors_configuration: {
+                cors_rules: symbolify_keys.call(@config['cors'])
               }
             )
           end
+          MU.log "Bucket #{@config['name']}: s3://#{@cloud_id}", MU::SUMMARY
+          if @config['web']
+            MU.log "Bucket #{@config['name']} web access: http://#{@cloud_id}.s3-website-#{@config['region']}.amazonaws.com/", MU::SUMMARY
+          end
         end
         # Upload a file to a bucket.
@@ -160,7 +251,7 @@ module MU
           if file and !file.empty?
             if !File.exist?(file) or !File.readable?(file)
-              raise MuError, "Unable to read #{file} for upload to #{url}"
+              raise MuError, "Unable to read #{file} for upload to #{url} (I'm at #{Dir.pwd}"
             else
               data = File.read(file)
             end
@@ -177,12 +268,19 @@ module MU
           begin
             MU.log "Writing #{path} to S3 bucket #{bucket}"
-            MU::Cloud::AWS.s3(region: region, credentials: credentials).put_object(
+            params = {
               acl: acl,
               bucket: bucket,
               key: path,
               body: data
-            )
+            }
+            MIME_MAP.each_pair { |extension, content_type|
+              if path =~ /#{Regexp.quote(extension)}$/i
+                params[:content_type] = content_type
+              end
+            }
+            MU::Cloud::AWS.s3(region: region, credentials: credentials).put_object(params)
           rescue Aws::S3::Errors => e
             raise MuError, "Got #{e.inspect} trying to write #{path} to #{bucket} (region: #{region}, credentials: #{credentials})"
           end
@@ -207,7 +305,7 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           MU.log "AWS::Bucket.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           resp = MU::Cloud::AWS.s3(credentials: credentials, region: region).list_buckets
@@ -242,7 +340,7 @@ module MU
                 deploy_match = false
                 master_match = false
                 tags.each { |tag|
-                  if tag.key == "MU-ID" and tag.value == MU.deploy_id
+                  if tag.key == "MU-ID" and tag.value == deploy_id
                     deploy_match = true
                   elsif tag.key == "MU-MASTER-IP" and tag.value == MU.mu_public_ip
                     master_match = true
@@ -254,6 +352,21 @@ module MU
                     MU::Cloud::AWS.s3(credentials: credentials, region: region).delete_bucket(bucket: bucket.name)
                   end
                 end
+              rescue Aws::S3::Errors::BucketNotEmpty => e
+                if flags["skipsnapshots"]
+                  del = MU::Cloud::AWS.s3(credentials: credentials, region: region).list_objects(bucket: bucket.name).contents.map { |o| { key: o.key } }
+                  del.concat(MU::Cloud::AWS.s3(credentials: credentials, region: region).list_object_versions(bucket: bucket.name).versions.map { |o| { key: o.key, version_id: o.version_id } })
+                  MU.log "Purging #{del.size.to_s} objects and versions from #{bucket.name}"
+                  begin
+                    batch = del.slice!(0, (del.length >= 1000 ? 1000 : del.length))
+                    MU::Cloud::AWS.s3(credentials: credentials, region: region).delete_objects(bucket: bucket.name, delete: { objects: batch } ) if !noop
+                  end while del.size > 0
+                  retry if !noop
+                else
+                  MU.log "Bucket #{bucket.name} is non-empty, will preserve it and its contents. Use --skipsnapshots to forcibly remove.", MU::WARN
+                end
               rescue Aws::S3::Errors::NoSuchTagSet, Aws::S3::Errors::PermanentRedirect
                 next
               end
@@ -279,9 +392,32 @@ module MU
         def self.find(**args)
           found = {}
+          args[:region] ||= MU::Cloud::AWS.myRegion(args[:credentials])
+          if args[:flags] and args[:flags][:allregions]
+            args[:allregions] = args[:flags][:allregions]
+          end
+          minimal = args[:full] ? false : true
+          location = Proc.new { |name|
+            begin
+              loc_resp = MU::Cloud::AWS.s3(credentials: args[:credentials], region: args[:region]).get_bucket_location(bucket: name)
+              if loc_resp.location_constraint and !loc_resp.location_constraint.empty?
+                loc_resp.location_constraint
+              else
+                nil
+              end
+            rescue Aws::S3::Errors::AccessDenied
+              nil
+            end
+          }
           if args[:cloud_id]
             begin
-              found[args[:cloud_id]] = describe_bucket(args[:cloud_id], minimal: true, credentials: args[:credentials], region: args[:region])
+              found[args[:cloud_id]] = describe_bucket(args[:cloud_id], minimal: minimal, credentials: args[:credentials], region: args[:region])
+              found[args[:cloud_id]]['region'] ||= location.call(args[:cloud_id])
+              found[args[:cloud_id]]['region'] ||= args[:region]
+              found[args[:cloud_id]]['name'] ||= args[:cloud_id]
             rescue ::Aws::S3::Errors::NoSuchBucket
             end
           else
@@ -289,11 +425,14 @@ module MU
             if resp and resp.buckets
               resp.buckets.each { |b|
                 begin
-                  loc_resp = MU::Cloud::AWS.s3(credentials: args[:credentials], region: args[:region]).get_bucket_location(bucket: b.name)
-                  if !loc_resp or loc_resp.location_constraint != args[:region]
+                  bucket_region = location.call(b.name)
+                  if !args[:allregions] and bucket_region != args[:region]
                     next
                   end
-                  found[b.name] = describe_bucket(b.name, minimal: true, credentials: args[:credentials], region: args[:region])
+                  bucket_region ||= args[:region]
+                  found[b.name] = describe_bucket(b.name, minimal: minimal, credentials: args[:credentials], region: bucket_region)
+                  found[b.name]["region"] ||= bucket_region
+                  found[b.name]['name'] ||= b.name
                 rescue Aws::S3::Errors::AccessDenied
                 end
               }
@@ -303,22 +442,96 @@ module MU
           found
         end
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(**_args)
+          bok = {
+            "cloud" => "AWS",
+            "credentials" => @config['credentials'],
+            "cloud_id" => @cloud_id
+          }
+if @cloud_id =~ /espier/i
+  MU.log @cloud_id, MU::WARN, details: cloud_desc
+end
+          if !cloud_desc
+            MU.log "toKitten failed to load a cloud_desc from #{@cloud_id}", MU::ERR, details: @config
+            return nil
+          end
+          nil
+        end
         # Cloud-specific configuration properties.
         # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(_config)
           toplevel_required = []
           schema = {
-            "policies" => MU::Cloud::AWS::Role.condition_schema,
-            "acl" => {
-              "type" => "string",
-              "enum" => ["private", "public-read", "public-read-write", "authenticated-read"],
-              "default" => "private"
+            "policies" => MU::Cloud.resourceClass("AWS", "Role").condition_schema,
+            "upload" => {
+              "items" => {
+                "properties" => {
+                  "acl" => {
+                    "type" => "string",
+                    "enum" => ["private", "public-read", "public-read-write", "authenticated-read"],
+                    "default" => "private"
+                  }
+                }
+              }
             },
             "storage_class" => {
               "type" => "string",
               "enum" => ["STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER"],
               "default" => "STANDARD"
+            },
+            "cors" => {
+              "type" => "array",
+              "items" => {
+                "type" => "object",
+                "description" => "AWS S3 Cross-origin resource sharing policy",
+                "required" => ["allowed_origins"],
+                "properties" => {
+                  "allowed_headers" => {
+                    "type" => "array",
+                    "default" => ["*"],
+                    "items" => {
+                      "type" => "string",
+                      "description" => "Specifies which headers are allowed in a preflight request through the +Access-Control-Request-Headers+ header."
+                    }
+                  },
+                  "allowed_methods" => {
+                    "type" => "array",
+                    "default" => ["GET"],
+                    "items" => {
+                      "type" => "string",
+                      "enum" => %w{GET PUT POST DELETE HEAD},
+                      "description" => "Specifies which HTTP methods for which cross-domain request are permitted"
+                    }
+                  },
+                  "allowed_origins" => {
+                    "type" => "array",
+                    "items" => {
+                      "type" => "string",
+                      "description" => "Origins (in URL form) for which cross-domain request are permitted"
+                    }
+                  },
+                  "expose_headers" => {
+                    "type" => "array",
+                    "items" => {
+                      "type" => "string",
+                      "description" => "Headers in the response which should be visible to the requesting application"
+                    }
+                  },
+                  "max_age_seconds" => {
+                    "type" => "integer",
+                    "default" => 3600,
+                    "description" => "Maximum cache time for preflight requests"
+                  }
+                }
+              }
             }
           }
           [toplevel_required, schema]
@@ -384,6 +597,27 @@ module MU
           desc
         end
+        private
+        def applyPolicies(doc_id: nil)
+          return if !@config['policies']
+          @config['policies'].each { |pol|
+            pol['grant_to'] ||= [
+              { "id" => "*" }
+            ]
+          }
+          policy_docs = MU::Cloud.resourceClass("AWS", "Role").genPolicyDocument(@config['policies'], deploy_obj: @deploy, bucket_style: true, version: "2008-10-17", doc_id: doc_id)
+          policy_docs.each { |doc|
+            MU.log "Applying S3 bucket policy #{doc.keys.first} to bucket #{@cloud_id}", MU::NOTICE, details: JSON.pretty_generate(doc.values.first)
+            MU::Cloud::AWS.s3(credentials: @config['credentials'], region: @config['region']).put_bucket_policy(
+              bucket: @cloud_id,
+              policy: JSON.generate(doc.values.first)
+            )
+          }
+        end
       end
     end
   end