cloud-mu 3.1.5 → 3.3.2

data/modules/mu/{clouds → providers}/aws/cache_cluster.rb

@@ -199,7 +199,7 @@ module MU
               addStandardTags(member, "cluster", region: @config['region'])
             }
 
-            MU::Cloud::AWS::DNSZone.genericMuDNSEntry(
+            MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(
               name: resp.replication_group_id,
               target: "#{resp.node_groups.first.primary_endpoint.address}.",
               cloudclass: MU::Cloud::CacheCluster,
@@ -207,7 +207,7 @@ module MU
             )
 
             resp.node_groups.first.node_group_members.each { |member|
-              MU::Cloud::AWS::DNSZone.genericMuDNSEntry(
+              MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(
                 name: member.cache_cluster_id,
                 target: "#{member.read_endpoint.address}.",
                 cloudclass: MU::Cloud::CacheCluster,
@@ -270,7 +270,7 @@ module MU
         def createSubnetGroup
           subnet_ids = []
           if @config["vpc"] && !@config["vpc"].empty?
-            raise MuError, "Didn't find the VPC specified in #{@config["vpc"]}" unless @vpc
+            raise MuError.new "Didn't find the VPC specified for #{@mu_name}", details: @config["vpc"].to_h unless @vpc
 
             vpc_id = @vpc.cloud_id
 
@@ -283,7 +283,7 @@ module MU
             else
               @config["vpc"]["subnets"].each { |subnet|
                 subnet_obj = @vpc.getSubnet(cloud_id: subnet["subnet_id"].to_s, name: subnet["subnet_name"].to_s)
-                raise MuError, "Couldn't find a live subnet matching #{subnet} in #{@vpc} (#{@vpc.subnets})" if subnet_obj.nil?
+                raise MuError.new "Couldn't find a live subnet matching #{subnet} in #{@vpc}", details: @vpc.subnets if subnet_obj.nil?
                 subnet_ids << subnet_obj.cloud_id
               }
             end
@@ -333,24 +333,7 @@ module MU
               subnet_ids: subnet_ids
             )
 
-            # Find NAT and create holes in security groups.
-            # Adding just for consistency, but do we really need this for cache clusters? I guess Nagios and such..
-            if @config["vpc"]["nat_host_name"] || @config["vpc"]["nat_host_id"] || @config["vpc"]["nat_host_tag"] || @config["vpc"]["nat_host_ip"]
-              nat = @nat
-              if nat.is_a?(Struct) && nat.nat_gateway_id && nat.nat_gateway_id.start_with?("nat-")
-                MU.log "Using NAT Gateway, not modifying security groups"
-              else
-                _nat_name, _nat_conf, nat_deploydata = @nat.describe
-                @deploy.kittens['firewall_rules'].values.each { |acl|
-  # XXX if a user doesn't set up dependencies correctly, this can die horribly on a NAT that's still in mid-creation. Fix this... possibly in the config parser.
-                  if acl.config["admin"]
-                    acl.addRule([nat_deploydata["private_ip_address"]], proto: "tcp")
-                    acl.addRule([nat_deploydata["private_ip_address"]], proto: "udp")
-                    break
-                  end
-                }
-              end
-            end
+            allowBastionAccess
 
             if @dependencies.has_key?('firewall_rule')
               @config["security_group_ids"] = []
@@ -430,7 +413,7 @@ module MU
               }
             end
             # XXX this should be a call to @deploy.nameKitten
-            MU::Cloud::AWS::DNSZone.createRecordsFromConfig(@config['dns_records'], target: repl_group.node_groups.first.primary_endpoint.address)
+            MU::Cloud.resourceClass("AWS", "DNSZone").createRecordsFromConfig(@config['dns_records'], target: repl_group.node_groups.first.primary_endpoint.address)
 
             deploy_struct = {
               "identifier" => repl_group.replication_group_id,
@@ -586,7 +569,7 @@ module MU
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server.
         # @param region [String]: The cloud provider's region in which to operate.
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, region: MU.curRegion, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, region: MU.curRegion, flags: {})
           skipsnapshots = flags["skipsnapshots"]
           all_clusters = MU::Cloud::AWS.elasticache(credentials: credentials, region: region).describe_cache_clusters
           our_clusters = []
@@ -594,7 +577,7 @@ module MU
 
           # Because we can't run list_tags_for_resource on a cache cluster that isn't in "available" state we're loading the deploy to make sure we have a cache cluster to cleanup.
           # To ensure we don't miss cache clusters that have been terminated mid creation we'll load the 'original_config'. We might want to find a better approach for this.
-          deploy = MU::MommaCat.getLitter(MU.deploy_id)
+          deploy = MU::MommaCat.getLitter(deploy_id)
           if deploy.original_config && deploy.original_config.has_key?("cache_clusters") && !deploy.original_config["cache_clusters"].empty?
 
             # The ElastiCache API and documentation are a mess, the replication group ARN resource_type is not documented, and is not easily guessable.
@@ -632,14 +615,14 @@ module MU
                   sleep 30
                   retry
                 else
-                  raise MuError, "Failed to get tags for cache cluster #{cluster_id}, MU-ID #{MU.deploy_id}: #{e.inspect}"
+                  raise MuError, "Failed to get tags for cache cluster #{cluster_id}, MU-ID #{deploy_id}: #{e.inspect}"
                 end
               end
 
               found_muid = false
               found_master = false
               tags.each { |tag|
-                found_muid = true if tag.key == "MU-ID" && tag.value == MU.deploy_id
+                found_muid = true if tag.key == "MU-ID" && tag.value == deploy_id
                 found_master = true if tag.key == "MU-MASTER-IP" && tag.value == MU.mu_public_ip
               }
               next if !found_muid
@@ -703,26 +686,7 @@ module MU
               "type" => "boolean",
               "description" => "Create a replication group; will be set automatically if +engine+ is +redis+ and +node_count+ is greated than one."
             },
-            "ingress_rules" => {
-              "items" => {
-                "properties" => {
-                  "sgs" => {
-                    "type" => "array",
-                    "items" => {
-                      "description" => "Other AWS Security Groups; resources that are associated with this group will have this rule applied to their traffic",
-                      "type" => "string"
-                    }
-                  },
-                  "lbs" => {
-                    "type" => "array",
-                    "items" => {
-                      "description" => "AWS Load Balancers which will have this rule applied to their traffic",
-                      "type" => "string"
-                    }
-                  }
-                }
-              }
-            }
+            "ingress_rules" => MU::Cloud.resourceClass("AWS", "FirewallRule").ingressRuleAddtlSchema
           }
           [toplevel_required, schema]
         end
@@ -823,7 +787,7 @@ module MU
           end
 
           # The API is broken, cluster.cache_nodes is returnning an empty array, and the only URL we can get is the config one with cluster.configuration_endpoint.address.
-          # MU::Cloud::AWS::DNSZone.genericMuDNSEntry(name: cluster_id, target: , cloudclass: MU::Cloud::CacheCluster, delete: true)
+          # MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: cluster_id, target: , cloudclass: MU::Cloud::CacheCluster, delete: true)
           
           if %w{deleting deleted}.include?(cluster.cache_cluster_status)
             MU.log "#{cluster_id} has already been terminated", MU::WARN
@@ -925,10 +889,10 @@ module MU
           end
 
           # What's the likelihood of having more than one node group? maybe iterate over node_groups instead of assuming there is only one?
-          MU::Cloud::AWS::DNSZone.genericMuDNSEntry(name: repl_group_id, target: repl_group.node_groups.first.primary_endpoint.address, cloudclass: MU::Cloud::CacheCluster, delete: true)
+          MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: repl_group_id, target: repl_group.node_groups.first.primary_endpoint.address, cloudclass: MU::Cloud::CacheCluster, delete: true)
           # Assuming we also created DNS records for each of our cluster's read endpoint.
           repl_group.node_groups.first.node_group_members.each { |member|
-            MU::Cloud::AWS::DNSZone.genericMuDNSEntry(name: member.cache_cluster_id, target: member.read_endpoint.address, cloudclass: MU::Cloud::CacheCluster, delete: true)
+            MU::Cloud.resourceClass("AWS", "DNSZone").genericMuDNSEntry(name: member.cache_cluster_id, target: member.read_endpoint.address, cloudclass: MU::Cloud::CacheCluster, delete: true)
           }
           
           if %w{deleting deleted}.include?(repl_group.status)

data/modules/mu/providers/aws/cdn.rb

@@ -0,0 +1,782 @@
+# Copyright:: Copyright (c) 2020 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module MU
+  class Cloud
+    class AWS
+      # A scheduled task facility as configured in {MU::Config::BasketofKittens::cdns}
+      class CDN < MU::Cloud::CDN
+
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+          @mu_name ||= @deploy.getResourceName(@config["name"])
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def create
+          resp = MU::Cloud::AWS.cloudfront(credentials: @credentials).create_cloud_front_origin_access_identity(
+            cloud_front_origin_access_identity_config: {
+              caller_reference: @mu_name,
+              comment: @mu_name
+            }
+          )
+
+          @origin_access_identity = "origin-access-identity/cloudfront/"+resp.cloud_front_origin_access_identity.id
+
+          params = get_properties
+
+          begin
+            MU.log "Creating CloudFront distribution #{@mu_name}", details: params
+            MU.retrier([Aws::CloudFront::Errors::InvalidOrigin], wait: 10, max: 6) {
+              resp = MU::Cloud::AWS.cloudfront(credentials: @credentials).create_distribution_with_tags(
+                distribution_config_with_tags: {
+                  distribution_config: params,
+                  tags: {
+                    items: @tags.each_key.map { |k| { :key => k, :value => @tags[k] } }
+                  }
+                }
+              )
+              @cloud_id = resp.distribution.id
+            }
+            ready?
+          rescue ::Aws::CloudFront::Errors::InvalidViewerCertificate => e
+            cert_arn, cert_domains = MU::Cloud::AWS.findSSLCertificate(
+              name: @config['certificate']["name"],
+              id: @config['certificate']["id"],
+              region: @config['certificate']['region'],
+              credentials: @config['certificate']['credentials']
+            )
+            raise MuError.new e.message, details: { "aliases" => @config['aliases'], "certificate domains" => cert_domains }
+          rescue ::Aws::CloudFront::Errors::InvalidOrigin => e
+            raise MuError.new e.message, details: params[:origins]
+          rescue ::Aws::CloudFront::Errors::InvalidArgument => e
+            raise MuError.new e.message, details: params
+          end
+        end
+
+        # Called automatically by {MU::Deploy#createResources}
+        def groom
+          params = get_properties
+
+          if !@config['dns_records'].nil?
+            if !MU::Cloud::AWS.isGovCloud?
+              MU::Cloud.resourceClass("AWS", "DNSZone").createRecordsFromConfig(@config['dns_records'], target: cloud_desc.domain_name)
+            end
+          end
+          MU.log "CloudFront Distribution #{@config['name']} at #{cloud_desc.domain_name}", MU::SUMMARY
+          if @config['aliases']
+            @config['aliases'].each { |a|
+              MU.log "Alias for CloudFront Distribution #{@config['name']}: #{a}", MU::SUMMARY
+            }
+          end
+
+          # Make sure we show up in the bucket policy of our target bucket,
+          # if it's a sibling in this deploy
+          cloud_desc(use_cache: false).origins.items.each { |o|
+            if o.s3_origin_config
+              id = o.s3_origin_config.origin_access_identity.sub(/^origin-access-identity\/cloudfront\//, '')
+              bucketref = get_bucketref_from_domain(o.domain_name)
+              next if !bucketref or !bucketref.kitten
+              resp = MU::Cloud::AWS.cloudfront(credentials: @credentials).get_cloud_front_origin_access_identity(id: id)
+#              bucketref.kitten.allowPrincipal("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "+id, doc_id: "PolicyForCloudFrontPrivateContent", permissions: ["GetObject"])
+              bucketref.kitten.allowPrincipal(resp.cloud_front_origin_access_identity.s3_canonical_user_id, doc_id: "PolicyForCloudFrontPrivateContent", permissions: ["GetObject"], name: @mu_name)
+            end
+          }
+
+        end
+
+        # Canonical Amazon Resource Number for this resource
+        # @return [String]
+        def arn
+          cloud_desc ? cloud_desc.arn : nil
+        end
+
+        # Return the metadata for this cdn
+        # @return [Hash]
+        def notify
+          MU.structToHash(cloud_desc, stringify_keys: true)
+        end
+
+        # Wait until the distribution is ready (status is +Deployed+)
+        def ready?
+          self.class.ready?(@cloud_id, credentials: @credentials)
+        end
+
+        # Wait until a distribution is ready (status is +Deployed+)
+        # @param id [String]
+        # @param credentials [String]
+        def self.ready?(id, credentials: nil)
+          desc = nil
+          MU.retrier([], loop_if: Proc.new { !desc or desc.status != "Deployed" }, wait: 30, max:60) {
+            desc = MU::Cloud::AWS.cloudfront(credentials: credentials).get_distribution(id: id).distribution
+          }
+        end
+
+        # Does this resource type exist as a global (cloud-wide) artifact, or
+        # is it localized to a region/zone?
+        # @return [Boolean]
+        def self.isGlobal?
+          true
+        end
+
+        # Denote whether this resource implementation is experiment, ready for
+        # testing, or ready for production use.
+        def self.quality
+          MU::Cloud::ALPHA
+        end
+
+        # Remove all cdns associated with the currently loaded deployment.
+        # @param noop [Boolean]: If true, will only print what would be done
+        # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
+        # @return [void]
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
+
+          resp = MU::Cloud::AWS.cloudfront(credentials: credentials).list_distributions
+          if resp and resp.distribution_list and resp.distribution_list.items
+            delete_threads = []
+            ids = Hash[resp.distribution_list.items.map { |distro| [distro.arn, distro] }]
+
+            ids.each_key { |arn|
+              tags = MU::Cloud::AWS.cloudfront(credentials: credentials).list_tags_for_resource(resource: arn).tags.items
+
+              found_muid = found_master = false
+              name = nil
+              tags.each { |tag|
+                name = tag.value if tag.key == "Name"
+                found_muid = true if tag.key == "MU-ID" && tag.value == deploy_id
+                found_master = true if tag.key == "MU-MASTER-IP" && tag.value == MU.mu_public_ip
+              }
+
+              if found_muid and (ignoremaster or found_master)
+                delete_threads << Thread.new(arn, name) { |my_arn, my_name|
+                  current = MU::Cloud::AWS.cloudfront(credentials: credentials).get_distribution_config(id: ids[my_arn].id)
+                  etag = current.etag
+
+                  if !noop
+
+                    if current.distribution_config.enabled
+                      newcfg = MU.structToHash(current.distribution_config)
+                      newcfg[:enabled] = false
+                      MU.log "Disabling CloudFront distribution #{my_name ? my_name : ids[my_arn].id})", MU::NOTICE
+                      updated = MU::Cloud::AWS.cloudfront(credentials: credentials).update_distribution(id: ids[my_arn].id, distribution_config: newcfg, if_match: etag)
+                      etag = updated.etag
+                    end
+
+                  end
+
+                  MU.log "Deleting CloudFront distribution #{my_name ? my_name : ids[my_arn].id})"
+                  if !noop
+                    ready?(ids[my_arn].id, credentials: credentials)
+                    MU::Cloud::AWS.cloudfront(credentials: credentials).delete_distribution(id: ids[my_arn].id, if_match: etag)
+                  end
+                }
+              end
+            }
+            delete_threads.each { |t| t.join }
+          end
+
+          resp = MU::Cloud::AWS.cloudfront(credentials: credentials).list_cloud_front_origin_access_identities
+          if resp and resp.cloud_front_origin_access_identity_list and
+             resp.cloud_front_origin_access_identity_list.items.each and
+             deploy_id =~ /-\d{10}-[A-Z]{2}/
+            resp.cloud_front_origin_access_identity_list.items.each { |ident|
+              if ident.comment =~ /^#{Regexp.quote(deploy_id)}-/
+                MU.log "Deleting CloudFront origin access identity #{ident.id} (#{ident.comment})"
+                if !noop
+                  getresp = MU::Cloud::AWS.cloudfront(credentials: credentials).get_cloud_front_origin_access_identity(id: ident.id)
+                  begin
+                    MU::Cloud::AWS.cloudfront(credentials: credentials).delete_cloud_front_origin_access_identity(id: ident.id, if_match: getresp.etag)
+                  rescue ::Aws::CloudFront::Errors::CloudFrontOriginAccessIdentityInUse => e
+                    MU.log "Got #{e.message} deleting #{ident.id}; it likely belongs to a distribution we can't to delete", MU::WARN, details: ident
+                  end
+                end
+              end
+            }
+          end
+        end
+
+        # Locate an existing event.
+        # @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching CloudWatch Event
+        def self.find(**args)
+          found = {}
+
+          MU::Cloud::AWS.cloudfront(credentials: args[:credentials]).list_distributions.distribution_list.items.each { |d|
+            next if args[:cloud_id] and ![d.id, d.arn].include?(args[:cloud_id])
+            found[d.id] = d
+          }
+
+          found
+        end
+
+        # Reverse-map our cloud description into a runnable config hash.
+        # We assume that any values we have in +@config+ are placeholders, and
+        # calculate our own accordingly based on what's live in the cloud.
+        def toKitten(**_args)
+          bok = {
+            "cloud" => "AWS",
+            "credentials" => @config['credentials'],
+            "cloud_id" => @cloud_id
+          }
+
+          if !cloud_desc
+            MU.log "toKitten failed to load a cloud_desc from #{@cloud_id}", MU::ERR, details: @config
+            return nil
+          end
+
+          resp = MU::Cloud::AWS.cloudfront(credentials: @credentials).list_tags_for_resource(resource: arn)
+          if resp and resp.tags and resp.tags.items
+            tags = MU.structToHash(resp.tags.items, stringify_keys: true)
+            bok['name'] = MU::Adoption.tagsToName(tags)
+            bok['tags'] = tags if !tags.empty?
+          end
+
+          if !bok['name'] 
+            bok['name'] = if cloud_desc.domain_name !~ /\.cloudfront\.net$/
+              cloud_desc.domain_name.sub(/\..*/, '')
+            elsif cloud_desc.aliases and !cloud_desc.aliases.items.empty?
+              cloud_desc.aliases.items.first.sub(/\..*/, '')
+            # XXX maybe try to guess from the name of an origin resource?
+            else
+              @cloud_id
+            end
+          end
+
+          cloud_desc.origins.items.each { |o|
+            bok['origins'] ||= []
+            origin = {
+              "path" => o.origin_path,
+              "name" => o.id
+            }
+            if o.s3_origin_config
+              origin["bucket"] = get_bucketref_from_domain(o.domain_name)
+            end
+            origin["domain_name"] = o.domain_name if !origin["bucket"]
+            if o.custom_origin_config
+              origin["http_port"] = o.custom_origin_config.http_port
+              origin["https_port"] = o.custom_origin_config.https_port
+              origin["protocol_policy"] = o.custom_origin_config.origin_protocol_policy
+              origin["ssl_protocols"] = o.custom_origin_config.origin_ssl_protocols.items
+            end
+
+            if o.custom_headers and !o.custom_headers.empty?
+            end
+
+            bok['origins'] << origin
+          }
+
+          if cloud_desc.aliases and cloud_desc.aliases.items and
+             !cloud_desc.aliases.items.empty?
+            bok['aliases'] = cloud_desc.aliases.items
+          end
+
+          bok['disabled'] = true if !cloud_desc.enabled
+
+          bok['behaviors'] = []
+
+          add_behavior = Proc.new { |b, default|
+            behavior = {}
+
+            behavior["origin"] = b.target_origin_id
+            behavior["path_pattern"] = b.path_pattern if b.respond_to?(:path_pattern)
+            behavior["protocol_policy"] = b.viewer_protocol_policy
+            if b.lambda_function_associations and !b.lambda_function_associations.items.empty?
+              b.lambda_function_associations.items.each { |f|
+                behavior['functions'] ||= []
+                f.lambda_function_arn.match(/^arn:.*?:lambda:([^:]+?):(\d*):function:([^:]+)/)
+                region = Regexp.last_match[1]
+                acct = Regexp.last_match[2]
+                id = Regexp.last_match[3]
+                behavior['functions'] << MU::Config::Ref.get(
+                  id: id,
+                  region: region,
+                  type: "functions",
+                  event_type: f.event_type,
+                  include_body: f.include_body,
+                  cloud: "AWS",
+                  credentials: @credentials,
+                  habitat: MU::Config::Ref.get(
+                    id: acct,
+                    cloud: "AWS",
+                    credentials: @credentials
+                  )
+                )
+              }
+              [:min_ttl, :default_ttl, :max_ttl].each { |ttl|
+                behavior[ttl.to_s] = b.send(ttl)
+              }
+            end
+            bok['behaviors'] << behavior
+          }
+
+          add_behavior.call(cloud_desc.default_cache_behavior, true)
+
+          if cloud_desc.cache_behaviors and
+             !cloud_desc.cache_behaviors.items.empty?
+            cloud_desc.cache_behaviors.items.each { |b|
+              add_behavior.call(b, false)
+            }
+          end
+
+          bok
+        end
+
+
+        # Cloud-specific configuration properties.
+        # @param _config [MU::Config]: The calling MU::Config object
+        # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
+        def self.schema(_config)
+          toplevel_required = []
+
+          schema = {
+            "disabled" => {
+              "type" => "boolean",
+              "description" => "Flag this CloudFront distribution as disabled",
+              "default" => false
+            },
+            "certificate" => MU::Config::Ref.schema(type: "certificate", desc: "Required if any domains have been specified with +aliases+; parser will attempt to autodetect a valid ACM or IAM certificate if not specified.", omit_fields: ["cloud", "tag", "deploy_id"]),
+            "behaviors" => {
+              "items" => {
+                "properties" => {
+                  "min_ttl" => {
+                    "type" => "integer",
+                    "description" => "The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated.",
+                    "default" => 0
+                  },
+                  "default_ttl" => {
+                    "type" => "integer",
+                    "description" => "The default amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated.",
+                    "default" => 86400
+                  },
+                  "max_ttl" => {
+                    "type" => "integer",
+                    "description" => "The maximum amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated.",
+                    "default" => 31536000
+                  },
+                  "protocol_policy" => {
+                    "type" => "string",
+                    "enum" => %w{allow-all https-only redirect-to-https},
+                    "default" => "redirect-to-https"
+                  },
+                  "functions" => {
+                    "type" => "array",
+                    "items" => MU::Config::Ref.schema(type: "functions", desc: "Add a Lambda function which can be invoked on requests or responses through this distribution.")
+                  },
+                  "forwarded_values" => {
+                    "type" => "object",
+                    "description" => "HTTP request artifacts to include in requests passed to our back-end +origin+",
+                    "default" => {
+                      "query_string" => false
+                    },
+                    "properties" => {
+                      "query_string" => {
+                        "type" => "boolean",
+                        "description" => "Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior and cache based on the query string parameters.",
+                        "default" => false
+                      },
+                      "cookies" => {
+                        "type" => "object",
+                        "description" => "A complex type that specifies whether you want CloudFront to forward cookies to the origin and, if so, which ones.",
+                        "default" => {
+                          "forward" => "none"
+                        },
+                        "properties" => {
+                          "forward" => {
+                            "type" => "string",
+                            "description" => "Specifies which cookies to forward to the origin for this cache behavior: all, none, or the list of cookies specified in +whitelisted_names+",
+                            "enum" => %w{none whitelist all}
+                          },
+                          "whitelisted_names" => {
+                            "type" => "array",
+                            "items" => {
+                              "description" => "Required if you specify whitelist for the value of +forward+",
+                              "type" => "string"
+                            }
+                          },
+                        }
+                      },
+                      "headers" => {
+                        "type" => "array",
+                        "items" => {
+                          "description" => "Specifies the headers, if any, that you want CloudFront to forward to the origin for this cache behavior (whitelisted headers).",
+                          "type" => "string"
+                        }
+                      },
+                      "query_string_cache_keys" => {
+                        "type" => "array",
+                        "items" => {
+                          "description" => "Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior and cache based on the query string parameters",
+                          "type" => "string"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            },
+            "origins" => {
+              "items" => {
+                "properties" => {
+                  "bucket" => MU::Config::Ref.schema(type: "buckets", desc: "Reference an S3 bucket for use as an origin"),
+                  "endpoint" => MU::Config::Ref.schema(type: "endpoints", desc: "Reference an API Gateway for use as an origin"),
+                  "loadbalancer" => MU::Config::Ref.schema(type: "loadbalancers", desc: "Reference a Load Balancer for use as an origin"),
+                  "connection_attempts" => {
+                    "type" => "integer",
+                    "default" => 3
+                  },
+                  "connection_timeout" => {
+                    "type" => "integer",
+                    "default" => 10
+                  },
+                  "protocol_policy" => {
+                    "type" => "string",
+                    "enum" => %w{http-only https-only match-viewer},
+                    "default" => "match-viewer"
+                  },
+                  "ssl_protocols" => {
+                    "type" => "array",
+                    "default" => ["TLSv1.2"],
+                    "items" => {
+                      "type" => "string",
+                      "enum" => %w{SSLv3 TLSv1 TLSv1.1 TLSv1.2},
+                    }
+                  },
+                  "http_port" => {
+                    "type" => "integer",
+                    "default" => 80
+                  },
+                  "https_port" => {
+                    "type" => "integer",
+                    "default" => 443
+                  },
+                  "custom_headers" => {
+                    "type" => "array",
+                    "items" => {
+                      "description" => "A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.",
+                      "type" => "object",
+                      "required" => ["key", "value"],
+                      "properties" => {
+                        "key" => {
+                          "type" => "string"
+                        },
+                        "value" => {
+                          "type" => "string"
+                        },
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+
+          schema["behaviors"]["items"]["properties"]["functions"]["items"]["include_body"] = {
+            "type" => "boolean",
+            "default" => false
+          }
+          schema["behaviors"]["items"]["properties"]["functions"]["items"]["event_type"] = {
+            "type" => "string",
+            "enum" => %w{viewer-request viewer-response origin-request origin-response},
+            "default" => "viewer-request"
+          }
+
+          [toplevel_required, schema]
+        end
+
+        # Cloud-specific pre-processing of {MU::Config::BasketofKittens::cdns}, bare and unvalidated.
+        # @param cdn [Hash]: The resource to process and validate
+        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @return [Boolean]: True if validation succeeded, False otherwise
+        def self.validateConfig(cdn, configurator)
+          ok = true
+
+          cdn['origins'].each { |o|
+            count = 0
+            ['bucket', 'endpoint', 'loadbalancer'].each { |sib_type|
+              if o[sib_type]
+                if count > 0
+                  ok = false
+                  MU.log "Origin in CloudFront distro #{cdn['name']} may specify at most one of bucket, endpoint, or loadbalancer.", MU::ERR
+                end
+                target_ref = MU::Config::Ref.get(o[sib_type])
+                if target_ref.name
+                  MU::Config.addDependency(cdn, target_ref.name, sib_type, phase: "groom")
+                end
+                count += 1
+              end
+            }
+          }
+
+          cert_domains = nil
+
+          if cdn['certificate']
+            cert_arn, cert_domains = MU::Cloud::AWS.resolveSSLCertificate(cdn['certificate'], region: cdn['region'], credentials: cdn['credentials'])
+            if !cert_arn
+              MU.log "Failed to find an ACM or IAM certificate specified in CloudFront distribution #{cdn['name']}", MU::ERR, details: cdn['certificate'].to_h
+              ok = false
+            end
+          end
+
+          if cdn['aliases']
+            cdn['aliases'].each { |a|
+              if !cdn['certificate']
+                foundcert, cert_domains = MU::Cloud::AWS.findSSLCertificate(name: a, region: cdn['region'], credentials: cdn['credentials'], raise_on_missing: false)
+                if !foundcert
+                  foundcert, cert_domains = MU::Cloud::AWS.findSSLCertificate(name: a.sub(/^[^\.]+\./, '*.'), region: cdn['region'], credentials: cdn['credentials'], raise_on_missing: false)
+                end
+                if !foundcert
+                  MU.log "Failed to find an ACM or IAM certificate matching #{a} for CloudFront distribution #{cdn['name']}", MU::ERR
+                  ok = false
+                else
+                  cdn['certificate'] = {
+                    "id" => foundcert,
+                    "credentials" => cdn['credentials']
+                  }
+                  MU.log "Auto-detected SSL certificate for CloudFront distribution #{cdn['name']} alias #{a}", MU::NOTICE, details: cdn['certificate']['id']
+                end
+              else
+                if !MU::Cloud::AWS.nameMatchesCertificate(a, cdn['certificate']['id'])
+                  MU.log "Alias #{a} in CloudFront distro #{cdn['name']} does not appear to fit any domains on our SSL certificate", MU::ERR, details: cert_domains
+                  ok = false
+                end
+              end
+            }
+          end
+
+          if cdn['dns_records'] and cdn['certificate']
+            cdn['dns_records'].each { |rec|
+              next if !rec['name']
+              dnsname = MU::Cloud.resourceClass("AWS", "DNSZone").recordToName(rec)
+              if MU::Cloud::AWS.nameMatchesCertificate(dnsname, cdn['certificate']['id'])
+                cdn['aliases'] ||= []
+                cdn['aliases'] << dnsname if !cdn['aliases'].include?(dnsname)
+              end
+            }
+          end
+
+          path_patterns = {}
+          cdn['behaviors'].each { |b|
+            b['path_pattern'] ||= "*"
+            path_patterns[b['path_pattern']] ||= 0
+            path_patterns[b['path_pattern']] += 1
+          }
+          path_patterns.each_pair { |pattern, origins|
+            if origins > 1
+              MU.log "CDN #{cdn['name']} has #{origins.to_s} uses of path_pattern '#{pattern}' in its behavior list (must be unique)", MU::ERR, details: cdn['behaviors']
+              ok = false
+            end
+          }
+
+          ok
+        end
+
+        private
+
+        def get_properties
+          params = {
+            default_root_object: @config['default_object'],
+            caller_reference: @mu_name, # eh, probably should be random
+            origins: {
+              quantity: @config['origins'].size,
+              items: []
+            },
+            comment: @deploy.deploy_id,
+            enabled: !(@config['disabled'])
+          }
+
+          if @config['certificate']
+            params[:viewer_certificate] = {
+              ssl_support_method: "sni-only"
+            }
+            if @config['certificate']['id'] =~ /^arn:aws(?:-us-gov)?:iam/
+              params[:viewer_certificate][:iam_certificate_id] = @config['certificate']['id']
+              params[:viewer_certificate][:certificate_source] = "iam"
+            elsif @config['certificate']['id'] =~ /^arn:aws(?:-us-gov)?:acm/
+              params[:viewer_certificate][:acm_certificate_arn] = @config['certificate']['id']
+              params[:viewer_certificate][:certificate_source] = "acm"
+            end
+
+          end
+
+          @config['origins'].each { |o|
+            origin = {
+              id: o['name'],
+            }
+            sib_obj = nil
+            ['bucket', 'endpoint', 'loadbalancer'].each { |sib_type|
+              if o[sib_type]
+                sib_obj = MU::Config::Ref.get(o[sib_type]).kitten(@deploy, cloud: "AWS")
+                if !sib_obj
+                  raise MuError.new "Failed to resolve #{sib_type} referenced in CloudFront distribution #{@config['name']}", details: o[sib_type].to_h
+                end
+                break
+              end
+            }
+            if o['bucket']
+              origin[:domain_name] = sib_obj.cloud_desc["name"]+".s3.amazonaws.com"
+              origin[:origin_path] = o['path'] if o['path']
+              origin[:s3_origin_config] = {
+                origin_access_identity: @origin_access_identity
+              }
+            elsif o['endpoint']
+              origin[:domain_name] = sib_obj.cloud_id+".execute-api."+sib_obj.config['region']+".amazonaws.com"
+              origin[:custom_origin_config] = {
+                origin_protocol_policy: "https-only"
+              }
+              if sib_obj.config['deploy_to']
+                origin[:origin_path] ||= "/"+sib_obj.config['deploy_to']
+              end
+            elsif o['loadbalancer']
+              origin[:domain_name] = sib_obj.cloud_desc.dns_name
+              origin[:origin_path] = o['path'] if o['path']
+            else # XXX make sure parser guarantees these are present
+              origin[:domain_name] = o['domain_name']
+              origin[:origin_path] = o['path']
+            end
+
+            if o['custom_headers']
+              origin[:custom_headers] = {
+                quantity: o['custom_headers'].size,
+                items: o['custom_headers'].map { |h|
+                  {
+                    header_name: h['key'],
+                    header_value: h['value']
+                  }
+                }
+              }
+            end
+
+            [:connection_attempts, :connection_timeout].each { |field|
+              origin[field] ||= o[field.to_s]
+            }
+            if !origin[:s3_origin_config]
+              maplet = {
+                'protocol_policy' => :origin_protocol_policy,
+                'ssl_protocols' => :origin_ssl_protocols,
+                'http_port' => :http_port,
+                'https_port' => :https_port
+              }
+              maplet.each_pair { |field, paramfield|
+                next if !o[field]
+                origin[:custom_origin_config] ||= {}
+                origin[:custom_origin_config][paramfield] ||= if o[field.to_s].is_a?(Array)
+                  {
+                    quantity: o[field].size,
+                    items: o[field]
+                  }
+                else
+                  o[field]
+                end
+              }
+            end
+
+            params[:origins][:items] << origin
+          }
+
+          # if we have any placeholder DNS records that are intended to be
+          # filled out with our runtime @mu_name, do so, and add an alias if
+          # applicable
+          if @config['dns_records']
+            @config['dns_records'].each { |rec|
+              if !rec['name']
+                rec['name'] = @mu_name.downcase
+                dnsname = MU::Cloud.resourceClass("AWS", "DNSZone").recordToName(rec)
+                if @config['certificate'] and MU::Cloud::AWS.nameMatchesCertificate(dnsname, @config['certificate']['id'])
+                  @config['aliases'] ||= []
+                  @config['aliases'] << dnsname if !@config['aliases'].include?(dnsname)
+                end
+              end
+            }
+          end
+
+          if @config['aliases']
+            params[:aliases] = {
+              items: @config['aliases'],
+              quantity: @config['aliases'].size
+            }
+          end
+
+          # XXX config parser should guarantee a default behavior
+          @config['behaviors'].each { |b|
+            b['origin'] ||= @config['origins'].first['name']
+            behavior = {
+              target_origin_id: b['origin'],
+              viewer_protocol_policy: b['protocol_policy'],
+              min_ttl: b['min_ttl'],
+              max_ttl: b['max_ttl'],
+              default_ttl: b['default_ttl'],
+            }
+            behavior[:trusted_signers] = {
+              enabled: false,
+              quantity: 0,
+#              items: []
+            }
+            behavior[:forwarded_values] = {
+              query_string: b['forwarded_values']['query_string'],
+              cookies: {
+                forward: b['forwarded_values']['cookies']['forward']
+              }
+            }
+            if b['forwarded_values']['cookies']['whitelisted_names']
+              behavior[:forwarded_values][:cookies][:whitelisted_names] = {
+                quantity: b['forwarded_values']['cookies']['whitelisted_names'].size,
+                items: b['forwarded_values']['cookies']['whitelisted_names']
+              }
+            end
+            ['headers', 'query_string_cache_keys'].each { |field|
+              if b['forwarded_values'][field]
+                behavior[:forwarded_values][field.to_sym] = {
+                  quantity: b['forwarded_values'][field].size,
+                  items: b['forwarded_values'][field]
+                }
+              end
+            }
+
+            if @config['behaviors'].size == 1 or b['path_pattern'] == "*"
+              params[:default_cache_behavior] = behavior
+            else
+              behavior[:path_pattern] = b['path_pattern']
+              params[:cache_behaviors] ||= {
+                quantity: (@config['behaviors'].size-1),
+                items: []
+              }
+              params[:cache_behaviors][:items] << behavior
+            end
+          }
+
+          params
+        end
+
+        def get_bucketref_from_domain(domain_name)
+          buckets = MU::Cloud.resourceClass("AWS", "Bucket").find(credentials: @credentials, allregions: true, cloud_id: domain_name.sub(/\..*/, ''))
+          if buckets and buckets.size == 1
+            return MU::Config::Ref.get(
+              id: buckets.keys.first,
+              type: "buckets",
+              region: buckets.values.first["region"],
+              credentials: @credentials,
+              cloud: "AWS"
+            )
+          else
+            MU.log "Failed to locate or isolate a bucket object from #{domain_name}", MU::WARN, details: buckets.keys
+          end
+
+          nil
+        end
+
+      end
+    end
+  end
+end