cloud-mu 3.1.5 → 3.3.2

data/modules/mu/{clouds → providers}/google/role.rb

@@ -271,13 +271,13 @@ module MU
           my_org = MU::Cloud::Google.getOrg(credentials)
           if my_org
             scopes["organizations"] = [my_org.name]
-            folders = MU::Cloud::Google::Folder.find(credentials: credentials)
+            folders = MU::Cloud.resourceClass("Google", "Folder").find(credentials: credentials)
             if folders and folders.size > 0
               scopes["folders"] = folders.keys
             end
           end
 
-          projects = MU::Cloud::Google::Habitat.find(credentials: credentials)
+          projects = MU::Cloud.resourceClass("Google", "Habitat").find(credentials: credentials)
           if projects and projects.size > 0
             scopes["projects"] = projects.keys
           end
@@ -407,12 +407,12 @@ module MU
                 # email field (which is the "real" id most of the time)
                 real_id = nil
                 if entity_type == "group"
-                  found = MU::Cloud::Google::Group.find(cloud_id: entity_id, credentials: credentials)
+                  found = MU::Cloud.resourceClass("Google", "Group").find(cloud_id: entity_id, credentials: credentials)
                   if found[entity_id]
                     real_id = found[entity_id].id
                   end
                 elsif entity_type == "user"
-                  found = MU::Cloud::Google::User.find(cloud_id: entity_id, credentials: credentials)
+                  found = MU::Cloud.resourceClass("Google", "User").find(cloud_id: entity_id, credentials: credentials)
                   if found[entity_id]
                     real_id = found[entity_id].id
                   end
@@ -465,7 +465,7 @@ module MU
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           customer = MU::Cloud::Google.customerID(credentials)
           my_org = MU::Cloud::Google.getOrg(credentials)
 
@@ -563,7 +563,7 @@ module MU
           if args[:project]
             canned = Hash[MU::Cloud::Google.iam(credentials: args[:credentials]).list_roles.roles.map { |r| [r.name, r] }]
             begin
-              MU::Cloud::Google::Habitat.bindings(args[:project], credentials: args[:credentials]).each { |binding|
+              MU::Cloud.resourceClass("Google", "Habitat").bindings(args[:project], credentials: args[:credentials]).each { |binding|
                 found[binding.role] = canned[binding.role]
               }
             rescue ::Google::Apis::ClientError => e
@@ -591,10 +591,15 @@ module MU
                bindings['by_scope']['projects'][args[:project]]
               bindings['by_scope']['projects'][args[:project]].keys.each { |r|
                 if r.match(/^roles\//)
-                  role = MU::Cloud::Google.iam(credentials: args[:credentials]).get_role(r)
-                  found[role.name] = role
+                  begin
+                    role = MU::Cloud::Google.iam(credentials: args[:credentials]).get_role(r)
+                    found[role.name] = role
+                  rescue ::Google::Apis::ClientError => e
+                    raise e if !e.message.match(/(?:forbidden|notFound): /)
+                    MU.log "Failed  MU::Cloud::Google.iam(credentials: #{args[:credentials]}).get_role(#{r})", MU::WARN, details: e.message
+                  end
                 elsif !found[r]
-                  MU.log "NEED TO GET #{r}", MU::WARN
+#                  MU.log "NEED TO GET #{r}", MU::WARN
                 end
               }
             end
@@ -688,7 +693,7 @@ module MU
               ids, _names, _privs = MU::Cloud::Google::Role.privilege_service_to_name(@config['credentials'])
               cloud_desc.role_privileges.each { |priv|
                 if !ids[priv.service_id]
-                  MU.log "Role privilege defined for a service id with no name I can find, writing with raw id", MU::WARN, details: priv
+                  MU.log "Role privilege defined for a service id with no name I can find, writing with raw id", MU::DEBUG, details: priv
                   bok["import"] << priv.service_id+"/"+priv.privilege_name
                 else
                   bok["import"] << ids[priv.service_id]+"/"+priv.privilege_name
@@ -731,26 +736,45 @@ module MU
                 bindings[scopetype].each_pair { |scope_id, entity_types|
                   # If we've been given a habitat filter, skip over bindings
                   # that don't match it.
-                  if scopetype == "projects" and args[:habitats] and
-                     !args[:habitats].empty? and
-                     !args[:habitats].include?(scope_id)
-                    next
+                  if scopetype == "projects"
+                    if (args[:habitats] and !args[:habitats].empty? and
+                       !args[:habitats].include?(scope_id)) or
+                       !MU::Cloud::Google.listHabitats(@credentials).include?(scope_id)
+                      next
+                    end
                   end
 
                   entity_types.each_pair { |entity_type, entities|
                     mu_entitytype = (entity_type == "serviceAccount" ? "user" : entity_type)+"s"
                     entities.each { |entity|
+                      next if entity.nil?
+                      foreign = if entity_type == "serviceAccount" and entity.match(/@(.*?)\.iam\.gserviceaccount\.com/)
+                        !MU::Cloud::Google.listHabitats(@credentials).include?(Regexp.last_match[1])
+                      end
+
                       entity_ref = if entity_type == "organizations"
                         { "id" => ((org == my_org.name and @config['credentials']) ? @config['credentials'] : org) }
                       elsif entity_type == "domain"
                         { "id" => entity }
                       else
+                        shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(mu_entitytype)
+                        if args[:types].include?(shortclass) and
+                           !(entity_type == "serviceAccount" and
+                             MU::Cloud::Google::User.cannedServiceAcctName?(entity))
+                          MU.log "Role #{@cloud_id}: Skipping #{shortclass} binding for #{entity}; we are adopting that type and will set bindings from that resource", MU::DEBUG
+                          next
+                        end
+
                         MU::Config::Ref.get(
                           id: entity,
                           cloud: "Google",
                           type: mu_entitytype
                         )
                       end
+                      if entity_ref.nil?
+                        MU.log "I somehow ended up with a nil entity reference for #{entity_type} #{entity}", MU::ERR, details: [ bok, bindings ]
+                        next
+                      end
                       refmap ||= {}
                       refmap[entity_ref] ||= {}
                       refmap[entity_ref][scopetype] ||= []
@@ -769,6 +793,7 @@ module MU
                   }
                 }
               }
+
               bok["bindings"] ||= []
               refmap.each_pair { |entity, scopes|
                 newbinding = { "entity" => entity }
@@ -891,7 +916,7 @@ module MU
                 end
 
                 role = MU::Cloud::Google.admin_directory(credentials: credentials).get_role(MU::Cloud::Google.customerID(credentials), binding.role_id)
-                MU.log "Failed to find entity #{binding.assigned_to} referenced in GSuite/Cloud Identity binding to role #{role.role_name}", MU::WARN, details: role
+                MU.log "Failed to find entity #{binding.assigned_to} referenced in GSuite/Cloud Identity binding to role #{role.role_name}", MU::DEBUG, details: role
               }
 
               resp = MU::Cloud::Google.resource_manager(credentials: credentials).get_organization_iam_policy(my_org.name)
@@ -899,15 +924,17 @@ module MU
                 insertBinding("organizations", my_org.name, binding)
               }
 
-              MU::Cloud::Google::Folder.find(credentials: credentials).keys.each { |folder|
-                MU::Cloud::Google::Folder.bindings(folder, credentials: credentials).each { |binding|
+              MU::Cloud.resourceClass("Google", "Folder").find(credentials: credentials).keys.each { |folder|
+                folder_bindings = MU::Cloud.resourceClass("Google", "Folder").bindings(folder, credentials: credentials)
+                next if !folder_bindings
+                folder_bindings.each { |binding|
                   insertBinding("folders", folder, binding)
                 }
               }
             end
-            MU::Cloud::Google::Habitat.find(credentials: credentials).keys.each { |project|
+            MU::Cloud::Google.listHabitats(credentials).each { |project|
               begin
-                MU::Cloud::Google::Habitat.bindings(project, credentials: credentials).each { |binding|
+                MU::Cloud.resourceClass("Google", "Habitat").bindings(project, credentials: credentials).each { |binding|
                   insertBinding("projects", project, binding)
                 }
               rescue ::Google::Apis::ClientError => e
@@ -1090,7 +1117,7 @@ If this value is not specified, and the role name matches the name of an existin
                 MU.log "None of the directory service privileges available to credentials #{role['credentials']} map to the ones declared for role #{role['name']}", MU::ERR, details: role['import'].sort
                 ok = false
               elsif missing.size > 0
-                MU.log "Some directory service privileges declared for role #{role['name']} aren't available to credentials #{role['credentials']}, will skip", MU::WARN, details: missing
+                MU.log "Some directory service privileges declared for role #{role['name']} aren't available to credentials #{role['credentials']}, will skip", MU::DEBUG, details: missing
               end
             end
           end
@@ -1105,11 +1132,7 @@ If this value is not specified, and the role name matches the name of an existin
           if role['role_source'] == "project"
             role['project'] ||= MU::Cloud::Google.defaultProject(role['credentials'])
             if configurator.haveLitterMate?(role['project'], "habitats")
-              role['dependencies'] ||= []
-              role['dependencies'] << {
-                "type" => "habitat",
-                "name" => role['project']
-              }
+              MU::Config.addDependency(role, role['project'], "habitat")
             end
           end
 
@@ -1117,14 +1140,10 @@ If this value is not specified, and the role name matches the name of an existin
             role['bindings'].each { |binding|
               if binding['entity'] and binding['entity']['name'] and 
                  configurator.haveLitterMate?(binding['entity']['name'], binding['entity']['type'])
-                role['dependencies'] ||= []
-                role['dependencies'] << {
-                  "type" => binding['entity']['type'].sub(/s$/, ''),
-                  "name" => binding['entity']['name']
-                }
-
+                MU::Config.addDependency(role, binding['entity']['name'], binding['entity']['type'])
               end
             }
+            role['bindings'].uniq!
           end
 
           ok

data/modules/mu/{clouds → providers}/google/server.rb

@@ -492,7 +492,7 @@ next if !create
           return nil if @config.nil? or @deploy.nil?
 
           nat_ssh_key = nat_ssh_user = nat_ssh_host = nil
-          if !@config["vpc"].nil? and !MU::Cloud::Google::VPC.haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
+          if !@config["vpc"].nil? and !MU::Cloud.resourceClass("Google", "VPC").haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
 
             if !@nat.nil?
               if @nat.cloud_desc.nil?
@@ -623,7 +623,7 @@ next if !create
           end
 
           _nat_ssh_key, _nat_ssh_user, nat_ssh_host, _canonical_ip, _ssh_user, _ssh_key_name = getSSHConfig
-          if !nat_ssh_host and !MU::Cloud::Google::VPC.haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
+          if !nat_ssh_host and !MU::Cloud.resourceClass("Google", "VPC").haveRouteToInstance?(cloud_desc, credentials: @config['credentials'])
 # XXX check if canonical_ip is in the private ranges
 #            raise MuError, "#{node} has no NAT host configured, and I have no other route to it"
           end
@@ -992,7 +992,7 @@ next if !create
           # Our deploydata gets corrupted often with server pools, this will cause us to use the wrong IP to identify a node
           # which will cause us to create certificates, DNS records and other artifacts with incorrect information which will cause our deploy to fail.
           # The cloud_id is always correct so lets use 'cloud_desc' to get the correct IPs
-          if MU::Cloud::Google::VPC.haveRouteToInstance?(cloud_desc, credentials: @config['credentials']) or public_ips.size == 0
+          if MU::Cloud.resourceClass("Google", "VPC").haveRouteToInstance?(cloud_desc, credentials: @config['credentials']) or public_ips.size == 0
             @config['canonical_ip'] = private_ips.first
             return private_ips.first
           else
@@ -1001,6 +1001,22 @@ next if !create
           end
         end
 
+        # Return all of the IP addresses, public and private, from all of our
+        # network interfaces.
+        # @return [Array<String>]
+        def listIPs
+          ips = []
+          cloud_desc.network_interfaces.each { |iface|
+            ips << iface.network_ip
+            if iface.access_configs
+              iface.access_configs.each { |acfg|
+                ips << acfg.nat_ip if acfg.nat_ip
+              }
+            end
+          }
+          ips
+        end
+
         # return [String]: A password string.
         def getWindowsAdminPassword(use_cache: true)
           @config['windows_auth_vault'] ||= {
@@ -1016,7 +1032,6 @@ next if !create
                 item: @config['windows_auth_vault']['item'],
                 field: @config["windows_auth_vault"]["password_field"]
               )
-MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
               return win_admin_password if win_admin_password
             rescue MU::Groomer::MuNoSuchSecret, MU::Groomer::RunError
             end
@@ -1275,9 +1290,9 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
 
 # XXX make damn sure MU.deploy_id is set
           filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
@@ -1288,13 +1303,12 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
           MU::Cloud::Google.listAZs(region).each { |az|
             disks = []
             resp = MU::Cloud::Google.compute(credentials: credentials).list_instances(
-              flags["project"],
+              flags["habitat"],
               az,
               filter: filter
             )
             if !resp.items.nil? and resp.items.size > 0
               resp.items.each { |instance|
-                saname = instance.tags.items.first.gsub(/[^a-z]/, "") # XXX this nonsense again
                 MU.log "Terminating instance #{instance.name}"
                 if !instance.disks.nil? and instance.disks.size > 0
                   instance.disks.each { |disk|
@@ -1302,17 +1316,21 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
                   }
                 end
                 MU::Cloud::Google.compute(credentials: credentials).delete_instance(
-                  flags["project"],
+                  flags["habitat"],
                   az,
                   instance.name
                 ) if !noop
-                MU.log "Removing service account #{saname}"
-                begin
-                  MU::Cloud::Google.iam(credentials: credentials).delete_project_service_account(
-                    "projects/#{flags["project"]}/serviceAccounts/#{saname}@#{flags["project"]}.iam.gserviceaccount.com"
-                  ) if !noop
-                rescue ::Google::Apis::ClientError => e
-                  raise e if !e.message.match(/^notFound: /)
+                if instance.service_accounts
+                  instance.service_accounts.each { |sa|
+                    MU.log "Removing service account #{sa.email}"
+                    begin
+                      MU::Cloud::Google.iam(credentials: credentials).delete_project_service_account(
+                        "projects/#{flags["habitat"]}/serviceAccounts/#{sa.email}"
+                      ) if !noop
+                    rescue ::Google::Apis::ClientError => e
+                      raise e if !e.message.match(/^notFound: /)
+                    end
+                  }
                 end
 # XXX wait-loop on pending?
 #                pp deletia
@@ -1325,7 +1343,7 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
 # XXX honor snapshotting
             MU::Cloud::Google.compute(credentials: credentials).delete(
               "disk",
-              flags["project"],
+              flags["habitat"],
               az,
               noop
             ) if !noop
@@ -1338,7 +1356,7 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
         def self.schema(config)
           toplevel_required = []
           schema = {
-            "roles" => MU::Cloud::Google::User.schema(config)[1]["roles"],
+            "roles" => MU::Cloud.resourceClass("Google", "User").schema(config)[1]["roles"],
             "windows_admin_username" => {
               "type" => "string",
               "default" => "muadmin"
@@ -1449,8 +1467,7 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
             foundmatch = false
             MU::Cloud.availableClouds.each { |cloud|
               next if cloud == "Google"
-              cloudbase = Object.const_get("MU").const_get("Cloud").const_get(cloud)
-              foreign_types = (cloudbase.listInstanceTypes).values.first
+              foreign_types = (MU::Cloud.cloudClass(cloud).listInstanceTypes).values.first
               if foreign_types.size == 1
                 foreign_types = foreign_types.values.first
               end
@@ -1516,12 +1533,12 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
               ok = false
             end
           else
-            server = MU::Cloud::Google::User.genericServiceAccount(server, configurator)
+            server = MU::Cloud.resourceClass("Google", "User").genericServiceAccount(server, configurator)
           end
 
           subnets = nil
           if !server['vpc']
-            vpcs = MU::Cloud::Google::VPC.find(credentials: server['credentials'])
+            vpcs = MU::Cloud.resourceClass("Google", "VPC").find(credentials: server['credentials'])
             if vpcs["default"]
               server["vpc"] ||= {}
               server["vpc"]["vpc_id"] = vpcs["default"].self_link
@@ -1536,7 +1553,7 @@ MU.log "RETURNINATING FROM CACHE", MU::WARN, details: win_admin_password
           if !server['vpc']['subnet_id'] and server['vpc']['subnet_name'].nil?
             if !subnets
               if server["vpc"]["vpc_id"]
-                vpcs = MU::Cloud::Google::VPC.find(cloud_id: server["vpc"]["vpc_id"])
+                vpcs = MU::Cloud.resourceClass("Google", "VPC").find(cloud_id: server["vpc"]["vpc_id"])
                 subnets = vpcs["default"].subnetworks.sample
               end
             end

data/modules/mu/{clouds → providers}/google/server_pool.rb

@@ -89,8 +89,8 @@ module MU
             machine_type: size,
             service_accounts: [@service_acct],
             labels: labels,
-            disks: MU::Cloud::Google::Server.diskConfig(@config, false, false, credentials: @config['credentials']),
-            network_interfaces: MU::Cloud::Google::Server.interfaceConfig(@config, @vpc),
+            disks: MU::Cloud.resourceClass("Google", "Server").diskConfig(@config, false, false, credentials: @config['credentials']),
+            network_interfaces: MU::Cloud.resourceClass("Google", "Server").interfaceConfig(@config, @vpc),
             metadata: metadata,
             tags: MU::Cloud::Google.compute(:Tags).new(items: [MU::Cloud::Google.nameStr(@mu_name)])
           )
@@ -324,11 +324,11 @@ end
         def self.schema(config)
           toplevel_required = []
           schema = {
-            "ssh_user" => MU::Cloud::Google::Server.schema(config)[1]["ssh_user"],
-            "metadata" => MU::Cloud::Google::Server.schema(config)[1]["metadata"],
-            "service_account" => MU::Cloud::Google::Server.schema(config)[1]["service_account"],
-            "scopes" => MU::Cloud::Google::Server.schema(config)[1]["scopes"],
-            "network_tags" => MU::Cloud::Google::Server.schema(config)[1]["network_tags"],
+            "ssh_user" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["ssh_user"],
+            "metadata" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["metadata"],
+            "service_account" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["service_account"],
+            "scopes" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["scopes"],
+            "network_tags" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["network_tags"],
             "availability_zone" => {
               "type" => "string",
               "description" => "Target a specific availability zone for this pool, which will create zonal instance managers and scalers instead of regional ones."
@@ -382,7 +382,7 @@ end
           if pool['basis']['launch_config']
             launch = pool["basis"]["launch_config"]
 
-            launch['size'] = MU::Cloud::Google::Server.validateInstanceType(launch["size"], pool["region"])
+            launch['size'] = MU::Cloud.resourceClass("Google", "Server").validateInstanceType(launch["size"], pool["region"])
             ok = false if launch['size'].nil?
 
             if launch['image_id'].nil?
@@ -397,7 +397,7 @@ end
 
             real_image = nil
             begin
-              real_image = MU::Cloud::Google::Server.fetchImage(launch['image_id'].to_s, credentials: pool['credentials'])
+              real_image = MU::Cloud.resourceClass("Google", "Server").fetchImage(launch['image_id'].to_s, credentials: pool['credentials'])
             rescue ::Google::Apis::ClientError => e
               MU.log e.inspect, MU::WARN
             end
@@ -431,9 +431,9 @@ end
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
           filter = %Q{(labels.mu-id = "#{MU.deploy_id.downcase}")}
           if !ignoremaster and MU.mu_public_ip
             filter += %Q{ AND (labels.mu-master-ip = "#{MU.mu_public_ip.gsub(/\./, "_")}")}
@@ -444,7 +444,7 @@ end
             ["region_autoscaler", "region_instance_group_manager"].each { |type|
               MU::Cloud::Google.compute(credentials: credentials).delete(
                 type,
-                flags["project"],
+                flags["habitat"],
                 region,
                 noop
               )
@@ -452,7 +452,7 @@ end
           else
             MU::Cloud::Google.compute(credentials: credentials).delete(
               "instance_template",
-              flags["project"],
+              flags["habitat"],
               noop
             )
           end

data/modules/mu/{clouds → providers}/google/user.rb

@@ -26,10 +26,12 @@ module MU
           # If we're being reverse-engineered from a cloud descriptor, use that
           # to determine what sort of account we are.
           if args[:from_cloud_desc]
+            @cloud_desc_cache = args[:from_cloud_desc]
             MU::Cloud::Google.admin_directory
             MU::Cloud::Google.iam
             if args[:from_cloud_desc].class == ::Google::Apis::AdminDirectoryV1::User
               @config['type'] = "interactive"
+              @cloud_id = args[:from_cloud_desc].primary_email
             elsif args[:from_cloud_desc].class == ::Google::Apis::IamV1::ServiceAccount
               @config['type'] = "service"
               @config['name'] = args[:from_cloud_desc].display_name
@@ -48,6 +50,10 @@ module MU
             @config['name']
           end
 
+          if @config['type'] == "interactive" and @config['email']
+            @cloud_id ||= @config['email']
+          end
+
         end
 
         # Called automatically by {MU::Deploy#createResources}
@@ -58,7 +64,7 @@ module MU
               account_id: acct_id,
               service_account: MU::Cloud::Google.iam(:ServiceAccount).new(
                 display_name: @mu_name,
-                description: @config['scrub_mu_isms'] ? nil : @deploy.deploy_id
+                description: @config['scrub_mu_isms'] ? @config['description'] : @deploy.deploy_id
               )
             )
             if @config['use_if_exists']
@@ -90,7 +96,7 @@ module MU
             end
           elsif @config['external']
             @cloud_id = @config['email']
-            MU::Cloud::Google::Role.bindFromConfig("user", @cloud_id, @config['roles'], credentials: @config['credentials'])
+            MU::Cloud.resourceClass("Google", "Role").bindFromConfig("user", @cloud_id, @config['roles'], credentials: @config['credentials'])
           else
             if !@config['email']
               domains = MU::Cloud::Google.admin_directory(credentials: @credentials).list_domains(@customer)
@@ -122,10 +128,10 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def groom
           if @config['external']
-            MU::Cloud::Google::Role.bindFromConfig("user", @cloud_id, @config['roles'], credentials: @config['credentials'])
+            MU::Cloud.resourceClass("Google", "Role").bindFromConfig("user", @cloud_id, @config['roles'], credentials: @config['credentials'])
           elsif @config['type'] == "interactive"
             need_update = false
-            MU::Cloud::Google::Role.bindFromConfig("user", @cloud_id, @config['roles'], credentials: @config['credentials'])
+            MU::Cloud.resourceClass("Google", "Role").bindFromConfig("user", @cloud_id, @config['roles'], credentials: @config['credentials'])
 
             if @config['force_password_change'] and !cloud_desc.change_password_at_next_login
               MU.log "Forcing #{@mu_name} to change their password at next login", MU::NOTICE
@@ -170,7 +176,7 @@ module MU
             end
 
           else
-            MU::Cloud::Google::Role.bindFromConfig("serviceAccount", @cloud_id.gsub(/.*?\/([^\/]+)$/, '\1'), @config['roles'], credentials: @config['credentials'])
+            MU::Cloud.resourceClass("Google", "Role").bindFromConfig("serviceAccount", @cloud_id.gsub(/.*?\/([^\/]+)$/, '\1'), @config['roles'], credentials: @config['credentials'])
             if @config['create_api_key']
               resp = MU::Cloud::Google.iam(credentials: @config['credentials']).list_project_service_account_keys(
                 cloud_desc.name
@@ -195,6 +201,7 @@ module MU
           if @config['type'] == "interactive" or !@config['type']
              @config['type'] ||= "interactive"
             if !@config['external']
+              @cloud_id ||= @config['email']
               @cloud_desc_cache = MU::Cloud::Google.admin_directory(credentials: @config['credentials']).get_user(@cloud_id)
             else
               return nil
@@ -226,7 +233,7 @@ module MU
           else
             {}
           end
-          description.delete(:etag)
+          description.delete(:etag) if description
           description
         end
 
@@ -247,7 +254,7 @@ module MU
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
           MU::Cloud::Google.getDomains(credentials)
           my_org = MU::Cloud::Google.getOrg(credentials)
 
@@ -275,15 +282,15 @@ module MU
                 next if user_email.nil?
                 next if !user_email.match(/^[^\/]+@[^\/]+$/)
 
-                MU::Cloud::Google::Role.removeBindings("user", user_email, credentials: credentials, noop: noop)
+                MU::Cloud.resourceClass("Google", "Role").removeBindings("user", user_email, credentials: credentials, noop: noop)
               }
 
             end
           end
 
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
           resp = MU::Cloud::Google.iam(credentials: credentials).list_project_service_accounts(
-            "projects/"+flags["project"]
+            "projects/"+flags["habitat"]
           )
 
           if resp and resp.accounts and MU.deploy_id
@@ -356,8 +363,10 @@ module MU
           else
             if cred_cfg['masquerade_as']
               resp = MU::Cloud::Google.admin_directory(credentials: args[:credentials]).list_users(customer: MU::Cloud::Google.customerID(args[:credentials]), show_deleted: false)
+# XXX this ain't exactly performant, do some caching or something
               if resp and resp.users
                 resp.users.each { |u|
+                  next if args[:cloud_id] and !args[:cloud_id] != u.primary_email
                   found[u.primary_email] = u
                 }
               end
@@ -374,6 +383,7 @@ module MU
           name.match(/\b\d+\-compute@developer\.gserviceaccount\.com$/) or
           name.match(/\bproject-\d+@storage-transfer-service\.iam\.gserviceaccount\.com$/) or
           name.match(/\b\d+@cloudbuild\.gserviceaccount\.com$/) or
+          name.match(/\b\d+@cloudservices\.gserviceaccount\.com$/) or
           name.match(/\bservice-\d+@containerregistry\.iam\.gserviceaccount\.com$/) or
           name.match(/\bservice-\d+@container-analysis\.iam\.gserviceaccount\.com$/) or
           name.match(/\bservice-\d+@compute-system\.iam\.gserviceaccount\.com$/) or
@@ -416,7 +426,7 @@ module MU
             return nil
           end
 
-          user_roles = MU::Cloud::Google::Role.getAllBindings(@config['credentials'])["by_entity"]
+          user_roles = MU::Cloud.resourceClass("Google", "Role").getAllBindings(@config['credentials'])["by_entity"]
 
           if cloud_desc.nil?
             MU.log "FAILED TO FIND CLOUD DESCRIPTOR FOR #{self}", MU::ERR, details: @config
@@ -429,6 +439,10 @@ module MU
 
           if bok['type'] == "service"
             bok['name'].gsub!(/@.*/, '')
+            if cloud_desc.description and !cloud_desc.description.empty? and
+               !cloud_desc.description.match(/^[A-Z0-9_-]+-[A-Z0-9_-]+-\d{10}-[A-Z]{2}$/)
+              bok['description'] = cloud_desc.description
+            end
             bok['project'] = @project_id
             keys = MU::Cloud::Google.iam(credentials: @config['credentials']).list_project_service_account_keys(@cloud_id)
 
@@ -439,13 +453,13 @@ module MU
             if user_roles["serviceAccount"] and
                user_roles["serviceAccount"][bok['cloud_id']] and
                user_roles["serviceAccount"][bok['cloud_id']].size > 0
-              bok['roles'] = MU::Cloud::Google::Role.entityBindingsToSchema(user_roles["serviceAccount"][bok['cloud_id']])
+              bok['roles'] = MU::Cloud.resourceClass("Google", "Role").entityBindingsToSchema(user_roles["serviceAccount"][bok['cloud_id']])
             end
           else
             if user_roles["user"] and
                user_roles["user"][bok['cloud_id']] and
                user_roles["user"][bok['cloud_id']].size > 0
-              bok['roles'] = MU::Cloud::Google::Role.entityBindingsToSchema(user_roles["user"][bok['cloud_id']], credentials: @config['credentials'])
+              bok['roles'] = MU::Cloud.resourceClass("Google", "Role").entityBindingsToSchema(user_roles["user"][bok['cloud_id']], credentials: @config['credentials'])
             end
             bok['given_name'] = cloud_desc.name.given_name if cloud_desc.name.given_name and !cloud_desc.name.given_name.empty?
             bok['family_name'] = cloud_desc.name.family_name if cloud_desc.name.family_name and !cloud_desc.name.family_name.empty?
@@ -501,6 +515,10 @@ If we are binding (rather than creating) a user and no roles are specified, we w
               "type" => "string",
               "description" => "Alias for +family_name+"
             },
+            "description" => {
+              "type" => "string",
+              "description" => "Comment field for service accounts, which we normally use to store the originating deploy's deploy id, since GCP service accounts do not have labels. This field is only honored if +scrub_mu_isms+ is set."
+            },
             "email" => {
               "type" => "string",
               "description" => "Canonical email address for a +directory+ user. If not specified, will be set to +name@domain+."
@@ -528,7 +546,7 @@ If we are binding (rather than creating) a user and no roles are specified, we w
             "roles" => {
               "type" => "array",
               "description" => "One or more Google IAM roles to associate with this user.",
-              "items" => MU::Cloud::Google::Role.ref_schema
+              "items" => MU::Cloud.resourceClass("Google", "Role").ref_schema
             }
           }
           [toplevel_required, schema]
@@ -614,15 +632,11 @@ If we are binding (rather than creating) a user and no roles are specified, we w
             ok = false
           end
 
-          user['dependencies'] ||= []
           if user['roles']
             user['roles'].each { |r|
               if r['role'] and r['role']['name'] and
                  (!r['role']['deploy_id'] and !r['role']['id'])
-                user['dependencies'] << {
-                  "type" => "role",
-                  "name" => r['role']['name']
-                }
+                MU::Config.addDependency(user, r['role']['name'], "role")
               end
 
               if !r["projects"] and !r["organizations"] and !r["folders"]
@@ -661,7 +675,6 @@ If we are binding (rather than creating) a user and no roles are specified, we w
             user['roles'] = parent['roles'].dup
           end
           configurator.insertKitten(user, "users", true)
-          parent['dependencies'] ||= []
           parent['service_account'] = MU::Config::Ref.get(
             type: "users",
             cloud: "Google",
@@ -669,10 +682,7 @@ If we are binding (rather than creating) a user and no roles are specified, we w
             project: user["project"],
             credentials: user["credentials"]
           )
-          parent['dependencies'] << {
-            "type" => "user",
-            "name" => user["name"]
-          }
+          MU::Config.addDependency(parent, user['name'], "user")
 
           parent
         end