cloud-mu 3.2.0 → 3.5.0

data/modules/mu/providers/aws/collection.rb

@@ -25,15 +25,15 @@ module MU
         def initialize(**args)
           super
           @mu_name ||= @deploy.getResourceName(@config['name'], need_unique_string: true)
-          MU.setVar("curRegion", @config['region']) if !@config['region'].nil?
+          MU.setVar("curRegion", @region) if !@region.nil?
         end
 
 
         # Called automatically by {MU::Deploy#createResources}
         def create
           flag="SUCCESS"
-          MU.setVar("curRegion", @config['region']) if !@config['region'].nil?
-          region = @config['region']
+          MU.setVar("curRegion", @region) if !@region.nil?
+          region = @region
           server=@config["name"]
           stack_name = getStackName(@config["name"])
 
@@ -108,10 +108,10 @@ module MU
             end
 
             MU.log "Creating CloudFormation stack '#{@config['name']}'", details: stack_descriptor
-            MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).create_stack(stack_descriptor);
+            MU::Cloud::AWS.cloudformation(region: region, credentials: @credentials).create_stack(stack_descriptor);
 
             sleep(10);
-            stack_response = MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).describe_stacks({:stack_name => stack_name}).stacks.first
+            stack_response = MU::Cloud::AWS.cloudformation(region: region, credentials: @credentials).describe_stacks({:stack_name => stack_name}).stacks.first
             attempts = 0
             begin
               if attempts % 5 == 0
@@ -119,7 +119,7 @@ module MU
               else
                 MU.log "Waiting for CloudFormation stack '#{@config['name']}' to be ready...", MU::DEBUG
               end
-              stack_response =MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).describe_stacks({:stack_name => stack_name}).stacks.first
+              stack_response =MU::Cloud::AWS.cloudformation(region: region, credentials: @credentials).describe_stacks({:stack_name => stack_name}).stacks.first
               sleep 60
             end while stack_response.stack_status == "CREATE_IN_PROGRESS"
 
@@ -135,14 +135,14 @@ module MU
           end
 
           if flag == "FAIL" then
-            MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).delete_stack({:stack_name => stack_name})
+            MU::Cloud::AWS.cloudformation(region: region, credentials: @credentials).delete_stack({:stack_name => stack_name})
             exit 1
           end
 
           MU.log "CloudFormation stack '#{@config['name']}' complete"
 
           begin
-            resources = MU::Cloud::AWS.cloudformation(region: region, credentials: @config['credentials']).describe_stack_resources(:stack_name => stack_name)
+            resources = MU::Cloud::AWS.cloudformation(region: region, credentials: @credentials).describe_stack_resources(:stack_name => stack_name)
 
             resources[:stack_resources].each { |resource|
 
@@ -150,7 +150,7 @@ module MU
                 when "AWS::EC2::Instance"
                   MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   instance_name = MU.deploy_id+"-"+@config['name']+"-"+resource.logical_resource_id
-                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", instance_name, credentials: @config['credentials'])
+                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", instance_name, credentials: @credentials)
 
                   instance = MU::Cloud.resourceClass("AWS", "Server").notifyDeploy(
                       @config['name']+"-"+resource.logical_resource_id,
@@ -177,14 +177,14 @@ module MU
 
                 when "AWS::EC2::SecurityGroup"
                   MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
-                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
+                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @credentials)
                   MU::Cloud.resourceClass("AWS", "FirewallRule").notifyDeploy(
                       @config['name']+"-"+resource.logical_resource_id,
                       resource.physical_resource_id
                   )
                 when "AWS::EC2::Subnet"
                   MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
-                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
+                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @credentials)
                   data = {
                       "collection" => @config["name"],
                       "subnet_id" => resource.physical_resource_id,
@@ -192,7 +192,7 @@ module MU
                   @deploy.notify("subnets", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::VPC"
                   MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
-                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
+                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @credentials)
                   data = {
                       "collection" => @config["name"],
                       "vpc_id" => resource.physical_resource_id,
@@ -200,10 +200,10 @@ module MU
                   @deploy.notify("vpcs", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::InternetGateway"
                   MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
-                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
+                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @credentials)
                 when "AWS::EC2::RouteTable"
                   MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
-                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
+                  MU::Cloud::AWS.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @credentials)
 
                 # The rest of these aren't anything we act on
                 when "AWS::EC2::Route"
@@ -242,7 +242,7 @@ module MU
         # @param region [String]: The cloud provider region
         # @param wait [Boolean]: Block on the removal of this stack; AWS deletion will continue in the background otherwise if false.
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, wait: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, wait: false, credentials: nil, flags: {})
           MU.log "AWS::Collection.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           MU.log "Placeholder: AWS Collection artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
 
@@ -251,7 +251,7 @@ module MU
           resp.stacks.each { |stack|
             ok = false
             stack.tags.each { |tag|
-              ok = true if (tag.key == "MU-ID") and tag.value == MU.deploy_id
+              ok = true if (tag.key == "MU-ID") and tag.value == deploy_id
             }
             if ok
               MU.log "Deleting CloudFormation stack #{stack.stack_name})"

data/modules/mu/providers/aws/container_cluster.rb

@@ -65,7 +65,7 @@ module MU
 
             on_retry = Proc.new { |e|
               # soul-crushing, yet effective
-              if e.message.match(/because (#{Regexp.quote(@config['region'])}[a-z]), the targeted availability zone, does not currently have sufficient capacity/)
+              if e.message.match(/because (#{Regexp.quote(@region)}[a-z]), the targeted availability zone, does not currently have sufficient capacity/)
                 bad_az = Regexp.last_match(1)
                 deletia = []
                 mySubnets.each { |subnet|
@@ -81,7 +81,7 @@ module MU
 
             MU.retrier([Aws::EKS::Errors::UnsupportedAvailabilityZoneException, Aws::EKS::Errors::InvalidParameterException], on_retry: on_retry, max: subnet_ids.size) {
               MU.log "Creating EKS cluster #{@mu_name}", details: params
-              MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).create_cluster(params)
+              MU::Cloud::AWS.eks(region: @region, credentials: @credentials).create_cluster(params)
             }
             @cloud_id = @mu_name
 
@@ -100,7 +100,7 @@ module MU
 
             MU.log "Creation of EKS cluster #{@mu_name} complete"
           else
-            MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).create_cluster(
+            MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).create_cluster(
               cluster_name: @mu_name
             )
             @cloud_id = @mu_name
@@ -118,7 +118,7 @@ module MU
             # this account; EKS applications might want one, but will fail in
             # confusing ways if this hasn't been done.
             begin
-              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_service_linked_role(
+              MU::Cloud::AWS.iam(credentials: @credentials).create_service_linked_role(
                 aws_service_name: "elasticloadbalancing.amazonaws.com"
               )
             rescue ::Aws::IAM::Errors::InvalidInput
@@ -170,7 +170,7 @@ module MU
             if tasks.size > 0
               tasks_failing = false
               MU.retrier(wait: 15, max: 10, loop_if: Proc.new { tasks_failing }){ |retries, _wait|
-                tasks_failing = !MU::Cloud::AWS::ContainerCluster.tasksRunning?(@mu_name, log: (retries > 0), region: @config['region'], credentials: @config['credentials'])
+                tasks_failing = !MU::Cloud::AWS::ContainerCluster.tasksRunning?(@mu_name, log: (retries > 0), region: @region, credentials: @credentials)
               }
 
               if tasks_failing
@@ -287,14 +287,15 @@ MU.log c.name, MU::NOTICE, details: t
         # @return [OpenStruct]
         def cloud_desc(use_cache: true)
           return @cloud_desc_cache if @cloud_desc_cache and use_cache
+          return nil if !@cloud_id
           @cloud_desc_cache = if @config['flavor'] == "EKS" or
              (@config['flavor'] == "Fargate" and !@config['containers'])
-            resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).describe_cluster(
+            resp = MU::Cloud::AWS.eks(region: @region, credentials: @credentials).describe_cluster(
               name: @cloud_id
             )
             resp.cluster
           else
-            resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).describe_clusters(
+            resp = MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).describe_clusters(
               clusters: [@cloud_id]
             )
             resp.clusters.first
@@ -317,7 +318,7 @@ MU.log c.name, MU::NOTICE, details: t
         def notify
           deploy_struct = MU.structToHash(cloud_desc)
           deploy_struct['cloud_id'] = @mu_name
-          deploy_struct["region"] = @config['region']
+          deploy_struct["region"] = @region
           if @config['flavor'] == "EKS"
             deploy_struct["max_pods"] = @config['kubernetes']['max_pods'].to_s
 # XXX if FargateKS, get the Fargate Profile artifact
@@ -326,7 +327,7 @@ MU.log c.name, MU::NOTICE, details: t
         end
 
         @@eks_versions = {}
-        @@eks_version_semaphore = Mutex.new
+        @@eks_version_semaphores = {}
         # Use the AWS SSM API to fetch the current version of the Amazon Linux
         # ECS-optimized AMI, so we can use it as a default AMI for ECS deploys.
         # @param flavor [String]: ECS or EKS
@@ -339,24 +340,22 @@ MU.log c.name, MU::NOTICE, details: t
               names: ["/aws/service/#{flavor.downcase}/optimized-ami/amazon-linux/recommended"]
             )
           else
-            @@eks_version_semaphore.synchronize {
+            @@eks_version_semaphores[region] ||= Mutex.new
+
+            @@eks_version_semaphores[region].synchronize {
               if !@@eks_versions[region]
                 @@eks_versions[region] ||= []
                 versions = {}
-                resp = nil
-                next_token = nil
-                begin
-                  resp = MU::Cloud::AWS.ssm(region: region).get_parameters_by_path(
-                    path: "/aws/service/#{flavor.downcase}",
-                    recursive: true,
-                    next_token: next_token
-                  )
-                  resp.parameters.each { |p|
-                    p.name.match(/\/aws\/service\/eks\/optimized-ami\/([^\/]+?)\//)
-                    versions[Regexp.last_match[1]] = true
-                  }
-                  next_token = resp.next_token
-                end while !next_token.nil?
+                resp = MU::Cloud::AWS.ssm(region: region).get_parameters_by_path(
+                  path: "/aws/service/#{flavor.downcase}/optimized-ami",
+                  recursive: true,
+                  max_results: 10 # as high as it goes, ugh
+                )
+
+                resp.parameters.each { |p|
+                  p.name.match(/\/aws\/service\/eks\/optimized-ami\/([^\/]+?)\//)
+                  versions[Regexp.last_match[1]] = true
+                }
                 @@eks_versions[region] = versions.keys.sort { |a, b| MU.version_sort(a, b) }
               end
             }
@@ -376,16 +375,31 @@ MU.log c.name, MU::NOTICE, details: t
           nil
         end
 
+        @@supported_eks_region_cache = []
+        @@eks_region_semaphore = Mutex.new
+
         # Return the list of regions where we know EKS is supported.
-        def self.EKSRegions(credentials = nil, region: nil)
-          eks_regions = []
-          check_regions = region ? [region] : MU::Cloud::AWS.listRegions(credentials: credentials)
-          check_regions.each { |r|
-            ami = getStandardImage("EKS", r)
-            eks_regions << r if ami
-          }
+        def self.EKSRegions(credentials = nil)
+          @@eks_region_semaphore.synchronize {
+            if @@supported_eks_region_cache and !@@supported_eks_region_cache.empty?
+              return @@supported_eks_region_cache
+            end
+start = Time.now
+            # the SSM API is painfully slow for large result sets, so thread
+            # these and do them in parallel
+            @@supported_eks_region_cache = []
+            region_threads = []
+            MU::Cloud::AWS.listRegions(credentials: credentials).each { |region|
+              region_threads << Thread.new(region) { |r|
+r_start = Time.now
+                ami = getStandardImage("EKS", r)
+                @@supported_eks_region_cache << r if ami
+              }
+            }
+            region_threads.each { |t| t.join }
 
-          eks_regions
+            @@supported_eks_region_cache
+          }
         end
 
         # Does this resource type exist as a global (cloud-wide) artifact, or
@@ -406,30 +420,32 @@ MU.log c.name, MU::NOTICE, details: t
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           MU.log "AWS::ContainerCluster.cleanup: need to support flags['known']", MU::DEBUG, details: flags
           MU.log "Placeholder: AWS ContainerCluster artifacts do not support tags, so ignoremaster cleanup flag has no effect", MU::DEBUG, details: ignoremaster
 
-          purge_ecs_clusters(noop: noop, region: region, credentials: credentials)
+          purge_ecs_clusters(noop: noop, region: region, credentials: credentials, deploy_id: deploy_id)
 
-          purge_eks_clusters(noop: noop, region: region, credentials: credentials)
+          purge_eks_clusters(noop: noop, region: region, credentials: credentials, deploy_id: deploy_id)
 
         end
 
-        def self.purge_eks_clusters(noop: false, region: MU.curRegion, credentials: nil)
-          return if !MU::Cloud::AWS::ContainerCluster.EKSRegions(credentials, region: region).include?(region)
+        def self.purge_eks_clusters(noop: false, region: MU.curRegion, credentials: nil, deploy_id: MU.deploy_id)
           resp = begin
             MU::Cloud::AWS.eks(credentials: credentials, region: region).list_clusters
           rescue Aws::EKS::Errors::AccessDeniedException
             # EKS isn't actually live in this region, even though SSM lists
             # base images for it
+            if @@supported_eks_region_cache
+              @@supported_eks_region_cache.delete(region)
+            end
             return
           end
 
           return if !resp or !resp.clusters
 
           resp.clusters.each { |cluster|
-            if cluster.match(/^#{MU.deploy_id}-/)
+            if cluster.match(/^#{deploy_id}-/)
 
               desc = MU::Cloud::AWS.eks(credentials: credentials, region: region).describe_cluster(
                 name: cluster
@@ -473,13 +489,14 @@ MU.log c.name, MU::NOTICE, details: t
         end
         private_class_method :purge_eks_clusters
 
-        def self.purge_ecs_clusters(noop: false, region: MU.curRegion, credentials: nil)
+        def self.purge_ecs_clusters(noop: false, region: MU.curRegion, credentials: nil, deploy_id: MU.deploy_id)
+start = Time.now
           resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).list_clusters
 
           return if !resp or !resp.cluster_arns or resp.cluster_arns.empty?
 
           resp.cluster_arns.each { |arn|
-            if arn.match(/:cluster\/(#{MU.deploy_id}[^:]+)$/)
+            if arn.match(/:cluster\/(#{deploy_id}[^:]+)$/)
               cluster = Regexp.last_match[1]
 
               svc_resp = MU::Cloud::AWS.ecs(region: region, credentials: credentials).list_services(
@@ -525,7 +542,7 @@ MU.log c.name, MU::NOTICE, details: t
           }
 
           tasks = MU::Cloud::AWS.ecs(region: region, credentials: credentials).list_task_definitions(
-            family_prefix: MU.deploy_id
+            family_prefix: deploy_id
           )
 
           if tasks and tasks.task_definition_arns
@@ -1221,12 +1238,12 @@ start = Time.now
 
           cluster["flavor"] = "EKS" if cluster["flavor"].match(/^Kubernetes$/i)
 
-          if cluster["flavor"] == "ECS" and cluster["kubernetes"] and !MU::Cloud::AWS.isGovCloud?(cluster["region"]) and !cluster["containers"] and MU::Cloud::AWS::ContainerCluster.EKSRegions(cluster['credentials'], region: cluster['region']).include?(cluster['region'])
+          if cluster["flavor"] == "ECS" and cluster["kubernetes"] and !MU::Cloud::AWS.isGovCloud?(cluster["region"]) and !cluster["containers"] and MU::Cloud::AWS::ContainerCluster.EKSRegions(cluster['credentials']).include?(cluster['region'])
             cluster["flavor"] = "EKS"
             MU.log "Setting flavor of ContainerCluster '#{cluster['name']}' to EKS ('kubernetes' stanza was specified)", MU::NOTICE
           end
 
-          if cluster["flavor"] == "EKS" and !MU::Cloud::AWS::ContainerCluster.EKSRegions(cluster['credentials'], region: cluster['region']).include?(cluster['region'])
+          if cluster["flavor"] == "EKS" and !MU::Cloud::AWS::ContainerCluster.EKSRegions(cluster['credentials']).include?(cluster['region'])
             MU.log "EKS is only available in some regions", MU::ERR, details: MU::Cloud::AWS::ContainerCluster.EKSRegions
             ok = false
           end
@@ -1364,7 +1381,7 @@ start = Time.now
             role["tags"] = cluster["tags"] if !cluster["tags"].nil?
             role["optional_tags"] = cluster["optional_tags"] if !cluster["optional_tags"].nil?
             configurator.insertKitten(role, "roles")
-            MU::Config.addDependency(cluster, cluster["name"]+"pods", "role", phase: "groom")
+            MU::Config.addDependency(cluster, cluster["name"]+"pods", "role", their_phase: "groom")
             if !MU::Master.kubectl
               MU.log "Since I can't find a kubectl executable, you will have to handle all service account, user, and role bindings manually!", MU::WARN
             end
@@ -1484,7 +1501,8 @@ start = Time.now
                   worker_pool[k] = cluster[k]
                 end
               }
-
+            else
+              worker_pool["groom"] = false # don't meddle with ECS workers unnecessarily
             end
 
             configurator.insertKitten(worker_pool, "server_pools")
@@ -1512,7 +1530,7 @@ start = Time.now
             role["tags"] = cluster["tags"] if !cluster["tags"].nil?
             role["optional_tags"] = cluster["optional_tags"] if !cluster["optional_tags"].nil?
             configurator.insertKitten(role, "roles")
-            MU::Config.addDependency(cluster, cluster["name"]+"controlplane", "role", phase: "groom")
+            MU::Config.addDependency(cluster, cluster["name"]+"controlplane", "role", their_phase: "groom")
           end
 
           ok
@@ -1562,7 +1580,7 @@ start = Time.now
           @cacert = cloud_desc.certificate_authority.data
           @cluster = @mu_name
           if @config['flavor'] != "Fargate"
-            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role(role_name: @mu_name+"WORKERS")
+            resp = MU::Cloud::AWS.iam(credentials: @credentials).get_role(role_name: @mu_name+"WORKERS")
             @worker_role_arn = resp.role.arn
           end
           kube_conf = @deploy.deploy_dir+"/kubeconfig-#{@config['name']}"
@@ -1629,7 +1647,7 @@ start = Time.now
               :tags => @tags
             }
             begin
-              resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).describe_fargate_profile(
+              resp = MU::Cloud::AWS.eks(region: @region, credentials: @credentials).describe_fargate_profile(
                 cluster_name: @mu_name,
                 fargate_profile_name: profname
               )
@@ -1642,7 +1660,7 @@ start = Time.now
                 old_desc["subnets"].sort!
                 if !old_desc.eql?(new_desc)
                   MU.log "Deleting Fargate profile #{profname} in order to apply changes", MU::WARN, details: desc 
-                  MU::Cloud::AWS::ContainerCluster.purge_fargate_profile(profname, @mu_name, @config['region'], @credentials)
+                  MU::Cloud::AWS::ContainerCluster.purge_fargate_profile(profname, @mu_name, @region, @credentials)
                 else
                   next
                 end
@@ -1651,9 +1669,9 @@ start = Time.now
               # This is just fine!
             end
             MU.log "Creating EKS Fargate profile #{profname}", details: desc
-            resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).create_fargate_profile(desc)
+            resp = MU::Cloud::AWS.eks(region: @region, credentials: @credentials).create_fargate_profile(desc)
             begin
-              resp = MU::Cloud::AWS.eks(region: @config['region'], credentials: @config['credentials']).describe_fargate_profile(
+              resp = MU::Cloud::AWS.eks(region: @region, credentials: @credentials).describe_fargate_profile(
                 cluster_name: @mu_name,
                 fargate_profile_name: profname
               )
@@ -1693,19 +1711,19 @@ start = Time.now
             tagme << s.cloud_id
             tagme_elb << s.cloud_id if !s.private?
           }
-          rtbs = MU::Cloud::AWS.ec2(region: @config['region'], credentials: @config['credentials']).describe_route_tables(
+          rtbs = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_route_tables(
             filters: [ { name: "vpc-id", values: [@vpc.cloud_id] } ]
           ).route_tables
           tagme.concat(rtbs.map { |r| r.route_table_id } )
           main_sg = @deploy.findLitterMate(type: "firewall_rules", name: "server_pool#{@config['name']}workers")
           tagme << main_sg.cloud_id if main_sg
           MU.log "Applying kubernetes.io tags to VPC resources", details: tagme
-          MU::Cloud::AWS.createTag(tagme, "kubernetes.io/cluster/#{@mu_name}", "shared", credentials: @config['credentials'])
-          MU::Cloud::AWS.createTag(tagme_elb, "kubernetes.io/cluster/elb", @mu_name, credentials: @config['credentials'])
+          MU::Cloud::AWS.createTag(tagme, "kubernetes.io/cluster/#{@mu_name}", "shared", credentials: @credentials)
+          MU::Cloud::AWS.createTag(tagme_elb, "kubernetes.io/cluster/elb", @mu_name, credentials: @credentials)
         end
 
         def manage_ecs_workers
-          resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).list_container_instances({
+          resp = MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).list_container_instances({
             cluster: @mu_name
           })
           existing = {}
@@ -1715,7 +1733,7 @@ start = Time.now
               uuids << arn.sub(/^.*?:container-instance\//, "")
             }
             if uuids.size > 0
-              resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).describe_container_instances({
+              resp = MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).describe_container_instances({
                 cluster: @mu_name,
                 container_instances: uuids
               })
@@ -1726,12 +1744,12 @@ start = Time.now
           end
 
           threads = []
-          resource_lookup = MU::Cloud::AWS.listInstanceTypes(@config['region'])[@config['region']]
+          resource_lookup = MU::Cloud::AWS.listInstanceTypes(@region)[@region]
           serverpool = if ['EKS', 'ECS'].include?(@config['flavor'])
             @deploy.findLitterMate(type: "server_pools", name: @config["name"]+"workers")
           end
           serverpool.listNodes.each { |mynode|
-            resources = resource_lookup[node.cloud_desc.instance_type]
+            resources = resource_lookup[mynode.cloud_desc.instance_type]
             threads << Thread.new(mynode) { |node|
               ident_doc = nil
               ident_doc_sig = nil
@@ -1771,7 +1789,7 @@ start = Time.now
                 params[:container_instance_arn] = existing[node.cloud_id].container_instance_arn
                 MU.log "Updating ECS instance #{node} in cluster #{@mu_name}", MU::NOTICE, details: params
               end
-              MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).register_container_instance(params)
+              MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).register_container_instance(params)
 
             }
           }
@@ -1787,7 +1805,7 @@ start = Time.now
             @loadbalancers.each {|lb|
               MU.log "Mapping LB #{lb.mu_name} to service #{c['name']}", MU::INFO
               if lb.cloud_desc.type != "classic"
-                elb_groups = MU::Cloud::AWS.elb2(region: @config['region'], credentials: @config['credentials']).describe_target_groups({
+                elb_groups = MU::Cloud::AWS.elb2(region: @region, credentials: @credentials).describe_target_groups({
                     load_balancer_arn: lb.cloud_desc.load_balancer_arn
                   })
                   matching_target_groups = []
@@ -1932,12 +1950,14 @@ start = Time.now
             task_params[:network_mode] = "awsvpc"
             task_params[:cpu] = cpu_total.to_i.to_s
             task_params[:memory] = mem_total.to_i.to_s
+          elsif @config['vpc']
+            task_params[:network_mode] = "awsvpc"
           end
 
           MU.log "Registering task definition #{service_name} with #{container_definitions.size.to_s} containers"
 
 # XXX this helpfully keeps revisions, but let's compare anyway and avoid cluttering with identical ones
-          resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).register_task_definition(task_params)
+          resp = MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).register_task_definition(task_params)
 
           resp.task_definition.task_definition_arn
         end
@@ -1945,7 +1965,7 @@ start = Time.now
         def list_ecs_services
           svc_resp = nil
           MU.retrier([Aws::ECS::Errors::ClusterNotFoundException], wait: 5, max: 10){
-            svc_resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).list_services(
+            svc_resp = MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).list_services(
               cluster: arn
             )
           }
@@ -1985,14 +2005,14 @@ start = Time.now
           if !existing_svcs.include?(service_name)
             MU.log "Creating Service #{service_name}"
 
-            MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).create_service(service_params)
+            MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).create_service(service_params)
           else
             service_params[:service] = service_params[:service_name].dup
             service_params.delete(:service_name)
             service_params.delete(:launch_type)
             MU.log "Updating Service #{service_name}", MU::NOTICE, details: service_params
 
-            MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).update_service(service_params)
+            MU::Cloud::AWS.ecs(region: @region, credentials: @credentials).update_service(service_params)
           end
         end