cloud-mu 3.3.0 → 3.5.1

data/modules/mu/providers/aws/log.rb

@@ -30,13 +30,13 @@ module MU
           @config["log_group_name"] = @mu_name
           @config["log_stream_name"] =
             if @config["enable_cloudtrail_logging"]
-              "#{MU::Cloud::AWS.credToAcct(@config['credentials'])}_CloudTrail_#{@config["region"]}"
+              "#{MU::Cloud::AWS.credToAcct(@credentials)}_CloudTrail_#{@region}"
             else
               @mu_name
             end
 
           MU.log "Creating log group #{@mu_name}"
-          MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).create_log_group(
+          MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).create_log_group(
             log_group_name: @config["log_group_name"],
             tags: @tags
           )
@@ -45,7 +45,7 @@ module MU
           retries = 0
           max_retries = 5
           begin
-            resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @config["region"])
+            resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @region)
             if resp.nil?
               if retries >= max_retries
                 raise MuError, "Cloudwatch Logs group #{@config["log_group_name"]} creation hasn't succeeded after #{(retries*max_retries).to_s}s"
@@ -56,19 +56,19 @@ module MU
             end
           end while resp.nil?
 
-          MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).create_log_stream(
+          MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).create_log_stream(
             log_group_name: @config["log_group_name"],
             log_stream_name: @config["log_stream_name"]
           )
 
-          MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).put_retention_policy(
+          MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).put_retention_policy(
             log_group_name: @config["log_group_name"],
             retention_in_days: @config["retention_period"]
           )
 
           if @config["filters"] && !@config["filters"].empty?
             @config["filters"].each{ |filter|
-              MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).put_metric_filter(
+              MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).put_metric_filter(
                 log_group_name: @config["log_group_name"],
                 filter_name: filter["name"],
                 filter_pattern: filter["search_pattern"],
@@ -82,8 +82,8 @@ module MU
           end
 
           if @config["enable_cloudtrail_logging"]
-            trail_resp = MU::Cloud::AWS.cloudtrail(region: @config["region"], credentials: @config["credentials"]).describe_trails.trail_list.first
-            raise MuError, "Can't find a cloudtrail in #{MU::Cloud::AWS.credToAcct(@config['credentials'])}/#{@config["region"]}. Please create cloudtrail before enabling logging on it" unless trail_resp
+            trail_resp = MU::Cloud::AWS.cloudtrail(region: @region, credentials: @credentials).describe_trails.trail_list.first
+            raise MuError, "Can't find a cloudtrail in #{MU::Cloud::AWS.credToAcct(@credentials)}/#{@region}. Please create cloudtrail before enabling logging on it" unless trail_resp
 
             iam_policy = '{
               "Version": "2012-10-17",
@@ -96,7 +96,7 @@ module MU
                     "logs:PutLogEventsBatch",
                     "logs:PutLogEvents"
                   ],
-                  "Resource": "arn:'+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+':logs:'+@config["region"]+':'+MU::Cloud::AWS.credToAcct(@config['credentials'])+':log-group:'+@config["log_group_name"]+':log-stream:'+@config["log_stream_name"]+'*"
+                  "Resource": "arn:'+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+':logs:'+@region+':'+MU::Cloud::AWS.credToAcct(@credentials)+':log-group:'+@config["log_group_name"]+':log-stream:'+@config["log_stream_name"]+'*"
                 }
               ]
             }'
@@ -132,11 +132,11 @@ module MU
               policy_document: iam_policy
             )
 
-            log_group_resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @config["region"])
+            log_group_resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @region)
 
             retries = 0
             begin 
-              MU::Cloud::AWS.cloudtrail(region: @config["region"], credentials: @config["credentials"]).update_trail(
+              MU::Cloud::AWS.cloudtrail(region: @region, credentials: @credentials).update_trail(
                 name: trail_resp.name,
                 cloud_watch_logs_log_group_arn: log_group_resp.arn,
                 cloud_watch_logs_role_arn: iam_resp.role.arn
@@ -270,9 +270,9 @@ module MU
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -283,7 +283,7 @@ module MU
           bok['name'] = cloud_desc.log_group_name.sub(/.*?\/([^\/]+)$/, '\1')
 
           if cloud_desc.metric_filter_count > 0
-            resp = MU::Cloud::AWS.cloudwatchlogs(region: @config['region'], credentials: @credentials).describe_metric_filters(
+            resp = MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).describe_metric_filters(
               log_group_name: @cloud_id
             )
             resp.metric_filters.each { |filter|

data/modules/mu/providers/aws/msg_queue.rb

@@ -33,7 +33,7 @@ module MU
           namestr += ".fifo" if attrs['FifoQueue']
 
           MU.log "Creating SQS queue #{namestr}", details: attrs
-          resp = MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).create_queue(
+          resp = MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).create_queue(
             queue_name: namestr,
             attributes: attrs
           )
@@ -60,7 +60,7 @@ module MU
           }
           if changed
             MU.log "Updating SQS queue #{@mu_name}", MU::NOTICE, details: new_attrs
-            MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).set_queue_attributes(
+            MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).set_queue_attributes(
               queue_url: @cloud_id,
               attributes: new_attrs
             )
@@ -71,7 +71,7 @@ module MU
         # Canonical Amazon Resource Number for this resource
         # @return [String]
         def arn
-          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":sqs:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":"+@cloud_id
+          "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":sqs:"+@region+":"+MU::Cloud::AWS.credToAcct(@credentials)+":"+@cloud_id
         end
 
         @cloud_desc_cache = nil
@@ -83,7 +83,7 @@ module MU
           return nil if !@cloud_id
 
           if !@cloud_id
-            resp = MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).list_queues(
+            resp = MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).list_queues(
               queue_name_prefix: @mu_name
             )
             return nil if !resp or !resp.queue_urls
@@ -98,8 +98,8 @@ module MU
           return nil if !@cloud_id
           @cloud_desc_cache = MU::Cloud::AWS::MsgQueue.find(
             cloud_id: @cloud_id.dup,
-            region: @config['region'],
-            credentials: @config['credentials']
+            region: @region,
+            credentials: @credentials
           )
           @cloud_desc_cache
         end
@@ -110,8 +110,8 @@ module MU
           cloud_desc
           deploy_struct = MU::Cloud::AWS::MsgQueue.find(
             cloud_id: @cloud_id,
-            region: @config['region'],
-            credentials: @config['credentials']
+            region: @region,
+            credentials: @credentials
           )
           return deploy_struct
         end
@@ -426,7 +426,7 @@ module MU
             if sibling # resolve sibling queues to something useful
               id = sibling.cloud_id
             end
-            desc = MU::Cloud::AWS::MsgQueue.find(cloud_id: id, credentials: @config['credentials'])
+            desc = MU::Cloud::AWS::MsgQueue.find(cloud_id: id, credentials: @credentials)
             if !desc
               raise MuError, "Failed to get cloud descriptor for SQS queue #{@config['failqueue']['name']}"
             end
@@ -484,7 +484,7 @@ module MU
           end
 
           begin
-            MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).tag_queue(
+            MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).tag_queue(
               queue_url: url,
               tags: tags
             )

data/modules/mu/providers/aws/nosqldb.rb

@@ -114,11 +114,11 @@ module MU
 
           MU.log "Creating DynamoDB table #{@mu_name}", MU::NOTICE, details: params
 
-          resp = MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).create_table(params)
+          resp = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).create_table(params)
           @cloud_id = @mu_name
 
           begin
-            resp = MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).describe_table(table_name: @cloud_id)
+            resp = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).describe_table(table_name: @cloud_id)
             sleep 5 if resp.table.table_status == "CREATING"
           end while resp.table.table_status == "CREATING"
 
@@ -130,7 +130,7 @@ module MU
             begin
               batch = items_to_write.slice!(0, (items_to_write.length >= 25 ? 25 : items_to_write.length))
               begin
-                MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).batch_write_item(
+                MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).batch_write_item(
                   request_items: {
                     @cloud_id => batch.map { |i| { put_request: { item: i } } }
                   }
@@ -162,7 +162,7 @@ module MU
             }
           end
 
-          MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).tag_resource(
+          MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).tag_resource(
             resource_arn: arn,
             tags: tagset
           )
@@ -281,9 +281,9 @@ module MU
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -318,10 +318,10 @@ module MU
 
             bok['stream'] = cloud_desc.stream_specification.stream_view_type
 #            cloud_desc.latest_stream_arn
-#            MU::Cloud::AWS.dynamostream(credentials: @credentials, region: @config['region']).list_streams
+#            MU::Cloud::AWS.dynamostream(credentials: @credentials, region: @region).list_streams
           end
 
-          bok["populate"] = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @config['region']).scan(
+          bok["populate"] = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).scan(
             table_name: @cloud_id
           ).items
 

data/modules/mu/providers/aws/notifier.rb

@@ -28,7 +28,7 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def create
           @cloud_id = @mu_name
-          MU::Cloud::AWS.sns(region: @config['region'], credentials: @config['credentials']).create_topic(name: @cloud_id)
+          MU::Cloud::AWS.sns(region: @region, credentials: @credentials).create_topic(name: @cloud_id)
           MU.log "Created SNS topic #{@mu_name}"
         end
 
@@ -52,7 +52,7 @@ module MU
         # @param endpoint [String]: The address, identifier, or ARN of the resource being subscribed
         # @param protocol [String]: The protocol being subscribed
         def subscribe(endpoint, protocol)
-          self.class.subscribe(arn, endpoint, protocol, region: @config['region'], credentials: @credentials)
+          self.class.subscribe(arn, endpoint, protocol, region: @region, credentials: @credentials)
         end
 
         # Subscribe something to an SNS topic
@@ -116,14 +116,14 @@ module MU
         # @return [String]
         def arn
           @cloud_id ||= @mu_name
-          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":sns:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":"+@cloud_id
+          "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":sns:"+@region+":"+MU::Cloud::AWS.credToAcct(@credentials)+":"+@cloud_id
         end
 
         # Return the metadata for this user cofiguration
         # @return [Hash]
         def notify
           return nil if !@cloud_id or !cloud_desc(use_cache: false)
-          desc = MU::Cloud::AWS.sns(region: @config["region"], credentials: @config["credentials"]).get_topic_attributes(topic_arn: arn).attributes
+          desc = MU::Cloud::AWS.sns(region: @region, credentials: @credentials).get_topic_attributes(topic_arn: arn).attributes
           MU.structToHash(desc)
         end
 
@@ -165,9 +165,9 @@ module MU
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -180,7 +180,7 @@ module MU
             "lambda" => "functions",
             "sqs" => "msg_queues"
           }
-          MU::Cloud::AWS.sns(region: @config['region'], credentials: @credentials).list_subscriptions_by_topic(topic_arn: cloud_desc["TopicArn"]).subscriptions.each { |sub|
+          MU::Cloud::AWS.sns(region: @region, credentials: @credentials).list_subscriptions_by_topic(topic_arn: cloud_desc["TopicArn"]).subscriptions.each { |sub|
             bok['subscriptions'] ||= []
 
             bok['subscriptions'] << if sub.endpoint.match(/^arn:[^:]+:(sqs|lambda):([^:]+):(\d+):.*?([^:\/]+)$/)

data/modules/mu/providers/aws/role.rb

@@ -30,7 +30,7 @@ module MU
             end
           end
 
-          @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 64)
+          @mu_name ||= @config['scrub_mu_isms'] ? @config['name'] : @deploy.getResourceName(@config["name"], max_length: 64)
         end
 
         # Called automatically by {MU::Deploy#createResources}
@@ -43,7 +43,7 @@ module MU
 
               policy_name = @mu_name+"-"+policy.keys.first.upcase
               MU.log "Creating IAM policy #{policy_name}"
-              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
+              MU::Cloud::AWS.iam(credentials: @credentials).create_policy(
                 policy_name: policy_name,
                 path: "/"+@deploy.deploy_id+"/",
                 policy_document: JSON.generate(policy.values.first),
@@ -53,16 +53,18 @@ module MU
           end
 
           if !@config['bare_policies']
-            MU.log "Creating IAM role #{@mu_name}"
             @cloud_id = @mu_name
             path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
-              path: path,
-              role_name: @mu_name,
-              description: "Generated by Mu",
-              assume_role_policy_document: gen_assume_role_policy_doc,
-              tags: get_tag_params
-            )
+            params = {
+              :path => path,
+              :role_name => @mu_name,
+              :description => "Generated by Mu",
+              :assume_role_policy_document => gen_assume_role_policy_doc,
+              :tags => get_tag_params(@config['scrub_mu_isms'])
+            }
+
+            MU.log "Creating IAM role #{@mu_name} (#{@credentials})", details: params
+            MU::Cloud::AWS.iam(credentials: @credentials).create_role(params)
           end
         end
 
@@ -75,7 +77,7 @@ module MU
           end
 
           if !@config['bare_policies']
-            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role(
+            resp = MU::Cloud::AWS.iam(credentials: @credentials).get_role(
               role_name: @mu_name
             ).role
             ext_tags = resp.tags.map { |t| t.to_h }
@@ -84,7 +86,7 @@ module MU
 
             if tag_param.size > 0
               MU.log "Updating tags on IAM role #{@mu_name}", MU::NOTICE, details: tag_param
-              MU::Cloud::AWS.iam(credentials: @config['credentials']).tag_role(role_name: @mu_name, tags: tag_param)
+              MU::Cloud::AWS.iam(credentials: @credentials).tag_role(role_name: @mu_name, tags: tag_param)
             end
           end
 
@@ -92,13 +94,14 @@ module MU
             configured_policies = []
 
             if @config['raw_policies']
+              MU.log "Attaching #{@config['raw_policies'].size.to_s} raw #{@config['raw_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies = @config['raw_policies'].map { |p|
                 @mu_name+"-"+p.keys.first.upcase
               }
             end
 
             if @config['attachable_policies']
-              MU.log "Attaching #{@config['attachable_policies'].size.to_s} #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
+              MU.log "Attaching #{@config['attachable_policies'].size.to_s} external #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies.concat(@config['attachable_policies'].map { |p|
                 id = if p.is_a?(MU::Config::Ref)
                   p.cloud_id
@@ -109,18 +112,17 @@ module MU
                 end
                 id.gsub(/.*?\/([^:\/]+)$/, '\1')
               })
-              configured_policies.each { |pol|
-              }
             end
 
+            # Purge anything that doesn't belong
             if !@config['bare_policies']
-              attached_policies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
+              attached_policies = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
                 role_name: @mu_name
               ).attached_policies
               attached_policies.each { |a|
                 if !configured_policies.include?(a.policy_name)
-                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE
-                  MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @config['credentials'])
+                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
+                  MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @credentials)
                 end
               }
             end
@@ -153,8 +155,8 @@ module MU
             policy.values.each { |p|
               p["Version"] ||= "2012-10-17"
             }
-            policy_name = basename+"-"+policy.keys.first.upcase
 
+            policy_name = basename+"-"+policy.keys.first.upcase
             arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
             resp = begin
               desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
@@ -164,7 +166,7 @@ module MU
                 version_id: desc.policy.default_version_id
               )
 
-              ext = JSON.parse(URI.decode(version.policy_version.document))
+              ext = JSON.parse(CGI.unescape(version.policy_version.document))
               if ext != policy.values.first
                 # Special exception- we don't want to overwrite extra rules
                 # in MuSecrets policies, because our siblings might have 
@@ -184,12 +186,16 @@ module MU
 
             rescue Aws::IAM::Errors::NoSuchEntity
               MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
-              MU::Cloud::AWS.iam(credentials: credentials).create_policy(
+              desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
                 policy_name: policy_name,
                 path: path+"/",
                 policy_document: JSON.generate(policy.values.first),
                 description: "Raw policy from #{basename}"
               )
+              MU.retrier([Aws::IAM::Errors::NoSuchEntity], loop_if: Proc.new { desc.nil? }) {
+                desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
+              }
+              desc
             end
             arns << resp.policy.arn
           }
@@ -216,6 +222,7 @@ module MU
         # populated with one or both depending on what this resource has
         # defined.
         def cloud_desc(use_cache: true)
+          require 'aws-sdk-iam'
 
           # we might inherit a naive cached description from the base cloud
           # layer; rearrange it to our tastes
@@ -305,8 +312,8 @@ end
         # Insert a new target entity into an existing policy. 
         # @param policy [String]: The name of the policy to which we're appending, which must already exist as part of this role resource
         # @param targets [Array<String>]: The target resource. If +target_type+ isn't specified, this should be a fully-resolved ARN.
-        def injectPolicyTargets(policy, targets)
-          if !policy.match(/^#{@deploy.deploy_id}/)
+        def injectPolicyTargets(policy, targets, attach: false)
+          if @deploy and !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
           my_policies = cloud_desc(use_cache: false)["policies"]
@@ -316,7 +323,7 @@ end
           my_policies.each { |p|
             if p.policy_name == policy
               seen_policy = true
-              old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
+              old = MU::Cloud::AWS.iam(credentials: @credentials).get_policy_version(
                 policy_arn: p.arn,
                 version_id: p.default_version_id
               ).policy_version
@@ -328,7 +335,7 @@ end
                 targets.each { |target|
                   target_string = target
 
-                  if target['type']
+                  if target['type'] and @deploy
                     sibling = @deploy.findLitterMate(
                       name: target["identifier"],
                       type: target["type"]
@@ -575,7 +582,7 @@ end
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id
           }
 
@@ -609,7 +616,7 @@ end
                     policy_name: pol.policy_name
                   )
                   if resp and resp.policy_document
-                    JSON.parse(URI.decode(resp.policy_document))
+                    JSON.parse(CGI.unescape(resp.policy_document))
                   end
                 rescue ::Aws::IAM::Errors::NoSuchEntity, ::Aws::IAM::Errors::ValidationError
                   resp = MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
@@ -619,7 +626,7 @@ end
                     policy_arn: pol.arn,
                     version_id: resp.policy.default_version_id
                   )
-                  JSON.parse(URI.decode(version.policy_version.document))
+                  JSON.parse(CGI.unescape(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
@@ -635,7 +642,7 @@ end
           bok["strip_path"] = true if desc.path == "/"
 
           if desc.assume_role_policy_document
-            assume_doc = JSON.parse(URI.decode(desc.assume_role_policy_document))
+            assume_doc = JSON.parse(CGI.unescape(desc.assume_role_policy_document))
             assume_doc["Statement"].each { |s|
               bok["can_assume"] ||= []
               method = if s["Action"] == "sts:AssumeRoleWithWebIdentity"
@@ -768,12 +775,12 @@ end
         def bindTo(entitytype, entityname)
           if entitytype == "instance_profile"
             begin
-              resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
+              resp = MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
                 instance_profile_name: entityname
               ).instance_profile
 
               if !resp.roles.map { |r| r.role_name}.include?(@mu_name)
-                MU::Cloud::AWS.iam(credentials: @config['credentials']).add_role_to_instance_profile(
+                MU::Cloud::AWS.iam(credentials: @credentials).add_role_to_instance_profile(
                   instance_profile_name: entityname,
                   role_name: @mu_name
                 )
@@ -783,30 +790,30 @@ end
               raise e
             end
           elsif ["user", "group", "role"].include?(entitytype)
-            mypolicies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_policies(
+            mypolicies = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
               path_prefix: "/"+@deploy.deploy_id+"/"
             ).policies
             mypolicies.reject! { |p|
-              !p.policy_name.match(/^#{Regexp.quote(@mu_name)}-/)
+              !p.policy_name.match(/^#{Regexp.quote(@mu_name)}(-|$)/)
             }
 
             if @config['attachable_policies']
               @config['attachable_policies'].each { |policy_hash|
                 policy = policy_hash["id"]
                 p_arn = if !policy.match(/^arn:/i)
-                  "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/"+policy
+                  "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":iam::aws:policy/"+policy
                 else
                   policy
                 end
 
                 subpaths = ["service-role", "aws-service-role", "job-function"]
                 begin
-                  mypolicies << MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(
+                  mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
                     policy_arn: p_arn
                   ).policy
                 rescue Aws::IAM::Errors::NoSuchEntity => e
                   if subpaths.size > 0
-                    p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
+                    p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
                     retry
                   end
                   raise e
@@ -814,39 +821,52 @@ end
               }
             end
 
+            if @config['raw_policies']
+              raw_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+                @config['raw_policies'],
+                basename: @deploy.getResourceName(@config['name']),
+                credentials: @credentials
+              )
+              raw_arns.each { |p_arn|
+                mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
+                  policy_arn: p_arn
+                ).policy
+              }
+            end
+
             mypolicies.each { |p|
               if entitytype == "user"
-                resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_user_policies(
+                resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_user_policies(
                   path_prefix: "/"+@deploy.deploy_id+"/",
                   user_name: entityname
                 )
                 if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
                   MU.log "Attaching IAM policy #{p.policy_name} to user #{entityname}", MU::NOTICE
-                  MU::Cloud::AWS.iam(credentials: @config['credentials']).attach_user_policy(
+                  MU::Cloud::AWS.iam(credentials: @credentials).attach_user_policy(
                     policy_arn: p.arn,
                     user_name: entityname
                   )
                 end
               elsif entitytype == "group"
-                resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_group_policies(
+                resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_group_policies(
                   path_prefix: "/"+@deploy.deploy_id+"/",
                   group_name: entityname
                 )
                 if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
                   MU.log "Attaching policy #{p.policy_name} to group #{entityname}", MU::NOTICE
-                  MU::Cloud::AWS.iam(credentials: @config['credentials']).attach_group_policy(
+                  MU::Cloud::AWS.iam(credentials: @credentials).attach_group_policy(
                     policy_arn: p.arn,
                     group_name: entityname
                   )
                 end
               elsif entitytype == "role"
-                resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
+                resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
                   role_name: entityname
                 )
 
                 if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
                   MU.log "Attaching policy #{p.policy_name} to role #{entityname}", MU::NOTICE
-                  MU::Cloud::AWS.iam(credentials: @config['credentials']).attach_role_policy(
+                  MU::Cloud::AWS.iam(credentials: @credentials).attach_role_policy(
                     policy_arn: p.arn,
                     role_name: entityname
                   )
@@ -867,19 +887,19 @@ end
           end
 
           resp = begin
-            MU.log "Creating instance profile #{@mu_name} #{@config['credentials']}"
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_instance_profile(
+            MU.log "Creating instance profile #{@mu_name} #{@credentials}"
+            MU::Cloud::AWS.iam(credentials: @credentials).create_instance_profile(
               instance_profile_name: @mu_name
             )
           rescue Aws::IAM::Errors::EntityAlreadyExists
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
+            MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
               instance_profile_name: @mu_name
             )
           end
 
           # make sure it's really there before moving on
           begin
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(instance_profile_name: @mu_name)
+            MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(instance_profile_name: @mu_name)
           rescue Aws::IAM::Errors::NoSuchEntity => e
             MU.log e.inspect, MU::WARN
             sleep 10
@@ -1067,6 +1087,8 @@ end
             role.delete("import")
           end
 
+          role['strip_path'] = true if role['scrub_mu_isms']
+
           # If we're attaching some managed policies, make sure all of the ones
           # that should already exist do indeed exist
           if role['attachable_policies']
@@ -1097,7 +1119,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  MU::Config.addDependency(role, target['identifier'], target['type'], no_create_wait: true)
+                  MU::Config.addDependency(role, target['identifier'], target['type'], my_phase: "groom")
                 end
               }
             }