cloud-mu 3.4.0 → 3.5.0

data/modules/mu/providers/aws/log.rb

@@ -30,13 +30,13 @@ module MU
           @config["log_group_name"] = @mu_name
           @config["log_stream_name"] =
             if @config["enable_cloudtrail_logging"]
-              "#{MU::Cloud::AWS.credToAcct(@config['credentials'])}_CloudTrail_#{@config["region"]}"
+              "#{MU::Cloud::AWS.credToAcct(@credentials)}_CloudTrail_#{@region}"
             else
               @mu_name
             end
 
           MU.log "Creating log group #{@mu_name}"
-          MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).create_log_group(
+          MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).create_log_group(
             log_group_name: @config["log_group_name"],
             tags: @tags
           )
@@ -45,7 +45,7 @@ module MU
           retries = 0
           max_retries = 5
           begin
-            resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @config["region"])
+            resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @region)
             if resp.nil?
               if retries >= max_retries
                 raise MuError, "Cloudwatch Logs group #{@config["log_group_name"]} creation hasn't succeeded after #{(retries*max_retries).to_s}s"
@@ -56,19 +56,19 @@ module MU
             end
           end while resp.nil?
 
-          MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).create_log_stream(
+          MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).create_log_stream(
             log_group_name: @config["log_group_name"],
             log_stream_name: @config["log_stream_name"]
           )
 
-          MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).put_retention_policy(
+          MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).put_retention_policy(
             log_group_name: @config["log_group_name"],
             retention_in_days: @config["retention_period"]
           )
 
           if @config["filters"] && !@config["filters"].empty?
             @config["filters"].each{ |filter|
-              MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @config["credentials"]).put_metric_filter(
+              MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).put_metric_filter(
                 log_group_name: @config["log_group_name"],
                 filter_name: filter["name"],
                 filter_pattern: filter["search_pattern"],
@@ -82,8 +82,8 @@ module MU
           end
 
           if @config["enable_cloudtrail_logging"]
-            trail_resp = MU::Cloud::AWS.cloudtrail(region: @config["region"], credentials: @config["credentials"]).describe_trails.trail_list.first
-            raise MuError, "Can't find a cloudtrail in #{MU::Cloud::AWS.credToAcct(@config['credentials'])}/#{@config["region"]}. Please create cloudtrail before enabling logging on it" unless trail_resp
+            trail_resp = MU::Cloud::AWS.cloudtrail(region: @region, credentials: @credentials).describe_trails.trail_list.first
+            raise MuError, "Can't find a cloudtrail in #{MU::Cloud::AWS.credToAcct(@credentials)}/#{@region}. Please create cloudtrail before enabling logging on it" unless trail_resp
 
             iam_policy = '{
               "Version": "2012-10-17",
@@ -96,7 +96,7 @@ module MU
                     "logs:PutLogEventsBatch",
                     "logs:PutLogEvents"
                   ],
-                  "Resource": "arn:'+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+':logs:'+@config["region"]+':'+MU::Cloud::AWS.credToAcct(@config['credentials'])+':log-group:'+@config["log_group_name"]+':log-stream:'+@config["log_stream_name"]+'*"
+                  "Resource": "arn:'+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+':logs:'+@region+':'+MU::Cloud::AWS.credToAcct(@credentials)+':log-group:'+@config["log_group_name"]+':log-stream:'+@config["log_stream_name"]+'*"
                 }
               ]
             }'
@@ -132,11 +132,11 @@ module MU
               policy_document: iam_policy
             )
 
-            log_group_resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @config["region"])
+            log_group_resp = MU::Cloud::AWS::Log.getLogGroupByName(@config["log_group_name"], region: @region)
 
             retries = 0
             begin 
-              MU::Cloud::AWS.cloudtrail(region: @config["region"], credentials: @config["credentials"]).update_trail(
+              MU::Cloud::AWS.cloudtrail(region: @region, credentials: @credentials).update_trail(
                 name: trail_resp.name,
                 cloud_watch_logs_log_group_arn: log_group_resp.arn,
                 cloud_watch_logs_role_arn: iam_resp.role.arn
@@ -270,9 +270,9 @@ module MU
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -283,7 +283,7 @@ module MU
           bok['name'] = cloud_desc.log_group_name.sub(/.*?\/([^\/]+)$/, '\1')
 
           if cloud_desc.metric_filter_count > 0
-            resp = MU::Cloud::AWS.cloudwatchlogs(region: @config['region'], credentials: @credentials).describe_metric_filters(
+            resp = MU::Cloud::AWS.cloudwatchlogs(region: @region, credentials: @credentials).describe_metric_filters(
               log_group_name: @cloud_id
             )
             resp.metric_filters.each { |filter|

data/modules/mu/providers/aws/msg_queue.rb

@@ -33,7 +33,7 @@ module MU
           namestr += ".fifo" if attrs['FifoQueue']
 
           MU.log "Creating SQS queue #{namestr}", details: attrs
-          resp = MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).create_queue(
+          resp = MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).create_queue(
             queue_name: namestr,
             attributes: attrs
           )
@@ -60,7 +60,7 @@ module MU
           }
           if changed
             MU.log "Updating SQS queue #{@mu_name}", MU::NOTICE, details: new_attrs
-            MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).set_queue_attributes(
+            MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).set_queue_attributes(
               queue_url: @cloud_id,
               attributes: new_attrs
             )
@@ -71,7 +71,7 @@ module MU
         # Canonical Amazon Resource Number for this resource
         # @return [String]
         def arn
-          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":sqs:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":"+@cloud_id
+          "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":sqs:"+@region+":"+MU::Cloud::AWS.credToAcct(@credentials)+":"+@cloud_id
         end
 
         @cloud_desc_cache = nil
@@ -83,7 +83,7 @@ module MU
           return nil if !@cloud_id
 
           if !@cloud_id
-            resp = MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).list_queues(
+            resp = MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).list_queues(
               queue_name_prefix: @mu_name
             )
             return nil if !resp or !resp.queue_urls
@@ -98,8 +98,8 @@ module MU
           return nil if !@cloud_id
           @cloud_desc_cache = MU::Cloud::AWS::MsgQueue.find(
             cloud_id: @cloud_id.dup,
-            region: @config['region'],
-            credentials: @config['credentials']
+            region: @region,
+            credentials: @credentials
           )
           @cloud_desc_cache
         end
@@ -110,8 +110,8 @@ module MU
           cloud_desc
           deploy_struct = MU::Cloud::AWS::MsgQueue.find(
             cloud_id: @cloud_id,
-            region: @config['region'],
-            credentials: @config['credentials']
+            region: @region,
+            credentials: @credentials
           )
           return deploy_struct
         end
@@ -426,7 +426,7 @@ module MU
             if sibling # resolve sibling queues to something useful
               id = sibling.cloud_id
             end
-            desc = MU::Cloud::AWS::MsgQueue.find(cloud_id: id, credentials: @config['credentials'])
+            desc = MU::Cloud::AWS::MsgQueue.find(cloud_id: id, credentials: @credentials)
             if !desc
               raise MuError, "Failed to get cloud descriptor for SQS queue #{@config['failqueue']['name']}"
             end
@@ -484,7 +484,7 @@ module MU
           end
 
           begin
-            MU::Cloud::AWS.sqs(region: @config['region'], credentials: @config['credentials']).tag_queue(
+            MU::Cloud::AWS.sqs(region: @region, credentials: @credentials).tag_queue(
               queue_url: url,
               tags: tags
             )

data/modules/mu/providers/aws/nosqldb.rb

@@ -114,11 +114,11 @@ module MU
 
           MU.log "Creating DynamoDB table #{@mu_name}", MU::NOTICE, details: params
 
-          resp = MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).create_table(params)
+          resp = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).create_table(params)
           @cloud_id = @mu_name
 
           begin
-            resp = MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).describe_table(table_name: @cloud_id)
+            resp = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).describe_table(table_name: @cloud_id)
             sleep 5 if resp.table.table_status == "CREATING"
           end while resp.table.table_status == "CREATING"
 
@@ -130,7 +130,7 @@ module MU
             begin
               batch = items_to_write.slice!(0, (items_to_write.length >= 25 ? 25 : items_to_write.length))
               begin
-                MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).batch_write_item(
+                MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).batch_write_item(
                   request_items: {
                     @cloud_id => batch.map { |i| { put_request: { item: i } } }
                   }
@@ -162,7 +162,7 @@ module MU
             }
           end
 
-          MU::Cloud::AWS.dynamo(credentials: @config['credentials'], region: @config['region']).tag_resource(
+          MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).tag_resource(
             resource_arn: arn,
             tags: tagset
           )
@@ -281,9 +281,9 @@ module MU
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -318,10 +318,10 @@ module MU
 
             bok['stream'] = cloud_desc.stream_specification.stream_view_type
 #            cloud_desc.latest_stream_arn
-#            MU::Cloud::AWS.dynamostream(credentials: @credentials, region: @config['region']).list_streams
+#            MU::Cloud::AWS.dynamostream(credentials: @credentials, region: @region).list_streams
           end
 
-          bok["populate"] = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @config['region']).scan(
+          bok["populate"] = MU::Cloud::AWS.dynamo(credentials: @credentials, region: @region).scan(
             table_name: @cloud_id
           ).items
 

data/modules/mu/providers/aws/notifier.rb

@@ -28,7 +28,7 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def create
           @cloud_id = @mu_name
-          MU::Cloud::AWS.sns(region: @config['region'], credentials: @config['credentials']).create_topic(name: @cloud_id)
+          MU::Cloud::AWS.sns(region: @region, credentials: @credentials).create_topic(name: @cloud_id)
           MU.log "Created SNS topic #{@mu_name}"
         end
 
@@ -52,7 +52,7 @@ module MU
         # @param endpoint [String]: The address, identifier, or ARN of the resource being subscribed
         # @param protocol [String]: The protocol being subscribed
         def subscribe(endpoint, protocol)
-          self.class.subscribe(arn, endpoint, protocol, region: @config['region'], credentials: @credentials)
+          self.class.subscribe(arn, endpoint, protocol, region: @region, credentials: @credentials)
         end
 
         # Subscribe something to an SNS topic
@@ -116,14 +116,14 @@ module MU
         # @return [String]
         def arn
           @cloud_id ||= @mu_name
-          "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":sns:"+@config['region']+":"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":"+@cloud_id
+          "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":sns:"+@region+":"+MU::Cloud::AWS.credToAcct(@credentials)+":"+@cloud_id
         end
 
         # Return the metadata for this user cofiguration
         # @return [Hash]
         def notify
           return nil if !@cloud_id or !cloud_desc(use_cache: false)
-          desc = MU::Cloud::AWS.sns(region: @config["region"], credentials: @config["credentials"]).get_topic_attributes(topic_arn: arn).attributes
+          desc = MU::Cloud::AWS.sns(region: @region, credentials: @credentials).get_topic_attributes(topic_arn: arn).attributes
           MU.structToHash(desc)
         end
 
@@ -165,9 +165,9 @@ module MU
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -180,7 +180,7 @@ module MU
             "lambda" => "functions",
             "sqs" => "msg_queues"
           }
-          MU::Cloud::AWS.sns(region: @config['region'], credentials: @credentials).list_subscriptions_by_topic(topic_arn: cloud_desc["TopicArn"]).subscriptions.each { |sub|
+          MU::Cloud::AWS.sns(region: @region, credentials: @credentials).list_subscriptions_by_topic(topic_arn: cloud_desc["TopicArn"]).subscriptions.each { |sub|
             bok['subscriptions'] ||= []
 
             bok['subscriptions'] << if sub.endpoint.match(/^arn:[^:]+:(sqs|lambda):([^:]+):(\d+):.*?([^:\/]+)$/)

data/modules/mu/providers/aws/role.rb

@@ -30,7 +30,7 @@ module MU
             end
           end
 
-          @mu_name ||= @deploy.getResourceName(@config["name"], max_length: 64)
+          @mu_name ||= @config['scrub_mu_isms'] ? @config['name'] : @deploy.getResourceName(@config["name"], max_length: 64)
         end
 
         # Called automatically by {MU::Deploy#createResources}
@@ -60,7 +60,7 @@ module MU
               :role_name => @mu_name,
               :description => "Generated by Mu",
               :assume_role_policy_document => gen_assume_role_policy_doc,
-              :tags => get_tag_params
+              :tags => get_tag_params(@config['scrub_mu_isms'])
             }
 
             MU.log "Creating IAM role #{@mu_name} (#{@credentials})", details: params
@@ -166,7 +166,7 @@ module MU
                 version_id: desc.policy.default_version_id
               )
 
-              ext = JSON.parse(URI.decode(version.policy_version.document))
+              ext = JSON.parse(CGI.unescape(version.policy_version.document))
               if ext != policy.values.first
                 # Special exception- we don't want to overwrite extra rules
                 # in MuSecrets policies, because our siblings might have 
@@ -194,7 +194,6 @@ module MU
               )
               MU.retrier([Aws::IAM::Errors::NoSuchEntity], loop_if: Proc.new { desc.nil? }) {
                 desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
-                pp desc
               }
               desc
             end
@@ -223,6 +222,7 @@ module MU
         # populated with one or both depending on what this resource has
         # defined.
         def cloud_desc(use_cache: true)
+          require 'aws-sdk-iam'
 
           # we might inherit a naive cached description from the base cloud
           # layer; rearrange it to our tastes
@@ -312,8 +312,8 @@ end
         # Insert a new target entity into an existing policy. 
         # @param policy [String]: The name of the policy to which we're appending, which must already exist as part of this role resource
         # @param targets [Array<String>]: The target resource. If +target_type+ isn't specified, this should be a fully-resolved ARN.
-        def injectPolicyTargets(policy, targets)
-          if !policy.match(/^#{@deploy.deploy_id}/)
+        def injectPolicyTargets(policy, targets, attach: false)
+          if @deploy and !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
           my_policies = cloud_desc(use_cache: false)["policies"]
@@ -328,14 +328,14 @@ end
                 version_id: p.default_version_id
               ).policy_version
 
-              doc = JSON.parse URI.decode_www_form_component old.document
+              doc = JSON.parse CGI.unescape_www_form_component old.document
               need_update = false
 
               doc["Statement"].each { |s|
                 targets.each { |target|
                   target_string = target
 
-                  if target['type']
+                  if target['type'] and @deploy
                     sibling = @deploy.findLitterMate(
                       name: target["identifier"],
                       type: target["type"]
@@ -616,7 +616,7 @@ end
                     policy_name: pol.policy_name
                   )
                   if resp and resp.policy_document
-                    JSON.parse(URI.decode(resp.policy_document))
+                    JSON.parse(CGI.unescape(resp.policy_document))
                   end
                 rescue ::Aws::IAM::Errors::NoSuchEntity, ::Aws::IAM::Errors::ValidationError
                   resp = MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
@@ -626,7 +626,7 @@ end
                     policy_arn: pol.arn,
                     version_id: resp.policy.default_version_id
                   )
-                  JSON.parse(URI.decode(version.policy_version.document))
+                  JSON.parse(CGI.unescape(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
@@ -642,7 +642,7 @@ end
           bok["strip_path"] = true if desc.path == "/"
 
           if desc.assume_role_policy_document
-            assume_doc = JSON.parse(URI.decode(desc.assume_role_policy_document))
+            assume_doc = JSON.parse(CGI.unescape(desc.assume_role_policy_document))
             assume_doc["Statement"].each { |s|
               bok["can_assume"] ||= []
               method = if s["Action"] == "sts:AssumeRoleWithWebIdentity"
@@ -794,14 +794,14 @@ end
               path_prefix: "/"+@deploy.deploy_id+"/"
             ).policies
             mypolicies.reject! { |p|
-              !p.policy_name.match(/^#{Regexp.quote(@mu_name)}-/)
+              !p.policy_name.match(/^#{Regexp.quote(@mu_name)}(-|$)/)
             }
 
             if @config['attachable_policies']
               @config['attachable_policies'].each { |policy_hash|
                 policy = policy_hash["id"]
                 p_arn = if !policy.match(/^arn:/i)
-                  "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/"+policy
+                  "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":iam::aws:policy/"+policy
                 else
                   policy
                 end
@@ -813,7 +813,7 @@ end
                   ).policy
                 rescue Aws::IAM::Errors::NoSuchEntity => e
                   if subpaths.size > 0
-                    p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
+                    p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
                     retry
                   end
                   raise e
@@ -1087,6 +1087,8 @@ end
             role.delete("import")
           end
 
+          role['strip_path'] = true if role['scrub_mu_isms']
+
           # If we're attaching some managed policies, make sure all of the ones
           # that should already exist do indeed exist
           if role['attachable_policies']
@@ -1117,7 +1119,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  MU::Config.addDependency(role, target['identifier'], target['type'], no_create_wait: true)
+                  MU::Config.addDependency(role, target['identifier'], target['type'], my_phase: "groom")
                 end
               }
             }

data/modules/mu/providers/aws/search_domain.rb

@@ -36,7 +36,7 @@ module MU
 
           MU.log "Creating ElasticSearch domain #{@config['domain_name']}", details: params
           @cloud_id = @config['domain_name']
-          MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).create_elasticsearch_domain(params).domain_status
+          MU::Cloud::AWS.elasticsearch(region: @region, credentials: @credentials).create_elasticsearch_domain(params).domain_status
 
           tagDomain
 
@@ -52,7 +52,7 @@ module MU
             waitWhileProcessing # wait until the create finishes, if still going
 
             MU.log "Updating ElasticSearch domain #{@config['domain_name']}", MU::NOTICE, details: params
-            MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).update_elasticsearch_domain_config(params)
+            MU::Cloud::AWS.elasticsearch(region: @region, credentials: @credentials).update_elasticsearch_domain_config(params)
           end
 
           waitWhileProcessing # don't return until creation/updating is complete
@@ -68,7 +68,7 @@ module MU
           @cloud_id ||= @config['domain_name']
           return nil if !@cloud_id
           MU.retrier([::Aws::ElasticsearchService::Errors::ResourceNotFoundException], wait: 10, max: 12) {
-            @cloud_desc_cache = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).describe_elasticsearch_domain(
+            @cloud_desc_cache = MU::Cloud::AWS.elasticsearch(region: @region, credentials: @credentials).describe_elasticsearch_domain(
               domain_name: @cloud_id
             ).domain_status
           }
@@ -88,7 +88,7 @@ module MU
         def notify
           return nil if !cloud_desc(use_cache: false)
           deploy_struct = MU.structToHash(cloud_desc, stringify_keys: true)
-          tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).list_tags(arn: arn).tag_list
+          tags = MU::Cloud::AWS.elasticsearch(region: @region, credentials: @credentials).list_tags(arn: arn).tag_list
           deploy_struct['tags'] = tags.map { |t| { t.key => t.value } }
           if deploy_struct['endpoint']
             deploy_struct['kibana'] = deploy_struct['endpoint']+"/_plugin/kibana/"
@@ -200,7 +200,7 @@ module MU
             "cloud" => "AWS",
             "credentials" => @credentials,
             "cloud_id" => @cloud_id,
-            "region" => @config['region']
+            "region" => @region
           }
 
           if !cloud_desc
@@ -241,7 +241,7 @@ module MU
             bok['identity_pool_id'] = cloud_desc.cognito_options.identity_pool_id
           end
 
-          tags = MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).list_tags(arn: cloud_desc.arn).tag_list
+          tags = MU::Cloud::AWS.elasticsearch(region: @region, credentials: @credentials).list_tags(arn: cloud_desc.arn).tag_list
           if tags and !tags.empty?
             bok['tags'] = MU.structToHash(tags)
           end
@@ -252,7 +252,7 @@ module MU
               cloud: "AWS",
               credentials: @credentials,
               type: "vpcs",
-              region: @config['region'],
+              region: @region,
               subnets: cloud_desc.vpc_options.subnet_ids.map { |s| { "subnet_id" => s } }
             )
             if cloud_desc.vpc_options.security_group_ids and
@@ -262,7 +262,7 @@ module MU
                   id: sg,
                   cloud: "AWS",
                   credentials: @credentials,
-                  region: @config['region'],
+                  region: @region,
                   type: "firewall_rules",
                 )
               }
@@ -683,7 +683,7 @@ module MU
               params[:log_publishing_options]["SEARCH_SLOW_LOGS"] = {}
               params[:log_publishing_options]["SEARCH_SLOW_LOGS"][:enabled] = true
               params[:log_publishing_options]["SEARCH_SLOW_LOGS"][:cloud_watch_logs_log_group_arn] = arn
-              MU::Cloud.resourceClass("AWS", "Log").allowService("es.amazonaws.com", arn, @config['region'])
+              MU::Cloud.resourceClass("AWS", "Log").allowService("es.amazonaws.com", arn, @region)
             end
           end
 
@@ -813,7 +813,7 @@ module MU
             raise MU::MuError, "Can't tag ElasticSearch domain, cloud descriptor came back without an ARN"
           end
 
-          MU::Cloud::AWS.elasticsearch(region: @config['region'], credentials: @credentials).add_tags(
+          MU::Cloud::AWS.elasticsearch(region: @region, credentials: @credentials).add_tags(
             arn: domain.arn,
             tag_list: tags
           )