RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/cloud/resource_base.rb CHANGED Viewed

@@ -250,6 +250,7 @@ module MU
               @groomclass = MU::Groomer.loadGroomer(@config["groomer"])
               if windows? or @config['active_directory'] and !@mu_windows_name
+                describe # make sure @deploydata is populated
                 if !@deploydata.nil? and !@deploydata['mu_windows_name'].nil?
                   @mu_windows_name = @deploydata['mu_windows_name']
                 else
@@ -267,6 +268,11 @@ module MU
                 attr_reader :groomer
                 attr_reader :groomerclass
                 attr_accessor :mu_windows_name # XXX might be ok as reader now
+                if @cloudparentclass.respond_to?(:customAttrReaders)
+                  @cloudparentclass.customAttrReaders.each { |a|
+                    attr_reader a
+                  }
+                end
               end
             end
             @tags["Name"] ||= @mu_name if @mu_name
@@ -411,7 +417,7 @@ module MU
 #                end
               }
-              matches = self.class.find(args)
+              matches = self.class.find(**args)
               if !matches.nil? and matches.is_a?(Hash)
 # XXX or if the hash is keyed with an ::Id element, oh boy
 #                puts matches[@cloud_id][:self_link]
@@ -529,170 +535,11 @@ module MU
           # Special dependencies: my containing VPC
           if self.class.can_live_in_vpc and !@config['vpc'].nil?
-            @config['vpc']["id"] ||= @config['vpc']["vpc_id"] # old deploys
-            @config['vpc']["name"] ||= @config['vpc']["vpc_name"] # old deploys
-            # If something hash-ified a MU::Config::Ref here, fix it
-            if !@config['vpc']["id"].nil? and @config['vpc']["id"].is_a?(Hash)
-              @config['vpc']["id"] = MU::Config::Ref.new(@config['vpc']["id"])
-            end
-            if !@config['vpc']["id"].nil?
-              if @config['vpc']["id"].is_a?(MU::Config::Ref) and !@config['vpc']["id"].kitten.nil?
-                @vpc = @config['vpc']["id"].kitten(@deploy)
-              else
-                if @config['vpc']['habitat']
-                  @config['vpc']['habitat'] = MU::Config::Ref.get(@config['vpc']['habitat'])
-                end
-                vpc_ref = MU::Config::Ref.get(@config['vpc'])
-                @vpc = vpc_ref.kitten(@deploy)
-              end
-            elsif !@config['vpc']["name"].nil? and @deploy
-              MU.log "Attempting findLitterMate on VPC for #{self}", loglevel, details: @config['vpc']
-              sib_by_name = @deploy.findLitterMate(name: @config['vpc']['name'], type: "vpcs", return_all: true, habitat: @config['vpc']['project'], debug: debug)
-              if sib_by_name.is_a?(Hash)
-                if sib_by_name.size == 1
-                  @vpc = sib_by_name.values.first
-                  MU.log "Single VPC match for #{self}", loglevel, details: @vpc.to_s
-                else
-# XXX ok but this is the wrong place for this really the config parser needs to sort this out somehow
-                  # we got multiple matches, try to pick one by preferred subnet
-                  # behavior
-                  MU.log "Sorting a bunch of VPC matches for #{self}", loglevel, details: sib_by_name.map { |s| s.to_s }.join(", ")
-                  sib_by_name.values.each { |sibling|
-                    all_private = sibling.subnets.map { |s| s.private? }.all?(true)
-                    all_public = sibling.subnets.map { |s| s.private? }.all?(false)
-                    names = sibling.subnets.map { |s| s.name }
-                    ids = sibling.subnets.map { |s| s.cloud_id }
-                    if all_private and ["private", "all_private"].include?(@config['vpc']['subnet_pref'])
-                      @vpc = sibling
-                      break
-                    elsif all_public and ["public", "all_public"].include?(@config['vpc']['subnet_pref'])
-                      @vpc = sibling
-                      break
-                    elsif @config['vpc']['subnet_name'] and
-                          names.include?(@config['vpc']['subnet_name'])
-#puts "CHOOSING #{@vpc.to_s} 'cause it has #{@config['vpc']['subnet_name']}"
-                      @vpc = sibling
-                      break
-                    elsif @config['vpc']['subnet_id'] and
-                          ids.include?(@config['vpc']['subnet_id'])
-                      @vpc = sibling
-                      break
-                    end
-                  }
-                  if !@vpc
-                    sibling = sib_by_name.values.sample
-                    MU.log "Got multiple matching VPCs for #{self.class.cfg_name} #{@mu_name}, so I'm arbitrarily choosing #{sibling.mu_name}", MU::WARN, details: @config['vpc']
-                    @vpc = sibling
-                  end
-                end
-              else
-                @vpc = sib_by_name
-                MU.log "Found exact VPC match for #{self}", loglevel, details: sib_by_name.to_s
-              end
-            else
-              MU.log "No shortcuts available to fetch VPC for #{self}", loglevel, details: @config['vpc']
-            end
-            if !@vpc and !@config['vpc']["name"].nil? and
-                @dependencies.has_key?("vpc") and
-                @dependencies["vpc"].has_key?(@config['vpc']["name"])
-              MU.log "Grabbing VPC I see in @dependencies['vpc']['#{@config['vpc']["name"]}'] for #{self}", loglevel, details: @config['vpc']
-              @vpc = @dependencies["vpc"][@config['vpc']["name"]]
-            elsif !@vpc
-              tag_key, tag_value = @config['vpc']['tag'].split(/=/, 2) if !@config['vpc']['tag'].nil?
-              if !@config['vpc'].has_key?("id") and
-                  !@config['vpc'].has_key?("deploy_id") and !@deploy.nil?
-                @config['vpc']["deploy_id"] = @deploy.deploy_id
-              end
-              MU.log "Doing findStray for VPC for #{self}", loglevel, details: @config['vpc']
-              vpcs = MU::MommaCat.findStray(
-                @config['cloud'],
-                "vpc",
-                deploy_id: @config['vpc']["deploy_id"],
-                cloud_id: @config['vpc']["id"],
-                name: @config['vpc']["name"],
-                tag_key: tag_key,
-                tag_value: tag_value,
-                habitats: [@project_id],
-                region: @config['vpc']["region"],
-                calling_deploy: @deploy,
-                credentials: @credentials,
-                dummy_ok: true,
-                debug: debug
-              )
-              @vpc = vpcs.first if !vpcs.nil? and vpcs.size > 0
-            end
-            if @vpc and @vpc.config and @vpc.config['bastion'] and
-               @vpc.config['bastion'].to_h['name'] != @config['name']
-              refhash = @vpc.config['bastion'].to_h
-              refhash['deploy_id'] ||= @vpc.deploy.deploy_id
-              natref = MU::Config::Ref.get(refhash)
-              if natref and natref.kitten(@vpc.deploy)
-                @nat = natref.kitten(@vpc.deploy)
-              end
-            end
-            if @nat.nil? and !@vpc.nil? and (
-              @config['vpc'].has_key?("nat_host_id") or
-              @config['vpc'].has_key?("nat_host_tag") or
-              @config['vpc'].has_key?("nat_host_ip") or
-              @config['vpc'].has_key?("nat_host_name")
-            )
-              nat_tag_key, nat_tag_value = @config['vpc']['nat_host_tag'].split(/=/, 2) if !@config['vpc']['nat_host_tag'].nil?
-              @nat = @vpc.findBastion(
-                nat_name: @config['vpc']['nat_host_name'],
-                nat_cloud_id: @config['vpc']['nat_host_id'],
-                nat_tag_key: nat_tag_key,
-                nat_tag_value: nat_tag_value,
-                nat_ip: @config['vpc']['nat_host_ip']
-              )
-              if @nat.nil?
-                if !@vpc.cloud_desc.nil?
-                  @nat = @vpc.findNat(
-                    nat_cloud_id: @config['vpc']['nat_host_id'],
-                    nat_filter_key: "vpc-id",
-                    region: @config['vpc']["region"],
-                    nat_filter_value: @vpc.cloud_id,
-                    credentials: @config['credentials']
-                  )
-                else
-                  @nat = @vpc.findNat(
-                    nat_cloud_id: @config['vpc']['nat_host_id'],
-                    region: @config['vpc']["region"],
-                    credentials: @config['credentials']
-                  )
-                end
-              end
-            end
-            if @vpc.nil? and @config['vpc']
-              feck = MU::Config::Ref.get(@config['vpc'])
-              feck.kitten(@deploy, debug: true)
-              pp feck
-              raise MuError.new "#{self.class.cfg_name} #{@config['name']} failed to locate its VPC", details: @config['vpc']
-            end
+            @vpc, @nat = myVpc(@config['vpc'], loglevel: loglevel, debug: debug)
           elsif self.class.cfg_name == "vpc"
             @vpc = self
           end
-          # Google accounts usually have a useful default VPC we can use
-          if @vpc.nil? and @project_id and @cloud == "Google" and
-             self.class.can_live_in_vpc
-            MU.log "Seeing about default VPC for #{self}", MU::NOTICE
-            vpcs = MU::MommaCat.findStray(
-              "Google",
-              "vpc",
-              cloud_id: "default",
-              habitats: [@project_id],
-              credentials: @credentials,
-              dummy_ok: true,
-              debug: debug
-            )
-            @vpc = vpcs.first if !vpcs.nil? and vpcs.size > 0
-          end
           # Special dependencies: LoadBalancers I've asked to attach to an
           # instance.
           if @config.has_key?("loadbalancers")
@@ -738,7 +585,7 @@ module MU
                 MU.log "Couldn't find existing resource #{ext_deploy["cloud_id"]}, #{ext_deploy["cloud_type"]}", MU::ERR if found.nil?
                 @deploy.notify(ext_deploy["cloud_type"], found.config["name"], found.deploydata, mu_name: found.mu_name, triggering_node: @mu_name)
               elsif ext_deploy["mu_name"] && ext_deploy["deploy_id"]
-                MU.log "#{self}: Importing metadata for #{ext_deploy["cloud_type"]} #{ext_deploy["mu_name"]} from #{ext_deploy["deploy_id"]}"
+                MU.log "#{self}: Importing metadata for #{ext_deploy["cloud_type"]} #{ext_deploy["mu_name"]} from #{ext_deploy["deploy_id"]}", MU::DEBUG
                 found = MU::MommaCat.findStray(
                   @config['cloud'],
                   ext_deploy["cloud_type"],
@@ -751,7 +598,7 @@ module MU
                 if found.nil?
                   MU.log "Couldn't find existing resource #{ext_deploy["mu_name"]}/#{ext_deploy["deploy_id"]}, #{ext_deploy["cloud_type"]}", MU::ERR
                 else
-                  @deploy.notify(ext_deploy["cloud_type"], found.config["name"], found.deploydata, mu_name: ext_deploy["mu_name"], triggering_node: @mu_name)
+                  @deploy.notify(ext_deploy["cloud_type"], found.config["name"], found.deploydata, mu_name: ext_deploy["mu_name"], triggering_node: @mu_name, no_write: true)
                 end
               else
                 MU.log "Trying to find existing deploy, but either the cloud_id is not valid or no mu_name and deploy_id where provided", MU::ERR
@@ -774,33 +621,209 @@ module MU
           return [@dependencies, @vpc, @loadbalancers]
         end
+        # Resolve a VPC block to an actual resource
+        def myVpc(vpc_block = @config['vpc'], loglevel: MU::DEBUG, debug: false)
+          vpc_obj = nat_obj = nil
+          vpc_block['credentials'] ||= @credentials
+          vpc_block["id"] ||= vpc_block["vpc_id"] # old deploys
+          vpc_block["name"] ||= vpc_block["vpc_name"] # old deploys
+          if vpc_block['habitat']
+            vpc_block['habitat'] = MU::Config::Ref.get(vpc_block['habitat'])
+          end
+          habitats_arg = if vpc_block['habitat']
+            [vpc_block['habitat'].id]
+          else
+            [@project_id]
+          end
+          # If something hash-ified a MU::Config::Ref here, fix it
+          if !vpc_block["id"].nil? and vpc_block["id"].is_a?(Hash)
+            vpc_block["id"] = MU::Config::Ref.new(vpc_block["id"])
+          end
+          if !vpc_block["id"].nil?
+            if vpc_block["id"].is_a?(MU::Config::Ref) and !vpc_block["id"].kitten.nil?
+              vpc_obj = vpc_block["id"].kitten(@deploy)
+            else
+              vpc_ref = MU::Config::Ref.get(vpc_block)
+              vpc_obj = vpc_ref.kitten(@deploy)
+            end
+          elsif !vpc_block["name"].nil? and @deploy
+            MU.log "Attempting findLitterMate on VPC for #{self}", loglevel, details: vpc_block
+            sib_by_name = @deploy.findLitterMate(name: vpc_block['name'], type: "vpcs", return_all: true, habitat: vpc_block['project'], debug: debug)
+            if sib_by_name.is_a?(Hash)
+              if sib_by_name.size == 1
+                vpc_obj = sib_by_name.values.first
+                MU.log "Single VPC match for #{self}", loglevel, details: vpc_obj.to_s
+              else
+# XXX ok but this is the wrong place for this really the config parser needs to sort this out somehow
+                # we got multiple matches, try to pick one by preferred subnet
+                # behavior
+                MU.log "Sorting a bunch of VPC matches for #{self}", loglevel, details: sib_by_name.map { |s| s.to_s }.join(", ")
+                sib_by_name.values.each { |sibling|
+                  all_private = sibling.subnets.map { |s| s.private? }.all?(true)
+                  all_public = sibling.subnets.map { |s| s.private? }.all?(false)
+                  names = sibling.subnets.map { |s| s.name }
+                  ids = sibling.subnets.map { |s| s.cloud_id }
+                  if all_private and ["private", "all_private"].include?(vpc_block['subnet_pref'])
+                    vpc_obj = sibling
+                    break
+                  elsif all_public and ["public", "all_public"].include?(vpc_block['subnet_pref'])
+                    vpc_obj = sibling
+                    break
+                  elsif vpc_block['subnet_name'] and
+                        names.include?(vpc_block['subnet_name'])
+#puts "CHOOSING #{vpc_obj.to_s} 'cause it has #{vpc_block['subnet_name']}"
+                    vpc_obj = sibling
+                    break
+                  elsif vpc_block['subnet_id'] and
+                        ids.include?(vpc_block['subnet_id'])
+                    vpc_obj = sibling
+                    break
+                  end
+                }
+                if !vpc_obj
+                  sibling = sib_by_name.values.sample
+                  MU.log "Got multiple matching VPCs for #{self.class.cfg_name} #{@mu_name}, so I'm arbitrarily choosing #{sibling.mu_name}", MU::WARN, details: vpc_block
+                  vpc_obj = sibling
+                end
+              end
+            else
+              vpc_obj = sib_by_name
+              MU.log "Found exact VPC match for #{self}", loglevel, details: sib_by_name.to_s
+            end
+          else
+            MU.log "No shortcuts available to fetch VPC for #{self}", loglevel, details: vpc_block
+          end
+          if !vpc_obj and !vpc_block["name"].nil? and
+              @dependencies.has_key?("vpc") and
+              @dependencies["vpc"].has_key?(vpc_block["name"])
+            MU.log "Grabbing VPC I see in @dependencies['vpc']['#{vpc_block["name"]}'] for #{self}", loglevel, details: vpc_block
+            vpc_obj = @dependencies["vpc"][vpc_block["name"]]
+          elsif !vpc_obj
+            tag_key, tag_value = vpc_block['tag'].split(/=/, 2) if !vpc_block['tag'].nil?
+            if !vpc_block.has_key?("id") and
+                !vpc_block.has_key?("deploy_id") and !@deploy.nil?
+              vpc_block["deploy_id"] = @deploy.deploy_id
+            end
+            MU.log "Doing findStray for VPC for #{self}", loglevel, details: vpc_block
+            vpcs = MU::MommaCat.findStray(
+              @config['cloud'],
+              "vpc",
+              deploy_id: vpc_block["deploy_id"],
+              cloud_id: vpc_block["id"],
+              name: vpc_block["name"],
+              tag_key: tag_key,
+              tag_value: tag_value,
+              habitats: habitats_arg,
+              region: vpc_block["region"],
+              calling_deploy: @deploy,
+              credentials: vpc_block["credentials"],
+              dummy_ok: true,
+              debug: debug
+            )
+            vpc_obj = vpcs.first if !vpcs.nil? and vpcs.size > 0
+          end
+          if vpc_obj and vpc_obj.config and vpc_obj.config['bastion'] and
+             vpc_obj.config['bastion'].to_h['name'] != @config['name']
+            refhash = vpc_obj.config['bastion'].to_h
+            refhash['deploy_id'] ||= vpc_obj.deploy.deploy_id
+            natref = MU::Config::Ref.get(refhash)
+            if natref and natref.kitten(vpc_obj.deploy)
+              nat_obj = natref.kitten(vpc_obj.deploy)
+            end
+          end
+          if nat_obj.nil? and !vpc_obj.nil? and (
+            vpc_block.has_key?("nat_host_id") or
+            vpc_block.has_key?("nat_host_tag") or
+            vpc_block.has_key?("nat_host_ip") or
+            vpc_block.has_key?("nat_host_name")
+          )
+            nat_tag_key, nat_tag_value = vpc_block['nat_host_tag'].split(/=/, 2) if !vpc_block['nat_host_tag'].nil?
+            nat_obj = vpc_obj.findBastion(
+              nat_name: vpc_block['nat_host_name'],
+              nat_cloud_id: vpc_block['nat_host_id'],
+              nat_tag_key: nat_tag_key,
+              nat_tag_value: nat_tag_value,
+              nat_ip: vpc_block['nat_host_ip']
+            )
+            if naa_obj.nil?
+              if !vpc_obj.cloud_desc.nil?
+                nat_obj = vpc_obj.findNat(
+                  nat_cloud_id: vpc_block['nat_host_id'],
+                  nat_filter_key: "vpc-id",
+                  region: vpc_block["region"],
+                  nat_filter_value: vpc_obj.cloud_id,
+                  credentials: vpc_block['credentials']
+                )
+              else
+                nat_obj = vpc_obj.findNat(
+                  nat_cloud_id: vpc_block['nat_host_id'],
+                  region: vpc_block["region"],
+                  credentials: vpc_block['credentials']
+                )
+              end
+            end
+          end
+          if vpc_obj.nil? and vpc_block
+            feck = MU::Config::Ref.get(vpc_block)
+            feck.kitten(@deploy, debug: true)
+            pp feck
+            raise MuError.new "#{self.class.cfg_name} #{@config['name']} failed to locate its VPC", details: vpc_block
+          end
+          # Google accounts usually have a useful default VPC we can use
+          if vpc_obj.nil? and @project_id and @cloud == "Google" and
+             self.class.can_live_in_vpc
+            MU.log "Seeing about default VPC for #{self}", MU::NOTICE
+            vpcs = MU::MommaCat.findStray(
+              "Google",
+              "vpc",
+              cloud_id: "default",
+              habitats: [@project_id],
+              credentials: vpc_block['credentials'],
+              dummy_ok: true,
+              debug: debug
+            )
+            vpc_obj = vpcs.first if !vpcs.nil? and vpcs.size > 0
+          end
+          [vpc_obj, nat_obj]
+        end
         # Using the automatically-defined +@vpc+ from {dependencies} in
         # conjunction with our config, return our configured subnets.
         # @return [Array<MU::Cloud::VPC::Subnet>]
-        def mySubnets
+        def mySubnets(vpc = @vpc, vpc_block = @config["vpc"])
           dependencies
-          if !@vpc or !@config["vpc"]
+          vpc ||= @vpc # in case dependencies worked it out for us
+          if !vpc or !vpc_block
             return nil
           end
-          if @config["vpc"]["subnet_id"] or @config["vpc"]["subnet_name"]
-            @config["vpc"]["subnets"] ||= []
+          if vpc_block["subnet_id"] or vpc_block["subnet_name"]
+            vpc_block["subnets"] ||= []
             subnet_block = {}
-            subnet_block["subnet_id"] = @config["vpc"]["subnet_id"] if @config["vpc"]["subnet_id"]
-            subnet_block["subnet_name"] = @config["vpc"]["subnet_name"] if @config["vpc"]["subnet_name"]
-            @config["vpc"]["subnets"] << subnet_block
-            @config["vpc"]["subnets"].uniq!
+            subnet_block["subnet_id"] = vpc_block["subnet_id"] if vpc_block["subnet_id"]
+            subnet_block["subnet_name"] = vpc_block["subnet_name"] if vpc_block["subnet_name"]
+            vpc_block["subnets"] << subnet_block
+            vpc_block["subnets"].uniq!
           end
-          if (!@config["vpc"]["subnets"] or @config["vpc"]["subnets"].empty?) and
-             !@config["vpc"]["subnet_id"]
-            return @vpc.subnets
+          if (!vpc_block["subnets"] or vpc_block["subnets"].empty?) and
+             !vpc_block["subnet_id"]
+            return vpc.subnets
           end
           subnets = []
-          @config["vpc"]["subnets"].each { |subnet|
-            subnet_obj = @vpc.getSubnet(cloud_id: subnet["subnet_id"].to_s, name: subnet["subnet_name"].to_s)
-            raise MuError.new "Couldn't find a live subnet for #{self} matching #{subnet} in #{@vpc}", details: @vpc.subnets.map { |s| s.name }.join(",") if subnet_obj.nil?
+          vpc_block["subnets"].each { |subnet|
+            subnet_obj = vpc.getSubnet(cloud_id: subnet["subnet_id"].to_s, name: subnet["subnet_name"].to_s)
+            raise MuError.new "Couldn't find a live subnet for #{self} matching #{subnet} in #{vpc}", details: vpc.subnets.map { |s| s.name }.join(",") if subnet_obj.nil?
             subnets << subnet_obj
           }
@@ -872,15 +895,23 @@ module MU
             @cloudobj.describe if method != :describe
             # Don't run through dependencies on simple attr_reader lookups
-            if ![:dependencies, :cloud_id, :config, :mu_name].include?(method)
+            if ![:dependencies, :cloud_id, :config, :mu_name, :active?].include?(method)
               @cloudobj.dependencies
             end
             retval = nil
-            if !args.nil? and args.size == 1
-              retval = @cloudobj.method(method).call(args.first)
-            elsif !args.nil? and args.size > 0
-              retval = @cloudobj.method(method).call(*args)
+            if !args.nil?
+              if args.is_a?(Hash)
+                retval = @cloudobj.method(method).call(**args)
+              elsif args.is_a?(Array)
+                if args.size == 1 and args.first.is_a?(Hash)
+                  retval = @cloudobj.method(method).call(**args.first)
+                else
+                  retval = @cloudobj.method(method).call(*args)
+                end
+              else
+                retval = @cloudobj.method(method).call(args)
+              end
             else
               retval = @cloudobj.method(method).call
             end

data/modules/mu/cloud/server_pool.rb CHANGED Viewed

	@@ -1 +1 @@
1	- ~~modules/mu/cloud/~~server.rb
1	+ server.rb

data/modules/mu/cloud/ssh_sessions.rb CHANGED Viewed

@@ -51,7 +51,7 @@ module MU
           win_set_pw = nil
           if windows? and !@config['use_cloud_provider_windows_password']
-            # This covers both the case where we have a windows password passed from a vault and where we need to use a a random Windows Admin password generated by MU::Cloud::Server.generateWindowsPassword
+            # This covers both the case where we have a windows password passed from a vault and where we need to use a a random Windows Admin password generated by MU::Cloud::Server.generatePassword
             pw = @groomer.getSecret(
               vault: @config['mu_name'],
               item: "windows_credentials",
@@ -156,9 +156,10 @@ module MU
                   :config => false,
                   :keys_only => true,
                   :keys => [ssh_keydir+"/"+nat_ssh_key, ssh_keydir+"/"+@deploy.ssh_key_name],
-                  :verify_host_key => false,
+                  :verify_host_key => :never, # grr
                   #           :verbose => :info,
-                  :host_key => "ssh-rsa",
+#                  :host_key => "ssh-rsa",
+                  :host_key => "ecdsa-sha2-nistp256",
                   :port => 22,
                   :auth_methods => ['publickey'],
                   :proxy => proxy
@@ -172,9 +173,10 @@ module MU
                   :config => false,
                   :keys_only => true,
                   :keys => [ssh_keydir+"/"+@deploy.ssh_key_name],
-                  :verify_host_key => false,
+                  :verify_host_key => :never, # grr
                   #           :verbose => :info,
-                  :host_key => "ssh-rsa",
+#                  :host_key => "ssh-rsa",
+                  :host_key => "ecdsa-sha2-nistp256",
                   :port => 22,
                   :auth_methods => ['publickey']
               )

data/modules/mu/cloud/wrappers.rb CHANGED Viewed

@@ -111,7 +111,7 @@ module MU
               credsets.each { |creds|
                 args[:credentials] = creds
-                found = cloudclass.find(args)
+                found = cloudclass.find(**args)
                 if !found.nil?
                   if found.is_a?(Hash)
                     allfound.merge!(found)
@@ -150,7 +150,7 @@ module MU
               raise MuCloudResourceNotImplemented if !cloudclass.respond_to?(:cleanup) or cloudclass.method(:cleanup).owner.to_s != "#<Class:#{cloudclass}>"
               MU.log "Invoking #{cloudclass}.cleanup from #{shortname}", MU::DEBUG, details: flags
-              cloudclass.cleanup(params)
+              cloudclass.cleanup(**params)
             rescue MuCloudResourceNotImplemented
               MU.log "No #{cloud} implementation of #{shortname}.cleanup, skipping", MU::DEBUG, details: flags
             rescue StandardError => e

data/modules/mu/cloud.rb CHANGED Viewed

@@ -246,7 +246,7 @@ module MU
         :deps_wait_on_my_creation => true,
         :waits_on_parent_completion => false,
         :class => @@generic_class_methods,
-        :instance => @@generic_instance_methods + [:groom, :registerNode]
+        :instance => @@generic_instance_methods + [:groom, :registerTarget]
       },
       :Server => {
         :has_multiples => true,

data/modules/mu/config/bucket.rb CHANGED Viewed

@@ -85,7 +85,7 @@ module MU
         if bucket['upload']
           bucket['upload'].each { |batch|
-            if !File.exists?(batch['source'])
+            if !File.exist?(batch['source'])
               MU.log "Bucket '#{bucket['name']}' specifies upload for file/directory that does not exist", MU::ERR, details: batch
               ok = false
               next

data/modules/mu/config/function.rb CHANGED Viewed

@@ -38,6 +38,11 @@ module MU
               "description" => "Triggers which will cause this function to be invoked."
             }
           },
+          "loadbalancers" => {
+            "type" => "array",
+            "minItems" => 1,
+            "items" => MU::Config::LoadBalancer.reference
+          },
           "handler" => {
             "type" => "string",
             "description" => "The function within your code that is should be called to begin execution. For Node.js, it is the module-name.export value in your function. For Java, it can be package.class-name::handler or package.class-name. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/java-programming-model-handler-types.html"
@@ -114,7 +119,7 @@ module MU
         if function['code']
           ['zip_file', 'path'].each { |src|
             if function['code'][src]
-              if !File.readable?(function['code'][src]) and !Dir.exists?(function['code'][src])
+              if !File.readable?(function['code'][src]) and !Dir.exist?(function['code'][src])
                 MU.log "Function '#{function['name']}' specifies a deployment package that I can't read at #{function['code'][src]}", MU::ERR
                 ok = false
               else

data/modules/mu/config/loadbalancer.rb CHANGED Viewed

@@ -443,13 +443,14 @@ module MU
             l["targetgroup"] = tgname
             tg = {
               "name" => tgname,
-              "proto" => l["instance_protocol"],
-              "port" => l["instance_port"]
+              "proto" => l["instance_protocol"] || l["lb_protocol"],
+              "port" => l["instance_port"] || l["lb_port"]
             }
             if l["redirect"]
               tg["proto"] ||= l["redirect"]["protocol"]
               tg["port"] ||= l["redirect"]["port"]
             end
+            tg["vpc"] = l["vpc"] if l["vpc"]
             l['healthcheck'] ||= lb['healthcheck'] if lb['healthcheck']
             if l["healthcheck"]
               hc_target = l['healthcheck']['target'].match(/^([^:]+):(\d+)(.*)/)
@@ -461,6 +462,18 @@ module MU
             end
             lb["targetgroups"] << tg
           }
+        elsif lb['listeners'].nil?
+          # well ok, manufacture listeners out of targetgroups then?
+          lb['listeners'] ||= []
+          lb["targetgroups"].each { |tg|
+            listener = {
+              "targetgroup" => tg['name'],
+              "lb_protocol" => tg["proto"],
+              "lb_port" => tg["port"]
+            }
+            listener["vpc"] = tg["vpc"] if tg["vpc"]
+            lb['listeners'] << listener
+          }
         else
           lb['listeners'].each { |l|
             found = false
@@ -477,6 +490,15 @@ module MU
           }
         end
+        lb['targetgroups'].each { |tg|
+          if tg['target']
+            tg['target']['cloud'] ||= lb['cloud']
+            if tg['target']['name']
+              MU::Config.addDependency(lb, tg['target']['name'], tg['target']['type'], their_phase: "create", my_phase: "groom")
+            end
+          end
+        }
         lb['listeners'].each { |l|
           if !l['rules'].nil? and l['rules'].size > 0
             l['rules'].each { |r|

data/modules/mu/config/ref.rb CHANGED Viewed

@@ -80,6 +80,11 @@ module MU
             end
           }
+          if MU.mommacat
+            @mommacat ||= MU.mommacat
+            @deploy_id ||= MU.mommacat.deploy_id
+          end
         }
         # if we get here, there was no match
@@ -291,6 +296,7 @@ module MU
         return nil if !cloud or !@type
         _shortclass, _cfg_name, cfg_plural, _classname, _attrs = MU::Cloud.getResourceNames(@type, false)
         if cfg_plural
           @type = cfg_plural # make sure this is the thing we expect
         else
@@ -299,6 +305,12 @@ module MU
         loglevel = debug ? MU::NOTICE : MU::DEBUG
+        if @name and !@id and !mommacat and !@deploy_id and MU.mommacat
+          MU.log "Checking active deploy for #{@type} #{@name} first", loglevel
+          resp = kitten(MU.mommacat, shallow: shallow, debug: debug, cloud: cloud)
+          return resp if resp
+        end
         if debug
           MU.log "this mf kitten", MU::WARN, details: caller
         end

data/modules/mu/config/role.rb CHANGED Viewed

@@ -28,7 +28,7 @@ module MU
             "name" => {
               "type" => "string",
               "description" => "The name of a cloud provider role to create",
-              "pattern" => '^[a-zA-Z0-9_\-]+$'
+              "pattern" => '^[a-zA-Z0-9_\-\.]+$'
             },
             "import" => {
               "type" => "array",