cloud-mu 3.6.10 → 3.6.11

data/modules/mu/master/ldap.rb

@@ -100,7 +100,7 @@ module MU
           raise MuLDAPError, "When supply credentials to getLDAPConnection, both username and password must be specified"
         end
         if !username and !password
-          bind_creds = MU::Groomer::Chef.getSecret(vault: $MU_CFG["ldap"]["bind_creds"]["vault"], item: $MU_CFG["ldap"]["bind_creds"]["item"])
+          bind_creds = MU::Groomer::Chef.getSecret(vault: $MU_CFG["ldap"]["bind_creds"]["vault"], item: "cfg_directory_adm")#$MU_CFG["ldap"]["bind_creds"]["item"])
           username = bind_creds[$MU_CFG["ldap"]["bind_creds"]["username_field"]]
           password = bind_creds[$MU_CFG["ldap"]["bind_creds"]["password_field"]]
         end
@@ -210,6 +210,7 @@ module MU
           :gidNumber => gid,
           :objectclass => ["top", "posixGroup"]
         }
+
         if !@ldap_conn.add(
               :dn => dn,
               :attributes => attr
@@ -217,7 +218,7 @@ module MU
           MU.log "Error creating #{dn}: "+getLDAPErr, MU::ERR, details: attr
           return false
         elsif @ldap_conn.get_operation_result.code != 68
-          MU.log "Created group #{dn} with gid #{gid}", MU::NOTICE
+          MU.log "Created group #{dn} with gid #{gid} (#{@ldap_conn.get_operation_result.message})", MU::NOTICE
         end
         return gid
       end
@@ -235,7 +236,7 @@ module MU
           MU.log "Custom directory service configured, not initializing bundled schema", MU::NOTICE
           return
         end
-        root_creds = MU::Groomer::Chef.getSecret(vault: "mu_ldap", item: "root_dn_user")
+        root_creds = MU::Groomer::Chef.getSecret(vault: "mu_ldap", item: "cfg_directory_adm")
         @ldap_conn = Net::LDAP.new(
           :host => "127.0.0.1",
           :encryption => {
@@ -252,7 +253,7 @@ module MU
         )
 
         # Manufacture our OU tree and groups
-        [$MU_CFG["ldap"]["base_dn"],
+        [ $MU_CFG["ldap"]["base_dn"],
           "OU=Mu-System,#{$MU_CFG["ldap"]["base_dn"]}",
           $MU_CFG["ldap"]["user_ou"],
           $MU_CFG["ldap"]["group_ou"],
@@ -397,14 +398,14 @@ module MU
 
         @can_write = true
         if !conn.add(:dn => dn, :attributes => attr)
-          MU.log "Couldn't create write-test user #{dn}, operating in read-only LDAP mode (#{getLDAPErr})", MU::NOTICE, details: attr
+          MU.log "Couldn't create write-test user #{dn}, wll operate in read-only LDAP mode (#{getLDAPErr})", MU::NOTICE, details: attr
           return false
         end
 
         # Make sure we can write various fields that we might need to touch
         [:displayName, :mail, :givenName, :sn].each { |field|
           if !conn.replace_attribute(dn, field, "foo@bar.com")
-            MU.log "Couldn't modify write-test user #{dn} field #{field.to_s}, operating in read-only LDAP mode (#{getLDAPErr})", MU::NOTICE
+            MU.log "Couldn't modify write-test user #{dn} field #{field.to_s}, will operate in read-only LDAP mode (#{getLDAPErr})", MU::NOTICE
             @can_write = false
             
           end
@@ -431,11 +432,12 @@ module MU
       # @param search [Array<String>]: Strings to search for.
       # @param exact [Boolean]: Return only exact matches for whole fields.
       # @param searchbase [String]: The DN under which to search.
+      # @param whole_desc [Boolean]: Return whole descriptors instead of just the DNs
       # @return [Array<String>]
-      def self.findGroups(search = [], exact: false, searchbase: $MU_CFG['ldap']['base_dn'])
-        if search.nil? or search.size == 0
-          raise MuLDAPError, "Need something to search for in MU::Master::LDAP.findGroups"
-        end
+      def self.findGroups(search = [], exact: false, searchbase: "OU=Groups,"+$MU_CFG['ldap']['base_dn'], whole_desc: false)
+#        if search.nil? or search.size == 0
+#          raise MuLDAPError, "Need something to search for in MU::Master::LDAP.findGroups"
+#        end
         conn = getLDAPConnection
         filter = nil
         search.each { |term|
@@ -450,14 +452,19 @@ module MU
             filter = filter | curfilter
           end
         }
-        filter = Net::LDAP::Filter.ne("objectclass", "computer") & (filter)
+        filter = if filter
+          Net::LDAP::Filter.ne("objectclass", "computer") & (filter)
+        else
+          Net::LDAP::Filter.ne("objectclass", "computer")
+        end
         groups = []
         conn.search(
           :filter => filter,
           :base => searchbase,
-          :attributes => ["objectclass"]
+          :attributes => ["objectclass"] + (whole_desc ? ["description", @gidnum_attr, @member_attr] : [])
         ) do |group|
-          groups << group.dn
+          next if group.dn == searchbase
+          groups << (whole_desc ? group : group.dn)
         end
         groups
       end
@@ -671,7 +678,7 @@ module MU
               username_filter = Net::LDAP::Filter.eq("cn", cn)
             end
             user_filter = Net::LDAP::Filter.ne("objectclass", "computer") & Net::LDAP::Filter.ne("objectclass", "group")
-            fetchattrs = ["cn", @uid_attr, "displayName", "mail"]
+            fetchattrs = ["cn", @uid_attr, "displayName", "mail", "departmentNumber"]
             fetchattrs << "employeeNumber" if $MU_CFG["ldap"]["type"] == "389 Directory Services"
             conn.search(
               :filter => username_filter & user_filter,
@@ -695,6 +702,9 @@ module MU
               begin
                 users[acct[@uid_attr].first]['uid'] = acct.employeenumber.first
               end rescue NoMethodError
+              begin
+                users[acct[@uid_attr].first]['gid'] = acct.departmentNumber.first
+              end rescue NoMethodError
             end
           }
         }
@@ -898,22 +908,25 @@ module MU
               manageGroup(group, add_users: [user])
             }
 
-            wait = 10
-            begin
-              %x{/usr/bin/getent passwd ; /usr/bin/getent group} # winbind is slow sometimes
-              Etc.getpwnam(user)
-            rescue ArgumentError
-              if wait >= 30
-                MU.log "User #{user} has been created in LDAP, but local system can't see it. Are PAM/LDAP configured correctly?", MU::ERR
-                return false
-              end
-              MU.log "User #{user} has been created in LDAP, but not yet visible to local system, waiting #{wait}s and checking again.", MU::WARN
-              sleep wait
-              wait = wait + 5
-              retry
-            end if user != "mu"
+# XXX SSSD is completely broken on Amazon 2023 for now. None of the below works.
+# We're currently relying on MU::Master.manageUser to set up a unix-side
+# user, old-school /etc/passwd style, in parallel to these LDAP entries.
+#            wait = 10
+#            begin
+#              %x{/usr/bin/getent passwd ; /usr/bin/getent group} # winbind is slow sometimes
+#              Etc.getpwnam(user)
+#            rescue ArgumentError
+#              if wait >= 30
+#                MU.log "User #{user} has been created in LDAP, but local system can't see it. Are PAM/LDAP configured correctly?", MU::ERR
+#                return false
+#              end
+#              MU.log "User #{user} has been created in LDAP, but not yet visible to local system, waiting #{wait}s and checking again.", MU::WARN
+#              sleep wait
+#              wait = wait + 5
+#              retry
+#            end if user != "mu"
             %x{/sbin/restorecon -r /home} # SELinux stupidity that oddjob misses
-            MU::Master.setLocalDataPerms(user) if Etc.getpwuid(Process.uid).name == "root" and mu_acct
+#            MU::Master.setLocalDataPerms(user) if Etc.getpwuid(Process.uid).name == "root" and mu_acct
           else
             MU.log "We are in read-only LDAP mode. You must first create #{user} in your directory and add it to #{$MU_CFG["ldap"]["user_group_dn"]}. If the user is intended to be an admin, also add it to #{$MU_CFG["ldap"]["admin_group_dn"]}.", MU::WARN
             return true
@@ -985,9 +998,13 @@ module MU
 
         cur_users = listUsers
         if cur_users.has_key?(user)
+          stubdir = File.join($MU_CFG['datadir'], "users", user)
+          if !Dir.exist?(stubdir)
+            Dir.mkdir(stubdir)
+          end
           ["realname", "email", "monitoring_email"].each { |field|
             next if !cur_users[user].has_key?(field)
-            File.open($MU_CFG['datadir']+"/users/#{user}/#{field}", File::CREAT|File::RDWR, 0640) { |f|
+            File.open("#{stubdir}/#{field}", File::CREAT|File::RDWR, 0640) { |f|
               f.puts cur_users[user][field]
             }
           }
@@ -995,7 +1012,7 @@ module MU
           MU.log "Load of current user list didn't include #{user}, even though we just created them!", MU::WARN
         end
 
-        MU::Master.setLocalDataPerms(user) if Etc.getpwuid(Process.uid).name == "root" and mu_acct
+#        MU::Master.setLocalDataPerms(user) if Etc.getpwuid(Process.uid).name == "root" and mu_acct
         ok
       end
 

data/modules/mu/master.rb

@@ -72,6 +72,46 @@ module MU
       end
     end
 
+    # Ensure that the existing list of LDAP groups has counterparts in
+    # /etc/group, and that all LDAP members also exist there.
+    # @return [Hash<String>]: A mapping of group names to gids
+    def self.syncGroups
+      groups = MU::Master::LDAP.findGroups(whole_desc: true)
+      ldapusers = MU::Master::LDAP.listUsers
+      groups.each { |g|
+        group_name = g.dn.split(/,/)[0].sub(/^cn=/i, '')
+        attempts = 0
+        group = begin
+          Etc.getgrnam(group_name)
+        rescue ArgumentError => e
+          MU.log "Creating unix group #{group_name} with gid #{g.gidnumber.first}", MU::NOTICE
+          attempts += 1
+          puts %x{/usr/sbin/groupadd --gid #{g.gidnumber.first} #{group_name}}
+          if attempts < 3
+            retry
+          else
+            raise MuError, "Failed to create group #{group_name}"
+          end
+        end
+        if group.gid != g.gidnumber.first.to_i
+          raise MuError, "GID #{group.gid.to_s} for group #{group_name} doesn't agree with LDAP, which says #{g.gidnumber.first}"
+        end
+
+        g.memberuid.each { |user|
+          begin
+            Etc.getpwnam(user)
+          rescue ArgumentError
+            next
+          end
+
+          if ldapusers[user] and !group.mem.include?(user)
+            MU.log "Adding #{user} to group #{group_name}", MU::NOTICE
+            puts %x{/usr/sbin/groupmod --append #{group_name} --users #{user}}
+          end
+        }
+      }
+    end
+
     # Create and/or update a user as appropriate (Chef, LDAP, et al).
     # @param username [String]: The canonical username to modify.
     # @param chef_username [String]: The Chef username, if different
@@ -99,12 +139,39 @@ module MU
         deleteUser(username) if create
         return false
       end
+      ldapusers = MU::Master::LDAP.listUsers
+      if !ldapusers[username]
+        MU.log "#{username} wasn't in LDAP after I added it, I don't know what to do", MU::ERR
+        deleteUser(username) if create
+        return false
+      end
+
+      # XXX the following insecure jank is a workaround for the fact that SSSD
+      # is flat broken on Amazon Linux 2023. We're managing unix passwd and
+      # group entries like cavemen.
+      ldap_desc = ldapusers[username]
+      begin
+        Etc.getpwnam(username)
+      rescue
+        syncGroups
+        MU.log "Creating unix user #{username}", MU::NOTICE, ldap_desc
+        # XXX plain-text password visible in ps! horrible!
+        puts %x{/usr/sbin/adduser "#{username}" --uid #{ldap_desc['uid']} --gid #{ldap_desc['gid']} --no-user-group --comment '#{ldap_desc['realname']},#{ldap_desc['email']},,,' --password '#{password}'}
+      end
+      syncGroups
       %x{sh -x /etc/init.d/oddjobd start 2>&1 > /dev/null} # oddjobd dies, like a lot
       begin
         Etc.getpwnam(username)
+        if password # setting a new password for an existing user
+          MU.log "Updating unix password for #{username}", MU::NOTICE
+          # XXX plain-text password visible in ps! horrible!
+          %x{echo '#{username}:#{password}' | /usr/sbin/chpasswd}
+        end
       rescue ArgumentError
         return false
       end
+      
+
       chef_username ||= username.dup
       %x{/bin/su - #{username} -c "ls > /dev/null"}
       if !MU::Master::Chef.manageUser(chef_username, ldap_user: username, name: name, email: email, admin: admin, orgs: orgs, remove_orgs: remove_orgs) and create
@@ -157,6 +224,8 @@ module MU
       end
       MU::Master::Chef.deleteUser(user)
       MU::Master::LDAP.deleteUser(user)
+      puts %x{/usr/sbin/userdel "#{user}"}
+      puts %x{/usr/sbin/groupdel "#{user}.mu-user"}
       FileUtils.rm_rf(deletia)
     end
 

data/modules/mu/mu.yaml.rb

@@ -0,0 +1,351 @@
+# Configuration schema for mu.yaml. See also {https://github.com/cloudamatic/mu/wiki/Configuration the Mu wiki}.
+#
+# Example:
+#
+# <pre>
+#      ---    
+#      public_address: 1.2.3.4    
+#      mu_admin_email: egtlabs@eglobaltech.com    
+#      mu_admin_name: Joe Schmoe    
+#      mommacat_port: 2260    
+#      banner: My Example Mu Master    
+#      mu_repository: git://github.com/cloudamatic/mu.git    
+#      repos:    
+#      - https://github.com/cloudamatic/mu_demo_platform    
+#      allow_invade_foreign_vpcs: true    
+#      ansible_dir:    
+#      aws:    
+#        egtdev:    
+#          region: us-east-1    
+#          log_bucket_name: egt-mu-log-bucket    
+#          default: true    
+#          name: egtdev    
+#        personal:    
+#          region: us-east-2    
+#          log_bucket_name: my-mu-log-bucket    
+#          name: personal    
+#        google:    
+#          egtlabs:    
+#            project: egt-labs-admin    
+#            credentials_file: /opt/mu/etc/google.json    
+#            region: us-east4    
+#            log_bucket_name: hexabucket-761234    
+#            default: true    
+# </pre>
+module MuYAML
+	# The configuration file format for Mu's main config file.
+	# Adoption Change Notifications
+	class adopt_change_notify
+		# @!group Optional parameters
+		
+		# Report modifications to adopted resources, detected by mu-adopt --diff, to the Slack webhook and channel configured under Slack Configuration.
+		#
+		# @return [Boolean]
+		attr_accessor :slack
+		
+		# If a list of details about a modified resources is longer than this number of lines (in JSON), it will be sent as an "attachment," which in Slack means a blockquote that displays a few lines with a "Show more" button. The internal default is 5 lines.
+		#
+		# @return [String]
+		attr_accessor :slack_snippet_threshold
+		# @!endgroup
+	end
+	# Amazon Web Services
+	class aws
+		# @!group Required parameters
+		
+		# **REQUIRED** - 
+		# S3 bucket into which we'll synchronize deploy secrets, and if we're hosted in AWS, collected system logs
+		#
+		# @return [String]
+		attr_accessor :log_bucket_name
+		# @!endgroup
+		# @!group Optional parameters
+		
+		# **Must match pattern `(?i-mx:^[a-z0-9]+$)`** - 
+		# Credentials used for accessing the AWS API (looks like: AKIAINWLOOAA24PBRBZA)
+		#
+		# @return [String]
+		attr_accessor :access_key
+		
+		# Credentials used for accessing the AWS API (looks like: +Z16iRP9QAq7EcjHINyEMs3oR7A76QpfaSgCBogp).
+		#
+		# @return [String]
+		attr_accessor :access_secret
+		
+		# **Must match pattern `(?-mix:^\d+$)`** - 
+		# Default target account for resources managed using these credentials. This is an AWS account number, e.g. 918972669773. If not specified, we will use the account number which owns these API keys.
+		#
+		# @return [String]
+		attr_accessor :account_number
+		
+		# A secure Chef vault and item from which to retrieve an AWS access key and secret. The vault item should have 'access_key' and 'access_secret' elements.
+		#
+		# @return [String]
+		attr_accessor :credentials
+		
+		# An INI-formatted AWS credentials file, of the type used by the AWS command-line tools. This is less secure than using 'credentials' to store these in a Chef vault. See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
+		#
+		# @return [String]
+		attr_accessor :credentials_file
+		
+		# **Default: `false`** - 
+		# If set to true, Mu will default to these AWS credentials when targeting AWS resources
+		#
+		# @return [Boolean]
+		attr_accessor :default
+		
+		# Default Amazon Web Services region in which these credentials should operate
+		#
+		# @return [String]
+		attr_accessor :region
+		# @!endgroup
+	end
+	# Microsoft Azure Cloud Computing Platform & Services
+	class azure
+		# @!group Optional parameters
+		
+		# App client id used to authenticate to our subscription. From https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview
+		#
+		# @return [String]
+		attr_accessor :client_id
+		
+		# App client secret used to authenticate to our subscription. From https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview under the 'Certificates & secrets' tab, 'Client secrets.' This can only be retrieved upon initial secret creation.
+		#
+		# @return [String]
+		attr_accessor :client_secret
+		
+		# JSON file which contains a hash of directory_id, client_id, client_secret, and subscription values. If found, these will be override values entered directly in mu-configure.
+		#
+		# @return [String]
+		attr_accessor :credentials_file
+		
+		# **Default: `false`** - 
+		# If set to true, Mu will use this set of Azure credentials when targeting Azure without a specific account having been requested
+		#
+		# @return [Boolean]
+		attr_accessor :default
+		
+		# AKA Tenant ID; the default Microsoft Azure Directory project in which we operate and deploy, from https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview
+		#
+		# @return [String]
+		attr_accessor :directory_id
+		
+		# **Default: `eastus`** - 
+		# Default Microsoft Azure region in which we operate and deploy
+		#
+		# @return [String]
+		attr_accessor :region
+		
+		# Default Microsoft Azure Subscription we will use to deploy, from https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade
+		#
+		# @return [String]
+		attr_accessor :subscription
+		# @!endgroup
+	end
+	# Google Cloud Platform
+	class google
+		# @!group Required parameters
+		
+		# **REQUIRED** - 
+		# Cloud Storage bucket into which we'll synchronize deploy secrets, and if we're hosted in GCP, collected system logs
+		#
+		# @return [String]
+		attr_accessor :log_bucket_name
+		
+		# **REQUIRED** - 
+		# Default Google Cloud Platform project in which we operate and deploy. Generate a service account at: https://console.cloud.google.com/iam-admin/serviceaccounts/project, making sure the account has sufficient privileges to manage cloud resources. Download the private key as JSON, and import that key to the vault specified here. Import example: knife vault create secrets google -J my-google-service-account.json
+		#
+		# @return [String]
+		attr_accessor :project
+		# @!endgroup
+		# @!group Optional parameters
+		
+		# A secure Chef vault and item from which to retrieve the JSON-formatted Service Account credentials for our GCP account, in the format vault:itemname (e.g. 'secrets:google'). Generate a service account at: https://console.cloud.google.com/iam-admin/serviceaccounts/project, making sure the account has sufficient privileges to manage cloud resources. Download the private key as JSON, and import that key to the vault specified here. Import example: knife vault create secrets google -J my-google-service-account.json 
+		#
+		# @return [String]
+		attr_accessor :credentials
+		
+		# JSON-formatted Service Account credentials for our GCP account, b64-encoded and dropped directly into mu.yaml. Generate a service account at: https://console.cloud.google.com/iam-admin/serviceaccounts/project, making sure the account has sufficient privileges to manage cloud resources. Download the private key as JSON and point this argument to the file. This is less secure than using 'credentials' to store in a vault.
+		#
+		# @return [String]
+		attr_accessor :credentials_encoded
+		
+		# JSON-formatted Service Account credentials for our GCP account, stored in plain text in a file. Generate a service account at: https://console.cloud.google.com/iam-admin/serviceaccounts/project, making sure the account has sufficient privileges to manage cloud resources. Download the private key as JSON and point this argument to the file. This is less secure than using 'credentials' to store in a vault.
+		#
+		# @return [String]
+		attr_accessor :credentials_file
+		
+		# For Google Cloud projects which are attached to a GSuite domain. Some API calls (groups, users, etc) require this identifier. From admin.google.com, choose Security, the Single Sign On, and look for the Entity ID field. The value after idpid= in the URL there should be the customer ID.
+		#
+		# @return [String]
+		attr_accessor :customer_id
+		
+		# **Default: `false`** - 
+		# If set to true, Mu will use this set of GCP credentials when targeting the Google Cloud without a specific account having been requested
+		#
+		# @return [Boolean]
+		attr_accessor :default
+		
+		# Optional list of projects to ignore, for credentials which have visibility into multiple projects
+		#
+		# @return [Array<String>]
+		attr_accessor :ignore_habitats
+		
+		# For Google Cloud projects which are attached to a GSuite domain. GCP service accounts cannot view or manage GSuite resources (groups, users, etc) directly, but must instead masquerade as a GSuite user which has delegated authority to the service account. See also: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
+		#
+		# @return [String]
+		attr_accessor :masequerade_as
+		
+		# For credential sets which have access to multiple GSuite or Cloud Identity orgs, you must specify a default organization (e.g. my.domain.com).
+		#
+		# @return [String]
+		attr_accessor :org
+		
+		# **Default: `us-east4`** - 
+		# Default Google Cloud Platform region in which we operate and deploy
+		#
+		# @return [String]
+		attr_accessor :region
+		
+		# Optional list of projects to which we'll restrict all of our activities.
+		#
+		# @return [Array<String>]
+		attr_accessor :restrict_to_habitats
+		# @!endgroup
+	end
+	# Slack Configuration
+	class slack
+		# @!group Optional parameters
+		
+		# The channel name (without leading #) to which alerts should be sent.
+		#
+		# @return [String]
+		attr_accessor :channel
+		
+		# The hooks.slack.com URL for the webook to which we'll send deploy notifications
+		#
+		# @return [String]
+		attr_accessor :webhook
+		# @!endgroup
+	end
+	# @!group Required parameters
+	
+	# **REQUIRED**,
+	# **Must match pattern `(?i-mx:^[a-z0-9\-_]+$)`** - 
+	# The local system's value for HOSTNAME
+	#
+	# @return [String]
+	attr_accessor :hostname
+	
+	# **REQUIRED**,
+	# **Must match pattern `(?i-mx:\A([\w+\-].?)+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z)`** - 
+	# Administative contact email
+	#
+	# @return [String]
+	attr_accessor :mu_admin_email
+	
+	# **REQUIRED**,
+	# **Must match pattern `(?-mix:^(127\.0\.0\.1|localhost)$)`** - 
+	# IP address or hostname
+	#
+	# @return [String]
+	attr_accessor :public_address
+	# @!endgroup
+	# @!group Optional parameters
+	
+	# Adoption Change Notifications
+	#
+	# @return [adopt_change_notify]
+	# @see adopt_change_notify
+	attr_accessor :adopt_change_notify
+	
+	# **Default: `false`** - 
+	# Ordinarily, Mu will automatically name, tag and generate auxiliary resources in a standard Mu-ish fashion that allows for deployment of multiple clones of a given stack. Toggling this flag will change the default behavior of mu-adopt, when it creates stack descriptors from found resources, to enable or disable this behavior (see also mu-adopt's --scrub option).
+	#
+	# @return [Boolean]
+	attr_accessor :adopt_scrub_mu_isms
+	
+	# If set to true, Mu will be allowed to modify routing and peering behavior of VPCs which it did not create, but for which it has permissions.
+	#
+	# @return [Boolean]
+	attr_accessor :allow_invade_foreign_vpcs
+	
+	# Intended for use with minimal installs which use Ansible as a groomer and which do not store Ansible artifacts in a dedicated git repository. This allows simply pointing to a local directory.
+	#
+	# @return [String]
+	attr_accessor :ansible_dir
+	
+	# Amazon Web Services
+	#
+	# @return [aws]
+	# @see aws
+	attr_accessor :aws
+	
+	# Microsoft Azure Cloud Computing Platform & Services
+	#
+	# @return [azure]
+	# @see azure
+	attr_accessor :azure
+	
+	# Login banner, displayed in various locations
+	#
+	# @return [String]
+	attr_accessor :banner
+	
+	# **Default: `false`** - 
+	# Disable the Momma Cat grooming daemon. Nodes which require asynchronous Ansible/Chef bootstraps will not function. This option is only honored in gem-based installations.
+	#
+	# @return [Boolean]
+	attr_accessor :disable_mommacat
+	
+	# **Default: `false`** - 
+	# Disable Nagios monitoring
+	#
+	# @return [Boolean]
+	attr_accessor :disable_nagios
+	
+	# Google Cloud Platform
+	#
+	# @return [google]
+	# @see google
+	attr_accessor :google
+	
+	# Optional extra Chef roles or recipes to invoke when running chef-client on this Master (ex: recipe[mycookbook::mumaster])
+	#
+	# @return [Array<String>]
+	attr_accessor :master_runlist_extras
+	
+	# **Default: `2260`**,
+	# **Must match pattern `(?i-mx:^[0-9]+$)`** - 
+	# Listen port for the Momma Cat grooming daemon
+	#
+	# @return [String]
+	attr_accessor :mommacat_port
+	
+	# **Default: `Mu Administrator`** - 
+	# Administative contact's full name
+	#
+	# @return [String]
+	attr_accessor :mu_admin_name
+	
+	# **Default: `git://github.com/cloudamatic/mu.git`**,
+	# **Must match pattern `(?-mix:(((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?))?([\w\.@\:\/\-~]+)(\.git)?(\/)?)`** - 
+	# Source repository for Mu tools
+	#
+	# @return [String]
+	attr_accessor :mu_repository
+	
+	# **Default: `["https://github.com/cloudamatic/mu_demo_platform"]`**,
+	# **Must match pattern `(?-mix:(((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?))?([\w\.@\:\/\-~]+)(\.git)?(\/)?)`** - 
+	# Optional platform repositories, as a Git URL or Github repo name (ex: eGT-Labs/fema_platform.git)
+	#
+	# @return [Array<String>]
+	attr_accessor :repos
+	
+	# Slack Configuration
+	#
+	# @return [slack]
+	# @see slack
+	attr_accessor :slack
+	# @!endgroup
+end

data/modules/mu/providers/aws/firewall_rule.rb

@@ -757,6 +757,8 @@ MU.log ".update_security_group_rule_descriptions_ingress", MU::NOTICE, details:
         end
 
         def rules_match(rule_a, rule_b)
+          a_ranges = rule_a[:ip_ranges].to_a.map { |r| MU.structToHash(r) }.sort
+          b_ranges = rule_b[:ip_ranges].to_a.map { |r| MU.structToHash(r) }.sort
           (
            rule_a[:from_port] == rule_b[:from_port] and
            rule_a[:to_port] == rule_b[:to_port] and
@@ -768,7 +770,7 @@ MU.log ".update_security_group_rule_descriptions_ingress", MU::NOTICE, details:
             ) or
             (
              !rule_a[:ip_ranges].nil? and !rule_b[:ip_ranges].nil? and
-             rule_a[:ip_ranges].sort == rule_b[:ip_ranges].sort
+             a_ranges == b_ranges
             )
            ) and
            (