Releases: cloudamatic/mu
The Musical Six^H^H^H Seven
CentOS 6 no longer supported for Mu Master installations
Maintenance updates of CentOS 6 ceased November 30th, 2020. Update repositories and EPEL have been shut down. As such, this platform is effectively not installable.
CentOS 7 is now the preferred platform for Mu Master installations. Standard official machine images of CentOS 7 should work on all cloud providers.
Chef updates
Mu Masters now run Chef Server 14.0.65-1. This release appears to eliminate Chef's internal use of rabbitmq, which was the culprit in many stability issues. https://github.com/chef/chef-server/blob/master/CHANGELOG.md#14065-2020-10-26
The default Chef Client version is now 16.9.29. https://docs.chef.io/release_notes_client/
Master Master enhancements
New installations will now attempt to provision a separate /opt disk for Mu, Chef, Ruby, Python, and other assorted support packages. The install process now delays installation of alternative cloud provider SDKs until this disk is available, to relieve disk pressure on small machine images. This functionality is tested on AWS and GCP-hosted masters.
Apache 2.4 configuration for locally-generated documentation should be significantly more reliable.
NVME disks are now properly handled by mu_tools_disk, which will embed requested device names in disk metadata on creation and dynamically map between those and the real, kernel-generated device paths.
We now package our own Python 3.8.3, used by bundled SDKs for Azure, AWS, and Google. Available under /opt/pythons/Python-3.8.3.
Also shipping Git 2.30.0 in /opt/git/git-2.30.0, so that Bundler won't complain.
Packaged Ruby version is now 2.7.2, available in /opt/rubies/ruby-2.7.2.
The mu-tools cookbook now uses the AWS Ruby SDK v3 (from v2).
mu-configure should do a better job of detecting public IP addresses assigned by the cloud provider.
Google::Function
Regrooms will now update Cloud Functions with altered function code.
The code block now supports the path method, in addition to zip_file or gs_url.
Azure
Use KeyVault to store deploy secrets so that Windows instances can use them to configure WinRM in the future.
Improve detection of non-functional regions returned by the list_locations API call, and excise them from our own internal list.
Transient API errors should be less noisy.
Bugfixes
- Google::VPC: Covered all cases of intra-subnet naming for lookup
- AWS::VPC: properly initialize @region, @credentials, etc; tag EIPs used for NAT gateways so we can properly deallocate them later
- Use URI.open to quiet deprecation warnings
- AWS::Server: Guard some rare transient API responses
- mu-configure: Call gethostbyaddr correctly, which we apparently haven't been for a long time
- Each major provider seems to have an edge case where invalid beta regions can appear in API call results, while breaking others. There are now filters to catch many of these cases.
AWS SDK v3
AWS SDK now on version 3
In compliance with: https://aws.amazon.com/blogs/developer/deprecation-schedule-for-aws-sdk-for-ruby-v2/
Quality of Life Enhancements
- mu_tools_disk Chef resource can now map between requested device names and auto-assigned NVME devices
- AWS::Job: automatically inject triggers into sibling Lambda functions when applicable
- Enhancements around messaging and locking for deployment metadata
- Refresh base images for CentOS 6/7, RHEL7, and Windows
Many Microservices, Handle It
Adoption coverage
The AWS layer now supports adoption of endpoints (API Gateway), nosqldbs (DynamoDB), search_domains (ElasticSearch), notifiers (SNS).
mu-adopt now supports a --pattern flag which can be used to filter against a resource's resolved name, discarding any that do not match.
$ mu-adopt -t endpoints nosqldbs search_domains notifiers jobs cdns buckets functions
<...>
Sep 02 01:34:59 - mu-adopt - Writing to muservices.yaml
Sep 02 01:35:01 - mu-adopt - 7 notifiers
Sep 02 01:35:01 - mu-adopt - 57 functions
Sep 02 01:35:01 - mu-adopt - 4 endpoints
Sep 02 01:35:01 - mu-adopt - 2 search_domains
Sep 02 01:35:01 - mu-adopt - 5 nosqldbs
Sep 02 01:35:01 - mu-adopt - 9 jobs
Sep 02 01:35:01 - mu-adopt - 6 cdns
$ mu-adopt -t endpoints nosqldbs search_domains notifiers jobs cdns buckets functions --pattern 'myapp'
<...>
Sep 02 01:37:42 - mu-adopt - 2 notifiers
Sep 02 01:37:42 - mu-adopt - 10 functions
Sep 02 01:37:42 - mu-adopt - 1 endpoints
Sep 02 01:37:42 - mu-adopt - 1 search_domains
Sep 02 01:37:42 - mu-adopt - 4 nosqldbs
Sep 02 01:37:42 - mu-adopt - 6 jobs
Sep 02 01:37:42 - mu-adopt - 2 cdns
New resource types Job and CDN
We've added a type to support AWS CloudWatch Events, called Job in deference to future implementations for other providers, and CDN, for AWS CloudFront.
https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/jobs.html
https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/cdns.html
---
appname: jobtest
jobs:
- name: a-job-for-a-thing
  schedule:
    minute: '0'
    hour: '1'
    day_of_month: '1'
    month: "*"
    day_of_week: "?"
    year: "*"
  targets:
  - type: functions
    name: do-thing
functions:
- name: do-thing
  <...>
---
appname: cloudfront
cdns:
- name: test
  origins:
  - name: default
    bucket:
      name: bucket
  certificate:
    name: "*.example.com" # a certificate we already have in ACM
  dns_records:
  - zone:
      name: example.com # a domain we already have in Route53
  behaviors:
  - origin: default
    forwarded_values:
      headers:
      - Origin
      - Access-Control-Request-Headers
      - Access-Control-Request-Method
      - Access-Control-Allow-Origin
buckets:
- name: bucket
  <...>
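The schedule stanza of a Job carries the six fields of a CloudWatch Events cron expression. As an added example (not Mu's own code), this Ruby snippet assumes those fields are emitted in the order minute, hour, day_of_month, month, day_of_week, year, and enforces the rule CloudWatch Events applies: exactly one of day_of_month and day_of_week must be "?". The sample BoK is the jobtest document above, constructed inline.

```ruby
require 'yaml'

# Constructed sample input: the jobtest Basket of Kittens from the release notes,
# reduced to its schedule stanza.
JOBTEST_BOK = <<~YAML
  ---
  appname: jobtest
  jobs:
  - name: a-job-for-a-thing
    schedule:
      minute: '0'
      hour: '1'
      day_of_month: '1'
      month: "*"
      day_of_week: "?"
      year: "*"
YAML

# Field order of a CloudWatch Events cron(...) expression (assumption: Mu's
# schedule keys map onto these positions one-to-one).
CRON_FIELDS = %w[minute hour day_of_month month day_of_week year].freeze

# Build "cron(...)" from a Mu schedule hash. Raises ArgumentError for the two
# mistakes the AWS API rejects at rule creation time: a missing field, and a
# day_of_month / day_of_week pair where neither (or both) is "?".
def schedule_to_cron(schedule)
  values = CRON_FIELDS.map do |field|
    v = schedule[field]
    raise ArgumentError, "schedule is missing #{field}" if v.nil? || v.to_s.strip.empty?
    v.to_s
  end
  dom = values[2]
  dow = values[4]
  if dom != '?' && dow != '?'
    raise ArgumentError, "one of day_of_month/day_of_week must be '?' (got #{dom} and #{dow})"
  end
  if dom == '?' && dow == '?'
    raise ArgumentError, "day_of_month and day_of_week cannot both be '?'"
  end
  "cron(#{values.join(' ')})"
end

# Map every job name in a BoK document to its cron expression.
def bok_job_crons(yaml_text)
  bok = YAML.safe_load(yaml_text)
  (bok['jobs'] || []).to_h { |job| [job['name'], schedule_to_cron(job['schedule'])] }
end

if __FILE__ == $PROGRAM_NAME
  bok_job_crons(JOBTEST_BOK).each { |name, cron| puts "#{name}: #{cron}" }
end
```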
AWS::Function
Added a path option to the code stanza, which can be set to a directory on disk. This will be transparently zipped into a deployment package a la the existing zip_file option.
Commonly-used attributes of sibling resources, such as URLs, IP addresses, and ARNs, are now automatically exposed to Lambda functions as environment variables.
API Gateway integration should now behave correctly when specified either as one of an AWS Lambda Function's triggers, or from the endpoint side under methods => integrate_with.
Updates to code on disk should behave as expected when regrooming AWS Lambda resources.
The new invoke_on_completion stanza can be used to run an AWS Lambda function once its groom phase is complete.
https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/functions.html
AWS::Endpoint
API Gateways are now taggable.
Method integrations are now more robust and support more functionality, including request parameters and timeouts (timeout_in_millis). Asynchronous requests have a special async shortcut keyword to enable this behavior, as do AWS_PROXY integrations with the proxy keyword.
The cors keyword, instead of being a boolean, is now a string so you can specify the domain names that should match, e.g. * or foo.example.com.
Logging to CloudWatch is now exposed to the Basket of Kittens for configuration, via the log_requests keyword and the access_logs stanza.
Alias endpoints are now supported with the domain_names stanza, and automatically integrate with Route53 when possible.
endpoints:
- name: api
  deploy_to: production
  log_requests: true
  methods:
  - path: "/"
    type: POST
    cors: "*"
    responses:
    - code: 200
      body:
      - is_error: false
        content_type: application/json
    integrate_with:
      name: some-lambda
      type: functions
      integration_http_method: POST
      async: true
      backend_http_method: POST
      passthrough_behavior: WHEN_NO_MATCH
  domain_names:
  - dns_record:
      zone:
        name: example.com
    certificate:
      name: "*.example.com"
https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/endpoints.html
AWS::Bucket
The upload stanza is now available for populating an S3 bucket during the groom phase, and we have exposed S3's CORS (Cross-origin resource sharing) controls.
https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/buckets.html
---
appname: s3test
buckets:
- name: mybucket
  web: true
  cors:
  - allowed_methods:
    - GET
    - POST
    allowed_origins:
    - "*"
  upload:
  - source: "code/build"
    destination: "/"
AWS::NoSQLDB
Added the populate stanza, which allows batch-insertion of records at creation time.
https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/nosqldbs.html
---
appname: dynamotest
nosqldbs:
- name: mytable
  read_capacity: 100
  write_capacity: 1
  attributes:
  - name: business_owner
    type: S
    primary_sort: true
  - name: domain
    type: S
    primary_partition: true
  populate:
  - business_owner: foo
    staff_division: bar
    operational_division: baz
    domain: example.gov
  - business_owner: bing
    staff_division: None
    operational_division: bong
    domain: example.com
Quality of Life Improvements
- AWS::SearchDomain now exposes access policies via our standard language with the policies stanza, available in addition to the existing raw access_policies. See https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/search_domains/policies.html
- AWS::ContainerCluster: Blind cleanups and lookups of EKS images should be significantly faster
- New CentOS 6 and CentOS 7 base images for AWS
- Even better Slack and console messaging from mu-deploy
- AWS::ServerPool: Modernize lookup of ALB target groups
Bugfixes
- AWS::NoSQLDB will actually apply tags to Dynamo tables
- AWS: pagination of large API result sets should be closer to universal
- MommaCat daemon startup should be somewhat better guarded
- AWS::MsgQueue and AWS::Notifier: improved resilience in their .find methods
- AWS::ContainerCluster: myriad bitrot issues with ECS fixed
- AWS::Database: bitrot in tests (t2.small instances seem deprecated) fixed by moving to t2.small
- Google::Role: adoption bugfix for folders with nil bindings
- AWS::Role: Be sure we're binding custom inline policies properly on groom
- AWS::Function: Adopt tags correctly
Spring Cleanse
Quality-of-Life Improvements
- Massive housecleaning in MommaCat and Cleanup modules
- mu-adopt now takes a --scrub flag, which will set scrub_mu_isms in all generated BoKs. There is an equivalent adopt_scrub_mu_isms for mu.yaml which sets default behavior.
- Two new keywords available for credentials sections of mu.yaml to control scope of activities: restrict_to_habitats and ignore_habitats. Currently only relevant for multi-project Google Cloud organizations.
- We now resolve ~ when searching for kubectl executables in PATH
- ContainerCluster resources will check/warn/fail as appropriate at parse time if no kubectl executable is available.
- Server resources will check/warn/fail as appropriate at parse time if the Ansible groomer is set and no Ansible executables are available
- mu-node-manage: replace chefrun mode with groomeronly mode, and let it invoke any groomer instead of just Chef. The old chefrun flag will invoke this behavior.
- Docker image: Now ships with Ansible and kubectl
Bugfixes
- mu-tools::windows-client Chef recipe should now run successfully on hosts with non-standard admin usernames
- Windows AWS base images should now generate a random password on first boot as expected
Technical Debt February, Part 2
Windows
WinRM bootstraps are once again working. WinRM certificate authentication ceased working on recent official Microsoft base images at some point. Our workaround for now is to use password authentication over SSL.
Ansible now works correctly as a Groomer for Windows nodes, as does password retrieval for Windows hosts on Google Cloud.
Mu-flavored AWS base images are now available for the platforms win2k12, win2k16, and win2k19. Setting windows as the target platform will resolve to win2k16.
Quality-of-Life Improvements
- Massive refactoring in AWS resource implementations for improved maintainability.
- MU::Config: Cough up a filename and line number when someone references a bad ERB variable, or on ERB problems generally
- Improved test coverage
Known Issues
- Azure Windows VMs hang indefinitely, even using the official release images.
- GCP password retrieval for Windows nodes does not work consistently on 2016 or 2019
- NTLM passwords over unverified SSL, which we are currently forced to use for all WinRM connectivity, are barely secure. We have open backlog issues for figuring out why certificate auth ceased working, and why verification against our internal CA doesn't behave as expected.
Shelter Kitties
Bugfixes
- Avoid potential infinite recursion in MU::Config::Ref when loading existing resources that don't really exist
- Clean out old installs of gcloud utility when updating
- Google: minor adoption fixes
- AWS EFS: Proper VPC reference lookup
Shelter Kitties
Adoption Enhancements
AWS is now supported. Resource types implemented: VPC, FirewallRule, User, Group, Role, Log, Server. Partial progress has been made on other AWS resource types.
The --stubdeploy option now defaults to false.
Minimization of generated Baskets of Kittens is now more complete. BoKs generated by adoption should be significantly more terse.
Deploy-specific log files
Logger and Chef output pertaining to specific deploys is now duplicated into a file named log in each deployment directory.
Fargate with EKS
AWS EKS is now supported with Fargate, in lieu of using managed worker nodes. This is now the default behavior when flavor is set to Fargate and no ECS containers are declared.
AWS IAM Improvements
Directly-attached and inline IAM policies are now exposed to users and groups, and roles now support conditions in their can_assume blocks.
Quality-of-Life Enhancements
- There is now a monitoring flag that can be set on servers and server_pools to explicitly enable/disable Chef/Nagios based monitoring of a host.
- AWS NAT Gateways should now be tagged
- mu-cleanup will behave more gracefully when an underlying resource implementation throws an error
- AWS Security Groups can now use our standardized reference schema to reference one another; references in general should behave more reliably.
Automated testing
Added mu-run-tests utility, which runs through the Basket of Kittens library in modules/tests for improved API test coverage, currently at 25 tests. Invoked without arguments, it will conduct a simple parse test of each; with the --full argument it will deploy and clean up each in turn.
Bugfixes
- Correctly handle cross-region AWS peering
- Google VPCs should no longer generate conflicting subnet names
- Cleanup of nonexistent Chef Vaults specified in deploy metadata should no longer cause failures
Foster Family
Mu Masters in Docker
We now ship a Docker image with a gem-based Mu environment pre-installed. See https://github.com/cloudamatic/mu/wiki/Install#do-it-with-docker
Quality of Life Enhancements
- Basket of Kittens resource type docs now include examples where available, e.g. https://cloudamatic.gitlab.io/mu/MU/Config/BasketofKittens/server_pools.html
- We now attempt to clean up extraneous ~/.ssh/known_hosts entries when removing our nodes
- Attempting to deploy against a cloud provider that has no credentials configured should error more clearly
- Defunct host entries should be removed from Chef Vault client lists automatically along with the rest of the node's Chef artifacts
Bugfixes
- Fixed an issue with MommaCat not always cleansing metadata of terminated ServerPool nodes
- AWS LoadBalancers with target groups will always have invalid characters removed from their declared names
- Standard Linux userdata will attempt to fix images that ship with their initial ssh user accounts expired