doitintl
diff --git a/‎INSTALL.md
+74 b/‎INSTALL.md
+74
diff --git a/‎README.md
+6-94 b/‎README.md
+6-94
diff --git a/‎README_architecture.md
+28 b/‎README_architecture.md
+28
diff --git a/‎README_for_dev_and_testing.md
+4-4 b/‎README_for_dev_and_testing.md
+4-4
diff --git a/‎TODO.md
+1-1 b/‎TODO.md
+1-1
diff --git a/‎deploy.sh
+9-10 b/‎deploy.sh
+9-10
@@ -0,0 +1,74 @@
+# How to Install
+
+(For the main documentation, see [README](./README.md).)
+
+## Before deploying
+
+### In which Project 
+
+* You can deploy Iris in any one project within your Google Cloud organization, but we recommend using a [new project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) just for this.
+* The script will deploy Iris (an App Engine service) into this project. That does not mean that Iris is focused on labeling this project. (See [README](./README.md).)
+
+### Needed roles for deployment
+#### Organization-level roles
+
+* Here are the required organization-level roles for you, the deployer, to allow the deploy script to set up roles and log sink. (Note that *Organization Owner* is not enough).
+    * *Organization Role Administrator* so the deployment script can create a custom IAM role for Iris that allows it to get and set labels.
+    * *Security Admin* so the deployment script can grant the needed role bindings, e.g., to the App Engine service account.
+    * *Logs Configuration Writer* so the deployment script can create an organization log sink that sends logs to
+      PubSub.
+
+#### Project-level roles
+* The required project-level roles: *Project Owner* or *Project Editor* on the project where Iris is deployed, so that the deployment script can 
+  * create role bindings, topics and subscriptions
+  * deploy App Engine. 
+  * `actAs` the serivice account `iris-msg-sender` for deploying it to allow JWT auth.
+
+* You cannot replace  *Project Owner* or *Project Editor* with fine-granted "predefined roles" are not possible because deploying Cloud Scheduler cron requires at least Editor or Owner, per GCP docs.
+
+## Deployment
+
+* Get the code with `git clone https://github.com/doitintl/iris3.git`
+* Have Python 3.9+ as your default `python3`.
+* Make sure you have these tools
+    * `envsubst`
+    * `jq`
+    * The command-line `pip3`
+    * `gcloud`. Make sure it is logged-in using an account with the [above-mentioned](#before-deploying) roles.
+* Set up the configuration
+    * Copy `config.yaml.original` to `config.yaml`.
+    * Optionally configure by editing the config file. ([See more documentation below](#configuration).)
+* As always with App Engine, a default service must exist before any other exists. So if you are working with a new project:
+  * Initialize App Engine with `gcloud app create [--region=REGION]`
+  * Deploy a simple "Hello World" default App Engine service. (See `create_project.sh` for an example (not a runnable part of the installation) of creating a project and creating the default App Engine service.)
+* Now, run `./deploy.sh <PROJECT_ID> `
+  * For documentation on usage of command-line options, run `deploy.sh -h` 
+* Choosing when the labeling occurs
+  * By default, labeling occurs on resource-creation, and also using Cloud Scheduler ("cron"). 
+    * Each of these works on certain resource types and not others (see [Supported Google Cloud resources](README#Supported Google Cloud resources) in the main README), depending on configuration (`config.yaml`).
+  * Use `-c` switch on `deploy.sh` to label using Cloud Scheduler only.
+  * Use `-e` switch on `deploy.sh` to label on-event only.
+  * If you use **both** `-c` and `-e` or **neither**, then both types of labeling occur.
+  * To label all resources, including those not configured for being labeled on Cloud Scheduler, see section "[Labeling existing resources](README.md#labeling-existing-resources)" in the main README. 
+
+
+# Configuration
+
+* Iris' config file is `config*.yaml`.
+    * All values are optional.
+    * `config.yaml.orig` has detailed documentation of the fields.
+* Alternatively, you can have `config-test.yaml`. It takes priority if both it and `config-test.yaml` are present.
+* `app.yaml` lets you configure App Engine, for example, to set a maximum number of instances. See App Engine documentation.
+* Editing `cron_full.yaml` lets you optionally change the timing for the Cloud Scheduler scheduled labelings, e.g. to do it more frequently. See Google App Engine documentation.
+
+# Uninstalling
+
+* Run script `uninstall.sh`
+* Use `uninstall.sh -h` for help.
+
+# Architecture
+Please see [README_architecture](README_architecture.md)
+
+# Development and Testing
+Please see [HACKING](./HACKING.md)
+ 
@@ -50,9 +50,7 @@ You can also  disable the scheduled labeling. See Deployment below or run `./dep
 ## Labeling existing resources
 
 * When you first use Iris, you may want to label all existing resources. Iris does not do this by default.
-* You have two choices:
-  * Set configuration `label_all_on_cron: true` before deploying. Then, on the next daily Cloud Scheduler run, all resources will be labeled. However, this will increase cost, since all resources will be rescanned every day.
-  * Alternatively, after deploying publish a PubSub message (the content doesn't matter) to `iris_label_all_topic`, for example with `gcloud pubsub topics publish iris_label_all_topic --message=does_not_matter --project $PROJECT_ID` and a full labeling will be triggered.
+* Publish a PubSub message (the content doesn't matter) to `iris_label_all_types_topic`, for example with `gcloud pubsub topics publish iris_label_all_types_topic --message=does_not_matter --project $PROJECT_ID` and a full labeling will be triggered.
 
 # Supported Google Cloud resources
 
@@ -79,99 +77,13 @@ names start `_gcp_`. The part of the function name after `_gcp_` is used for the
 * In addition to these, any labels on a project may be copied into the resourcs that are in the project, if you have enabled this in  the
   configuration file.
 
-# Installation/Deployment
-
-## Before deploying
-
-### In which Project 
-
-* You can deploy Iris in any project within your Google Cloud organization, but we recommend using a
-  [new project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project).
-
-
-### Needed roles for deployment
-#### Organization-level roles
-
-* Here are the required organization-level roles for you, the deployer, to allow the deploy script to set up roles and  log sink. (Note that *Organization Owner* is not enough).
-    * *Organization Role Administrator*  so the deployment script can create a custom IAM role for Iris that allows it to  get and set labels.
-    * *Security Admin* so the deployment script can grant the needed role bindings, e.g., to the App Engine service account.
-    * *Logs Configuration Writer* so the deployment script can create an organization log sink that sends logs to
-      PubSub.
-
-#### Project-level roles
-* The required project-level roles: *Project Owner* or *Project Editor* on the project where Iris is deployed, so that the deployment script can 
-  * create role bindings, topics and subscriptions
-  * deploy App Engine. 
-  * `actAs` the serivice account `iris-msg-sender` for deploying it to allow JWT auth.
-
-* Fine-granted "predefined roles" are not possible because deploying Cloud Scheduler cron requires at least Editor or Owner, per GCP docs.
-
- 
-
-## Deployment
-
-* Get the code with `git clone https://github.com/doitintl/iris3.git`
-* Have Python 3.9+ as your default `python3`.
-* Make sure you have these tools
-    * `envsubst`
-    * `jq`
-    * The command-line `pip3`
-    * `gcloud`. Make sure it is logged-in using an account with the [above-mentioned](#before-deploying) roles.
-* Set up the configuration
-    * Copy `config.yaml.original` to `config.yaml`.
-    * Optionally configure by editing the config file. ([See more documentation below](#configuration).)
-* As always with App Engine, a default service must exist before any other exists. So if you are working with a new project, create a simple Hello World App Engine service to fulfil that App Engine requirement. 
-* Now, run `./deploy.sh <PROJECT_ID> `.
-  * For documentation on usage of command-line options, run `deploy.sh -h` 
 
-* Choosing when the labeling occurs
-  * By default, labeling occurs on resource-creation, and also using Cloud Scheduler ("cron"). Each of these types works on certain resource types and not others (see [Supported Google Cloud Labels](#Supported Google Cloud Labels) above), depending on configuration (`config.yaml`).
-  * Use `-c` switch on `deploy.sh` to label using Cloud Scheduler only.
-  * Use `-e` switch on `deploy.sh` to label on-event only.
-  * If you use **both** `-c` and `-e` or **neither**, both types of labeling occur.
-
-
-
-# Configuration
-
-* Iris' config file is `config*.yaml`.
-    * All values are optional.
-    * `config.yaml.orig` has detailed documentation of the fields.
-* `config.yaml` is read as the production configuration file
-* Alternatively, you  can   have  `config-test.yaml`. It takes priority if both it and `config-test.yaml` are present.
-
-* `app.yaml` lets you configure App Engine, for example, to set a maximum number of instances. See App Engine documentation.
-* Editing `cron_full.yaml` lets you optionally change the timing for the Cloud Scheduler scheduled labelings, e.g. to do it  more frequently. See Google App Engine documentation.
-
-# Uninstalling
-
-* Run script `uninstall.sh`
-* * See a comment in `uninstall.sh` that describes what elements are uninstalled. The default is to uninstall everything, both the org-level components and the project-level components.
-* Run `uninstall.sh -h` for help.
-* A full uninstall will also delete the custom role. This will then block you from re-deploying  unless you first either undelete the custom role or else give a new custom-role name at the top of `custom-iris-role.yaml`.
-
+# Installing
+Please see [INSTALL](./INSTALL.md)
 # Architecture
-
-* Iris runs in Google App Engine Standard Environment (Python 3).
-* Organization-level and project-level elements
-  * First, note that Iris is an organization-level application.
-  * A single instance of Iris in one project labels all projects in an org (unless you limit it by configuration). 
-  * Iris has architecture elements which are deployed to both the org and the project.
-  * If you want a person with all permissions to deploy the org-level elements and a person without org-level permissions to redeploy only the project-level elements (e.g. when you change configuration), you can do this with flags on the script. Run `deploy.sh -h`.
-* The Cloud Scheduler "cron" job triggers Iris at configured intervals. See `cron_full.yaml` for config. The GCP Console view for this is in a  separate App Engine tab in the Cloud Scheduler view.
-* For newly created resources, a Log Sink on the organization level sends all logs for resource creation to a PubSub  topic.
-    * The Log Sink is filtered to include only supported resource types
-    * If you edit the configuration file so that  only specific projects are to be labeled, the Log Sink only captures these.
-* PubSub topics:
-    * One topic receives the resource-creation logs from the Log Sink
-    * Another topic receives messages sent by the `/schedule` Cloud Scheduler handler in `main.py`. (The `/schedule` path is triggered by the Cloud Scheduler). This then sends out messages, where each one triggers the labeling of a given resource tyope in a given project.
-    * Another topic is a dead-letter topic.
-* PubSub subscriptions
-    * There is one for each topic: These direct the messages to `/label_one` and `/do_label` in `main.py`, respectively.
-    * For security, these two PubSub subscriptions [use JWT auth](https://cloud.google.com/pubsub/docs/authenticate-push-subscriptions), where the JWT token is verified in the Iris webapp.
-    * A dead-letter subscription. This is a pull subscription. By default, it just accumulates the messages. You can use it to see statistics, or you can pull messages from it.
+Please see [README_architecture](./README_architecture.md)
 
 # Development and Testing
 
-Please see [README_for_dev_and_testing](./README_for_dev_and_testing.md)
- 
+Please see [HACKING](./HACKING.md)
+ 
@@ -0,0 +1,28 @@
+# Architecture
+
+## For the main documentation
+See [README](./README.md).
+
+## Iris' architecture
+* Iris runs in Google App Engine Standard Environment (Python 3).
+* Organization-level and project-level elements
+  * First, note that Iris is an organization-level application.
+  * A single instance of Iris in one project labels all projects in an org (unless you limit it by configuration). 
+  * Iris has architecture elements which are deployed to both the org and the project.
+  * If you want a person with all permissions to deploy the org-level elements and a person without org-level permissions to redeploy only the project-level elements (e.g. when you change configuration), you can do this with flags on the script. Run `deploy.sh -h`.
+* The Cloud Scheduler "cron" job triggers Iris at configured intervals. See `cron_full.yaml` for config. The GCP Console view for this is in a separate App Engine tab in the Cloud Scheduler view.
+* For newly created resources, a Log Sink on the organization level sends all logs for resource creation to a PubSub topic.
+    * The Log Sink is filtered to include only supported resource types
+    * If you edit the configuration file so that only specific projects are to be labeled, the Log Sink only captures these.
+* PubSub topics:
+    * One topic receives the resource-creation logs from the Log Sink
+    * Another topic receives messages sent by the `/schedule` Cloud Scheduler handler in `main.py`. (The `/schedule` path is triggered by the Cloud Scheduler). This then sends out messages, where each one triggers the labeling of a given resource tyope in a given project.
+    * Another topic is a dead-letter topic.
+* PubSub subscriptions
+    * There is one for each topic: These direct the messages to `/label_one` and `/do_label` in `main.py`, respectively.
+    * For security, these two PubSub subscriptions [use JWT auth](https://cloud.google.com/pubsub/docs/authenticate-push-subscriptions), where the JWT token is verified in the Iris webapp.
+    * A dead-letter subscription. This is a pull subscription. By default, it just accumulates the messages. You can use it to see statistics, or you can pull messages from it.
+
+# Development and Testing
+Please see [HACKING](./HACKING.md)
+ 
@@ -1,6 +1,6 @@
-# Iris: Dev and Testing
- 
-# For the main documentation
+# Iris: How to develop and test  
+
+## For the main documentation
 See [README](./README.md).
 
 ## Development tools
@@ -14,7 +14,7 @@ See [README](./README.md).
           use `export FLASK_ENV=development;export FLASK_RUN_PORT=8000;export FLASK_DEBUG=1;FLASK_APP=main.py python -m flask run`
         * In an interactive development environment, run `main.py`, first setting these environment variables.
 * For hands-on debugging
-    * Use `test_do_label` and `test_label_one` and `test_schedule` to trigger against your localhost dev-server; this should   label actual Cloud resources that you have pre-deployed.
+    * Use `test_do_label` and `test_label_one` and `test_schedule` to trigger against your localhost dev-server; this will label actual Cloud resources that you have pre-deployed.
         * See the `test_...` files for instructions.
 
 ## Adding new kinds of labels
 
@@ -2,7 +2,7 @@
 
 ## Note: see also Github Issues
 
-* P2 Memory consumption: Even an empty AppEngine app (not Iris, just a Hello World with 3 lines of code in total) crashes on out-of-memory for the smalled AppEngine instance. Google has confirmed this. See if there is a workaround.  This will save money.
+* P2 Memory consumption: Even an empty App Engine app (not Iris, just a Hello World with 3 lines of code in total) crashes on out-of-memory for the smalled App Engine instance. Google has confirmed this. See if there is a workaround.  This will save money.
 
 * P3 Label immediately after an event in certain cases, as opposed to using a daily cron as is now done.
     * Cloud SQL Instances
 
@@ -53,20 +53,19 @@ while getopts 'cepoh' opt; do
       Usage deploy.sh PROJECT_ID
           Argument:
                   The project to which Iris will be deployed
-          Options, to be given before project ID.
-            If neither -p nor -o is given, the default behavior is used:
-            to do both; this is equivalent to -p -o
-            Flags:
+          Advancd options, to be given before project ID. These are  not to be used except in advanced schenarios.
+                  A. Labeling only on-creation or on-schedule:
+                  -c: Label on Cloud Scheduler cron only
+                  -e: Label on-creation-event only
+                  The default, if neither -c or -e are given, is to enable both; equivalent to -c -e
+
+                  B. Project/Org level with -p or -o. If neither -p nor -o is given,
+                  the default behavior is to do both; equivalent to -p -o
                   -o: Deploy org-level elements like Log Sink
-                  -p: Deploy project-level elements.
-                  Org-level elements are a pre-requisite.
+                  -p: Deploy project-level elements.  Org-level elements are a pre-requisite.
                   This is useful for redeploying to the same project, e.g., to change config.
                   If you want to deploy to a *different* project,
                   then you have to deploy the org-level elements.
-                  The default, if neither -o or -p are given, is to enable both.
-                  -c: Label on Cloud Scheduler cron to add labels
-                  -e: Label on-creation-event.
-                  The default if neither -c or -e are given is to enable both.
 
           Environment variable:
                   IRIS_CUSTOM_ROLE (Optional, default is iris3) An identifier for the Iris custom role,