aws-cost-calculator-cli 1.5.1__py3-none-any.whl → 1.6.3__py3-none-any.whl

backend/handlers/profiles.py

@@ -0,0 +1,148 @@
+"""
+Lambda handler for profile CRUD operations.
+"""
+import json
+import os
+import boto3
+from datetime import datetime
+
+
+def handler(event, context):
+    """Handle profile CRUD operations."""
+    
+    # Parse request
+    try:
+        if isinstance(event.get('body'), str):
+            body = json.loads(event['body'])
+        else:
+            body = event.get('body', {})
+    except:
+        body = event
+    
+    # Validate API secret
+    headers = event.get('headers', {})
+    api_secret = headers.get('X-API-Secret') or headers.get('x-api-secret')
+    
+    secret_name = os.environ.get('SECRET_NAME', 'cost-calculator-api-secret')
+    secrets_client = boto3.client('secretsmanager')
+    
+    try:
+        secret_response = secrets_client.get_secret_value(SecretId=secret_name)
+        expected_secret = secret_response['SecretString']
+        
+        if api_secret != expected_secret:
+            return {
+                'statusCode': 401,
+                'headers': {'Content-Type': 'application/json'},
+                'body': json.dumps({'error': 'Unauthorized'})
+            }
+    except Exception as e:
+        return {
+            'statusCode': 500,
+            'headers': {'Content-Type': 'application/json'},
+            'body': json.dumps({'error': f'Secret validation failed: {str(e)}'})
+        }
+    
+    # Get operation
+    operation = body.get('operation')  # list, get, create, update, delete
+    profile_name = body.get('profile_name')
+    
+    # DynamoDB table
+    table_name = os.environ.get('PROFILES_TABLE', 'cost-calculator-profiles')
+    dynamodb = boto3.resource('dynamodb')
+    table = dynamodb.Table(table_name)
+    
+    try:
+        if operation == 'list':
+            # List all profiles
+            response = table.scan()
+            profiles = response.get('Items', [])
+            return {
+                'statusCode': 200,
+                'headers': {'Content-Type': 'application/json'},
+                'body': json.dumps({'profiles': profiles})
+            }
+        
+        elif operation == 'get':
+            # Get specific profile
+            if not profile_name:
+                return {
+                    'statusCode': 400,
+                    'headers': {'Content-Type': 'application/json'},
+                    'body': json.dumps({'error': 'profile_name required'})
+                }
+            
+            response = table.get_item(Key={'profile_name': profile_name})
+            if 'Item' not in response:
+                return {
+                    'statusCode': 404,
+                    'headers': {'Content-Type': 'application/json'},
+                    'body': json.dumps({'error': 'Profile not found'})
+                }
+            
+            return {
+                'statusCode': 200,
+                'headers': {'Content-Type': 'application/json'},
+                'body': json.dumps({'profile': response['Item']})
+            }
+        
+        elif operation == 'create' or operation == 'update':
+            # Create or update profile
+            if not profile_name:
+                return {
+                    'statusCode': 400,
+                    'headers': {'Content-Type': 'application/json'},
+                    'body': json.dumps({'error': 'profile_name required'})
+                }
+            
+            accounts = body.get('accounts', [])
+            description = body.get('description', '')
+            
+            item = {
+                'profile_name': profile_name,
+                'accounts': accounts,
+                'description': description,
+                'updated_at': datetime.utcnow().isoformat()
+            }
+            
+            if operation == 'create':
+                item['created_at'] = datetime.utcnow().isoformat()
+            
+            table.put_item(Item=item)
+            
+            return {
+                'statusCode': 200,
+                'headers': {'Content-Type': 'application/json'},
+                'body': json.dumps({'message': 'Profile saved', 'profile': item})
+            }
+        
+        elif operation == 'delete':
+            # Delete profile
+            if not profile_name:
+                return {
+                    'statusCode': 400,
+                    'headers': {'Content-Type': 'application/json'},
+                    'body': json.dumps({'error': 'profile_name required'})
+                }
+            
+            table.delete_item(Key={'profile_name': profile_name})
+            
+            return {
+                'statusCode': 200,
+                'headers': {'Content-Type': 'application/json'},
+                'body': json.dumps({'message': 'Profile deleted'})
+            }
+        
+        else:
+            return {
+                'statusCode': 400,
+                'headers': {'Content-Type': 'application/json'},
+                'body': json.dumps({'error': 'Invalid operation. Use: list, get, create, update, delete'})
+            }
+    
+    except Exception as e:
+        return {
+            'statusCode': 500,
+            'headers': {'Content-Type': 'application/json'},
+            'body': json.dumps({'error': str(e)})
+        }

backend/handlers/trends.py

@@ -0,0 +1,106 @@
+"""
+Lambda handler for trends analysis.
+"""
+import json
+import boto3
+import os
+from algorithms.trends import analyze_trends
+
+# Get API secret from Secrets Manager
+secrets_client = boto3.client('secretsmanager')
+api_secret_arn = os.environ['API_SECRET_ARN']
+api_secret = secrets_client.get_secret_value(SecretId=api_secret_arn)['SecretString']
+
+
+def handler(event, context):
+    """
+    Lambda handler for trends analysis.
+    
+    Expected event:
+    {
+        "credentials": {
+            "access_key": "AKIA...",
+            "secret_key": "...",
+            "session_token": "..." (optional)
+        },
+        "accounts": ["123456789012", "987654321098"],
+        "weeks": 4
+    }
+    """
+    # Handle OPTIONS for CORS
+    if event.get('requestContext', {}).get('http', {}).get('method') == 'OPTIONS':
+        return {
+            'statusCode': 200,
+            'headers': {
+                'Access-Control-Allow-Origin': '*',
+                'Access-Control-Allow-Headers': '*',
+                'Access-Control-Allow-Methods': 'POST, OPTIONS'
+            },
+            'body': ''
+        }
+    
+    try:
+        # Validate API secret
+        headers = event.get('headers', {})
+        provided_secret = headers.get('x-api-secret') or headers.get('X-API-Secret')
+        
+        if provided_secret != api_secret:
+            return {
+                'statusCode': 401,
+                'headers': {'Access-Control-Allow-Origin': '*'},
+                'body': json.dumps({'error': 'Unauthorized'})
+            }
+        
+        # Parse request body
+        body = json.loads(event.get('body', '{}'))
+        
+        credentials = body.get('credentials', {})
+        accounts = body.get('accounts', [])
+        weeks = body.get('weeks', 3)
+        
+        if not credentials or not accounts:
+            return {
+                'statusCode': 400,
+                'headers': {'Access-Control-Allow-Origin': '*'},
+                'body': json.dumps({'error': 'Missing credentials or accounts'})
+            }
+        
+        # Create Cost Explorer client with provided credentials
+        ce_client = boto3.client(
+            'ce',
+            region_name='us-east-1',
+            aws_access_key_id=credentials['access_key'],
+            aws_secret_access_key=credentials['secret_key'],
+            aws_session_token=credentials.get('session_token')
+        )
+        
+        # Run analysis
+        trends_data = analyze_trends(ce_client, accounts, weeks)
+        
+        # Convert datetime objects to strings for JSON serialization
+        def convert_dates(obj):
+            if isinstance(obj, dict):
+                return {k: convert_dates(v) for k, v in obj.items()}
+            elif isinstance(obj, list):
+                return [convert_dates(item) for item in obj]
+            elif hasattr(obj, 'isoformat'):
+                return obj.isoformat()
+            return obj
+        
+        trends_data = convert_dates(trends_data)
+        
+        return {
+            'statusCode': 200,
+            'headers': {
+                'Access-Control-Allow-Origin': '*',
+                'Content-Type': 'application/json'
+            },
+            'body': json.dumps(trends_data)
+        }
+        
+    except Exception as e:
+        return {
+            'statusCode': 500,
+            'headers': {'Access-Control-Allow-Origin': '*'},
+            'body': json.dumps({'error': str(e)})
+        }

cost_calculator/cli.py

@@ -11,6 +11,8 @@ Usage:
 import click
 import boto3
 import json
+import os
+import platform
 from datetime import datetime, timedelta
 from pathlib import Path
 from cost_calculator.trends import format_trends_markdown
@@ -19,49 +21,143 @@ from cost_calculator.drill import format_drill_down_markdown
 from cost_calculator.executor import execute_trends, execute_monthly, execute_drill
 
 
+def apply_auth_options(config, sso=None, access_key_id=None, secret_access_key=None, session_token=None):
+    """Apply authentication options to profile config
+    
+    Args:
+        config: Profile configuration dict
+        sso: AWS SSO profile name
+        access_key_id: AWS Access Key ID
+        secret_access_key: AWS Secret Access Key
+        session_token: AWS Session Token
+    
+    Returns:
+        Updated config dict
+    """
+    import subprocess
+    
+    if sso:
+        # SSO authentication - trigger login if needed
+        try:
+            # Test if SSO session is valid
+            result = subprocess.run(
+                ['aws', 'sts', 'get-caller-identity', '--profile', sso],
+                capture_output=True,
+                text=True,
+                timeout=5
+            )
+            if result.returncode != 0:
+                if 'expired' in result.stderr.lower() or 'token' in result.stderr.lower():
+                    click.echo(f"SSO session expired or not initialized. Logging in...")
+                    subprocess.run(['aws', 'sso', 'login', '--profile', sso], check=True)
+        except Exception as e:
+            click.echo(f"Warning: Could not verify SSO session: {e}")
+        
+        config['aws_profile'] = sso
+    elif access_key_id and secret_access_key:
+        # Static credentials provided via CLI
+        config['credentials'] = {
+            'aws_access_key_id': access_key_id,
+            'aws_secret_access_key': secret_access_key,
+            'region': 'us-east-1'
+        }
+        if session_token:
+            config['credentials']['aws_session_token'] = session_token
+    
+    return config
+
+
 def load_profile(profile_name):
-    """Load profile configuration from ~/.config/cost-calculator/profiles.json"""
+    """Load profile configuration from local file or DynamoDB API"""
+    import os
+    import requests
+    
     config_dir = Path.home() / '.config' / 'cost-calculator'
     config_file = config_dir / 'profiles.json'
     creds_file = config_dir / 'credentials.json'
     
-    if not config_file.exists():
+    # Try local file first
+    if config_file.exists():
+        with open(config_file) as f:
+            profiles = json.load(f)
+        
+        if profile_name in profiles:
+            profile = profiles[profile_name]
+            
+            # Load credentials if using static credentials (not SSO)
+            if 'aws_profile' not in profile:
+                if not creds_file.exists():
+                    # Try environment variables
+                    if os.environ.get('AWS_ACCESS_KEY_ID'):
+                        profile['credentials'] = {
+                            'aws_access_key_id': os.environ['AWS_ACCESS_KEY_ID'],
+                            'aws_secret_access_key': os.environ['AWS_SECRET_ACCESS_KEY'],
+                            'aws_session_token': os.environ.get('AWS_SESSION_TOKEN')
+                        }
+                        return profile
+                    
+                    raise click.ClickException(
+                        f"No credentials found for profile '{profile_name}'.\n"
+                        f"Run: cc configure --profile {profile_name}"
+                    )
+                
+                with open(creds_file) as f:
+                    creds = json.load(f)
+                
+                if profile_name not in creds:
+                    raise click.ClickException(
+                        f"No credentials found for profile '{profile_name}'.\n"
+                        f"Run: cc configure --profile {profile_name}"
+                    )
+                
+                profile['credentials'] = creds[profile_name]
+            
+            return profile
+    
+    # Profile not found locally - try DynamoDB API
+    api_secret = os.environ.get('COST_API_SECRET')
+    if not api_secret:
         raise click.ClickException(
-            f"Profile configuration not found at {config_file}\n"
+            f"Profile '{profile_name}' not found locally and COST_API_SECRET not set.\n"
             f"Run: cc init --profile {profile_name}"
         )
     
-    with open(config_file) as f:
-        profiles = json.load(f)
-    
-    if profile_name not in profiles:
-        raise click.ClickException(
-            f"Profile '{profile_name}' not found in {config_file}\n"
-            f"Available profiles: {', '.join(profiles.keys())}"
+    try:
+        response = requests.post(
+            'https://64g7jq7sjygec2zmll5lsghrpi0txrzo.lambda-url.us-east-1.on.aws/',
+            headers={'X-API-Secret': api_secret, 'Content-Type': 'application/json'},
+            json={'operation': 'get', 'profile_name': profile_name},
+            timeout=10
         )
-    
-    profile = profiles[profile_name]
-    
-    # Load credentials if using static credentials (not SSO)
-    if 'aws_profile' not in profile:
-        if not creds_file.exists():
-            raise click.ClickException(
-                f"No credentials found for profile '{profile_name}'.\n"
-                f"Run: cc configure --profile {profile_name}"
-            )
         
-        with open(creds_file) as f:
-            creds = json.load(f)
-        
-        if profile_name not in creds:
+        if response.status_code == 200:
+            response_data = response.json()
+            # API returns {"profile": {...}} wrapper
+            profile_data = response_data.get('profile', response_data)
+            profile = {'accounts': profile_data['accounts']}
+            
+            # Check for AWS_PROFILE environment variable (SSO support)
+            if os.environ.get('AWS_PROFILE'):
+                profile['aws_profile'] = os.environ['AWS_PROFILE']
+            # Use environment credentials
+            elif os.environ.get('AWS_ACCESS_KEY_ID'):
+                profile['credentials'] = {
+                    'aws_access_key_id': os.environ['AWS_ACCESS_KEY_ID'],
+                    'aws_secret_access_key': os.environ['AWS_SECRET_ACCESS_KEY'],
+                    'aws_session_token': os.environ.get('AWS_SESSION_TOKEN')
+                }
+            
+            return profile
+        else:
             raise click.ClickException(
-                f"No credentials found for profile '{profile_name}'.\n"
-                f"Run: cc configure --profile {profile_name}"
+                f"Profile '{profile_name}' not found in DynamoDB.\n"
+                f"Run: cc profile create --name {profile_name} --accounts \"...\""
             )
-        
-        profile['credentials'] = creds[profile_name]
-    
-    return profile
+    except requests.exceptions.RequestException as e:
+        raise click.ClickException(
+            f"Failed to fetch profile from API: {e}\n"
+            f"Run: cc init --profile {profile_name}"
+        )
 
 
 def calculate_costs(profile_config, accounts, start_date, offset, window):
@@ -231,7 +327,7 @@ def calculate_costs(profile_config, accounts, start_date, offset, window):
     support_month = support_month_date - timedelta(days=1)  # Go back to previous month
     days_in_support_month = support_month.day  # This gives us the last day of the month
     
-    # Support allocation: divide by 2 (half to Khoros), then by days in month
+    # Support allocation: divide by 2 (50% allocation), then by days in month
     support_per_day = (support_cost / 2) / days_in_support_month
     
     # Calculate daily rate
@@ -290,18 +386,120 @@ def cli():
     pass
 
 
+@cli.command('setup-api')
+@click.option('--api-secret', required=True, prompt=True, hide_input=True, help='COST_API_SECRET value')
+def setup_api(api_secret):
+    """
+    Configure COST_API_SECRET for backend API access
+    
+    Saves the API secret to the appropriate location based on your OS:
+    - Mac/Linux: ~/.zshrc or ~/.bashrc
+    - Windows: User environment variables
+    
+    Example:
+      cc setup-api --api-secret your-secret-here
+      
+    Or let it prompt you (input will be hidden):
+      cc setup-api
+    """
+    system = platform.system()
+    
+    if system == "Windows":
+        # Windows: Set user environment variable
+        try:
+            import winreg
+            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, 'Environment', 0, winreg.KEY_SET_VALUE)
+            winreg.SetValueEx(key, 'COST_API_SECRET', 0, winreg.REG_SZ, api_secret)
+            winreg.CloseKey(key)
+            click.echo("✓ COST_API_SECRET saved to Windows user environment variables")
+            click.echo("  Please restart your terminal for changes to take effect")
+        except Exception as e:
+            click.echo(f"✗ Error setting Windows environment variable: {e}", err=True)
+            click.echo("\nManual setup:")
+            click.echo("1. Open System Properties > Environment Variables")
+            click.echo("2. Add new User variable:")
+            click.echo("   Name: COST_API_SECRET")
+            click.echo(f"   Value: {api_secret}")
+            return
+    else:
+        # Mac/Linux: Add to shell profile
+        shell = os.environ.get('SHELL', '/bin/bash')
+        
+        if 'zsh' in shell:
+            profile_file = Path.home() / '.zshrc'
+        else:
+            profile_file = Path.home() / '.bashrc'
+        
+        # Check if already exists
+        export_line = f'export COST_API_SECRET="{api_secret}"'
+        
+        try:
+            if profile_file.exists():
+                content = profile_file.read_text()
+                if 'COST_API_SECRET' in content:
+                    # Replace existing
+                    lines = content.split('\n')
+                    new_lines = []
+                    for line in lines:
+                        if 'COST_API_SECRET' in line and line.strip().startswith('export'):
+                            new_lines.append(export_line)
+                        else:
+                            new_lines.append(line)
+                    profile_file.write_text('\n'.join(new_lines))
+                    click.echo(f"✓ Updated COST_API_SECRET in {profile_file}")
+                else:
+                    # Append
+                    with profile_file.open('a') as f:
+                        f.write(f'\n# AWS Cost Calculator API Secret\n{export_line}\n')
+                    click.echo(f"✓ Added COST_API_SECRET to {profile_file}")
+            else:
+                # Create new file
+                profile_file.write_text(f'# AWS Cost Calculator API Secret\n{export_line}\n')
+                click.echo(f"✓ Created {profile_file} with COST_API_SECRET")
+            
+            # Also set for current session
+            os.environ['COST_API_SECRET'] = api_secret
+            click.echo(f"✓ Set COST_API_SECRET for current session")
+            click.echo(f"\nTo use in new terminals, run: source {profile_file}")
+            
+        except Exception as e:
+            click.echo(f"✗ Error writing to {profile_file}: {e}", err=True)
+            click.echo(f"\nManual setup: Add this line to {profile_file}:")
+            click.echo(f"  {export_line}")
+            return
+
+
 @cli.command()
 @click.option('--profile', required=True, help='Profile name (e.g., myprofile)')
 @click.option('--start-date', help='Start date (YYYY-MM-DD, default: today)')
 @click.option('--offset', default=2, help='Days to go back from start date (default: 2)')
 @click.option('--window', default=30, help='Number of days to analyze (default: 30)')
 @click.option('--json-output', is_flag=True, help='Output as JSON')
-def calculate(profile, start_date, offset, window, json_output):
-    """Calculate AWS costs for the specified period"""
+@click.option('--sso', help='AWS SSO profile name (e.g., my_sso_profile)')
+@click.option('--access-key-id', help='AWS Access Key ID (for static credentials)')
+@click.option('--secret-access-key', help='AWS Secret Access Key (for static credentials)')
+@click.option('--session-token', help='AWS Session Token (for static credentials)')
+def calculate(profile, start_date, offset, window, json_output, sso, access_key_id, secret_access_key, session_token):
+    """
+    Calculate AWS costs for the specified period
+    
+    \b
+    Authentication Options:
+      1. SSO: --sso <profile_name>
+         Example: cc calculate --profile myprofile --sso my_sso_profile
+      
+      2. Static Credentials: --access-key-id, --secret-access-key, --session-token
+         Example: cc calculate --profile myprofile --access-key-id ASIA... --secret-access-key ... --session-token ...
+      
+      3. Environment Variables: AWS_PROFILE or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
+    """
     
     # Load profile configuration
     config = load_profile(profile)
     
+    # Apply authentication options
+    config = apply_auth_options(config, sso, access_key_id, secret_access_key, session_token)
+    
     # Calculate costs
     result = calculate_costs(
         profile_config=config,
@@ -547,12 +745,17 @@ def configure(profile, access_key_id, secret_access_key, session_token, region):
 @click.option('--profile', required=True, help='Profile name')
 @click.option('--weeks', default=3, help='Number of weeks to analyze (default: 3)')
 @click.option('--output', default='cost_trends.md', help='Output markdown file (default: cost_trends.md)')
-@click.option('--json-output', is_flag=True, help='Output as JSON instead of markdown')
-def trends(profile, weeks, output, json_output):
+@click.option('--json-output', is_flag=True, help='Output as JSON')
+@click.option('--sso', help='AWS SSO profile name')
+@click.option('--access-key-id', help='AWS Access Key ID')
+@click.option('--secret-access-key', help='AWS Secret Access Key')
+@click.option('--session-token', help='AWS Session Token')
+def trends(profile, weeks, output, json_output, sso, access_key_id, secret_access_key, session_token):
     """Analyze cost trends with Week-over-Week and Trailing 30-Day comparisons"""
     
     # Load profile configuration
     config = load_profile(profile)
+    config = apply_auth_options(config, sso, access_key_id, secret_access_key, session_token)
     
     click.echo(f"Analyzing last {weeks} weeks...")
     click.echo("")
@@ -613,12 +816,17 @@ def trends(profile, weeks, output, json_output):
 @click.option('--profile', required=True, help='Profile name')
 @click.option('--months', default=6, help='Number of months to analyze (default: 6)')
 @click.option('--output', default='monthly_trends.md', help='Output markdown file (default: monthly_trends.md)')
-@click.option('--json-output', is_flag=True, help='Output as JSON instead of markdown')
-def monthly(profile, months, output, json_output):
+@click.option('--json-output', is_flag=True, help='Output as JSON')
+@click.option('--sso', help='AWS SSO profile name')
+@click.option('--access-key-id', help='AWS Access Key ID')
+@click.option('--secret-access-key', help='AWS Secret Access Key')
+@click.option('--session-token', help='AWS Session Token')
+def monthly(profile, months, output, json_output, sso, access_key_id, secret_access_key, session_token):
     """Analyze month-over-month cost trends at service level"""
     
-    # Load profile configuration
+    # Load profile
     config = load_profile(profile)
+    config = apply_auth_options(config, sso, access_key_id, secret_access_key, session_token)
     
     click.echo(f"Analyzing last {months} months...")
     click.echo("")
@@ -680,12 +888,17 @@ def monthly(profile, months, output, json_output):
 @click.option('--account', help='Filter by account ID')
 @click.option('--usage-type', help='Filter by usage type')
 @click.option('--output', default='drill_down.md', help='Output markdown file (default: drill_down.md)')
-@click.option('--json-output', is_flag=True, help='Output as JSON instead of markdown')
-def drill(profile, weeks, service, account, usage_type, output, json_output):
+@click.option('--json-output', is_flag=True, help='Output as JSON')
+@click.option('--sso', help='AWS SSO profile name')
+@click.option('--access-key-id', help='AWS Access Key ID')
+@click.option('--secret-access-key', help='AWS Secret Access Key')
+@click.option('--session-token', help='AWS Session Token')
+def drill(profile, weeks, service, account, usage_type, output, json_output, sso, access_key_id, secret_access_key, session_token):
     """Drill down into cost changes by service, account, or usage type"""
     
-    # Load profile configuration
+    # Load profile
     config = load_profile(profile)
+    config = apply_auth_options(config, sso, access_key_id, secret_access_key, session_token)
     
     # Show filters
     click.echo(f"Analyzing last {weeks} weeks...")

cost_calculator/executor.py

@@ -11,22 +11,33 @@ def get_credentials_dict(config):
     Extract credentials from config in format needed for API.
     
     Returns:
-        dict with access_key, secret_key, session_token
+        dict with access_key, secret_key, session_token, or None if profile is 'dummy'
     """
     if 'aws_profile' in config:
-        # Get temporary credentials from SSO session
-        session = boto3.Session(profile_name=config['aws_profile'])
-        credentials = session.get_credentials()
-        frozen_creds = credentials.get_frozen_credentials()
+        # Skip credential loading for dummy profile (API-only mode)
+        if config['aws_profile'] == 'dummy':
+            return None
         
-        return {
-            'access_key': frozen_creds.access_key,
-            'secret_key': frozen_creds.secret_key,
-            'session_token': frozen_creds.token
-        }
+        # Get temporary credentials from SSO session
+        try:
+            session = boto3.Session(profile_name=config['aws_profile'])
+            credentials = session.get_credentials()
+            frozen_creds = credentials.get_frozen_credentials()
+            
+            return {
+                'access_key': frozen_creds.access_key,
+                'secret_key': frozen_creds.secret_key,
+                'session_token': frozen_creds.token
+            }
+        except Exception:
+            # If profile not found, return None (API will handle)
+            return None
     else:
         # Use static credentials
-        creds = config['credentials']
+        creds = config.get('credentials', {})
+        if not creds:
+            return None
+        
         result = {
             'access_key': creds['aws_access_key_id'],
             'secret_key': creds['aws_secret_access_key']