aws-cost-calculator-cli 1.6.3__py3-none-any.whl → 2.0.0__py3-none-any.whl

cost_calculator/cli.py

@@ -67,59 +67,39 @@ def apply_auth_options(config, sso=None, access_key_id=None, secret_access_key=N
     return config
 
 
-def load_profile(profile_name):
-    """Load profile configuration from local file or DynamoDB API"""
+def get_api_secret():
+    """Get API secret from config file or environment variable"""
     import os
-    import requests
     
+    # Check environment variable first
+    api_secret = os.environ.get('COST_API_SECRET')
+    if api_secret:
+        return api_secret
+    
+    # Check config file
     config_dir = Path.home() / '.config' / 'cost-calculator'
-    config_file = config_dir / 'profiles.json'
-    creds_file = config_dir / 'credentials.json'
+    config_file = config_dir / 'config.json'
     
-    # Try local file first
     if config_file.exists():
         with open(config_file) as f:
-            profiles = json.load(f)
-        
-        if profile_name in profiles:
-            profile = profiles[profile_name]
-            
-            # Load credentials if using static credentials (not SSO)
-            if 'aws_profile' not in profile:
-                if not creds_file.exists():
-                    # Try environment variables
-                    if os.environ.get('AWS_ACCESS_KEY_ID'):
-                        profile['credentials'] = {
-                            'aws_access_key_id': os.environ['AWS_ACCESS_KEY_ID'],
-                            'aws_secret_access_key': os.environ['AWS_SECRET_ACCESS_KEY'],
-                            'aws_session_token': os.environ.get('AWS_SESSION_TOKEN')
-                        }
-                        return profile
-                    
-                    raise click.ClickException(
-                        f"No credentials found for profile '{profile_name}'.\n"
-                        f"Run: cc configure --profile {profile_name}"
-                    )
-                
-                with open(creds_file) as f:
-                    creds = json.load(f)
-                
-                if profile_name not in creds:
-                    raise click.ClickException(
-                        f"No credentials found for profile '{profile_name}'.\n"
-                        f"Run: cc configure --profile {profile_name}"
-                    )
-                
-                profile['credentials'] = creds[profile_name]
-            
-            return profile
+            config = json.load(f)
+            return config.get('api_secret')
+    
+    return None
+
+
+def load_profile(profile_name):
+    """Load profile configuration from DynamoDB API (API-only, no local files)"""
+    import requests
+    
+    # Get API secret
+    api_secret = get_api_secret()
     
-    # Profile not found locally - try DynamoDB API
-    api_secret = os.environ.get('COST_API_SECRET')
     if not api_secret:
         raise click.ClickException(
-            f"Profile '{profile_name}' not found locally and COST_API_SECRET not set.\n"
-            f"Run: cc init --profile {profile_name}"
+            "No API secret configured.\n"
+            "Run: cc configure --api-secret YOUR_SECRET\n"
+            "Or set environment variable: export COST_API_SECRET=YOUR_SECRET"
         )
     
     try:
@@ -136,8 +116,11 @@ def load_profile(profile_name):
             profile_data = response_data.get('profile', response_data)
             profile = {'accounts': profile_data['accounts']}
             
+            # If profile has aws_profile field, use it
+            if 'aws_profile' in profile_data:
+                profile['aws_profile'] = profile_data['aws_profile']
             # Check for AWS_PROFILE environment variable (SSO support)
-            if os.environ.get('AWS_PROFILE'):
+            elif os.environ.get('AWS_PROFILE'):
                 profile['aws_profile'] = os.environ['AWS_PROFILE']
             # Use environment credentials
             elif os.environ.get('AWS_ACCESS_KEY_ID'):
@@ -146,6 +129,33 @@ def load_profile(profile_name):
                     'aws_secret_access_key': os.environ['AWS_SECRET_ACCESS_KEY'],
                     'aws_session_token': os.environ.get('AWS_SESSION_TOKEN')
                 }
+            else:
+                # Try to find a matching AWS profile by name
+                # This allows "khoros" profile to work with "khoros_umbrella" AWS profile
+                import subprocess
+                try:
+                    result = subprocess.run(
+                        ['aws', 'configure', 'list-profiles'],
+                        capture_output=True,
+                        text=True,
+                        timeout=5
+                    )
+                    if result.returncode == 0:
+                        available_profiles = result.stdout.strip().split('\n')
+                        # Try exact match first
+                        if profile_name in available_profiles:
+                            profile['aws_profile'] = profile_name
+                        # Try with common suffixes
+                        elif f"{profile_name}_umbrella" in available_profiles:
+                            profile['aws_profile'] = f"{profile_name}_umbrella"
+                        elif f"{profile_name}-umbrella" in available_profiles:
+                            profile['aws_profile'] = f"{profile_name}-umbrella"
+                        elif f"{profile_name}_prod" in available_profiles:
+                            profile['aws_profile'] = f"{profile_name}_prod"
+                        # If no match found, leave it unset - user must provide --sso
+                except:
+                    # If we can't list profiles, leave it unset - user must provide --sso
+                    pass
             
             return profile
         else:
@@ -156,7 +166,7 @@ def load_profile(profile_name):
     except requests.exceptions.RequestException as e:
         raise click.ClickException(
             f"Failed to fetch profile from API: {e}\n"
-            f"Run: cc init --profile {profile_name}"
+            "Check your API secret and network connection."
         )
 
 
@@ -325,7 +335,8 @@ def calculate_costs(profile_config, accounts, start_date, offset, window):
     # Calculate days in the month that the support covers
     # Support on Nov 1 covers October (31 days)
     support_month = support_month_date - timedelta(days=1)  # Go back to previous month
-    days_in_support_month = support_month.day  # This gives us the last day of the month
+    import calendar
+    days_in_support_month = calendar.monthrange(support_month.year, support_month.month)[1]
     
     # Support allocation: divide by 2 (50% allocation), then by days in month
     support_per_day = (support_cost / 2) / days_in_support_month
@@ -386,6 +397,43 @@ def cli():
     pass
 
 
+@cli.command('setup-cur')
+@click.option('--database', required=True, prompt='CUR Athena Database', help='Athena database name for CUR')
+@click.option('--table', required=True, prompt='CUR Table Name', help='CUR table name')
+@click.option('--s3-output', required=True, prompt='S3 Output Location', help='S3 bucket for Athena query results')
+def setup_cur(database, table, s3_output):
+    """
+    Configure CUR (Cost and Usage Report) settings for resource-level queries
+    
+    Saves CUR configuration to ~/.config/cost-calculator/cur_config.json
+    
+    Example:
+      cc setup-cur --database my_cur_db --table cur_table --s3-output s3://my-bucket/
+    """
+    import json
+    
+    config_dir = Path.home() / '.config' / 'cost-calculator'
+    config_dir.mkdir(parents=True, exist_ok=True)
+    
+    config_file = config_dir / 'cur_config.json'
+    
+    config = {
+        'database': database,
+        'table': table,
+        's3_output': s3_output
+    }
+    
+    with open(config_file, 'w') as f:
+        json.dump(config, f, indent=2)
+    
+    click.echo(f"✓ CUR configuration saved to {config_file}")
+    click.echo(f"  Database: {database}")
+    click.echo(f"  Table: {table}")
+    click.echo(f"  S3 Output: {s3_output}")
+    click.echo("")
+    click.echo("You can now use: cc drill --service 'EC2 - Other' --resources")
+
+
 @cli.command('setup-api')
 @click.option('--api-secret', required=True, prompt=True, hide_input=True, help='COST_API_SECRET value')
 def setup_api(api_secret):
@@ -669,77 +717,79 @@ def setup():
 
 
 @cli.command()
-@click.option('--profile', required=True, help='Profile name to configure')
-@click.option('--access-key-id', prompt=True, hide_input=False, help='AWS Access Key ID')
-@click.option('--secret-access-key', prompt=True, hide_input=True, help='AWS Secret Access Key')
-@click.option('--session-token', default='', help='AWS Session Token (optional, for temporary credentials)')
-@click.option('--region', default='us-east-1', help='AWS Region (default: us-east-1)')
-def configure(profile, access_key_id, secret_access_key, session_token, region):
-    """Configure AWS credentials for a profile (alternative to SSO)"""
+@click.option('--api-secret', help='API secret for DynamoDB profile access')
+@click.option('--show', is_flag=True, help='Show current configuration')
+def configure(api_secret, show):
+    """
+    Configure Cost Calculator CLI settings.
     
-    config_dir = Path.home() / '.config' / 'cost-calculator'
-    config_file = config_dir / 'profiles.json'
-    creds_file = config_dir / 'credentials.json'
+    This tool requires an API secret to access profiles stored in DynamoDB.
+    The secret can be configured here or set via COST_API_SECRET environment variable.
     
-    # Create config directory if it doesn't exist
+    Examples:
+        # Configure API secret
+        cc configure --api-secret YOUR_SECRET_KEY
+        
+        # Show current configuration
+        cc configure --show
+        
+        # Use environment variable instead (no configuration needed)
+        export COST_API_SECRET=YOUR_SECRET_KEY
+    """
+    import os
+    
+    config_dir = Path.home() / '.config' / 'cost-calculator'
     config_dir.mkdir(parents=True, exist_ok=True)
+    config_file = config_dir / 'config.json'
     
-    # Load existing profiles
-    if config_file.exists() and config_file.stat().st_size > 0:
-        try:
+    if show:
+        # Show current configuration
+        if config_file.exists():
             with open(config_file) as f:
-                profiles = json.load(f)
-        except json.JSONDecodeError:
-            profiles = {}
-    else:
-        profiles = {}
-    
-    # Check if profile exists
-    if profile not in profiles:
-        click.echo(f"Error: Profile '{profile}' not found. Create it first with: cc init --profile {profile}")
+                config = json.load(f)
+                if 'api_secret' in config:
+                    masked_secret = config['api_secret'][:8] + '...' + config['api_secret'][-4:]
+                    click.echo(f"API Secret: {masked_secret} (configured)")
+                else:
+                    click.echo("API Secret: Not configured")
+        else:
+            click.echo("No configuration file found")
+        
+        # Check environment variable
+        import os
+        if os.environ.get('COST_API_SECRET'):
+            click.echo("Environment: COST_API_SECRET is set")
+        else:
+            click.echo("Environment: COST_API_SECRET is not set")
+        
         return
     
-    # Remove aws_profile if it exists (switching from SSO to static creds)
-    if 'aws_profile' in profiles[profile]:
-        del profiles[profile]['aws_profile']
-    
-    # Save updated profile
-    with open(config_file, 'w') as f:
-        json.dump(profiles, f, indent=2)
-    
-    # Load or create credentials file
-    if creds_file.exists() and creds_file.stat().st_size > 0:
-        try:
-            with open(creds_file) as f:
-                creds = json.load(f)
-        except json.JSONDecodeError:
-            creds = {}
-    else:
-        creds = {}
+    if not api_secret:
+        raise click.ClickException(
+            "Please provide --api-secret or use --show to view current configuration\n"
+            "Example: cc configure --api-secret YOUR_SECRET_KEY"
+        )
     
-    # Store credentials (encrypted would be better, but for now just file permissions)
-    creds[profile] = {
-        'aws_access_key_id': access_key_id,
-        'aws_secret_access_key': secret_access_key,
-        'region': region
-    }
+    # Load existing config
+    config = {}
+    if config_file.exists():
+        with open(config_file) as f:
+            config = json.load(f)
     
-    if session_token:
-        creds[profile]['aws_session_token'] = session_token
+    # Update API secret
+    config['api_secret'] = api_secret
     
-    # Save credentials with restricted permissions
-    with open(creds_file, 'w') as f:
-        json.dump(creds, f, indent=2)
+    # Save config
+    with open(config_file, 'w') as f:
+        json.dump(config, f, indent=2)
     
-    # Set file permissions to 600 (owner read/write only)
-    creds_file.chmod(0o600)
+    # Set restrictive permissions
+    os.chmod(config_file, 0o600)
     
-    click.echo(f"✓ AWS credentials configured for profile '{profile}'")
-    click.echo(f"✓ Credentials saved to {creds_file} (permissions: 600)")
-    click.echo(f"\nUsage: cc calculate --profile {profile}")
-    click.echo("\nNote: Credentials are stored locally. For temporary credentials,")
-    click.echo("      you'll need to reconfigure when they expire.")
-
+    masked_secret = api_secret[:8] + '...' + api_secret[-4:]
+    click.echo(f"✓ API secret configured: {masked_secret}")
+    click.echo(f"\nYou can now run: cc calculate --profile PROFILE_NAME")
+    click.echo(f"\nNote: Profiles are stored in DynamoDB and accessed via the API.")
 
 @cli.command()
 @click.option('--profile', required=True, help='Profile name')
@@ -887,14 +937,19 @@ def monthly(profile, months, output, json_output, sso, access_key_id, secret_acc
 @click.option('--service', help='Filter by service name (e.g., "EC2 - Other")')
 @click.option('--account', help='Filter by account ID')
 @click.option('--usage-type', help='Filter by usage type')
+@click.option('--resources', is_flag=True, help='Show individual resource IDs (requires CUR, uses Athena)')
 @click.option('--output', default='drill_down.md', help='Output markdown file (default: drill_down.md)')
 @click.option('--json-output', is_flag=True, help='Output as JSON')
 @click.option('--sso', help='AWS SSO profile name')
 @click.option('--access-key-id', help='AWS Access Key ID')
 @click.option('--secret-access-key', help='AWS Secret Access Key')
 @click.option('--session-token', help='AWS Session Token')
-def drill(profile, weeks, service, account, usage_type, output, json_output, sso, access_key_id, secret_access_key, session_token):
-    """Drill down into cost changes by service, account, or usage type"""
+def drill(profile, weeks, service, account, usage_type, resources, output, json_output, sso, access_key_id, secret_access_key, session_token):
+    """
+    Drill down into cost changes by service, account, or usage type
+    
+    Add --resources flag to see individual resource IDs and costs (requires CUR data via Athena)
+    """
     
     # Load profile
     config = load_profile(profile)
@@ -908,10 +963,19 @@ def drill(profile, weeks, service, account, usage_type, output, json_output, sso
         click.echo(f"  Account filter: {account}")
     if usage_type:
         click.echo(f"  Usage type filter: {usage_type}")
+    if resources:
+        click.echo(f"  Mode: Resource-level (CUR via Athena)")
     click.echo("")
     
     # Execute via API or locally
-    drill_data = execute_drill(config, weeks, service, account, usage_type)
+    drill_data = execute_drill(config, weeks, service, account, usage_type, resources)
+    
+    # Handle resource-level output differently
+    if resources:
+        from cost_calculator.cur import format_resource_output
+        output_text = format_resource_output(drill_data)
+        click.echo(output_text)
+        return
     
     if json_output:
         # Output as JSON
@@ -1084,5 +1148,852 @@ def profile(operation, name, accounts, description):
         click.echo(result.get('message', 'Operation completed'))
 
 
+@cli.command()
+@click.option('--profile', required=True, help='Profile name')
+@click.option('--sso', help='AWS SSO profile to use')
+@click.option('--weeks', default=8, help='Number of weeks to analyze')
+@click.option('--account', help='Focus on specific account ID')
+@click.option('--service', help='Focus on specific service')
+@click.option('--no-cloudtrail', is_flag=True, help='Skip CloudTrail analysis (faster)')
+@click.option('--output', default='investigation_report.md', help='Output file path')
+def investigate(profile, sso, weeks, account, service, no_cloudtrail, output):
+    """
+    Multi-stage cost investigation:
+    1. Analyze cost trends and drill-downs
+    2. Inventory actual resources in problem accounts
+    3. Analyze CloudTrail events (optional)
+    4. Generate comprehensive report
+    """
+    from cost_calculator.executor import execute_trends, execute_drill, get_credentials_dict
+    from cost_calculator.api_client import call_lambda_api, is_api_configured
+    from cost_calculator.forensics import format_investigation_report
+    from datetime import datetime, timedelta
+    
+    click.echo("=" * 80)
+    click.echo("COST INVESTIGATION")
+    click.echo("=" * 80)
+    click.echo(f"Profile: {profile}")
+    click.echo(f"Weeks: {weeks}")
+    if account:
+        click.echo(f"Account: {account}")
+    if service:
+        click.echo(f"Service: {service}")
+    click.echo("")
+    
+    # Load profile
+    config = load_profile(profile)
+    
+    # Override with SSO if provided
+    if sso:
+        config['aws_profile'] = sso
+    
+    # Validate that we have a way to get credentials
+    if 'aws_profile' not in config and 'credentials' not in config:
+        import subprocess
+        try:
+            result = subprocess.run(
+                ['aws', 'configure', 'list-profiles'],
+                capture_output=True,
+                text=True,
+                timeout=5
+            )
+            available = result.stdout.strip().split('\n') if result.returncode == 0 else []
+            suggestion = f"\nAvailable AWS profiles: {', '.join(available[:5])}" if available else ""
+        except:
+            suggestion = ""
+        
+        raise click.ClickException(
+            f"Profile '{profile}' has no AWS authentication configured.\n"
+            f"Use --sso flag to specify your AWS SSO profile:\n"
+            f"  cc investigate --profile {profile} --sso YOUR_AWS_PROFILE{suggestion}"
+        )
+    
+    # Step 1: Cost Analysis
+    click.echo("Step 1/3: Analyzing cost trends...")
+    try:
+        trends_data = execute_trends(config, weeks)
+        click.echo(f"✓ Found cost data for {weeks} weeks")
+    except Exception as e:
+        click.echo(f"✗ Error analyzing trends: {str(e)}")
+        trends_data = None
+    
+    # Step 2: Drill-down
+    click.echo("\nStep 2/3: Drilling down into costs...")
+    drill_data = None
+    if service or account:
+        try:
+            drill_data = execute_drill(config, weeks, service, account, None, False)
+            click.echo(f"✓ Drill-down complete")
+        except Exception as e:
+            click.echo(f"✗ Error in drill-down: {str(e)}")
+    
+    # Step 3: Resource Inventory
+    click.echo("\nStep 3/3: Inventorying resources...")
+    inventories = []
+    cloudtrail_analyses = []
+    
+    # Determine which accounts to investigate
+    accounts_to_investigate = []
+    if account:
+        accounts_to_investigate = [account]
+    else:
+        # Extract top cost accounts from trends/drill data
+        # For now, we'll need the user to specify
+        click.echo("⚠️  No account specified. Use --account to inventory resources.")
+    
+    # For each account, do inventory and CloudTrail via backend API
+    for acc_id in accounts_to_investigate:
+        click.echo(f"\n  Investigating account {acc_id}...")
+        
+        # Get credentials (SSO or static)
+        account_creds = get_credentials_dict(config)
+        if not account_creds:
+            click.echo(f"    ⚠️  No credentials available for account")
+            continue
+        
+        # Inventory resources via backend API only
+        if not is_api_configured():
+            click.echo(f"    ✗ API not configured. Set COST_API_SECRET environment variable.")
+            continue
+        
+        try:
+            regions = ['us-west-2', 'us-east-1', 'eu-west-1']
+            for region in regions:
+                try:
+                    inv = call_lambda_api(
+                        'forensics',
+                        account_creds,
+                        [],  # accounts not needed for forensics
+                        operation='inventory',
+                        account_id=acc_id,
+                        region=region
+                    )
+                    
+                    if not inv.get('error'):
+                        inventories.append(inv)
+                        click.echo(f"    ✓ Inventory complete for {region}")
+                        click.echo(f"      - EC2: {len(inv['ec2_instances'])} instances")
+                        click.echo(f"      - EFS: {len(inv['efs_file_systems'])} file systems ({inv.get('total_efs_size_gb', 0):,.0f} GB)")
+                        click.echo(f"      - ELB: {len(inv['load_balancers'])} load balancers")
+                        break
+                except Exception as e:
+                    continue
+        except Exception as e:
+            click.echo(f"    ✗ Inventory error: {str(e)}")
+        
+        # CloudTrail analysis via backend API only
+        if not no_cloudtrail:
+            if not is_api_configured():
+                click.echo(f"    ✗ CloudTrail skipped: API not configured")
+            else:
+                try:
+                    start_date = (datetime.now() - timedelta(days=weeks * 7)).isoformat() + 'Z'
+                    end_date = datetime.now().isoformat() + 'Z'
+                    
+                    ct_analysis = call_lambda_api(
+                        'forensics',
+                        account_creds,
+                        [],
+                        operation='cloudtrail',
+                        account_id=acc_id,
+                        start_date=start_date,
+                        end_date=end_date,
+                        region='us-west-2'
+                    )
+                    
+                    cloudtrail_analyses.append(ct_analysis)
+                    
+                    if ct_analysis.get('error'):
+                        click.echo(f"    ⚠️  CloudTrail: {ct_analysis['error']}")
+                    else:
+                        click.echo(f"    ✓ CloudTrail analysis complete")
+                        click.echo(f"      - {len(ct_analysis['event_summary'])} event types")
+                        click.echo(f"      - {len(ct_analysis['write_events'])} resource changes")
+                except Exception as e:
+                    click.echo(f"    ✗ CloudTrail error: {str(e)}")
+    
+    # Generate report
+    click.echo(f"\nGenerating report...")
+    report = format_investigation_report(trends_data, inventories, cloudtrail_analyses if not no_cloudtrail else None)
+    
+    # Write to file
+    with open(output, 'w') as f:
+        f.write(report)
+    
+    click.echo(f"\n✓ Investigation complete!")
+    click.echo(f"✓ Report saved to: {output}")
+    click.echo("")
+
+
+def find_account_profile(account_id):
+    """
+    Find the SSO profile name for a given account ID
+    Returns profile name or None
+    """
+    import subprocess
+    
+    try:
+        # Get list of profiles
+        result = subprocess.run(
+            ['aws', 'configure', 'list-profiles'],
+            capture_output=True,
+            text=True
+        )
+        
+        profiles = result.stdout.strip().split('\n')
+        
+        # Check each profile
+        for profile in profiles:
+            try:
+                result = subprocess.run(
+                    ['aws', 'sts', 'get-caller-identity', '--profile', profile],
+                    capture_output=True,
+                    text=True,
+                    timeout=5
+                )
+                
+                if account_id in result.stdout:
+                    return profile
+            except:
+                continue
+        
+        return None
+    except:
+        return None
+
+
+@cli.command()
+@click.option('--profile', required=True, help='Profile name')
+@click.option('--start-date', help='Start date (YYYY-MM-DD)')
+@click.option('--end-date', help='End date (YYYY-MM-DD)')
+@click.option('--days', type=int, default=10, help='Number of days to analyze (default: 10)')
+@click.option('--service', help='Filter by service name')
+@click.option('--account', help='Filter by account ID')
+@click.option('--sso', help='AWS SSO profile name')
+@click.option('--json', 'output_json', is_flag=True, help='Output as JSON')
+def daily(profile, start_date, end_date, days, service, account, sso, output_json):
+    """
+    Get daily cost breakdown with granular detail.
+    
+    Shows day-by-day costs for specific services and accounts, useful for:
+    - Identifying cost spikes on specific dates
+    - Validating daily cost patterns
+    - Calculating precise daily averages
+    
+    Examples:
+        # Last 10 days of CloudWatch costs for specific account
+        cc daily --profile khoros --days 10 --service AmazonCloudWatch --account 820054669588
+        
+        # Custom date range with JSON output for automation
+        cc daily --profile khoros --start-date 2025-10-28 --end-date 2025-11-06 --json
+        
+        # Find high-cost days using jq
+        cc daily --profile khoros --days 30 --json | jq '.daily_costs | map(select(.cost > 1000))'
+    """
+    # Load profile
+    config = load_profile(profile)
+    
+    # Apply SSO if provided
+    if sso:
+        config['aws_profile'] = sso
+    
+    # Calculate date range
+    if end_date:
+        end = datetime.strptime(end_date, '%Y-%m-%d')
+    else:
+        end = datetime.now()
+    
+    if start_date:
+        start = datetime.strptime(start_date, '%Y-%m-%d')
+    else:
+        start = end - timedelta(days=days)
+    
+    click.echo(f"Daily breakdown: {start.strftime('%Y-%m-%d')} to {end.strftime('%Y-%m-%d')}")
+    if service:
+        click.echo(f"Service filter: {service}")
+    if account:
+        click.echo(f"Account filter: {account}")
+    click.echo("")
+    
+    # Get credentials
+    try:
+        if 'aws_profile' in config:
+            session = boto3.Session(profile_name=config['aws_profile'])
+        else:
+            creds = config['credentials']
+            session = boto3.Session(
+                aws_access_key_id=creds['aws_access_key_id'],
+                aws_secret_access_key=creds['aws_secret_access_key'],
+                aws_session_token=creds.get('aws_session_token')
+            )
+        
+        ce_client = session.client('ce', region_name='us-east-1')
+        
+        # Build filter
+        filter_parts = []
+        
+        # Account filter
+        if account:
+            filter_parts.append({
+                "Dimensions": {
+                    "Key": "LINKED_ACCOUNT",
+                    "Values": [account]
+                }
+            })
+        else:
+            filter_parts.append({
+                "Dimensions": {
+                    "Key": "LINKED_ACCOUNT",
+                    "Values": config['accounts']
+                }
+            })
+        
+        # Service filter
+        if service:
+            filter_parts.append({
+                "Dimensions": {
+                    "Key": "SERVICE",
+                    "Values": [service]
+                }
+            })
+        
+        # Exclude support and tax
+        filter_parts.append({
+            "Not": {
+                "Dimensions": {
+                    "Key": "RECORD_TYPE",
+                    "Values": ["Tax", "Support"]
+                }
+            }
+        })
+        
+        cost_filter = {"And": filter_parts} if len(filter_parts) > 1 else filter_parts[0]
+        
+        # Get daily costs
+        response = ce_client.get_cost_and_usage(
+            TimePeriod={
+                'Start': start.strftime('%Y-%m-%d'),
+                'End': (end + timedelta(days=1)).strftime('%Y-%m-%d')
+            },
+            Granularity='DAILY',
+            Metrics=['UnblendedCost'],
+            Filter=cost_filter
+        )
+        
+        # Collect results
+        daily_costs = []
+        total = 0
+        for day in response['ResultsByTime']:
+            date = day['TimePeriod']['Start']
+            cost = float(day['Total']['UnblendedCost']['Amount'])
+            total += cost
+            daily_costs.append({'date': date, 'cost': cost})
+        
+        num_days = len(response['ResultsByTime'])
+        daily_avg = total / num_days if num_days > 0 else 0
+        annual = daily_avg * 365
+        
+        # Output results
+        if output_json:
+            import json
+            result = {
+                'period': {
+                    'start': start.strftime('%Y-%m-%d'),
+                    'end': end.strftime('%Y-%m-%d'),
+                    'days': num_days
+                },
+                'filters': {
+                    'service': service,
+                    'account': account
+                },
+                'daily_costs': daily_costs,
+                'summary': {
+                    'total': total,
+                    'daily_avg': daily_avg,
+                    'annual_projection': annual
+                }
+            }
+            click.echo(json.dumps(result, indent=2))
+        else:
+            click.echo("Date       | Cost")
+            click.echo("-----------|-----------")
+            for item in daily_costs:
+                click.echo(f"{item['date']} | ${item['cost']:,.2f}")
+            click.echo("-----------|-----------")
+            click.echo(f"Total      | ${total:,.2f}")
+            click.echo(f"Daily Avg  | ${daily_avg:,.2f}")
+            click.echo(f"Annual     | ${annual:,.0f}")
+        
+    except Exception as e:
+        raise click.ClickException(f"Failed to get daily costs: {e}")
+
+
+@cli.command()
+@click.option('--profile', required=True, help='Profile name')
+@click.option('--account', help='Account ID to compare')
+@click.option('--service', help='Service to compare')
+@click.option('--before', required=True, help='Before period (YYYY-MM-DD:YYYY-MM-DD)')
+@click.option('--after', required=True, help='After period (YYYY-MM-DD:YYYY-MM-DD)')
+@click.option('--expected-reduction', type=float, help='Expected reduction percentage')
+@click.option('--sso', help='AWS SSO profile name')
+@click.option('--json', 'output_json', is_flag=True, help='Output as JSON')
+def compare(profile, account, service, before, after, expected_reduction, sso, output_json):
+    """
+    Compare costs between two periods for validation and analysis.
+    
+    Perfect for:
+    - Validating cost optimization savings
+    - Before/after migration analysis
+    - Measuring impact of infrastructure changes
+    - Automated savings validation in CI/CD
+    
+    Examples:
+        # Validate Datadog migration savings (expect 50% reduction)
+        cc compare --profile khoros --account 180770971501 --service AmazonCloudWatch \
+          --before "2025-10-28:2025-11-06" --after "2025-11-17:2025-11-26" --expected-reduction 50
+        
+        # Compare total costs across all accounts
+        cc compare --profile khoros --before "2025-10-01:2025-10-31" --after "2025-11-01:2025-11-30"
+        
+        # JSON output for automated validation
+        cc compare --profile khoros --service EC2 --before "2025-10-01:2025-10-07" \
+          --after "2025-11-08:2025-11-14" --json | jq '.comparison.met_expectation'
+    """
+    # Load profile
+    config = load_profile(profile)
+    
+    # Apply SSO if provided
+    if sso:
+        config['aws_profile'] = sso
+    
+    # Parse periods
+    try:
+        before_start, before_end = before.split(':')
+        after_start, after_end = after.split(':')
+    except ValueError:
+        raise click.ClickException("Period format must be 'YYYY-MM-DD:YYYY-MM-DD'")
+    
+    if not output_json:
+        click.echo(f"Comparing periods:")
+        click.echo(f"  Before: {before_start} to {before_end}")
+        click.echo(f"  After:  {after_start} to {after_end}")
+        if service:
+            click.echo(f"  Service: {service}")
+        if account:
+            click.echo(f"  Account: {account}")
+        click.echo("")
+    
+    # Get credentials
+    try:
+        if 'aws_profile' in config:
+            session = boto3.Session(profile_name=config['aws_profile'])
+        else:
+            creds = config['credentials']
+            session = boto3.Session(
+                aws_access_key_id=creds['aws_access_key_id'],
+                aws_secret_access_key=creds['aws_secret_access_key'],
+                aws_session_token=creds.get('aws_session_token')
+            )
+        
+        ce_client = session.client('ce', region_name='us-east-1')
+        
+        # Build filter
+        def build_filter():
+            filter_parts = []
+            
+            if account:
+                filter_parts.append({
+                    "Dimensions": {
+                        "Key": "LINKED_ACCOUNT",
+                        "Values": [account]
+                    }
+                })
+            else:
+                filter_parts.append({
+                    "Dimensions": {
+                        "Key": "LINKED_ACCOUNT",
+                        "Values": config['accounts']
+                    }
+                })
+            
+            if service:
+                filter_parts.append({
+                    "Dimensions": {
+                        "Key": "SERVICE",
+                        "Values": [service]
+                    }
+                })
+            
+            filter_parts.append({
+                "Not": {
+                    "Dimensions": {
+                        "Key": "RECORD_TYPE",
+                        "Values": ["Tax", "Support"]
+                    }
+                }
+            })
+            
+            return {"And": filter_parts} if len(filter_parts) > 1 else filter_parts[0]
+        
+        cost_filter = build_filter()
+        
+        # Get before period costs
+        before_response = ce_client.get_cost_and_usage(
+            TimePeriod={
+                'Start': before_start,
+                'End': (datetime.strptime(before_end, '%Y-%m-%d') + timedelta(days=1)).strftime('%Y-%m-%d')
+            },
+            Granularity='DAILY',
+            Metrics=['UnblendedCost'],
+            Filter=cost_filter
+        )
+        
+        # Get after period costs
+        after_response = ce_client.get_cost_and_usage(
+            TimePeriod={
+                'Start': after_start,
+                'End': (datetime.strptime(after_end, '%Y-%m-%d') + timedelta(days=1)).strftime('%Y-%m-%d')
+            },
+            Granularity='DAILY',
+            Metrics=['UnblendedCost'],
+            Filter=cost_filter
+        )
+        
+        # Calculate totals
+        before_total = sum(float(day['Total']['UnblendedCost']['Amount']) for day in before_response['ResultsByTime'])
+        after_total = sum(float(day['Total']['UnblendedCost']['Amount']) for day in after_response['ResultsByTime'])
+        
+        before_days = len(before_response['ResultsByTime'])
+        after_days = len(after_response['ResultsByTime'])
+        
+        before_daily = before_total / before_days if before_days > 0 else 0
+        after_daily = after_total / after_days if after_days > 0 else 0
+        
+        reduction = before_daily - after_daily
+        reduction_pct = (reduction / before_daily * 100) if before_daily > 0 else 0
+        annual_savings = reduction * 365
+        
+        # Output results
+        if output_json:
+            import json
+            result = {
+                'before': {
+                    'period': {'start': before_start, 'end': before_end},
+                    'total': before_total,
+                    'daily_avg': before_daily,
+                    'days': before_days
+                },
+                'after': {
+                    'period': {'start': after_start, 'end': after_end},
+                    'total': after_total,
+                    'daily_avg': after_daily,
+                    'days': after_days
+                },
+                'comparison': {
+                    'daily_reduction': reduction,
+                    'reduction_pct': reduction_pct,
+                    'annual_savings': annual_savings
+                }
+            }
+            
+            if expected_reduction is not None:
+                result['comparison']['expected_reduction_pct'] = expected_reduction
+                result['comparison']['met_expectation'] = reduction_pct >= expected_reduction
+            
+            click.echo(json.dumps(result, indent=2))
+        else:
+            click.echo("Before Period:")
+            click.echo(f"  Total: ${before_total:,.2f}")
+            click.echo(f"  Daily Avg: ${before_daily:,.2f}")
+            click.echo(f"  Days: {before_days}")
+            click.echo("")
+            click.echo("After Period:")
+            click.echo(f"  Total: ${after_total:,.2f}")
+            click.echo(f"  Daily Avg: ${after_daily:,.2f}")
+            click.echo(f"  Days: {after_days}")
+            click.echo("")
+            click.echo("Comparison:")
+            click.echo(f"  Daily Reduction: ${reduction:,.2f}")
+            click.echo(f"  Reduction %: {reduction_pct:.1f}%")
+            click.echo(f"  Annual Savings: ${annual_savings:,.0f}")
+            
+            if expected_reduction is not None:
+                click.echo("")
+                if reduction_pct >= expected_reduction:
+                    click.echo(f"✅ Savings achieved: {reduction_pct:.1f}% (expected {expected_reduction}%)")
+                else:
+                    click.echo(f"⚠️  Below target: {reduction_pct:.1f}% (expected {expected_reduction}%)")
+        
+    except Exception as e:
+        raise click.ClickException(f"Comparison failed: {e}")
+
+
+@cli.command()
+@click.option('--profile', required=True, help='Profile name')
+@click.option('--tag-key', required=True, help='Tag key to filter by')
+@click.option('--tag-value', help='Tag value to filter by (optional)')
+@click.option('--start-date', help='Start date (YYYY-MM-DD)')
+@click.option('--end-date', help='End date (YYYY-MM-DD)')
+@click.option('--days', type=int, default=30, help='Number of days to analyze (default: 30)')
+@click.option('--sso', help='AWS SSO profile name')
+@click.option('--json', 'output_json', is_flag=True, help='Output as JSON')
+def tags(profile, tag_key, tag_value, start_date, end_date, days, sso, output_json):
+    """
+    Analyze costs grouped by resource tags for cost attribution.
+    
+    Useful for:
+    - Cost allocation by team, project, or environment
+    - Identifying untagged resources (cost attribution gaps)
+    - Tracking costs by cost center or department
+    - Validating tagging compliance
+    
+    Examples:
+        # See all costs by Environment tag
+        cc tags --profile khoros --tag-key "Environment" --days 30
+        
+        # Filter to specific tag value
+        cc tags --profile khoros --tag-key "Team" --tag-value "Platform" --days 30
+        
+        # Find top cost centers with JSON output
+        cc tags --profile khoros --tag-key "CostCenter" --days 30 --json | \
+          jq '.tag_costs | sort_by(-.cost) | .[:5]'
+        
+        # Identify untagged resources (look for empty tag values)
+        cc tags --profile khoros --tag-key "Owner" --days 7
+    """
+    # Load profile
+    config = load_profile(profile)
+    
+    # Apply SSO if provided
+    if sso:
+        config['aws_profile'] = sso
+    
+    # Calculate date range
+    if end_date:
+        end = datetime.strptime(end_date, '%Y-%m-%d')
+    else:
+        end = datetime.now()
+    
+    if start_date:
+        start = datetime.strptime(start_date, '%Y-%m-%d')
+    else:
+        start = end - timedelta(days=days)
+    
+    if not output_json:
+        click.echo(f"Tag-based cost analysis: {start.strftime('%Y-%m-%d')} to {end.strftime('%Y-%m-%d')}")
+        click.echo(f"Tag key: {tag_key}")
+        if tag_value:
+            click.echo(f"Tag value: {tag_value}")
+        click.echo("")
+    
+    # Get credentials
+    try:
+        if 'aws_profile' in config:
+            session = boto3.Session(profile_name=config['aws_profile'])
+        else:
+            creds = config['credentials']
+            session = boto3.Session(
+                aws_access_key_id=creds['aws_access_key_id'],
+                aws_secret_access_key=creds['aws_secret_access_key'],
+                aws_session_token=creds.get('aws_session_token')
+            )
+        
+        ce_client = session.client('ce', region_name='us-east-1')
+        
+        # Build filter
+        filter_parts = [
+            {
+                "Dimensions": {
+                    "Key": "LINKED_ACCOUNT",
+                    "Values": config['accounts']
+                }
+            },
+            {
+                "Not": {
+                    "Dimensions": {
+                        "Key": "RECORD_TYPE",
+                        "Values": ["Tax", "Support"]
+                    }
+                }
+            }
+        ]
+        
+        # Add tag filter if value specified
+        if tag_value:
+            filter_parts.append({
+                "Tags": {
+                    "Key": tag_key,
+                    "Values": [tag_value]
+                }
+            })
+        
+        cost_filter = {"And": filter_parts}
+        
+        # Get costs grouped by tag values
+        response = ce_client.get_cost_and_usage(
+            TimePeriod={
+                'Start': start.strftime('%Y-%m-%d'),
+                'End': (end + timedelta(days=1)).strftime('%Y-%m-%d')
+            },
+            Granularity='MONTHLY',
+            Metrics=['UnblendedCost'],
+            GroupBy=[{
+                'Type': 'TAG',
+                'Key': tag_key
+            }],
+            Filter=cost_filter
+        )
+        
+        # Collect results
+        tag_costs = {}
+        for period in response['ResultsByTime']:
+            for group in period['Groups']:
+                tag_val = group['Keys'][0].split('$')[1] if '$' in group['Keys'][0] else group['Keys'][0]
+                cost = float(group['Metrics']['UnblendedCost']['Amount'])
+                tag_costs[tag_val] = tag_costs.get(tag_val, 0) + cost
+        
+        # Sort by cost
+        sorted_tags = sorted(tag_costs.items(), key=lambda x: x[1], reverse=True)
+        
+        total = sum(tag_costs.values())
+        num_days = (end - start).days
+        daily_avg = total / num_days if num_days > 0 else 0
+        
+        # Output results
+        if output_json:
+            import json
+            result = {
+                'period': {
+                    'start': start.strftime('%Y-%m-%d'),
+                    'end': end.strftime('%Y-%m-%d'),
+                    'days': num_days
+                },
+                'tag_key': tag_key,
+                'tag_value_filter': tag_value,
+                'tag_costs': [{'tag_value': k, 'cost': v, 'percentage': (v/total*100) if total > 0 else 0} for k, v in sorted_tags],
+                'summary': {
+                    'total': total,
+                    'daily_avg': daily_avg,
+                    'annual_projection': daily_avg * 365
+                }
+            }
+            click.echo(json.dumps(result, indent=2))
+        else:
+            click.echo(f"Tag Value{' '*(30-len('Tag Value'))} | Cost       | %")
+            click.echo("-" * 60)
+            for tag_val, cost in sorted_tags:
+                pct = (cost / total * 100) if total > 0 else 0
+                tag_display = tag_val[:30].ljust(30)
+                click.echo(f"{tag_display} | ${cost:>9,.2f} | {pct:>5.1f}%")
+            click.echo("-" * 60)
+            click.echo(f"{'Total'.ljust(30)} | ${total:>9,.2f} | 100.0%")
+            click.echo("")
+            click.echo(f"Daily Avg: ${daily_avg:,.2f}")
+            click.echo(f"Annual Projection: ${daily_avg * 365:,.0f}")
+        
+    except Exception as e:
+        raise click.ClickException(f"Tag analysis failed: {e}")
+
+
+@cli.command()
+@click.option('--profile', required=True, help='Profile name')
+@click.option('--query', required=True, help='SQL query to execute')
+@click.option('--database', default='athenacurcfn_cloud_intelligence_dashboard', help='Athena database name')
+@click.option('--output-bucket', help='S3 bucket for query results (default: from profile)')
+@click.option('--sso', help='AWS SSO profile name')
+def query(profile, query, database, output_bucket, sso):
+    """
+    Execute custom Athena SQL query on CUR data
+    
+    Example:
+        cc query --profile khoros --query "SELECT line_item_usage_account_id, SUM(line_item_unblended_cost) as cost FROM cloud_intelligence_dashboard WHERE line_item_usage_start_date >= DATE '2025-11-01' GROUP BY 1 ORDER BY 2 DESC LIMIT 10"
+    """
+    # Load profile
+    config = load_profile(profile)
+    
+    # Apply SSO if provided
+    if sso:
+        config['aws_profile'] = sso
+    
+    # Get credentials
+    try:
+        if 'aws_profile' in config:
+            session = boto3.Session(profile_name=config['aws_profile'])
+        else:
+            creds = config['credentials']
+            session = boto3.Session(
+                aws_access_key_id=creds['aws_access_key_id'],
+                aws_secret_access_key=creds['aws_secret_access_key'],
+                aws_session_token=creds.get('aws_session_token')
+            )
+        
+        athena_client = session.client('athena', region_name='us-east-1')
+        
+        # Default output location
+        if not output_bucket:
+            output_bucket = 's3://khoros-finops-athena/athena/'
+        
+        click.echo(f"Executing query on database: {database}")
+        click.echo(f"Output location: {output_bucket}")
+        click.echo("")
+        
+        # Execute query
+        response = athena_client.start_query_execution(
+            QueryString=query,
+            QueryExecutionContext={'Database': database},
+            ResultConfiguration={'OutputLocation': output_bucket}
+        )
+        
+        query_id = response['QueryExecutionId']
+        click.echo(f"Query ID: {query_id}")
+        click.echo("Waiting for query to complete...")
+        
+        # Wait for completion
+        import time
+        max_wait = 60
+        waited = 0
+        while waited < max_wait:
+            status_response = athena_client.get_query_execution(QueryExecutionId=query_id)
+            status = status_response['QueryExecution']['Status']['State']
+            
+            if status == 'SUCCEEDED':
+                click.echo("✓ Query completed successfully")
+                break
+            elif status in ['FAILED', 'CANCELLED']:
+                reason = status_response['QueryExecution']['Status'].get('StateChangeReason', 'Unknown')
+                raise click.ClickException(f"Query {status}: {reason}")
+            
+            time.sleep(2)
+            waited += 2
+        
+        if waited >= max_wait:
+            raise click.ClickException(f"Query timeout after {max_wait}s. Check query ID: {query_id}")
+        
+        # Get results
+        results = athena_client.get_query_results(QueryExecutionId=query_id)
+        
+        # Display results
+        rows = results['ResultSet']['Rows']
+        if not rows:
+            click.echo("No results returned")
+            return
+        
+        # Header
+        headers = [col['VarCharValue'] for col in rows[0]['Data']]
+        click.echo(" | ".join(headers))
+        click.echo("-" * (len(" | ".join(headers))))
+        
+        # Data rows
+        for row in rows[1:]:
+            values = [col.get('VarCharValue', '') for col in row['Data']]
+            click.echo(" | ".join(values))
+        
+        click.echo("")
+        click.echo(f"Returned {len(rows)-1} rows")
+        
+    except Exception as e:
+        raise click.ClickException(f"Query failed: {e}")
+
+
 if __name__ == '__main__':
     cli()