aws-inventory-manager 0.13.2__py3-none-any.whl

src/models/delta_report.py

@@ -0,0 +1,122 @@
+"""Delta report models for tracking resource changes."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import TYPE_CHECKING, Any, Dict, List, Optional
+
+if TYPE_CHECKING:
+    from ..delta.models import DriftReport
+
+
+@dataclass
+class ResourceChange:
+    """Represents a modified resource in a delta report."""
+
+    resource: Any  # Current Resource instance
+    baseline_resource: Any  # Reference Resource instance (keeping field name for compatibility)
+    change_type: str  # 'modified'
+    old_config_hash: str
+    new_config_hash: str
+    changes_summary: Optional[str] = None
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary for serialization."""
+        return {
+            "arn": self.resource.arn,
+            "resource_type": self.resource.resource_type,
+            "name": self.resource.name,
+            "region": self.resource.region,
+            "change_type": self.change_type,
+            "tags": self.resource.tags,
+            "old_config_hash": self.old_config_hash,
+            "new_config_hash": self.new_config_hash,
+            "changes_summary": self.changes_summary,
+        }
+
+
+@dataclass
+class DeltaReport:
+    """Represents differences between two snapshots."""
+
+    generated_at: datetime
+    baseline_snapshot_name: str  # Reference snapshot name (keeping field name for compatibility)
+    current_snapshot_name: str
+    added_resources: List[Any] = field(default_factory=list)  # List[Resource]
+    deleted_resources: List[Any] = field(default_factory=list)  # List[Resource]
+    modified_resources: List[ResourceChange] = field(default_factory=list)
+    baseline_resource_count: int = 0  # Reference snapshot count (keeping field name for compatibility)
+    current_resource_count: int = 0
+    drift_report: Optional[DriftReport] = None  # Configuration drift details (when --show-diff is used)
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary for serialization."""
+        result = {
+            "generated_at": self.generated_at.isoformat(),
+            "baseline_snapshot_name": self.baseline_snapshot_name,
+            "current_snapshot_name": self.current_snapshot_name,
+            "added_resources": [r.to_dict() for r in self.added_resources],
+            "deleted_resources": [r.to_dict() for r in self.deleted_resources],
+            "modified_resources": [r.to_dict() for r in self.modified_resources],
+            "baseline_resource_count": self.baseline_resource_count,
+            "current_resource_count": self.current_resource_count,
+            "summary": {
+                "added": len(self.added_resources),
+                "deleted": len(self.deleted_resources),
+                "modified": len(self.modified_resources),
+                "unchanged": self.unchanged_count,
+                "total_changes": self.total_changes,
+            },
+        }
+
+        # Include drift details if available
+        if self.drift_report is not None:
+            result["drift_details"] = self.drift_report.to_dict()
+
+        return result
+
+    @property
+    def total_changes(self) -> int:
+        """Total number of changes detected."""
+        return len(self.added_resources) + len(self.deleted_resources) + len(self.modified_resources)
+
+    @property
+    def unchanged_count(self) -> int:
+        """Number of unchanged resources."""
+        # Resources that existed in reference snapshot and still exist unchanged
+        return self.baseline_resource_count - len(self.deleted_resources) - len(self.modified_resources)
+
+    @property
+    def has_changes(self) -> bool:
+        """Whether any changes were detected."""
+        return self.total_changes > 0
+
+    def group_by_service(self) -> Dict[str, Dict[str, List]]:
+        """Group changes by service type.
+
+        Returns:
+            Dictionary mapping service type to changes dict with 'added', 'deleted', 'modified' lists
+        """
+
+        grouped: Dict[str, Dict[str, List[Any]]] = {}
+
+        for resource in self.added_resources:
+            service = resource.resource_type
+            if service not in grouped:
+                grouped[service] = {"added": [], "deleted": [], "modified": []}
+            grouped[service]["added"].append(resource)
+
+        for resource in self.deleted_resources:
+            service = resource.resource_type
+            if service not in grouped:
+                grouped[service] = {"added": [], "deleted": [], "modified": []}
+            grouped[service]["deleted"].append(resource)
+
+        for change in self.modified_resources:
+            service = change.resource.resource_type
+            if service not in grouped:
+                grouped[service] = {"added": [], "deleted": [], "modified": []}
+            grouped[service]["modified"].append(change)
+
+        return grouped

src/models/efs_resource.py

@@ -0,0 +1,80 @@
+"""EFS resource model."""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Any, Dict, Optional
+
+from ..utils.hash import compute_config_hash
+
+
+@dataclass
+class EFSFileSystem:
+    """Represents an AWS EFS file system."""
+
+    file_system_id: str
+    arn: str
+    encryption_enabled: bool
+    kms_key_id: Optional[str]
+    performance_mode: str  # "generalPurpose" or "maxIO"
+    lifecycle_state: str  # "available", "creating", "deleting", "deleted"
+    tags: Dict[str, str]
+    region: str
+    created_at: datetime
+
+    def validate(self) -> bool:
+        """Validate EFS file system data.
+
+        Returns:
+            True if valid, raises ValueError if invalid
+        """
+        # Validate file_system_id format (must start with fs-)
+        if not re.match(r"^fs-[a-fA-F0-9]+$", self.file_system_id):
+            raise ValueError(f"Invalid file_system_id format: {self.file_system_id}. Must match pattern: fs-*")
+
+        # Validate performance_mode
+        valid_performance_modes = ["generalPurpose", "maxIO"]
+        if self.performance_mode not in valid_performance_modes:
+            raise ValueError(
+                f"Invalid performance_mode: {self.performance_mode}. "
+                f"Must be one of: {', '.join(valid_performance_modes)}"
+            )
+
+        # Validate lifecycle_state
+        valid_states = ["available", "creating", "deleting", "deleted"]
+        if self.lifecycle_state not in valid_states:
+            raise ValueError(
+                f"Invalid lifecycle_state: {self.lifecycle_state}. " f"Must be one of: {', '.join(valid_states)}"
+            )
+
+        return True
+
+    def to_resource_dict(self) -> Dict[str, Any]:
+        """Convert to Resource-compatible dictionary.
+
+        Returns:
+            Dictionary that can be used to create a Resource object
+        """
+        # Build raw_config with all EFS-specific attributes
+        raw_config = {
+            "file_system_id": self.file_system_id,
+            "arn": self.arn,
+            "encryption_enabled": self.encryption_enabled,
+            "kms_key_id": self.kms_key_id,
+            "performance_mode": self.performance_mode,
+            "lifecycle_state": self.lifecycle_state,
+            "region": self.region,
+        }
+
+        return {
+            "arn": self.arn,
+            "resource_type": "efs:file-system",
+            "name": self.file_system_id,
+            "region": self.region,
+            "tags": self.tags,
+            "created_at": self.created_at,
+            "raw_config": raw_config,
+            "config_hash": compute_config_hash(raw_config),
+        }

src/models/elasticache_resource.py

@@ -0,0 +1,90 @@
+"""ElastiCache resource model."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Any, Dict
+
+from ..utils.hash import compute_config_hash
+
+
+@dataclass
+class ElastiCacheCluster:
+    """Represents an AWS ElastiCache cluster (Redis or Memcached).
+
+    This model captures both Redis and Memcached clusters with their
+    encryption settings, node configuration, and metadata.
+
+    Attributes:
+        cluster_id: Unique identifier for the cluster (max 50 chars)
+        arn: Amazon Resource Name for the cluster
+        engine: Cache engine type (redis or memcached)
+        node_type: Cache node type (e.g., cache.t3.micro)
+        num_cache_nodes: Number of cache nodes in the cluster
+        engine_version: Engine version string
+        encryption_at_rest: Whether data at rest is encrypted
+        encryption_in_transit: Whether data in transit is encrypted
+        tags: Resource tags as key-value pairs
+        region: AWS region
+    """
+
+    cluster_id: str
+    arn: str
+    engine: str
+    node_type: str
+    num_cache_nodes: int
+    engine_version: str
+    encryption_at_rest: bool
+    encryption_in_transit: bool
+    tags: Dict[str, str] = field(default_factory=dict)
+    region: str = "us-east-1"
+
+    def __post_init__(self) -> None:
+        """Validate ElastiCache cluster data after initialization."""
+        # Validate cluster_id length (AWS limit is 50 characters)
+        if len(self.cluster_id) > 50:
+            raise ValueError("cluster_id must be 50 characters or less")
+
+        # Validate engine type
+        if self.engine not in ("redis", "memcached"):
+            raise ValueError("engine must be 'redis' or 'memcached'")
+
+        # Memcached does not support encryption at rest
+        if self.engine == "memcached" and self.encryption_at_rest:
+            raise ValueError("Memcached does not support encryption at rest")
+
+        # Validate num_cache_nodes
+        if self.num_cache_nodes < 1:
+            raise ValueError("num_cache_nodes must be at least 1")
+
+    def to_resource_dict(self) -> Dict[str, Any]:
+        """Convert ElastiCache cluster to Resource dictionary.
+
+        Returns:
+            Dictionary with Resource fields suitable for creating a Resource object
+        """
+        # Build raw_config that matches ElastiCache API response structure
+        raw_config = {
+            "CacheClusterId": self.cluster_id,
+            "ARN": self.arn,
+            "Engine": self.engine,
+            "CacheNodeType": self.node_type,
+            "NumCacheNodes": self.num_cache_nodes,
+            "EngineVersion": self.engine_version,
+            "AtRestEncryptionEnabled": self.encryption_at_rest,
+            "TransitEncryptionEnabled": self.encryption_in_transit,
+            "CacheClusterStatus": "available",
+        }
+
+        # Compute config hash from raw_config
+        config_hash = compute_config_hash(raw_config)
+
+        return {
+            "arn": self.arn,
+            "resource_type": "elasticache:cluster",
+            "name": self.cluster_id,
+            "region": self.region,
+            "tags": self.tags,
+            "config_hash": config_hash,
+            "raw_config": raw_config,
+        }

src/models/group.py

@@ -0,0 +1,318 @@
+"""Resource Group model for baseline comparison across accounts."""
+
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Any, Dict, List, Optional
+
+
+@dataclass
+class GroupMember:
+    """A member of a resource group, identified by name and type.
+
+    Attributes:
+        resource_name: Resource name (extracted from ARN or logical ID)
+        resource_type: Resource type (e.g., s3:bucket, lambda:function)
+        original_arn: Original ARN from source snapshot (reference only)
+        match_strategy: How to match this member - 'logical_id' uses CloudFormation
+                       logical-id tag for stable matching, 'physical_name' uses name
+    """
+
+    resource_name: str
+    resource_type: str
+    original_arn: Optional[str] = None
+    match_strategy: str = "physical_name"  # 'logical_id' or 'physical_name'
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Serialize to dictionary."""
+        return {
+            "resource_name": self.resource_name,
+            "resource_type": self.resource_type,
+            "original_arn": self.original_arn,
+            "match_strategy": self.match_strategy,
+        }
+
+    @classmethod
+    def from_dict(cls, data: Dict[str, Any]) -> "GroupMember":
+        """Deserialize from dictionary."""
+        return cls(
+            resource_name=data["resource_name"],
+            resource_type=data["resource_type"],
+            original_arn=data.get("original_arn"),
+            match_strategy=data.get("match_strategy", "physical_name"),
+        )
+
+
+@dataclass
+class ResourceGroup:
+    """A named group of resources for baseline comparison.
+
+    Groups store resources by name + type to enable cross-account comparison
+    where ARNs differ (due to account IDs) but resource names are identical.
+
+    Attributes:
+        name: Unique group name
+        description: Human-readable description
+        source_snapshot: Name of snapshot used to create the group
+        members: List of group members
+        resource_count: Number of resources in the group
+        is_favorite: Whether the group is marked as favorite
+        created_at: Group creation timestamp
+        last_updated: Last modification timestamp
+        id: Database ID (set after save)
+    """
+
+    name: str
+    description: str = ""
+    source_snapshot: Optional[str] = None
+    members: List[GroupMember] = field(default_factory=list)
+    resource_count: int = 0
+    is_favorite: bool = False
+    created_at: Optional[datetime] = field(default_factory=lambda: datetime.now(timezone.utc))
+    last_updated: Optional[datetime] = field(default_factory=lambda: datetime.now(timezone.utc))
+    id: Optional[int] = None
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Serialize to dictionary for storage.
+
+        Returns:
+            Dictionary representation suitable for storage
+        """
+        return {
+            "id": self.id,
+            "name": self.name,
+            "description": self.description,
+            "source_snapshot": self.source_snapshot,
+            "members": [m.to_dict() for m in self.members],
+            "resource_count": self.resource_count,
+            "is_favorite": self.is_favorite,
+            "created_at": self.created_at.isoformat() if self.created_at else None,
+            "last_updated": self.last_updated.isoformat() if self.last_updated else None,
+        }
+
+    @classmethod
+    def from_dict(cls, data: Dict[str, Any]) -> "ResourceGroup":
+        """Deserialize from dictionary.
+
+        Args:
+            data: Dictionary loaded from storage
+
+        Returns:
+            ResourceGroup instance
+        """
+        # Handle datetime fields
+        created_at = data.get("created_at")
+        if isinstance(created_at, str):
+            created_at = datetime.fromisoformat(created_at)
+
+        last_updated = data.get("last_updated")
+        if isinstance(last_updated, str):
+            last_updated = datetime.fromisoformat(last_updated)
+
+        # Handle members
+        members_data = data.get("members", [])
+        members = [GroupMember.from_dict(m) for m in members_data]
+
+        return cls(
+            id=data.get("id"),
+            name=data["name"],
+            description=data.get("description", ""),
+            source_snapshot=data.get("source_snapshot"),
+            members=members,
+            resource_count=data.get("resource_count", len(members)),
+            is_favorite=data.get("is_favorite", False),
+            created_at=created_at,
+            last_updated=last_updated,
+        )
+
+    def add_member(
+        self,
+        resource_name: str,
+        resource_type: str,
+        original_arn: Optional[str] = None,
+        match_strategy: str = "physical_name",
+    ) -> bool:
+        """Add a resource to the group.
+
+        Args:
+            resource_name: Resource name (or logical ID if match_strategy is 'logical_id')
+            resource_type: Resource type
+            original_arn: Optional original ARN
+            match_strategy: 'logical_id' for CloudFormation logical IDs, 'physical_name' for names
+
+        Returns:
+            True if added, False if already exists
+        """
+        # Check if already exists
+        for member in self.members:
+            if member.resource_name == resource_name and member.resource_type == resource_type:
+                return False
+
+        self.members.append(GroupMember(resource_name, resource_type, original_arn, match_strategy))
+        self.resource_count = len(self.members)
+        self.last_updated = datetime.now(timezone.utc)
+        return True
+
+    def remove_member(self, resource_name: str, resource_type: str) -> bool:
+        """Remove a resource from the group.
+
+        Args:
+            resource_name: Resource name
+            resource_type: Resource type
+
+        Returns:
+            True if removed, False if not found
+        """
+        for i, member in enumerate(self.members):
+            if member.resource_name == resource_name and member.resource_type == resource_type:
+                del self.members[i]
+                self.resource_count = len(self.members)
+                self.last_updated = datetime.now(timezone.utc)
+                return True
+        return False
+
+    def has_member(self, resource_name: str, resource_type: str) -> bool:
+        """Check if a resource is in the group.
+
+        Args:
+            resource_name: Resource name
+            resource_type: Resource type
+
+        Returns:
+            True if resource is in the group
+        """
+        for member in self.members:
+            if member.resource_name == resource_name and member.resource_type == resource_type:
+                return True
+        return False
+
+
+def extract_resource_name(arn: str, resource_type: str) -> str:
+    """Extract resource name from ARN based on resource type.
+
+    ARN formats vary by service:
+    - S3: arn:aws:s3:::bucket-name
+    - Lambda: arn:aws:lambda:region:account:function:name
+    - IAM: arn:aws:iam::account:role/role-name
+    - EC2: arn:aws:ec2:region:account:instance/i-xxxx
+
+    Args:
+        arn: AWS ARN string
+        resource_type: Resource type (e.g., s3:bucket, iam:role)
+
+    Returns:
+        Extracted resource name
+    """
+    parts = arn.split(":")
+
+    # Handle different ARN formats based on service
+    if resource_type.startswith("s3:"):
+        # S3: arn:aws:s3:::bucket-name
+        return parts[-1]
+
+    elif resource_type.startswith("lambda:"):
+        # Lambda: arn:aws:lambda:region:account:function:name
+        return parts[-1]
+
+    elif resource_type.startswith("iam:"):
+        # IAM: arn:aws:iam::account:role/role-name
+        # or arn:aws:iam::account:user/user-name
+        # or arn:aws:iam::account:policy/policy-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("dynamodb:"):
+        # DynamoDB: arn:aws:dynamodb:region:account:table/table-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("sns:"):
+        # SNS: arn:aws:sns:region:account:topic-name
+        return parts[-1]
+
+    elif resource_type.startswith("sqs:"):
+        # SQS: arn:aws:sqs:region:account:queue-name
+        return parts[-1]
+
+    elif resource_type.startswith("ec2:"):
+        # EC2: arn:aws:ec2:region:account:instance/i-xxxx
+        # or arn:aws:ec2:region:account:vpc/vpc-xxxx
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("rds:"):
+        # RDS: arn:aws:rds:region:account:db:db-instance-name
+        # or arn:aws:rds:region:account:cluster:cluster-name
+        return parts[-1]
+
+    elif resource_type.startswith("secretsmanager:"):
+        # Secrets Manager: arn:aws:secretsmanager:region:account:secret:name-suffix
+        return parts[-1].split("-")[0] if "-" in parts[-1] else parts[-1]
+
+    elif resource_type.startswith("kms:"):
+        # KMS: arn:aws:kms:region:account:key/key-id
+        # or arn:aws:kms:region:account:alias/alias-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("ecs:"):
+        # ECS: arn:aws:ecs:region:account:cluster/cluster-name
+        # or arn:aws:ecs:region:account:service/cluster-name/service-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("eks:"):
+        # EKS: arn:aws:eks:region:account:cluster/cluster-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("cloudwatch:"):
+        # CloudWatch: arn:aws:cloudwatch:region:account:alarm:alarm-name
+        return parts[-1]
+
+    elif resource_type.startswith("logs:"):
+        # CloudWatch Logs: arn:aws:logs:region:account:log-group:group-name
+        return parts[-1]
+
+    elif resource_type.startswith("events:"):
+        # EventBridge: arn:aws:events:region:account:rule/rule-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("apigateway:"):
+        # API Gateway: arn:aws:apigateway:region::/restapis/api-id
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("elasticache:"):
+        # ElastiCache: arn:aws:elasticache:region:account:cluster:cluster-id
+        return parts[-1]
+
+    elif resource_type.startswith("ssm:"):
+        # SSM Parameter: arn:aws:ssm:region:account:parameter/param-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            # Handle hierarchical parameter names like /env/app/key
+            return resource_part.replace("parameter/", "").replace("parameter", "")
+        return resource_part
+
+    # Default: take last segment after / or :
+    resource_part = parts[-1]
+    if "/" in resource_part:
+        return resource_part.split("/")[-1]
+    return resource_part