aws-inventory-manager 0.17.12__py3-none-any.whl

src/models/group.py

@@ -0,0 +1,318 @@
+"""Resource Group model for baseline comparison across accounts."""
+
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Any, Dict, List, Optional
+
+
+@dataclass
+class GroupMember:
+    """A member of a resource group, identified by name and type.
+
+    Attributes:
+        resource_name: Resource name (extracted from ARN or logical ID)
+        resource_type: Resource type (e.g., s3:bucket, lambda:function)
+        original_arn: Original ARN from source snapshot (reference only)
+        match_strategy: How to match this member - 'logical_id' uses CloudFormation
+                       logical-id tag for stable matching, 'physical_name' uses name
+    """
+
+    resource_name: str
+    resource_type: str
+    original_arn: Optional[str] = None
+    match_strategy: str = "physical_name"  # 'logical_id' or 'physical_name'
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Serialize to dictionary."""
+        return {
+            "resource_name": self.resource_name,
+            "resource_type": self.resource_type,
+            "original_arn": self.original_arn,
+            "match_strategy": self.match_strategy,
+        }
+
+    @classmethod
+    def from_dict(cls, data: Dict[str, Any]) -> "GroupMember":
+        """Deserialize from dictionary."""
+        return cls(
+            resource_name=data["resource_name"],
+            resource_type=data["resource_type"],
+            original_arn=data.get("original_arn"),
+            match_strategy=data.get("match_strategy", "physical_name"),
+        )
+
+
+@dataclass
+class ResourceGroup:
+    """A named group of resources for baseline comparison.
+
+    Groups store resources by name + type to enable cross-account comparison
+    where ARNs differ (due to account IDs) but resource names are identical.
+
+    Attributes:
+        name: Unique group name
+        description: Human-readable description
+        source_snapshot: Name of snapshot used to create the group
+        members: List of group members
+        resource_count: Number of resources in the group
+        is_favorite: Whether the group is marked as favorite
+        created_at: Group creation timestamp
+        last_updated: Last modification timestamp
+        id: Database ID (set after save)
+    """
+
+    name: str
+    description: str = ""
+    source_snapshot: Optional[str] = None
+    members: List[GroupMember] = field(default_factory=list)
+    resource_count: int = 0
+    is_favorite: bool = False
+    created_at: Optional[datetime] = field(default_factory=lambda: datetime.now(timezone.utc))
+    last_updated: Optional[datetime] = field(default_factory=lambda: datetime.now(timezone.utc))
+    id: Optional[int] = None
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Serialize to dictionary for storage.
+
+        Returns:
+            Dictionary representation suitable for storage
+        """
+        return {
+            "id": self.id,
+            "name": self.name,
+            "description": self.description,
+            "source_snapshot": self.source_snapshot,
+            "members": [m.to_dict() for m in self.members],
+            "resource_count": self.resource_count,
+            "is_favorite": self.is_favorite,
+            "created_at": self.created_at.isoformat() if self.created_at else None,
+            "last_updated": self.last_updated.isoformat() if self.last_updated else None,
+        }
+
+    @classmethod
+    def from_dict(cls, data: Dict[str, Any]) -> "ResourceGroup":
+        """Deserialize from dictionary.
+
+        Args:
+            data: Dictionary loaded from storage
+
+        Returns:
+            ResourceGroup instance
+        """
+        # Handle datetime fields
+        created_at = data.get("created_at")
+        if isinstance(created_at, str):
+            created_at = datetime.fromisoformat(created_at)
+
+        last_updated = data.get("last_updated")
+        if isinstance(last_updated, str):
+            last_updated = datetime.fromisoformat(last_updated)
+
+        # Handle members
+        members_data = data.get("members", [])
+        members = [GroupMember.from_dict(m) for m in members_data]
+
+        return cls(
+            id=data.get("id"),
+            name=data["name"],
+            description=data.get("description", ""),
+            source_snapshot=data.get("source_snapshot"),
+            members=members,
+            resource_count=data.get("resource_count", len(members)),
+            is_favorite=data.get("is_favorite", False),
+            created_at=created_at,
+            last_updated=last_updated,
+        )
+
+    def add_member(
+        self,
+        resource_name: str,
+        resource_type: str,
+        original_arn: Optional[str] = None,
+        match_strategy: str = "physical_name",
+    ) -> bool:
+        """Add a resource to the group.
+
+        Args:
+            resource_name: Resource name (or logical ID if match_strategy is 'logical_id')
+            resource_type: Resource type
+            original_arn: Optional original ARN
+            match_strategy: 'logical_id' for CloudFormation logical IDs, 'physical_name' for names
+
+        Returns:
+            True if added, False if already exists
+        """
+        # Check if already exists
+        for member in self.members:
+            if member.resource_name == resource_name and member.resource_type == resource_type:
+                return False
+
+        self.members.append(GroupMember(resource_name, resource_type, original_arn, match_strategy))
+        self.resource_count = len(self.members)
+        self.last_updated = datetime.now(timezone.utc)
+        return True
+
+    def remove_member(self, resource_name: str, resource_type: str) -> bool:
+        """Remove a resource from the group.
+
+        Args:
+            resource_name: Resource name
+            resource_type: Resource type
+
+        Returns:
+            True if removed, False if not found
+        """
+        for i, member in enumerate(self.members):
+            if member.resource_name == resource_name and member.resource_type == resource_type:
+                del self.members[i]
+                self.resource_count = len(self.members)
+                self.last_updated = datetime.now(timezone.utc)
+                return True
+        return False
+
+    def has_member(self, resource_name: str, resource_type: str) -> bool:
+        """Check if a resource is in the group.
+
+        Args:
+            resource_name: Resource name
+            resource_type: Resource type
+
+        Returns:
+            True if resource is in the group
+        """
+        for member in self.members:
+            if member.resource_name == resource_name and member.resource_type == resource_type:
+                return True
+        return False
+
+
+def extract_resource_name(arn: str, resource_type: str) -> str:
+    """Extract resource name from ARN based on resource type.
+
+    ARN formats vary by service:
+    - S3: arn:aws:s3:::bucket-name
+    - Lambda: arn:aws:lambda:region:account:function:name
+    - IAM: arn:aws:iam::account:role/role-name
+    - EC2: arn:aws:ec2:region:account:instance/i-xxxx
+
+    Args:
+        arn: AWS ARN string
+        resource_type: Resource type (e.g., s3:bucket, iam:role)
+
+    Returns:
+        Extracted resource name
+    """
+    parts = arn.split(":")
+
+    # Handle different ARN formats based on service
+    if resource_type.startswith("s3:"):
+        # S3: arn:aws:s3:::bucket-name
+        return parts[-1]
+
+    elif resource_type.startswith("lambda:"):
+        # Lambda: arn:aws:lambda:region:account:function:name
+        return parts[-1]
+
+    elif resource_type.startswith("iam:"):
+        # IAM: arn:aws:iam::account:role/role-name
+        # or arn:aws:iam::account:user/user-name
+        # or arn:aws:iam::account:policy/policy-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("dynamodb:"):
+        # DynamoDB: arn:aws:dynamodb:region:account:table/table-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("sns:"):
+        # SNS: arn:aws:sns:region:account:topic-name
+        return parts[-1]
+
+    elif resource_type.startswith("sqs:"):
+        # SQS: arn:aws:sqs:region:account:queue-name
+        return parts[-1]
+
+    elif resource_type.startswith("ec2:"):
+        # EC2: arn:aws:ec2:region:account:instance/i-xxxx
+        # or arn:aws:ec2:region:account:vpc/vpc-xxxx
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("rds:"):
+        # RDS: arn:aws:rds:region:account:db:db-instance-name
+        # or arn:aws:rds:region:account:cluster:cluster-name
+        return parts[-1]
+
+    elif resource_type.startswith("secretsmanager:"):
+        # Secrets Manager: arn:aws:secretsmanager:region:account:secret:name-suffix
+        return parts[-1].split("-")[0] if "-" in parts[-1] else parts[-1]
+
+    elif resource_type.startswith("kms:"):
+        # KMS: arn:aws:kms:region:account:key/key-id
+        # or arn:aws:kms:region:account:alias/alias-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("ecs:"):
+        # ECS: arn:aws:ecs:region:account:cluster/cluster-name
+        # or arn:aws:ecs:region:account:service/cluster-name/service-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("eks:"):
+        # EKS: arn:aws:eks:region:account:cluster/cluster-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("cloudwatch:"):
+        # CloudWatch: arn:aws:cloudwatch:region:account:alarm:alarm-name
+        return parts[-1]
+
+    elif resource_type.startswith("logs:"):
+        # CloudWatch Logs: arn:aws:logs:region:account:log-group:group-name
+        return parts[-1]
+
+    elif resource_type.startswith("events:"):
+        # EventBridge: arn:aws:events:region:account:rule/rule-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("apigateway:"):
+        # API Gateway: arn:aws:apigateway:region::/restapis/api-id
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            return resource_part.split("/")[-1]
+        return resource_part
+
+    elif resource_type.startswith("elasticache:"):
+        # ElastiCache: arn:aws:elasticache:region:account:cluster:cluster-id
+        return parts[-1]
+
+    elif resource_type.startswith("ssm:"):
+        # SSM Parameter: arn:aws:ssm:region:account:parameter/param-name
+        resource_part = parts[-1]
+        if "/" in resource_part:
+            # Handle hierarchical parameter names like /env/app/key
+            return resource_part.replace("parameter/", "").replace("parameter", "")
+        return resource_part
+
+    # Default: take last segment after / or :
+    resource_part = parts[-1]
+    if "/" in resource_part:
+        return resource_part.split("/")[-1]
+    return resource_part

src/models/inventory.py

@@ -0,0 +1,133 @@
+"""Inventory model for organizing snapshots by account and purpose."""
+
+import re
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Any, Dict, List, Optional
+
+
+@dataclass
+class Inventory:
+    """Named container for organizing snapshots by account and purpose.
+
+    Attributes:
+        name: Unique identifier within account (alphanumeric + hyphens + underscores, 1-50 chars)
+        account_id: AWS account ID (12 digits)
+        include_tags: Tag filters (resource MUST have ALL)
+        exclude_tags: Tag filters (resource MUST NOT have ANY)
+        snapshots: List of snapshot filenames in this inventory
+        active_snapshot: Filename of active baseline snapshot
+        description: Human-readable description
+        created_at: Inventory creation timestamp (timezone-aware UTC)
+        last_updated: Last modification timestamp (timezone-aware UTC, auto-updated)
+    """
+
+    name: str
+    account_id: str
+    include_tags: Dict[str, str] = field(default_factory=dict)
+    exclude_tags: Dict[str, str] = field(default_factory=dict)
+    snapshots: List[str] = field(default_factory=list)
+    active_snapshot: Optional[str] = None
+    description: str = ""
+    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+    last_updated: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Serialize to dictionary for YAML storage.
+
+        Returns:
+            Dictionary representation suitable for YAML serialization
+        """
+        return {
+            "name": self.name,
+            "account_id": self.account_id,
+            "description": self.description,
+            "include_tags": self.include_tags,
+            "exclude_tags": self.exclude_tags,
+            "snapshots": self.snapshots,
+            "active_snapshot": self.active_snapshot,
+            "created_at": self.created_at.isoformat(),
+            "last_updated": self.last_updated.isoformat(),
+        }
+
+    @classmethod
+    def from_dict(cls, data: Dict[str, Any]) -> "Inventory":
+        """Deserialize from dictionary (YAML load).
+
+        Args:
+            data: Dictionary loaded from YAML
+
+        Returns:
+            Inventory instance
+        """
+        # Handle datetime fields being either string or datetime (PyYAML can auto-parse)
+        created_at = data["created_at"]
+        if isinstance(created_at, str):
+            created_at = datetime.fromisoformat(created_at)
+
+        last_updated = data["last_updated"]
+        if isinstance(last_updated, str):
+            last_updated = datetime.fromisoformat(last_updated)
+
+        return cls(
+            name=data["name"],
+            account_id=data["account_id"],
+            description=data.get("description", ""),
+            include_tags=data.get("include_tags", {}),
+            exclude_tags=data.get("exclude_tags", {}),
+            snapshots=data.get("snapshots", []),
+            active_snapshot=data.get("active_snapshot"),
+            created_at=created_at,
+            last_updated=last_updated,
+        )
+
+    def add_snapshot(self, snapshot_filename: str, set_active: bool = False) -> None:
+        """Add snapshot to inventory, optionally marking as active.
+
+        Args:
+            snapshot_filename: Name of snapshot file to add
+            set_active: Whether to mark this snapshot as active baseline
+        """
+        if snapshot_filename not in self.snapshots:
+            self.snapshots.append(snapshot_filename)
+        if set_active:
+            self.active_snapshot = snapshot_filename
+        self.last_updated = datetime.now(timezone.utc)
+
+    def remove_snapshot(self, snapshot_filename: str) -> None:
+        """Remove snapshot from inventory, clearing active if it was active.
+
+        Args:
+            snapshot_filename: Name of snapshot file to remove
+        """
+        if snapshot_filename in self.snapshots:
+            self.snapshots.remove(snapshot_filename)
+        if self.active_snapshot == snapshot_filename:
+            self.active_snapshot = None
+        self.last_updated = datetime.now(timezone.utc)
+
+    def validate(self) -> List[str]:
+        """Validate inventory data, return list of errors.
+
+        Returns:
+            List of validation error messages (empty if valid)
+        """
+        errors = []
+
+        # Validate name format (alphanumeric + hyphens + underscores only)
+        if not self.name or not re.match(r"^[a-zA-Z0-9_-]+$", self.name):
+            errors.append("Name must contain only alphanumeric characters, hyphens, and underscores")
+
+        # Validate name length
+        if len(self.name) > 50:
+            errors.append("Name must be 50 characters or less")
+
+        # Validate account ID format (12 digits)
+        if not self.account_id or not re.match(r"^\d{12}$", self.account_id):
+            errors.append("Account ID must be 12 digits")
+
+        # Validate active snapshot exists in snapshots list
+        if self.active_snapshot and self.active_snapshot not in self.snapshots:
+            errors.append("Active snapshot must exist in snapshots list")
+
+        return errors

src/models/protection_rule.py

@@ -0,0 +1,123 @@
+"""Protection rule model.
+
+Configuration defining which resources should never be deleted.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from enum import Enum
+from typing import Optional
+
+
+class RuleType(Enum):
+    """Protection rule type."""
+
+    TAG = "tag"
+    TYPE = "type"
+    AGE = "age"
+    COST = "cost"
+    NATIVE = "native"
+
+
+@dataclass
+class ProtectionRule:
+    """Protection rule entity.
+
+    Configuration defining which resources should never be deleted. Rules are
+    evaluated against resources before deletion, with higher priority rules
+    taking precedence.
+
+    Rule types and patterns:
+        - TAG: Match resources by tag key/value
+            patterns: {tag_key: str, tag_values: list, match_mode: str}
+        - TYPE: Match resources by AWS type
+            patterns: {resource_types: list, match_mode: str}
+        - AGE: Protect resources younger than threshold
+            patterns: {environment: str}, threshold_value: days
+        - COST: Protect resources exceeding cost threshold
+            patterns: {action: str}, threshold_value: USD/month
+        - NATIVE: Check AWS native protection flags
+            patterns: {protection_types: list}
+
+    Validation rules:
+        - patterns cannot be empty
+        - priority must be 1-100
+        - AGE and COST rules require threshold_value >= 0
+
+    Attributes:
+        rule_id: Unique identifier
+        rule_type: Rule type (tag, type, age, cost, native)
+        enabled: Whether rule is active
+        priority: Rule precedence (1=highest)
+        patterns: Type-specific match patterns
+        threshold_value: Numeric threshold for age/cost rules (optional)
+        description: Human-readable explanation (optional)
+    """
+
+    rule_id: str
+    rule_type: RuleType
+    enabled: bool
+    priority: int
+    patterns: dict = field(default_factory=dict)
+    threshold_value: Optional[float] = None
+    description: Optional[str] = None
+
+    def validate(self) -> bool:
+        """Validate rule configuration.
+
+        Returns:
+            True if validation passes
+
+        Raises:
+            ValueError: If any validation rule fails
+        """
+        # Threshold requirements
+        if self.rule_type in [RuleType.AGE, RuleType.COST]:
+            if self.threshold_value is None or self.threshold_value < 0:
+                raise ValueError(f"{self.rule_type.value} rule requires positive threshold")
+
+        # Pattern validation
+        if not self.patterns:
+            raise ValueError("Patterns cannot be empty")
+
+        # Priority range
+        if not (1 <= self.priority <= 100):
+            raise ValueError("Priority must be 1-100")
+
+        return True
+
+    def matches(self, resource: dict) -> bool:
+        """Check if resource matches this rule.
+
+        Args:
+            resource: Resource metadata dictionary
+
+        Returns:
+            True if resource matches this protection rule
+        """
+        if not self.enabled:
+            return False
+
+        if self.rule_type == RuleType.TAG:
+            tag_key = self.patterns.get("tag_key")
+            tag_values = self.patterns.get("tag_values", [])
+            resource_tag_value = resource.get("tags", {}).get(tag_key)
+            return resource_tag_value in tag_values
+
+        elif self.rule_type == RuleType.TYPE:
+            resource_types = self.patterns.get("resource_types", [])
+            return resource.get("resource_type") in resource_types
+
+        elif self.rule_type == RuleType.AGE:
+            resource_age_days = resource.get("age_days", 0)
+            return resource_age_days < self.threshold_value
+
+        elif self.rule_type == RuleType.COST:
+            resource_cost = resource.get("estimated_monthly_cost", 0)
+            return resource_cost >= self.threshold_value
+
+        elif self.rule_type == RuleType.NATIVE:
+            return resource.get("has_native_protection", False)
+
+        return False