aws-inventory-manager 0.17.12__py3-none-any.whl

src/restore/audit.py

@@ -0,0 +1,175 @@
+"""Audit storage for deletion operations.
+
+Stores and retrieves audit logs in YAML format for compliance and troubleshooting.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime
+from pathlib import Path
+from typing import Optional
+
+import yaml
+
+from src.models.deletion_operation import DeletionOperation
+from src.models.deletion_record import DeletionRecord
+
+
+class AuditStorage:
+    """Audit log storage and retrieval.
+
+    Stores deletion operation audit logs as YAML files organized by year/month.
+    Supports querying operations by date range and retrieving detailed operation logs.
+
+    Storage structure:
+        ~/.snapshots/audit-logs/
+            2025/
+                11/
+                    operation-op_123.yaml
+                    operation-op_456.yaml
+
+    Attributes:
+        storage_dir: Base directory for audit logs
+    """
+
+    def __init__(self, storage_dir: Optional[str] = None) -> None:
+        """Initialize audit storage.
+
+        Args:
+            storage_dir: Base directory for audit logs (default: ~/.snapshots/audit-logs)
+        """
+        if storage_dir is None:
+            storage_dir = str(Path.home() / ".snapshots" / "audit-logs")
+
+        self.storage_dir = Path(storage_dir)
+        self.storage_dir.mkdir(parents=True, exist_ok=True)
+
+    def log_operation(self, operation: DeletionOperation, records: list[DeletionRecord]) -> None:
+        """Log deletion operation to audit storage.
+
+        Creates YAML file with operation metadata and all deletion records.
+        Overwrites existing log if operation ID already exists.
+
+        Args:
+            operation: Deletion operation to log
+            records: List of deletion records for this operation
+        """
+        # Create year/month directory structure
+        year = operation.timestamp.year
+        month = operation.timestamp.month
+        year_month_dir = self.storage_dir / str(year) / f"{month:02d}"
+        year_month_dir.mkdir(parents=True, exist_ok=True)
+
+        # Create audit log structure
+        audit_data = {
+            "metadata": {
+                "version": "1.0",
+                "log_type": "resource_deletion",
+                "created_at": datetime.utcnow().isoformat() + "Z",
+            },
+            "operation": {
+                "operation_id": operation.operation_id,
+                "baseline_snapshot": operation.baseline_snapshot,
+                "timestamp": operation.timestamp.isoformat() + "Z",
+                "aws_profile": operation.aws_profile,
+                "account_id": operation.account_id,
+                "mode": operation.mode.value,
+                "status": operation.status.value,
+                "filters": operation.filters,
+                "total_resources": operation.total_resources,
+                "succeeded_count": operation.succeeded_count,
+                "failed_count": operation.failed_count,
+                "skipped_count": operation.skipped_count,
+                "started_at": operation.started_at.isoformat() + "Z" if operation.started_at else None,
+                "completed_at": operation.completed_at.isoformat() + "Z" if operation.completed_at else None,
+                "duration_seconds": operation.duration_seconds,
+            },
+            "records": [
+                {
+                    "record_id": record.record_id,
+                    "operation_id": record.operation_id,
+                    "resource_arn": record.resource_arn,
+                    "resource_id": record.resource_id,
+                    "resource_type": record.resource_type,
+                    "region": record.region,
+                    "timestamp": record.timestamp.isoformat() + "Z",
+                    "status": record.status.value,
+                    "error_code": record.error_code,
+                    "error_message": record.error_message,
+                    "protection_reason": record.protection_reason,
+                    "deletion_tier": record.deletion_tier,
+                    "tags": record.tags,
+                    "estimated_monthly_cost": record.estimated_monthly_cost,
+                }
+                for record in records
+            ],
+        }
+
+        # Write YAML file
+        audit_file = year_month_dir / f"operation-{operation.operation_id}.yaml"
+        with open(audit_file, "w") as f:
+            yaml.dump(audit_data, f, default_flow_style=False, sort_keys=False)
+
+    def get_operation(self, operation_id: str) -> Optional[dict]:
+        """Retrieve operation audit log by ID.
+
+        Args:
+            operation_id: Operation ID to retrieve
+
+        Returns:
+            Audit log dictionary if found, None otherwise
+        """
+        # Search all year/month directories
+        for year_dir in self.storage_dir.glob("*"):
+            if not year_dir.is_dir():
+                continue
+
+            for month_dir in year_dir.glob("*"):
+                if not month_dir.is_dir():
+                    continue
+
+                audit_file = month_dir / f"operation-{operation_id}.yaml"
+                if audit_file.exists():
+                    with open(audit_file, "r") as f:
+                        return yaml.safe_load(f)
+
+        return None
+
+    def query_operations(self, since: Optional[datetime] = None, until: Optional[datetime] = None) -> list[dict]:
+        """Query operations within date range.
+
+        Args:
+            since: Start date (inclusive), None for all
+            until: End date (inclusive), None for all
+
+        Returns:
+            List of operation audit logs matching criteria
+        """
+        results = []
+
+        # Search all year/month directories
+        for year_dir in sorted(self.storage_dir.glob("*")):
+            if not year_dir.is_dir():
+                continue
+
+            for month_dir in sorted(year_dir.glob("*")):
+                if not month_dir.is_dir():
+                    continue
+
+                for audit_file in sorted(month_dir.glob("operation-*.yaml")):
+                    with open(audit_file, "r") as f:
+                        audit_data = yaml.safe_load(f)
+
+                    # Parse timestamp
+                    timestamp_str = audit_data["operation"]["timestamp"]
+                    timestamp = datetime.fromisoformat(timestamp_str.rstrip("Z"))
+
+                    # Filter by date range
+                    if since and timestamp < since:
+                        continue
+                    if until and timestamp > until:
+                        continue
+
+                    results.append(audit_data)
+
+        return results

src/restore/cleaner.py

@@ -0,0 +1,461 @@
+"""Resource cleaner for restoration operations.
+
+Main orchestrator for resource cleanup/restoration with preview and execution modes.
+"""
+
+from __future__ import annotations
+
+import logging
+import uuid
+from datetime import datetime
+from typing import Any, Optional
+
+from src.delta.calculator import DeltaCalculator
+from src.models.deletion_operation import DeletionOperation, OperationMode, OperationStatus
+from src.models.deletion_record import DeletionRecord, DeletionStatus
+from src.restore.audit import AuditStorage
+from src.restore.dependency import DependencyResolver
+from src.restore.safety import SafetyChecker
+from src.snapshot.storage import SnapshotStorage
+
+logger = logging.getLogger(__name__)
+
+
+class ResourceCleaner:
+    """Resource cleaner orchestrator.
+
+    Coordinates resource cleanup/restoration operations with safety checks,
+    dependency resolution, and audit logging. Supports both preview (dry-run)
+    and execution modes.
+
+    Attributes:
+        snapshot_storage: Snapshot storage for baseline comparison
+        safety_checker: Safety checker for protection rules
+        audit_storage: Audit storage for deletion logs
+        dependency_resolver: Dependency resolver for deletion ordering
+    """
+
+    def __init__(
+        self,
+        snapshot_storage: SnapshotStorage,
+        safety_checker: SafetyChecker,
+        audit_storage: AuditStorage,
+    ) -> None:
+        """Initialize resource cleaner.
+
+        Args:
+            snapshot_storage: Snapshot storage instance
+            safety_checker: Safety checker with protection rules
+            audit_storage: Audit storage for logging
+        """
+        self.snapshot_storage = snapshot_storage
+        self.safety_checker = safety_checker
+        self.audit_storage = audit_storage
+        self.dependency_resolver = DependencyResolver()
+
+    def preview(
+        self,
+        baseline_snapshot: str,
+        account_id: str,
+        aws_profile: Optional[str] = None,
+        resource_types: Optional[list[str]] = None,
+        regions: Optional[list[str]] = None,
+    ) -> DeletionOperation:
+        """Preview resources that would be deleted (dry-run mode).
+
+        Identifies resources created after baseline snapshot and applies protection
+        rules without performing any deletions.
+
+        Args:
+            baseline_snapshot: Name of baseline snapshot to compare against
+            account_id: AWS account ID to validate
+            aws_profile: AWS profile name (optional)
+            resource_types: Filter by resource types (optional)
+            regions: Filter by regions (optional)
+
+        Returns:
+            DeletionOperation in planned status with resource counts
+
+        Raises:
+            ValueError: If snapshot not found or account ID mismatch
+        """
+        # Validate snapshot exists and load it
+        try:
+            snapshot = self.snapshot_storage.load_snapshot(baseline_snapshot)
+        except (FileNotFoundError, ValueError):
+            raise ValueError(f"Snapshot '{baseline_snapshot}' not found")
+
+        # Validate account ID matches
+        snapshot_account = snapshot.account_id
+        if snapshot_account != account_id:
+            raise ValueError(
+                f"Account ID mismatch: snapshot has {snapshot_account}, " f"current credentials have {account_id}"
+            )
+
+        # Collect current resources
+        current_resources = self._collect_current_resources(account_id, regions)
+
+        # Create a temporary snapshot for current state
+        from src.models.snapshot import Snapshot
+
+        current_snapshot = Snapshot(
+            name="current",
+            created_at=datetime.utcnow(),
+            account_id=account_id,
+            regions=regions or snapshot.regions,
+            resources=[self._dict_to_resource(r) for r in current_resources],
+            resource_count=len(current_resources),
+        )
+
+        # Calculate delta (new resources since baseline)
+        delta_calc = DeltaCalculator(reference_snapshot=snapshot, current_snapshot=current_snapshot)
+        delta_result = delta_calc.calculate()
+
+        # Get added resources (convert back to dict format for filtering)
+        new_resources = [self._resource_to_dict(r) for r in delta_result.added_resources]
+
+        # Apply filters
+        filtered_resources = self._apply_filters(
+            new_resources,
+            resource_types=resource_types,
+            regions=regions,
+        )
+
+        # Apply protection rules and count protected resources
+        protected_count = 0
+
+        for resource in filtered_resources:
+            is_protected, reason = self.safety_checker.is_protected(resource)
+
+            if is_protected:
+                protected_count += 1
+
+        # Create operation
+        operation = DeletionOperation(
+            operation_id=f"op_{uuid.uuid4()}",
+            baseline_snapshot=baseline_snapshot,
+            timestamp=datetime.utcnow(),
+            account_id=account_id,
+            mode=OperationMode.DRY_RUN,
+            status=OperationStatus.PLANNED,
+            total_resources=len(filtered_resources),
+            succeeded_count=0,
+            failed_count=0,
+            skipped_count=protected_count,
+            aws_profile=aws_profile,
+            filters=self._build_filters_dict(resource_types, regions),
+        )
+
+        return operation
+
+    def execute(
+        self,
+        baseline_snapshot: str,
+        account_id: str,
+        confirmed: bool = False,
+        aws_profile: Optional[str] = None,
+        resource_types: Optional[list[str]] = None,
+        regions: Optional[list[str]] = None,
+    ) -> DeletionOperation:
+        """Execute resource deletion to restore to baseline (execution mode).
+
+        Performs actual deletion of resources created after baseline snapshot with
+        protection checks and audit logging.
+
+        Args:
+            baseline_snapshot: Name of baseline snapshot to restore to
+            account_id: AWS account ID to validate
+            confirmed: Must be True to proceed with deletion
+            aws_profile: AWS profile name (optional)
+            resource_types: Filter by resource types (optional)
+            regions: Filter by regions (optional)
+
+        Returns:
+            DeletionOperation with execution results
+
+        Raises:
+            ValueError: If not confirmed or snapshot not found or account ID mismatch
+        """
+        # Require confirmation for destructive operations
+        if not confirmed:
+            raise ValueError("Deletion requires explicit confirmation. Set confirmed=True or use --confirm flag.")
+
+        # Validate snapshot exists and load it
+        try:
+            snapshot = self.snapshot_storage.load_snapshot(baseline_snapshot)
+        except (FileNotFoundError, ValueError):
+            raise ValueError(f"Snapshot '{baseline_snapshot}' not found")
+
+        # Validate account ID matches
+        snapshot_account = snapshot.account_id
+        if snapshot_account != account_id:
+            raise ValueError(
+                f"Account ID mismatch: snapshot has {snapshot_account}, " f"current credentials have {account_id}"
+            )
+
+        # Collect current resources
+        current_resources = self._collect_current_resources(account_id, regions)
+
+        # Create a temporary snapshot for current state
+        from src.models.snapshot import Snapshot
+
+        current_snapshot = Snapshot(
+            name="current",
+            created_at=datetime.utcnow(),
+            account_id=account_id,
+            regions=regions or snapshot.regions,
+            resources=[self._dict_to_resource(r) for r in current_resources],
+            resource_count=len(current_resources),
+        )
+
+        # Calculate delta (new resources since baseline)
+        delta_calc = DeltaCalculator(reference_snapshot=snapshot, current_snapshot=current_snapshot)
+        delta_result = delta_calc.calculate()
+
+        # Get added resources (convert back to dict format for filtering)
+        new_resources = [self._resource_to_dict(r) for r in delta_result.added_resources]
+
+        # Apply filters
+        filtered_resources = self._apply_filters(
+            new_resources,
+            resource_types=resource_types,
+            regions=regions,
+        )
+
+        # Import at module level to avoid UnboundLocalError
+
+        # Execute deletions with protection checks
+        succeeded_count = 0
+        failed_count = 0
+        skipped_count = 0
+        deletion_records = []
+        operation_id = f"op_{uuid.uuid4()}"
+
+        for resource in filtered_resources:
+            record_id = f"rec_{uuid.uuid4()}"
+
+            # Check protection rules
+            is_protected, reason = self.safety_checker.is_protected(resource)
+
+            if is_protected:
+                skipped_count += 1
+                # Create deletion record for skipped resource
+                record = DeletionRecord(
+                    record_id=record_id,
+                    operation_id=operation_id,
+                    resource_id=resource.get("resource_id", ""),
+                    resource_arn=resource.get("arn", ""),
+                    resource_type=resource.get("resource_type", ""),
+                    region=resource.get("region", ""),
+                    status=DeletionStatus.SKIPPED,
+                    protection_reason=reason or "Protected by safety rules",
+                    timestamp=datetime.utcnow(),
+                )
+                deletion_records.append(record)
+                continue
+
+            # Attempt deletion
+            success = self._delete_resource(resource, aws_profile)
+
+            if success:
+                succeeded_count += 1
+                # Create successful deletion record
+                record = DeletionRecord(
+                    record_id=record_id,
+                    operation_id=operation_id,
+                    resource_id=resource.get("resource_id", ""),
+                    resource_arn=resource.get("arn", ""),
+                    resource_type=resource.get("resource_type", ""),
+                    region=resource.get("region", ""),
+                    status=DeletionStatus.SUCCEEDED,
+                    timestamp=datetime.utcnow(),
+                )
+            else:
+                failed_count += 1
+                # Create failed deletion record
+                record = DeletionRecord(
+                    record_id=record_id,
+                    operation_id=operation_id,
+                    resource_id=resource.get("resource_id", ""),
+                    resource_arn=resource.get("arn", ""),
+                    resource_type=resource.get("resource_type", ""),
+                    region=resource.get("region", ""),
+                    status=DeletionStatus.FAILED,
+                    error_code="DeletionFailed",
+                    error_message="Resource deletion failed",
+                    timestamp=datetime.utcnow(),
+                )
+            deletion_records.append(record)
+
+        # Determine final status
+        if failed_count > 0:
+            if succeeded_count > 0:
+                final_status = OperationStatus.PARTIAL
+            else:
+                final_status = OperationStatus.FAILED
+        else:
+            final_status = OperationStatus.COMPLETED
+
+        # Create operation (use same operation_id from records)
+        operation = DeletionOperation(
+            operation_id=operation_id,
+            baseline_snapshot=baseline_snapshot,
+            timestamp=datetime.utcnow(),
+            account_id=account_id,
+            mode=OperationMode.EXECUTE,
+            status=final_status,
+            total_resources=len(filtered_resources),
+            succeeded_count=succeeded_count,
+            failed_count=failed_count,
+            skipped_count=skipped_count,
+            aws_profile=aws_profile,
+            filters=self._build_filters_dict(resource_types, regions),
+        )
+
+        # Log operation to audit storage with deletion records
+        self.audit_storage.log_operation(operation, deletion_records)
+
+        return operation
+
+    def _delete_resource(self, resource: dict, aws_profile: Optional[str] = None) -> bool:
+        """Delete a single AWS resource.
+
+        Args:
+            resource: Resource dictionary with type, ARN, region
+            aws_profile: AWS profile name (optional)
+
+        Returns:
+            True if deletion succeeded, False otherwise
+        """
+        from src.restore.deleter import ResourceDeleter
+
+        deleter = ResourceDeleter(aws_profile=aws_profile)
+
+        resource_type = resource.get("resource_type", "")
+        resource_id = resource.get("resource_id", "")
+        region = resource.get("region", "")
+        arn = resource.get("arn", "")
+
+        success, error_message = deleter.delete_resource(
+            resource_type=resource_type,
+            resource_id=resource_id,
+            region=region,
+            arn=arn,
+        )
+
+        if not success:
+            logger.warning(f"Failed to delete {resource_type} {resource_id}: {error_message}")
+
+        return success
+
+    def _collect_current_resources(self, account_id: str, regions: Optional[list[str]] = None) -> list[dict]:
+        """Collect current resources from AWS account.
+
+        This is a placeholder that would normally call AWS APIs to collect
+        current resource state. For testing, this is mocked.
+
+        Args:
+            account_id: AWS account ID
+            regions: Regions to collect from (optional)
+
+        Returns:
+            List of current resources
+        """
+        # Placeholder - in real implementation, would use snapshot capturer
+        # or similar mechanism to collect current state
+        return []
+
+    def _apply_filters(
+        self,
+        resources: list[dict],
+        resource_types: Optional[list[str]] = None,
+        regions: Optional[list[str]] = None,
+    ) -> list[dict]:
+        """Apply filters to resource list.
+
+        Args:
+            resources: List of resources to filter
+            resource_types: Filter by resource types (optional)
+            regions: Filter by regions (optional)
+
+        Returns:
+            Filtered list of resources
+        """
+        filtered = resources
+
+        if resource_types:
+            filtered = [r for r in filtered if r.get("resource_type") in resource_types]
+
+        if regions:
+            filtered = [r for r in filtered if r.get("region") in regions]
+
+        return filtered
+
+    def _build_filters_dict(
+        self,
+        resource_types: Optional[list[str]] = None,
+        regions: Optional[list[str]] = None,
+    ) -> Optional[dict]:
+        """Build filters dictionary for operation metadata.
+
+        Args:
+            resource_types: Resource types filter
+            regions: Regions filter
+
+        Returns:
+            Filters dictionary or None if no filters
+        """
+        filters = {}
+
+        if resource_types:
+            filters["resource_types"] = resource_types
+
+        if regions:
+            filters["regions"] = regions
+
+        return filters if filters else None
+
+    def _resource_to_dict(self, resource: Any) -> dict:
+        """Convert Resource object to dictionary format.
+
+        Args:
+            resource: Resource object from snapshot
+
+        Returns:
+            Dictionary representation of resource
+        """
+        # Resource objects have these attributes
+        return {
+            "resource_id": resource.name,  # Resource uses 'name' field
+            "resource_type": resource.resource_type,
+            "region": resource.region,
+            "arn": resource.arn,
+            "tags": resource.tags,
+            "estimated_monthly_cost": getattr(resource, "estimated_monthly_cost", None),
+        }
+
+    def _dict_to_resource(self, resource_dict: dict) -> Any:
+        """Convert dictionary to Resource object.
+
+        Args:
+            resource_dict: Dictionary representation of resource
+
+        Returns:
+            Resource object
+        """
+        import hashlib
+
+        from src.models.resource import Resource
+
+        # Generate config hash from resource dict for comparison
+        config_str = f"{resource_dict.get('arn', '')}{resource_dict.get('resource_type', '')}"
+        config_hash = hashlib.sha256(config_str.encode()).hexdigest()
+
+        return Resource(
+            arn=resource_dict.get("arn", ""),
+            resource_type=resource_dict.get("resource_type", ""),
+            name=resource_dict.get("resource_id", ""),
+            region=resource_dict.get("region", ""),
+            config_hash=config_hash,
+            tags=resource_dict.get("tags", {}),
+        )