aws-inventory-manager 0.2.0__py3-none-any.whl

src/snapshot/filter.py

@@ -0,0 +1,245 @@
+"""Resource filtering for creating historical and tagged baselines."""
+
+import logging
+from datetime import datetime
+from typing import Dict, List, Optional
+
+from ..models.resource import Resource
+
+logger = logging.getLogger(__name__)
+
+
+class ResourceFilter:
+    """Filter resources by creation date and tags."""
+
+    def __init__(
+        self,
+        before_date: Optional[datetime] = None,
+        after_date: Optional[datetime] = None,
+        required_tags: Optional[Dict[str, str]] = None,
+        include_tags: Optional[Dict[str, str]] = None,
+        exclude_tags: Optional[Dict[str, str]] = None,
+    ):
+        """Initialize resource filter.
+
+        Args:
+            before_date: Include only resources created before this date (exclusive)
+            after_date: Include only resources created on or after this date (inclusive)
+            required_tags: DEPRECATED - use include_tags instead (kept for backward compatibility)
+            include_tags: Resources must have ALL these tags (AND logic)
+            exclude_tags: Resources must NOT have ANY of these tags (OR logic)
+        """
+        self.before_date = before_date
+        self.after_date = after_date
+        # Support both required_tags (deprecated) and include_tags (new)
+        self.include_tags = include_tags or required_tags or {}
+        self.exclude_tags = exclude_tags or {}
+        # Keep required_tags for backward compatibility
+        self.required_tags = self.include_tags
+
+        # Statistics
+        self.stats = {
+            "total_collected": 0,
+            "date_matched": 0,
+            "tag_matched": 0,
+            "final_count": 0,
+            "filtered_out_by_date": 0,
+            "filtered_out_by_tags": 0,
+            "filtered_out_by_exclude_tags": 0,
+            "missing_creation_date": 0,
+        }
+
+    def apply(self, resources: List[Resource]) -> List[Resource]:
+        """Apply filters to a list of resources.
+
+        Args:
+            resources: List of resources to filter
+
+        Returns:
+            Filtered list of resources
+        """
+        self.stats["total_collected"] = len(resources)
+        filtered = []
+
+        for resource in resources:
+            if self._matches_filters(resource):
+                filtered.append(resource)
+
+        self.stats["final_count"] = len(filtered)
+
+        logger.debug(
+            f"Filtering complete: {self.stats['total_collected']} collected, "
+            f"{self.stats['final_count']} matched filters"
+        )
+
+        return filtered
+
+    def _matches_filters(self, resource: Resource) -> bool:
+        """Check if a resource matches all filters.
+
+        Args:
+            resource: Resource to check
+
+        Returns:
+            True if resource matches all filters
+        """
+        # Check date filters
+        if not self._matches_date_filter(resource):
+            self.stats["filtered_out_by_date"] += 1
+            return False
+
+        self.stats["date_matched"] += 1
+
+        # Check exclude tags first (if resource has any excluded tags, reject immediately)
+        if not self._matches_exclude_filter(resource):
+            self.stats["filtered_out_by_exclude_tags"] += 1
+            return False
+
+        # Check include tag filters
+        if not self._matches_tag_filter(resource):
+            self.stats["filtered_out_by_tags"] += 1
+            return False
+
+        self.stats["tag_matched"] += 1
+
+        return True
+
+    def _matches_date_filter(self, resource: Resource) -> bool:
+        """Check if resource matches date filters.
+
+        Args:
+            resource: Resource to check
+
+        Returns:
+            True if resource matches date filters (or no date filters specified)
+        """
+        # If no date filters, everything matches
+        if not self.before_date and not self.after_date:
+            return True
+
+        # If resource has no creation date, we can't filter by date
+        if not resource.created_at:
+            self.stats["missing_creation_date"] += 1
+            # For resources without creation dates, include them if we're being permissive
+            # This is a design choice - could also exclude them
+            logger.debug(f"Resource {resource.arn} has no creation date - including by default")
+            return True
+
+        # Make sure resource.created_at is timezone-aware for comparison
+        resource_date = resource.created_at
+        if resource_date.tzinfo is None:
+            # Assume UTC if no timezone
+            from datetime import timezone as tz
+
+            resource_date = resource_date.replace(tzinfo=tz.utc)
+
+        # Check before_date filter (exclusive)
+        if self.before_date:
+            # Make sure before_date is timezone-aware
+            before_date_aware = self.before_date
+            if before_date_aware.tzinfo is None:
+                from datetime import timezone as tz
+
+                before_date_aware = before_date_aware.replace(tzinfo=tz.utc)
+
+            if resource_date >= before_date_aware:
+                logger.debug(f"Resource {resource.name} created {resource_date} " f"is not before {before_date_aware}")
+                return False
+
+        # Check after_date filter (inclusive)
+        if self.after_date:
+            # Make sure after_date is timezone-aware
+            after_date_aware = self.after_date
+            if after_date_aware.tzinfo is None:
+                from datetime import timezone as tz
+
+                after_date_aware = after_date_aware.replace(tzinfo=tz.utc)
+
+            if resource_date < after_date_aware:
+                logger.debug(f"Resource {resource.name} created {resource_date} " f"is before {after_date_aware}")
+                return False
+
+        return True
+
+    def _matches_tag_filter(self, resource: Resource) -> bool:
+        """Check if resource has all include tags (AND logic).
+
+        Args:
+            resource: Resource to check
+
+        Returns:
+            True if resource has all include tags (or no tag filters specified)
+        """
+        # If no include tag filters, everything matches
+        if not self.include_tags:
+            return True
+
+        # Check if resource has ALL include tags with matching values (AND logic)
+        for key, value in self.include_tags.items():
+            if key not in resource.tags:
+                logger.debug(f"Resource {resource.name} missing include tag: {key}")
+                return False
+
+            if resource.tags[key] != value:
+                logger.debug(
+                    f"Resource {resource.name} tag {key}={resource.tags[key]} " f"does not match required value {value}"
+                )
+                return False
+
+        return True
+
+    def _matches_exclude_filter(self, resource: Resource) -> bool:
+        """Check if resource has any exclude tags (OR logic).
+
+        Args:
+            resource: Resource to check
+
+        Returns:
+            True if resource does NOT have any exclude tags (or no exclude filters specified)
+        """
+        # If no exclude tag filters, everything matches
+        if not self.exclude_tags:
+            return True
+
+        # Check if resource has ANY of the exclude tags (OR logic)
+        for key, value in self.exclude_tags.items():
+            if key in resource.tags and resource.tags[key] == value:
+                logger.debug(f"Resource {resource.name} has exclude tag {key}={value}")
+                return False
+
+        return True
+
+    def get_filter_summary(self) -> str:
+        """Get a human-readable summary of applied filters.
+
+        Returns:
+            Formatted string describing the filters
+        """
+        parts = []
+
+        if self.before_date:
+            parts.append(f"created before {self.before_date.strftime('%Y-%m-%d')}")
+
+        if self.after_date:
+            parts.append(f"created on/after {self.after_date.strftime('%Y-%m-%d')}")
+
+        if self.include_tags:
+            tag_strs = [f"{k}={v}" for k, v in self.include_tags.items()]
+            parts.append(f"include tags: {', '.join(tag_strs)}")
+
+        if self.exclude_tags:
+            tag_strs = [f"{k}={v}" for k, v in self.exclude_tags.items()]
+            parts.append(f"exclude tags: {', '.join(tag_strs)}")
+
+        if not parts:
+            return "No filters applied"
+
+        return "Filters: " + " AND ".join(parts)
+
+    def get_statistics_summary(self) -> Dict[str, int]:
+        """Get filtering statistics.
+
+        Returns:
+            Dictionary of filtering statistics
+        """
+        return self.stats.copy()

src/snapshot/inventory_storage.py

@@ -0,0 +1,264 @@
+"""Storage service for inventory management."""
+
+import logging
+import os
+from pathlib import Path
+from typing import List, Optional, Union
+
+import yaml
+
+from ..models.inventory import Inventory
+from ..utils.paths import get_snapshot_storage_path
+
+logger = logging.getLogger(__name__)
+
+
+class InventoryNotFoundError(Exception):
+    """Raised when an inventory cannot be found."""
+
+    pass
+
+
+class InventoryStorage:
+    """Manage inventory storage and retrieval.
+
+    Handles CRUD operations for inventories stored in inventories.yaml file.
+    Uses atomic writes (temp file + rename) for crash safety.
+    """
+
+    def __init__(self, storage_dir: Optional[Union[str, Path]] = None):
+        """Initialize inventory storage.
+
+        Args:
+            storage_dir: Directory containing inventories.yaml (default: ~/.snapshots via get_snapshot_storage_path())
+        """
+        self.storage_dir = get_snapshot_storage_path(storage_dir)
+        self.inventory_file = self.storage_dir / "inventories.yaml"
+
+        # Ensure storage directory exists
+        self.storage_dir.mkdir(parents=True, exist_ok=True)
+
+    def load_all(self) -> List[Inventory]:
+        """Load all inventories from inventories.yaml.
+
+        Returns:
+            List of all inventories (empty list if file doesn't exist)
+        """
+        if not self.inventory_file.exists():
+            logger.debug("No inventories.yaml file found, returning empty list")
+            return []
+
+        try:
+            with open(self.inventory_file, "r") as f:
+                data = yaml.safe_load(f)
+
+            if not data or "inventories" not in data:
+                logger.debug("Empty or invalid inventories.yaml, returning empty list")
+                return []
+
+            inventories = [Inventory.from_dict(inv_data) for inv_data in data["inventories"]]
+            logger.debug(f"Loaded {len(inventories)} inventories from storage")
+            return inventories
+
+        except yaml.YAMLError as e:
+            logger.error(f"Failed to parse inventories.yaml: {e}")
+            raise ValueError(f"Corrupted inventories file: {e}")
+        except Exception as e:
+            logger.error(f"Failed to load inventories: {e}")
+            raise
+
+    def load_by_account(self, account_id: str) -> List[Inventory]:
+        """Load inventories for specific account.
+
+        Args:
+            account_id: AWS account ID (12 digits)
+
+        Returns:
+            List of inventories for the account
+        """
+        all_inventories = self.load_all()
+        account_inventories = [inv for inv in all_inventories if inv.account_id == account_id]
+        logger.debug(f"Found {len(account_inventories)} inventories for account {account_id}")
+        return account_inventories
+
+    def get_by_name(self, name: str, account_id: str) -> Inventory:
+        """Get specific inventory by name and account.
+
+        Args:
+            name: Inventory name
+            account_id: AWS account ID
+
+        Returns:
+            Inventory instance
+
+        Raises:
+            InventoryNotFoundError: If inventory not found
+        """
+        account_inventories = self.load_by_account(account_id)
+
+        for inventory in account_inventories:
+            if inventory.name == name:
+                logger.debug(f"Found inventory '{name}' for account {account_id}")
+                return inventory
+
+        raise InventoryNotFoundError(f"Inventory '{name}' not found for account {account_id}")
+
+    def get_or_create_default(self, account_id: str) -> Inventory:
+        """Get default inventory, creating if it doesn't exist.
+
+        Args:
+            account_id: AWS account ID
+
+        Returns:
+            Default inventory instance
+        """
+        try:
+            return self.get_by_name("default", account_id)
+        except InventoryNotFoundError:
+            # Auto-create default inventory
+            from datetime import datetime, timezone
+
+            default = Inventory(
+                name="default",
+                account_id=account_id,
+                description="Auto-created default inventory",
+                include_tags={},
+                exclude_tags={},
+                snapshots=[],
+                active_snapshot=None,
+                created_at=datetime.now(timezone.utc),
+                last_updated=datetime.now(timezone.utc),
+            )
+            self.save(default)
+            logger.info(f"Created default inventory for account {account_id}")
+            return default
+
+    def save(self, inventory: Inventory) -> None:
+        """Save/update single inventory using atomic write.
+
+        Args:
+            inventory: Inventory to save
+
+        Raises:
+            ValueError: If inventory validation fails
+        """
+        # Validate inventory before saving
+        errors = inventory.validate()
+        if errors:
+            raise ValueError(f"Invalid inventory: {', '.join(errors)}")
+
+        # Load all inventories
+        all_inventories = self.load_all()
+
+        # Find and update existing, or append new
+        updated = False
+        for i, existing in enumerate(all_inventories):
+            if existing.name == inventory.name and existing.account_id == inventory.account_id:
+                all_inventories[i] = inventory
+                updated = True
+                logger.debug(f"Updated inventory '{inventory.name}' for account {inventory.account_id}")
+                break
+
+        if not updated:
+            all_inventories.append(inventory)
+            logger.debug(f"Added new inventory '{inventory.name}' for account {inventory.account_id}")
+
+        # Write atomically
+        self._atomic_write(all_inventories)
+
+    def delete(self, name: str, account_id: str, delete_snapshots: bool = False) -> int:
+        """Delete inventory, optionally deleting its snapshot files.
+
+        Args:
+            name: Inventory name
+            account_id: AWS account ID
+            delete_snapshots: Whether to delete snapshot files
+
+        Returns:
+            Number of snapshot files deleted (0 if delete_snapshots=False)
+
+        Raises:
+            InventoryNotFoundError: If inventory not found
+        """
+        # Load inventory to get snapshot list
+        inventory = self.get_by_name(name, account_id)
+
+        # Delete snapshot files if requested
+        deleted_count = 0
+        if delete_snapshots:
+            snapshots_dir = self.storage_dir / "snapshots"
+            for snapshot_file in inventory.snapshots:
+                snapshot_path = snapshots_dir / snapshot_file
+                try:
+                    if snapshot_path.exists():
+                        snapshot_path.unlink()
+                        deleted_count += 1
+                        logger.debug(f"Deleted snapshot file: {snapshot_file}")
+                except Exception as e:
+                    logger.warning(f"Failed to delete snapshot file {snapshot_file}: {e}")
+
+        # Remove inventory from list
+        all_inventories = self.load_all()
+        all_inventories = [inv for inv in all_inventories if not (inv.name == name and inv.account_id == account_id)]
+
+        # Write atomically
+        self._atomic_write(all_inventories)
+        logger.info(f"Deleted inventory '{name}' for account {account_id}")
+
+        return deleted_count
+
+    def exists(self, name: str, account_id: str) -> bool:
+        """Check if inventory exists.
+
+        Args:
+            name: Inventory name
+            account_id: AWS account ID
+
+        Returns:
+            True if inventory exists, False otherwise
+        """
+        try:
+            self.get_by_name(name, account_id)
+            return True
+        except InventoryNotFoundError:
+            return False
+
+    def validate_unique(self, name: str, account_id: str) -> bool:
+        """Validate that (name, account_id) combination is unique.
+
+        Args:
+            name: Inventory name
+            account_id: AWS account ID
+
+        Returns:
+            True if unique, False if already exists
+        """
+        return not self.exists(name, account_id)
+
+    def _atomic_write(self, inventories: List[Inventory]) -> None:
+        """Write inventories using atomic rename pattern.
+
+        This ensures crash safety - either the full write succeeds or it doesn't.
+        Uses temp file + os.replace() which is atomic on all platforms.
+
+        Args:
+            inventories: List of all inventories to write
+        """
+        # Prepare data structure
+        data = {"inventories": [inv.to_dict() for inv in inventories]}
+
+        # Write to temp file
+        temp_path = self.inventory_file.with_suffix(".tmp")
+        try:
+            with open(temp_path, "w") as f:
+                yaml.safe_dump(data, f, default_flow_style=False, sort_keys=False)
+
+            # Atomic rename (replaces existing file)
+            os.replace(temp_path, self.inventory_file)
+            logger.debug(f"Wrote {len(inventories)} inventories to storage")
+
+        except Exception:
+            # Clean up temp file on error
+            if temp_path.exists():
+                temp_path.unlink()
+            raise

src/snapshot/resource_collectors/__init__.py

@@ -0,0 +1,5 @@
+"""Resource collectors for AWS services."""
+
+from typing import List
+
+__all__: List[str] = []

src/snapshot/resource_collectors/apigateway.py

@@ -0,0 +1,140 @@
+"""API Gateway resource collector."""
+
+from typing import List
+
+from ...models.resource import Resource
+from ...utils.hash import compute_config_hash
+from .base import BaseResourceCollector
+
+
+class APIGatewayCollector(BaseResourceCollector):
+    """Collector for AWS API Gateway resources (REST, HTTP, WebSocket APIs)."""
+
+    @property
+    def service_name(self) -> str:
+        return "apigateway"
+
+    def collect(self) -> List[Resource]:
+        """Collect API Gateway resources.
+
+        Collects:
+        - REST APIs (v1)
+        - HTTP APIs (v2)
+        - WebSocket APIs (v2)
+
+        Returns:
+            List of API Gateway APIs
+        """
+        resources = []
+
+        # Collect REST APIs (v1)
+        resources.extend(self._collect_rest_apis())
+
+        # Collect HTTP and WebSocket APIs (v2)
+        resources.extend(self._collect_v2_apis())
+
+        self.logger.debug(f"Collected {len(resources)} API Gateway APIs in {self.region}")
+        return resources
+
+    def _collect_rest_apis(self) -> List[Resource]:
+        """Collect REST APIs (API Gateway v1).
+
+        Returns:
+            List of REST API resources
+        """
+        resources = []
+        client = self._create_client()
+
+        try:
+            paginator = client.get_paginator("get_rest_apis")
+            for page in paginator.paginate():
+                for api in page.get("items", []):
+                    api_id = api["id"]
+                    api_name = api["name"]
+
+                    # Get tags
+                    tags = {}
+                    try:
+                        tag_response = client.get_tags(
+                            resourceArn=f"arn:aws:apigateway:{self.region}::/restapis/{api_id}"
+                        )
+                        tags = tag_response.get("tags", {})
+                    except Exception as e:
+                        self.logger.debug(f"Could not get tags for REST API {api_id}: {e}")
+
+                    # Build ARN
+                    arn = f"arn:aws:apigateway:{self.region}::/restapis/{api_id}"
+
+                    # Extract creation date
+                    created_at = api.get("createdDate")
+
+                    # Create resource
+                    resource = Resource(
+                        arn=arn,
+                        resource_type="AWS::ApiGateway::RestApi",
+                        name=api_name,
+                        region=self.region,
+                        tags=tags,
+                        config_hash=compute_config_hash(api),
+                        created_at=created_at,
+                        raw_config=api,
+                    )
+                    resources.append(resource)
+
+        except Exception as e:
+            self.logger.error(f"Error collecting REST APIs in {self.region}: {e}")
+
+        return resources
+
+    def _collect_v2_apis(self) -> List[Resource]:
+        """Collect HTTP and WebSocket APIs (API Gateway v2).
+
+        Returns:
+            List of v2 API resources
+        """
+        resources = []
+
+        try:
+            client = self._create_client("apigatewayv2")
+
+            paginator = client.get_paginator("get_apis")
+            for page in paginator.paginate():
+                for api in page.get("Items", []):
+                    api_id = api["ApiId"]
+                    api_name = api["Name"]
+                    protocol_type = api["ProtocolType"]  # HTTP or WEBSOCKET
+
+                    # Get tags
+                    tags = api.get("Tags", {})
+
+                    # Build ARN
+                    arn = f"arn:aws:apigateway:{self.region}::/apis/{api_id}"
+
+                    # Extract creation date
+                    created_at = api.get("CreatedDate")
+
+                    # Determine resource type based on protocol
+                    if protocol_type == "HTTP":
+                        resource_type = "AWS::ApiGatewayV2::Api::HTTP"
+                    elif protocol_type == "WEBSOCKET":
+                        resource_type = "AWS::ApiGatewayV2::Api::WebSocket"
+                    else:
+                        resource_type = f"AWS::ApiGatewayV2::Api::{protocol_type}"
+
+                    # Create resource
+                    resource = Resource(
+                        arn=arn,
+                        resource_type=resource_type,
+                        name=api_name,
+                        region=self.region,
+                        tags=tags,
+                        config_hash=compute_config_hash(api),
+                        created_at=created_at,
+                        raw_config=api,
+                    )
+                    resources.append(resource)
+
+        except Exception as e:
+            self.logger.error(f"Error collecting API Gateway v2 APIs in {self.region}: {e}")
+
+        return resources