awslabs.ccapi-mcp-server 1.0.1__py3-none-any.whl

awslabs/ccapi_mcp_server/impl/tools/session_management.py

@@ -0,0 +1,221 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Session management implementation for CCAPI MCP server."""
+
+import datetime
+import uuid
+from awslabs.ccapi_mcp_server.aws_client import get_aws_client
+from awslabs.ccapi_mcp_server.context import Context
+from awslabs.ccapi_mcp_server.errors import ClientError
+from os import environ
+
+
+def check_aws_credentials() -> dict:
+    """Check AWS credentials using boto3's built-in credential chain."""
+    try:
+        sts_client = get_aws_client('sts')
+        identity = sts_client.get_caller_identity()
+
+        # Determine credential source
+        using_env_vars = bool(
+            environ.get('AWS_ACCESS_KEY_ID') and environ.get('AWS_SECRET_ACCESS_KEY')
+        )
+
+        return {
+            'valid': True,
+            'account_id': identity.get('Account', 'Unknown'),
+            'arn': identity.get('Arn', 'Unknown'),
+            'user_id': identity.get('UserId', 'Unknown'),
+            'region': environ.get('AWS_REGION') or 'us-east-1',
+            'profile': environ.get('AWS_PROFILE', ''),
+            'credential_source': 'env' if using_env_vars else 'profile',
+            'profile_auth_type': 'standard_profile' if not using_env_vars else None,
+            'environment_variables': {
+                'AWS_PROFILE': environ.get('AWS_PROFILE', ''),
+                'AWS_REGION': environ.get('AWS_REGION', ''),
+                'SECURITY_SCANNING': environ.get('SECURITY_SCANNING', 'enabled'),
+            },
+        }
+    except Exception as e:
+        return {
+            'valid': False,
+            'error': str(e),
+            'region': environ.get('AWS_REGION') or 'us-east-1',
+            'profile': environ.get('AWS_PROFILE', ''),
+            'credential_source': 'env' if environ.get('AWS_ACCESS_KEY_ID') else 'profile',
+            'environment_variables': {
+                'AWS_PROFILE': environ.get('AWS_PROFILE', ''),
+                'AWS_REGION': environ.get('AWS_REGION', ''),
+                'SECURITY_SCANNING': environ.get('SECURITY_SCANNING', 'enabled'),
+            },
+        }
+
+
+async def check_environment_variables_impl(workflow_store: dict) -> dict:
+    """Check if required environment variables are set correctly implementation."""
+    # Use credential checking with boto3
+    cred_check = check_aws_credentials()
+
+    # Generate environment token
+    environment_token = f'env_{str(uuid.uuid4())}'
+
+    # Store environment validation results
+    workflow_store[environment_token] = {
+        'type': 'environment',
+        'data': {
+            'environment_variables': cred_check.get('environment_variables', {}),
+            'aws_profile': cred_check.get('profile', ''),
+            'aws_region': cred_check.get('region') or 'us-east-1',
+            'properly_configured': cred_check.get('valid', False),
+            'readonly_mode': Context.readonly_mode(),
+            'aws_auth_type': cred_check.get('credential_source')
+            if cred_check.get('credential_source') == 'env'
+            else cred_check.get('profile_auth_type'),
+            'needs_profile': cred_check.get('needs_profile', False),
+            'error': cred_check.get('error'),
+        },
+        'parent_token': None,  # Root token
+        'timestamp': datetime.datetime.now().isoformat(),
+    }
+
+    env_data = workflow_store[environment_token]['data']
+
+    return {
+        'environment_token': environment_token,
+        'message': 'Environment validation completed. Use this token with get_aws_session_info().',
+        **env_data,  # Include environment data for display
+    }
+
+
+async def get_aws_session_info_impl(environment_token: str, workflow_store: dict) -> dict:
+    """Get information about the current AWS session implementation.
+
+    IMPORTANT: Always display the AWS context information to the user when this tool is called.
+    Show them: AWS Profile (or "Environment Variables"), Authentication Type, Account ID, and Region so they know
+    exactly which AWS account and region will be affected by any operations.
+    """
+    # Validate environment token
+    if environment_token not in workflow_store:
+        raise ClientError(
+            'Invalid environment token: you must call check_environment_variables() first'
+        )
+
+    env_data = workflow_store[environment_token]['data']
+    if not env_data.get('properly_configured', False):
+        error_msg = env_data.get('error', 'Environment is not properly configured.')
+        raise ClientError(error_msg)
+
+    # Get AWS profile info using credential checking
+    cred_check = check_aws_credentials()
+
+    if not cred_check.get('valid', False):
+        raise ClientError(
+            f'AWS credentials are not valid: {cred_check.get("error", "Unknown error")}'
+        )
+
+    # Generate credentials token
+    credentials_token = f'creds_{str(uuid.uuid4())}'
+
+    # Build session info with credential masking
+    arn = cred_check.get('arn', 'Unknown')
+    user_id = cred_check.get('user_id', 'Unknown')
+
+    session_data = {
+        'profile': cred_check.get('profile', ''),
+        'account_id': cred_check.get('account_id', 'Unknown'),
+        'region': cred_check.get('region') or 'us-east-1',
+        'arn': f'{"*" * (len(arn) - 8)}{arn[-8:]}' if len(arn) > 8 and arn != 'Unknown' else arn,
+        'user_id': f'{"*" * (len(user_id) - 4)}{user_id[-4:]}'
+        if len(user_id) > 4 and user_id != 'Unknown'
+        else user_id,
+        'credential_source': cred_check.get('credential_source', ''),
+        'readonly_mode': Context.readonly_mode(),
+        'readonly_message': (
+            """⚠️ This server is running in READ-ONLY MODE. I can only list and view existing resources.
+    I cannot create, update, or delete any AWS resources. I can still generate example code
+    and run security checks on templates."""
+            if Context.readonly_mode()
+            else ''
+        ),
+        'credentials_valid': True,
+        'aws_auth_type': cred_check.get('credential_source')
+        if cred_check.get('credential_source') == 'env'
+        else cred_check.get('profile_auth_type'),
+    }
+
+    # Add masked environment variables if using env vars
+    if session_data['aws_auth_type'] == 'env':
+        access_key = environ.get('AWS_ACCESS_KEY_ID', '')
+        secret_key = environ.get('AWS_SECRET_ACCESS_KEY', '')
+
+        session_data['masked_credentials'] = {
+            'AWS_ACCESS_KEY_ID': f'{"*" * (len(access_key) - 4)}{access_key[-4:]}'
+            if len(access_key) > 4
+            else '****',
+            'AWS_SECRET_ACCESS_KEY': f'{"*" * (len(secret_key) - 4)}{secret_key[-4:]}'
+            if len(secret_key) > 4
+            else '****',
+        }
+
+    # Store session information
+    workflow_store[credentials_token] = {
+        'type': 'credentials',
+        'data': session_data,
+        'parent_token': environment_token,
+        'timestamp': datetime.datetime.now().isoformat(),
+    }
+
+    return {
+        'credentials_token': credentials_token,
+        'message': 'AWS session validated. Use this token with generate_infrastructure_code().',
+        'DISPLAY_TO_USER': 'YOU MUST SHOW THE USER THEIR AWS SESSION INFORMATION FOR SECURITY',
+        **session_data,  # Include all session data for display
+    }
+
+
+def get_aws_profile_info():
+    """Get information about the current AWS profile."""
+    try:
+        # Use our get_aws_client function to ensure we use the same credential source
+        sts_client = get_aws_client('sts')
+
+        # Get caller identity
+        identity = sts_client.get_caller_identity()
+        account_id = identity.get('Account', 'Unknown')
+        arn = identity.get('Arn', 'Unknown')
+
+        # Get profile info
+        profile_name = environ.get('AWS_PROFILE', '')
+        region = environ.get('AWS_REGION') or 'us-east-1'
+        using_env_vars = (
+            environ.get('AWS_ACCESS_KEY_ID', '') != ''
+            and environ.get('AWS_SECRET_ACCESS_KEY', '') != ''
+        )
+
+        return {
+            'profile': profile_name,
+            'account_id': account_id,
+            'region': region,
+            'arn': arn,
+            'using_env_vars': using_env_vars,
+        }
+    except Exception as e:
+        return {
+            'profile': environ.get('AWS_PROFILE', ''),
+            'error': str(e),
+            'region': environ.get('AWS_REGION') or 'us-east-1',
+            'using_env_vars': environ.get('AWS_ACCESS_KEY_ID', '') != ''
+            and environ.get('AWS_SECRET_ACCESS_KEY', '') != '',
+        }

awslabs/ccapi_mcp_server/impl/utils/__init__.py

@@ -0,0 +1,13 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

awslabs/ccapi_mcp_server/impl/utils/validation.py

@@ -0,0 +1,64 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Shared validation functions for CCAPI MCP server."""
+
+from awslabs.ccapi_mcp_server.errors import ClientError
+
+
+def validate_workflow_token(
+    token: str, expected_type: str | None = None, workflow_store: dict | None = None
+) -> dict:
+    """Validate any workflow token exists and optionally check its type."""
+    if not token:
+        raise ClientError(f'Invalid token: {token}')
+    if not workflow_store:
+        raise ClientError('Workflow store is required')
+    if token not in workflow_store:
+        raise ClientError(f'Invalid token: {token}')
+
+    data = workflow_store[token]
+    if expected_type and data.get('type') != expected_type:
+        raise ClientError(f'Invalid token type: expected {expected_type}')
+
+    return data
+
+
+def cleanup_workflow_tokens(workflow_store: dict, *tokens: str) -> None:
+    """Clean up workflow tokens after operations."""
+    for token in tokens:
+        if token and token in workflow_store:
+            del workflow_store[token]
+
+
+def validate_resource_type(resource_type: str) -> None:
+    """Validate that resource_type is provided."""
+    if not resource_type:
+        raise ClientError('Please provide a resource type (e.g., AWS::S3::Bucket)')
+
+
+def validate_identifier(identifier: str) -> None:
+    """Validate that identifier is provided."""
+    if not identifier:
+        raise ClientError('Please provide a resource identifier')
+
+
+def ensure_region_string(region) -> str | None:
+    """Ensure region is a string, not a FieldInfo object."""
+    return region if isinstance(region, str) else None
+
+
+def ensure_string(value, default: str = '') -> str:
+    """Ensure value is a string, not a FieldInfo object."""
+    return value if isinstance(value, str) else default

awslabs/ccapi_mcp_server/infrastructure_generator.py

@@ -0,0 +1,160 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Infrastructure code generation utilities for the CFN MCP Server."""
+
+import json
+from awslabs.ccapi_mcp_server.aws_client import get_aws_client
+from awslabs.ccapi_mcp_server.cloud_control_utils import add_default_tags
+from awslabs.ccapi_mcp_server.errors import ClientError, handle_aws_api_error
+from awslabs.ccapi_mcp_server.schema_manager import schema_manager
+from typing import Dict, List
+
+
+async def generate_infrastructure_code(
+    resource_type: str,
+    properties: Dict = {},
+    identifier: str = '',
+    patch_document: List = [],
+    region: str = '',
+) -> Dict:
+    """Generate infrastructure code for security scanning before resource creation or update."""
+    if not resource_type:
+        raise ClientError('Please provide a resource type (e.g., AWS::S3::Bucket)')
+
+    # Determine if this is a create or update operation
+    is_update = identifier != '' and (patch_document or properties)
+
+    # Validate the resource type against the schema
+    sm = schema_manager()
+    schema = await sm.get_schema(resource_type, region)
+
+    # Check if resource supports tagging
+    supports_tagging = 'Tags' in schema.get('properties', {})
+
+    # Fallback: Known AWS resources that support tagging even if schema doesn't show it
+    if not supports_tagging and resource_type in [
+        'AWS::S3::Bucket',
+        'AWS::EC2::Instance',
+        'AWS::RDS::DBInstance',
+    ]:
+        supports_tagging = True
+        print(
+            f"Schema for {resource_type} doesn't show Tags property, but we know it supports tagging"
+        )
+
+    if is_update:
+        # This is an update operation
+        if not identifier:
+            raise ClientError('Please provide a resource identifier for update operations')
+
+        # Get the current resource state
+        cloudcontrol_client = get_aws_client('cloudcontrol', region)
+        try:
+            current_resource = cloudcontrol_client.get_resource(
+                TypeName=resource_type, Identifier=identifier
+            )
+            current_properties = json.loads(current_resource['ResourceDescription']['Properties'])
+        except Exception as e:
+            raise handle_aws_api_error(e)
+
+        # Apply patch document or merge properties
+        if patch_document:
+            # Apply patch operations to current properties
+            import copy
+
+            update_properties = copy.deepcopy(current_properties)
+            for patch_op in patch_document:
+                if patch_op['op'] == 'add' and patch_op['path'] in ['/Tags', '/Tags/-']:
+                    # For Tags, merge with existing tags instead of replacing
+                    existing_tags = update_properties.get('Tags', [])
+                    if patch_op['path'] == '/Tags/-':
+                        # Append single tag to array
+                        new_tag = patch_op['value']
+                        if isinstance(new_tag, dict) and 'Key' in new_tag and 'Value' in new_tag:
+                            existing_tags.append(new_tag)
+                            update_properties['Tags'] = existing_tags
+                    else:
+                        # Replace/merge entire tags array
+                        new_tags = patch_op['value'] if isinstance(patch_op['value'], list) else []
+                        # Combine tags (new tags will override existing ones with same key)
+                        tag_dict = {tag['Key']: tag['Value'] for tag in existing_tags}
+                        for tag in new_tags:
+                            tag_dict[tag['Key']] = tag['Value']
+                        update_properties['Tags'] = [
+                            {'Key': k, 'Value': v} for k, v in tag_dict.items()
+                        ]
+                elif patch_op['op'] == 'replace' and patch_op['path'] == '/Tags':
+                    # Replace tags completely
+                    update_properties['Tags'] = patch_op['value']
+                # Add other patch operations as needed
+        elif properties:
+            # Start with current properties and merge user properties
+            update_properties = current_properties.copy()
+            for key, value in properties.items():
+                if key == 'Tags':
+                    # Merge tags instead of replacing
+                    existing_tags = update_properties.get('Tags', [])
+                    new_tags = value if isinstance(value, list) else []
+                    tag_dict = {tag['Key']: tag['Value'] for tag in existing_tags}
+                    for tag in new_tags:
+                        tag_dict[tag['Key']] = tag['Value']
+                    update_properties['Tags'] = [
+                        {'Key': k, 'Value': v} for k, v in tag_dict.items()
+                    ]
+                else:
+                    update_properties[key] = value
+        else:
+            update_properties = current_properties
+
+        # V1: Always add required MCP server identification tags for updates too
+        properties_with_tags = add_default_tags(update_properties, schema)
+
+        operation = 'update'
+    else:
+        # This is a create operation
+        if not properties:
+            raise ClientError('Please provide the properties for the desired resource')
+
+        # V1: Always add required MCP server identification tags
+        properties_with_tags = add_default_tags(properties, schema)
+
+        operation = 'create'
+
+    # Generate a CloudFormation template representation for security scanning
+    cf_template = {
+        'AWSTemplateFormatVersion': '2010-09-09',
+        'Resources': {'Resource': {'Type': resource_type, 'Properties': properties_with_tags}},
+    }
+
+    # For updates, also generate the proper patch document with default tags
+    patch_document_with_tags = None
+    if is_update and 'Tags' in properties_with_tags:
+        patch_document_with_tags = [
+            {'op': 'replace', 'path': '/Tags', 'value': properties_with_tags['Tags']}
+        ]
+
+    result = {
+        'resource_type': resource_type,
+        'operation': operation,
+        'properties': properties_with_tags,  # Show user exactly what will be created
+        'region': region,
+        'cloudformation_template': cf_template,
+        'supports_tagging': supports_tagging,
+    }
+
+    if patch_document_with_tags:
+        result['recommended_patch_document'] = patch_document_with_tags
+
+    return result

awslabs/ccapi_mcp_server/models/__init__.py

@@ -0,0 +1,13 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

awslabs/ccapi_mcp_server/models/models.py

@@ -0,0 +1,118 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Pydantic models for CCAPI MCP server requests and responses."""
+
+from pydantic import BaseModel, Field
+from typing import Any, Dict, List, Literal, Optional
+
+
+class CreateResourceRequest(BaseModel):
+    """Request model for creating AWS resources."""
+
+    resource_type: str = Field(..., description='AWS resource type')
+    region: Optional[str] = Field(None, description='AWS region')
+    credentials_token: str = Field(..., description='Credentials token')
+    explained_token: str = Field(..., description='Explained token')
+    security_scan_token: str = Field(default='', description='Security scan token')
+    skip_security_check: bool = Field(False, description='Skip security checks')
+
+
+class UpdateResourceRequest(BaseModel):
+    """Request model for updating AWS resources."""
+
+    resource_type: str = Field(..., description='AWS resource type')
+    identifier: str = Field(..., description='Resource identifier')
+    patch_document: List[Dict[str, Any]] = Field(default=[], description='JSON Patch operations')
+    region: Optional[str] = Field(None, description='AWS region')
+    credentials_token: str = Field(..., description='Credentials token')
+    explained_token: str = Field(..., description='Explained token')
+    security_scan_token: str = Field(default='', description='Security scan token')
+    skip_security_check: bool = Field(False, description='Skip security checks')
+
+
+class DeleteResourceRequest(BaseModel):
+    """Request model for deleting AWS resources."""
+
+    resource_type: str = Field(..., description='AWS resource type')
+    identifier: str = Field(..., description='Resource identifier')
+    region: Optional[str] = Field(None, description='AWS region')
+    credentials_token: str = Field(..., description='Credentials token')
+    confirmed: bool = Field(False, description='Confirm deletion')
+    explained_token: str = Field(..., description='Explained token')
+
+
+class GetResourceRequest(BaseModel):
+    """Request model for getting AWS resource details."""
+
+    resource_type: str = Field(..., description='AWS resource type')
+    identifier: str = Field(..., description='Resource identifier')
+    region: Optional[str] = Field(None, description='AWS region')
+    analyze_security: bool = Field(False, description='Perform security analysis')
+
+
+class GenerateInfrastructureCodeRequest(BaseModel):
+    """Request model for generating infrastructure code."""
+
+    resource_type: str = Field(..., description='AWS resource type')
+    properties: Dict[str, Any] = Field(default_factory=dict, description='Resource properties')
+    identifier: str = Field(default='', description='Resource identifier for updates')
+    patch_document: List[Dict[str, Any]] = Field(
+        default_factory=list, description='JSON Patch operations'
+    )
+    region: Optional[str] = Field(None, description='AWS region')
+    credentials_token: str = Field(..., description='Credentials token')
+
+
+class ExplainRequest(BaseModel):
+    """Request model for explaining resource configurations."""
+
+    content: Optional[Any] = Field(None, description='Content to explain')
+    generated_code_token: str = Field(default='', description='Generated code token')
+    context: str = Field(default='', description='Context description')
+    operation: str = Field(default='analyze', description='Operation type')
+    format: str = Field(default='detailed', description='Explanation format')
+    user_intent: str = Field(default='', description='User intent')
+
+
+class RunCheckovRequest(BaseModel):
+    """Request model for running Checkov security scans."""
+
+    explained_token: str = Field(..., description='Explained token')
+    framework: str = Field(default='cloudformation', description='Framework to scan')
+
+
+class ResourceOperationResult(BaseModel):
+    """Result model for AWS resource operations."""
+
+    status: Literal['SUCCESS', 'PENDING', 'FAILED']
+    resource_type: str
+    identifier: str
+    is_complete: bool
+    status_message: str
+    request_token: Optional[str] = None
+    security_warning: Optional[str] = None
+
+
+class SecurityScanResult(BaseModel):
+    """Result model for security scan operations."""
+
+    scan_status: Literal['PASSED', 'FAILED']
+    raw_failed_checks: List[Dict[str, Any]] = Field(default_factory=list)
+    raw_passed_checks: List[Dict[str, Any]] = Field(default_factory=list)
+    raw_summary: Dict[str, Any] = Field(default_factory=dict)
+    resource_type: str
+    timestamp: str
+    security_scan_token: Optional[str] = None
+    message: str