PyPI - granny-devops - Versions diffs - 0.4.0__py3-none-any.whl - Mend

granny-devops 0.4.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

granny/__init__.py +19 -0
granny/analyze/__init__.py +6 -0
granny/analyze/lambdas.py +59 -0
granny/analyze/vpcs.py +57 -0
granny/cdn/__init__.py +9 -0
granny/cdn/bunny.py +231 -0
granny/cli/__init__.py +0 -0
granny/cli/analyze.py +66 -0
granny/cli/cdn.py +210 -0
granny/cli/create.py +94 -0
granny/cli/credentials.py +99 -0
granny/cli/dns.py +290 -0
granny/cli/docker.py +165 -0
granny/cli/edge.py +106 -0
granny/cli/email.py +224 -0
granny/cli/main.py +98 -0
granny/cli/serverless.py +278 -0
granny/cli/storage.py +249 -0
granny/create/__init__.py +4 -0
granny/create/auto_certificate.py +1899 -0
granny/create/cloudfront-security-headers.js +53 -0
granny/create/manage-dns.sh +321 -0
granny/create/manage_mailjet_contacts.py +619 -0
granny/create/registrars.py +363 -0
granny/create/setup_aws_cloudfront.py +2808 -0
granny/create/setup_bunny_edge_script.py +923 -0
granny/create/setup_bunny_storage.py +1719 -0
granny/create/setup_cognito_identity_pool.py +740 -0
granny/create/setup_hetzner_bunny.py +1482 -0
granny/create/setup_mailjet_dns.py +1103 -0
granny/create/setup_private_cdn.py +547 -0
granny/create/setup_s3_website.py +1512 -0
granny/create/setup_scaleway_faas.py +1165 -0
granny/create/setup_workmail.py +1217 -0
granny/create/www-redirect-function.js +17 -0
granny/credentials/__init__.py +15 -0
granny/credentials/secrets.py +403 -0
granny/dns/__init__.py +22 -0
granny/dns/base.py +113 -0
granny/dns/bunny.py +150 -0
granny/dns/cloudflare.py +192 -0
granny/dns/cloudns.py +162 -0
granny/dns/desec.py +152 -0
granny/dns/factory.py +72 -0
granny/dns/hetzner.py +165 -0
granny/dns/manual.py +64 -0
granny/dns/records.py +29 -0
granny/docker/__init__.py +5 -0
granny/docker/build_base.py +204 -0
granny/edge/__init__.py +5 -0
granny/edge/bunny.py +147 -0
granny/email/__init__.py +7 -0
granny/email/mailjet.py +119 -0
granny/email/mailjet_contacts.py +115 -0
granny/email/ses_forwarding.py +281 -0
granny/email/workmail.py +145 -0
granny/report.py +128 -0
granny/serverless/__init__.py +5 -0
granny/serverless/scaleway.py +264 -0
granny/storage/__init__.py +7 -0
granny/storage/aws.py +113 -0
granny/storage/bunny.py +98 -0
granny/storage/hetzner.py +118 -0
granny_devops-0.4.0.dist-info/METADATA +445 -0
granny_devops-0.4.0.dist-info/RECORD +68 -0
granny_devops-0.4.0.dist-info/WHEEL +4 -0
granny_devops-0.4.0.dist-info/entry_points.txt +2 -0
granny_devops-0.4.0.dist-info/licenses/LICENSE +21 -0

granny/cli/create.py ADDED Viewed

@@ -0,0 +1,94 @@
+"""`granny create ...` -- dispatch over granny/create/*.py.
+Each subcommand loads the matching script from the in-package ``granny.create``
+module and invokes its argparse ``main()`` with forwarded argv. Scripts live
+inside the package so the CLI is self-contained (no external ``tools/`` dir).
+Adding a new command: drop the script in ``granny/create/`` and add an entry
+to ``COMMANDS`` below.
+"""
+from __future__ import annotations
+import importlib
+import sys
+from pathlib import Path
+from types import ModuleType
+import click
+_CREATE_DIR = Path(__file__).resolve().parent.parent / "create"
+# subcommand name -> script filename (relative to granny/create/)
+COMMANDS: dict[str, str] = {
+    "aws-cloudfront": "setup_aws_cloudfront.py",
+    "bunny-edge-script": "setup_bunny_edge_script.py",
+    "bunny-storage": "setup_bunny_storage.py",
+    "cognito-identity-pool": "setup_cognito_identity_pool.py",
+    "hetzner-bunny": "setup_hetzner_bunny.py",
+    "mailjet-dns": "setup_mailjet_dns.py",
+    "private-cdn": "setup_private_cdn.py",
+    "s3-website": "setup_s3_website.py",
+    "scaleway-faas": "setup_scaleway_faas.py",
+    "workmail": "setup_workmail.py",
+    "auto-certificate": "auto_certificate.py",
+    "mailjet-contacts": "manage_mailjet_contacts.py",
+}
+def _load_script(filename: str) -> ModuleType:
+    """Import a script from granny.create by filename."""
+    path = _CREATE_DIR / filename
+    if not path.is_file():
+        raise click.ClickException(f"Script not found: {path}")
+    module_name = f"granny.create.{path.stem}"
+    try:
+        return importlib.import_module(module_name)
+    except Exception as exc:
+        raise click.ClickException(f"Cannot load {module_name}: {exc}") from exc
+def _make_command(name: str, filename: str) -> click.Command:
+    """Build a click command that forwards argv to a script's main()."""
+    @click.command(
+        name=name,
+        context_settings={
+            "ignore_unknown_options": True,
+            "allow_extra_args": True,
+            "help_option_names": [],  # let the script's own -h/--help through
+        },
+        help=(
+            f"Run granny/create/{filename}. All arguments are forwarded; "
+            f"use `-- --help` to see the script's own flags."
+        ),
+    )
+    @click.argument("script_args", nargs=-1, type=click.UNPROCESSED)
+    def _cmd(script_args: tuple[str, ...]) -> None:
+        module = _load_script(filename)
+        if not hasattr(module, "main"):
+            raise click.ClickException(f"{filename} has no main() function")
+        original_argv = sys.argv
+        sys.argv = [filename, *script_args]
+        try:
+            rc = module.main()
+        except SystemExit as exc:
+            rc = exc.code if isinstance(exc.code, int) else (1 if exc.code else 0)
+        finally:
+            sys.argv = original_argv
+        if rc:
+            sys.exit(rc)
+    return _cmd
+@click.group()
+def create() -> None:
+    """Provision and configure cloud resources."""
+for _name, _filename in COMMANDS.items():
+    create.add_command(_make_command(_name, _filename))

granny/cli/credentials.py ADDED Viewed

@@ -0,0 +1,99 @@
+"""CLI commands for credential management."""
+import sys
+import click
+@click.group()
+def credentials() -> None:
+    """Manage credentials and vault secrets."""
+@credentials.command()
+@click.argument("name")
+def get(name: str) -> None:
+    """Retrieve a secret by env var name (e.g. BUNNY_API_KEY)."""
+    from granny.credentials import get_secret
+    value = get_secret(name)
+    if value:
+        click.echo(value)
+    else:
+        click.echo(f"Secret {name!r} not found", err=True)
+        sys.exit(1)
+@credentials.command()
+@click.option(
+    "--keys",
+    default=None,
+    help="Comma-separated list of env var names (default: all registered)",
+)
+def status(keys: str | None) -> None:
+    """Show resolution status for registered secrets."""
+    from granny.credentials.secrets import SECRET_MAP, get_secret
+    key_list = keys.split(",") if keys else list(SECRET_MAP.keys())
+    for key in sorted(key_list):
+        value = get_secret(key)
+        indicator = "ok" if value else "MISSING"
+        click.echo(f"  {key:<30} {indicator}")
+@credentials.command("show-key")
+@click.argument("name")
+@click.option("--masked/--no-masked", default=True, help="Mask the middle of the key (default: masked)")
+def show_key(name: str, masked: bool) -> None:
+    """Print a credential by name from the OS keystore (Windows Credential Manager / Keychain).
+    Requires the [vault] extra: pip install granny-devops[vault]
+    """
+    try:
+        from locke.keystore import get_credential
+    except ImportError:
+        click.echo(
+            "locke not installed — install with: pip install 'granny-devops[vault]'",
+            err=True,
+        )
+        sys.exit(1)
+    try:
+        value = get_credential(name)
+    except Exception as e:
+        click.echo(f"Keystore access failed: {e}", err=True)
+        sys.exit(1)
+    if not value:
+        click.echo(f"{name} not found in keystore", err=True)
+        sys.exit(1)
+    if masked:
+        display = f"{value[:4]}…{value[-4:]}" if len(value) > 8 else "****"
+        click.echo(f"{display}  (length={len(value)})")
+    else:
+        click.echo(value)
+@credentials.command("test-vault")
+def test_vault() -> None:
+    """Test connectivity to Vaultwarden via Locke.
+    Requires the [vault] extra: pip install granny-devops[vault]
+    """
+    from granny.credentials.secrets import _LOCKE_AVAILABLE, _get_vault_client
+    if not _LOCKE_AVAILABLE:
+        click.echo(
+            "locke not installed — install with: pip install 'granny-devops[vault]'",
+            err=True,
+        )
+        sys.exit(1)
+    client = _get_vault_client()
+    if client:
+        click.echo("Vault connection: OK")
+    else:
+        click.echo("Vault connection: FAILED", err=True)
+        sys.exit(1)

granny/cli/dns.py ADDED Viewed

@@ -0,0 +1,290 @@
+"""``granny dns`` — provider-agnostic DNS record CRUD.
+Replaces ``tools/create/manage-dns.sh`` with a native Python CLI that works
+against Cloudflare, Bunny, Hetzner, deSEC, ClouDNS, or a manual stub. The
+legacy bash script still works; this command is the preferred entry point.
+"""
+from __future__ import annotations
+import json
+import logging
+import os
+import click
+import requests
+from granny.dns import DNSRecord, get_provider, provider_choices
+from granny.dns.base import DNSProvider
+logger = logging.getLogger(__name__)
+DEFAULT_PROVIDER_ENV = "GRANNY_DNS_PROVIDER"
+DEFAULT_DOMAIN_ENV = "GRANNY_DNS_DOMAIN"
+def _split_fqdn(value: str, domain: str | None) -> tuple[str, str]:
+    """Split ``value`` into (short_name, zone_name).
+    - ``api.example.com`` + ``None`` → (``api``, ``example.com``)
+    - ``example.com`` + ``None``     → (``@``,   ``example.com``)
+    - ``api``         + ``example.com`` → (``api``, ``example.com``)
+    - ``@``           + ``example.com`` → (``@``,   ``example.com``)
+    Raises ``click.UsageError`` if ``value`` is a bare subdomain and
+    ``domain`` is not supplied.
+    """
+    value = value.strip().rstrip(".")
+    if not value:
+        raise click.UsageError("NAME cannot be empty")
+    if domain:
+        domain = domain.strip().rstrip(".").lower()
+    if "." in value:
+        value_lower = value.lower()
+        if domain and value_lower != domain and not value_lower.endswith(f".{domain}"):
+            raise click.UsageError(
+                f"{value!r} is not under domain {domain!r}"
+            )
+        if domain is None:
+            return ("@", value_lower)
+        if value_lower == domain:
+            return ("@", domain)
+        short = value_lower[: -(len(domain) + 1)]
+        return (short, domain)
+    # Bare label — needs a domain.
+    if not domain:
+        raise click.UsageError(
+            "Bare subdomain requires --domain (or set $GRANNY_DNS_DOMAIN)"
+        )
+    if value == "@":
+        return ("@", domain)
+    return (value, domain)
+def _provider_instance(name: str | None) -> DNSProvider:
+    resolved = name or os.environ.get(DEFAULT_PROVIDER_ENV)
+    if not resolved:
+        raise click.UsageError(
+            "--provider is required (or set $GRANNY_DNS_PROVIDER). "
+            f"Choices: {', '.join(provider_choices())}"
+        )
+    try:
+        return get_provider(resolved)
+    except ValueError as exc:
+        raise click.UsageError(str(exc))
+    except Exception as exc:
+        raise click.ClickException(f"Failed to initialize provider {resolved!r}: {exc}")
+def _detect_public_ip() -> str:
+    """Best-effort public IP lookup — mirrors manage-dns.sh."""
+    for url in (
+        "https://api.ipify.org",
+        "https://ifconfig.me",
+        "https://icanhazip.com",
+    ):
+        try:
+            resp = requests.get(url, timeout=5)
+            if resp.status_code == 200 and resp.text.strip():
+                return resp.text.strip()
+        except requests.RequestException:
+            continue
+    raise click.ClickException("Could not auto-detect public IP; pass VALUE explicitly.")
+def _format_table(records: list[DNSRecord]) -> str:
+    if not records:
+        return "(no records)"
+    rows = [
+        (rec.type, rec.fqdn or rec.name or "@", rec.value, str(rec.ttl))
+        for rec in records
+    ]
+    widths = [max(len(r[i]) for r in rows) for i in range(4)]
+    return "\n".join(
+        "  ".join(row[i].ljust(widths[i]) for i in range(4)) for row in rows
+    )
+def _format_record(record: DNSRecord) -> str:
+    payload = {
+        "name": record.fqdn or record.name,
+        "type": record.type,
+        "value": record.value,
+        "ttl": record.ttl,
+        "id": record.id,
+    }
+    return json.dumps(payload, indent=2)
+provider_option = click.option(
+    "--provider",
+    "-p",
+    default=None,
+    help=(
+        "DNS provider. Choices: "
+        + ", ".join(provider_choices())
+        + f". Default from ${DEFAULT_PROVIDER_ENV}."
+    ),
+)
+domain_option = click.option(
+    "--domain",
+    "-d",
+    default=lambda: os.environ.get(DEFAULT_DOMAIN_ENV),
+    help=f"Zone/domain to operate on. Default from ${DEFAULT_DOMAIN_ENV}.",
+)
+@click.group()
+def dns() -> None:
+    """Provider-agnostic DNS record management."""
+@dns.command("list")
+@provider_option
+@domain_option
+@click.option("--type", "record_type", default=None, help="Filter by record type.")
+def list_cmd(provider: str | None, domain: str | None, record_type: str | None) -> None:
+    """List records in a zone."""
+    if not domain:
+        raise click.UsageError("--domain is required")
+    dns_provider = _provider_instance(provider)
+    zone_id = dns_provider.get_zone_id(domain)
+    records = dns_provider.list_records(zone_id, record_type=record_type)
+    click.echo(_format_table(records))
+@dns.command("get")
+@click.argument("name")
+@provider_option
+@domain_option
+@click.option("--type", "record_type", default="A", show_default=True)
+def get_cmd(
+    name: str, provider: str | None, domain: str | None, record_type: str
+) -> None:
+    """Get a record by short name or FQDN."""
+    short, zone_name = _split_fqdn(name, domain)
+    dns_provider = _provider_instance(provider)
+    zone_id = dns_provider.get_zone_id(zone_name)
+    record = dns_provider.get_record(zone_id, short, record_type)
+    if not record:
+        full = zone_name if short == "@" else f"{short}.{zone_name}"
+        click.echo(f"No {record_type} record found for {full}")
+        raise SystemExit(1)
+    click.echo(_format_record(record))
+@dns.command("add")
+@click.argument("name")
+@click.argument("value", required=False)
+@provider_option
+@domain_option
+@click.option("--type", "record_type", default="A", show_default=True)
+@click.option("--ttl", default=300, show_default=True, type=int)
+@click.option("--proxied/--no-proxied", default=False, help="Cloudflare proxy flag.")
+def add_cmd(
+    name: str,
+    value: str | None,
+    provider: str | None,
+    domain: str | None,
+    record_type: str,
+    ttl: int,
+    proxied: bool,
+) -> None:
+    """Create or update a record (upsert).
+    If VALUE is omitted and --type is A, auto-detects your public IP (same
+    behavior as ``manage-dns.sh add <name>``).
+    """
+    short, zone_name = _split_fqdn(name, domain)
+    if value is None:
+        if record_type.upper() != "A":
+            raise click.UsageError("VALUE required unless --type A")
+        value = _detect_public_ip()
+        click.echo(f"Auto-detected public IP: {value}")
+    dns_provider = _provider_instance(provider)
+    zone_id = dns_provider.get_zone_id(zone_name)
+    record = dns_provider.upsert_record(
+        zone_id, short, record_type, value, ttl=ttl, proxied=proxied
+    )
+    full = zone_name if short == "@" else f"{short}.{zone_name}"
+    click.echo(f"OK {record_type} {full} -> {value}")
+    click.echo(_format_record(record))
+@dns.command("upsert")
+@click.argument("name")
+@click.argument("value")
+@provider_option
+@domain_option
+@click.option("--type", "record_type", default="A", show_default=True)
+@click.option("--ttl", default=300, show_default=True, type=int)
+@click.option("--proxied/--no-proxied", default=False)
+def upsert_cmd(
+    name: str,
+    value: str,
+    provider: str | None,
+    domain: str | None,
+    record_type: str,
+    ttl: int,
+    proxied: bool,
+) -> None:
+    """Explicit upsert (same as ``add`` but requires VALUE)."""
+    short, zone_name = _split_fqdn(name, domain)
+    dns_provider = _provider_instance(provider)
+    zone_id = dns_provider.get_zone_id(zone_name)
+    record = dns_provider.upsert_record(
+        zone_id, short, record_type, value, ttl=ttl, proxied=proxied
+    )
+    click.echo(_format_record(record))
+@dns.command("delete")
+@click.argument("name")
+@provider_option
+@domain_option
+@click.option("--type", "record_type", default="A", show_default=True)
+@click.option("--yes", is_flag=True, help="Skip confirmation prompt.")
+def delete_cmd(
+    name: str,
+    provider: str | None,
+    domain: str | None,
+    record_type: str,
+    yes: bool,
+) -> None:
+    """Delete a record."""
+    short, zone_name = _split_fqdn(name, domain)
+    dns_provider = _provider_instance(provider)
+    zone_id = dns_provider.get_zone_id(zone_name)
+    record = dns_provider.get_record(zone_id, short, record_type)
+    full = zone_name if short == "@" else f"{short}.{zone_name}"
+    if not record:
+        click.echo(f"No {record_type} record found for {full}")
+        raise SystemExit(1)
+    if not yes:
+        click.confirm(f"Delete {record_type} {full} -> {record.value}?", abort=True)
+    dns_provider.delete_record(zone_id, record.id)
+    click.echo(f"Deleted {record_type} {full}")
+@dns.command("nameservers")
+@click.argument("domain")
+@provider_option
+def nameservers_cmd(domain: str, provider: str | None) -> None:
+    """Print the authoritative nameservers the provider has for DOMAIN.
+    Useful before flipping registrar delegation with ``granny create
+    bunny-storage --registrar easyname``.
+    """
+    dns_provider = _provider_instance(provider)
+    try:
+        ns_list = dns_provider.get_nameservers(domain)
+    except NotImplementedError as exc:
+        raise click.ClickException(str(exc))
+    if not ns_list:
+        click.echo(f"No nameservers found for {domain}")
+        raise SystemExit(1)
+    for ns in ns_list:
+        click.echo(ns)

granny/cli/docker.py ADDED Viewed

@@ -0,0 +1,165 @@
+"""CLI commands for Docker multi-arch image builds."""
+from __future__ import annotations
+import sys
+from pathlib import Path
+import click
+@click.group()
+def docker() -> None:
+    """Docker multi-arch build helpers."""
+@docker.command("build-base")
+@click.option(
+    "--context",
+    "context_dir",
+    type=click.Path(exists=True, file_okay=False, path_type=Path),
+    default=Path.cwd(),
+    show_default="current directory",
+    help="Build context directory (where the Dockerfile lives).",
+)
+@click.option(
+    "--dockerfile",
+    type=click.Path(path_type=Path),
+    default=Path("Dockerfile.base"),
+    show_default=True,
+    help="Dockerfile path (relative to --context or absolute).",
+)
+@click.option(
+    "--image",
+    required=True,
+    help="Image reference without tag, e.g. budelius/icaap-climaterisk-base.",
+)
+@click.option(
+    "--hash-file",
+    "hash_files",
+    type=click.Path(path_type=Path),
+    multiple=True,
+    required=True,
+    help="File whose content contributes to DEPS_HASH. Pass multiple times. Order matters.",
+)
+@click.option(
+    "--platforms",
+    default="linux/amd64,linux/arm64",
+    show_default=True,
+    help="Comma-separated buildx platforms.",
+)
+@click.option(
+    "--builder",
+    default="granny-multiarch",
+    show_default=True,
+    help="buildx builder name. Created on demand.",
+)
+@click.option(
+    "--secret",
+    "secrets",
+    multiple=True,
+    help=(
+        "BuildKit secret, format: id=ENV_VAR. The value is read from the env "
+        "var (populated via granny.credentials) and mounted as "
+        "/run/secrets/<id> during build. Pass multiple times."
+    ),
+)
+@click.option(
+    "--login-docker-hub/--no-login-docker-hub",
+    default=True,
+    show_default=True,
+    help="docker login to Docker Hub using DOCKER_HUB_USER/DOCKER_HUB_TOKEN from granny's vault.",
+)
+@click.option(
+    "--force/--no-force",
+    default=False,
+    show_default=True,
+    help="Rebuild even if the DEPS_HASH tag already exists in the registry.",
+)
+def build_base(
+    context_dir: Path,
+    dockerfile: Path,
+    image: str,
+    hash_files: tuple[Path, ...],
+    platforms: str,
+    builder: str,
+    secrets: tuple[str, ...],
+    login_docker_hub: bool,
+    force: bool,
+) -> None:
+    """Build and push a multi-arch Docker base image with deterministic tagging.
+    Computes a short sha256 over --hash-file contents, tags the image as
+    `<image>:<hash>` and `<image>:latest`, and pushes. Skips the build if the
+    hash tag already exists in the registry (unless --force).
+    Credentials are fetched from granny's Vaultwarden vault via granny.credentials.
+    Secrets are mounted into BuildKit via --mount=type=secret so they never
+    enter image history.
+    """
+    import os
+    import subprocess
+    from granny.credentials import load_secrets_into_env
+    from granny.docker.build_base import BuildBaseConfig, build_base_image
+    # Parse --secret flags: each is "id=ENV_VAR"
+    secret_map: dict[str, str] = {}
+    for s in secrets:
+        if "=" not in s:
+            click.echo(f"Invalid --secret value {s!r}, expected id=ENV_VAR", err=True)
+            sys.exit(2)
+        sid, env = s.split("=", 1)
+        secret_map[sid.strip()] = env.strip()
+    # Load required secrets from vault into os.environ (env var wins if set)
+    required_env_vars = set(secret_map.values())
+    if login_docker_hub:
+        required_env_vars.update({"DOCKER_HUB_USER", "DOCKER_HUB_TOKEN"})
+    if required_env_vars:
+        results = load_secrets_into_env(list(required_env_vars))
+        missing = [k for k, ok in results.items() if not ok]
+        if missing:
+            click.echo(
+                f"Missing secrets (not in env): {', '.join(sorted(missing))}\n"
+                f"Set them in .env / .deploy.env or export them in your shell.",
+                err=True,
+            )
+            sys.exit(1)
+    # Login to Docker Hub before the build so buildx can push.
+    if login_docker_hub:
+        user = os.environ["DOCKER_HUB_USER"]
+        token = os.environ["DOCKER_HUB_TOKEN"]
+        click.echo(f"Logging into Docker Hub as {user}...")
+        result = subprocess.run(
+            ["docker", "login", "--username", user, "--password-stdin"],
+            input=token,
+            text=True,
+            capture_output=True,
+            check=False,
+        )
+        if result.returncode != 0:
+            click.echo(f"docker login failed: {result.stderr.strip()}", err=True)
+            sys.exit(result.returncode)
+    cfg = BuildBaseConfig(
+        context=context_dir,
+        dockerfile=dockerfile,
+        image=image,
+        hash_files=list(hash_files),
+        platforms=platforms,
+        builder=builder,
+        secrets=secret_map,
+        force=force,
+    )
+    try:
+        deps_hash, was_built = build_base_image(cfg)
+    except Exception as e:
+        click.echo(f"build-base failed: {e}", err=True)
+        sys.exit(1)
+    if was_built:
+        click.echo(f"Pushed: {image}:{deps_hash}")
+        click.echo(f"Pushed: {image}:latest")
+    else:
+        click.echo(f"Skipped: {image}:{deps_hash} already exists in registry")