granny-devops 0.4.0__tar.gz → 0.5.0__tar.gz

{granny_devops-0.4.0 → granny_devops-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.4.0
+Version: 0.5.0
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License

{granny_devops-0.4.0 → granny_devops-0.5.0}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.4.0"
+__version__ = "0.5.0"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

granny_devops-0.5.0/granny/cli/cloudflare.py

@@ -0,0 +1,225 @@
+"""``granny cloudflare`` — Workers / D1 / R2 resource management."""
+
+from __future__ import annotations
+
+import json as _json
+
+import click
+
+
+@click.group("cloudflare")
+def cloudflare() -> None:
+    """Cloudflare Workers / D1 / R2 / KV resource management.
+
+    For DNS-only operations see ``granny dns`` (Cloudflare is one of the
+    supported providers there). This group handles the account-level
+    resources that Workers-based apps depend on.
+    """
+
+
+# -- D1 -----------------------------------------------------------------------
+
+
+@cloudflare.group("d1")
+def d1_group() -> None:
+    """D1 database management."""
+
+
+@d1_group.command("list")
+def d1_list() -> None:
+    """List D1 databases in the account."""
+    from granny.cloudflare.d1 import D1Client
+
+    for db in D1Client().list_databases():
+        click.echo(f"  {db.get('uuid', '?'):<38} {db.get('name', '?')}")
+
+
+@d1_group.command("create")
+@click.argument("name")
+@click.option("--location", default=None, help="Primary location hint (e.g. weur).")
+def d1_create(name: str, location: str | None) -> None:
+    """Create a D1 database (idempotent)."""
+    from granny.cloudflare.d1 import D1Client
+
+    db = D1Client().create_database(name, primary_location_hint=location)
+    click.echo(f"D1 database: {db['name']} uuid={db['uuid']}")
+
+
+# -- R2 -----------------------------------------------------------------------
+
+
+@cloudflare.group("r2")
+def r2_group() -> None:
+    """R2 bucket management."""
+
+
+@r2_group.command("list")
+def r2_list() -> None:
+    """List R2 buckets in the account."""
+    from granny.cloudflare.r2 import R2Client
+
+    for b in R2Client().list_buckets():
+        click.echo(f"  {b.get('name'):<40} created={b.get('creation_date', '?')}")
+
+
+@r2_group.command("create")
+@click.argument("name")
+@click.option("--location", default=None, help="Location hint (e.g. WEUR).")
+def r2_create(name: str, location: str | None) -> None:
+    """Create an R2 bucket (idempotent)."""
+    from granny.cloudflare.r2 import R2Client
+
+    b = R2Client().create_bucket(name, location=location)
+    click.echo(f"R2 bucket: {b.get('name')}")
+
+
+# -- Workers secrets ----------------------------------------------------------
+
+
+@cloudflare.group("workers")
+def workers_group() -> None:
+    """Workers script + secrets management."""
+
+
+@workers_group.command("list")
+def workers_list() -> None:
+    """List Worker scripts in the account."""
+    from granny.cloudflare.workers import WorkersClient
+
+    for s in WorkersClient().list_scripts():
+        click.echo(f"  {s.get('id'):<40} modified={s.get('modified_on', '?')}")
+
+
+@workers_group.command("secret-put")
+@click.argument("script_name")
+@click.argument("secret_name")
+@click.option(
+    "--from-vault",
+    is_flag=True,
+    help="Resolve SECRET_NAME via granny credentials (vault/env) instead of prompting.",
+)
+@click.option("--value", default=None, help="Plaintext value (avoid in shell history).")
+def workers_secret_put(
+    script_name: str, secret_name: str, from_vault: bool, value: str | None
+) -> None:
+    """Create or update a Worker secret."""
+    from granny.cloudflare.workers import WorkersClient
+
+    if value is None:
+        if from_vault:
+            from granny.credentials.secrets import get_secret
+
+            value = get_secret(secret_name)
+            if not value:
+                raise click.ClickException(f"Vault lookup for {secret_name} returned nothing.")
+        else:
+            value = click.prompt(f"Value for {secret_name}", hide_input=True)
+    WorkersClient().put_secret(script_name, secret_name, value)
+    click.echo(f"Secret set: {script_name}.{secret_name}")
+
+
+@workers_group.command("secret-list")
+@click.argument("script_name")
+def workers_secret_list(script_name: str) -> None:
+    """List Worker secret names (values are not retrievable)."""
+    from granny.cloudflare.workers import WorkersClient
+
+    for s in WorkersClient().list_secrets(script_name):
+        click.echo(f"  {s.get('name'):<32} type={s.get('type', '?')}")
+
+
+# -- Composite: Workers site provisioning -------------------------------------
+
+
+@cloudflare.group("site")
+def site_group() -> None:
+    """Workers site provisioning (D1 + R2 + secrets in one pass)."""
+
+
+@site_group.command("provision")
+@click.argument("site_name")
+@click.option(
+    "--media-bucket",
+    default=None,
+    help="R2 bucket name (default: <site>-media).",
+)
+@click.option(
+    "--d1-location",
+    default=None,
+    help="D1 primary location hint (e.g. weur).",
+)
+@click.option(
+    "--secret",
+    "secrets",
+    multiple=True,
+    help="Secret to push (format: NAME or NAME=VALUE). Repeatable.",
+)
+@click.option(
+    "--secret-from-vault",
+    "vault_secrets",
+    multiple=True,
+    help="Secret name to resolve via granny vault and push. Repeatable.",
+)
+@click.option("--json", "json_out", is_flag=True, help="Emit JSON summary.")
+def site_provision(
+    site_name: str,
+    media_bucket: str | None,
+    d1_location: str | None,
+    secrets: tuple[str, ...],
+    vault_secrets: tuple[str, ...],
+    json_out: bool,
+) -> None:
+    """One-shot provisioning for a Workers site.
+
+    Creates (idempotently) the D1 database, R2 bucket, and pushes the
+    requested secrets to the Worker. The Worker script itself must already
+    have been deployed once via ``wrangler deploy`` -- this command does not
+    upload code. Typical flow::
+
+        wrangler deploy                                      # first deploy
+        granny cloudflare site provision my-site \\
+          --secret-from-vault MAILJET_API_KEY \\
+          --secret-from-vault MAILJET_SECRET_KEY \\
+          --secret AUTH_SECRET=$(openssl rand -hex 32)
+    """
+    from granny.cloudflare.d1 import D1Client
+    from granny.cloudflare.r2 import R2Client
+    from granny.cloudflare.workers import WorkersClient
+    from granny.credentials.secrets import get_secret
+
+    bucket = media_bucket or f"{site_name}-media"
+
+    summary: dict[str, object] = {"site": site_name}
+
+    db = D1Client().create_database(site_name, primary_location_hint=d1_location)
+    summary["d1"] = {"name": db["name"], "uuid": db["uuid"]}
+
+    b = R2Client().create_bucket(bucket)
+    summary["r2"] = {"name": b.get("name", bucket)}
+
+    pushed: list[str] = []
+    w = WorkersClient()
+    for spec in secrets:
+        if "=" in spec:
+            name, _, val = spec.partition("=")
+        else:
+            name = spec
+            val = click.prompt(f"Value for {name}", hide_input=True)
+        w.put_secret(site_name, name, val)
+        pushed.append(name)
+    for name in vault_secrets:
+        val = get_secret(name)
+        if not val:
+            click.echo(f"warn: vault lookup for {name} returned empty; skipping", err=True)
+            continue
+        w.put_secret(site_name, name, val)
+        pushed.append(name)
+    summary["secrets_pushed"] = pushed
+
+    if json_out:
+        click.echo(_json.dumps(summary, indent=2))
+    else:
+        click.echo(f"D1:      {db['name']} ({db['uuid']})")
+        click.echo(f"R2:      {summary['r2']['name']}")
+        click.echo(f"Secrets: {', '.join(pushed) if pushed else '(none)'}")
+        click.echo("Now paste the D1 uuid into your wrangler.jsonc and redeploy.")

{granny_devops-0.4.0 → granny_devops-0.5.0}/granny/cli/docker.py

@@ -120,8 +120,10 @@ def build_base(
         missing = [k for k, ok in results.items() if not ok]
         if missing:
             click.echo(
-                f"Missing secrets (not in env): {', '.join(sorted(missing))}\n"
-                f"Set them in .env / .deploy.env or export them in your shell.",
+                f"Missing secrets (not in env or vault): {', '.join(sorted(missing))}\n"
+                f"Set them in .env / .deploy.env, export them in your shell, "
+                f"or — with the [vault] extra installed — import via "
+                f"`locke vault import kv --folder granny/infra --from-file .locke/vault-import.json`.",
                 err=True,
             )
             sys.exit(1)

{granny_devops-0.4.0 → granny_devops-0.5.0}/granny/cli/main.py

@@ -70,6 +70,11 @@ def _register_commands() -> None:
         cli.add_command(dns)
     except ImportError:
         pass
+    try:
+        from granny.cli.cloudflare import cloudflare
+        cli.add_command(cloudflare)
+    except ImportError:
+        pass
     try:
         from granny.cli.storage import storage
         cli.add_command(storage)

granny_devops-0.5.0/granny/cloudflare/__init__.py

@@ -0,0 +1,109 @@
+"""Cloudflare provider — Workers / D1 / R2 / KV resource management.
+
+Separate from ``granny.dns.cloudflare`` which handles only zone + DNS records.
+This package covers the *account-level* resources that Workers-based apps
+depend on.
+
+All resources share a single ``CloudflareAccountClient`` whose token comes
+from the granny credential chain (``CLOUDFLARE_API_TOKEN`` via vault/env).
+The token must have at least the following scopes for a full Workers deploy:
+
+- Account → Workers Scripts → Edit
+- Account → D1 → Edit
+- Account → Workers R2 Storage → Edit
+- Account → Workers KV Storage → Edit
+- Zone → Workers Routes → Edit (for the target zone)
+- Zone → DNS → Edit (for custom-domain attach; also covered by granny.dns)
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+
+import requests
+
+from granny.credentials.secrets import get_secret
+
+logger = logging.getLogger(__name__)
+
+API_BASE = "https://api.cloudflare.com/client/v4"
+
+
+class CloudflareAccountClient:
+    """Thin wrapper over the Cloudflare v4 REST API, scoped to one account."""
+
+    def __init__(
+        self,
+        api_token: str | None = None,
+        account_id: str | None = None,
+    ) -> None:
+        api_token = api_token or get_secret("CLOUDFLARE_API_TOKEN")
+        if not api_token:
+            raise ValueError("CLOUDFLARE_API_TOKEN not set (env or vault).")
+        account_id = account_id or os.environ.get("CLOUDFLARE_ACCOUNT_ID")
+        if not account_id:
+            # Try to resolve via /accounts (requires Account:List).
+            resp = requests.get(
+                f"{API_BASE}/accounts",
+                headers={"Authorization": f"Bearer {api_token}"},
+                timeout=15,
+            )
+            results = resp.json().get("result") or []
+            if len(results) == 1:
+                account_id = results[0]["id"]
+            else:
+                raise ValueError(
+                    "CLOUDFLARE_ACCOUNT_ID not set and couldn't auto-resolve "
+                    "(token lacks Account:List or multiple accounts visible). "
+                    "Set CLOUDFLARE_ACCOUNT_ID explicitly."
+                )
+        self.account_id = account_id
+        self.session = requests.Session()
+        self.session.headers.update(
+            {
+                "Authorization": f"Bearer {api_token}",
+                "Content-Type": "application/json",
+            }
+        )
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        *,
+        params: dict | None = None,
+        json: dict | None = None,
+        raw_body: bytes | None = None,
+        extra_headers: dict | None = None,
+    ) -> dict:
+        url = f"{API_BASE}{path}"
+        headers = dict(self.session.headers)
+        if extra_headers:
+            headers.update(extra_headers)
+        if raw_body is not None:
+            # Caller is sending a non-JSON payload (e.g. multipart upload).
+            headers.pop("Content-Type", None)
+            resp = requests.request(
+                method, url, headers=headers, params=params, data=raw_body, timeout=60
+            )
+        else:
+            resp = self.session.request(
+                method, url, params=params, json=json, timeout=60
+            )
+        if resp.status_code >= 400:
+            raise RuntimeError(
+                f"Cloudflare {method} {path} failed: {resp.status_code} {resp.text}"
+            )
+        body = resp.json()
+        if not body.get("success", True):
+            raise RuntimeError(
+                f"Cloudflare {method} {path} error: {body.get('errors')}"
+            )
+        return body
+
+    # -- Account scoping helper -----------------------------------------------
+
+    def acct(self, subpath: str) -> str:
+        """Build a path rooted at /accounts/<id>."""
+        return f"/accounts/{self.account_id}{subpath}"

granny_devops-0.5.0/granny/cloudflare/d1.py

@@ -0,0 +1,42 @@
+"""Cloudflare D1 — create, list, execute SQL."""
+
+from __future__ import annotations
+
+from typing import Any
+
+from granny.cloudflare import CloudflareAccountClient
+
+
+class D1Client:
+    def __init__(self, client: CloudflareAccountClient | None = None) -> None:
+        self.c = client or CloudflareAccountClient()
+
+    def list_databases(self) -> list[dict[str, Any]]:
+        body = self.c._request("GET", self.c.acct("/d1/database"))
+        return body.get("result") or []
+
+    def get_database(self, name: str) -> dict[str, Any] | None:
+        for db in self.list_databases():
+            if db.get("name") == name:
+                return db
+        return None
+
+    def create_database(self, name: str, primary_location_hint: str | None = None) -> dict[str, Any]:
+        """Create a D1 database. Returns the full DB record including `uuid`."""
+        existing = self.get_database(name)
+        if existing:
+            return existing
+        payload: dict[str, Any] = {"name": name}
+        if primary_location_hint:
+            payload["primary_location_hint"] = primary_location_hint
+        body = self.c._request("POST", self.c.acct("/d1/database"), json=payload)
+        return body["result"]
+
+    def execute_sql(self, database_id: str, sql: str) -> list[dict[str, Any]]:
+        """Execute one or more SQL statements against a D1 database."""
+        body = self.c._request(
+            "POST",
+            self.c.acct(f"/d1/database/{database_id}/query"),
+            json={"sql": sql},
+        )
+        return body.get("result") or []

granny_devops-0.5.0/granny/cloudflare/r2.py

@@ -0,0 +1,33 @@
+"""Cloudflare R2 — bucket management."""
+
+from __future__ import annotations
+
+from typing import Any
+
+from granny.cloudflare import CloudflareAccountClient
+
+
+class R2Client:
+    def __init__(self, client: CloudflareAccountClient | None = None) -> None:
+        self.c = client or CloudflareAccountClient()
+
+    def list_buckets(self) -> list[dict[str, Any]]:
+        body = self.c._request("GET", self.c.acct("/r2/buckets"))
+        return body.get("result", {}).get("buckets") or []
+
+    def get_bucket(self, name: str) -> dict[str, Any] | None:
+        for b in self.list_buckets():
+            if b.get("name") == name:
+                return b
+        return None
+
+    def create_bucket(self, name: str, location: str | None = None) -> dict[str, Any]:
+        """Idempotent bucket create — returns the bucket record."""
+        existing = self.get_bucket(name)
+        if existing:
+            return existing
+        payload: dict[str, Any] = {"name": name}
+        if location:
+            payload["locationHint"] = location
+        body = self.c._request("POST", self.c.acct("/r2/buckets"), json=payload)
+        return body.get("result") or {"name": name}

granny_devops-0.5.0/granny/cloudflare/workers.py

@@ -0,0 +1,44 @@
+"""Cloudflare Workers — script metadata + secrets management.
+
+Deploying the actual Worker bundle is left to ``wrangler deploy`` which the
+user already runs from their project directory. Granny's job here is to
+manage the surrounding infrastructure: secrets, custom domains, D1/R2/KV
+bindings that wrangler's config file references.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from granny.cloudflare import CloudflareAccountClient
+
+
+class WorkersClient:
+    def __init__(self, client: CloudflareAccountClient | None = None) -> None:
+        self.c = client or CloudflareAccountClient()
+
+    def list_scripts(self) -> list[dict[str, Any]]:
+        body = self.c._request("GET", self.c.acct("/workers/scripts"))
+        return body.get("result") or []
+
+    def put_secret(self, script_name: str, name: str, value: str) -> dict[str, Any]:
+        """Create or update a plaintext secret binding on a Worker."""
+        body = self.c._request(
+            "PUT",
+            self.c.acct(f"/workers/scripts/{script_name}/secrets"),
+            json={"name": name, "text": value, "type": "secret_text"},
+        )
+        return body.get("result") or {}
+
+    def delete_secret(self, script_name: str, name: str) -> None:
+        self.c._request(
+            "DELETE",
+            self.c.acct(f"/workers/scripts/{script_name}/secrets/{name}"),
+        )
+
+    def list_secrets(self, script_name: str) -> list[dict[str, Any]]:
+        """Returns metadata only (names + types), not the plaintext values."""
+        body = self.c._request(
+            "GET", self.c.acct(f"/workers/scripts/{script_name}/secrets")
+        )
+        return body.get("result") or []

{granny_devops-0.4.0 → granny_devops-0.5.0}/granny/email/mailjet.py

@@ -80,8 +80,38 @@ def parse_spf(spf_record: str) -> tuple[list[str], str]:
     """Parse an SPF record into (mechanisms, qualifier).
 
     Returns e.g. (["include:_spf.google.com", "include:spf.mailjet.com"], "~all").
+
+    Some DNS providers (notably Cloudflare) return TXT record content with
+    surrounding quotes (``"v=spf1 ..."``) and split long records into
+    multiple quoted strings (``"v=spf1 ..." "include:other.com -all"``).
+    Strip those before tokenizing so callers can pass raw provider values.
     """
-    parts = spf_record.strip().split()
+    raw = spf_record.strip()
+    # Concatenate adjacent quoted strings (RFC 1035 multi-string TXT)
+    # and unwrap any single wrapping pair: `"foo" "bar"` -> `foo bar`,
+    # `"foo"` -> `foo`. Naive unquote -- SPF values don't contain literal
+    # backslash-escaped quotes in practice.
+    if '"' in raw:
+        chunks: list[str] = []
+        in_quote = False
+        buf: list[str] = []
+        for ch in raw:
+            if ch == '"':
+                in_quote = not in_quote
+                continue
+            if in_quote:
+                buf.append(ch)
+            elif ch.isspace() and buf:
+                chunks.append("".join(buf))
+                buf = []
+        if buf:
+            chunks.append("".join(buf))
+        if chunks:
+            # SPF tokens are whitespace-separated; rejoin with a space so a
+            # multi-string TXT split between tokens reconstructs cleanly.
+            raw = " ".join(chunks)
+
+    parts = raw.split()
     mechanisms: list[str] = []
     qualifier = "~all"
     for part in parts:

{granny_devops-0.4.0 → granny_devops-0.5.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "granny-devops"
-version = "0.4.0"
+version = "0.5.0"
 description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
 readme = "README.md"
 license = { file = "LICENSE" }
@@ -22,9 +22,10 @@ dev = [
     "ruff>=0.11",
     "twine>=6.1",
 ]
-# Vaultwarden-backed credential resolution via Locke is intentionally not
-# declared here because PyPI rejects direct Git dependencies. Install Locke
-# separately from its repository when vault-backed local secrets are needed.
+# Vaultwarden-backed credential resolution via Locke. The published wheel
+# leaves this extra empty because PyPI rejects direct Git dependencies; for
+# local editable installs Locke is wired in via `[tool.uv]` dev-dependencies
+# below, so `uv sync` activates vault support automatically.
 vault = []
 # CDN and DNS providers
 cdn = [
@@ -100,3 +101,11 @@ packages = ["granny"]
 
 [tool.hatch.build.targets.sdist]
 include = ["granny"]
+
+# uv-only configuration. PyPI publishes ignore this section -- it activates
+# vault support (Locke) for local editable installs via `uv sync`, without
+# polluting the published wheel's metadata with a Git URL that PyPI rejects.
+[tool.uv]
+dev-dependencies = [
+    "locke @ git+https://gitlab.com/martin-wieser/locke.git#subdirectory=python",
+]