granny-devops 0.7.0__tar.gz → 0.9.0__tar.gz

{granny_devops-0.7.0 → granny_devops-0.9.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.7.0
+Version: 0.9.0
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License
@@ -263,6 +263,10 @@ granny analyze gpus --provider aws --profile prod --profile dev
 granny analyze credits                             # available balances
 granny analyze costs                               # MTD + month-end forecast
 
+# AWS Capacity Blocks for ML -- discover available H100/H200/A100 blocks
+granny analyze capacity-blocks --instance-type p5.48xlarge --hours 24
+granny analyze capacity-blocks --instance-type p5e.48xlarge --count 2 --hours 168
+
 # Cloudflare account resources (Workers, D1, R2, KV)
 granny cloudflare d1 create my-app
 granny cloudflare r2 create my-app-media
@@ -282,6 +286,13 @@ granny email workmail create-user example.com --email user@example.com
 granny create s3-website example.com --help
 granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
+
+# Authentik admin (provider + application + group plumbing)
+granny authentik provision-stoz3n-dash development     # idempotent per-stage setup
+granny authentik list providers
+granny authentik rotate-secret stoz3n-dash-staging
+granny authentik add-user-to-group martin              # defaults to dash_admins
+granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
 ## Capability matrix
@@ -298,6 +309,7 @@ granny create mailjet-dns example.com
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
+| SSO / IdP | Authentik (provider + application + group provisioning, per-stage stoz3n-dash workflow) |
 
 ## As a library
 

{granny_devops-0.7.0 → granny_devops-0.9.0}/README.md

@@ -131,6 +131,10 @@ granny analyze gpus --provider aws --profile prod --profile dev
 granny analyze credits                             # available balances
 granny analyze costs                               # MTD + month-end forecast
 
+# AWS Capacity Blocks for ML -- discover available H100/H200/A100 blocks
+granny analyze capacity-blocks --instance-type p5.48xlarge --hours 24
+granny analyze capacity-blocks --instance-type p5e.48xlarge --count 2 --hours 168
+
 # Cloudflare account resources (Workers, D1, R2, KV)
 granny cloudflare d1 create my-app
 granny cloudflare r2 create my-app-media
@@ -150,6 +154,13 @@ granny email workmail create-user example.com --email user@example.com
 granny create s3-website example.com --help
 granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
+
+# Authentik admin (provider + application + group plumbing)
+granny authentik provision-stoz3n-dash development     # idempotent per-stage setup
+granny authentik list providers
+granny authentik rotate-secret stoz3n-dash-staging
+granny authentik add-user-to-group martin              # defaults to dash_admins
+granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
 ## Capability matrix
@@ -166,6 +177,7 @@ granny create mailjet-dns example.com
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
+| SSO / IdP | Authentik (provider + application + group provisioning, per-stage stoz3n-dash workflow) |
 
 ## As a library
 

{granny_devops-0.7.0 → granny_devops-0.9.0}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.7.0"
+__version__ = "0.8.0"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

{granny_devops-0.7.0 → granny_devops-0.9.0}/granny/analyze/__init__.py

@@ -17,9 +17,11 @@ def __getattr__(name: str):
     if name in {
         "GpuInstance",
         "GpuReservation",
+        "CapacityBlockOffering",
         "aws_profiles",
         "list_aws_gpu_instances",
         "list_aws_gpu_reservations",
+        "list_aws_capacity_block_offerings",
         "gcp_projects",
         "list_gcp_gpu_instances",
         "list_gcp_gpu_reservations",

{granny_devops-0.7.0 → granny_devops-0.9.0}/granny/analyze/gpus.py

@@ -16,7 +16,7 @@ from __future__ import annotations
 import logging
 import re
 from dataclasses import dataclass, field
-from datetime import datetime, timezone
+from datetime import datetime, timedelta, timezone
 
 logger = logging.getLogger(__name__)
 
@@ -148,6 +148,24 @@ class GpuReservation:
     commitment_term: str | None
 
 
+@dataclass
+class CapacityBlockOffering:
+    """An available EC2 Capacity Block for ML offering (not yet purchased)."""
+
+    account: str
+    region: str
+    zone: str
+    offering_id: str
+    instance_type: str
+    instance_count: int
+    duration_hours: int
+    start_time: str
+    end_time: str
+    upfront_fee: float
+    currency: str
+    tenancy: str
+
+
 # ---------------------------------------------------------------------------
 # AWS
 # ---------------------------------------------------------------------------
@@ -315,6 +333,97 @@ def list_aws_gpu_reservations(
     return results
 
 
+# Regions where Capacity Blocks for ML are generally available.
+# describe-capacity-block-offerings only works here; other regions return
+# UnsupportedOperation. Update as AWS rolls out to new regions.
+_AWS_CAPACITY_BLOCK_REGIONS: tuple[str, ...] = (
+    "us-east-1",
+    "us-east-2",
+    "us-west-2",
+    "eu-west-1",
+    "eu-west-2",
+    "eu-north-1",
+    "eu-central-1",
+    "ap-northeast-1",
+    "ap-southeast-2",
+)
+
+
+def list_aws_capacity_block_offerings(
+    instance_type: str,
+    instance_count: int = 1,
+    duration_hours: int = 24,
+    start_window_days: int = 30,
+    profiles: list[str] | None = None,
+    regions: list[str] | None = None,
+) -> list[CapacityBlockOffering]:
+    """Find available EC2 Capacity Block offerings for ML GPU instances.
+
+    Args:
+        instance_type: GPU instance type, e.g. ``p5.48xlarge`` or ``p5e.48xlarge``.
+        instance_count: How many instances the block must hold.
+        duration_hours: Block length in hours (AWS supports 1, 6, 12, 24, 48,
+            72, 168, 336, 504, 672 ... — pass what you need).
+        start_window_days: Search for blocks starting between now and this many
+            days out.
+        profiles: AWS profiles to query (default: all configured profiles).
+        regions: Regions to query (default: the known Capacity-Block-enabled
+            regions; pass an explicit list to override).
+
+    Returns:
+        Offerings sorted cheapest-first.
+    """
+    import boto3
+    from botocore.exceptions import BotoCoreError, ClientError
+
+    profiles = profiles or aws_profiles()
+    regions = regions or list(_AWS_CAPACITY_BLOCK_REGIONS)
+    now = datetime.now(timezone.utc)
+    end = now + timedelta(days=start_window_days)
+
+    out: list[CapacityBlockOffering] = []
+    for profile in profiles:
+        for region in regions:
+            try:
+                session = boto3.Session(profile_name=profile if profile != "default" else None)
+                ec2 = session.client("ec2", region_name=region)
+                paginator = ec2.get_paginator("describe_capacity_block_offerings")
+                for page in paginator.paginate(
+                    InstanceType=instance_type,
+                    InstanceCount=instance_count,
+                    CapacityDurationHours=duration_hours,
+                    StartDateRange=now,
+                    EndDateRange=end,
+                ):
+                    for o in page.get("CapacityBlockOfferings", []):
+                        try:
+                            fee = float(o.get("UpfrontFee", 0) or 0)
+                        except (TypeError, ValueError):
+                            fee = 0.0
+                        out.append(
+                            CapacityBlockOffering(
+                                account=profile,
+                                region=region,
+                                zone=o.get("AvailabilityZone", ""),
+                                offering_id=o.get("CapacityBlockOfferingId", ""),
+                                instance_type=o.get("InstanceType", instance_type),
+                                instance_count=o.get("InstanceCount", instance_count),
+                                duration_hours=o.get(
+                                    "CapacityBlockDurationHours", duration_hours
+                                ),
+                                start_time=_iso(o.get("StartDate")) or "",
+                                end_time=_iso(o.get("EndDate")) or "",
+                                upfront_fee=fee,
+                                currency=o.get("CurrencyCode", "USD"),
+                                tenancy=o.get("Tenancy", "default"),
+                            )
+                        )
+            except (BotoCoreError, ClientError) as e:
+                logger.debug("AWS %s/%s capacity-block offerings: %s", profile, region, e)
+    out.sort(key=lambda o: (o.upfront_fee, o.start_time))
+    return out
+
+
 # ---------------------------------------------------------------------------
 # GCP
 # ---------------------------------------------------------------------------

granny_devops-0.9.0/granny/authentik/__init__.py

@@ -0,0 +1,33 @@
+"""Authentik management — REST API wrapper + per-stage stoz3n-dash provisioning.
+
+Powered by the ``AUTHENTIK_API_TOKEN`` secret (resolves via env var or
+Vaultwarden under ``granny/infra/authentik-api-token``) and the
+non-secret ``AUTHENTIK_URL`` (default ``https://auth.pseekoo.io``).
+
+Public API::
+
+    from granny.authentik import AuthentikClient, STOZ3N_DASH_STAGES, provision_stoz3n_dash
+
+    client = AuthentikClient.from_environment()
+    result = provision_stoz3n_dash(client, stage="development")
+    print(result.client_id, result.client_secret)
+"""
+
+from granny.authentik.client import AuthentikClient, AuthentikError
+from granny.authentik.provision import (
+    ADMIN_GROUP_NAME,
+    OIDC_SCOPES,
+    STOZ3N_DASH_STAGES,
+    ProvisionResult,
+    provision_stoz3n_dash,
+)
+
+__all__ = [
+    "ADMIN_GROUP_NAME",
+    "AuthentikClient",
+    "AuthentikError",
+    "OIDC_SCOPES",
+    "ProvisionResult",
+    "STOZ3N_DASH_STAGES",
+    "provision_stoz3n_dash",
+]

granny_devops-0.9.0/granny/authentik/client.py

@@ -0,0 +1,258 @@
+"""Thin wrapper around the Authentik REST API.
+
+Uses ``requests`` (already a granny core dependency) so this module does
+not require any optional extras.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+import requests
+
+logger = logging.getLogger(__name__)
+
+
+class AuthentikError(RuntimeError):
+    """Raised on non-2xx responses from the Authentik API."""
+
+    def __init__(self, status: int, body: str) -> None:
+        super().__init__(f"HTTP {status}: {body[:400]}")
+        self.status = status
+        self.body = body
+
+
+class AuthentikClient:
+    """Authenticated client for the Authentik v3 REST API.
+
+    Construct directly when you already have the credentials, or use
+    :meth:`from_environment` to resolve via granny's normal env/vault
+    pipeline.
+    """
+
+    def __init__(self, base_url: str, token: str, *, timeout: float = 30.0) -> None:
+        self.base_url = base_url.rstrip("/")
+        self._token = token
+        self._timeout = timeout
+        self._session = requests.Session()
+        self._session.headers.update(
+            {
+                "Authorization": f"Bearer {token}",
+                "Accept": "application/json",
+            }
+        )
+
+    @classmethod
+    def from_environment(cls) -> "AuthentikClient":
+        """Build a client from env vars + Vaultwarden fallback.
+
+        Resolution order for the token (explicit env always wins so a
+        rotated value in ``.env`` is picked up immediately without having
+        to invalidate the vault session cache):
+
+        1. ``AK_TOKEN`` (env / .env / .deploy.env) — short alias matching
+           the standalone Authentik scripts.
+        2. ``AUTHENTIK_API_TOKEN`` (env / .env / .deploy.env or
+           Vaultwarden at ``granny/infra/authentik-api-token``, via the
+           normal :func:`granny.credentials.get_secret` chain).
+
+        For the base URL, ``AUTHENTIK_URL`` wins; default
+        ``https://auth.pseekoo.io``.
+        """
+        import os
+
+        from granny.credentials import get_secret
+
+        token = os.environ.get("AK_TOKEN") or get_secret("AUTHENTIK_API_TOKEN")
+        if not token:
+            raise AuthentikError(
+                0,
+                "AUTHENTIK_API_TOKEN (or AK_TOKEN) is not set. "
+                "Either export it, add it to .env/.deploy.env, or push the "
+                "token to Vaultwarden under granny/infra/authentik-api-token "
+                "and install the [vault] extra.",
+            )
+        base_url = os.environ.get("AUTHENTIK_URL") or "https://auth.pseekoo.io"
+        return cls(base_url=base_url, token=token)
+
+    # ── HTTP plumbing ────────────────────────────────────────────────────
+
+    def request(
+        self,
+        method: str,
+        path: str,
+        *,
+        body: Any = None,
+        params: dict[str, Any] | None = None,
+    ) -> Any:
+        """Execute one API request and return the decoded JSON body.
+
+        Returns ``None`` on 204 / empty bodies.
+        """
+        if not path.startswith("/"):
+            path = "/" + path
+        url = self.base_url + path
+        clean_params = {k: v for k, v in (params or {}).items() if v is not None}
+        resp = self._session.request(
+            method=method.upper(),
+            url=url,
+            params=clean_params or None,
+            json=body,
+            timeout=self._timeout,
+        )
+        if resp.status_code >= 400:
+            raise AuthentikError(resp.status_code, resp.text)
+        if not resp.content:
+            return None
+        try:
+            return resp.json()
+        except ValueError:
+            return resp.text
+
+    def paginate(self, path: str, params: dict[str, Any] | None = None) -> list[dict[str, Any]]:
+        """Walk an Authentik list endpoint, returning all pages concatenated."""
+        out: list[dict[str, Any]] = []
+        page = 1
+        while True:
+            p = dict(params or {})
+            p["page"] = page
+            data = self.request("GET", path, params=p) or {}
+            out.extend(data.get("results", []))
+            if not data.get("pagination", {}).get("next"):
+                break
+            page += 1
+        return out
+
+    # ── High-level lookups ───────────────────────────────────────────────
+
+    def find_flow_pk(self, slug: str) -> str:
+        results = self.request("GET", "/api/v3/flows/instances/", params={"slug": slug}).get(
+            "results", []
+        )
+        for f in results:
+            if f["slug"] == slug:
+                return f["pk"]
+        raise AuthentikError(404, f"No flow with slug={slug!r}")
+
+    def find_signing_key_pk(self, *, prefer_self_signed: bool = True) -> str:
+        """Return the pk of a key pair that can sign tokens."""
+        keys = self.paginate("/api/v3/crypto/certificatekeypairs/")
+        candidates = [k for k in keys if k.get("private_key_available")]
+        if not candidates:
+            raise AuthentikError(404, "No usable signing key pairs found")
+        if prefer_self_signed:
+            for k in candidates:
+                if "self-signed" in k["name"].lower():
+                    return k["pk"]
+        return candidates[0]["pk"]
+
+    def find_scope_mappings(self, scope_names: tuple[str, ...] | list[str]) -> list[str]:
+        """Resolve scope-property-mapping pks by ``scope_name``."""
+        mappings = self.paginate("/api/v3/propertymappings/provider/scope/")
+        by_scope = {m["scope_name"]: m["pk"] for m in mappings}
+        try:
+            return [by_scope[scope] for scope in scope_names]
+        except KeyError as exc:
+            raise AuthentikError(404, f"Scope mapping for {exc.args[0]!r} not found") from exc
+
+    def find_group_by_name(self, name: str) -> dict[str, Any] | None:
+        for g in self.request("GET", "/api/v3/core/groups/", params={"name": name}).get(
+            "results", []
+        ):
+            if g["name"] == name:
+                return g
+        return None
+
+    def find_user_by_username(self, username: str) -> dict[str, Any] | None:
+        for u in self.request("GET", "/api/v3/core/users/", params={"username": username}).get(
+            "results", []
+        ):
+            if u["username"] == username:
+                return u
+        return None
+
+    def find_provider_by_name(self, name: str) -> dict[str, Any] | None:
+        for p in self.request("GET", "/api/v3/providers/oauth2/", params={"name": name}).get(
+            "results", []
+        ):
+            if p["name"] == name:
+                return p
+        return None
+
+    def find_application_by_slug(self, slug: str) -> dict[str, Any] | None:
+        """Look up an application by slug.
+
+        Uses a direct GET on the slug-keyed detail endpoint instead of the
+        list endpoint. Authentik's application list quietly hides records
+        whose policy bindings restrict ``view`` permissions, even for
+        superusers — direct GET by slug bypasses that filter.
+        """
+        try:
+            return self.request("GET", f"/api/v3/core/applications/{slug}/")
+        except AuthentikError as exc:
+            if exc.status == 404:
+                return None
+            raise
+
+    def find_provider_by_pk(self, pk: int | str) -> dict[str, Any] | None:
+        """Look up an OAuth2 provider by primary key (integer)."""
+        try:
+            return self.request("GET", f"/api/v3/providers/oauth2/{pk}/")
+        except AuthentikError as exc:
+            if exc.status == 404:
+                return None
+            raise
+
+    # ── Mutating helpers ─────────────────────────────────────────────────
+
+    def ensure_group(self, name: str) -> dict[str, Any]:
+        """Create a group if missing; return the (existing or new) group dict."""
+        existing = self.find_group_by_name(name)
+        if existing:
+            return existing
+        return self.request("POST", "/api/v3/core/groups/", body={"name": name})
+
+    def add_user_to_group(self, username: str, group_name: str) -> None:
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        group = self.find_group_by_name(group_name)
+        if not group:
+            raise AuthentikError(
+                404, f"Group {group_name!r} not found — create it with ensure_group first"
+            )
+        self.request(
+            "POST",
+            f"/api/v3/core/groups/{group['pk']}/add_user/",
+            body={"pk": user["pk"]},
+        )
+
+    def remove_user_from_group(self, username: str, group_name: str) -> None:
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        group = self.find_group_by_name(group_name)
+        if not group:
+            raise AuthentikError(404, f"Group {group_name!r} not found")
+        self.request(
+            "POST",
+            f"/api/v3/core/groups/{group['pk']}/remove_user/",
+            body={"pk": user["pk"]},
+        )
+
+    def rotate_client_secret(self, provider_name: str) -> dict[str, Any]:
+        """Rotate ``client_secret`` on an existing OAuth2 provider.
+
+        Authentik regenerates the secret server-side when we PATCH it to
+        an empty string. The returned dict carries the new value (when
+        the API echoes it back — varies by version).
+        """
+        provider = self.find_provider_by_name(provider_name)
+        if not provider:
+            raise AuthentikError(404, f"Provider {provider_name!r} not found")
+        return self.request(
+            "PATCH",
+            f"/api/v3/providers/oauth2/{provider['pk']}/",
+            body={"client_secret": ""},
+        )