granny-devops 0.9.3__tar.gz → 0.11.0__tar.gz

{granny_devops-0.9.3 → granny_devops-0.11.0}/.gitignore

@@ -67,3 +67,4 @@ vaultwarden-import-*.csv
 /dist/
 /build/
 
+/.claude/scheduled_*.lock

{granny_devops-0.9.3 → granny_devops-0.11.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.9.3
+Version: 0.11.0
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License
@@ -305,6 +305,21 @@ granny elk add-user user@example.com \
   --full-name "Example User" \
   --role kibana_admin \
   --generate-password
+
+# Azure -- subscriptions, ARM deployments, OpenAI, App Service, VM sizes
+granny azure account whoami                                  # signed-in identity
+granny azure account list                                    # subscriptions
+granny azure deployment list --subscription <id> --all-groups
+granny azure openai accounts --subscription <id>
+granny azure openai deployments --subscription <id> --kind OpenAI
+granny azure webapp list --subscription <id>
+granny azure vm-sizes list --subscription <id> --location polandcentral
+
+# Search-engine indexing (IndexNow + Google Indexing API)
+granny indexing generate-key                                 # mint an IndexNow key
+granny indexing submit https://example.com/new-page          # notify every engine
+granny indexing indexnow https://example.com/p1 https://example.com/p2
+granny indexing google https://example.com/job-posting --action URL_UPDATED
 ```
 
 ## Capability matrix
@@ -323,6 +338,8 @@ granny elk add-user user@example.com \
 | SSL automation | Bunny, Cloudflare, ACM |
 | SSO / IdP | Authentik (provider, application, group, and user operations) |
 | Observability admin | Elasticsearch / Kibana native-user management |
+| Azure ops | Identity, subscriptions, ARM deployments, Cognitive Services (Azure OpenAI), App Service, VM sizes, compute quota |
+| Search indexing | IndexNow (Bing/Yandex/Seznam/Naver/Yep), Google Indexing API |
 
 ## As a library
 
@@ -352,6 +369,8 @@ load_secrets_into_env()
 granny/
   cli/           Click command groups (granny <group> <verb>)
   analyze/      Cross-cloud inventory (AWS, GCP, Azure)
+  authentik/    Authentik admin
+  azure/        Azure account, ARM deployments, Cognitive, App Service, VM sizes, quota
   cdn/          Bunny CDN
   cloudflare/   Cloudflare Workers / D1 / R2 / KV
   create/       Standalone setup scripts (granny create <name>)
@@ -359,7 +378,9 @@ granny/
   dns/          Provider-agnostic DNS CRUD
   docker/       Multi-arch image builds
   edge/         Bunny Edge Scripting
+  elk/          Elasticsearch / Kibana security user management
   email/        Mailjet, WorkMail, SES forwarding
+  indexing/     IndexNow + Google Indexing API
   serverless/   Scaleway FaaS
   storage/      Object storage (AWS / Bunny / Hetzner)
 ```

{granny_devops-0.9.3 → granny_devops-0.11.0}/README.md

@@ -173,6 +173,21 @@ granny elk add-user user@example.com \
   --full-name "Example User" \
   --role kibana_admin \
   --generate-password
+
+# Azure -- subscriptions, ARM deployments, OpenAI, App Service, VM sizes
+granny azure account whoami                                  # signed-in identity
+granny azure account list                                    # subscriptions
+granny azure deployment list --subscription <id> --all-groups
+granny azure openai accounts --subscription <id>
+granny azure openai deployments --subscription <id> --kind OpenAI
+granny azure webapp list --subscription <id>
+granny azure vm-sizes list --subscription <id> --location polandcentral
+
+# Search-engine indexing (IndexNow + Google Indexing API)
+granny indexing generate-key                                 # mint an IndexNow key
+granny indexing submit https://example.com/new-page          # notify every engine
+granny indexing indexnow https://example.com/p1 https://example.com/p2
+granny indexing google https://example.com/job-posting --action URL_UPDATED
 ```
 
 ## Capability matrix
@@ -191,6 +206,8 @@ granny elk add-user user@example.com \
 | SSL automation | Bunny, Cloudflare, ACM |
 | SSO / IdP | Authentik (provider, application, group, and user operations) |
 | Observability admin | Elasticsearch / Kibana native-user management |
+| Azure ops | Identity, subscriptions, ARM deployments, Cognitive Services (Azure OpenAI), App Service, VM sizes, compute quota |
+| Search indexing | IndexNow (Bing/Yandex/Seznam/Naver/Yep), Google Indexing API |
 
 ## As a library
 
@@ -220,6 +237,8 @@ load_secrets_into_env()
 granny/
   cli/           Click command groups (granny <group> <verb>)
   analyze/      Cross-cloud inventory (AWS, GCP, Azure)
+  authentik/    Authentik admin
+  azure/        Azure account, ARM deployments, Cognitive, App Service, VM sizes, quota
   cdn/          Bunny CDN
   cloudflare/   Cloudflare Workers / D1 / R2 / KV
   create/       Standalone setup scripts (granny create <name>)
@@ -227,7 +246,9 @@ granny/
   dns/          Provider-agnostic DNS CRUD
   docker/       Multi-arch image builds
   edge/         Bunny Edge Scripting
+  elk/          Elasticsearch / Kibana security user management
   email/        Mailjet, WorkMail, SES forwarding
+  indexing/     IndexNow + Google Indexing API
   serverless/   Scaleway FaaS
   storage/      Object storage (AWS / Bunny / Hetzner)
 ```

{granny_devops-0.9.3 → granny_devops-0.11.0}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.9.3"
+__version__ = "0.11.0"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

granny_devops-0.11.0/granny/analyze/gpu_pricing.py

@@ -0,0 +1,199 @@
+"""Forward-looking GPU cluster cost estimation for AWS.
+
+Pulls live on-demand rates from the AWS Pricing API and effective hourly
+rates from Capacity Block offerings via ``describe_capacity_block_offerings``,
+then multiplies by hours and node count.
+
+The Pricing API runs only in ``us-east-1`` and ``ap-south-1`` but returns
+prices for every region. It does not need any non-default IAM permissions
+in most accounts. Capacity Block discovery does need an authenticated
+profile.
+
+Compute dominates an H100/H200 cluster's monthly bill by 2+ orders of
+magnitude (one ``p5en.48xlarge`` is ~$98/hr on-demand; the 100GB EBS root
+is ~$8/mo). We do not surface storage/network/data-transfer here -- treat
+the number as ``+/- 5%``.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+from dataclasses import dataclass
+
+logger = logging.getLogger(__name__)
+
+
+# AWS Pricing API uses human-readable "location" strings rather than
+# region codes. This covers the regions where p5e / p5en (H200) are sold.
+_PRICING_LOCATIONS: dict[str, str] = {
+    "us-east-1": "US East (N. Virginia)",
+    "us-east-2": "US East (Ohio)",
+    "us-west-1": "US West (N. California)",
+    "us-west-2": "US West (Oregon)",
+    "eu-west-1": "Europe (Ireland)",
+    "eu-west-2": "Europe (London)",
+    "eu-west-3": "Europe (Paris)",
+    "eu-central-1": "Europe (Frankfurt)",
+    "eu-north-1": "Europe (Stockholm)",
+    "ap-northeast-1": "Asia Pacific (Tokyo)",
+    "ap-northeast-2": "Asia Pacific (Seoul)",
+    "ap-southeast-1": "Asia Pacific (Singapore)",
+    "ap-southeast-2": "Asia Pacific (Sydney)",
+    "ap-south-1": "Asia Pacific (Mumbai)",
+    "ca-central-1": "Canada (Central)",
+}
+
+
+@dataclass
+class GpuClusterCostEstimate:
+    """Per-region, per-pricing-plan estimate for a GPU cluster.
+
+    ``hourly_per_node`` is the canonical figure; ``monthly_*`` are derived
+    by multiplying by ``hours_per_month`` and ``node_count``. ``None`` means
+    the underlying API returned nothing (region unsupported, no capacity).
+    """
+
+    instance_type: str
+    region: str
+    node_count: int
+    plan: str  # 'ondemand' or 'capacity-block'
+    hourly_per_node: float | None
+    monthly_per_node: float | None
+    monthly_total: float | None
+    hours_per_month: float
+    currency: str
+    notes: str
+
+
+def get_aws_ondemand_hourly(
+    instance_type: str,
+    region: str,
+    profile: str | None = None,
+) -> float | None:
+    """Return the on-demand USD/hour price for a Linux instance in the region.
+
+    Returns ``None`` if the Pricing API has no matching offer (typically
+    means the instance type is not yet sold in that region).
+    """
+    import boto3
+    from botocore.exceptions import BotoCoreError, ClientError
+
+    location = _PRICING_LOCATIONS.get(region)
+    if not location:
+        raise ValueError(
+            f"Unmapped Pricing API location for region {region!r}; "
+            f"add it to _PRICING_LOCATIONS"
+        )
+
+    session = boto3.Session(profile_name=profile if profile and profile != "default" else None)
+    pricing = session.client("pricing", region_name="us-east-1")
+
+    filters = [
+        {"Type": "TERM_MATCH", "Field": "ServiceCode", "Value": "AmazonEC2"},
+        {"Type": "TERM_MATCH", "Field": "instanceType", "Value": instance_type},
+        {"Type": "TERM_MATCH", "Field": "location", "Value": location},
+        {"Type": "TERM_MATCH", "Field": "tenancy", "Value": "Shared"},
+        {"Type": "TERM_MATCH", "Field": "operatingSystem", "Value": "Linux"},
+        {"Type": "TERM_MATCH", "Field": "preInstalledSw", "Value": "NA"},
+        {"Type": "TERM_MATCH", "Field": "capacitystatus", "Value": "Used"},
+        {"Type": "TERM_MATCH", "Field": "marketoption", "Value": "OnDemand"},
+    ]
+    try:
+        resp = pricing.get_products(ServiceCode="AmazonEC2", Filters=filters, MaxResults=20)
+    except (BotoCoreError, ClientError) as e:
+        raise RuntimeError(f"AWS Pricing API call failed: {e}") from e
+
+    for raw in resp.get("PriceList", []):
+        doc = json.loads(raw)
+        for term in doc.get("terms", {}).get("OnDemand", {}).values():
+            for dim in term.get("priceDimensions", {}).values():
+                price = dim.get("pricePerUnit", {}).get("USD")
+                if price and float(price) > 0:
+                    return float(price)
+    return None
+
+
+def _capacity_block_hourly(
+    instance_type: str,
+    node_count: int,
+    region: str,
+    profile: str | None,
+) -> tuple[float | None, str]:
+    """Return ``(effective_hourly_per_node, note)`` from cheapest current block."""
+    from granny.analyze.gpus import list_aws_capacity_block_offerings
+
+    offerings = list_aws_capacity_block_offerings(
+        instance_type=instance_type,
+        instance_count=node_count,
+        duration_hours=24,
+        start_window_days=30,
+        profiles=[profile] if profile else None,
+        regions=[region],
+    )
+    if not offerings:
+        return None, "No Capacity Block offerings in the next 30 days"
+
+    cheapest = offerings[0]
+    hours = cheapest.duration_hours or 24
+    nodes = cheapest.instance_count or node_count or 1
+    per_node_hour = cheapest.upfront_fee / (nodes * hours)
+    note = (
+        f"From cheapest 24h block: ${cheapest.upfront_fee:,.2f} upfront for "
+        f"{cheapest.instance_count}x at {cheapest.start_time[:10]}"
+    )
+    return per_node_hour, note
+
+
+def estimate_cluster_monthly(
+    instance_type: str,
+    node_count: int,
+    region: str,
+    plan: str = "ondemand",
+    hours_per_month: float = 730.0,
+    profile: str | None = None,
+) -> GpuClusterCostEstimate:
+    """Estimate the monthly cost of a GPU cluster in one region under one plan.
+
+    Args:
+        instance_type: EC2 instance type, e.g. ``p5en.48xlarge`` (H200 x8).
+        node_count: Number of nodes the cluster runs at full active load.
+        region: AWS region code.
+        plan: ``"ondemand"`` (Pricing API) or ``"capacity-block"`` (derives
+            an effective hourly from the cheapest 24h block currently sold).
+        hours_per_month: 730 = full 24/7 month; 168 = one week per month;
+            etc. Use this to model partial-month usage.
+        profile: AWS profile (needed only for ``"capacity-block"``).
+    """
+    notes: list[str] = []
+    hourly: float | None = None
+
+    if plan == "ondemand":
+        hourly = get_aws_ondemand_hourly(instance_type, region, profile)
+        if hourly is None:
+            notes.append(
+                f"Pricing API has no on-demand offer for {instance_type} in {region}"
+            )
+    elif plan == "capacity-block":
+        hourly, cb_note = _capacity_block_hourly(instance_type, node_count, region, profile)
+        notes.append(cb_note)
+    else:
+        raise ValueError(
+            f"plan must be 'ondemand' or 'capacity-block', got {plan!r}"
+        )
+
+    monthly_per_node = hourly * hours_per_month if hourly is not None else None
+    monthly_total = monthly_per_node * node_count if monthly_per_node is not None else None
+
+    return GpuClusterCostEstimate(
+        instance_type=instance_type,
+        region=region,
+        node_count=node_count,
+        plan=plan,
+        hourly_per_node=hourly,
+        monthly_per_node=monthly_per_node,
+        monthly_total=monthly_total,
+        hours_per_month=hours_per_month,
+        currency="USD",
+        notes="; ".join(n for n in notes if n),
+    )

granny_devops-0.11.0/granny/aws/__init__.py

@@ -0,0 +1 @@
+"""AWS helpers for granny (service quotas, ...)."""

granny_devops-0.11.0/granny/aws/quota.py

@@ -0,0 +1,163 @@
+"""AWS Service Quotas inspection and increase-request helpers.
+
+Thin boto3 wrapper around the `service-quotas` API. Read paths (`get`,
+`status`) need `servicequotas:GetServiceQuota` /
+`servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota`; the write
+path (`request`) needs `servicequotas:RequestServiceQuotaIncrease`.
+
+A small registry of commonly-needed EC2 quota codes is included so callers
+can say `--gpu` instead of memorising `L-DB2E81BA`.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+import boto3
+
+# Friendly aliases -> (service_code, quota_code). EC2 on-demand vCPU quotas.
+# https://docs.aws.amazon.com/ec2/latest/userguide/ec2-resource-limits.html
+QUOTA_ALIASES: dict[str, tuple[str, str]] = {
+    # G and VT instances (NVIDIA L4 / A10G / T4 etc) -- the one that gates g6/g5.
+    "gpu": ("ec2", "L-DB2E81BA"),
+    "g-and-vt": ("ec2", "L-DB2E81BA"),
+    # P instances (A100/H100 etc).
+    "p": ("ec2", "L-417A185B"),
+    # Standard on-demand (A/C/D/H/I/M/R/T/Z).
+    "standard": ("ec2", "L-1216C47A"),
+    # Inf (Inferentia).
+    "inf": ("ec2", "L-1945791B"),
+}
+
+
+@dataclass
+class ServiceQuota:
+    service_code: str
+    quota_code: str
+    quota_name: str
+    value: float | None
+    adjustable: bool
+    unit: str | None
+    region: str
+    raw: dict[str, Any]
+
+
+@dataclass
+class QuotaChangeRequest:
+    service_code: str
+    quota_code: str
+    quota_name: str
+    desired_value: float
+    status: str | None
+    request_id: str | None
+    case_id: str | None
+    region: str
+    raw: dict[str, Any]
+
+
+def resolve_alias(alias_or_code: str) -> tuple[str, str]:
+    """Map a friendly alias (``gpu``) to ``(service_code, quota_code)``.
+
+    If the input already looks like a raw quota code (``L-...``) it is
+    returned against the default ``ec2`` service.
+    """
+    key = alias_or_code.strip().lower()
+    if key in QUOTA_ALIASES:
+        return QUOTA_ALIASES[key]
+    return ("ec2", alias_or_code.strip())
+
+
+def _client(profile: str | None, region: str | None) -> Any:
+    session = boto3.Session(
+        profile_name=profile if profile and profile != "default" else None,
+        region_name=region,
+    )
+    return session.client("service-quotas")
+
+
+def get_quota(
+    *,
+    service_code: str,
+    quota_code: str,
+    profile: str | None = None,
+    region: str | None = None,
+) -> ServiceQuota:
+    """Return the current (applied) value for one quota."""
+    client = _client(profile, region)
+    resolved_region = client.meta.region_name
+    resp = client.get_service_quota(ServiceCode=service_code, QuotaCode=quota_code)
+    q = resp.get("Quota", {})
+    return ServiceQuota(
+        service_code=service_code,
+        quota_code=quota_code,
+        quota_name=q.get("QuotaName", ""),
+        value=q.get("Value"),
+        adjustable=bool(q.get("Adjustable", False)),
+        unit=q.get("Unit"),
+        region=resolved_region,
+        raw=q,
+    )
+
+
+def request_increase(
+    *,
+    service_code: str,
+    quota_code: str,
+    desired_value: float,
+    profile: str | None = None,
+    region: str | None = None,
+) -> QuotaChangeRequest:
+    """Submit a quota-increase request. Idempotency is AWS-side: a pending
+    request for the same quota will be rejected by the API."""
+    client = _client(profile, region)
+    resolved_region = client.meta.region_name
+    resp = client.request_service_quota_increase(
+        ServiceCode=service_code,
+        QuotaCode=quota_code,
+        DesiredValue=desired_value,
+    )
+    r = resp.get("RequestedQuota", {})
+    return QuotaChangeRequest(
+        service_code=service_code,
+        quota_code=quota_code,
+        quota_name=r.get("QuotaName", ""),
+        desired_value=r.get("DesiredValue", desired_value),
+        status=r.get("Status"),
+        request_id=r.get("Id"),
+        case_id=r.get("CaseId"),
+        region=resolved_region,
+        raw=r,
+    )
+
+
+def list_requested_changes(
+    *,
+    service_code: str,
+    quota_code: str,
+    profile: str | None = None,
+    region: str | None = None,
+) -> list[QuotaChangeRequest]:
+    """Return the change-request history for one quota (most recent first)."""
+    client = _client(profile, region)
+    resolved_region = client.meta.region_name
+    resp = client.list_requested_service_quota_change_history_by_quota(
+        ServiceCode=service_code,
+        QuotaCode=quota_code,
+    )
+    out: list[QuotaChangeRequest] = []
+    for r in resp.get("RequestedQuotas", []):
+        out.append(
+            QuotaChangeRequest(
+                service_code=service_code,
+                quota_code=quota_code,
+                quota_name=r.get("QuotaName", ""),
+                desired_value=r.get("DesiredValue", 0.0),
+                status=r.get("Status"),
+                request_id=r.get("Id"),
+                case_id=r.get("CaseId"),
+                region=resolved_region,
+                raw=r,
+            )
+        )
+    return out

granny_devops-0.11.0/granny/azure/__init__.py

@@ -0,0 +1 @@
+"""Azure operational helpers."""

granny_devops-0.11.0/granny/azure/_client.py

@@ -0,0 +1,81 @@
+"""Shared Azure Resource Manager HTTP helpers.
+
+Used by every module under ``granny.azure`` except ``quota.py``, which keeps
+its own copy for historical reasons. New modules should route through here.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+from collections.abc import Iterator
+from typing import Any
+
+import requests
+
+MANAGEMENT_SCOPE = "https://management.azure.com/.default"
+MANAGEMENT_URL = "https://management.azure.com"
+
+
+def get_management_token() -> str:
+    """Return an ARM bearer token from the default credential chain."""
+    try:
+        from azure.identity import DefaultAzureCredential
+    except ImportError as e:
+        raise RuntimeError(
+            "Azure support requires the [azure] extra: "
+            "pip install 'granny-devops[azure]'"
+        ) from e
+
+    credential = DefaultAzureCredential()
+    return credential.get_token(MANAGEMENT_SCOPE).token
+
+
+def headers(token: str | None = None) -> dict[str, str]:
+    """Authorization headers for ARM REST calls."""
+    bearer = token if token is not None else get_management_token()
+    return {
+        "Authorization": f"Bearer {bearer}",
+        "Content-Type": "application/json",
+    }
+
+
+def get(url: str, *, token: str | None = None) -> dict[str, Any]:
+    """Issue a GET against ARM and return the JSON body."""
+    response = requests.get(url, headers=headers(token), timeout=60)
+    if response.status_code == 404:
+        raise KeyError(f"Azure resource not found: {url}")
+    if response.status_code != 200:
+        raise_response_error("GET", url, response)
+    return response.json()
+
+
+def paginate(url: str, *, token: str | None = None) -> Iterator[dict[str, Any]]:
+    """Yield each item from a paginated ARM ``value``/``nextLink`` collection."""
+    bearer = token if token is not None else get_management_token()
+    next_url: str | None = url
+    while next_url:
+        data = get(next_url, token=bearer)
+        for item in data.get("value", []):
+            yield item
+        next_url = data.get("nextLink")
+
+
+def decode_jwt_payload(token: str) -> dict[str, Any]:
+    """Return the unverified JWT payload claims for ``token``."""
+    parts = token.split(".")
+    if len(parts) < 2:
+        return {}
+    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
+    try:
+        return json.loads(base64.urlsafe_b64decode(payload_b64))
+    except (ValueError, json.JSONDecodeError):
+        return {}
+
+
+def raise_response_error(method: str, url: str, response: requests.Response) -> None:
+    """Wrap a non-OK ARM response in a uniform RuntimeError."""
+    snippet = response.text[:1000]
+    raise RuntimeError(
+        f"Azure ARM {method} {url} failed: {response.status_code} {snippet}"
+    )

granny_devops-0.11.0/granny/azure/account.py

@@ -0,0 +1,90 @@
+"""Azure account and subscription helpers."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+from granny.azure import _client
+
+_SUBSCRIPTIONS_API_VERSION = "2022-12-01"
+_TENANTS_API_VERSION = "2022-12-01"
+
+
+@dataclass
+class AzureIdentity:
+    object_id: str | None
+    tenant_id: str | None
+    user_principal_name: str | None
+    display_name: str | None
+    app_id: str | None
+    identity_type: str | None
+    audience: str | None
+    raw_claims: dict[str, Any]
+
+
+@dataclass
+class AzureSubscription:
+    subscription_id: str
+    display_name: str
+    state: str | None
+    tenant_id: str | None
+    raw: dict[str, Any]
+
+
+@dataclass
+class AzureTenant:
+    tenant_id: str
+    display_name: str | None
+    default_domain: str | None
+    raw: dict[str, Any]
+
+
+def get_signed_in_identity() -> AzureIdentity:
+    """Return identity info derived from the current ARM access token."""
+    token = _client.get_management_token()
+    claims = _client.decode_jwt_payload(token)
+    return AzureIdentity(
+        object_id=claims.get("oid"),
+        tenant_id=claims.get("tid"),
+        user_principal_name=claims.get("upn") or claims.get("unique_name"),
+        display_name=claims.get("name"),
+        app_id=claims.get("appid") or claims.get("azp"),
+        identity_type=claims.get("idtyp"),
+        audience=claims.get("aud"),
+        raw_claims=claims,
+    )
+
+
+def list_subscriptions() -> list[AzureSubscription]:
+    """List subscriptions visible to the signed-in identity."""
+    url = (
+        f"{_client.MANAGEMENT_URL}/subscriptions"
+        f"?api-version={_SUBSCRIPTIONS_API_VERSION}"
+    )
+    return [_parse_subscription(item) for item in _client.paginate(url)]
+
+
+def list_tenants() -> list[AzureTenant]:
+    """List tenants visible to the signed-in identity."""
+    url = f"{_client.MANAGEMENT_URL}/tenants?api-version={_TENANTS_API_VERSION}"
+    return [_parse_tenant(item) for item in _client.paginate(url)]
+
+
+def _parse_subscription(item: dict[str, Any]) -> AzureSubscription:
+    return AzureSubscription(
+        subscription_id=item.get("subscriptionId", ""),
+        display_name=item.get("displayName", ""),
+        state=item.get("state"),
+        tenant_id=item.get("tenantId"),
+        raw=item,
+    )
+
+
+def _parse_tenant(item: dict[str, Any]) -> AzureTenant:
+    return AzureTenant(
+        tenant_id=item.get("tenantId", ""),
+        display_name=item.get("displayName"),
+        default_domain=item.get("defaultDomain"),
+        raw=item,
+    )