magic-pocket-cli 0.2.0__py3-none-any.whl

magic_pocket_cli-0.2.0.dist-info/METADATA

@@ -0,0 +1,14 @@
+Metadata-Version: 2.4
+Name: magic-pocket-cli
+Version: 0.2.0
+Summary: CLI and deploy tools for magic-pocket.
+Requires-Python: >=3.10
+Requires-Dist: awscrt>=0.19.0
+Requires-Dist: click>=8.1.7
+Requires-Dist: deepdiff>=6.7.1
+Requires-Dist: jinja2>=3.1.3
+Requires-Dist: magic-pocket>=0.2.0
+Requires-Dist: pathspec>=1.0.4
+Requires-Dist: python-on-whales>=0.68.0
+Requires-Dist: pyyaml>=6.0.1
+Requires-Dist: requests>=2.31.0

magic_pocket_cli-0.2.0.dist-info/RECORD

@@ -0,0 +1,65 @@
+pocket_cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pocket_cli/django_cli.py,sha256=dMy530NG_JuTh8Ij280kYntkttmiSlguxFMthcf4s6M,15630
+pocket_cli/mediator.py,sha256=xJbVM6c8T26WQe4gihNwDngEF7VPIGRFW_l3FNu4lTw,8875
+pocket_cli/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pocket_cli/cli/aws_auth.py,sha256=UyH3U8m6nQYggHC9RVK8zxk8YpjoAV50nGy75ZT97kk,1561
+pocket_cli/cli/awscontainer_cli.py,sha256=XnUrLcWrNhG_wocNjJ_lAXZ2TlH5llQRZHB5KL2g9dk,12366
+pocket_cli/cli/cloudfront_cli.py,sha256=HHhsAaxR6md6gVdKs8XCuetm-_NhMEjqaxVdsgiOCFY,3981
+pocket_cli/cli/cloudfront_keys_cli.py,sha256=h7oBRjZBSNVmIVIlY35AMr1LDYISV914h4zHQ8mWY2Q,2228
+pocket_cli/cli/cloudfront_waf_cli.py,sha256=uMMEFbCveS71fcTMDUljwwjdGZemQF9XhPsZ5GRKf_0,2208
+pocket_cli/cli/deploy_cli.py,sha256=leZaj5ACmzD-kW_-HK7tiCTW_M8gA0H4BpTUw3ykPuo,11172
+pocket_cli/cli/destroy_cli.py,sha256=QDQ-fXIBd527G5upxudTh37FDfilpv038oaeg-IUSek,13037
+pocket_cli/cli/dsql_cli.py,sha256=-46jydJ5-VNsuz_MjUtHl4upE_OjkiGuGTFPv9eXiTs,1559
+pocket_cli/cli/main_cli.py,sha256=R6YykChh9PjFbupHvTtHMkFb1pJOqPaVguipK_DHLPs,2209
+pocket_cli/cli/migrate_cli.py,sha256=hoPlWmcwxjACUBE81m_aNOMJUhgKNdybTTrdgE00_ZQ,5343
+pocket_cli/cli/neon_cli.py,sha256=sYfFFcC2z51mPmwco4ztGnVwEDpAKKeRD-IWQJ4R5Xc,2661
+pocket_cli/cli/permissions_cli.py,sha256=DWnuOWzPoQH3n4g-RTVCjpwtAnwy25yCi6t7Uq5jgnY,1444
+pocket_cli/cli/rds_cli.py,sha256=CKkPLlWMhSBY_JaNqrCLaCh9eDk9IYB8xtHdzerN1Pk,1800
+pocket_cli/cli/runtime_config_cli.py,sha256=aXNOtEVK6pdSifezRik8J59tBNP4Z0Qmxxeo8j00tB0,5664
+pocket_cli/cli/s3_cli.py,sha256=k7oXK7TxAe_h43wB39DFIEuLNI5pn7Ih58jixv3PYb0,1964
+pocket_cli/cli/status_cli.py,sha256=aQ8RlIqD3yI2evCrv9EsUOVYySCk_10S0maEsi2_8tE,2039
+pocket_cli/cli/tidb_cli.py,sha256=4LpBhA0R1dH0YlRC5jSmIm5ybD6hRGZieeGJ4Vi_vZ8,1985
+pocket_cli/cli/vpc_cli.py,sha256=45EzCmOudaCq4OjtkXlU-FHzFl1Bq8i9CZ-7Tf7Svi0,2363
+pocket_cli/cli/waf_cli.py,sha256=KrKnd9Czmo7KtI860gsJKj8D4lVnzRQjGcEwP7RhhEs,6931
+pocket_cli/resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pocket_cli/resources/awscontainer.py,sha256=uM8G7wGazSERNGim-DY6LCVomkvvEAKEME4pyKFWwbU,9854
+pocket_cli/resources/cloudfront.py,sha256=jnhdWlAGAYulGo8We8aScpB8fq9c3EPnHrWUyk30Qmk,19853
+pocket_cli/resources/cloudfront_acm.py,sha256=FcilpNv3kWkXr3rasVjDWkAzdXqO19cvscZhtIOHuqc,1543
+pocket_cli/resources/cloudfront_keys.py,sha256=2mqar5CvL7fgXNErFZy__-ZNCGVq_sPfvPINAxr0yoA,2708
+pocket_cli/resources/cloudfront_waf.py,sha256=btGB_j5yfQyjNVxlvuHqcS29F5poN3u3Wdn-nEk0L4U,2207
+pocket_cli/resources/dsql.py,sha256=VfmDz0Crv8QN-vulrVRhLMzdJ6I3igr88xI3cLPMZL4,4844
+pocket_cli/resources/neon.py,sha256=gc0c0O6iYWmtQLsmc_NqHRp1kiA7BR5Sq4VSdDYpsPc,11558
+pocket_cli/resources/rds.py,sha256=rTyLfMQVOMCmXrVse-7h6rv423jlYU7JdNnG1pKtxHE,28039
+pocket_cli/resources/s3.py,sha256=gTisgRP-rfDgLpNq_WdUkMcOzpKv-kd1SnyPMO8BoU0,11407
+pocket_cli/resources/tidb.py,sha256=0MuIzXtxVvDIzroOwXefrF6i6IaKitn4TYynsHB9JWw,9918
+pocket_cli/resources/upstash.py,sha256=zQBGELyj51sJXeNc8dmg087U_b4I1kcNikmKFS4PirU,4993
+pocket_cli/resources/vpc.py,sha256=Ordq-NzW6JtfoL5wSJx8wVfuaSIsVu5riVNOloFsvX8,1748
+pocket_cli/resources/aws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pocket_cli/resources/aws/cloudformation.py,sha256=PhStRkUUE7XTMQKrlmGHnnbtfDCK3-kdXIv65QLJDKM,27056
+pocket_cli/resources/aws/ecr.py,sha256=rz1ew-_4INcA4_vToPDmt8062cGkOA_Kyo1WaDsopCk,4758
+pocket_cli/resources/aws/efs.py,sha256=Efpc_gew1zRP84UNjFh6BE1p-ZO0LSgK_Rn2HnUTh4w,3959
+pocket_cli/resources/aws/lambdahandler.py,sha256=omAnYWDxzSfuAaOzADN07EOuv_YruZmbr9cqnuOyDrA,6648
+pocket_cli/resources/aws/s3_utils.py,sha256=V7OxvCIBPQzbGNPzjQykxv6FyXE2AgD9oTx0S1QtHxg,2239
+pocket_cli/resources/aws/state.py,sha256=8aW74aVKw-8l_87mskFR7o2Wo_YBJRF89keSwn5EArs,2460
+pocket_cli/resources/aws/builders/__init__.py,sha256=rXDg-eloadb9Mq5Px0YQJS74bCzmt8aQ1HeNI-vaatQ,1498
+pocket_cli/resources/aws/builders/codebuild.py,sha256=uQPrXON3iejuiv_mer1Imge0tVcLTrWBnDCidzxrP60,12928
+pocket_cli/resources/aws/builders/depot.py,sha256=uefBJzVsAJYNZ_tjcfaS0Hq3cbtT9cgQ-6fjSHiVLmk,2332
+pocket_cli/resources/aws/builders/docker.py,sha256=FS8GSuBdC3WcXDGOapUqMnUK_q6Lgv0TKAz0OXL07Ug,859
+pocket_cli/resources/aws/builders/dockerignore.py,sha256=KQCoDxO1WRNYoupAlBJkwB4L2l6DUNCsaYUpIPwwRtE,1342
+pocket_cli/templates/cloudformation/awscontainer.yaml,sha256=D-5WYQBUm0jz4l8p3_E9HKzeNUAG2JA1f2OZrSduUp4,17755
+pocket_cli/templates/cloudformation/cf_function_api_host.js,sha256=3gvODZucBKysLzMwIjT5dD2aomO67b5PEVqBrXVj6iI,162
+pocket_cli/templates/cloudformation/cf_function_spa_auth.js,sha256=1lWrhMtiiSbDg0nIkv7wgga7LXCEiRsGHU-N4WnpvFo,1226
+pocket_cli/templates/cloudformation/cf_function_spa_fallback.js,sha256=LU8qCe-xQni8xQDhQ149EG1zGDS2WR9iKRkw8rOpg-8,215
+pocket_cli/templates/cloudformation/cloudfront.yaml,sha256=SeBGabd0Ne06c9JMiabsbq1j2Qr5bqS475rU-Wyubl4,11032
+pocket_cli/templates/cloudformation/cloudfront_acm.yaml,sha256=vtzGST1Xups1MTHOk-NNw8qf74EhrTOIfWrIAHZUJ60,1158
+pocket_cli/templates/cloudformation/cloudfront_keys.yaml,sha256=Cj3MDanxK-5l-0YHb4jloc5leMv7KRK4F4UK7Q5K83o,781
+pocket_cli/templates/cloudformation/cloudfront_waf.yaml,sha256=TTWxEF5b1X8hUxpjqPUfvog08Q4-tm4y7zmZsmTVrpQ,3199
+pocket_cli/templates/cloudformation/vpc.yaml,sha256=jV11OzAVhjOn36uO3PKWDpdEFqJD9TreCFV177lbcdY,5085
+pocket_cli/templates/init/django-dotenv.env,sha256=sgYd_76armFBDDOVEYB4B0PZp0UR8soEf5RJ0NwVwEk,73
+pocket_cli/templates/init/django-settings.py,sha256=6LJWDGaGhazcqsGc-XNPZ9qUAcuUciykd90slD1Y-og,3600
+pocket_cli/templates/init/pocket.Dockerfile,sha256=d0DMct6vZIo9daxioZWT0k3CvqUhG9JlW2XqXjWNytM,688
+pocket_cli/templates/init/pocket_simple.toml,sha256=OcyI0_w65uztA_pfYfqxzCmh1WShORpX4-6lkAwA7Lg,852
+magic_pocket_cli-0.2.0.dist-info/METADATA,sha256=EAwxE7JcfHPmxxQwX6by7dnq5ALTftGPCHap_RlXFXE,417
+magic_pocket_cli-0.2.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+magic_pocket_cli-0.2.0.dist-info/entry_points.txt,sha256=X84PBkd02_mFxiCPs97TMJCQo6SwLYjBTxs450JwPfw,56
+magic_pocket_cli-0.2.0.dist-info/RECORD,,

magic_pocket_cli-0.2.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

magic_pocket_cli-0.2.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+pocket = pocket_cli.cli.main_cli:main

pocket_cli/cli/aws_auth.py

@@ -0,0 +1,48 @@
+from __future__ import annotations
+
+import boto3
+from botocore.exceptions import (
+    ClientError,
+    NoCredentialsError,
+    TokenRetrievalError,
+)
+
+from pocket.utils import echo
+
+
+def check_aws_credentials() -> None:
+    """AWS 認証情報が有効か確認し、無効ならガイドを表示して終了する"""
+    try:
+        sts = boto3.client("sts")
+        sts.get_caller_identity()
+    except TokenRetrievalError:
+        _print_auth_guide("SSO トークンの有効期限が切れています。")
+        raise SystemExit(1) from None
+    except NoCredentialsError:
+        _print_auth_guide("AWS 認証情報が見つかりません。")
+        raise SystemExit(1) from None
+    except ClientError as e:
+        if e.response["Error"]["Code"] in (
+            "ExpiredToken",
+            "ExpiredTokenException",
+        ):
+            _print_auth_guide("AWS 認証トークンの有効期限が切れています。")
+            raise SystemExit(1) from None
+        raise
+
+
+def _print_auth_guide(message: str) -> None:
+    echo.danger(message)
+    echo.info("")
+    echo.info("以下のいずれかで認証してください:")
+    echo.info("")
+    echo.info("  SSO の場合:")
+    echo.info("    aws sso login")
+    echo.info("    aws sso login --profile <profile-name>")
+    echo.info("")
+    echo.info("  IAM ユーザーの場合:")
+    echo.info("    aws configure")
+    echo.info("")
+    echo.info("  環境変数の場合:")
+    echo.info("    export AWS_ACCESS_KEY_ID=...")
+    echo.info("    export AWS_SECRET_ACCESS_KEY=...")

pocket_cli/cli/awscontainer_cli.py

@@ -0,0 +1,328 @@
+from __future__ import annotations
+
+import webbrowser
+
+import boto3
+import click
+from botocore.exceptions import ClientError
+
+from pocket.context import Context
+from pocket.runtime import get_secrets
+from pocket.utils import echo
+from pocket_cli.mediator import Mediator
+from pocket_cli.resources.awscontainer import AwsContainer
+
+
+@click.group()
+def awscontainer():
+    pass
+
+
+def get_awscontainer_resource(stage):
+    context = Context.from_toml(stage=stage)
+    if not context.awscontainer:
+        echo.danger("awscontainer is not configured for this stage")
+        raise Exception("awscontainer is not configured for this stage")
+    return AwsContainer(context=context.awscontainer)
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def yaml(stage):
+    ac = get_awscontainer_resource(stage)
+    print(ac.stack.yaml)
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def yaml_diff(stage):
+    ac = get_awscontainer_resource(stage)
+    print(ac.stack.yaml_diff.to_json(indent=2))
+
+
+@awscontainer.group()
+def secrets():
+    pass
+
+
+@secrets.command("list")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--show-values", is_flag=True, default=False)
+def list_secrets(stage, show_values):
+    ac = get_awscontainer_resource(stage)
+    sc = ac.context.secrets
+    if not sc:
+        echo.warning("secrets is not configured for this stage")
+        return
+    for key, spec in sc.user.items():
+        effective_store = spec.store or sc.store
+        print("%s: %s (store=%s)" % (key, spec.name, effective_store))
+        if show_values:
+            if effective_store == "sm":
+                client = boto3.client("secretsmanager", region_name=sc.region)
+                value = client.get_secret_value(SecretId=spec.name)["SecretString"]
+            else:
+                client = boto3.client("ssm", region_name=sc.region)
+                value = client.get_parameter(Name=spec.name, WithDecryption=True)[
+                    "Parameter"
+                ]["Value"]
+            print("  - " + value)
+    for key, pocket_secret in sc.managed.items():
+        status = "CREATED" if key in sc.pocket_store.secrets else "NOEXIST"
+        print("%s: %s %s" % (key, pocket_secret.type, pocket_secret.options))
+        print("  - " + status)
+        if (status == "CREATED") and show_values:
+            value = sc.pocket_store.secrets[key]
+            if isinstance(value, str):
+                print("  - " + value)
+            else:
+                for k, v in value.items():
+                    print(f"  - {k}: {v}")
+
+
+@secrets.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def create_pocket_managed(stage):
+    ac = get_awscontainer_resource(stage)
+    sc = ac.context.secrets
+    if not sc:
+        echo.warning("secrets is not configured for this stage")
+        return
+    mediator = Mediator(Context.from_toml(stage=stage))
+    mediator.create_pocket_managed_secrets()
+
+
+def _confirm_delete_pocket_managed_secrets(awscontainer: AwsContainer):
+    sc = awscontainer.context.secrets
+    if not sc:
+        echo.warning("secrets is not configured")
+        return
+    existing_secret_keys = [
+        key for key in sc.managed.keys() if key in sc.pocket_store.secrets
+    ]
+    if not existing_secret_keys:
+        echo.warning("No pocket managed secets are created yet.")
+        return
+    echo.warning("You are deleting pocket managed secrets.")
+    echo.info("Deleting secrets:")
+    for key in existing_secret_keys:
+        echo.info(" - " + key)
+    echo.danger("This data cannot be restored!")
+    click.confirm("Do you realy want to delete pocket managed secrets?", abort=True)
+
+
+@secrets.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def delete_pocket_managed(stage):
+    ac = get_awscontainer_resource(stage)
+    _confirm_delete_pocket_managed_secrets(ac)
+    if ac.context.secrets:
+        ac.context.secrets.pocket_store.delete_secrets()
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def create(stage):
+    ac = get_awscontainer_resource(stage)
+    if not ac.status == "NOEXIST":
+        echo.warning("AWS lambda container is already created.")
+    else:
+        mediator = Mediator(Context.from_toml(stage=stage))
+        ac.create(mediator)
+        echo.success("Created: lambda")
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--with-secrets", is_flag=True, default=False)
+def destroy(stage, with_secrets):
+    ac = get_awscontainer_resource(stage)
+    if ac.stack.status == "NOEXIST":
+        echo.warning("No AWS lambda container found.")
+    else:
+        ac.stack.delete()
+        echo.success("Aws lambda container was destroyed.")
+    if ac.ecr.exists():
+        ac.ecr.delete()
+        echo.success("ECR repository was deleted.")
+    else:
+        echo.warning("No ECR repository found.")
+    if with_secrets:
+        _confirm_delete_pocket_managed_secrets(ac)
+        if ac.context.secrets:
+            ac.context.secrets.pocket_store.delete_secrets()
+            echo.success("Pocket managed secrets were deleted.")
+    else:
+        echo.warning("Pocket managed secrets still exists.")
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def update(stage):
+    ac = get_awscontainer_resource(stage)
+    if ac.status == "NOEXIST":
+        echo.warning("AWS lambda has not created yet.")
+        return
+    if ac.status == "FAILED":
+        echo.danger("AWS lambda has failed. Please check console.")
+        return
+    if ac.status == "PROGRESS":
+        echo.warning("AWS lambda is updating. Please wait.")
+        return
+    mediator = Mediator(Context.from_toml(stage=stage))
+    ac.update(mediator)
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def status(stage):
+    ac = get_awscontainer_resource(stage)
+    if ac.status == "COMPLETED":
+        echo.success("Container is working!!!")
+    elif ac.status == "NOEXIST":
+        echo.warning("Container has not created yet.")
+    elif ac.status == "FAILED":
+        echo.danger("Container has failed. Please check console.")
+    else:
+        echo.warning("Container stack status: %s" % ac.stack.status)
+
+
+def _resolve_lambda_target_handlers(
+    context: Context, handler_name: str | None
+) -> list[str]:
+    """reload-env / status-env の対象 handler を解決する。"""
+    assert context.awscontainer is not None
+    handlers = context.awscontainer.handlers
+    if handler_name:
+        if handler_name not in handlers:
+            raise click.ClickException(
+                "handler '%s' が見つかりません。利用可能: %s"
+                % (handler_name, ", ".join(sorted(handlers.keys())))
+            )
+        return [handler_name]
+    return list(handlers.keys())
+
+
+def _function_name(context: Context, handler_key: str) -> str:
+    assert context.awscontainer is not None
+    # deploy 側 (LambdaHandlerContext.function_name = resource_prefix + key) と同じ
+    # 正準名を参照する。slug から再構成すると prefix_template / namespace
+    # (既定 `pocket`) を取りこぼすため、handler context の値をそのまま使う。
+    return context.awscontainer.handlers[handler_key].function_name
+
+
+def _fetch_lambda_env(client, function_name: str) -> dict[str, str]:
+    """Lambda の現状 Environment.Variables を取得する。"""
+    try:
+        config = client.get_function_configuration(FunctionName=function_name)
+    except ClientError as e:
+        if e.response.get("Error", {}).get("Code") == "ResourceNotFoundException":
+            raise click.ClickException(
+                "Lambda function '%s' が見つかりません。先に `pocket deploy` を"
+                "実行してください。" % function_name
+            ) from e
+        raise
+    return dict(config.get("Environment", {}).get("Variables", {}))
+
+
+@awscontainer.command("reload-env")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option(
+    "--handler", default=None, help="特定 handler のみ対象 (省略時は全 handler)"
+)
+def reload_env(stage, handler):
+    """SSM/Secrets Manager の最新値で Lambda env を即時更新する (CFn を介さない)。
+
+    deploy 時の CFn snapshot を base に、secrets (managed + user) の最新値を
+    boto3 で取得して上書きし、`update_function_configuration` で Lambda に反映。
+    side-channel update なので container 再生成が即座に走り、warm container
+    内の古い os.environ もリセットされる。
+
+    設計思想は `pocket waf ip` と同じ (CFn template は deploy 時 snapshot、
+    実体は CLI で直接更新、次 deploy で自己治癒)。
+    """
+    context = Context.from_toml(stage=stage)
+    if not context.awscontainer:
+        raise click.ClickException("[awscontainer] が設定されていません")
+
+    fresh_secrets = get_secrets(stage)
+    if not fresh_secrets:
+        echo.warning("secrets が宣言されていません。何もしません。")
+        return
+
+    lambda_client = boto3.client("lambda", region_name=context.awscontainer.region)
+    targets = _resolve_lambda_target_handlers(context, handler)
+
+    for h_name in targets:
+        function_name = _function_name(context, h_name)
+        current = _fetch_lambda_env(lambda_client, function_name)
+        new_env = {**current, **fresh_secrets}
+        if new_env == current:
+            echo.info("[%s] 差分なし (handler 内 env は既に最新)" % h_name)
+            continue
+        changed = sorted(k for k in fresh_secrets if current.get(k) != fresh_secrets[k])
+        lambda_client.update_function_configuration(
+            FunctionName=function_name,
+            Environment={"Variables": new_env},
+        )
+        echo.success(
+            "[%s] env を更新しました (%d/%d 秘密値を反映、warm container は再生成)"
+            % (h_name, len(changed), len(fresh_secrets))
+        )
+        for k in changed:
+            echo.log("  - %s" % k)
+
+
+@awscontainer.command("status-env")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option(
+    "--handler", default=None, help="特定 handler のみ対象 (省略時は全 handler)"
+)
+def status_env(stage, handler):
+    """Lambda の現在 env と SSM/SM 上の宣言値の drift を表示する。"""
+    context = Context.from_toml(stage=stage)
+    if not context.awscontainer:
+        raise click.ClickException("[awscontainer] が設定されていません")
+
+    fresh_secrets = get_secrets(stage)
+    lambda_client = boto3.client("lambda", region_name=context.awscontainer.region)
+    targets = _resolve_lambda_target_handlers(context, handler)
+
+    any_drift = False
+    for h_name in targets:
+        function_name = _function_name(context, h_name)
+        current = _fetch_lambda_env(lambda_client, function_name)
+        drift = [k for k in fresh_secrets if current.get(k) != fresh_secrets[k]]
+        echo.info(
+            "[%s] secret keys: %d declared, drift: %d"
+            % (h_name, len(fresh_secrets), len(drift))
+        )
+        for k in sorted(drift):
+            if k not in current:
+                echo.warning("  + %s (Lambda に未反映、reload-env で投入)" % k)
+            else:
+                echo.warning("  ~ %s (Lambda 値が古い、reload-env で更新)" % k)
+        if drift:
+            any_drift = True
+    if any_drift:
+        echo.warning(
+            "drift があります。`pocket resource awscontainer reload-env` で同期できます。"
+        )
+    else:
+        echo.success("drift なし。Lambda env と secrets は同期されています。")
+
+
+@awscontainer.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--openpath")
+def url(stage, openpath):
+    ac = get_awscontainer_resource(stage)
+    if ac.status == "COMPLETED":
+        if endpoint := ac.endpoints.get("wsgi"):
+            echo.success(f"wsgi url: {endpoint}")
+            if openpath:
+                webbrowser.open(endpoint + "/" + openpath)
+        else:
+            echo.warning("wsgi endpoint not found.")
+    else:
+        echo.warning("Container is not working.")

pocket_cli/cli/cloudfront_cli.py

@@ -0,0 +1,116 @@
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.resources.cloudfront import CloudFront
+
+
+@click.group()
+def cloudfront():
+    pass
+
+
+def get_cloudfront_resources(stage, name=None):
+    context = Context.from_toml(stage=stage)
+    if not context.cloudfront:
+        echo.danger("cloudfront is not configured for this stage")
+        raise Exception("cloudfront is not configured for this stage")
+    if name:
+        if name not in context.cloudfront:
+            echo.danger("cloudfront '%s' is not configured" % name)
+            raise Exception("cloudfront '%s' is not configured" % name)
+        return [CloudFront(context.cloudfront[name])]
+    return [CloudFront(cf_ctx) for cf_ctx in context.cloudfront.values()]
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def yaml(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        print(cf.stack.yaml)
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def yaml_diff(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        print(cf.stack.yaml_diff.to_json(indent=2))
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def context(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        print(cf.context.model_dump_json(indent=2))
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def create(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        cf.create()
+    echo.success("cloudfront store was created")
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def destroy(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        cf.delete()
+    echo.success("cloudfront store was deleted successfully.")
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def update(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        if cf.status == "NOEXIST":
+            echo.warning("CloudFront resource has not created yet.")
+            continue
+        if cf.status == "FAILED":
+            echo.danger(
+                "CloudFront resource creation has failed. Please check console."
+            )
+            continue
+        if cf.status == "PROGRESS":
+            echo.warning("CloudFront is updating. Please wait.")
+            continue
+        cf.update()
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+@click.option("--skip-build", is_flag=True, default=False)
+def upload(stage, name, skip_build):
+    for cf in get_cloudfront_resources(stage, name):
+        if not cf.context.uploadable_routes:
+            echo.info("[%s] アップロード対象のルートがありません" % cf.context.name)
+            continue
+        echo.info("[%s] アップロード開始" % cf.context.name)
+        cf.upload(skip_build=skip_build)
+    echo.success("アップロード完了")
+
+
+@cloudfront.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def status(stage, name):
+    for cf in get_cloudfront_resources(stage, name):
+        echo.info("[%s]" % cf.context.name)
+        if cf.status == "COMPLETED":
+            echo.success("COMPLETED")
+        else:
+            print(cf.status)

pocket_cli/cli/cloudfront_keys_cli.py

@@ -0,0 +1,68 @@
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.resources.cloudfront_keys import CloudFrontKeys
+
+
+@click.group()
+def cloudfront_keys():
+    pass
+
+
+def get_cloudfront_keys_resources(stage, name=None):
+    context = Context.from_toml(stage=stage)
+    if not context.cloudfront:
+        echo.danger("cloudfront is not configured for this stage")
+        raise Exception("cloudfront is not configured for this stage")
+    results = []
+    for cf_name, cf_ctx in context.cloudfront.items():
+        if not cf_ctx.signing_key:
+            continue
+        if name and cf_name != name:
+            continue
+        results.append(CloudFrontKeys(cf_ctx))
+    if name and not results:
+        echo.danger("cloudfront_keys '%s' is not configured" % name)
+        raise Exception("cloudfront_keys '%s' is not configured" % name)
+    return results
+
+
+@cloudfront_keys.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def yaml(stage, name):
+    for cfk in get_cloudfront_keys_resources(stage, name):
+        echo.info("[%s]" % cfk.context.name)
+        print(cfk.stack.yaml)
+
+
+@cloudfront_keys.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def yaml_diff(stage, name):
+    for cfk in get_cloudfront_keys_resources(stage, name):
+        echo.info("[%s]" % cfk.context.name)
+        print(cfk.stack.yaml_diff.to_json(indent=2))
+
+
+@cloudfront_keys.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def status(stage, name):
+    for cfk in get_cloudfront_keys_resources(stage, name):
+        echo.info("[%s]" % cfk.context.name)
+        if cfk.status == "COMPLETED":
+            echo.success("COMPLETED")
+        else:
+            print(cfk.status)
+
+
+@cloudfront_keys.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def destroy(stage, name):
+    for cfk in get_cloudfront_keys_resources(stage, name):
+        echo.info("[%s]" % cfk.context.name)
+        cfk.delete()
+    echo.success("cloudfront_keys was deleted successfully.")