magic-pocket-cli 0.2.0__py3-none-any.whl

pocket_cli/cli/cloudfront_waf_cli.py

@@ -0,0 +1,68 @@
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.resources.cloudfront_waf import CloudFrontWaf
+
+
+@click.group()
+def cloudfront_waf():
+    pass
+
+
+def get_cloudfront_waf_resources(stage, name=None):
+    context = Context.from_toml(stage=stage)
+    if not context.cloudfront:
+        echo.danger("cloudfront is not configured for this stage")
+        raise Exception("cloudfront is not configured for this stage")
+    results = []
+    for cf_name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.waf is None:
+            continue
+        if name and cf_name != name:
+            continue
+        results.append(CloudFrontWaf(cf_ctx))
+    if name and not results:
+        echo.danger("cloudfront_waf '%s' is not configured" % name)
+        raise Exception("cloudfront_waf '%s' is not configured" % name)
+    return results
+
+
+@cloudfront_waf.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def yaml(stage, name):
+    for waf in get_cloudfront_waf_resources(stage, name):
+        echo.info("[%s]" % waf.context.name)
+        print(waf.stack.yaml)
+
+
+@cloudfront_waf.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def yaml_diff(stage, name):
+    for waf in get_cloudfront_waf_resources(stage, name):
+        echo.info("[%s]" % waf.context.name)
+        print(waf.stack.yaml_diff.to_json(indent=2))
+
+
+@cloudfront_waf.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def status(stage, name):
+    for waf in get_cloudfront_waf_resources(stage, name):
+        echo.info("[%s]" % waf.context.name)
+        if waf.status == "COMPLETED":
+            echo.success("COMPLETED")
+        else:
+            print(waf.status)
+
+
+@cloudfront_waf.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", default=None)
+def destroy(stage, name):
+    for waf in get_cloudfront_waf_resources(stage, name):
+        echo.info("[%s]" % waf.context.name)
+        waf.delete()
+    echo.success("cloudfront_waf was deleted successfully.")

pocket_cli/cli/deploy_cli.py

@@ -0,0 +1,274 @@
+import inspect
+import webbrowser
+
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.mediator import Mediator
+from pocket_cli.resources.aws.state import StateStore
+from pocket_cli.resources.awscontainer import AwsContainer
+from pocket_cli.resources.cloudfront import CloudFront
+from pocket_cli.resources.cloudfront_acm import CloudFrontAcm
+from pocket_cli.resources.cloudfront_keys import CloudFrontKeys
+from pocket_cli.resources.cloudfront_waf import CloudFrontWaf
+from pocket_cli.resources.dsql import Dsql
+from pocket_cli.resources.neon import Neon
+from pocket_cli.resources.rds import Rds
+from pocket_cli.resources.s3 import S3
+from pocket_cli.resources.tidb import TiDb
+from pocket_cli.resources.upstash import Upstash
+from pocket_cli.resources.vpc import Vpc
+
+
+def _append_infra_resources(resources, context: Context, state_bucket: str):
+    """VPC / RDS / CloudFrontKeys / AwsContainer をまとめて追加"""
+    if context.awscontainer and context.awscontainer.vpc:
+        if context.awscontainer.vpc.manage:
+            resources.append(Vpc(context.awscontainer.vpc))
+    if context.dsql:
+        resources.append(Dsql(context.dsql))
+    if context.rds:
+        resources.append(Rds(context.rds))
+    for _name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.signing_key:
+            resources.append(CloudFrontKeys(cf_ctx))
+    if context.awscontainer:
+        resources.append(
+            AwsContainer(
+                context.awscontainer,
+                state_bucket=state_bucket,
+                rds_context=context.rds,
+                dsql_context=context.dsql,
+                scheduler_context=context.scheduler,
+            )
+        )
+
+
+def get_resources(context: Context, *, state_bucket: str = ""):
+    resources = []
+    # ACM 証明書を最初にデプロイ（us-east-1、DNS 検証に時間がかかる）
+    for _name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.domain:
+            resources.append(CloudFrontAcm(cf_ctx))
+    # WAF (IPSet + WebACL) も us-east-1 必須、CloudFront stack より前に作成
+    for _name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.waf is not None:
+            resources.append(CloudFrontWaf(cf_ctx))
+    if context.neon:
+        resources.append(Neon(context.neon))
+    if context.tidb:
+        resources.append(TiDb(context.tidb))
+    if context.upstash:
+        resources.append(Upstash(context.upstash))
+    if context.s3:
+        resources.append(S3(context.s3, cloudfront_contexts=context.cloudfront))
+    _append_infra_resources(resources, context, state_bucket)
+    for _name, cf_ctx in context.cloudfront.items():
+        resources.append(CloudFront(cf_ctx))
+    return resources
+
+
+def _create_state_store(context: Context) -> StateStore:
+    assert context.general
+    resource_prefix = context.general.prefix_template.format(
+        stage=context.stage,
+        project=context.project_name,
+        namespace=context.general.namespace,
+    )
+    bucket_name = f"{resource_prefix}state"
+    return StateStore(bucket_name, context.general.region)
+
+
+def deploy_init_resources(context: Context, *, state_bucket: str = ""):
+    for resource in get_resources(context, state_bucket=state_bucket):
+        target_name = resource.__class__.__name__
+        echo.log("Deploy init %s..." % target_name)
+        resource.deploy_init()
+
+
+def deploy_frontend(context: Context, *, skip_build: bool = False):
+    for _name, cf_ctx in context.cloudfront.items():
+        cf = CloudFront(cf_ctx)
+        if not cf_ctx.uploadable_routes:
+            continue
+        if cf.status == "NOEXIST":
+            echo.warning("CloudFront '%s' が未作成です。スキップします。" % cf_ctx.name)
+            continue
+        cf.upload(skip_build=skip_build)
+
+
+def upload_managed_assets(context: Context):
+    """CloudFront resource ごとに managed_assets を S3 に同期する。
+
+    deploy_resources の後で呼ぶことで、CFn stack の有無に関わらず毎回実行される。
+    差分検知 (ローカル MD5 vs S3 ETag) により変更ファイルのみ PutObject される。
+    """
+    for _name, cf_ctx in context.cloudfront.items():
+        if not cf_ctx.managed_assets:
+            continue
+        cf = CloudFront(cf_ctx)
+        cf.upload_managed_assets()
+
+
+def deploy_resources(context: Context, *, state_bucket: str = ""):
+    state_store = _create_state_store(context)
+    # state bucket は deploy_init_resources の前に作成済み
+    # ここでは念のため再確認
+    state_store.ensure_bucket()
+
+    mediator = Mediator(context)
+    resources = get_resources(context, state_bucket=state_bucket)
+    for resource in resources:
+        target_name = resource.__class__.__name__
+        if resource.status == "NOEXIST":
+            echo.log("Creating %s..." % target_name)
+            if "mediator" in inspect.signature(resource.create).parameters:
+                resource.create(mediator)
+            else:
+                resource.create()
+            state_store.record(resource.state_info())
+        elif resource.status == "REQUIRE_UPDATE":
+            echo.log("Updating %s..." % target_name)
+            if "mediator" in inspect.signature(resource.update).parameters:
+                resource.update(mediator)
+            else:
+                resource.update()
+            state_store.record(resource.state_info())
+        else:
+            echo.log("%s is already the latest version." % target_name)
+    # stack 作成/更新が終わった後の後付け状態 (bucket policy / KVS など) を
+    # 冪等に確保する。wait_status が timeout した次の deploy でも復旧できる。
+    for resource in resources:
+        hook = getattr(resource, "ensure_post_deploy_state", None)
+        if hook is None:
+            continue
+        if "mediator" in inspect.signature(hook).parameters:
+            hook(mediator)
+        else:
+            hook()
+
+
+def apply_skip_check_existing(context: Context) -> None:
+    """DB リソース (neon/tidb/upstash) の存在確認を一律 skip させる。
+
+    `--skip-check-existing` 指定時に呼ぶ。pocket.toml を編集せず、その deploy
+    実行に限り外部 SaaS API への存在確認 call を回避する (deploy ロールに
+    DB credentials を渡さず deploy を完走させる用途)。toml 側の
+    `skip_check_existing` フラグと同義で、こちらは実行時上書き。
+    """
+    for db_ctx in (context.neon, context.tidb, context.upstash):
+        if db_ctx is not None:
+            db_ctx.skip_check_existing = True
+
+
+def build_image(context: Context, *, tag: str) -> str:
+    """awscontainer image を指定 tag で build & push する (deploy はしない)。
+
+    build once 用。codebuild backend は source upload に state bucket を要するため、
+    deploy と同様に先に state bucket を確保してから build する。戻り値は ecr_name:tag。
+    """
+    if context.awscontainer is None:
+        raise click.ClickException("awscontainer がこの stage に設定されていません。")
+    state_store = _create_state_store(context)
+    state_store.ensure_bucket()
+    ac = AwsContainer(context.awscontainer, state_bucket=state_store.bucket_name)
+    ac.build(tag)
+    return f"{context.awscontainer.ecr_name}:{tag}"
+
+
+def _deploy_pipeline(context: Context, *, openpath=None, skip_frontend=False):
+    """deploy / promote 共通のパイプライン本体。
+
+    promote 時は context.awscontainer.promote_commit_hash が設定済みで、
+    deploy_init 内の image build が retag に置き換わる以外は deploy と同一。
+    """
+    # CodeBuildがソースアップロードにstate bucketを必要とするため、先に作成
+    state_store = _create_state_store(context)
+    state_store.ensure_bucket()
+    state_bucket = state_store.bucket_name
+    deploy_init_resources(context, state_bucket=state_bucket)
+    deploy_resources(context, state_bucket=state_bucket)
+    upload_managed_assets(context)
+    if not skip_frontend:
+        deploy_frontend(context)
+    # デプロイ完了後の URL 表示
+    url = _get_deploy_url(context)
+    if url:
+        echo.success(f"url: {url}")
+        if openpath:
+            webbrowser.open(url + "/" + openpath)
+
+
+@click.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--openpath")
+@click.option("--skip-frontend", is_flag=True, default=False)
+@click.option(
+    "--skip-check-existing",
+    is_flag=True,
+    default=False,
+    help="neon/tidb/upstash の存在確認 API を skip し COMPLETED 扱いで deploy",
+)
+def deploy(stage: str, openpath, skip_frontend, skip_check_existing):
+    from pocket_cli.cli.aws_auth import check_aws_credentials
+
+    check_aws_credentials()
+    context = Context.from_toml(stage=stage)
+    if skip_check_existing:
+        apply_skip_check_existing(context)
+    _deploy_pipeline(context, openpath=openpath, skip_frontend=skip_frontend)
+
+
+@click.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--commit-hash", required=True, help="昇格する image の git commit hash")
+@click.option("--openpath")
+@click.option("--skip-frontend", is_flag=True, default=False)
+@click.option(
+    "--skip-check-existing",
+    is_flag=True,
+    default=False,
+    help="neon/tidb/upstash の存在確認 API を skip し COMPLETED 扱いで deploy",
+)
+def promote(stage: str, commit_hash, openpath, skip_frontend, skip_check_existing):
+    """build 済みの :<commit-hash> image へ stage を向けて deploy する (再ビルドなし)。
+
+    `pocket django build` で push した image に :<stage> タグを移し、
+    インフラ/Lambda を更新する。image build は行わない (build once の昇格)。
+    """
+    from pocket_cli.cli.aws_auth import check_aws_credentials
+
+    check_aws_credentials()
+    context = Context.from_toml(stage=stage)
+    if context.awscontainer is None:
+        raise click.ClickException("awscontainer がこの stage に設定されていません。")
+    if skip_check_existing:
+        apply_skip_check_existing(context)
+    context.awscontainer.promote_commit_hash = commit_hash
+    _deploy_pipeline(context, openpath=openpath, skip_frontend=skip_frontend)
+
+
+def _get_deploy_url(context: Context) -> str | None:
+    """デプロイ後に表示する URL を決定する。
+
+    CloudFront がある場合はそのドメイン（カスタム or 自動生成）を優先し、
+    なければ API Gateway の wsgi エンドポイントを返す。
+    """
+    # CloudFront ドメインを優先
+    for _name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.domain:
+            return f"https://{cf_ctx.domain}"
+        cf = CloudFront(cf_ctx)
+        if cf.stack.output:
+            domain = cf.stack.output.get("DistributionDomainName")
+            if domain:
+                return f"https://{domain}"
+
+    # フォールバック: API Gateway
+    if context.awscontainer:
+        ac = AwsContainer(context.awscontainer)
+        endpoint = ac.endpoints.get("wsgi")
+        if endpoint:
+            return endpoint
+    return None

pocket_cli/cli/destroy_cli.py

@@ -0,0 +1,358 @@
+import boto3
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.resources.aws.builders.codebuild import CodeBuildBuilder
+from pocket_cli.resources.aws.state import StateStore
+from pocket_cli.resources.awscontainer import AwsContainer
+from pocket_cli.resources.cloudfront import CloudFront
+from pocket_cli.resources.cloudfront_acm import CloudFrontAcm
+from pocket_cli.resources.cloudfront_keys import CloudFrontKeys
+from pocket_cli.resources.dsql import Dsql
+from pocket_cli.resources.neon import Neon
+from pocket_cli.resources.rds import Rds
+from pocket_cli.resources.s3 import S3
+from pocket_cli.resources.tidb import TiDb
+from pocket_cli.resources.upstash import Upstash
+from pocket_cli.resources.vpc import Vpc
+
+
+def _create_state_store(context: Context) -> StateStore:
+    assert context.general
+    resource_prefix = context.general.prefix_template.format(
+        stage=context.stage,
+        project=context.project_name,
+        namespace=context.general.namespace,
+    )
+    bucket_name = f"{resource_prefix}state"
+    return StateStore(bucket_name, context.general.region)
+
+
+def _create_codebuild_builder(context: Context) -> CodeBuildBuilder | None:
+    """CodeBuildBuilder インスタンスを作成（リソース確認用）"""
+    if not context.awscontainer or not context.general:
+        return None
+    resource_prefix = context.general.prefix_template.format(
+        stage=context.stage,
+        project=context.project_name,
+        namespace=context.general.namespace,
+    )
+    state_bucket = f"{resource_prefix}state"
+    return CodeBuildBuilder(
+        region=context.general.region,
+        resource_prefix=resource_prefix,
+        state_bucket=state_bucket,
+        permissions_boundary=context.awscontainer.permissions_boundary,
+    )
+
+
+def _collect_vpc_targets(context: Context) -> list[str]:
+    """VPC 関連の削除対象を収集"""
+    if not context.awscontainer or not context.awscontainer.vpc:
+        return []
+    if not context.awscontainer.vpc.manage:
+        return ["VPC (外部 VPC consumer タグ削除)"]
+    vpc = Vpc(context.awscontainer.vpc)
+    vpc_parts = []
+    if vpc.stack.status != "NOEXIST":
+        vpc_parts.append("CFNスタック")
+        if vpc.stack.consumers:
+            vpc_parts.append("consumers: %s" % ", ".join(vpc.stack.consumers))
+    if vpc.efs and vpc.efs.exists():
+        vpc_parts.append("EFS")
+    if vpc_parts:
+        return ["VPC (%s)" % " + ".join(vpc_parts)]
+    return []
+
+
+def _collect_awscontainer_targets(context: Context, with_secrets: bool):
+    """AwsContainer 関連の削除対象を収集"""
+    targets: list[str] = []
+    if not context.awscontainer:
+        return targets
+
+    ac = AwsContainer(context.awscontainer)
+    parts = ["CFNスタック"]
+    if ac.ecr.exists():
+        if context.awscontainer.ecr_name_overridden:
+            parts.append("ECR は ecr_name 明示指定のため削除対象外")
+        else:
+            parts.append("ECR")
+    if with_secrets and context.awscontainer.secrets:
+        parts.append("secrets")
+
+    # CodeBuildリソースの存在チェック（設定に関わらず）
+    cb = _create_codebuild_builder(context)
+    if cb and (cb.project_exists() or cb.role_exists()):
+        parts.append("CodeBuild")
+
+    targets.append("AwsContainer (%s)" % " + ".join(parts))
+    targets.extend(_collect_vpc_targets(context))
+
+    return targets
+
+
+def _collect_database_targets(context: Context) -> list[str]:
+    """データベース関連の削除対象を収集"""
+    targets: list[str] = []
+    if context.dsql:
+        dsql = Dsql(context.dsql)
+        if dsql.status != "NOEXIST":
+            targets.append("DSQL クラスター: %s" % context.dsql.tag_name)
+    if context.rds:
+        rds = Rds(context.rds)
+        if rds.status != "NOEXIST":
+            targets.append("RDS Aurora クラスター: %s" % context.rds.cluster_identifier)
+    if context.tidb:
+        targets.append("TiDB クラスタ")
+    if context.upstash:
+        targets.append("Upstash Redis: %s" % context.upstash.database_name)
+    if context.neon:
+        targets.append("Neon ブランチ")
+    return targets
+
+
+def _collect_targets(context: Context, with_secrets: bool, with_state_bucket: bool):
+    """削除対象のリソース一覧を収集"""
+    targets: list[str] = []
+
+    for name, cf_ctx in context.cloudfront.items():
+        targets.append("CloudFront '%s' (CFNスタック + バケットポリシー)" % name)
+        if cf_ctx.domain:
+            targets.append("CloudFront ACM '%s' (us-east-1 証明書)" % name)
+
+    targets.extend(_collect_awscontainer_targets(context, with_secrets))
+    targets.extend(_collect_database_targets(context))
+
+    for name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.signing_key:
+            targets.append("CloudFrontKeys '%s' (CFNスタック)" % name)
+
+    if context.s3 and S3(context.s3).exists():
+        targets.append("S3 バケット: %s" % context.s3.bucket_name)
+
+    if with_state_bucket:
+        targets.append("ステートバケット")
+
+    return targets
+
+
+def _destroy_codebuild(context: Context) -> None:
+    """CodeBuildプロジェクト + IAMロールを削除（設定に関わらず存在すれば削除）"""
+    cb = _create_codebuild_builder(context)
+    if cb is None:
+        return
+    if cb.project_exists() or cb.role_exists():
+        echo.log("Destroying CodeBuild resources...")
+        cb.delete()
+        echo.success("CodeBuild resources were deleted.")
+
+
+def _destroy_log_groups(context: Context):
+    """Lambda が自動作成したロググループを削除"""
+    if not context.awscontainer:
+        return
+    logs_client = boto3.client("logs", region_name=context.awscontainer.region)
+    for handler_ctx in context.awscontainer.handlers.values():
+        log_group_name = handler_ctx.log_group_name
+        try:
+            logs_client.delete_log_group(logGroupName=log_group_name)
+            echo.log("Deleted log group: %s" % log_group_name)
+        except logs_client.exceptions.ResourceNotFoundException:
+            pass
+
+
+def _destroy_awscontainer(context: Context, with_secrets: bool):
+    """AwsContainer 関連リソースを削除"""
+    if not context.awscontainer:
+        return
+
+    ac = AwsContainer(context.awscontainer)
+    if ac.stack.status != "NOEXIST":
+        echo.log("Destroying AwsContainer stack...")
+        ac.stack.delete()
+        echo.success("AwsContainer stack was destroyed.")
+
+    if ac.ecr.exists():
+        if context.awscontainer.ecr_name_overridden:
+            echo.warning(
+                "ECR repository '%s' は ecr_name で明示指定されているため削除"
+                "しません (他 stage と共有の可能性があります)。"
+                "不要な場合は手動で削除してください。" % context.awscontainer.ecr_name
+            )
+        else:
+            echo.log("Destroying ECR repository...")
+            ac.ecr.delete()
+            echo.success("ECR repository was deleted.")
+
+    _destroy_codebuild(context)
+
+    _destroy_log_groups(context)
+
+    if with_secrets and context.awscontainer.secrets:
+        echo.log("Destroying pocket managed secrets...")
+        context.awscontainer.secrets.pocket_store.delete_secrets()
+        echo.success("Pocket managed secrets were deleted.")
+
+    _destroy_vpc(context)
+
+
+def _destroy_dsql(context: Context):
+    """DSQL クラスターを削除"""
+    if not context.dsql:
+        return
+    dsql = Dsql(context.dsql)
+    if dsql.status == "NOEXIST":
+        return
+    echo.log("Destroying DSQL cluster...")
+    dsql.delete()
+
+
+def _destroy_rds(context: Context):
+    """RDS Aurora クラスターを削除"""
+    if not context.rds:
+        return
+    rds = Rds(context.rds)
+    if rds.status == "NOEXIST":
+        return
+    echo.log("Destroying RDS Aurora cluster...")
+    rds.delete()
+    echo.success("RDS Aurora cluster was destroyed. Final snapshot was created.")
+
+
+def _destroy_vpc(context: Context):
+    """VPC 関連リソースを削除"""
+    if not context.awscontainer or not context.awscontainer.vpc:
+        return
+    vpc_ctx = context.awscontainer.vpc
+    if not vpc_ctx.manage:
+        # 外部 VPC: consumer タグのみ削除
+        from pocket_cli.resources.aws.cloudformation import VpcStack
+
+        vpc_stack = VpcStack(vpc_ctx)
+        if vpc_stack.status != "NOEXIST":
+            slug = context.stage + "-" + context.project_name
+            vpc_stack.remove_consumer_tag(slug)
+            echo.log("外部 VPC の consumer タグを削除しました。")
+        return
+    # managed VPC: consumer チェック後に削除
+    vpc = Vpc(vpc_ctx)
+    if vpc.stack.consumers:
+        echo.danger("VPC に consumer がいるため削除できません:")
+        for c in vpc.stack.consumers:
+            echo.info("  - %s" % c)
+        return
+    has_stack = vpc.stack.status != "NOEXIST"
+    has_efs = vpc.efs and vpc.efs.exists()
+    if has_stack or has_efs:
+        echo.log("Destroying VPC...")
+        vpc.delete()
+        echo.success("VPC was destroyed.")
+
+
+def _destroy_cloudfront_and_acm(context: Context):
+    """CloudFront ディストリビューションと ACM 証明書を削除"""
+    for name, cf_ctx in context.cloudfront.items():
+        cf = CloudFront(cf_ctx)
+        if cf.stack.status != "NOEXIST":
+            echo.log("Destroying CloudFront '%s'..." % name)
+            cf.delete()
+            echo.success("CloudFront '%s' was destroyed." % name)
+        if cf_ctx.domain:
+            acm = CloudFrontAcm(cf_ctx)
+            if acm.stack.status != "NOEXIST":
+                echo.log("Destroying CloudFront ACM '%s'..." % name)
+                acm.delete()
+                echo.success("CloudFront ACM '%s' was destroyed." % name)
+
+
+def _destroy_resources(context: Context, with_secrets: bool, with_state_bucket: bool):
+    """リソースをデプロイの逆順で削除"""
+    # 1. CloudFront + ACM
+    _destroy_cloudfront_and_acm(context)
+
+    # 2. AwsContainer (CFNスタック + ECR + secrets) + 3. VPC
+    _destroy_awscontainer(context, with_secrets)
+
+    # 2.5. DSQL
+    _destroy_dsql(context)
+
+    # 2.6. RDS（AwsContainer の後、VPC の前）
+    _destroy_rds(context)
+
+    # 3.5. CloudFrontKeys（AwsContainer の後、S3 の前）
+    for name, cf_ctx in context.cloudfront.items():
+        if cf_ctx.signing_key:
+            cfk = CloudFrontKeys(cf_ctx)
+            if cfk.stack.status != "NOEXIST":
+                echo.log("Destroying CloudFrontKeys '%s'..." % name)
+                cfk.delete()
+                echo.success("CloudFrontKeys '%s' was destroyed." % name)
+
+    # 4. S3 バケット
+    if context.s3 and S3(context.s3).exists():
+        echo.log("Destroying S3 bucket...")
+        S3(context.s3).delete()
+        echo.success("S3 bucket was deleted.")
+
+    # 5. TiDB クラスタ
+    if context.tidb and TiDb(context.tidb).cluster:
+        echo.log("Destroying TiDB cluster...")
+        TiDb(context.tidb).delete_cluster()
+        echo.success("TiDB cluster was deleted.")
+
+    # 5.5. Upstash Redis
+    if context.upstash:
+        upstash = Upstash(context.upstash)
+        if upstash.database:
+            upstash.delete_database()
+
+    # 6. Neon ブランチ
+    if context.neon and Neon(context.neon).branch:
+        echo.log("Destroying Neon branch...")
+        Neon(context.neon).delete_branch()
+        echo.success("Neon branch was deleted.")
+
+    # 7. ステートバケット
+    if with_state_bucket:
+        state_store = _create_state_store(context)
+        echo.log("Destroying state bucket...")
+        state_store.delete_bucket()
+        echo.success("State bucket was deleted.")
+
+
+@click.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option(
+    "--without-secrets",
+    is_flag=True,
+    default=False,
+    help="シークレットを削除せずに残す",
+)
+@click.option("--with-state-bucket", is_flag=True, default=False)
+@click.option(
+    "--yes", "-y", is_flag=True, default=False, help="確認プロンプトをスキップ"
+)
+def destroy(stage: str, without_secrets: bool, with_state_bucket: bool, yes: bool):
+    """ステージの全リソースを一括削除"""
+    from pocket_cli.cli.aws_auth import check_aws_credentials
+
+    check_aws_credentials()
+    context = Context.from_toml(stage=stage)
+    with_secrets = not without_secrets
+    targets = _collect_targets(context, with_secrets, with_state_bucket)
+
+    if not targets:
+        echo.warning("削除対象のリソースが見つかりません。")
+        return
+
+    echo.danger("以下のリソースを削除します:")
+    for target in targets:
+        echo.info("  - %s" % target)
+    echo.danger("この操作は取り消せません！")
+    if not yes:
+        click.confirm("stage '%s' の全リソースを削除しますか？" % stage, abort=True)
+
+    _destroy_resources(context, with_secrets, with_state_bucket)
+    echo.success("stage '%s' の全リソースを削除しました。" % stage)