magic-pocket-cli 0.2.0__py3-none-any.whl

pocket_cli/cli/s3_cli.py

@@ -0,0 +1,69 @@
+from pprint import pprint
+
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.resources.s3 import S3
+
+
+@click.group()
+def s3():
+    pass
+
+
+def get_s3_resource(stage):
+    context = Context.from_toml(stage=stage)
+    if not context.s3:
+        echo.danger("s3 is not configured for this stage")
+        raise Exception("s3 is not configured for this stage")
+    return S3(context=context.s3)
+
+
+@s3.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def context(stage):
+    storage = get_s3_resource(stage)
+    pprint(storage.context.model_dump())
+
+
+@s3.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def create(stage):
+    """S3 バケットを作成、または既存バケットの設定 (PAB / CORS / versioning /
+    lifecycle) を冪等に reconcile する。"""
+    storage = get_s3_resource(stage)
+    already_exists = storage.exists()
+    storage.ensure_exists()
+    if already_exists:
+        echo.success(
+            "Reconciled: bucket %s (PAB / CORS / versioning / lifecycle)"
+            % storage.context.bucket_name
+        )
+    else:
+        echo.success("Created: bucket %s" % storage.context.bucket_name)
+
+
+@s3.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def destroy(stage):
+    storage = get_s3_resource(stage)
+    if not storage.exists():
+        echo.warning("No S3 bucket found.")
+        return
+    echo.danger("S3バケットの全データが失われます。")
+    click.confirm(
+        "バケット '%s' を削除しますか？" % storage.context.bucket_name, abort=True
+    )
+    storage.delete()
+    echo.success("S3 bucket was deleted.")
+
+
+@s3.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def status(stage):
+    storage = get_s3_resource(stage)
+    if storage.exists():
+        echo.success("Storage found")
+    else:
+        echo.warning("Storage not found")

pocket_cli/cli/status_cli.py

@@ -0,0 +1,56 @@
+import click
+
+from pocket.context import Context
+from pocket.resources.aws.secretsmanager import PocketSecretIsNotReady
+from pocket.utils import echo
+from pocket_cli.cli.deploy_cli import get_resources
+from pocket_cli.resources.awscontainer import AwsContainer
+
+
+def show_status_message(resource):
+    target_name = resource.__class__.__name__
+    message = f"{target_name} status: {resource.status}"
+    echo_fn = {
+        "NOEXIST": echo.info,
+        "REQUIRE_UPDATE": echo.warning,
+        "PROGRESS": echo.warning,
+        "COMPLETED": echo.success,
+        "FAILED": echo.danger,
+    }[resource.status]
+    echo_fn(message)
+
+
+def show_info_message(resource):
+    if hasattr(resource, "description"):
+        echo.info(resource.description)
+    if isinstance(resource, AwsContainer) and resource.context.secrets:
+        if resource.context.secrets.managed:
+            try:
+                _ = resource.context.secrets.pocket_store.arn
+            except PocketSecretIsNotReady:
+                echo.warning(
+                    "Because pocket managed secrets is not ready yet, "
+                    "the context is not ready to use."
+                )
+                echo.warning("Just use it for reference.")
+                echo.info("You can create pocket managed secrets by running the below.")
+                echo.info("pocket resource awscontainer secrets create-pocket-managed")
+
+        try:
+            _ = resource.context.secrets.allowed_sm_resources
+        except PocketSecretIsNotReady:
+            echo.warning("Please create pocket secrets first.")
+            return
+    print(resource.context.model_dump_json(indent=2))
+
+
+@click.command()
+@click.option("--show-info", is_flag=True, default=False)
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def status(stage, show_info):
+    context = Context.from_toml(stage=stage)
+    resources = get_resources(context)
+    for resource in resources:
+        show_status_message(resource)
+        if show_info:
+            show_info_message(resource)

pocket_cli/cli/tidb_cli.py

@@ -0,0 +1,73 @@
+from pprint import pprint
+
+import click
+
+from pocket.context import Context
+from pocket.utils import echo
+from pocket_cli.resources.tidb import TiDb
+
+
+@click.group()
+def tidb():
+    pass
+
+
+def get_tidb_resource(stage):
+    context = Context.from_toml(stage=stage)
+    if not context.tidb:
+        echo.danger("tidb is not configured for this stage")
+        raise ValueError("tidb is not configured for this stage")
+    return TiDb(context=context.tidb)
+
+
+@tidb.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def context(stage):
+    resource = get_tidb_resource(stage)
+    pprint(resource.context.model_dump())
+
+
+@tidb.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def create(stage):
+    resource = get_tidb_resource(stage)
+    resource.create()
+    echo.success("TiDB cluster and database created")
+
+
+@tidb.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def reset_database(stage):
+    resource = get_tidb_resource(stage)
+    resource.reset_database()
+    echo.success("Reset database")
+
+
+@tidb.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def delete(stage):
+    resource = get_tidb_resource(stage)
+    resource.delete_cluster()
+    echo.success("Cluster was deleted successfully.")
+
+
+@tidb.command()
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+def status(stage):
+    resource = get_tidb_resource(stage)
+    if resource.project:
+        echo.success("Project found")
+    else:
+        echo.warning("Project not found")
+        return
+    if resource.cluster:
+        echo.success(
+            "Cluster found: %s (%s)" % (resource.cluster.name, resource.cluster.status)
+        )
+    else:
+        echo.warning("Cluster not found")
+        return
+    if resource.cluster.status == "ACTIVE":
+        echo.success("Database url: %s" % resource.database_url)
+    else:
+        echo.warning("Cluster status: %s" % resource.cluster.status)

pocket_cli/cli/vpc_cli.py

@@ -0,0 +1,92 @@
+import click
+
+from pocket.general_context import VpcContext
+from pocket.utils import echo
+from pocket_cli.resources.vpc import Vpc
+
+
+@click.group()
+def vpc():
+    pass
+
+
+def get_vpc_resource():
+    vpc_context = VpcContext.from_toml()
+    return Vpc(vpc_context)
+
+
+@vpc.command()
+def yaml():
+    vpc = get_vpc_resource()
+    print(vpc.stack.yaml)
+
+
+@vpc.command()
+def yaml_diff():
+    vpc = get_vpc_resource()
+    print(vpc.stack.yaml_diff.to_json(indent=2))
+
+
+@vpc.command()
+def create():
+    vpc = get_vpc_resource()
+    if not vpc.context.manage:
+        echo.danger("外部 VPC は他で管理されています。")
+        return
+    if not vpc.status == "NOEXIST":
+        echo.warning("AWS vpc is already created.")
+    else:
+        vpc.create()
+        echo.success("Created: vpc")
+
+
+@vpc.command()
+def update():
+    vpc = get_vpc_resource()
+    if not vpc.context.manage:
+        echo.danger("外部 VPC は他で管理されています。")
+        return
+    if vpc.status == "NOEXIST":
+        echo.warning("vpc has not created yet.")
+        return
+    if vpc.status == "FAILED":
+        echo.danger("vpc has failed. Please check console.")
+        return
+    if vpc.status == "PROGRESS":
+        echo.warning("vpc is updating. Please wait.")
+        return
+    vpc.update()
+
+
+@vpc.command()
+def destroy():
+    vpc = get_vpc_resource()
+    if not vpc.context.manage:
+        echo.danger("外部 VPC は他で管理されています。")
+        return
+    if vpc.stack.consumers:
+        echo.danger("VPC に consumer がいるため削除できません:")
+        for c in vpc.stack.consumers:
+            echo.info("  - %s" % c)
+        return
+    has_stack = vpc.stack.status != "NOEXIST"
+    has_efs = vpc.efs and vpc.efs.exists()
+    if not has_stack and not has_efs:
+        echo.warning("No VPC resources found.")
+        return
+    click.confirm("VPC を削除しますか？", abort=True)
+    vpc.delete()
+    echo.success("VPC was destroyed.")
+
+
+@vpc.command()
+def status():
+    vpc = get_vpc_resource()
+    if vpc.status == "COMPLETED":
+        echo.success("Vpc has been created.")
+    elif vpc.status == "NOEXIST":
+        echo.warning("Vpc has not created yet.")
+    elif vpc.status == "FAILED":
+        echo.danger("Vpc has failed. Please check console.")
+    else:
+        echo.warning("Vpc stack status: %s" % vpc.stack.status)

pocket_cli/cli/waf_cli.py

@@ -0,0 +1,182 @@
+"""`pocket waf ip ...` — IPSet を CFN を介さず直接更新する CLI。
+
+WebACL / IPSet 自体は CFn (CloudFrontWafStack) が us-east-1 に作成し、
+Addresses は CFn template 上は常に空。実際の CIDR 一覧はこの CLI が
+`update_ip_set` boto3 で side-channel 更新する (1 件追加で CFn を回したくない
+ため)。CFn 視点では Addresses は常に drift 状態だが、これは仕様。
+"""
+
+from __future__ import annotations
+
+import urllib.request
+
+import boto3
+import click
+
+from pocket.context import CloudFrontContext, Context
+from pocket.utils import echo
+from pocket_cli.resources.aws.cloudformation import CloudFrontWafStack
+
+
+@click.group()
+def waf():
+    pass
+
+
+@waf.group()
+def ip():
+    pass
+
+
+def _get_cf_context(stage: str, name: str) -> CloudFrontContext:
+    context = Context.from_toml(stage=stage)
+    if not context.cloudfront:
+        raise click.ClickException("cloudfront is not configured for this stage")
+    if name not in context.cloudfront:
+        raise click.ClickException("cloudfront '%s' is not configured" % name)
+    cf_ctx = context.cloudfront[name]
+    if cf_ctx.waf is None:
+        raise click.ClickException(
+            "cloudfront '%s' has no [cloudfront.%s.waf] block" % (name, name)
+        )
+    if not cf_ctx.waf.enable_ip_set:
+        raise click.ClickException(
+            "cloudfront '%s' is configured with [cloudfront.%s.waf]"
+            " enable_ip_set = false, so there is no IPSet to operate on."
+            " Set `enable_ip_set = true` (default) to use `pocket waf ip ...`."
+            % (name, name)
+        )
+    return cf_ctx
+
+
+def _get_ip_set_meta(cf_ctx: CloudFrontContext) -> tuple[str, str]:
+    """CFn stack output から IPSet の (Name, Id) を取得する。"""
+    stack = CloudFrontWafStack(cf_ctx)
+    output = stack.output
+    if not output:
+        raise click.ClickException(
+            "WAF stack '%s' が見つかりません。先に `pocket deploy` を実行してください。"
+            % stack.name
+        )
+    name = output.get("IPSetName")
+    set_id = output.get("IPSetId")
+    if not name or not set_id:
+        raise click.ClickException(
+            "WAF stack output に IPSetName / IPSetId がありません: %s" % stack.name
+        )
+    return name, set_id
+
+
+def _wafv2_client():
+    # Scope=CLOUDFRONT は us-east-1 でしか操作できない
+    return boto3.client("wafv2", region_name="us-east-1")
+
+
+def _fetch_ip_set(client, set_name: str, set_id: str) -> tuple[list[str], str]:
+    res = client.get_ip_set(Name=set_name, Scope="CLOUDFRONT", Id=set_id)
+    return list(res["IPSet"]["Addresses"]), res["LockToken"]
+
+
+def _write_ip_set(client, set_name: str, set_id: str, addresses: list[str], lock: str):
+    client.update_ip_set(
+        Name=set_name,
+        Scope="CLOUDFRONT",
+        Id=set_id,
+        Addresses=addresses,
+        LockToken=lock,
+    )
+
+
+def _detect_self_ipv4() -> str:
+    """1 次: AWS checkip、fallback: ipify。/32 を付けた CIDR を返す。"""
+    for url in ("https://checkip.amazonaws.com", "https://api.ipify.org"):
+        try:
+            with urllib.request.urlopen(url, timeout=5) as r:
+                ip = r.read().decode("utf-8").strip()
+            if ip:
+                return f"{ip}/32"
+        except Exception as e:  # noqa: BLE001
+            echo.warning("IP 検出失敗 (%s): %s" % (url, e))
+    raise click.ClickException("自分の Global IP を取得できませんでした")
+
+
+@ip.command("list")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", required=True, help="CloudFront name (pocket.toml の key)")
+def ip_list(stage, name):
+    """IPSet 内 CIDR 一覧を表示する。"""
+    cf_ctx = _get_cf_context(stage, name)
+    set_name, set_id = _get_ip_set_meta(cf_ctx)
+    client = _wafv2_client()
+    addresses, _ = _fetch_ip_set(client, set_name, set_id)
+    if not addresses:
+        echo.warning(
+            "IPSet は空です (deny-all 状態)。"
+            "`pocket waf ip add self --name %s --stage %s` で自分の IP を"
+            "追加してください。" % (name, stage)
+        )
+        return
+    for cidr in addresses:
+        click.echo(cidr)
+
+
+@ip.command("add")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", required=True, help="CloudFront name (pocket.toml の key)")
+@click.argument("cidr")
+def ip_add(stage, name, cidr):
+    """任意 CIDR を IPSet に追加。`self` で自分の IP を追加 (重複は dedup)。"""
+    cf_ctx = _get_cf_context(stage, name)
+    set_name, set_id = _get_ip_set_meta(cf_ctx)
+    client = _wafv2_client()
+    if cidr == "self":
+        cidr = _detect_self_ipv4()
+        echo.info("検出した自分の IP: %s" % cidr)
+    addresses, lock = _fetch_ip_set(client, set_name, set_id)
+    if cidr in addresses:
+        echo.info("%s は既に登録済みです。" % cidr)
+        return
+    new_addresses = addresses + [cidr]
+    _write_ip_set(client, set_name, set_id, new_addresses, lock)
+    echo.success("追加しました: %s (合計 %d entries)" % (cidr, len(new_addresses)))
+
+
+@ip.command("remove")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", required=True, help="CloudFront name (pocket.toml の key)")
+@click.argument("cidr")
+def ip_remove(stage, name, cidr):
+    """指定 CIDR を IPSet から削除。"""
+    cf_ctx = _get_cf_context(stage, name)
+    set_name, set_id = _get_ip_set_meta(cf_ctx)
+    client = _wafv2_client()
+    addresses, lock = _fetch_ip_set(client, set_name, set_id)
+    if cidr not in addresses:
+        echo.warning("%s は IPSet に存在しません。" % cidr)
+        return
+    new_addresses = [a for a in addresses if a != cidr]
+    _write_ip_set(client, set_name, set_id, new_addresses, lock)
+    echo.success("削除しました: %s (残り %d entries)" % (cidr, len(new_addresses)))
+
+
+@ip.command("clear")
+@click.option("--stage", envvar="POCKET_DEPLOY_STAGE", prompt=True)
+@click.option("--name", required=True, help="CloudFront name (pocket.toml の key)")
+@click.option("--yes", is_flag=True, default=False, help="確認プロンプトをスキップ")
+def ip_clear(stage, name, yes):
+    """IPSet を空にする (= deny-all 状態に戻す)。確認プロンプトあり。"""
+    cf_ctx = _get_cf_context(stage, name)
+    set_name, set_id = _get_ip_set_meta(cf_ctx)
+    client = _wafv2_client()
+    addresses, lock = _fetch_ip_set(client, set_name, set_id)
+    if not addresses:
+        echo.info("IPSet は既に空です。")
+        return
+    if not yes:
+        click.confirm(
+            "%d 件の CIDR を全削除して deny-all 状態にします。よろしいですか？"
+            % len(addresses),
+            abort=True,
+        )
+    _write_ip_set(client, set_name, set_id, [], lock)
+    echo.success("IPSet を全削除しました (deny-all 状態)。")