runbooks 0.2.3__py3-none-any.whl → 0.6.1__py3-none-any.whl

runbooks/cfat/src/actions/get-enabled-org-policy-types.ts

@@ -0,0 +1,40 @@
+import { OrganizationsClient, ListRootsCommand, ListRootsCommandInput, ListRootsResponse } from "@aws-sdk/client-organizations";
+import { PolicyTypesEnabled } from '../types';
+
+async function getEnabledOrgPolicyTypes(region: string ): Promise<PolicyTypesEnabled> {
+  const orgClient = new OrganizationsClient({ region });
+  let policyTypesEnabled:PolicyTypesEnabled = {
+    scpEnabled: false,
+    tagPolicyEnabled: false,
+    backupPolicyEnabled : false
+  };
+  try {
+    const input: ListRootsCommandInput = {};
+    const command = new ListRootsCommand(input);
+    const roots: ListRootsResponse = await orgClient.send(command);
+    if (roots.Roots) {
+        if (roots.Roots[0].PolicyTypes) {
+            for (const enabledPolicy of roots.Roots[0].PolicyTypes) {
+                if (enabledPolicy.Type == 'SERVICE_CONTROL_POLICY' && enabledPolicy.Status == 'ENABLED') {
+                  policyTypesEnabled.scpEnabled = true;
+                }
+                if (enabledPolicy.Type == 'TAG_POLICY' && enabledPolicy.Status == 'ENABLED') {
+                  policyTypesEnabled.tagPolicyEnabled = true;
+                }
+                if (enabledPolicy.Type == 'BACKUP_POLICY' && enabledPolicy.Status == 'ENABLED') {
+                  policyTypesEnabled.backupPolicyEnabled = true;
+                }
+            }// end for
+        }// end if
+    }// end if
+  }
+  catch (error) {
+      console.error(`An error occurred: ${error}`);
+  }
+  finally {
+    orgClient.destroy();
+    return policyTypesEnabled ;
+  }
+}
+
+export default getEnabledOrgPolicyTypes;

runbooks/cfat/src/actions/get-enabled-org-services.ts

@@ -0,0 +1,26 @@
+import { OrganizationsClient, ListAWSServiceAccessForOrganizationCommand, ListAWSServiceAccessForOrganizationResponse } from "@aws-sdk/client-organizations";
+import { OrgService} from '../types';
+
+
+async function getEnabledOrgServices(region:string): Promise<OrgService[]>  {
+  const discoveredOrgServices: OrgService[] = []
+  const orgClient = new OrganizationsClient({ region });
+  try {
+    const orgServiceAccessCommand = new ListAWSServiceAccessForOrganizationCommand({});
+    const orgServiceAccessResponse: ListAWSServiceAccessForOrganizationResponse = await orgClient.send(orgServiceAccessCommand);
+    if(orgServiceAccessResponse.EnabledServicePrincipals && orgServiceAccessResponse.EnabledServicePrincipals.length > 0){
+      orgServiceAccessResponse.EnabledServicePrincipals
+      for(const orgService of orgServiceAccessResponse.EnabledServicePrincipals){
+        const foundOrgService: OrgService = {service: orgService.ServicePrincipal ?? ""}
+        discoveredOrgServices.push(foundOrgService)
+      }
+    }
+  } catch (error) {
+    console.error('Error checking service access:', error);
+  } finally {
+    orgClient.destroy();
+    return discoveredOrgServices;
+  }
+};
+
+export default getEnabledOrgServices

runbooks/cfat/src/actions/get-idc-info.ts

@@ -0,0 +1,34 @@
+import { SSOAdminClient,
+  ListInstancesCommand
+} from "@aws-sdk/client-sso-admin";
+import { IdCInfo } from "../types";
+
+async function getIdcInfo(regionList: string[]): Promise<IdCInfo> {
+  let idcDetails: IdCInfo = {found: false}
+  for (const region of regionList){
+    const ssoAdminClient = new SSOAdminClient({region});
+    try {
+      const ssoInput = {
+        MaxResults: Number("100")
+      };
+      const command = new ListInstancesCommand(ssoInput);
+      const ssoInstanceResponse = await ssoAdminClient.send(command);
+      if (ssoInstanceResponse.Instances && ssoInstanceResponse.Instances.length > 0) {
+        const ssoInstance = ssoInstanceResponse.Instances[0];
+        idcDetails.found = true;
+        idcDetails.region = region;
+        idcDetails.arn = ssoInstance.InstanceArn
+        idcDetails.id = ssoInstance.IdentityStoreId
+        break
+      }
+    } catch (error) {
+      console.log(`Error looking for AWS Identity Center details in region ${region}`)
+    }
+    finally {
+      ssoAdminClient.destroy();
+    }
+ }
+ return idcDetails;
+};
+
+export default getIdcInfo;

runbooks/cfat/src/actions/get-org-da-accounts.ts

@@ -0,0 +1,34 @@
+import { OrganizationsClient, ListDelegatedAdministratorsCommand, ListDelegatedServicesForAccountCommand} from "@aws-sdk/client-organizations";
+import { OrgDelegatedAdminAccount } from '../types';
+
+async function getOrgDaAccounts(): Promise<OrgDelegatedAdminAccount[]> {
+  let orgDaDetails: OrgDelegatedAdminAccount[] = []
+  const orgClient = new OrganizationsClient({ region: 'us-east-1' });
+  let orgDaDetail: OrgDelegatedAdminAccount = {}
+  try {
+    const command = new ListDelegatedAdministratorsCommand({});
+    const response = await orgClient.send(command);
+    if(response.DelegatedAdministrators){
+      for (const da of response.DelegatedAdministrators) {
+        const input = {AccountId: da.Id};
+        const command = new ListDelegatedServicesForAccountCommand(input);
+        const accountResponse = await orgClient.send(command);
+        if(accountResponse.DelegatedServices){
+          orgDaDetail = {
+            services: accountResponse.DelegatedServices,
+            accountName: da.Name
+          }
+          orgDaDetails.push(orgDaDetail)
+        }
+      }
+    }
+  } catch (error) {
+    console.log(`Error looking for delegated services.`)
+  }
+  finally {
+    orgClient.destroy();
+  }
+ return orgDaDetails;
+};
+
+export default getOrgDaAccounts;

runbooks/cfat/src/actions/get-org-details.ts

@@ -0,0 +1,35 @@
+import { OrganizationsClient, DescribeOrganizationCommand ,ListRootsCommand, DescribeOrganizationResponse, ListRootsResponse} from "@aws-sdk/client-organizations";
+import { OrgInfo } from '../types';
+
+async function getOrgDetails(region: string ): Promise<OrgInfo> {
+  const orgClient = new OrganizationsClient({ region });
+  let orgDetails: OrgInfo = {}
+  try {
+    const orgDescribeCommand = new DescribeOrganizationCommand({});
+    const orgData: DescribeOrganizationResponse = await orgClient.send(orgDescribeCommand)
+    if (orgData.Organization) {
+      orgDetails.id = orgData.Organization.Id ?? "";
+     // console.log(`Organization ID: ${orgDetails.id}` );
+      orgDetails.arn = orgData.Organization.Arn ?? "";
+     // console.log(`Organization ARN: ${orgDetails.arn}`);
+    }
+      const command = new ListRootsCommand({})
+      const roots: ListRootsResponse = await orgClient.send(command);
+      if (roots.Roots) {
+        orgDetails.rootOuId = roots.Roots[0].Id
+       // console.log(`AWS Org root ou id: ${orgDetails.rootOuId}`)
+      }
+    else {
+        console.log('No info found for your AWS Organization.');
+    }
+  }
+  catch (error) {
+      console.error(`An error occurred: ${error}`);
+  }
+  finally {
+    orgClient.destroy();
+    return orgDetails ;
+  }
+}
+
+export default getOrgDetails;

runbooks/cfat/src/actions/get-org-member-accounts.ts

@@ -0,0 +1,44 @@
+import { OrganizationsClient, ListAccountsCommand, ListAccountsCommandOutput } from '@aws-sdk/client-organizations';
+import { OrgMemberAccount } from '../types';
+
+async function getOrgMemberAccounts(): Promise<OrgMemberAccount[]> {
+  let orgMemberAccountInfo: OrgMemberAccount[] = []
+  const orgsClient = new OrganizationsClient({ region: 'us-east-1' });
+  const input = {
+    MaxResults: Number("200"),
+  };
+  try {
+    let response: ListAccountsCommandOutput = await orgsClient.send(new ListAccountsCommand({}));
+    if(response.Accounts && response.Accounts.length > 0){
+      for (const account of response.Accounts){
+        let orgMemberAccount: OrgMemberAccount = {
+          accountName: account.Name,
+          accountEmail: account.Email,
+        }
+        orgMemberAccountInfo.push(orgMemberAccount)
+      }
+      do {
+        if(response.NextToken){
+          response = await orgsClient.send(new ListAccountsCommand({NextToken: response.NextToken}));
+          if(response.Accounts && response.Accounts.length > 0){
+            for (const account of response.Accounts){
+              let orgMemberAccount: OrgMemberAccount = {
+                accountName: account.Name,
+                accountEmail: account.Email,
+              }
+              orgMemberAccountInfo.push(orgMemberAccount)
+            }
+          }
+        }
+      }while(response.NextToken)
+    }
+  } catch (error) {
+    console.error('Error listing AWS accounts:', error);
+  }
+  finally {
+    orgsClient.destroy()
+  }
+  return orgMemberAccountInfo
+}
+
+export default getOrgMemberAccounts;

runbooks/cfat/src/actions/get-org-ous.ts

@@ -0,0 +1,35 @@
+import { OrganizationsClient, ListOrganizationalUnitsForParentCommand, ListOrganizationalUnitsForParentResponse, ListAccountsForParentCommand } from "@aws-sdk/client-organizations";
+import { OUInfo } from '../types';
+
+
+async function getOrgTopLevelOus(region:string, rootOuId: string ): Promise<OUInfo[]>  {
+  const orgClient = new OrganizationsClient({ region });
+  let topLevelOus: OUInfo[] = []
+  try {
+    const listOUsCommand = new ListOrganizationalUnitsForParentCommand({
+      ParentId: rootOuId,
+    });
+    const listOUsResponse: ListOrganizationalUnitsForParentResponse = await orgClient.send(listOUsCommand);
+    if(listOUsResponse.OrganizationalUnits){
+      for (const ou of  listOUsResponse.OrganizationalUnits ){
+        let topLevelOu:OUInfo = {
+          id: ou.Id,
+          name: ou.Name
+        }
+        const accountResponse = await orgClient.send(new ListAccountsForParentCommand({ ParentId: ou.Id }));
+        if(accountResponse.Accounts && accountResponse.Accounts.length > 0){
+          topLevelOu.accounts = accountResponse.Accounts
+        }
+        topLevelOus.push(topLevelOu)
+      }
+    }
+  } catch (error) {
+    console.error('Error checking service access:', error);
+    return []
+  } finally {
+    orgClient.destroy();
+  }
+  return topLevelOus
+};
+
+export default getOrgTopLevelOus

runbooks/cfat/src/actions/get-regions.ts

@@ -0,0 +1,22 @@
+import { EC2Client, DescribeRegionsCommand, DescribeRegionsResult } from "@aws-sdk/client-ec2";
+
+async function getAllRegions(): Promise<string[]> {
+  // grabbing all regions from us-east-1
+  const ec2Client = new EC2Client({ region: "us-east-1" });
+  try {
+    const describeRegionsCommand = new DescribeRegionsCommand({});
+    const response = await ec2Client.send(describeRegionsCommand);
+    const regions: string[] = [];
+    for (const region of response.Regions || []) {
+      regions.push(region.RegionName || "");
+    }
+    return regions
+  } catch (error) {
+    console.error("Error retrieving regions:", error);
+    return []
+  } finally {
+    ec2Client.destroy();
+  }
+}
+
+export default getAllRegions

runbooks/cfat/src/actions/zip-assessment.ts

@@ -0,0 +1,27 @@
+import fs from 'fs';
+import path from 'path';
+import archiver from 'archiver';
+
+async function zipAssessmentFiles(): Promise<void> {
+  try {
+    const output = fs.createWriteStream(path.join(process.cwd(), 'assessment.zip'));
+    const archive = archiver('zip', {
+      zlib: { level: 9 }, // Sets the compression level.
+    });
+
+    archive.pipe(output);
+
+    // Add the files to the archive
+    archive.file(path.join(process.cwd(), 'cfat.txt'), { name: 'cfat.txt' });
+    archive.file(path.join(process.cwd(), 'cfat-checks.csv'), { name: 'cfat-checks.csv' });
+    archive.file(path.join(process.cwd(), 'asana-import.csv'), { name: 'asana-import.csv' });
+    archive.file(path.join(process.cwd(), 'jira-import.csv'), { name: 'jira-import.csv' });
+    archive.finalize();
+
+    console.log('Zip file created successfully!');
+  } catch (err) {
+    console.error('Error creating zip file:', err);
+  }
+}
+
+export default zipAssessmentFiles;

runbooks/cfat/src/types/index.d.ts

@@ -0,0 +1,147 @@
+import { DelegatedServices } from "@aws-sdk/client-organizations";
+
+export interface CfatCheck {
+  check:string;
+  description:string;
+  status:string;
+  required:boolean;
+  weight:number
+  loe:number
+  remediationLink?: string;
+}
+
+export interface AccountType {
+  isInOrganization: boolean;
+  isManagementAccount?: boolean;
+};
+
+export interface ControlTowerInfo {
+  controlTowerRegion?: string;
+  latestAvailableVersion?: string;
+  deployedVersion?: string
+  driftStatus?: string;
+  status?: string
+}
+
+export interface Ec2Check {
+  region?: string;
+  ec2Found?: boolean
+}
+
+export interface CloudTrailInfo{
+  region?: string;
+  trailFound?: boolean;
+  isOrgTrail?: boolean;
+  isMultiRegion?: boolean;
+}
+export interface VpcCheck {
+  region?: string;
+  vpcFound?: boolean
+}
+export interface IamUserInfo {
+  userName: string;
+  accessKeyId?: string;
+  lastUsed?: string;
+};
+
+export interface IdCInfo{
+  found: boolean;
+  region?: string
+  arn?: string;
+  id?: string;
+}
+
+export interface LegacyCurInfo{
+  isLegacyCurSetup: boolean;
+};
+
+export interface OrgService {
+  service: string;
+};
+
+export interface OrgInfo {
+  arn?: string,
+  id?: string,
+  rootOuId?: string
+}
+
+interface OUInfo {
+  id?: string;
+  name?: string;
+  accounts?: Account[];
+}
+
+export interface OrgCloudFormationStatus {
+  status: string
+};
+
+export interface PolicyTypesEnabled {
+  scpEnabled: boolean;
+  tagPolicyEnabled: boolean;
+  backupPolicyEnabled: boolean;
+};
+
+export interface OrgDelegatedAdminAccount {
+  accountName?: string;
+  services?: DelegatedServices[];
+}
+
+export interface ConfigInfo {
+  region?: string;
+  configRecorderFound?: boolean
+  configDeliveryChannelFound?: boolean
+}
+
+export interface OrgMemberAccount {
+  accountName?: string;
+  accountEmail?: string;
+}
+
+export interface Task {
+  title: string;
+  category?: string;
+  detail?:string;
+  remediationLink?: string;
+}
+
+export interface CloudFoundationAssessment {
+  organizationDeploy?: Boolean;
+  managementAccount?: Boolean;
+  isLegacyCurSetup?: Boolean;
+  vpcChecks?: VpcCheck[];
+  ec2Checks?: Ec2Check[];
+  iamUserChecks?: IamUserInfo[];
+  orgArn?: string,
+  orgId?: string,
+  orgRootOuId?: string;
+  orgServices?: OrgService[]
+  orgCloudFormationStatus?: string;
+  orgMemberAccounts?: OrgMemberAccount[];
+  orgDelegatedAdminAccounts?: OrgDelegatedAdminAccount[];
+  orgOuInfo?: OUInfo[];
+  controlTowerRegion?: string;
+  controlTowerLatestAvailableVersion?: string;
+  controlTowerDeployedVersion?: string
+  controlTowerDriftStatus?: string;
+  controlTowerStatus?: string;
+  scpEnabled?: boolean;
+  tagPolicyEnabled?: boolean;
+  backupPolicyEnabled?: boolean;
+  configDetails?: ConfigInfo[];
+  cloudTrailDetails?: CloudTrailInfo[];
+  idcInfo?: IdCInfo;
+  cfatChecks?: CfatCheck[];
+}
+
+interface JiraCSVData {
+  [key: string]: {
+    Summary: string;
+    Description: string;
+    Status: string;
+  };
+}
+
+interface CSVOptions {
+  headers?: { [key: string]: string };
+  filename?: string;
+}

runbooks/cfat/tests/__init__.py

@@ -0,0 +1,141 @@
+"""
+Comprehensive Test Suite for Cloud Foundations Assessment Tool (CFAT).
+
+This test module provides enterprise-grade testing for CFAT functionality
+including:
+
+- Unit tests for all core components
+- Integration tests with moto AWS mocking
+- CLI argument parsing validation
+- Performance and load testing
+- Compliance framework testing
+- Report generation testing
+
+Testing Strategy:
+- Use moto for AWS service mocking to avoid real AWS calls
+- Test argument parsing separately from AWS API calls
+- Create common test fixtures to reduce duplication (DRY)
+- Focus on integration tests that verify real-world usage patterns
+- Maintain test compatibility with existing workflows
+
+The test suite is designed to be autonomous and can run without
+AWS credentials or network access.
+"""
+
+from datetime import datetime
+from typing import Any, Dict
+
+import pytest
+
+from runbooks.cfat.models import AssessmentReport, AssessmentResult, AssessmentSummary, CheckStatus, Severity
+
+
+# Test fixtures and utilities
+def create_sample_assessment_result(
+    finding_id: str = "TEST-001",
+    check_name: str = "test_check",
+    category: str = "test",
+    status: CheckStatus = CheckStatus.PASS,
+    severity: Severity = Severity.INFO,
+    message: str = "Test check passed",
+    execution_time: float = 0.1,
+) -> AssessmentResult:
+    """Create a sample assessment result for testing."""
+    return AssessmentResult(
+        finding_id=finding_id,
+        check_name=check_name,
+        check_category=category,
+        status=status,
+        severity=severity,
+        message=message,
+        execution_time=execution_time,
+        recommendations=["Test recommendation"] if status == CheckStatus.FAIL else [],
+    )
+
+
+def create_sample_assessment_summary(
+    total_checks: int = 10,
+    passed_checks: int = 8,
+    failed_checks: int = 2,
+    skipped_checks: int = 0,
+    error_checks: int = 0,
+    warnings: int = 1,
+    critical_issues: int = 1,
+    total_execution_time: float = 5.0,
+) -> AssessmentSummary:
+    """Create a sample assessment summary for testing."""
+    return AssessmentSummary(
+        total_checks=total_checks,
+        passed_checks=passed_checks,
+        failed_checks=failed_checks,
+        skipped_checks=skipped_checks,
+        error_checks=error_checks,
+        warnings=warnings,
+        critical_issues=critical_issues,
+        total_execution_time=total_execution_time,
+    )
+
+
+def create_sample_assessment_report(
+    account_id: str = "123456789012",
+    region: str = "us-east-1",
+    profile: str = "test",
+    version: str = "0.5.0",
+    num_results: int = 5,
+) -> AssessmentReport:
+    """Create a sample assessment report for testing."""
+    results = []
+    for i in range(num_results):
+        status = CheckStatus.PASS if i % 3 != 0 else CheckStatus.FAIL
+        severity = Severity.CRITICAL if i == 0 else Severity.WARNING if i == 1 else Severity.INFO
+        result = create_sample_assessment_result(
+            finding_id=f"TEST-{i + 1:03d}",
+            check_name=f"test_check_{i + 1}",
+            category="test",
+            status=status,
+            severity=severity,
+            message=f"Test check {i + 1} result",
+        )
+        results.append(result)
+
+    # Calculate summary from results
+    passed = len([r for r in results if r.status == CheckStatus.PASS])
+    failed = len([r for r in results if r.status == CheckStatus.FAIL])
+    warnings = len([r for r in results if r.severity == Severity.WARNING])
+    critical = len([r for r in results if r.severity == Severity.CRITICAL])
+
+    summary = create_sample_assessment_summary(
+        total_checks=len(results),
+        passed_checks=passed,
+        failed_checks=failed,
+        warnings=warnings,
+        critical_issues=critical,
+    )
+
+    return AssessmentReport(
+        account_id=account_id,
+        region=region,
+        profile=profile,
+        version=version,
+        included_checks=["test"],
+        severity_threshold=Severity.INFO,
+        results=results,
+        summary=summary,
+    )
+
+
+# Common test constants
+TEST_ACCOUNT_ID = "123456789012"
+TEST_REGION = "us-east-1"
+TEST_PROFILE = "test-profile"
+
+# Test markers
+pytest_markers = [
+    "unit: Unit tests (fast, no external dependencies)",
+    "integration: Integration tests with moto AWS mocking",
+    "cli: Tests CLI argument parsing and validation",
+    "assessment: Tests for assessment engine functionality",
+    "reporting: Tests for report generation",
+    "models: Tests for data model validation",
+    "slow: Slow tests (long-running operations)",
+]