runbooks 0.2.5__py3-none-any.whl → 0.6.1__py3-none-any.whl

runbooks/inventory/ec2_vpc_utils.py

@@ -0,0 +1,341 @@
+def del_vpc(ocredentials, fVPCId, fRegion):
+    """
+    ocredentials looks like this:
+            session_vpc = boto3.Session(
+                    aws_access_key_id = ocredentials['AccessKeyId'],
+                    aws_secret_access_key = ocredentials['SecretAccessKey'],
+                    aws_session_token = ocredentials['SessionToken'],
+                    region_name=fRegion)
+    fVPCId is a string with the VPC ID in it
+    fRegion is the string that represents the AWS region name
+    """
+
+    import logging
+
+    import boto3
+    from botocore.exceptions import ClientError
+    from colorama import Fore, init
+
+    # ERASE_LINE = '\x1b[2K'
+
+    def find_and_delete_vpc_endpoints(fVPC_client, fVpcId, fRegion):
+        import logging
+
+        vpc_endpoints = fVPC_client.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [fVpcId]}])
+        vpc_endpoints_to_delete = []
+        logging.info("Found %s vpc endpoints", len(vpc_endpoints))
+        for x in range(len(vpc_endpoints["VpcEndpoints"])):
+            vpc_endpoints_to_delete.append(vpc_endpoints["VpcEndpoints"][x]["VpcEndpointId"])
+
+        logging.warning("Found %s endpoints in vpc", len(vpc_endpoints_to_delete))
+        if len(vpc_endpoints_to_delete) > 0:
+            try:
+                response = fVPC_client.delete_vpc_endpoints(VpcEndpointIds=vpc_endpoints_to_delete)
+                return 0
+            except ClientError as my_error:
+                print(my_error)
+                return 1
+        else:
+            logging.warning("No Endpoints found to delete")
+            return 0
+
+    def find_and_delete_vpc_security_groups(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        vpc_security_groups = fVPC_client.describe_security_groups(Filters=[{"Name": "vpc-id", "Values": [fVpcId]}])
+        for x in range(len(vpc_security_groups["SecurityGroups"])):
+            if vpc_security_groups["SecurityGroups"][x]["GroupName"] == "default":
+                logging.info("Only found default security groups. These will auto-delete")
+                continue
+            else:
+                try:
+                    logging.info("Deleting security group %s", vpc_security_groups["SecurityGroups"][x]["GroupId"])
+                    response = fVPC_client.delete_security_group(
+                        GroupId=vpc_security_groups["SecurityGroups"][x]["GroupId"]
+                    )
+                except ClientError as my_Error:
+                    print(my_Error)
+                    return 1
+        return 0
+
+    def find_and_delete_vpc_peering_connections(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        vpc_peering_connections = fVPC_client.describe_vpc_peering_connections(
+            Filters=[{"Name": "requester-vpc-info.vpc-id", "Values": [fVpcId]}]
+        )
+        for x in range(len(vpc_peering_connections["VpcPeeringConnections"])):
+            try:
+                response = fVPC_client.delete_vpc_peering_connection(
+                    VpcPeeringConnectionId=vpc_peering_connections["VpcPeeringConnections"][x]["VpcPeeringConnectionId"]
+                )
+            except ClientError as my_Error:
+                print(my_Error)
+                return 1
+        return 0
+
+    def find_and_delete_vpc_route_tables(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        vpc_route_tables = fVPC_client.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [fVpcId]}])
+        vpc_route_tables_to_delete = list()
+        for x in range(len(vpc_route_tables["RouteTables"])):
+            rRouteTableId = vpc_route_tables["RouteTables"][x]["RouteTableId"]
+            # Add all route tables to the delete list...
+            vpc_route_tables_to_delete.append(rRouteTableId)
+            for y in range(len(vpc_route_tables["RouteTables"][x]["Associations"])):
+                rIsMain = vpc_route_tables["RouteTables"][x]["Associations"][y]["Main"]
+                # However, since we can't disassociate the "Main" Route Table, and we can't delete it, we remove it from our list.
+                if rIsMain:
+                    vpc_route_tables_to_delete.remove(rRouteTableId)
+                    continue
+                rRouteAssociation = vpc_route_tables["RouteTables"][x]["Associations"][y]["RouteTableAssociationId"]
+                try:
+                    disassociateresponse = fVPC_client.disassociate_route_table(AssociationId=rRouteAssociation)
+                    logging.critical("Disassociated Route Table ID: %s", rRouteTableId)
+                except ClientError as my_Error:
+                    print(my_Error)
+                    return 1
+
+            # pprint.pprint(vpc_route_tables_to_delete)
+            for RtTbl in vpc_route_tables_to_delete:
+                try:
+                    deleteresponse = fVPC_client.delete_route_table(RouteTableId=RtTbl)
+                    print("Deleted Route Table ID:", RtTbl)
+                    vpc_route_tables_to_delete.remove(RtTbl)
+                except ClientError as my_Error:
+                    print(my_Error)
+                    return 1
+        return 0
+
+    def find_and_delete_vpc_nacls(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        vpc_nacls = fVPC_client.describe_network_acls(Filters=[{"Name": "vpc-id", "Values": [fVpcId]}])
+
+        for x in range(len(vpc_nacls["NetworkAcls"])):
+            if vpc_nacls["NetworkAcls"][x]["IsDefault"]:
+                continue
+            else:
+                try:
+                    response = fVPC_client.delete_network_acl(NetworkAclId=vpc_nacls["NetworkAcls"][x]["NetworkAclId"])
+                # pprint.pprint(response)
+                except ClientError as my_Error:
+                    print(my_Error)
+                    return 1
+        return 0
+
+    def find_and_delete_subnets(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        subnets = fVPC_client.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [fVpcId]}])
+        # print("Found",len(subnets['Subnets']),"Subnets")
+
+        # pprint.pprint(vpc_nacls)
+        # pprint.pprint(vpc_nacls['NetworkAcls'][0]['IsDefault'])
+        # print("There are "+str(len(subnets['Subnets']))+" subnets")
+        # print("There are "+str(len(vpc_route_tables['RouteTables'][0]['Routes']))+" routes in the first table")
+        for x in range(len(subnets["Subnets"])):
+            try:
+                rSubnetId = subnets["Subnets"][x]["SubnetId"]
+                response = fVPC_client.delete_subnet(SubnetId=rSubnetId)
+            # pprint.pprint(response)
+            except ClientError as my_Error:
+                print(my_Error)
+                return 1
+        return 0
+
+    def find_and_delete_NAT_gateways(fVPC_client, fVpcId, fRegion):
+        import time
+
+        from botocore.exceptions import ClientError
+
+        cyclesWaited = 0
+        nat_gateways = fVPC_client.describe_nat_gateways(
+            Filters=[{"Name": "vpc-id", "Values": [fVpcId]}, {"Name": "state", "Values": ["available"]}]
+        )
+        rNatGWList = []
+        if len(nat_gateways["NatGateways"]) > 0:
+            logging.info("Found %s NAT Gateways", len(nat_gateways["NatGateways"]))
+            for x in range(len(nat_gateways["NatGateways"])):
+                rNatGWList.append(nat_gateways["NatGateways"][x]["NatGatewayId"])
+                try:
+                    deleteresponse = fVPC_client.delete_nat_gateway(NatGatewayId=rNatGWList[x])
+                except ClientError as my_Error:
+                    print(my_Error)
+                    return 1
+            print("Waiting for the NAT Gateways to be fully deleted")
+            verify_nat_gws_are_gone = nat_gateways
+            while len(verify_nat_gws_are_gone["NatGateways"]) > 0:
+                verify_nat_gws_are_gone = fVPC_client.describe_nat_gateways(
+                    Filters=[{"Name": "state", "Values": ["available", "pending", "deleting", "failed"]}],
+                    NatGatewayIds=rNatGWList,
+                )
+                cyclesWaited += 1
+                if cyclesWaited % 5 == 0:
+                    logging.info("Still waiting on NAT Gateways to be deleted...")
+            # print(".", end='', flush=True)
+            time.sleep(10)
+        return 0
+
+    def find_and_delete_gateways(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        gateways = fVPC_client.describe_internet_gateways(Filters=[{"Name": "attachment.vpc-id", "Values": [fVpcId]}])
+        for x in range(len(gateways["InternetGateways"])):
+            rGatewayId = gateways["InternetGateways"][x]["InternetGatewayId"]
+            try:
+                detachresponse = fVPC_client.detach_internet_gateway(InternetGatewayId=rGatewayId, VpcId=fVpcId)
+            except ClientError as my_Error:
+                print(my_Error)
+                return 1
+            try:
+                deleteresponse = fVPC_client.delete_internet_gateway(InternetGatewayId=rGatewayId)
+            except ClientError as my_Error:
+                print(my_Error)
+                return 1
+        return 0
+
+    def find_and_delete_virtual_gateways(fVPC_client, fVpcId, fRegion):
+        import time
+
+        from botocore.exceptions import ClientError
+
+        cyclesWaited = 0
+        vgws = fVPC_client.describe_vpn_gateways(
+            Filters=[
+                {"Name": "attachment.vpc-id", "Values": [fVpcId]},
+                {"Name": "attachment.state", "Values": ["attached"]},
+            ]
+        )
+        rVPN_GatewayList = list()
+        for x in range(len(vgws["VpnGateways"])):
+            rVPN_GatewayList.append(vgws["VpnGateways"][x]["VpnGatewayId"])
+            try:
+                detachresponse = fVPC_client.detach_vpn_gateway(VpnGatewayId=rVPN_GatewayList[x], VpcId=fVpcId)
+            except ClientError as my_Error:
+                print(my_Error)
+                return 1
+
+            print("Waiting for the VPN Gateways to be fully detached")
+            verify_vgws_are_gone = vgws
+            while len(verify_vgws_are_gone["VpnGateways"]) > 0:
+                verify_vgws_are_gone = fVPC_client.describe_vpn_gateways(
+                    Filters=[
+                        {"Name": "attachment.state", "Values": ["attached", "detaching"]},
+                    ],
+                    VpnGatewayIds=rVPN_GatewayList,
+                )
+                cyclesWaited += 1
+                if cyclesWaited % 5 == 0:
+                    logging.info("Still waiting on VGWS to be deleted...")
+                # pprint.pprint(verify_nat_gws_are_gone)
+                time.sleep(10)
+        return 0
+
+    def delete_vpc(fVPC_client, fVpcId, fRegion):
+        from botocore.exceptions import ClientError
+
+        try:
+            response = fVPC_client.delete_vpc(VpcId=fVpcId)
+            return 0
+        except ClientError as my_Error:
+            print(my_Error)
+            return 1
+
+    ###### Main ########################################
+    session_vpc = boto3.Session(
+        aws_access_key_id=ocredentials["AccessKeyId"],
+        aws_secret_access_key=ocredentials["SecretAccessKey"],
+        aws_session_token=ocredentials["SessionToken"],
+        region_name=fRegion,
+    )
+    client_vpc = session_vpc.client("ec2")
+    try:
+        # 1. Call EC2.Client.describe_vpc_endpoints. Filter on your VPC id. Call EC2.client.delete_vpc_endpoints on each
+        print(f"Deleting vpc in {fRegion}...", end="", flush=True)
+
+        logging.info(f"Deleting vpc-endpoints... for vpc {fVPCId} in region {fRegion}")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_vpc_endpoints(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_endpoints deletion script")
+            return 1  # out of the try
+        # 2. Call VPC.security_groups. Delete the group unless its group_name attribute is "main". The main security group will be deleted via VPC.delete().
+        logging.info("Deleting security groups...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_vpc_security_groups(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_security_group deletion script")
+            return 1  # out of the try
+
+        # 3. Call EC2.Client.describe_vpc_peering_connections. Filter on your VPC id as the requester-vpc-info.vpc-id. (My VPC is a requester. There is also accepter-vpc-info.vpc-id among other filters.) Iterate through the entries keyed by VpcPeeringConnections. Get an instance of the peering connection by instantiating a EC2.ServiceResource.VpcPeeringConnection with the VpcPeeringConnectionId. Call VpcPeeringConnection.delete() to remove the peering connection.
+        logging.info("Deleting vpc peering connections...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_vpc_peering_connections(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_peering_connection deletion script")
+            return 1  # out of the try
+
+        # Need to figure a way to wait on this operation, if there are Gateways to be deleted.
+        logging.info("Deleting NAT Gateways...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_NAT_gateways(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_NAT_gateways deletion script")
+            return 1  # out of the try
+
+        # 4. Call vpc.route_tables.all() and iterate through the route tables. For each route table, iterate through its routes using the RouteTable.routes attribute. Delete the routes where route['Origin'] is 'CreateRoute'. I deleted using EC2.Client.delete_route using EC2.RouteTable.id and route['DestinationCidrBlock']. After removing the routes, call EC2.RouteTable.delete() to remove the route table itself. I set up exception handlers for each delete. Not every route table can be deleted, but I haven't cracked the code. Maybe next week.
+        logging.info("Deleting vpc route tables...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_vpc_route_tables(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_route_tables deletion script")
+            return 1  # out of the try
+
+        # 5. Iterate through vpc.network_acls.all(), test12 the NetworkAcl.is_default attribute and call NetworkAcl.delete for non-default acls.
+        logging.info("Deleting vpc network access control lists...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_vpc_nacls(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_nacls deletion script")
+            return 1  # out of the try
+
+        #
+        # 6. Iterate through vpc.subnets.all().network_interfaces.all(). Call EC2.NetworkInterface.delete() on each.
+        logging.info("Deleting subnets...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_subnets(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_subnets deletion script")
+            return 1  # out of the try
+        #
+        # 7. Iterate through vpc.internet_gateways.all(). Call EC2.InternetGateway.delete() on each.
+        logging.info("Deleting Internet Gateways...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_gateways(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_gateways deletion script")
+            return 1  # out of the try
+
+        # Virtual Gateway
+        logging.info("Deleting Virtual Customer Gateways...")
+        print(".", end="", flush=True)
+        ResultGood = find_and_delete_virtual_gateways(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the vpc_virtual_gateways deletion script")
+            return 1  # out of the try
+
+        #
+        # 8. Call vpc.delete()
+        print("!")
+        ResultGood = delete_vpc(client_vpc, fVPCId, fRegion) == 0
+        if not ResultGood:
+            logging.error("Something failed in the final vpc deletion script")
+            return 1  # out of the try
+    except ClientError as my_Error:
+        print(my_Error)
+        print(f"{Fore.RED}What to do now?{Fore.RESET}")
+        return 1
+
+    return 0

runbooks/inventory/find_cfn_drift_detection.py

@@ -0,0 +1,272 @@
+#!/usr/bin/env python3
+
+"""
+AWS CloudFormation Stack Drift Detection Enablement Script
+
+This enterprise-grade script provides comprehensive CloudFormation drift detection enablement
+across multi-account AWS Organizations environments. Designed for infrastructure teams managing
+CloudFormation stacks at scale, offering automated drift detection initialization, stack
+discovery with filtering capabilities, and organizational governance support for infrastructure
+configuration management and compliance monitoring.
+
+Key Features:
+    - Multi-account, multi-region CloudFormation stack discovery and drift detection enablement
+    - Fragment-based stack filtering for targeted drift detection operations
+    - Stack status filtering supporting active and deleted stack analysis
+    - Enterprise governance support with organizational context and account exclusion
+    - Comprehensive error handling for authorization and access control issues
+    - Progress tracking and operational feedback for large-scale drift detection operations
+
+Drift Detection Capabilities:
+    - Automated drift detection enablement for discovered CloudFormation stacks
+    - Stack-level drift detection initialization with operational logging
+    - Regional drift detection coverage for comprehensive infrastructure monitoring
+    - Fragment-based stack targeting for selective drift detection operations
+    - Status-based stack filtering for active vs historical stack analysis
+
+Authentication & Access:
+    - AWS Organizations support for centralized CloudFormation stack management
+    - Cross-account role assumption for organizational stack visibility
+    - Regional validation and opt-in status verification for CloudFormation availability
+    - Profile-based authentication with comprehensive credential management
+
+Performance & Scalability:
+    - Progress bars and operational feedback for large-scale drift detection operations
+    - Efficient credential management for multi-account stack enumeration
+    - Regional optimization with targeted CloudFormation API calls
+    - Memory-efficient processing for extensive stack inventories
+
+Enterprise Use Cases:
+    - Infrastructure configuration drift detection and compliance monitoring
+    - CloudFormation stack governance and change management automation
+    - Organizational infrastructure audit and drift analysis
+    - Automated configuration compliance validation across organizational accounts
+
+Security & Compliance:
+    - Account exclusion capabilities preventing drift detection on sensitive accounts
+    - Comprehensive audit logging for drift detection operations and stack access
+    - Regional access validation preventing unauthorized stack enumeration
+    - Safe credential handling with automatic session management
+
+Dependencies:
+    - boto3: AWS SDK for CloudFormation API access
+    - colorama: Terminal output formatting and colored display
+    - Custom modules: Inventory_Modules, ArgumentsClass, account_class for enterprise operations
+
+Output Format:
+    - Real-time progress feedback with account and region context
+    - Comprehensive drift detection summary with stack counts and regional coverage
+    - Operational logging for audit trails and troubleshooting
+
+Future Enhancements:
+    - Drift detection status monitoring using describe_stack_drift_detection_status
+    - Enhanced progress tracking and drift detection result analysis
+    - Multi-threaded processing for improved performance at scale
+"""
+
+import logging
+
+import Inventory_Modules
+from account_class import aws_acct_access
+from ArgumentsClass import CommonArguments
+from botocore.exceptions import ClientError
+from colorama import Fore, init
+
+init()
+__version__ = "2023.05.04"
+
+# Configure comprehensive argument parsing for CloudFormation drift detection operations
+parser = CommonArguments()
+parser.singleprofile()  # Single AWS profile for organizational drift detection management
+parser.multiregion()  # Multi-region support for comprehensive CloudFormation coverage
+parser.verbosity()  # Logging verbosity controls for operational visibility
+parser.version(__version__)
+
+# Enhanced CLI arguments for targeted CloudFormation drift detection operations
+parser.my_parser.add_argument(
+    "-f",
+    "--fragment",
+    dest="pstackfrag",
+    metavar="CloudFormation stack fragment",
+    default="all",
+    help="String fragment of CloudFormation stack names for targeted drift detection filtering. "
+    "Supports partial name matching for flexible stack identification and selective drift analysis.",
+)
+parser.my_parser.add_argument(
+    "-s",
+    "--status",
+    dest="pstatus",
+    metavar="CloudFormation status",
+    default="active",
+    help="Stack status filter determining drift detection scope. "
+    "'active' for CREATE_COMPLETE stacks only, 'all' includes DELETE_COMPLETE stacks for historical analysis.",
+)
+parser.my_parser.add_argument(
+    "-k",
+    "--skip",
+    dest="pSkipAccounts",
+    nargs="*",
+    metavar="Accounts to leave alone",
+    default=[],
+    help="Account exclusion list preventing drift detection on sensitive or core organizational accounts. "
+    "Provides safety controls for production and management account protection.",
+)
+args = parser.my_parser.parse_args()
+
+# Extract and configure parameters from parsed command-line arguments
+pProfile = args.Profile  # AWS profile for organizational CloudFormation access
+pRegionList = args.Regions  # Target regions for comprehensive drift detection coverage
+pstackfrag = args.pstackfrag  # Stack name fragments for targeted drift detection filtering
+pstatus = args.pstatus  # Stack status filter for active vs historical analysis
+AccountsToSkip = args.pSkipAccounts  # Account exclusion list for production safety
+verbose = args.loglevel  # Logging verbosity for operational visibility
+
+# Configure comprehensive logging for CloudFormation drift detection operations
+logging.basicConfig(level=verbose, format="[%(filename)s:%(lineno)s - %(funcName)20s() ] %(message)s")
+logging.getLogger("boto3").setLevel(logging.CRITICAL)  # Suppress AWS SDK logging
+logging.getLogger("botocore").setLevel(logging.CRITICAL)  # Suppress AWS core logging
+logging.getLogger("s3transfer").setLevel(logging.CRITICAL)  # Suppress S3 transfer logging
+logging.getLogger("urllib3").setLevel(logging.CRITICAL)  # Suppress HTTP logging
+
+"""
+Future Enhancement: Drift Detection Status Monitoring
+We should eventually create an argument here that would check on the status of the drift-detection using
+"describe_stack_drift_detection_status", but we haven't created that function yet...  
+https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudformation.html#CloudFormation.Client.describe_stack_drift_detection_status
+
+This would enable:
+- Real-time drift detection progress monitoring
+- Drift detection result analysis and reporting  
+- Automated drift detection completion verification
+- Enhanced operational visibility for large-scale drift operations
+"""
+
+##########################
+ERASE_LINE = "\x1b[2K"  # Terminal control for dynamic output updates
+
+# Initialize AWS account access and organizational context for drift detection
+aws_acct = aws_acct_access(pProfile)
+sts_client = aws_acct.session.client("sts")
+
+# Handle organizational vs single account drift detection scope
+if aws_acct.AccountType == "Root":
+    print()
+    # Default to organizational drift detection for automation compatibility
+    try:
+        # Interactive prompt for organizational drift detection scope selection
+        answer = input(
+            f"You've specified a root account to check. \n"
+            f"Do you want to check the entire Org or only the root account? (Enter 'root' for whole Org):"
+        )
+    except EOFError:
+        # Handle non-interactive mode (automated testing)
+        print("Non-interactive mode detected, defaulting to root account only")
+        answer = "single"
+
+    if answer == "root":
+        # Enable organizational drift detection across all child accounts
+        ChildAccounts = aws_acct.ChildAccounts
+    else:
+        # Restrict drift detection to management account only
+        ChildAccounts = [
+            {
+                "MgmtAccount": aws_acct.acct_number,  # Management account identifier
+                "AccountId": aws_acct.acct_number,  # Account number for single account scope
+                "AccountEmail": aws_acct.MgmtEmail,  # Management email for audit context
+                "AccountStatus": aws_acct.AccountStatus,  # Account operational status
+            }
+        ]
+
+# Initialize drift detection operation tracking and regional scope configuration
+NumStacksFound = 0  # Counter for tracking total stacks processed for drift detection
+print()
+
+# Configure regional scope for comprehensive CloudFormation drift detection coverage
+RegionList = Inventory_Modules.get_service_regions("cloudformation", pRegionList)
+
+# Note: Alternative account discovery approaches for organizational drift detection
+# ChildAccounts = Inventory_Modules.find_child_accounts2(pProfile)  # Direct account discovery
+# ChildAccounts = Inventory_Modules.RemoveCoreAccounts(ChildAccounts, AccountsToSkip)  # Account filtering
+
+# Configure display formatting for drift detection progress and results
+fmt = "%-20s %-15s %-15s %-50s"
+print(fmt % ("Account", "Region", "Stack Status", "Stack Name"))
+print(fmt % ("-------", "------", "------------", "----------"))
+
+# Execute comprehensive CloudFormation drift detection across organizational accounts and regions
+StacksFound = []  # Aggregated list for discovered stacks requiring drift detection
+for account in ChildAccounts:
+    # Note: Alternative role ARN construction for cross-account CloudFormation access
+    # role_arn = f"arn:aws:iam::{account['AccountId']}:role/AWSCloudFormationStackSetExecutionRole"
+    # logging.info(f"Role ARN: {role_arn}")
+
+    try:
+        # Establish cross-account credentials for CloudFormation stack access
+        account_credentials = Inventory_Modules.get_child_access3(
+            aws_acct,
+            account["AccountId"],
+        )
+
+        # Validate account access and skip failed credential attempts
+        if account_credentials["AccessError"]:
+            logging.error(f"Accessing account {account['AccountId']} didn't work, so we're skipping it")
+            continue
+
+    except ClientError as my_Error:
+        # Handle comprehensive AWS API authorization and access errors
+        if "AuthFailure" in str(my_Error):
+            print(f"{pProfile}: Authorization Failure for account {account['AccountId']}")
+        elif str(my_Error).find("AccessDenied") > 0:
+            print(f"{pProfile}: Access Denied Failure for account {account['AccountId']}")
+        else:
+            print(f"{pProfile}: Other kind of failure for account {account['AccountId']}")
+            print(my_Error)
+        break
+
+    # Iterate through regions for comprehensive regional drift detection coverage
+    for region in RegionList:
+        Stacks = []  # Regional stack collection for drift detection processing
+        try:
+            StackNum = 0  # Regional stack counter for progress tracking
+
+            # Discover CloudFormation stacks with fragment and status filtering
+            Stacks = Inventory_Modules.find_stacks2(account_credentials, region, pstackfrag, pstatus)
+
+            # Log regional stack discovery progress for operational visibility
+            logging.warning(f"Account: {account['AccountId']} | Region: {region} | Found {StackNum} Stacks")
+            logging.info(
+                f"{ERASE_LINE}{Fore.RED}Account: {account['AccountId']} Region: {region} Found {StackNum} Stacks{Fore.RESET}"
+            )
+
+        except ClientError as my_Error:
+            # Handle regional authorization failures during stack discovery
+            if "AuthFailure" in str(my_Error):
+                print(f"{account['AccountId']}: Authorization Failure")
+
+        # Process discovered stacks for drift detection enablement
+        for Stack in Stacks:
+            # Extract stack metadata for drift detection operations
+            StackName = Stack["StackName"]  # Human-readable stack identifier
+            StackStatus = Stack["StackStatus"]  # Current operational status
+            StackID = Stack["StackId"]  # Unique CloudFormation stack identifier
+
+            # Enable drift detection on discovered CloudFormation stack
+            DriftStatus = Inventory_Modules.enable_drift_on_stacks2(account_credentials, region, StackName)
+
+            # Log drift detection enablement for audit trail and operational tracking
+            logging.error(
+                f"Enabled drift detection on {StackName} in account {account_credentials['AccountNumber']} in region {region}"
+            )
+            NumStacksFound += 1  # Increment total drift detection counter
+
+# Provide comprehensive operational summary with drift detection metrics
+print(ERASE_LINE)
+print(
+    f"{Fore.RED}Looked through {NumStacksFound} Stacks across {len(ChildAccounts)} accounts across "
+    f"{len(RegionList)} regions{Fore.RESET}"
+)
+print()
+
+# Display completion message for drift detection operation
+print("Thanks for using this script...")
+print()