PyPI - runbooks - Versions diffs - 0.9.8__py3-none-any.whl → 0.9.9__py3-none-any.whl - Mend

runbooks 0.9.8py3-none-any.whl → 0.9.9py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

runbooks/__init__.py +1 -1
runbooks/common/rich_utils.py +3 -0
runbooks/finops/markdown_exporter.py +226 -0
runbooks/finops/optimizer.py +2 -0
runbooks/finops/single_dashboard.py +2 -2
runbooks/finops/vpc_cleanup_exporter.py +328 -0
runbooks/finops/vpc_cleanup_optimizer.py +536 -35
runbooks/main.py +315 -7
runbooks/operate/vpc_operations.py +1 -1
runbooks/vpc/unified_scenarios.py +3199 -0
runbooks/vpc/vpc_cleanup_integration.py +4 -4
{runbooks-0.9.8.dist-info → runbooks-0.9.9.dist-info}/METADATA +1 -1
{runbooks-0.9.8.dist-info → runbooks-0.9.9.dist-info}/RECORD +17 -15
{runbooks-0.9.8.dist-info → runbooks-0.9.9.dist-info}/WHEEL +0 -0
{runbooks-0.9.8.dist-info → runbooks-0.9.9.dist-info}/entry_points.txt +0 -0
{runbooks-0.9.8.dist-info → runbooks-0.9.9.dist-info}/licenses/LICENSE +0 -0
{runbooks-0.9.8.dist-info → runbooks-0.9.9.dist-info}/top_level.txt +0 -0

runbooks/finops/vpc_cleanup_optimizer.py CHANGED Viewed

@@ -49,7 +49,7 @@ from ..common.rich_utils import (
 )
 from .embedded_mcp_validator import EmbeddedMCPValidator
 from ..common.profile_utils import get_profile_for_operation
-from ..enterprise.security import EnterpriseSecurityModule
+from ..security.enterprise_security_framework import EnterpriseSecurityFramework
 logger = logging.getLogger(__name__)
@@ -87,6 +87,28 @@ class VPCCleanupCandidate(BaseModel):
     risk_assessment: str = "medium"  # low, medium, high
     business_impact: str = "minimal"  # minimal, moderate, significant
     tags: Dict[str, str] = Field(default_factory=dict)
+    # Enhanced fields for advanced filtering
+    account_id: Optional[str] = None
+    flow_logs_enabled: bool = False
+    load_balancers: List[str] = Field(default_factory=list)
+    iac_detected: bool = False
+    owners_approvals: List[str] = Field(default_factory=list)
+    @property
+    def is_no_eni_vpc(self) -> bool:
+        """Check if VPC has zero ENI attachments (safe for cleanup)."""
+        return self.dependency_analysis.eni_count == 0
+    @property
+    def is_nil_vpc(self) -> bool:
+        """Check if VPC has no resources (empty VPC)."""
+        return (
+            self.dependency_analysis.eni_count == 0 and
+            len(self.dependency_analysis.route_tables) <= 1 and  # Only default route table
+            len(self.dependency_analysis.nat_gateways) == 0 and
+            len(self.dependency_analysis.vpc_endpoints) == 0
+        )
 class VPCCleanupResults(BaseModel):
@@ -102,6 +124,7 @@ class VPCCleanupResults(BaseModel):
     evidence_hash: Optional[str] = None
     safety_assessment: str = "graduated_risk_approach"
     security_assessment: Optional[Dict[str, Any]] = None
+    multi_account_context: Optional[Dict[str, Any]] = Field(default_factory=dict)
 class VPCCleanupOptimizer:
@@ -129,7 +152,55 @@ class VPCCleanupOptimizer:
         print_info(f"VPC Cleanup Optimizer initialized with profile: {self.profile}")
-    def analyze_vpc_cleanup_opportunities(self) -> VPCCleanupResults:
+    def filter_vpcs_by_criteria(self, candidates: List[VPCCleanupCandidate],
+                               no_eni_only: bool = False,
+                               filter_type: str = "all") -> List[VPCCleanupCandidate]:
+        """
+        Filter VPC candidates based on specified criteria.
+        Args:
+            candidates: List of VPC cleanup candidates
+            no_eni_only: If True, show only VPCs with zero ENI attachments
+            filter_type: Filter type - 'none', 'default', or 'all'
+        Returns:
+            Filtered list of VPC candidates
+        """
+        filtered_candidates = candidates.copy()
+        # Apply no-ENI-only filter
+        if no_eni_only:
+            filtered_candidates = [
+                candidate for candidate in filtered_candidates
+                if candidate.is_no_eni_vpc
+            ]
+            print_info(f"🔍 No-ENI filter applied - {len(filtered_candidates)} VPCs with zero ENI attachments")
+        # Apply type-based filters
+        if filter_type == "none":
+            # Show only VPCs with no resources (nil VPCs)
+            filtered_candidates = [
+                candidate for candidate in filtered_candidates
+                if candidate.is_nil_vpc
+            ]
+            print_info(f"📋 'None' filter applied - {len(filtered_candidates)} VPCs with no resources")
+        elif filter_type == "default":
+            # Show only default VPCs
+            filtered_candidates = [
+                candidate for candidate in filtered_candidates
+                if candidate.is_default
+            ]
+            print_info(f"🏠 'Default' filter applied - {len(filtered_candidates)} default VPCs")
+        elif filter_type == "all":
+            # Show all VPCs (no additional filtering)
+            print_info(f"📊 'All' filter applied - {len(filtered_candidates)} total VPCs")
+        return filtered_candidates
+    def analyze_vpc_cleanup_opportunities(self, no_eni_only: bool = False,
+                                        filter_type: str = "all") -> VPCCleanupResults:
         """
         Comprehensive VPC cleanup analysis with three-bucket strategy.
@@ -143,7 +214,7 @@ class VPCCleanupOptimizer:
         Returns: Comprehensive cleanup analysis with validated savings
         """
-        print_header("VPC Cleanup Cost Optimization Engine", "v0.9.1")
+        print_header("VPC Cleanup Cost Optimization Engine", "v0.9.9")
         print_info("AWSO-05 Implementation - Three-Bucket Strategy")
         # Initialize MCP validator for accuracy validation
@@ -155,12 +226,22 @@ class VPCCleanupOptimizer:
         # Step 2: Dependency analysis for each VPC
         analyzed_candidates = self._analyze_vpc_dependencies(vpc_candidates)
+        # Step 2.5: Apply filtering based on criteria
+        filtered_candidates = self.filter_vpcs_by_criteria(
+            analyzed_candidates,
+            no_eni_only=no_eni_only,
+            filter_type=filter_type
+        )
         # Step 3: Three-bucket classification
-        bucket_classification = self._classify_three_bucket_strategy(analyzed_candidates)
+        bucket_classification = self._classify_three_bucket_strategy(filtered_candidates)
         # Step 4: Enhanced VPC security assessment integration
         security_assessment = self._perform_vpc_security_assessment(analyzed_candidates)
+        # Step 4.5: Re-classify buckets after security assessment (ensure NO-ENI VPCs stay in Bucket 1)
+        bucket_classification = self._ensure_no_eni_bucket_1_classification(bucket_classification)
         # Step 5: Cost calculation and savings estimation
         cost_analysis = self._calculate_vpc_cleanup_costs(bucket_classification)
@@ -175,6 +256,190 @@ class VPCCleanupOptimizer:
         return results
+    def analyze_vpc_cleanup_opportunities_multi_account(self,
+                                                       account_ids: List[str],
+                                                       accounts_info: Dict[str, Any],
+                                                       no_eni_only: bool = False,
+                                                       filter_type: str = "all",
+                                                       progress_callback=None) -> 'VPCCleanupResults':
+        """
+        ENHANCED: Multi-account VPC cleanup analysis with Organizations integration.
+        Critical Fix: Instead of assuming cross-account access, this method aggregates
+        VPC discovery from the current profile's accessible scope, which may span
+        multiple accounts if the profile has appropriate permissions.
+        Args:
+            account_ids: List of account IDs from Organizations discovery
+            accounts_info: Account metadata from Organizations API
+            no_eni_only: Filter to only VPCs with zero ENI attachments
+            filter_type: Filter criteria ("all", "no-eni", "default", "tagged")
+            progress_callback: Optional callback for progress updates
+        Returns: Aggregated VPC cleanup analysis across accessible accounts
+        """
+        print_header("Multi-Account VPC Cleanup Analysis", "v0.9.9")
+        print_info(f"🏢 Analyzing VPCs across {len(account_ids)} organization accounts")
+        print_info(f"🔐 Using profile: {self.profile} (scope: accessible accounts only)")
+        # Initialize analysis timing
+        self.analysis_start_time = time.time()
+        # Initialize MCP validator for accuracy validation
+        self.mcp_validator = EmbeddedMCPValidator([self.profile])
+        if progress_callback:
+            progress_callback("Initializing multi-account discovery...")
+        # Enhanced VPC discovery with organization context
+        vpc_candidates = self._discover_vpc_candidates_multi_account(account_ids, accounts_info, progress_callback)
+        if progress_callback:
+            progress_callback("Analyzing VPC dependencies...")
+        # Follow standard analysis pipeline
+        analyzed_candidates = self._analyze_vpc_dependencies(vpc_candidates)
+        filtered_candidates = self.filter_vpcs_by_criteria(
+            analyzed_candidates,
+            no_eni_only=no_eni_only,
+            filter_type=filter_type
+        )
+        if progress_callback:
+            progress_callback("Performing three-bucket classification...")
+        bucket_classification = self._classify_three_bucket_strategy(filtered_candidates)
+        security_assessment = self._perform_vpc_security_assessment(analyzed_candidates)
+        bucket_classification = self._ensure_no_eni_bucket_1_classification(bucket_classification)
+        if progress_callback:
+            progress_callback("Calculating cost analysis...")
+        cost_analysis = self._calculate_vpc_cleanup_costs(bucket_classification)
+        validation_results = self._validate_analysis_with_mcp(cost_analysis)
+        if progress_callback:
+            progress_callback("Generating comprehensive results...")
+        # Generate results with multi-account context
+        results = self._generate_comprehensive_results(cost_analysis, validation_results, security_assessment)
+        # Add multi-account metadata
+        results.multi_account_context = {
+            'total_accounts_analyzed': len(account_ids),
+            'accounts_with_vpcs': len(set(candidate.account_id for candidate in vpc_candidates if candidate.account_id)),
+            'organization_id': accounts_info.get('organization_id', 'unknown'),
+            'accounts': [
+                {
+                    'account_id': account_id,
+                    'account_name': accounts_info.get('accounts', {}).get(account_id, {}).get('Name', 'unknown'),
+                    'status': accounts_info.get('accounts', {}).get(account_id, {}).get('Status', 'unknown')
+                }
+                for account_id in account_ids
+            ],
+            'vpc_count_by_account': self._calculate_vpc_count_by_account(vpc_candidates),
+            'analysis_scope': 'organization',
+            'profile_access_scope': self.profile
+        }
+        print_success(f"✅ Multi-account analysis complete: {results.total_vpcs_analyzed} VPCs across organization")
+        return results
+    def _calculate_vpc_count_by_account(self, vpc_candidates: List[VPCCleanupCandidate]) -> Dict[str, int]:
+        """Calculate VPC count by account from the candidate list."""
+        vpc_count_by_account = {}
+        for candidate in vpc_candidates:
+            account_id = candidate.account_id or 'unknown'
+            if account_id in vpc_count_by_account:
+                vpc_count_by_account[account_id] += 1
+            else:
+                vpc_count_by_account[account_id] = 1
+        return vpc_count_by_account
+    def _discover_vpc_candidates_multi_account(self, account_ids: List[str],
+                                             accounts_info: Dict[str, Any],
+                                             progress_callback=None) -> List[VPCCleanupCandidate]:
+        """
+        Enhanced VPC discovery with organization account context.
+        CRITICAL INSIGHT: This method discovers VPCs that the current profile can access,
+        which may include VPCs from multiple accounts if the profile has cross-account permissions
+        (e.g., via AWS SSO or cross-account roles).
+        """
+        vpc_candidates = []
+        if progress_callback:
+            progress_callback("Discovering VPCs across regions...")
+        # Get list of all regions
+        ec2_client = self.session.client('ec2', region_name='us-east-1')
+        regions = [region['RegionName'] for region in ec2_client.describe_regions()['Regions']]
+        print_info(f"🌍 Scanning {len(regions)} AWS regions for accessible VPCs...")
+        regions_with_vpcs = 0
+        for region in regions:
+            try:
+                regional_ec2 = self.session.client('ec2', region_name=region)
+                response = regional_ec2.describe_vpcs()
+                region_vpc_count = 0
+                for vpc in response['Vpcs']:
+                    # Enhanced VPC candidate with account detection
+                    candidate = VPCCleanupCandidate(
+                        vpc_id=vpc['VpcId'],
+                        region=region,
+                        state=vpc['State'],
+                        cidr_block=vpc['CidrBlock'],
+                        is_default=vpc.get('IsDefault', False),
+                        account_id=self._detect_vpc_account_id(vpc),  # Enhanced account detection
+                        dependency_analysis=VPCDependencyAnalysis(
+                            vpc_id=vpc['VpcId'],
+                            region=region,
+                            is_default_vpc=vpc.get('IsDefault', False)
+                        ),
+                        tags={tag['Key']: tag['Value'] for tag in vpc.get('Tags', [])}
+                    )
+                    vpc_candidates.append(candidate)
+                    region_vpc_count += 1
+                if region_vpc_count > 0:
+                    regions_with_vpcs += 1
+            except ClientError as e:
+                if "UnauthorizedOperation" in str(e):
+                    print_warning(f"No access to region {region} (expected for cross-account)")
+                else:
+                    print_warning(f"Could not access region {region}: {e}")
+        print_success(f"✅ Discovered {len(vpc_candidates)} VPCs across {regions_with_vpcs} accessible regions")
+        print_info(f"📊 Organization context: {len(account_ids)} accounts in scope")
+        return vpc_candidates
+    def _detect_vpc_account_id(self, vpc_data: Dict[str, Any]) -> Optional[str]:
+        """
+        Detect account ID for VPC (enhanced for multi-account context).
+        In multi-account scenarios, VPC ARN or tags may contain account information.
+        """
+        # Try to extract account ID from VPC ARN if available
+        if 'VpcArn' in vpc_data:
+            # VPC ARN format: arn:aws:ec2:region:account-id:vpc/vpc-id
+            arn_parts = vpc_data['VpcArn'].split(':')
+            if len(arn_parts) >= 5:
+                return arn_parts[4]
+        # Fallback: Try to get from current session context
+        try:
+            sts_client = self.session.client('sts')
+            response = sts_client.get_caller_identity()
+            return response.get('Account')
+        except Exception:
+            return None
     def _discover_vpc_candidates(self) -> List[VPCCleanupCandidate]:
         """Discover VPC candidates across all AWS regions."""
         vpc_candidates = []
@@ -295,6 +560,9 @@ class VPCCleanupOptimizer:
                         candidate.dependency_analysis
                     )
+                    # Enhanced data collection for new fields
+                    self._collect_enhanced_vpc_data(candidate, ec2_client)
                     analyzed_candidates.append(candidate)
                 except ClientError as e:
@@ -307,20 +575,140 @@ class VPCCleanupOptimizer:
         return analyzed_candidates
     def _calculate_dependency_risk(self, dependency_analysis: VPCDependencyAnalysis) -> str:
-        """Calculate dependency risk level based on VPC resource analysis."""
-        # Bucket 1: Internal data plane (Low Risk)
-        if (dependency_analysis.eni_count == 0 and
-            len(dependency_analysis.nat_gateways) == 0 and
-            len(dependency_analysis.vpc_endpoints) == 0 and
-            len(dependency_analysis.peering_connections) == 0):
-            return "low"
-        # Bucket 3: Control plane (High Risk - Default VPC)
+        """
+        Calculate dependency risk level based on VPC resource analysis.
+        CRITICAL FIX: Prioritize ENI count = 0 for safe Bucket 1 classification.
+        NO-ENI VPCs are inherently safe regardless of other infrastructure present.
+        """
+        # PRIORITY 1: NO-ENI VPCs are inherently low risk (safe for immediate deletion)
+        # This overrides all other factors - if no ENI attachments, no active workloads depend on it
+        if dependency_analysis.eni_count == 0:
+            return "low"  # Safe for Bucket 1 - Ready for deletion
+        # PRIORITY 2: Default VPCs always require careful handling
         if dependency_analysis.is_default_vpc:
-            return "high"
+            return "high"  # Bucket 3 - Manual review required
+        # PRIORITY 3: VPCs with ENI attachments require dependency analysis
+        # These have active workloads and need investigation
+        return "medium"  # Bucket 2 - Requires analysis
+    def _collect_enhanced_vpc_data(self, candidate: VPCCleanupCandidate, ec2_client) -> None:
+        """Collect enhanced VPC data for new fields."""
+        try:
+            # Get account ID from session
+            sts_client = self.session.client('sts', region_name=candidate.region)
+            account_info = sts_client.get_caller_identity()
+            candidate.account_id = account_info.get('Account')
+            # Detect flow logs
+            candidate.flow_logs_enabled = self._detect_flow_logs(candidate.vpc_id, ec2_client)
+            # Detect load balancers
+            candidate.load_balancers = self._detect_load_balancers(candidate.vpc_id, candidate.region)
+            # Analyze IaC indicators in tags
+            candidate.iac_detected = self._analyze_iac_tags(candidate.tags)
+            # Extract owner information from tags
+            candidate.owners_approvals = self._extract_owners_from_tags(candidate.tags)
+        except Exception as e:
+            print_warning(f"Enhanced data collection failed for VPC {candidate.vpc_id}: {e}")
+    def _detect_flow_logs(self, vpc_id: str, ec2_client) -> bool:
+        """Detect if VPC Flow Logs are enabled."""
+        try:
+            response = ec2_client.describe_flow_logs(
+                Filters=[
+                    {'Name': 'resource-id', 'Values': [vpc_id]},
+                    {'Name': 'resource-type', 'Values': ['VPC']}
+                ]
+            )
+            return len(response['FlowLogs']) > 0
+        except Exception as e:
+            print_warning(f"Flow logs detection failed for VPC {vpc_id}: {e}")
+            return False
+    def _detect_load_balancers(self, vpc_id: str, region: str) -> List[str]:
+        """Detect load balancers associated with the VPC."""
+        load_balancers = []
+        try:
+            # Check Application/Network Load Balancers (ELBv2)
+            elbv2_client = self.session.client('elbv2', region_name=region)
+            response = elbv2_client.describe_load_balancers()
+            for lb in response['LoadBalancers']:
+                if lb.get('VpcId') == vpc_id:
+                    load_balancers.append(lb['LoadBalancerArn'])
+        except Exception as e:
+            print_warning(f"ELBv2 load balancer detection failed for VPC {vpc_id}: {e}")
+        try:
+            # Check Classic Load Balancers (ELB)
+            elb_client = self.session.client('elb', region_name=region)
+            response = elb_client.describe_load_balancers()
+            for lb in response['LoadBalancerDescriptions']:
+                if lb.get('VPCId') == vpc_id:
+                    load_balancers.append(lb['LoadBalancerName'])
+        except Exception as e:
+            print_warning(f"Classic load balancer detection failed for VPC {vpc_id}: {e}")
+        return load_balancers
+    def _analyze_iac_tags(self, tags: Dict[str, str]) -> bool:
+        """Analyze tags for Infrastructure as Code indicators."""
+        iac_indicators = [
+            'terraform', 'cloudformation', 'cdk', 'pulumi', 'ansible',
+            'created-by', 'managed-by', 'provisioned-by', 'stack-name',
+            'aws:cloudformation:', 'terraform:', 'cdk:'
+        ]
+        # Check tag keys and values for IaC indicators
+        all_tag_text = ' '.join([
+            f"{key} {value}" for key, value in tags.items()
+        ]).lower()
-        # Bucket 2: External interconnects (Medium Risk)
-        return "medium"
+        return any(indicator in all_tag_text for indicator in iac_indicators)
+    def _extract_owners_from_tags(self, tags: Dict[str, str]) -> List[str]:
+        """Extract owner/approval information from tags with enhanced patterns."""
+        owners = []
+        # Enhanced owner key patterns - Common AWS tagging patterns
+        owner_keys = [
+            'Owner', 'owner', 'OWNER',  # Direct owner tags
+            'CreatedBy', 'createdby', 'Created-By', 'created-by',  # Creator tags
+            'ManagedBy', 'managedby', 'Managed-By', 'managed-by',  # Management tags
+            'Team', 'team', 'TEAM',  # Team tags
+            'Contact', 'contact', 'CONTACT',  # Contact tags
+            'BusinessOwner', 'business-owner', 'business_owner',  # Business owner
+            'TechnicalOwner', 'technical-owner', 'technical_owner',  # Technical owner
+            'Approver', 'approver', 'APPROVER'  # Approval tags
+        ]
+        for key in owner_keys:
+            if key in tags and tags[key]:
+                # Split multiple owners if comma-separated
+                owner_values = [owner.strip() for owner in tags[key].split(',')]
+                owners.extend(owner_values)
+        # Format owners with role context if identifiable
+        formatted_owners = []
+        for owner in owners:
+            if any(business_key in owner.lower() for business_key in ['business', 'manager', 'finance']):
+                formatted_owners.append(f"{owner} (Business)")
+            elif any(tech_key in owner.lower() for tech_key in ['ops', 'devops', 'engineering', 'tech']):
+                formatted_owners.append(f"{owner} (Technical)")
+            else:
+                formatted_owners.append(owner)
+        return list(set(formatted_owners))  # Remove duplicates
     def _classify_three_bucket_strategy(self, candidates: List[VPCCleanupCandidate]) -> Dict[str, List[VPCCleanupCandidate]]:
         """Classify VPCs using AWSO-05 three-bucket strategy."""
@@ -333,25 +721,24 @@ class VPCCleanupOptimizer:
         for candidate in candidates:
             dependency = candidate.dependency_analysis
-            # Bucket 1: Internal data plane (High Safety)
-            if (dependency.eni_count == 0 and
-                dependency.dependency_risk_level == "low" and
-                not dependency.is_default_vpc):
+            # PRIORITY 1: ENI count = 0 takes precedence (safety-first approach)
+            # NO-ENI VPCs are inherently safe regardless of default status
+            if dependency.eni_count == 0 and dependency.dependency_risk_level == "low":
                 candidate.cleanup_bucket = "internal"
                 candidate.cleanup_recommendation = "ready"
                 candidate.risk_assessment = "low"
                 candidate.business_impact = "minimal"
                 bucket_1_internal.append(candidate)
-            # Bucket 3: Control plane (Requires careful handling)
-            elif dependency.is_default_vpc:
+            # PRIORITY 2: Default VPCs with ENI attachments need careful handling
+            elif dependency.is_default_vpc and dependency.eni_count > 0:
                 candidate.cleanup_bucket = "control"
                 candidate.cleanup_recommendation = "manual_review"
                 candidate.risk_assessment = "high"
                 candidate.business_impact = "significant"
                 bucket_3_control.append(candidate)
-            # Bucket 2: External interconnects (Medium safety)
+            # PRIORITY 3: Non-default VPCs with ENI attachments require analysis
             else:
                 candidate.cleanup_bucket = "external"
                 candidate.cleanup_recommendation = "investigate"
@@ -372,13 +759,82 @@ class VPCCleanupOptimizer:
         return classification_results
+    def _ensure_no_eni_bucket_1_classification(self, bucket_classification: Dict[str, List[VPCCleanupCandidate]]) -> Dict[str, List[VPCCleanupCandidate]]:
+        """
+        Ensure NO-ENI VPCs remain in Bucket 1 after security assessment.
+        CRITICAL FIX: Security assessment may have modified VPC properties, but
+        NO-ENI VPCs (ENI count = 0) should ALWAYS remain in Bucket 1 regardless
+        of default status or security findings. They are inherently safe.
+        """
+        print_info("🔧 Ensuring NO-ENI VPCs remain in Bucket 1 (safety-first approach)...")
+        # Create new bucket structure
+        new_bucket_1 = []
+        new_bucket_2 = []
+        new_bucket_3 = []
+        # Collect all VPCs from all buckets
+        all_vpcs = []
+        for bucket_vpcs in bucket_classification.values():
+            all_vpcs.extend(bucket_vpcs)
+        # Re-classify with NO-ENI priority
+        for candidate in all_vpcs:
+            # PRIORITY 1: NO-ENI VPCs ALWAYS go to Bucket 1 (overrides all other factors)
+            if candidate.dependency_analysis.eni_count == 0:
+                # Ensure NO-ENI VPCs maintain Bucket 1 properties
+                candidate.cleanup_bucket = "internal"
+                candidate.cleanup_recommendation = "ready"
+                candidate.risk_assessment = "low"
+                candidate.business_impact = "minimal"
+                new_bucket_1.append(candidate)
+            # PRIORITY 2: Default VPCs with ENI attachments go to Bucket 3
+            elif candidate.is_default and candidate.dependency_analysis.eni_count > 0:
+                candidate.cleanup_bucket = "control"
+                candidate.cleanup_recommendation = "manual_review"
+                candidate.risk_assessment = "high"
+                candidate.business_impact = "significant"
+                new_bucket_3.append(candidate)
+            # PRIORITY 3: All other VPCs go to Bucket 2
+            else:
+                candidate.cleanup_bucket = "external"
+                candidate.cleanup_recommendation = "investigate"
+                candidate.risk_assessment = "medium"
+                candidate.business_impact = "moderate"
+                new_bucket_2.append(candidate)
+        corrected_classification = {
+            "bucket_1_internal": new_bucket_1,
+            "bucket_2_external": new_bucket_2,
+            "bucket_3_control": new_bucket_3
+        }
+        # Log corrections if any VPCs were moved
+        original_b1_count = len(bucket_classification["bucket_1_internal"])
+        original_b3_count = len(bucket_classification["bucket_3_control"])
+        new_b1_count = len(new_bucket_1)
+        new_b3_count = len(new_bucket_3)
+        if original_b1_count != new_b1_count or original_b3_count != new_b3_count:
+            print_warning(f"🔧 Bucket re-classification applied:")
+            print_info(f"   • Bucket 1: {original_b1_count} → {new_b1_count} VPCs")
+            print_info(f"   • Bucket 3: {original_b3_count} → {new_b3_count} VPCs")
+            print_success("✅ NO-ENI VPCs prioritized for Bucket 1 (safety-first)")
+        else:
+            print_success("✅ NO-ENI VPC classification already correct")
+        return corrected_classification
     def _perform_vpc_security_assessment(self, candidates: List[VPCCleanupCandidate]) -> Dict[str, Any]:
         """Perform comprehensive VPC security assessment using enterprise security module."""
         print_info("🔒 Performing comprehensive VPC security assessment...")
         try:
-            # Initialize enterprise security module
-            security_module = EnterpriseSecurityModule(profile=self.profile)
+            # Initialize enterprise security framework
+            security_framework = EnterpriseSecurityFramework(profile=self.profile)
             security_results = {
                 "assessed_vpcs": 0,
@@ -401,19 +857,30 @@ class VPCCleanupOptimizer:
                 for candidate in candidates:
                     try:
                         # Enhanced security assessment for each VPC
-                        vpc_security = self._assess_individual_vpc_security(candidate, security_module)
+                        vpc_security = self._assess_individual_vpc_security(candidate, security_framework)
                         # Classify security risk level
+                        # CRITICAL FIX: Don't override NO-ENI VPC classifications (they're inherently safe)
+                        # NO-ENI VPCs should remain in Bucket 1 regardless of default status
                         if candidate.is_default or vpc_security["high_risk_findings"] > 2:
                             security_results["security_risks"]["high_risk"].append(candidate.vpc_id)
-                            candidate.risk_assessment = "high"
-                            candidate.cleanup_recommendation = "manual_review"
+                            # Only override classification if VPC has ENI attachments
+                            # NO-ENI VPCs (ENI count = 0) remain safe for Bucket 1 regardless of default status
+                            if candidate.dependency_analysis.eni_count > 0:
+                                candidate.risk_assessment = "high"
+                                candidate.cleanup_recommendation = "manual_review"
+                            # NO-ENI VPCs keep their original Bucket 1 classification
                         elif vpc_security["medium_risk_findings"] > 1:
                             security_results["security_risks"]["medium_risk"].append(candidate.vpc_id)
-                            candidate.risk_assessment = "medium"
+                            # Only override classification if VPC has ENI attachments
+                            if candidate.dependency_analysis.eni_count > 0:
+                                candidate.risk_assessment = "medium"
                         else:
                             security_results["security_risks"]["low_risk"].append(candidate.vpc_id)
-                            candidate.risk_assessment = "low"
+                            # Only override classification if VPC has ENI attachments
+                            if candidate.dependency_analysis.eni_count > 0:
+                                candidate.risk_assessment = "low"
                         # Track compliance issues
                         if candidate.is_default:
@@ -447,7 +914,7 @@ class VPCCleanupOptimizer:
             print_error(f"Security assessment failed: {e}")
             return {"error": str(e), "assessed_vpcs": 0}
-    def _assess_individual_vpc_security(self, candidate: VPCCleanupCandidate, security_module) -> Dict[str, Any]:
+    def _assess_individual_vpc_security(self, candidate: VPCCleanupCandidate, security_framework) -> Dict[str, Any]:
         """Assess individual VPC security posture."""
         security_findings = {
             "high_risk_findings": 0,
@@ -613,7 +1080,16 @@ class VPCCleanupOptimizer:
             total_annual_savings=cost_analysis["total_annual_savings"],
             mcp_validation_accuracy=validation_results["overall_accuracy"],
             analysis_timestamp=datetime.now(),
-            security_assessment=security_assessment
+            security_assessment=security_assessment,
+            multi_account_context={
+                'total_accounts_analyzed': 1,
+                'accounts_with_vpcs': 1 if all_candidates else 0,
+                'organization_id': 'single_account_analysis',
+                'accounts': [{'account_id': 'current', 'account_name': 'current', 'status': 'active'}],
+                'vpc_count_by_account': {'current': len(all_candidates)},
+                'analysis_scope': 'single_account',
+                'profile_access_scope': self.profile
+            }
         )
         # Generate SHA256 evidence hash for audit compliance
@@ -760,6 +1236,9 @@ class VPCCleanupOptimizer:
             ready_table.add_column("Region", style="blue", width=12)
             ready_table.add_column("CIDR Block", style="yellow", width=18)
             ready_table.add_column("ENI Count", justify="right", style="green")
+            ready_table.add_column("Flow Logs", justify="center", style="magenta")
+            ready_table.add_column("Load Balancers", justify="right", style="red")
+            ready_table.add_column("IaC", justify="center", style="cyan")
             ready_table.add_column("Annual Savings", justify="right", style="green")
             for candidate in results.bucket_1_internal[:10]:  # Show first 10
@@ -768,6 +1247,9 @@ class VPCCleanupOptimizer:
                     candidate.region,
                     candidate.cidr_block,
                     str(candidate.dependency_analysis.eni_count),
+                    "✅" if candidate.flow_logs_enabled else "❌",
+                    str(len(candidate.load_balancers)),
+                    "✅" if candidate.iac_detected else "❌",
                     format_cost(candidate.annual_savings)
                 )
@@ -784,7 +1266,11 @@ class VPCCleanupOptimizer:
 @click.option('--export', default='json', help='Export format: json, csv, pdf')
 @click.option('--evidence-bundle', is_flag=True, help='Generate SHA256 evidence bundle')
 @click.option('--dry-run', is_flag=True, default=True, help='Perform analysis only (default: true)')
-def vpc_cleanup_command(profile: str, export: str, evidence_bundle: bool, dry_run: bool):
+@click.option('--no-eni-only', is_flag=True, help='Show only VPCs with zero ENI attachments')
+@click.option('--filter', type=click.Choice(['none', 'default', 'all']), default='all',
+              help='Filter VPCs: none=no resources, default=default VPCs only, all=show all')
+def vpc_cleanup_command(profile: str, export: str, evidence_bundle: bool, dry_run: bool,
+                       no_eni_only: bool, filter: str):
     """
     AWSO-05 VPC Cleanup Cost Optimization Engine
@@ -798,13 +1284,28 @@ def vpc_cleanup_command(profile: str, export: str, evidence_bundle: bool, dry_ru
     try:
         optimizer = VPCCleanupOptimizer(profile=profile)
-        results = optimizer.analyze_vpc_cleanup_opportunities()
+        results = optimizer.analyze_vpc_cleanup_opportunities(
+            no_eni_only=no_eni_only,
+            filter_type=filter
+        )
         if evidence_bundle:
             print_info(f"📁 Evidence bundle generated: SHA256 {results.evidence_hash}")
         if export:
-            print_info(f"📊 Export format: {export} (implementation pending)")
+            from .vpc_cleanup_exporter import export_vpc_cleanup_results
+            export_formats = [format.strip() for format in export.split(',')]
+            export_results = export_vpc_cleanup_results(
+                results,
+                export_formats=export_formats,
+                output_dir="./tmp"
+            )
+            for format_type, filename in export_results.items():
+                if filename:
+                    print_success(f"📄 {format_type.upper()} export: {filename}")
+                else:
+                    print_warning(f"⚠️ {format_type.upper()} export failed")
         print_success("🎯 AWSO-05 VPC cleanup analysis completed successfully")

runbooks 0.9.8__py3-none-any.whl → 0.9.9__py3-none-any.whl

runbooks 0.9.8py3-none-any.whl → 0.9.9py3-none-any.whl