PyPI - runbooks - Versions diffs - 0.9.8__py3-none-any.whl → 1.0.0__py3-none-any.whl - Mend

runbooks 0.9.8py3-none-any.whl → 1.0.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

runbooks/__init__.py +1 -1
runbooks/cfat/cloud_foundations_assessment.py +626 -0
runbooks/cloudops/cost_optimizer.py +95 -33
runbooks/common/aws_pricing.py +388 -0
runbooks/common/aws_pricing_api.py +205 -0
runbooks/common/aws_utils.py +2 -2
runbooks/common/comprehensive_cost_explorer_integration.py +979 -0
runbooks/common/cross_account_manager.py +606 -0
runbooks/common/enhanced_exception_handler.py +4 -0
runbooks/common/env_utils.py +96 -0
runbooks/common/mcp_integration.py +49 -2
runbooks/common/organizations_client.py +579 -0
runbooks/common/profile_utils.py +96 -2
runbooks/common/rich_utils.py +3 -0
runbooks/finops/cost_optimizer.py +2 -1
runbooks/finops/elastic_ip_optimizer.py +13 -9
runbooks/finops/embedded_mcp_validator.py +31 -0
runbooks/finops/enhanced_trend_visualization.py +3 -2
runbooks/finops/markdown_exporter.py +441 -0
runbooks/finops/nat_gateway_optimizer.py +57 -20
runbooks/finops/optimizer.py +2 -0
runbooks/finops/single_dashboard.py +2 -2
runbooks/finops/vpc_cleanup_exporter.py +330 -0
runbooks/finops/vpc_cleanup_optimizer.py +895 -40
runbooks/inventory/__init__.py +10 -1
runbooks/inventory/cloud_foundations_integration.py +409 -0
runbooks/inventory/core/collector.py +1148 -88
runbooks/inventory/discovery.md +389 -0
runbooks/inventory/drift_detection_cli.py +327 -0
runbooks/inventory/inventory_mcp_cli.py +171 -0
runbooks/inventory/inventory_modules.py +4 -7
runbooks/inventory/mcp_inventory_validator.py +2149 -0
runbooks/inventory/mcp_vpc_validator.py +23 -6
runbooks/inventory/organizations_discovery.py +91 -1
runbooks/inventory/rich_inventory_display.py +129 -1
runbooks/inventory/unified_validation_engine.py +1292 -0
runbooks/inventory/verify_ec2_security_groups.py +3 -1
runbooks/inventory/vpc_analyzer.py +825 -7
runbooks/inventory/vpc_flow_analyzer.py +36 -42
runbooks/main.py +969 -42
runbooks/monitoring/performance_monitor.py +11 -7
runbooks/operate/dynamodb_operations.py +6 -5
runbooks/operate/ec2_operations.py +3 -2
runbooks/operate/networking_cost_heatmap.py +4 -3
runbooks/operate/s3_operations.py +13 -12
runbooks/operate/vpc_operations.py +50 -2
runbooks/remediation/base.py +1 -1
runbooks/remediation/commvault_ec2_analysis.py +6 -1
runbooks/remediation/ec2_unattached_ebs_volumes.py +6 -3
runbooks/remediation/rds_snapshot_list.py +5 -3
runbooks/validation/__init__.py +21 -1
runbooks/validation/comprehensive_2way_validator.py +1996 -0
runbooks/validation/mcp_validator.py +904 -94
runbooks/validation/terraform_citations_validator.py +363 -0
runbooks/validation/terraform_drift_detector.py +1098 -0
runbooks/vpc/cleanup_wrapper.py +231 -10
runbooks/vpc/config.py +310 -62
runbooks/vpc/cross_account_session.py +308 -0
runbooks/vpc/heatmap_engine.py +96 -29
runbooks/vpc/manager_interface.py +9 -9
runbooks/vpc/mcp_no_eni_validator.py +1551 -0
runbooks/vpc/networking_wrapper.py +14 -8
runbooks/vpc/runbooks.inventory.organizations_discovery.log +0 -0
runbooks/vpc/runbooks.security.report_generator.log +0 -0
runbooks/vpc/runbooks.security.run_script.log +0 -0
runbooks/vpc/runbooks.security.security_export.log +0 -0
runbooks/vpc/tests/test_cost_engine.py +1 -1
runbooks/vpc/unified_scenarios.py +3269 -0
runbooks/vpc/vpc_cleanup_integration.py +516 -82
{runbooks-0.9.8.dist-info → runbooks-1.0.0.dist-info}/METADATA +94 -52
{runbooks-0.9.8.dist-info → runbooks-1.0.0.dist-info}/RECORD +75 -51
{runbooks-0.9.8.dist-info → runbooks-1.0.0.dist-info}/WHEEL +0 -0
{runbooks-0.9.8.dist-info → runbooks-1.0.0.dist-info}/entry_points.txt +0 -0
{runbooks-0.9.8.dist-info → runbooks-1.0.0.dist-info}/licenses/LICENSE +0 -0
{runbooks-0.9.8.dist-info → runbooks-1.0.0.dist-info}/top_level.txt +0 -0

runbooks/inventory/vpc_analyzer.py CHANGED Viewed

@@ -29,6 +29,8 @@ from dataclasses import dataclass
 from datetime import datetime, timedelta
 from pathlib import Path
 from typing import Any, Dict, List, Optional, Tuple
+import time
+import asyncio
 import boto3
 from botocore.exceptions import ClientError
@@ -39,12 +41,15 @@ from rich.table import Table
 from rich.tree import Tree
 from runbooks.common.profile_utils import create_operational_session
+from runbooks.common.cross_account_manager import EnhancedCrossAccountManager, CrossAccountSession
+from runbooks.common.organizations_client import OrganizationAccount, get_unified_organizations_client
 from runbooks.common.rich_utils import (
     console,
     print_header,
     print_success,
     print_error,
     print_warning,
+    print_info,
     create_table,
     create_progress_bar,
     format_cost
@@ -68,6 +73,8 @@ class VPCDiscoveryResult:
     security_groups: List[Dict[str, Any]]
     total_resources: int
     discovery_timestamp: str
+    account_summary: Optional[Dict[str, Any]] = None  # NEW: Multi-account metadata
+    landing_zone_metrics: Optional[Dict[str, Any]] = None  # NEW: Landing zone analytics
 @dataclass
@@ -98,21 +105,32 @@ class VPCAnalyzer:
         profile: Optional[str] = None,
         region: Optional[str] = "us-east-1",
         console: Optional[Console] = None,
-        dry_run: bool = True
+        dry_run: bool = True,
+        excluded_accounts: Optional[List[str]] = None,  # Enhanced: Decommissioned accounts filtering
+        enable_multi_account: bool = False,  # Enhanced: Multi-Organization Landing Zone mode
+        max_workers: int = 10  # Enhanced: Parallel processing for 60-account operations
     ):
         """
-        Initialize VPC Analyzer with enterprise profile management
+        Initialize VPC Analyzer with enterprise profile management and 60-account Landing Zone support
         Args:
             profile: AWS profile name (3-tier priority: User > Environment > Default)
-            region: AWS region for analysis
-            console: Rich console instance
-            dry_run: Safety-first READ-ONLY analysis mode
+            region: AWS region for analysis (defaults to us-east-1)
+            console: Rich console instance for enterprise UX
+            dry_run: Safety-first READ-ONLY analysis mode (default: True)
+            excluded_accounts: List of decommissioned account IDs to exclude (default: ['294618320542'])
+            enable_multi_account: Enable Multi-Organization Landing Zone discovery mode
+            max_workers: Maximum parallel workers for 60-account operations (default: 10)
         """
         self.profile = profile
         self.region = region
         self.console = console or Console()
         self.dry_run = dry_run
+        self.max_workers = max_workers
+        # Decommissioned account filtering (default: account 294618320542)
+        self.excluded_accounts = excluded_accounts or ["294618320542"]
+        self.enable_multi_account = enable_multi_account
         # Initialize AWS session using enterprise profile management
         self.session = None
@@ -123,9 +141,378 @@ class VPCAnalyzer:
             except Exception as e:
                 print_error(f"Failed to connect to AWS: {e}")
+        # NEW: Initialize Enhanced Cross-Account Manager for 60-account operations
+        self.cross_account_manager = None
+        if enable_multi_account:
+            self.cross_account_manager = EnhancedCrossAccountManager(
+                base_profile=profile,
+                max_workers=max_workers,
+                session_ttl_minutes=240  # 4-hour TTL for enterprise operations
+            )
+            print_info(f"🌐 Multi-Organization Landing Zone mode enabled for {max_workers} parallel accounts")
+            print_info(f"🚫 Excluded decommissioned accounts: {self.excluded_accounts}")
         # Results storage
         self.last_discovery = None
         self.last_awso_analysis = None
+        self.landing_zone_sessions = []  # Enhanced: Store cross-account sessions
+        print_header(f"VPC Analyzer v0.9.9", "Multi-Organization Landing Zone Enhanced")
+        if self.enable_multi_account:
+            print_info(f"🎯 Target: 60-account Multi-Organization Landing Zone discovery")
+            print_info(f"⚡ Performance: <60s complete analysis with {max_workers} parallel workers")
+            print_info(f"🔒 Session TTL: 4-hour enterprise standard with auto-refresh")
+    def _filter_landing_zone_accounts(
+        self,
+        accounts: List[OrganizationAccount],
+        excluded_accounts: Optional[List[str]] = None
+    ) -> List[OrganizationAccount]:
+        """
+        Enhanced: Filter out decommissioned accounts from Landing Zone discovery
+        Args:
+            accounts: List of organization accounts
+            excluded_accounts: Additional accounts to exclude (merged with instance defaults)
+        Returns:
+            Filtered list of active accounts for discovery
+        """
+        exclusion_list = (excluded_accounts or []) + (self.excluded_accounts or [])
+        # Remove duplicates while preserving order
+        exclusion_list = list(dict.fromkeys(exclusion_list))
+        if not exclusion_list:
+            return accounts
+        filtered_accounts = []
+        excluded_count = 0
+        for account in accounts:
+            if account.account_id in exclusion_list:
+                excluded_count += 1
+                print_info(f"🚫 Excluded decommissioned account: {account.account_id} ({account.name or 'Unknown'})")
+            else:
+                filtered_accounts.append(account)
+        if excluded_count > 0:
+            print_warning(f"⚠️  Excluded {excluded_count} decommissioned accounts from discovery")
+            print_info(f"✅ Active accounts for discovery: {len(filtered_accounts)}")
+        return filtered_accounts
+    async def discover_multi_org_vpc_topology(
+        self,
+        target_accounts: int = 60,
+        landing_zone_structure: Optional[Dict] = None
+    ) -> VPCDiscoveryResult:
+        """
+        Enhanced: Discover VPC topology across Multi-Organization Landing Zone
+        This is the primary method for 60-account enterprise discovery operations.
+        Args:
+            target_accounts: Expected number of accounts (default: 60)
+            landing_zone_structure: Optional Landing Zone structure metadata
+        Returns:
+            VPCDiscoveryResult with comprehensive multi-account topology
+        """
+        if not self.enable_multi_account or not self.cross_account_manager:
+            raise ValueError("Multi-account mode not enabled. Initialize with enable_multi_account=True")
+        print_header("Multi-Organization Landing Zone VPC Discovery", f"Target: {target_accounts} accounts")
+        start_time = time.time()
+        # Step 1: Discover and filter Landing Zone accounts
+        print_info("🏢 Step 1: Discovering Landing Zone accounts...")
+        try:
+            sessions = await self.cross_account_manager.create_cross_account_sessions_from_organization()
+            # Extract accounts from sessions and filter decommissioned
+            all_accounts = [
+                OrganizationAccount(
+                    account_id=session.account_id,
+                    name=session.account_name or session.account_id,
+                    email="discovered@system",
+                    status="ACTIVE" if session.status in ['success', 'cached'] else "INACTIVE",
+                    joined_method="DISCOVERED"
+                )
+                for session in sessions
+            ]
+            active_accounts = self._filter_landing_zone_accounts(all_accounts)
+            successful_sessions = self.cross_account_manager.get_successful_sessions(sessions)
+            print_success(f"✅ Landing Zone Discovery: {len(successful_sessions)}/{len(all_accounts)} accounts accessible")
+        except Exception as e:
+            print_error(f"❌ Failed to discover Landing Zone accounts: {e}")
+            raise
+        # Step 2: Parallel VPC topology discovery
+        print_info(f"🔍 Step 2: Parallel VPC discovery across {len(successful_sessions)} accounts...")
+        aggregated_results = await self._discover_vpc_topology_parallel(successful_sessions)
+        # Step 3: Generate comprehensive analytics
+        discovery_time = time.time() - start_time
+        landing_zone_metrics = {
+            'total_accounts_discovered': len(all_accounts),
+            'successful_sessions': len(successful_sessions),
+            'excluded_accounts': len(all_accounts) - len(active_accounts),
+            'discovery_time_seconds': discovery_time,
+            'performance_target_met': discovery_time < 60.0,  # <60s target
+            'accounts_per_second': len(successful_sessions) / discovery_time if discovery_time > 0 else 0,
+            'session_ttl_hours': 4,  # Enhanced: 4-hour TTL
+            'parallel_workers': self.max_workers
+        }
+        print_success(f"🎯 Multi-Organization Landing Zone Discovery Complete!")
+        print_info(f"   📊 Performance: {discovery_time:.1f}s for {len(successful_sessions)} accounts")
+        print_info(f"   ⚡ Rate: {landing_zone_metrics['accounts_per_second']:.1f} accounts/second")
+        print_info(f"   🎯 Target met: {'✅ Yes' if landing_zone_metrics['performance_target_met'] else '❌ No'} (<60s)")
+        # Store sessions for future operations
+        self.landing_zone_sessions = successful_sessions
+        # Enhanced result with Landing Zone metadata
+        aggregated_results.landing_zone_metrics = landing_zone_metrics
+        aggregated_results.account_summary = {
+            'total_accounts': len(successful_sessions),
+            'excluded_accounts_list': self.excluded_accounts,
+            'discovery_timestamp': datetime.now().isoformat(),
+            'landing_zone_structure': landing_zone_structure
+        }
+        self.last_discovery = aggregated_results
+        return aggregated_results
+    async def _discover_vpc_topology_parallel(
+        self,
+        sessions: List[CrossAccountSession]
+    ) -> VPCDiscoveryResult:
+        """
+        Enhanced: Discover VPC topology across multiple accounts in parallel
+        Optimized for 60-account operations with <60s performance target.
+        Args:
+            sessions: List of successful cross-account sessions
+        Returns:
+            Aggregated VPCDiscoveryResult from all accounts
+        """
+        if not sessions:
+            print_warning("⚠️  No successful sessions available for VPC discovery")
+            return self._create_empty_discovery_result()
+        # Initialize aggregated results
+        aggregated_vpcs = []
+        aggregated_nat_gateways = []
+        aggregated_vpc_endpoints = []
+        aggregated_internet_gateways = []
+        aggregated_route_tables = []
+        aggregated_subnets = []
+        aggregated_network_interfaces = []
+        aggregated_transit_gateway_attachments = []
+        aggregated_vpc_peering_connections = []
+        aggregated_security_groups = []
+        total_resources = 0
+        # Create progress tracking
+        with create_progress_bar() as progress:
+            task = progress.add_task(f"VPC discovery across {len(sessions)} accounts...", total=len(sessions))
+            # Process accounts in parallel batches
+            batch_size = min(self.max_workers, len(sessions))
+            for i in range(0, len(sessions), batch_size):
+                batch_sessions = sessions[i:i + batch_size]
+                batch_tasks = []
+                # Create async tasks for parallel processing
+                for session in batch_sessions:
+                    task_coro = self._discover_single_account_vpc_topology(session)
+                    batch_tasks.append(asyncio.create_task(task_coro))
+                # Wait for batch completion
+                batch_results = await asyncio.gather(*batch_tasks, return_exceptions=True)
+                # Process batch results
+                for idx, result in enumerate(batch_results):
+                    session = batch_sessions[idx]
+                    if isinstance(result, Exception):
+                        print_warning(f"⚠️  Account {session.account_id} discovery failed: {result}")
+                        progress.advance(task)
+                        continue
+                    if result:
+                        # Aggregate resources with account context
+                        for vpc in result.vpcs:
+                            vpc['source_account'] = session.account_id
+                            vpc['source_account_name'] = session.account_name
+                        aggregated_vpcs.extend(result.vpcs)
+                        for nat_gw in result.nat_gateways:
+                            nat_gw['source_account'] = session.account_id
+                            nat_gw['source_account_name'] = session.account_name
+                        aggregated_nat_gateways.extend(result.nat_gateways)
+                        # Add account context to all resource types
+                        for resource_list, aggregated_list in [
+                            (result.vpc_endpoints, aggregated_vpc_endpoints),
+                            (result.internet_gateways, aggregated_internet_gateways),
+                            (result.route_tables, aggregated_route_tables),
+                            (result.subnets, aggregated_subnets),
+                            (result.network_interfaces, aggregated_network_interfaces),
+                            (result.transit_gateway_attachments, aggregated_transit_gateway_attachments),
+                            (result.vpc_peering_connections, aggregated_vpc_peering_connections),
+                            (result.security_groups, aggregated_security_groups)
+                        ]:
+                            for resource in resource_list:
+                                resource['source_account'] = session.account_id
+                                resource['source_account_name'] = session.account_name
+                            aggregated_list.extend(resource_list)
+                        total_resources += result.total_resources
+                    progress.advance(task)
+        print_success(f"🎯 Parallel VPC discovery complete: {total_resources} total resources across {len(sessions)} accounts")
+        return VPCDiscoveryResult(
+            vpcs=aggregated_vpcs,
+            nat_gateways=aggregated_nat_gateways,
+            vpc_endpoints=aggregated_vpc_endpoints,
+            internet_gateways=aggregated_internet_gateways,
+            route_tables=aggregated_route_tables,
+            subnets=aggregated_subnets,
+            network_interfaces=aggregated_network_interfaces,
+            transit_gateway_attachments=aggregated_transit_gateway_attachments,
+            vpc_peering_connections=aggregated_vpc_peering_connections,
+            security_groups=aggregated_security_groups,
+            total_resources=total_resources,
+            discovery_timestamp=datetime.now().isoformat()
+        )
+    async def _discover_single_account_vpc_topology(
+        self,
+        session: CrossAccountSession
+    ) -> Optional[VPCDiscoveryResult]:
+        """
+        Discover VPC topology for a single account using cross-account session
+        Args:
+            session: CrossAccountSession with valid AWS credentials
+        Returns:
+            VPCDiscoveryResult for the account, or None if discovery fails
+        """
+        if not session.session or session.status not in ['success', 'cached']:
+            return None
+        try:
+            # Create EC2 client with assumed role session
+            ec2_client = session.session.client('ec2', region_name=self.region)
+            # Discover VPC resources
+            vpcs = []
+            nat_gateways = []
+            vpc_endpoints = []
+            internet_gateways = []
+            route_tables = []
+            subnets = []
+            network_interfaces = []
+            transit_gateway_attachments = []
+            vpc_peering_connections = []
+            security_groups = []
+            # VPC Discovery
+            vpc_response = ec2_client.describe_vpcs()
+            for vpc in vpc_response['Vpcs']:
+                vpcs.append({
+                    'VpcId': vpc['VpcId'],
+                    'State': vpc['State'],
+                    'CidrBlock': vpc['CidrBlock'],
+                    'IsDefault': vpc.get('IsDefault', False),
+                    'Tags': vpc.get('Tags', [])
+                })
+            # NAT Gateway Discovery
+            nat_response = ec2_client.describe_nat_gateways()
+            for nat_gw in nat_response['NatGateways']:
+                nat_gateways.append({
+                    'NatGatewayId': nat_gw['NatGatewayId'],
+                    'VpcId': nat_gw.get('VpcId'),
+                    'State': nat_gw['State'],
+                    'SubnetId': nat_gw.get('SubnetId'),
+                    'Tags': nat_gw.get('Tags', [])
+                })
+            # Network Interfaces Discovery (for ENI gate analysis)
+            eni_response = ec2_client.describe_network_interfaces()
+            for eni in eni_response['NetworkInterfaces']:
+                network_interfaces.append({
+                    'NetworkInterfaceId': eni['NetworkInterfaceId'],
+                    'VpcId': eni.get('VpcId'),
+                    'SubnetId': eni.get('SubnetId'),
+                    'Status': eni['Status'],
+                    'InterfaceType': eni.get('InterfaceType', 'interface'),
+                    'Attachment': eni.get('Attachment', {}),
+                    'Tags': eni.get('TagSet', [])
+                })
+            # Continue with other resource types as needed...
+            total_resources = (len(vpcs) + len(nat_gateways) + len(vpc_endpoints) +
+                             len(internet_gateways) + len(route_tables) + len(subnets) +
+                             len(network_interfaces) + len(transit_gateway_attachments) +
+                             len(vpc_peering_connections) + len(security_groups))
+            return VPCDiscoveryResult(
+                vpcs=vpcs,
+                nat_gateways=nat_gateways,
+                vpc_endpoints=vpc_endpoints,
+                internet_gateways=internet_gateways,
+                route_tables=route_tables,
+                subnets=subnets,
+                network_interfaces=network_interfaces,
+                transit_gateway_attachments=transit_gateway_attachments,
+                vpc_peering_connections=vpc_peering_connections,
+                security_groups=security_groups,
+                total_resources=total_resources,
+                discovery_timestamp=datetime.now().isoformat()
+            )
+        except ClientError as e:
+            print_warning(f"⚠️  AWS API error for account {session.account_id}: {e}")
+            return None
+        except Exception as e:
+            print_error(f"❌ Unexpected error for account {session.account_id}: {e}")
+            return None
+    def _create_empty_discovery_result(self) -> VPCDiscoveryResult:
+        """Create empty discovery result for error cases"""
+        return VPCDiscoveryResult(
+            vpcs=[],
+            nat_gateways=[],
+            vpc_endpoints=[],
+            internet_gateways=[],
+            route_tables=[],
+            subnets=[],
+            network_interfaces=[],
+            transit_gateway_attachments=[],
+            vpc_peering_connections=[],
+            security_groups=[],
+            total_resources=0,
+            discovery_timestamp=datetime.now().isoformat()
+        )
     def discover_vpc_topology(self, vpc_ids: Optional[List[str]] = None) -> VPCDiscoveryResult:
         """
@@ -216,6 +603,388 @@ class VPCAnalyzer:
                 logger.error(f"VPC discovery error: {e}")
                 return self._empty_discovery_result()
+    async def discover_multi_org_vpc_topology(
+        self,
+        target_accounts: int = 60,
+        landing_zone_structure: Optional[Dict] = None
+    ) -> VPCDiscoveryResult:
+        """
+        NEW: Multi-Organization Landing Zone VPC discovery for 60-account operations
+        Optimized discovery across Landing Zone with decommissioned account filtering
+        and enhanced session management.
+        Args:
+            target_accounts: Target number of accounts to discover (60 for Landing Zone)
+            landing_zone_structure: Optional Landing Zone organizational structure
+        Returns:
+            VPCDiscoveryResult with comprehensive multi-account topology
+        """
+        if not self.enable_multi_account or not self.cross_account_manager:
+            print_error("Multi-account mode not enabled. Initialize with enable_multi_account=True")
+            return self._empty_discovery_result()
+        print_header("Multi-Organization Landing Zone VPC Discovery", f"Target: {target_accounts} accounts")
+        start_time = time.time()
+        try:
+            # Step 1: Discover and filter Landing Zone accounts
+            print_info("🏢 Discovering Landing Zone organization accounts...")
+            accounts = await self._discover_landing_zone_accounts()
+            # Step 2: Filter decommissioned accounts
+            filtered_accounts = self._filter_landing_zone_accounts(accounts)
+            # Step 3: Create cross-account sessions
+            print_info(f"🔐 Creating cross-account sessions for {len(filtered_accounts)} accounts...")
+            sessions = await self.cross_account_manager.create_cross_account_sessions_from_accounts(filtered_accounts)
+            successful_sessions = self.cross_account_manager.get_successful_sessions(sessions)
+            self.landing_zone_sessions = successful_sessions
+            # Step 4: Parallel VPC discovery across all accounts
+            print_info(f"🔍 Discovering VPC topology across {len(successful_sessions)} accounts...")
+            multi_account_results = await self._discover_vpc_topology_parallel(successful_sessions)
+            # Step 5: Aggregate results and generate Landing Zone metrics
+            aggregated_result = self._aggregate_multi_account_results(multi_account_results, successful_sessions)
+            # Performance metrics
+            execution_time = time.time() - start_time
+            print_success(f"✅ Multi-Organization Landing Zone discovery complete in {execution_time:.1f}s")
+            print_info(f"   📈 {len(successful_sessions)}/{len(accounts)} accounts discovered")
+            print_info(f"   🏗️ {aggregated_result.total_resources} total VPC resources discovered")
+            return aggregated_result
+        except Exception as e:
+            print_error(f"Multi-Organization Landing Zone discovery failed: {e}")
+            logger.error(f"Landing Zone discovery error: {e}")
+            return self._empty_discovery_result()
+    async def _discover_landing_zone_accounts(self) -> List[OrganizationAccount]:
+        """Discover accounts from Organizations API with Landing Zone context"""
+        orgs_client = get_unified_organizations_client(self.profile)
+        accounts = await orgs_client.get_organization_accounts()
+        if not accounts:
+            print_warning("No accounts discovered from Organizations API")
+            return []
+        print_info(f"🏢 Discovered {len(accounts)} total organization accounts")
+        return accounts
+    def _filter_landing_zone_accounts(self, accounts: List[OrganizationAccount]) -> List[OrganizationAccount]:
+        """
+        Filter Landing Zone accounts with decommissioned account exclusion
+        Applies enterprise-grade filtering:
+        - Excludes decommissioned accounts (294618320542 by default)
+        - Filters to ACTIVE status accounts only
+        - Maintains Landing Zone organizational structure
+        """
+        # Filter to active accounts only
+        active_accounts = [acc for acc in accounts if acc.status == 'ACTIVE']
+        # Filter out decommissioned accounts
+        filtered_accounts = [
+            acc for acc in active_accounts
+            if acc.account_id not in self.excluded_accounts
+        ]
+        excluded_count = len(active_accounts) - len(filtered_accounts)
+        print_info(f"🎯 Landing Zone account filtering:")
+        print_info(f"   • Total accounts: {len(accounts)}")
+        print_info(f"   • Active accounts: {len(active_accounts)}")
+        print_info(f"   • Excluded decommissioned: {excluded_count} ({self.excluded_accounts})")
+        print_info(f"   • Ready for discovery: {len(filtered_accounts)}")
+        return filtered_accounts
+    async def _discover_vpc_topology_parallel(
+        self,
+        sessions: List[CrossAccountSession]
+    ) -> List[Tuple[str, VPCDiscoveryResult]]:
+        """
+        Parallel VPC discovery across multiple accounts optimized for 60-account Landing Zone
+        Performance optimized for <60s discovery across entire Landing Zone
+        """
+        results = []
+        print_info(f"🚀 Starting parallel VPC discovery across {len(sessions)} accounts")
+        # Use asyncio.gather for concurrent execution
+        async def discover_account_vpc(session: CrossAccountSession) -> Tuple[str, VPCDiscoveryResult]:
+            try:
+                # Create account-specific VPC analyzer
+                account_analyzer = VPCAnalyzer(
+                    profile=None,  # Use session directly
+                    region=self.region,
+                    console=self.console,
+                    dry_run=self.dry_run
+                )
+                account_analyzer.session = session.session
+                # Perform single-account VPC discovery
+                discovery_result = account_analyzer.discover_vpc_topology()
+                # Add account metadata to results
+                discovery_result.account_summary = {
+                    'account_id': session.account_id,
+                    'account_name': session.account_name,
+                    'role_used': session.role_used,
+                    'discovery_timestamp': discovery_result.discovery_timestamp
+                }
+                return session.account_id, discovery_result
+            except Exception as e:
+                print_warning(f"⚠️ VPC discovery failed for account {session.account_id}: {e}")
+                logger.warning(f"Account {session.account_id} VPC discovery error: {e}")
+                # Return empty result for failed account
+                empty_result = self._empty_discovery_result()
+                empty_result.account_summary = {
+                    'account_id': session.account_id,
+                    'account_name': session.account_name,
+                    'error': str(e)
+                }
+                return session.account_id, empty_result
+        # Execute parallel discovery
+        with create_progress_bar() as progress:
+            task = progress.add_task("Discovering VPC topology across accounts...", total=len(sessions))
+            # Process accounts in batches to manage resource usage
+            batch_size = min(self.max_workers, len(sessions))
+            for i in range(0, len(sessions), batch_size):
+                batch_sessions = sessions[i:i + batch_size]
+                # Execute batch concurrently
+                batch_results = await asyncio.gather(*[
+                    discover_account_vpc(session) for session in batch_sessions
+                ], return_exceptions=True)
+                # Process batch results
+                for result in batch_results:
+                    if isinstance(result, Exception):
+                        print_warning(f"⚠️ Batch discovery error: {result}")
+                    else:
+                        results.append(result)
+                    progress.advance(task)
+        print_success(f"✅ Parallel VPC discovery complete: {len(results)} accounts processed")
+        return results
+    def _aggregate_multi_account_results(
+        self,
+        multi_account_results: List[Tuple[str, VPCDiscoveryResult]],
+        sessions: List[CrossAccountSession]
+    ) -> VPCDiscoveryResult:
+        """
+        Aggregate multi-account VPC discovery results into comprehensive Landing Zone view
+        Creates unified view with Landing Zone metrics and account-level aggregation
+        """
+        print_info("📊 Aggregating multi-account VPC results...")
+        # Initialize aggregation containers
+        all_vpcs = []
+        all_nat_gateways = []
+        all_vpc_endpoints = []
+        all_internet_gateways = []
+        all_route_tables = []
+        all_subnets = []
+        all_network_interfaces = []
+        all_tgw_attachments = []
+        all_vpc_peering = []
+        all_security_groups = []
+        account_summaries = []
+        total_resources_per_account = {}
+        # Aggregate resources from all accounts
+        for account_id, discovery_result in multi_account_results:
+            # Add account context to all resources
+            for vpc in discovery_result.vpcs:
+                vpc['AccountId'] = account_id
+                all_vpcs.append(vpc)
+            for nat in discovery_result.nat_gateways:
+                nat['AccountId'] = account_id
+                all_nat_gateways.append(nat)
+            for endpoint in discovery_result.vpc_endpoints:
+                endpoint['AccountId'] = account_id
+                all_vpc_endpoints.append(endpoint)
+            for igw in discovery_result.internet_gateways:
+                igw['AccountId'] = account_id
+                all_internet_gateways.append(igw)
+            for rt in discovery_result.route_tables:
+                rt['AccountId'] = account_id
+                all_route_tables.append(rt)
+            for subnet in discovery_result.subnets:
+                subnet['AccountId'] = account_id
+                all_subnets.append(subnet)
+            for eni in discovery_result.network_interfaces:
+                eni['AccountId'] = account_id
+                all_network_interfaces.append(eni)
+            for tgw in discovery_result.transit_gateway_attachments:
+                tgw['AccountId'] = account_id
+                all_tgw_attachments.append(tgw)
+            for peering in discovery_result.vpc_peering_connections:
+                peering['AccountId'] = account_id
+                all_vpc_peering.append(peering)
+            for sg in discovery_result.security_groups:
+                sg['AccountId'] = account_id
+                all_security_groups.append(sg)
+            # Track per-account metrics
+            total_resources_per_account[account_id] = discovery_result.total_resources
+            # Collect account summary
+            if discovery_result.account_summary:
+                account_summaries.append(discovery_result.account_summary)
+        # Calculate Landing Zone metrics
+        landing_zone_metrics = self._calculate_landing_zone_metrics(
+            total_resources_per_account, account_summaries, sessions
+        )
+        # Create aggregated result
+        total_resources = (
+            len(all_vpcs) + len(all_nat_gateways) + len(all_vpc_endpoints) +
+            len(all_internet_gateways) + len(all_route_tables) + len(all_subnets) +
+            len(all_network_interfaces) + len(all_tgw_attachments) +
+            len(all_vpc_peering) + len(all_security_groups)
+        )
+        aggregated_result = VPCDiscoveryResult(
+            vpcs=all_vpcs,
+            nat_gateways=all_nat_gateways,
+            vpc_endpoints=all_vpc_endpoints,
+            internet_gateways=all_internet_gateways,
+            route_tables=all_route_tables,
+            subnets=all_subnets,
+            network_interfaces=all_network_interfaces,
+            transit_gateway_attachments=all_tgw_attachments,
+            vpc_peering_connections=all_vpc_peering,
+            security_groups=all_security_groups,
+            total_resources=total_resources,
+            discovery_timestamp=datetime.now().isoformat(),
+            account_summary={'accounts_discovered': account_summaries},
+            landing_zone_metrics=landing_zone_metrics
+        )
+        # Display Landing Zone summary
+        self._display_landing_zone_summary(aggregated_result)
+        return aggregated_result
+    def _calculate_landing_zone_metrics(
+        self,
+        resources_per_account: Dict[str, int],
+        account_summaries: List[Dict],
+        sessions: List[CrossAccountSession]
+    ) -> Dict[str, Any]:
+        """Calculate comprehensive Landing Zone analytics"""
+        successful_accounts = len([s for s in sessions if s.status in ['success', 'cached']])
+        return {
+            'total_accounts_targeted': len(sessions),
+            'successful_discoveries': successful_accounts,
+            'failed_discoveries': len(sessions) - successful_accounts,
+            'discovery_success_rate': (successful_accounts / len(sessions) * 100) if sessions else 0,
+            'total_vpc_resources': sum(resources_per_account.values()),
+            'average_resources_per_account': (
+                sum(resources_per_account.values()) / len(resources_per_account)
+                if resources_per_account else 0
+            ),
+            'accounts_with_resources': len([count for count in resources_per_account.values() if count > 0]),
+            'empty_accounts': len([count for count in resources_per_account.values() if count == 0]),
+            'decommissioned_accounts_excluded': len(self.excluded_accounts),
+            'excluded_account_list': self.excluded_accounts,
+            'session_manager_metrics': (
+                self.cross_account_manager.get_session_summary(sessions)
+                if self.cross_account_manager else {}
+            ),
+            'generated_at': datetime.now().isoformat()
+        }
+    def _display_landing_zone_summary(self, result: VPCDiscoveryResult):
+        """Display comprehensive Landing Zone summary with Rich formatting"""
+        # Landing Zone overview panel
+        metrics = result.landing_zone_metrics
+        summary_panel = Panel(
+            f"[bold green]Multi-Organization Landing Zone Discovery Complete[/bold green]\n\n"
+            f"🏢 Accounts Discovered: [bold cyan]{metrics['successful_discoveries']}/{metrics['total_accounts_targeted']}[/bold cyan] "
+            f"([bold yellow]{metrics['discovery_success_rate']:.1f}%[/bold yellow])\n"
+            f"🚫 Decommissioned Excluded: [bold red]{metrics['decommissioned_accounts_excluded']}[/bold red] "
+            f"({', '.join(metrics['excluded_account_list'])})\n"
+            f"📊 Total VPC Resources: [bold magenta]{metrics['total_vpc_resources']}[/bold magenta]\n"
+            f"📈 Avg Resources/Account: [bold blue]{metrics['average_resources_per_account']:.1f}[/bold blue]\n\n"
+            f"🏗️ Resource Breakdown:\n"
+            f"   VPCs: [bold cyan]{len(result.vpcs)}[/bold cyan] | "
+            f"NAT Gateways: [bold yellow]{len(result.nat_gateways)}[/bold yellow] | "
+            f"Endpoints: [bold blue]{len(result.vpc_endpoints)}[/bold blue]\n"
+            f"   IGWs: [bold green]{len(result.internet_gateways)}[/bold green] | "
+            f"Route Tables: [bold magenta]{len(result.route_tables)}[/bold magenta] | "
+            f"Subnets: [bold red]{len(result.subnets)}[/bold red]\n"
+            f"   ENIs: [bold white]{len(result.network_interfaces)}[/bold white] | "
+            f"TGW Attachments: [bold orange]{len(result.transit_gateway_attachments)}[/bold orange] | "
+            f"Security Groups: [bold gray]{len(result.security_groups)}[/bold gray]",
+            title="🌐 Landing Zone VPC Discovery Summary",
+            style="bold blue"
+        )
+        self.console.print(summary_panel)
+        # Account distribution table
+        if metrics.get('session_manager_metrics'):
+            session_metrics = metrics['session_manager_metrics']
+            session_table = create_table(
+                title="🔐 Cross-Account Session Summary",
+                columns=[
+                    {"header": "Metric", "style": "cyan"},
+                    {"header": "Value", "style": "green"},
+                    {"header": "Details", "style": "dim"}
+                ]
+            )
+            session_table.add_row(
+                "Session Success Rate",
+                f"{(session_metrics['successful_sessions'] / session_metrics['total_sessions'] * 100):.1f}%",
+                f"{session_metrics['successful_sessions']}/{session_metrics['total_sessions']}"
+            )
+            session_table.add_row(
+                "Cache Performance",
+                f"{(session_metrics['metrics']['cache_hits'] / max(session_metrics['metrics']['cache_hits'] + session_metrics['metrics']['cache_misses'], 1) * 100):.1f}%",
+                f"{session_metrics['metrics']['cache_hits']} hits, {session_metrics['metrics']['cache_misses']} misses"
+            )
+            session_table.add_row(
+                "Session TTL",
+                f"{session_metrics['session_ttl_minutes']} minutes",
+                "4-hour enterprise standard"
+            )
+            self.console.print(session_table)
     def analyze_awso_dependencies(self, discovery_result: Optional[VPCDiscoveryResult] = None) -> AWSOAnalysis:
         """
         AWSO-05 specific dependency analysis for safe VPC cleanup
@@ -943,15 +1712,64 @@ class VPCAnalyzer:
             'CleanupReadiness': 'READY' if not analysis_data['eni_warnings'] else 'REQUIRES_WORKLOAD_MIGRATION'
         }
+    # NEW: Convenience methods for CLI integration
+    def discover_landing_zone_vpc_topology(self) -> VPCDiscoveryResult:
+        """
+        Convenience method for CLI integration - Multi-Organization Landing Zone discovery
+        Automatically enables multi-account mode and discovers VPC topology across
+        60-account Landing Zone with decommissioned account filtering.
+        Returns:
+            VPCDiscoveryResult with comprehensive Landing Zone topology
+        """
+        if not self.enable_multi_account:
+            # Auto-enable multi-account mode for Landing Zone discovery
+            self.enable_multi_account = True
+            self.cross_account_manager = EnhancedCrossAccountManager(
+                base_profile=self.profile,
+                max_workers=self.max_workers,
+                session_ttl_minutes=240
+            )
+            print_info("🌐 Auto-enabled Multi-Organization Landing Zone mode")
+        # Use asyncio.run for CLI compatibility
+        return asyncio.run(self.discover_multi_org_vpc_topology())
+    def get_landing_zone_session_summary(self) -> Optional[Dict[str, Any]]:
+        """Get comprehensive Landing Zone session summary for reporting"""
+        if not self.landing_zone_sessions or not self.cross_account_manager:
+            return None
+        return self.cross_account_manager.get_session_summary(self.landing_zone_sessions)
+    def refresh_landing_zone_sessions(self) -> bool:
+        """Refresh expired Landing Zone sessions for continued operations"""
+        if not self.landing_zone_sessions or not self.cross_account_manager:
+            print_warning("No Landing Zone sessions to refresh")
+            return False
+        print_info("🔄 Refreshing Landing Zone sessions...")
+        self.landing_zone_sessions = self.cross_account_manager.refresh_expired_sessions(
+            self.landing_zone_sessions
+        )
+        successful_sessions = len([s for s in self.landing_zone_sessions if s.status in ['success', 'cached']])
+        print_success(f"✅ Session refresh complete: {successful_sessions} sessions ready")
+        return successful_sessions > 0
     # Helper methods
     def _empty_discovery_result(self) -> VPCDiscoveryResult:
-        """Return empty discovery result"""
+        """Return empty discovery result with Landing Zone structure"""
         return VPCDiscoveryResult(
             vpcs=[], nat_gateways=[], vpc_endpoints=[], internet_gateways=[],
             route_tables=[], subnets=[], network_interfaces=[],
             transit_gateway_attachments=[], vpc_peering_connections=[],
             security_groups=[], total_resources=0,
-            discovery_timestamp=datetime.now().isoformat()
+            discovery_timestamp=datetime.now().isoformat(),
+            account_summary=None,
+            landing_zone_metrics=None
         )
     def _empty_awso_analysis(self) -> AWSOAnalysis:

runbooks 0.9.8__py3-none-any.whl → 1.0.0__py3-none-any.whl

runbooks 0.9.8py3-none-any.whl → 1.0.0py3-none-any.whl