runbooks 0.9.9__py3-none-any.whl → 1.0.0__py3-none-any.whl

runbooks/vpc/cleanup_wrapper.py

@@ -194,7 +194,7 @@ class VPCCleanupCLI:
                 'analysis_summary': {
                     'total_vpcs': len(candidates),
                     'immediate_cleanup': len([c for c in candidates if c.cleanup_phase == VPCCleanupPhase.IMMEDIATE]),
-                    'total_annual_savings': sum(c.annual_savings for c in candidates),
+                    'total_annual_savings': sum((c.annual_savings or 0.0) for c in candidates),
                     'safety_mode_enabled': self.safety_mode
                 }
             }
@@ -289,9 +289,9 @@ class VPCCleanupCLI:
             execution_results['execution_plan'].append(vpc_plan)
             
             # Safety warnings
-            if candidate.blocking_dependencies > 0:
+            if (candidate.blocking_dependencies or 0) > 0:
                 execution_results['warnings'].append(
-                    f"VPC {candidate.vpc_id} has {candidate.blocking_dependencies} blocking dependencies"
+                    f"VPC {candidate.vpc_id} has {candidate.blocking_dependencies or 0} blocking dependencies"
                 )
             
             if candidate.is_default:
@@ -417,7 +417,7 @@ class VPCCleanupCLI:
         safety_results = {
             'vpc_id': vpc_id,
             'safety_score': 'SAFE',
-            'blocking_dependencies': vpc_candidate.blocking_dependencies,
+            'blocking_dependencies': vpc_candidate.blocking_dependencies or 0,
             'risk_level': vpc_candidate.risk_level.value,
             'safety_checks': [],
             'warnings': [],
@@ -504,7 +504,7 @@ class VPCCleanupCLI:
             f"Investigation Required: [yellow]{exec_summary.get('investigation_required', 0)}[/yellow]\n"
             f"Governance Approval Needed: [blue]{exec_summary.get('governance_approval_needed', 0)}[/blue]\n"
             f"Complex Migration Required: [red]{exec_summary.get('complex_migration_required', 0)}[/red]\n\n"
-            f"Total Annual Savings: [bold green]${cleanup_plan['metadata']['total_annual_savings']:,.2f}[/bold green]\n"
+            f"Total Annual Savings: [bold green]${(cleanup_plan['metadata']['total_annual_savings'] or 0.0):,.2f}[/bold green]\n"
             f"Business Case Strength: [cyan]{exec_summary.get('business_case_strength', 'Unknown')}[/cyan]"
         )
         
@@ -518,7 +518,7 @@ class VPCCleanupCLI:
             f"[bold blue]🚀 EXECUTION PLAN[/bold blue]\n\n"
             f"Mode: {mode_text}\n"
             f"VPCs to Process: [yellow]{len(candidates)}[/yellow]\n"
-            f"Total Dependencies to Remove: [red]{sum(c.blocking_dependencies for c in candidates)}[/red]\n"
+            f"Total Dependencies to Remove: [red]{sum((c.blocking_dependencies or 0) for c in candidates)}[/red]\n"
             f"High Risk VPCs: [red]{len([c for c in candidates if c.risk_level == VPCCleanupRisk.HIGH])}[/red]\n"
             f"Default VPCs: [magenta]{len([c for c in candidates if c.is_default])}[/magenta]"
         )
@@ -655,7 +655,9 @@ def analyze_cleanup_candidates(
     vpc_ids: Optional[List[str]] = None,
     all_accounts: bool = False,
     region: str = "us-east-1",
-    export_results: bool = True
+    export_results: bool = True,
+    account_limit: Optional[int] = None,
+    region_limit: Optional[int] = None
 ) -> Dict[str, Any]:
     """
     CLI function to analyze VPC cleanup candidates
@@ -666,6 +668,8 @@ def analyze_cleanup_candidates(
         all_accounts: Analyze across all accessible accounts
         region: AWS region
         export_results: Export results to files
+        account_limit: Limit number of accounts to process for faster testing
+        region_limit: Limit number of regions to scan per account
         
     Returns:
         Dictionary with analysis results
@@ -683,9 +687,92 @@ def analyze_cleanup_candidates(
     # Handle multi-account analysis
     account_profiles = None
     if all_accounts:
-        # In a real implementation, this would discover all accessible accounts/profiles
-        # For now, we'll use the single profile
-        account_profiles = [operational_profile] if operational_profile else None
+        # Use Organizations API to discover all accounts
+        console.print("[blue]🔍 Discovering organization accounts for multi-account VPC analysis...[/blue]")
+        
+        try:
+            # Import Organizations discovery functionality from FinOps module
+            from runbooks.finops.aws_client import get_organization_accounts
+            from runbooks.common.profile_utils import create_operational_session, create_management_session
+            from runbooks.vpc.cross_account_session import convert_accounts_to_sessions
+            
+            # Check for cached Organizations data first (performance optimization)
+            
+            # Use CENTRALISED_OPS_PROFILE if available for operational accounts
+            import os
+            centralised_ops_profile = os.getenv('CENTRALISED_OPS_PROFILE')
+            if centralised_ops_profile:
+                console.print(f"[green]✅ Using CENTRALISED_OPS_PROFILE: {centralised_ops_profile}[/green]")
+            from .mcp_no_eni_validator import _get_cached_organizations_data, _cache_organizations_data
+            
+            org_accounts = _get_cached_organizations_data()
+            
+            if not org_accounts:
+                # Create management session for Organizations discovery (needs Organizations permissions)
+                session = create_management_session(profile=operational_profile)
+                
+                # Discover all organization accounts
+                org_accounts = get_organization_accounts(session, operational_profile)
+                
+                # Cache the results for future use (prevents duplicate calls)
+                if org_accounts:
+                    _cache_organizations_data(org_accounts)
+            
+            if org_accounts:
+                # Apply account limit for performance optimization before session creation
+                if account_limit and account_limit < len(org_accounts):
+                    console.print(f"[yellow]🎯 Performance mode: limiting to first {account_limit} accounts[/yellow]")
+                    org_accounts = org_accounts[:account_limit]
+                
+                # Convert accounts to cross-account sessions using STS AssumeRole
+                account_sessions, account_metadata = convert_accounts_to_sessions(org_accounts, operational_profile)
+                
+                console.print(f"[green]✅ Discovered {len(org_accounts)} organization accounts[/green]")
+                console.print(f"[cyan]📋 Created {len(account_sessions)} cross-account sessions for VPC analysis[/cyan]")
+                
+                # Log account discovery for transparency
+                active_count = len([acc for acc in org_accounts if acc.get("status") == "ACTIVE"])
+                inactive_count = len(org_accounts) - active_count
+                console.print(f"[dim]Organization scope: {active_count} active, {inactive_count} inactive accounts[/dim]")
+                
+                # Detect STS AssumeRole failures and switch to multi-profile discovery
+                if len(account_sessions) == 0 and len(org_accounts) > 0:
+                    console.print(f"[red]❌ STS AssumeRole failed for all {len(org_accounts)} accounts - cross-account access denied[/red]")
+                    console.print("[yellow]💡 Enhancing to multi-profile discovery for comprehensive VPC scanning[/yellow]")
+                    
+                    # Enhanced multi-profile discovery pattern (KISS & DRY)
+                    console.print("[blue]🔍 Discovering VPC profiles from available AWS configurations...[/blue]")
+                    account_profiles = _discover_vpc_profiles_from_available_aws_profiles(operational_profile)
+                    
+                    if account_profiles and len(account_profiles) > 1:
+                        console.print(f"[green]✅ Enhanced discovery found {len(account_profiles)} profiles with VPC access[/green]")
+                    else:
+                        console.print("[yellow]⚠️ Enhanced discovery fallback to single profile[/yellow]")
+                else:
+                    # Store sessions for VPC discovery instead of profiles
+                    account_profiles = account_sessions  # Pass sessions instead of profile strings
+                
+            else:
+                console.print("[yellow]⚠️ No organization accounts found, falling back to single profile[/yellow]")
+                account_profiles = [operational_profile] if operational_profile else None
+                
+        except ImportError as e:
+            console.print(f"[red]❌ Organizations discovery unavailable: {e}[/red]")
+            console.print("[yellow]💡 Falling back to single profile analysis[/yellow]")
+            account_profiles = [operational_profile] if operational_profile else None
+            
+        except Exception as e:
+            console.print(f"[red]❌ Organizations discovery failed: {e}[/red]")
+            console.print("[yellow]💡 Enhancing to multi-profile discovery for comprehensive VPC scanning[/yellow]")
+            
+            # Enhanced multi-profile discovery pattern (KISS & DRY)
+            console.print("[blue]🔍 Discovering VPC profiles from available AWS configurations...[/blue]")
+            account_profiles = _discover_vpc_profiles_from_available_aws_profiles(operational_profile)
+            
+            if account_profiles and len(account_profiles) > 1:
+                console.print(f"[green]✅ Enhanced discovery found {len(account_profiles)} profiles with VPC access[/green]")
+            else:
+                console.print("[yellow]⚠️ Enhanced discovery fallback to single profile[/yellow]")
     
     return cleanup_cli.analyze_vpc_cleanup_candidates(
         vpc_ids=vpc_ids,
@@ -724,6 +811,140 @@ def validate_cleanup_safety(
     )
 
 
+def _discover_vpc_profiles_from_available_aws_profiles(primary_profile: str) -> List[str]:
+    """
+    Enhanced multi-profile discovery for comprehensive VPC scanning across all available AWS profiles.
+    
+    KISS & DRY approach: Use boto3's available_profiles to discover VPCs across Landing Zone
+    when Organizations API cross-account role assumption fails.
+    
+    Args:
+        primary_profile: Primary operational profile to include
+        
+    Returns:
+        List of validated AWS profile names for VPC discovery
+    """
+    import boto3
+    from rich.progress import Progress, TaskID
+    
+    console.print("[blue]🔍 Discovering VPC profiles from available AWS configurations...[/blue]")
+    
+    # Get all available AWS profiles
+    try:
+        session = boto3.Session()
+        available_profiles = session.available_profiles
+        
+        if not available_profiles:
+            console.print("[yellow]⚠️ No AWS profiles found in configuration[/yellow]")
+            return [primary_profile] if primary_profile else []
+        
+        console.print(f"[cyan]📋 Found {len(available_profiles)} AWS profiles in configuration[/cyan]")
+        
+        # Enhanced multi-region discovery for comprehensive Landing Zone coverage
+        # Based on user's confirmed NO-ENI VPCs in: us-east-1, us-west-2, ap-southeast-2
+        regions_to_check = [
+            'us-east-1',      # Primary US region - user confirmed VPCs here
+            'us-west-2',      # Secondary US region - user confirmed VPCs here  
+            'ap-southeast-2', # APAC region - user confirmed VPCs here
+            'eu-west-1',      # Europe primary
+            'ca-central-1',   # Canada
+            'ap-northeast-1', # Tokyo (common enterprise region)
+        ]
+        
+        # Validate profiles by attempting to create sessions and check VPC access
+        validated_profiles = []
+        profile_vpc_details = {}
+        
+        with Progress() as progress:
+            profile_task = progress.add_task("🔍 Validating profiles for VPC access...", total=len(available_profiles))
+            
+            for profile_name in available_profiles:
+                try:
+                    # Skip obvious non-VPC profiles but be less restrictive
+                    if 'billing' in profile_name.lower() and 'readonly' in profile_name.lower():
+                        console.print(f"[dim]⏭️ Skipping {profile_name} (billing-only profile)[/dim]")
+                        progress.advance(profile_task)
+                        continue
+                    
+                    # Create test session
+                    test_session = boto3.Session(profile_name=profile_name)
+                    total_vpcs = 0
+                    regions_with_vpcs = []
+                    
+                    # Check multiple regions for VPCs (Landing Zone accounts may have VPCs in different regions)
+                    for region in regions_to_check:
+                        try:
+                            ec2_client = test_session.client('ec2', region_name=region)
+                            vpc_response = ec2_client.describe_vpcs(MaxResults=10)  # Check more VPCs per region
+                            region_vpc_count = len(vpc_response.get('Vpcs', []))
+                            
+                            if region_vpc_count > 0:
+                                total_vpcs += region_vpc_count
+                                regions_with_vpcs.append(f"{region}:{region_vpc_count}")
+                            
+                        except Exception as region_error:
+                            # Log region-specific errors but don't fail the whole profile
+                            if "UnauthorizedOperation" not in str(region_error):
+                                console.print(f"[dim]⚠️ {profile_name} in {region}: {str(region_error)[:30]}...[/dim]")
+                            continue
+                    
+                    # Add profile if it has VPCs in any region OR if it's the primary profile
+                    if total_vpcs > 0:
+                        validated_profiles.append(profile_name)
+                        profile_vpc_details[profile_name] = {
+                            'total_vpcs': total_vpcs,
+                            'regions': regions_with_vpcs
+                        }
+                        console.print(f"[green]✅ {profile_name}: {total_vpcs} VPCs across {len(regions_with_vpcs)} regions[/green]")
+                    elif profile_name == primary_profile:
+                        # Always include primary profile even if no VPCs found
+                        validated_profiles.append(profile_name)
+                        console.print(f"[yellow]🔑 {profile_name}: Primary profile (included despite no VPCs found)[/yellow]")
+                    else:
+                        console.print(f"[dim]⚪ {profile_name}: No VPCs found in {len(regions_to_check)} regions[/dim]")
+                    
+                except Exception as e:
+                    console.print(f"[dim]❌ {profile_name}: Access failed ({str(e)[:50]}...)[/dim]")
+                
+                progress.advance(profile_task)
+        
+        # Ensure primary profile is included if it was validated
+        if primary_profile and primary_profile not in validated_profiles:
+            try:
+                # Test primary profile separately
+                test_session = boto3.Session(profile_name=primary_profile)
+                ec2_client = test_session.client('ec2', region_name='us-east-1')
+                ec2_client.describe_vpcs(MaxResults=1)
+                validated_profiles.insert(0, primary_profile)  # Add at front
+                console.print(f"[green]✅ Primary profile {primary_profile} added[/green]")
+            except Exception:
+                console.print(f"[yellow]⚠️ Primary profile {primary_profile} validation failed[/yellow]")
+        
+        # Enhanced VPC discovery summary
+        total_vpcs_found = sum(details.get('total_vpcs', 0) for details in profile_vpc_details.values())
+        console.print(f"[bold green]🎯 VPC Discovery Ready: {len(validated_profiles)} validated profiles[/bold green]")
+        
+        if total_vpcs_found > 0:
+            console.print(f"[bold cyan]📊 Total VPCs discovered: {total_vpcs_found} across {len(profile_vpc_details)} accounts[/bold cyan]")
+            
+            # Show detailed breakdown for profiles with VPCs
+            for profile, details in profile_vpc_details.items():
+                if details['total_vpcs'] > 0:
+                    regions_str = ', '.join(details['regions'])
+                    console.print(f"[dim]  • {profile}: {regions_str}[/dim]")
+        else:
+            console.print(f"[yellow]⚠️ No VPCs found across {len(validated_profiles)} profiles - Landing Zone accounts may be empty[/yellow]")
+            
+        console.print(f"[dim]Profiles: {', '.join(validated_profiles[:3])}{'...' if len(validated_profiles) > 3 else ''}[/dim]")
+        
+        return validated_profiles
+        
+    except Exception as e:
+        console.print(f"[red]❌ Profile discovery failed: {e}[/red]")
+        console.print(f"[yellow]💡 Falling back to primary profile: {primary_profile}[/yellow]")
+        return [primary_profile] if primary_profile else []
+
+
 def generate_business_report(
     profile: Optional[str] = None,
     region: str = "us-east-1",