runbooks 1.1.4__py3-none-any.whl → 1.1.6__py3-none-any.whl

runbooks/remediation/remediation_cli.py

@@ -38,21 +38,13 @@ from .universal_account_discovery import UniversalAccountDiscovery
 
 
 @click.group()
-@click.option(
-    "--profile",
-    default=None,
-    help="AWS profile to use (overrides environment variables)"
-)
-@click.option(
-    "--output-dir",
-    default="./artifacts/remediation",
-    help="Output directory for remediation reports"
-)
+@click.option("--profile", default=None, help="AWS profile to use (overrides environment variables)")
+@click.option("--output-dir", default="./artifacts/remediation", help="Output directory for remediation reports")
 @click.pass_context
 def remediation(ctx, profile: Optional[str], output_dir: str):
     """
     Enterprise Security Remediation with Dynamic Account Discovery.
-    
+
     Supports configuration via:
     - Environment variables (REMEDIATION_TARGET_ACCOUNTS)
     - Configuration files (REMEDIATION_ACCOUNT_CONFIG)
@@ -62,7 +54,7 @@ def remediation(ctx, profile: Optional[str], output_dir: str):
     ctx.ensure_object(dict)
     ctx.obj["profile"] = profile
     ctx.obj["output_dir"] = output_dir
-    
+
     # Validate profile if specified
     if profile:
         resolved_profile = get_profile_for_operation("management", profile)
@@ -75,55 +67,28 @@ def remediation(ctx, profile: Optional[str], output_dir: str):
 @click.option(
     "--operations",
     multiple=True,
-    type=click.Choice([
-        "block_public_access",
-        "enforce_ssl",
-        "enable_encryption"
-    ]),
+    type=click.Choice(["block_public_access", "enforce_ssl", "enable_encryption"]),
     default=["block_public_access"],
-    help="S3 security operations to execute"
-)
-@click.option(
-    "--accounts",
-    help="Comma-separated account IDs (overrides discovery)"
-)
-@click.option(
-    "--all",
-    "all_accounts",
-    is_flag=True,
-    help="Execute on all discovered accounts via Organizations API"
-)
-@click.option(
-    "--dry-run",
-    is_flag=True,
-    default=True,
-    help="Perform dry run without making changes (default: true)"
-)
-@click.option(
-    "--parallel",
-    is_flag=True,
-    default=True,
-    help="Execute operations in parallel (default: true)"
-)
-@click.option(
-    "--max-workers",
-    type=int,
-    default=5,
-    help="Maximum parallel workers"
+    help="S3 security operations to execute",
 )
+@click.option("--accounts", help="Comma-separated account IDs (overrides discovery)")
+@click.option("--all", "all_accounts", is_flag=True, help="Execute on all discovered accounts via Organizations API")
+@click.option("--dry-run", is_flag=True, default=True, help="Perform dry run without making changes (default: true)")
+@click.option("--parallel", is_flag=True, default=True, help="Execute operations in parallel (default: true)")
+@click.option("--max-workers", type=int, default=5, help="Maximum parallel workers")
 @click.pass_context
 def s3_security(
-    ctx, 
-    operations: List[str], 
-    accounts: Optional[str], 
-    all_accounts: bool, 
-    dry_run: bool, 
-    parallel: bool, 
-    max_workers: int
+    ctx,
+    operations: List[str],
+    accounts: Optional[str],
+    all_accounts: bool,
+    dry_run: bool,
+    parallel: bool,
+    max_workers: int,
 ):
     """
     Execute S3 security remediation across multiple accounts.
-    
+
     Environment Variables Supported:
     - REMEDIATION_TARGET_ACCOUNTS: Comma-separated account IDs
     - REMEDIATION_ACCOUNT_CONFIG: Path to accounts configuration file
@@ -131,7 +96,7 @@ def s3_security(
     """
     profile = ctx.obj["profile"]
     output_dir = ctx.obj["output_dir"]
-    
+
     try:
         # Display operation header
         operation_status = "DRY RUN" if dry_run else "LIVE EXECUTION"
@@ -145,7 +110,7 @@ def s3_security(
                 border_style="cyan" if dry_run else "red",
             )
         )
-        
+
         # Safety warning for live operations
         if not dry_run:
             console.print(
@@ -154,32 +119,32 @@ def s3_security(
                     "This will make actual changes to AWS resources.\n"
                     "Ensure you have proper permissions and backups.",
                     border_style="red",
-                    title="Security Warning"
+                    title="Security Warning",
                 )
             )
-            
+
             if not click.confirm("Continue with live execution?"):
                 print_warning("Operation cancelled by user")
                 return
-        
+
         # Determine target accounts
         target_accounts = []
-        
+
         if accounts:
             # Use specified accounts
             account_ids = [acc.strip() for acc in accounts.split(",")]
             target_accounts = [
-                type('AWSAccount', (), {'account_id': acc_id, 'environment': f'specified-{i}'})()
+                type("AWSAccount", (), {"account_id": acc_id, "environment": f"specified-{i}"})()
                 for i, acc_id in enumerate(account_ids)
             ]
             print_info(f"Using specified accounts: {len(target_accounts)} accounts")
-        
+
         elif all_accounts:
             # Discover all accounts via Organizations API
             print_info("Discovering accounts via Organizations API...")
             target_accounts = discover_organization_accounts(profile=profile)
             print_info(f"Discovered {len(target_accounts)} accounts")
-        
+
         else:
             # Use environment configuration
             env_accounts = get_accounts_from_environment()
@@ -191,80 +156,70 @@ def s3_security(
                 print_info("No environment configuration found, discovering via Organizations API...")
                 target_accounts = discover_organization_accounts(profile=profile)
                 print_info(f"Discovered {len(target_accounts)} accounts")
-        
+
         if not target_accounts:
             print_error("No target accounts found for remediation")
             raise click.Abort()
-        
+
         # Initialize multi-account remediator
         sso_start_url = os.getenv("ACCESS_PORTAL_URL")
         if not sso_start_url:
             print_warning("ACCESS_PORTAL_URL not set - SSO functionality may be limited")
-        
+
         remediator = MultiAccountRemediator(
-            sso_start_url=sso_start_url,
-            parallel_execution=parallel,
-            max_workers=max_workers
+            sso_start_url=sso_start_url, parallel_execution=parallel, max_workers=max_workers
         )
-        
+
         # Execute bulk S3 security operations
         print_info(f"Executing S3 security operations on {len(target_accounts)} accounts...")
-        
-        results = remediator.bulk_s3_security(
-            accounts=target_accounts,
-            operations=list(operations),
-            dry_run=dry_run
-        )
-        
+
+        results = remediator.bulk_s3_security(accounts=target_accounts, operations=list(operations), dry_run=dry_run)
+
         # Display results summary
         successful_results = [r for r in results if r.success]
         failed_results = [r for r in results if r.failed]
-        
+
         print_success(
-            f"S3 security remediation completed: "
-            f"{len(successful_results)} successful, {len(failed_results)} failed"
+            f"S3 security remediation completed: {len(successful_results)} successful, {len(failed_results)} failed"
         )
-        
+
         if failed_results:
             print_warning(f"Failed operations: {len(failed_results)}")
             for result in failed_results[:5]:  # Show first 5 failures
                 print_error(f"  Account {result.context.account.account_id}: {result.error_message}")
-        
+
         # Generate compliance report
         compliance_report = remediator.generate_compliance_report(results)
-        print_info(f"Compliance report generated: {compliance_report['total_operations']} operations across {compliance_report['total_accounts']} accounts")
-        
+        print_info(
+            f"Compliance report generated: {compliance_report['total_operations']} operations across {compliance_report['total_accounts']} accounts"
+        )
+
         # Display configuration sources used
         _display_configuration_sources()
-        
+
     except Exception as e:
         print_error(f"S3 security remediation failed: {str(e)}")
         raise click.Abort()
 
 
 @remediation.command("list-accounts")
-@click.option(
-    "--show-environment", 
-    is_flag=True,
-    help="Show environment classification for each account"
-)
+@click.option("--show-environment", is_flag=True, help="Show environment classification for each account")
 @click.pass_context
 def list_accounts(ctx, show_environment: bool):
     """
     List available accounts for remediation operations.
     """
     profile = ctx.obj["profile"]
-    
+
     try:
         console.print(
             create_panel(
-                "[bold cyan]Account Discovery[/bold cyan]\n\n"
-                "[dim]Discovering accounts from all sources...[/dim]",
+                "[bold cyan]Account Discovery[/bold cyan]\n\n[dim]Discovering accounts from all sources...[/dim]",
                 title="📋 Account Listing",
                 border_style="blue",
             )
         )
-        
+
         # Try environment configuration first
         env_accounts = get_accounts_from_environment()
         if env_accounts:
@@ -272,32 +227,32 @@ def list_accounts(ctx, show_environment: bool):
             for account in env_accounts:
                 env_indicator = f" ({account.environment})" if show_environment else ""
                 console.print(f"  ✅ {account.account_id}{env_indicator}")
-        
+
         # Discover from Organizations API
         try:
             org_accounts = discover_organization_accounts(profile=profile)
             console.print(f"\n[bold]Accounts from Organizations API Discovery:[/bold]")
             for account in org_accounts:
                 env_indicator = f" ({account.environment})" if show_environment else ""
-                name_part = f" - {account.name}" if hasattr(account, 'name') and account.name else ""
+                name_part = f" - {account.name}" if hasattr(account, "name") and account.name else ""
                 console.print(f"  🌐 {account.account_id}{env_indicator}{name_part}")
         except Exception as e:
             print_warning(f"Organizations API discovery failed: {str(e)}")
-        
+
         # Display configuration information
         console.print("\n[bold]Configuration Sources:[/bold]")
-        
+
         if os.getenv("REMEDIATION_TARGET_ACCOUNTS"):
             console.print("  ✅ REMEDIATION_TARGET_ACCOUNTS environment variable")
-        
+
         if os.getenv("REMEDIATION_ACCOUNT_CONFIG"):
             config_path = os.getenv("REMEDIATION_ACCOUNT_CONFIG")
             status = "✅" if os.path.exists(config_path) else "⚠️ "
             console.print(f"  {status} REMEDIATION_ACCOUNT_CONFIG: {config_path}")
-        
+
         if not env_accounts:
             console.print("  ℹ️  No environment configuration - using Organizations API discovery")
-    
+
     except Exception as e:
         print_error(f"Account listing failed: {str(e)}")
         raise click.Abort()
@@ -309,16 +264,11 @@ def config_info(ctx):
     """
     Display current remediation configuration and environment setup.
     """
-    console.print(
-        Panel.fit(
-            "[bold cyan]Remediation Configuration Information[/bold cyan]",
-            border_style="cyan"
-        )
-    )
-    
+    console.print(Panel.fit("[bold cyan]Remediation Configuration Information[/bold cyan]", border_style="cyan"))
+
     # Display environment variables
     print_info("Environment Configuration:")
-    
+
     env_vars = {
         "Account Configuration": {
             "REMEDIATION_TARGET_ACCOUNTS": os.getenv("REMEDIATION_TARGET_ACCOUNTS", "Not set"),
@@ -330,35 +280,33 @@ def config_info(ctx):
         "Profile Configuration": {
             "MANAGEMENT_PROFILE": os.getenv("MANAGEMENT_PROFILE", "Not set"),
             "CENTRALISED_OPS_PROFILE": os.getenv("CENTRALISED_OPS_PROFILE", "Not set"),
-        }
+        },
     }
-    
+
     for category, variables in env_vars.items():
         console.print(f"\n[bold]{category}:[/bold]")
         for var_name, var_value in variables.items():
             status = "✅" if var_value != "Not set" else "❌"
             console.print(f"  {status} {var_name}: {var_value}")
-    
+
     # Display example configuration files
     console.print("\n[bold]Example Configuration Files:[/bold]")
-    config_examples = [
-        "src/runbooks/remediation/config/accounts_example.json"
-    ]
-    
+    config_examples = ["src/runbooks/remediation/config/accounts_example.json"]
+
     for config_file in config_examples:
         if os.path.exists(config_file):
             console.print(f"  ✅ {config_file}")
         else:
             console.print(f"  📝 {config_file} (example)")
-    
+
     # Usage examples
     console.print("\n[bold]Usage Examples:[/bold]")
     examples = [
         "# Set target accounts via environment variable",
-        "export REMEDIATION_TARGET_ACCOUNTS=\"111122223333,444455556666\"",
+        'export REMEDIATION_TARGET_ACCOUNTS="111122223333,444455556666"',
         "",
         "# Use configuration file",
-        "export REMEDIATION_ACCOUNT_CONFIG=\"/path/to/accounts.json\"",
+        'export REMEDIATION_ACCOUNT_CONFIG="/path/to/accounts.json"',
         "",
         "# Execute S3 security remediation",
         "runbooks remediation s3-security --operations block_public_access --dry-run",
@@ -366,7 +314,7 @@ def config_info(ctx):
         "# Execute on all discovered accounts",
         "runbooks remediation s3-security --all --operations block_public_access,enforce_ssl",
     ]
-    
+
     for example in examples:
         if example.startswith("#") or example == "":
             console.print(f"[dim]{example}[/dim]")
@@ -377,68 +325,66 @@ def config_info(ctx):
 def _display_configuration_sources():
     """Display information about configuration sources used."""
     console.print("\n[bold]Configuration Sources:[/bold]")
-    
+
     # Check environment variables
     if os.getenv("REMEDIATION_TARGET_ACCOUNTS"):
         console.print("  ✅ Using REMEDIATION_TARGET_ACCOUNTS environment variable")
-    
+
     if os.getenv("REMEDIATION_ACCOUNT_CONFIG"):
         config_path = os.getenv("REMEDIATION_ACCOUNT_CONFIG")
         if os.path.exists(config_path):
             console.print(f"  ✅ Using accounts config file: {config_path}")
         else:
             console.print(f"  ⚠️  Accounts config file not found: {config_path}")
-    
+
     if os.getenv("ACCESS_PORTAL_URL"):
         console.print("  ✅ AWS SSO configured via ACCESS_PORTAL_URL")
     else:
         console.print("  ⚠️  ACCESS_PORTAL_URL not set - SSO functionality limited")
-    
-    if not any([
-        os.getenv("REMEDIATION_TARGET_ACCOUNTS"),
-        os.getenv("REMEDIATION_ACCOUNT_CONFIG")
-    ]):
+
+    if not any([os.getenv("REMEDIATION_TARGET_ACCOUNTS"), os.getenv("REMEDIATION_ACCOUNT_CONFIG")]):
         console.print("  ℹ️  Using default configuration (Organizations API discovery)")
 
 
 @remediation.command("generate-config")
 @click.option(
-    "--output-dir",
-    default="./artifacts/remediation/config",
-    help="Output directory for configuration templates"
+    "--output-dir", default="./artifacts/remediation/config", help="Output directory for configuration templates"
 )
 @click.pass_context
 def generate_config_templates(ctx, output_dir: str):
     """
     Generate universal configuration templates for remediation operations.
-    
+
     Creates templates for:
     - Account discovery configuration
     - Environment variable examples
     - Complete setup documentation
-    
+
     All templates support universal AWS compatibility with no hardcoded values.
     """
     print_info(f"Generating universal remediation configuration templates in {output_dir}...")
-    
+
     try:
         # Create output directory
         from pathlib import Path
+
         output_path = Path(output_dir)
         output_path.mkdir(parents=True, exist_ok=True)
-        
+
         # Use the security config generator (it covers remediation too)
         from runbooks.security.config_template_generator import SecurityConfigTemplateGenerator
+
         generator = SecurityConfigTemplateGenerator(output_dir)
-        
+
         # Generate account discovery template
         account_config = generator.generate_account_config_template()
         account_path = output_path / "account_config.json"
         import json
-        with open(account_path, 'w') as f:
+
+        with open(account_path, "w") as f:
             json.dump(account_config, f, indent=2)
         print_success(f"Generated account configuration: {account_path}")
-        
+
         # Generate environment variables for remediation
         env_template = """# Universal Remediation Configuration
 # ===================================
@@ -480,12 +426,12 @@ runbooks remediation ec2-security --operations terminate_unused_instances --dry-
 # Generate account discovery template
 runbooks remediation generate-config --output-dir ./config
 """
-        
+
         env_path = output_path / "environment_variables.sh"
-        with open(env_path, 'w') as f:
+        with open(env_path, "w") as f:
             f.write(env_template)
         print_success(f"Generated environment variables template: {env_path}")
-        
+
         # Generate setup documentation specific to remediation
         setup_docs = """# Universal Remediation Module Setup Guide
 ========================================
@@ -688,23 +634,23 @@ runbooks remediation s3-security --operations block_public_access --dry-run --ac
 
 This configuration system provides universal compatibility with any AWS environment while maintaining safety and control.
 """
-        
+
         docs_path = output_path / "REMEDIATION_SETUP_GUIDE.md"
-        with open(docs_path, 'w') as f:
+        with open(docs_path, "w") as f:
             f.write(setup_docs)
         print_success(f"Generated setup documentation: {docs_path}")
-        
+
         print_success("Remediation configuration templates generated successfully!")
         console.print("\n[bold yellow]Next steps:[/bold yellow]")
         console.print("1. Review and customize the generated configuration files")
         console.print("2. Set REMEDIATION_ACCOUNT_CONFIG or REMEDIATION_TARGET_ACCOUNTS")
         console.print("3. Test with: runbooks remediation s3-security --operations block_public_access --dry-run")
         console.print("4. Execute: runbooks remediation s3-security --operations block_public_access")
-        
+
     except Exception as e:
         print_error(f"Failed to generate configuration templates: {e}")
         raise click.Abort()
 
 
 if __name__ == "__main__":
-    remediation()
+    remediation()