tgwrap 0.8.12__py3-none-any.whl → 0.11.2__py3-none-any.whl

tgwrap/printer.py

@@ -69,3 +69,6 @@ class Printer():
         click.secho(msg, fg="green", bold=True, file=sys.stderr)
         self.line() if print_line_after else None
 
+    def progress_indicator(self):
+        print('.', flush=True, file=sys.stderr, end='')
+

{tgwrap-0.8.12.dist-info → tgwrap-0.11.2.dist-info}/METADATA

@@ -1,22 +1,23 @@
 Metadata-Version: 2.1
 Name: tgwrap
-Version: 0.8.12
+Version: 0.11.2
 Summary: A (terragrunt) wrapper around a (terraform) wrapper around ....
 Home-page: https://gitlab.com/lunadata/tgwrap
 License: MIT
 Keywords: terraform,terragrunt,terrasafe,python
 Author: Gerco Grandia
 Author-email: gerco.grandia@4synergy.nl
-Requires-Python: >=3.8,<4.0
+Requires-Python: >=3.12,<4.0
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Dist: azure-core (>=1.30.2,<2.0.0)
+Requires-Dist: azure-identity (>=1.17.1,<2.0.0)
+Requires-Dist: azure-mgmt-authorization (>=4.0.0,<5.0.0)
 Requires-Dist: click (>=8.0)
 Requires-Dist: inquirer (>=3.1.4,<4.0.0)
+Requires-Dist: jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: networkx (>=2.8.8,<3.0.0)
 Requires-Dist: outdated (>=0.2.2)
 Requires-Dist: pydot (>=1.4.2,<2.0.0)
@@ -72,6 +73,8 @@ And this was not something a bunch of aliases could solve, hence this wrapper wa
 
 When using the run-all, analyzing what is about to be changed is not going to be easier. Hence we created the `tgwrap analyze` function that lists all the planned changes and (if a config file is availabe) calculates a drift score and runs a [terrasafe](https://pypi.org/project/terrasafe/) style validation check.
 
+> you can ignore minor changes, such as tag updates, with `tgwrap analyze -i tags`
+
 It needs a config file as follows:
 
 ```yaml
@@ -142,6 +145,75 @@ export TGWRAP_PLANFILE_DIR=".terragrunt-cache/current"
 
 Or pass it along with the `--planfile-dir|-P` option and it will use that.
 
+### Logging the results
+
+`tgwrap` supports logging the analyze results to an [Azure Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview) custom table.
+
+For that, the custom table need to be present, including a [data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal) and associated [data collection rule](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview?tabs=portal).
+
+When you want to activate this, just pass `--data-collection-endpoint` (or, more conveniently, set the `TGWRAP_ANALYZE_DATA_COLLECTION_ENDPOINT` environment variable) with the url to which the data can be posted.
+
+> Note that for this to work, `tgwrap` assumes that there is a functioning [azure cli](https://learn.microsoft.com/en-us/cli/azure/) available on the system.
+
+A payload as below will be posted, and the log analytics table should be able to accomodate for that:
+
+```json
+[
+  {
+    "scope": "terragrunt/dlzs/data-platform/global/platform/rbac/",
+    "principal": "myself",
+    "repo": "https://gitlab.com/my-git-repo.git",
+    "creations": 0,
+    "updates": 0,
+    "deletions": 0,
+    "minor": 0,
+    "medium": 0,
+    "major": 0,
+    "unknown": 0,
+    "total": 0,
+    "score": 0.0,
+    "details": [
+      {
+        "drifts": {
+          "minor": 0,
+          "medium": 0,
+          "major": 0,
+          "unknown": 0,
+          "total": 0,
+          "score": 0.0
+        },
+        "all": [],
+        "creations": [],
+        "updates": [],
+        "deletions": [],
+        "unauthorized": [],
+        "unknowns": [],
+        "module": ""
+      }
+    ]
+  }
+]
+```
+
+The log analytics (custom) table should have a schema that is able to cope with the message above:
+
+| Field          | Type     |
+|----------------|----------|
+| creations      | Int      |
+| deletions      | Int      |
+| details        | Dynamic  |
+| major          | Int      |
+| medium         | Int      |
+| minor          | Int      |
+| principal      | String   |
+| repo           | String   |
+| scope          | String   |
+| score          | Int      |
+| TimeGenerated  | Datetime |
+| total          | Int      |
+| unknown        | Int      |
+| updates        | Int      |
+
 ## More than a wrapper
 
 Over time, tgwrap became more than a wrapper, blantly violating [#1 of the unix philosophy](https://en.wikipedia.org/wiki/Unix_philosophy#:~:text=The%20Unix%20philosophy%20is%20documented,%2C%20as%20yet%20unknown%2C%20program.): 'Make each program do one thing well'.
@@ -216,6 +288,7 @@ deploy: # which modules do you want to deploy
     source_stage: dev
     source_dir: platform # optional, if the source modules are not directly in the stage dir, but in <stage>/<source_dir> directory
     base_dir: platform # optional, if you want to deploy the base modules in its own dir, side by side with substacks
+    include_global_config_files: false # optional, overrides the CLI input
     config_dir: ../../../config # this is relative to where you run the deploy
     configs:
       - my-config.hcl
@@ -257,6 +330,90 @@ global_config_files:
     source: ../../terrasafe-config.json
 ```
 
+## Inspecting deployed infrastructure
+
+Testing infra-as-code is hard, even though test frameworks are becoming more common these days. But the standard test approaches typically work with temporary infrastructures, while it is often also useful to test a deployed infrastructure.
+
+Frameworks like [Chef's InSpec](https://docs.chef.io/inspec/) aims at solving that, but it is pretty config management heavy (but there are add-ons for aws and azure infra). It has a steep learning curve, we only need a tiny part of it, and also comes with a commercial license.
+
+For what we need ('is infra deployed and are the main role assignments still in place') it was pretty easy to implement in python.
+
+For this, you can now run the `inspect` command, which will then inspect real infrastructure and role assignments, and report back whether it meets the expectations (as declared in a config file):
+
+```yaml
+---
+location:
+  code: westeurope
+  full: West Europe
+
+# the entra id groups ar specified as a map as these will be checked for existence
+# but also used for role assignment validation
+entra_id_groups:
+  platform_admins: '{domain}-platform-admins'
+  cost_admins: '{domain}-cost-admins'
+  data_admins: '{domain}-data-admins'
+  just_testing: group-does-not-exist
+
+# the resources to check
+resources:
+  - identifier: 'kv-{domain}-euw-{stage}-base'
+    # due to length limitations in resource names, some shortening in the name might have taken place
+    # so you can provide alternative ids
+    alternative_ids:
+    - 'kv-{domain}-euw-{stage}-bs'
+    - 'kv{domain}euw{stage}bs'
+    - 'kv{domain}euw{stage}base'
+    type: key_vault
+    resource_group: 'rg-{domain}-euw-{stage}-base'
+    role_assignments:
+      - platform_admins: Owner
+      - platform_admins: Key Vault Secrets Officer
+      - data_admins: Key Vault Secrets Officer
+```
+
+After which you can run the following:
+
+```console
+tgwrap inspect -d domain -s sbx -a 886d4e58-a178-4c50-ae65-xxxxxxxxxx -c ./inspect-config.yml
+......
+
+Inspection status:
+entra_id_group: dps-platform-admins
+	-> Resource:	OK (Resource dps-platform-admins of type entra_id_group OK)
+entra_id_group: dps-cost-admins
+	-> Resource:	OK (Resource dps-cost-admins of type entra_id_group OK)
+entra_id_group: dps-data-admins
+	-> Resource:	OK (Resource dps-data-admins of type entra_id_group OK)
+entra_id_group: group-does-not-exist
+	-> Resource:	NEX (Resource group-does-not-exist of type entra_id_group not found)
+key_vault: kv-dps-euw-sbx-base
+	-> Resource:	OK (Resource kv-dps-euw-sbx-base of type key_vault OK)
+	-> RBAC:	NOK (Principal platform_admins has NOT role Owner assigned; )
+subscription: 886d4e58-a178-4c50-ae65-xxxxxxxxxx
+	-> Resource:	OK (Resource 886d4e58-a178-4c50-ae65-xxxxxxxxxx of type subscription OK)
+	-> RBAC:	NC (Role assignments not checked)
+```
+
+You can sent the results also to a data collection endpoint (seel also [Logging the results](#logging-the-results)).
+
+For that, a custom table should exist with the following structure:
+
+
+| Field                      | Type     |
+|----------------------------|----------|
+| domain                     | String   |
+| substack                   | String   |
+| stage                      | String   |
+| subscription_id            | String   |
+| resource_type              | String   |
+| inspect_status_code        | String   |
+| inspect_status             | String   |
+| inspect_message            | String   |
+| rbac_assignment_status_code| String   |
+| rbac_assignment_status     | String   |
+| rbac_assignment_message    | String   |
+| resource                   | String   |
+
 ## Generating change logs
 
 tgwrap can generate a change log by running:

tgwrap-0.11.2.dist-info/RECORD

@@ -0,0 +1,13 @@
+tgwrap/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+tgwrap/analyze.py,sha256=5C0OcDpOfn6U39QNIoc7V9ePjjcXKbJH6cOVNr9jJ9A,10289
+tgwrap/cli.py,sha256=9zvBop3Gm5B2b8K-zXVHEvRUCC7t5ffZUJZEpj1Fxtw,32186
+tgwrap/deploy.py,sha256=-fSk-Ix_HqrXY7KQX_L27TnFzIuhBHYv4xYJW6zRDN4,10243
+tgwrap/inspector-resources-template.yml,sha256=Mos8NDzzZ3VxdXgeiVL9cmQfRcIXIHMLf79_KLwdXu8,3297
+tgwrap/inspector.py,sha256=5pW7Ex1lkKRoXY6hZGbCNmSD2iRzgMSfqi9w7gb-AcY,16990
+tgwrap/main.py,sha256=Vzmy9GEuBT-T6TB_ZzN_lET5ihY0P-9WcPZ_MPCus_k,94366
+tgwrap/printer.py,sha256=frn1PARd8A28mkRCYR6ybN2x0NBULhNOutn4l2U7REY,2754
+tgwrap-0.11.2.dist-info/LICENSE,sha256=VT-AVxIXt3EQTC-7Hy1uPGnrDNJLqfcgLgJD78fiyx4,1065
+tgwrap-0.11.2.dist-info/METADATA,sha256=fYWSDZfgDmERSCJ7ZOJqMmf7M6cdemNBjFg_jsUG5KQ,17686
+tgwrap-0.11.2.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
+tgwrap-0.11.2.dist-info/entry_points.txt,sha256=H8X0PMPmd4aW7Y9iyChZ0Ug6RWGXqhRUvHH-6f6Mxz0,42
+tgwrap-0.11.2.dist-info/RECORD,,

{tgwrap-0.8.12.dist-info → tgwrap-0.11.2.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.8.1
+Generator: poetry-core 1.9.1
 Root-Is-Purelib: true
 Tag: py3-none-any

tgwrap-0.8.12.dist-info/RECORD

@@ -1,11 +0,0 @@
-tgwrap/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-tgwrap/analyze.py,sha256=CsSaGv-be6ATy36z9X7x00gpKY59soJys2VbIzD-tmg,8726
-tgwrap/cli.py,sha256=weYPXnpZ1200L28tNGzVaO_GlX7wAdLn1nQZsHKpe3k,29060
-tgwrap/deploy.py,sha256=bJiox_fz8JsoPreX4woW6-EqAebhpJWnKUVLVeGXkrI,10000
-tgwrap/main.py,sha256=82f4Wc-jPczDpP4vCMeJeaF1CBfiDGizNy0KDw_iDZw,74720
-tgwrap/printer.py,sha256=dkcOCPIPB-IP6pn8QMpa06xlcqPFVaDvxnz-QEpDJV0,2663
-tgwrap-0.8.12.dist-info/LICENSE,sha256=VT-AVxIXt3EQTC-7Hy1uPGnrDNJLqfcgLgJD78fiyx4,1065
-tgwrap-0.8.12.dist-info/METADATA,sha256=RGlxakJg0v5wKWoma5H3rip2BTJ7mcmbq41iazo-VVE,11616
-tgwrap-0.8.12.dist-info/WHEEL,sha256=FMvqSimYX_P7y0a7UY-_Mc83r5zkBZsCYPm7Lr0Bsq4,88
-tgwrap-0.8.12.dist-info/entry_points.txt,sha256=H8X0PMPmd4aW7Y9iyChZ0Ug6RWGXqhRUvHH-6f6Mxz0,42
-tgwrap-0.8.12.dist-info/RECORD,,