tgwrap 0.8.12__tar.gz → 0.11.3__tar.gz

{tgwrap-0.8.12 → tgwrap-0.11.3}/PKG-INFO

@@ -1,22 +1,22 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: tgwrap
-Version: 0.8.12
+Version: 0.11.3
 Summary: A (terragrunt) wrapper around a (terraform) wrapper around ....
-Home-page: https://gitlab.com/lunadata/tgwrap
 License: MIT
 Keywords: terraform,terragrunt,terrasafe,python
 Author: Gerco Grandia
 Author-email: gerco.grandia@4synergy.nl
-Requires-Python: >=3.8,<4.0
+Requires-Python: >=3.12,<4.0
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Dist: azure-core (>=1.30.2,<2.0.0)
+Requires-Dist: azure-identity (>=1.17.1,<2.0.0)
+Requires-Dist: azure-mgmt-authorization (>=4.0.0,<5.0.0)
 Requires-Dist: click (>=8.0)
 Requires-Dist: inquirer (>=3.1.4,<4.0.0)
+Requires-Dist: jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: networkx (>=2.8.8,<3.0.0)
 Requires-Dist: outdated (>=0.2.2)
 Requires-Dist: pydot (>=1.4.2,<2.0.0)
@@ -25,6 +25,7 @@ Requires-Dist: python-hcl2 (>=4.3.2,<5.0.0)
 Requires-Dist: pyyaml (>=6.0)
 Requires-Dist: terrasafe (>=0.5.1,<0.6.0)
 Project-URL: Documentation, https://gitlab.com/lunadata/tgwrap/
+Project-URL: Homepage, https://gitlab.com/lunadata/tgwrap
 Project-URL: Repository, https://gitlab.com/lunadata/tgwrap
 Description-Content-Type: text/markdown
 
@@ -72,6 +73,8 @@ And this was not something a bunch of aliases could solve, hence this wrapper wa
 
 When using the run-all, analyzing what is about to be changed is not going to be easier. Hence we created the `tgwrap analyze` function that lists all the planned changes and (if a config file is availabe) calculates a drift score and runs a [terrasafe](https://pypi.org/project/terrasafe/) style validation check.
 
+> you can ignore minor changes, such as tag updates, with `tgwrap analyze -i tags`
+
 It needs a config file as follows:
 
 ```yaml
@@ -142,6 +145,75 @@ export TGWRAP_PLANFILE_DIR=".terragrunt-cache/current"
 
 Or pass it along with the `--planfile-dir|-P` option and it will use that.
 
+### Logging the results
+
+`tgwrap` supports logging the analyze results to an [Azure Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview) custom table.
+
+For that, the custom table need to be present, including a [data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal) and associated [data collection rule](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview?tabs=portal).
+
+When you want to activate this, just pass `--data-collection-endpoint` (or, more conveniently, set the `TGWRAP_ANALYZE_DATA_COLLECTION_ENDPOINT` environment variable) with the url to which the data can be posted.
+
+> Note that for this to work, `tgwrap` assumes that there is a functioning [azure cli](https://learn.microsoft.com/en-us/cli/azure/) available on the system.
+
+A payload as below will be posted, and the log analytics table should be able to accomodate for that:
+
+```json
+[
+  {
+    "scope": "terragrunt/dlzs/data-platform/global/platform/rbac/",
+    "principal": "myself",
+    "repo": "https://gitlab.com/my-git-repo.git",
+    "creations": 0,
+    "updates": 0,
+    "deletions": 0,
+    "minor": 0,
+    "medium": 0,
+    "major": 0,
+    "unknown": 0,
+    "total": 0,
+    "score": 0.0,
+    "details": [
+      {
+        "drifts": {
+          "minor": 0,
+          "medium": 0,
+          "major": 0,
+          "unknown": 0,
+          "total": 0,
+          "score": 0.0
+        },
+        "all": [],
+        "creations": [],
+        "updates": [],
+        "deletions": [],
+        "unauthorized": [],
+        "unknowns": [],
+        "module": ""
+      }
+    ]
+  }
+]
+```
+
+The log analytics (custom) table should have a schema that is able to cope with the message above:
+
+| Field          | Type     |
+|----------------|----------|
+| creations      | Int      |
+| deletions      | Int      |
+| details        | Dynamic  |
+| major          | Int      |
+| medium         | Int      |
+| minor          | Int      |
+| principal      | String   |
+| repo           | String   |
+| scope          | String   |
+| score          | Int      |
+| TimeGenerated  | Datetime |
+| total          | Int      |
+| unknown        | Int      |
+| updates        | Int      |
+
 ## More than a wrapper
 
 Over time, tgwrap became more than a wrapper, blantly violating [#1 of the unix philosophy](https://en.wikipedia.org/wiki/Unix_philosophy#:~:text=The%20Unix%20philosophy%20is%20documented,%2C%20as%20yet%20unknown%2C%20program.): 'Make each program do one thing well'.
@@ -216,6 +288,7 @@ deploy: # which modules do you want to deploy
     source_stage: dev
     source_dir: platform # optional, if the source modules are not directly in the stage dir, but in <stage>/<source_dir> directory
     base_dir: platform # optional, if you want to deploy the base modules in its own dir, side by side with substacks
+    include_global_config_files: false # optional, overrides the CLI input
     config_dir: ../../../config # this is relative to where you run the deploy
     configs:
       - my-config.hcl
@@ -257,6 +330,90 @@ global_config_files:
     source: ../../terrasafe-config.json
 ```
 
+## Inspecting deployed infrastructure
+
+Testing infra-as-code is hard, even though test frameworks are becoming more common these days. But the standard test approaches typically work with temporary infrastructures, while it is often also useful to test a deployed infrastructure.
+
+Frameworks like [Chef's InSpec](https://docs.chef.io/inspec/) aims at solving that, but it is pretty config management heavy (but there are add-ons for aws and azure infra). It has a steep learning curve, we only need a tiny part of it, and also comes with a commercial license.
+
+For what we need ('is infra deployed and are the main role assignments still in place') it was pretty easy to implement in python.
+
+For this, you can now run the `inspect` command, which will then inspect real infrastructure and role assignments, and report back whether it meets the expectations (as declared in a config file):
+
+```yaml
+---
+location:
+  code: westeurope
+  full: West Europe
+
+# the entra id groups ar specified as a map as these will be checked for existence
+# but also used for role assignment validation
+entra_id_groups:
+  platform_admins: '{domain}-platform-admins'
+  cost_admins: '{domain}-cost-admins'
+  data_admins: '{domain}-data-admins'
+  just_testing: group-does-not-exist
+
+# the resources to check
+resources:
+  - identifier: 'kv-{domain}-euw-{stage}-base'
+    # due to length limitations in resource names, some shortening in the name might have taken place
+    # so you can provide alternative ids
+    alternative_ids:
+    - 'kv-{domain}-euw-{stage}-bs'
+    - 'kv{domain}euw{stage}bs'
+    - 'kv{domain}euw{stage}base'
+    type: key_vault
+    resource_group: 'rg-{domain}-euw-{stage}-base'
+    role_assignments:
+      - platform_admins: Owner
+      - platform_admins: Key Vault Secrets Officer
+      - data_admins: Key Vault Secrets Officer
+```
+
+After which you can run the following:
+
+```console
+tgwrap inspect -d domain -s sbx -a 886d4e58-a178-4c50-ae65-xxxxxxxxxx -c ./inspect-config.yml
+......
+
+Inspection status:
+entra_id_group: dps-platform-admins
+	-> Resource:	OK (Resource dps-platform-admins of type entra_id_group OK)
+entra_id_group: dps-cost-admins
+	-> Resource:	OK (Resource dps-cost-admins of type entra_id_group OK)
+entra_id_group: dps-data-admins
+	-> Resource:	OK (Resource dps-data-admins of type entra_id_group OK)
+entra_id_group: group-does-not-exist
+	-> Resource:	NEX (Resource group-does-not-exist of type entra_id_group not found)
+key_vault: kv-dps-euw-sbx-base
+	-> Resource:	OK (Resource kv-dps-euw-sbx-base of type key_vault OK)
+	-> RBAC:	NOK (Principal platform_admins has NOT role Owner assigned; )
+subscription: 886d4e58-a178-4c50-ae65-xxxxxxxxxx
+	-> Resource:	OK (Resource 886d4e58-a178-4c50-ae65-xxxxxxxxxx of type subscription OK)
+	-> RBAC:	NC (Role assignments not checked)
+```
+
+You can sent the results also to a data collection endpoint (seel also [Logging the results](#logging-the-results)).
+
+For that, a custom table should exist with the following structure:
+
+
+| Field                      | Type     |
+|----------------------------|----------|
+| domain                     | String   |
+| substack                   | String   |
+| stage                      | String   |
+| subscription_id            | String   |
+| resource_type              | String   |
+| inspect_status_code        | String   |
+| inspect_status             | String   |
+| inspect_message            | String   |
+| rbac_assignment_status_code| String   |
+| rbac_assignment_status     | String   |
+| rbac_assignment_message    | String   |
+| resource                   | String   |
+
 ## Generating change logs
 
 tgwrap can generate a change log by running:

{tgwrap-0.8.12 → tgwrap-0.11.3}/README.md

@@ -42,6 +42,8 @@ And this was not something a bunch of aliases could solve, hence this wrapper wa
 
 When using the run-all, analyzing what is about to be changed is not going to be easier. Hence we created the `tgwrap analyze` function that lists all the planned changes and (if a config file is availabe) calculates a drift score and runs a [terrasafe](https://pypi.org/project/terrasafe/) style validation check.
 
+> you can ignore minor changes, such as tag updates, with `tgwrap analyze -i tags`
+
 It needs a config file as follows:
 
 ```yaml
@@ -112,6 +114,75 @@ export TGWRAP_PLANFILE_DIR=".terragrunt-cache/current"
 
 Or pass it along with the `--planfile-dir|-P` option and it will use that.
 
+### Logging the results
+
+`tgwrap` supports logging the analyze results to an [Azure Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview) custom table.
+
+For that, the custom table need to be present, including a [data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal) and associated [data collection rule](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview?tabs=portal).
+
+When you want to activate this, just pass `--data-collection-endpoint` (or, more conveniently, set the `TGWRAP_ANALYZE_DATA_COLLECTION_ENDPOINT` environment variable) with the url to which the data can be posted.
+
+> Note that for this to work, `tgwrap` assumes that there is a functioning [azure cli](https://learn.microsoft.com/en-us/cli/azure/) available on the system.
+
+A payload as below will be posted, and the log analytics table should be able to accomodate for that:
+
+```json
+[
+  {
+    "scope": "terragrunt/dlzs/data-platform/global/platform/rbac/",
+    "principal": "myself",
+    "repo": "https://gitlab.com/my-git-repo.git",
+    "creations": 0,
+    "updates": 0,
+    "deletions": 0,
+    "minor": 0,
+    "medium": 0,
+    "major": 0,
+    "unknown": 0,
+    "total": 0,
+    "score": 0.0,
+    "details": [
+      {
+        "drifts": {
+          "minor": 0,
+          "medium": 0,
+          "major": 0,
+          "unknown": 0,
+          "total": 0,
+          "score": 0.0
+        },
+        "all": [],
+        "creations": [],
+        "updates": [],
+        "deletions": [],
+        "unauthorized": [],
+        "unknowns": [],
+        "module": ""
+      }
+    ]
+  }
+]
+```
+
+The log analytics (custom) table should have a schema that is able to cope with the message above:
+
+| Field          | Type     |
+|----------------|----------|
+| creations      | Int      |
+| deletions      | Int      |
+| details        | Dynamic  |
+| major          | Int      |
+| medium         | Int      |
+| minor          | Int      |
+| principal      | String   |
+| repo           | String   |
+| scope          | String   |
+| score          | Int      |
+| TimeGenerated  | Datetime |
+| total          | Int      |
+| unknown        | Int      |
+| updates        | Int      |
+
 ## More than a wrapper
 
 Over time, tgwrap became more than a wrapper, blantly violating [#1 of the unix philosophy](https://en.wikipedia.org/wiki/Unix_philosophy#:~:text=The%20Unix%20philosophy%20is%20documented,%2C%20as%20yet%20unknown%2C%20program.): 'Make each program do one thing well'.
@@ -186,6 +257,7 @@ deploy: # which modules do you want to deploy
     source_stage: dev
     source_dir: platform # optional, if the source modules are not directly in the stage dir, but in <stage>/<source_dir> directory
     base_dir: platform # optional, if you want to deploy the base modules in its own dir, side by side with substacks
+    include_global_config_files: false # optional, overrides the CLI input
     config_dir: ../../../config # this is relative to where you run the deploy
     configs:
       - my-config.hcl
@@ -227,6 +299,90 @@ global_config_files:
     source: ../../terrasafe-config.json
 ```
 
+## Inspecting deployed infrastructure
+
+Testing infra-as-code is hard, even though test frameworks are becoming more common these days. But the standard test approaches typically work with temporary infrastructures, while it is often also useful to test a deployed infrastructure.
+
+Frameworks like [Chef's InSpec](https://docs.chef.io/inspec/) aims at solving that, but it is pretty config management heavy (but there are add-ons for aws and azure infra). It has a steep learning curve, we only need a tiny part of it, and also comes with a commercial license.
+
+For what we need ('is infra deployed and are the main role assignments still in place') it was pretty easy to implement in python.
+
+For this, you can now run the `inspect` command, which will then inspect real infrastructure and role assignments, and report back whether it meets the expectations (as declared in a config file):
+
+```yaml
+---
+location:
+  code: westeurope
+  full: West Europe
+
+# the entra id groups ar specified as a map as these will be checked for existence
+# but also used for role assignment validation
+entra_id_groups:
+  platform_admins: '{domain}-platform-admins'
+  cost_admins: '{domain}-cost-admins'
+  data_admins: '{domain}-data-admins'
+  just_testing: group-does-not-exist
+
+# the resources to check
+resources:
+  - identifier: 'kv-{domain}-euw-{stage}-base'
+    # due to length limitations in resource names, some shortening in the name might have taken place
+    # so you can provide alternative ids
+    alternative_ids:
+    - 'kv-{domain}-euw-{stage}-bs'
+    - 'kv{domain}euw{stage}bs'
+    - 'kv{domain}euw{stage}base'
+    type: key_vault
+    resource_group: 'rg-{domain}-euw-{stage}-base'
+    role_assignments:
+      - platform_admins: Owner
+      - platform_admins: Key Vault Secrets Officer
+      - data_admins: Key Vault Secrets Officer
+```
+
+After which you can run the following:
+
+```console
+tgwrap inspect -d domain -s sbx -a 886d4e58-a178-4c50-ae65-xxxxxxxxxx -c ./inspect-config.yml
+......
+
+Inspection status:
+entra_id_group: dps-platform-admins
+	-> Resource:	OK (Resource dps-platform-admins of type entra_id_group OK)
+entra_id_group: dps-cost-admins
+	-> Resource:	OK (Resource dps-cost-admins of type entra_id_group OK)
+entra_id_group: dps-data-admins
+	-> Resource:	OK (Resource dps-data-admins of type entra_id_group OK)
+entra_id_group: group-does-not-exist
+	-> Resource:	NEX (Resource group-does-not-exist of type entra_id_group not found)
+key_vault: kv-dps-euw-sbx-base
+	-> Resource:	OK (Resource kv-dps-euw-sbx-base of type key_vault OK)
+	-> RBAC:	NOK (Principal platform_admins has NOT role Owner assigned; )
+subscription: 886d4e58-a178-4c50-ae65-xxxxxxxxxx
+	-> Resource:	OK (Resource 886d4e58-a178-4c50-ae65-xxxxxxxxxx of type subscription OK)
+	-> RBAC:	NC (Role assignments not checked)
+```
+
+You can sent the results also to a data collection endpoint (seel also [Logging the results](#logging-the-results)).
+
+For that, a custom table should exist with the following structure:
+
+
+| Field                      | Type     |
+|----------------------------|----------|
+| domain                     | String   |
+| substack                   | String   |
+| stage                      | String   |
+| subscription_id            | String   |
+| resource_type              | String   |
+| inspect_status_code        | String   |
+| inspect_status             | String   |
+| inspect_message            | String   |
+| rbac_assignment_status_code| String   |
+| rbac_assignment_status     | String   |
+| rbac_assignment_message    | String   |
+| resource                   | String   |
+
 ## Generating change logs
 
 tgwrap can generate a change log by running:

{tgwrap-0.8.12 → tgwrap-0.11.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tgwrap"
-version = "0.8.12"
+version = "0.11.3"
 description = "A (terragrunt) wrapper around a (terraform) wrapper around ...."
 authors = ["Gerco Grandia <gerco.grandia@4synergy.nl>", "Pascal Alma <pascal.alma@4synergy.nl>"]
 license = "MIT"
@@ -12,7 +12,7 @@ keywords = ["terraform", "terragrunt", "terrasafe", "python"]
 include = ["tgwrap", "tgwrap/lib"]
 
 [tool.poetry.dependencies]
-python = "^3.8"
+python = "^3.12"
 pydot = "^1.4.2"
 networkx = "^2.8.8"
 click = ">= 8.0"
@@ -22,6 +22,10 @@ pyhcl = "^0.4.4"
 pyyaml = ">= 6.0"
 python-hcl2 = "^4.3.2"
 inquirer = "^3.1.4"
+azure-identity = "^1.17.1"
+azure-core = "^1.30.2"
+azure-mgmt-authorization = "^4.0.0"
+jinja2 = "^3.1.4"
 
 [tool.poetry.scripts]
 tgwrap = "tgwrap.cli:main"

{tgwrap-0.8.12 → tgwrap-0.11.3}/tgwrap/analyze.py

@@ -9,7 +9,7 @@ import re
 
 from .printer import Printer
 
-def run_analyze(config, data, verbose=False):
+def run_analyze(config, data, ignore_attributes, verbose=False):
     """ Run the terrasafe validation and return the unauthorized deletions """
 
     printer = Printer(verbose)
@@ -34,6 +34,7 @@ def run_analyze(config, data, verbose=False):
 
     detected_changes = get_resource_actions(data)
 
+    ignorable_updates = []
     if config:
         ts_default_levels =  {
             'low': 'ignore_deletion',
@@ -44,11 +45,28 @@ def run_analyze(config, data, verbose=False):
         for criticallity, ts_level in ts_default_levels.items():
             ts_config[ts_level] = [f"*{key}*" for key, value in config[criticallity].items() if value.get('terrasafe_level', ts_level) == ts_level]
 
+        for resource in detected_changes['updates']:
+            before = resource['change']['before']
+            after = resource['change']['after']
+
+            for i in ignore_attributes:
+                try:
+                    before.pop(i)
+                except KeyError:
+                    pass
+                try:
+                    after.pop(i)
+                except KeyError:
+                    pass
+
+            if before == after:
+                ignorable_updates.append(resource['address'])
+
         for resource in detected_changes['deletions']:
             resource_address = resource["address"]
             # Deny has precendence over Allow!
             if is_resource_match_any(resource_address, ts_config["unauthorized_deletion"]):
-                printer.verbose(f'Resource {resource_address} can not be destroyed for any reason')
+                printer.verbose(f'Resource {resource_address} cannot be destroyed for any reason')
             elif is_resource_match_any(resource_address, ts_config["ignore_deletion"]):
                 continue
             elif is_resource_recreate(resource) and is_resource_match_any(
@@ -69,8 +87,8 @@ def run_analyze(config, data, verbose=False):
 
         if changes['unauthorized']:
             printer.verbose("Unauthorized deletion detected for those resources:")
-            for deletion in changes['unauthorized']:
-                printer.verbose(f" - {deletion}")
+            for resource in changes['unauthorized']:
+                printer.verbose(f" - {resource}")
             printer.verbose("If you really want to delete those resources: comment it or export this environment variable:")
             printer.verbose(f"export TERRASAFE_ALLOW_DELETION=\"{';'.join(changes['unauthorized'])}\"")
 
@@ -114,20 +132,26 @@ def run_analyze(config, data, verbose=False):
 
         # now we have the proper lists, calculate the drifts
         for key, value in {'deletions': 'delete', 'creations': 'create', 'updates': 'update'}.items():
-            for resource in detected_changes[key]:
+
+            for index, resource in enumerate(detected_changes[key]):
                 resource_address = resource["address"]
-    
-                has_match, resource_config = get_matching_dd_config(resource_address, dd_config)
-                if has_match:
-                    # so what drift classification do we have?
-                    dd_class = resource_config[value]
-                    changes['drifts'][dd_class] += 1
+
+                # updates might need to be ignored
+                if key == 'updates' and resource_address in ignorable_updates:
+                    detected_changes[key].pop(index)
                 else:
-                    changes['drifts']['unknown'] += 1
-                    if resource_address not in changes['unknowns']:
-                        changes['unknowns'].append(resource_address)
+                    has_match, resource_config = get_matching_dd_config(resource_address, dd_config)
+
+                    if has_match:
+                        # so what drift classification do we have?
+                        dd_class = resource_config[value]
+                        changes['drifts'][dd_class] += 1
+                    else:
+                        changes['drifts']['unknown'] += 1
+                        if resource_address not in changes['unknowns']:
+                            changes['unknowns'].append(resource_address)
 
-                changes['drifts']['total'] += 1
+                    changes['drifts']['total'] += 1
 
     # remove ballast from the following lists
     changes['all'] = [ # ignore read and no-ops
@@ -140,9 +164,17 @@ def run_analyze(config, data, verbose=False):
         ]
     changes['creations'] = [resource["address"] for resource in detected_changes['creations']]
     changes['updates'] = [resource["address"] for resource in detected_changes['updates']]
+    changes['ignorable_updates'] = ignorable_updates
 
-    return changes, (not changes['unauthorized'])
+    # see if there are output changes
+    output_changes = get_output_changes(data)
+    changes['outputs'] = []
+    relevant_changes = set(['create', 'update', 'delete'])
+    for k,v in output_changes.items():
+        if relevant_changes.intersection(v['actions']):
+            changes['outputs'].append(k)
 
+    return changes, (not changes['unauthorized'])
 
 def parse_ignored_from_env_var():
     ignored = os.environ.get("TERRASAFE_ALLOW_DELETION")
@@ -170,6 +202,18 @@ def get_resource_actions(data):
 
     return changes
 
+def get_output_changes(data):
+    # check format version
+    if data["format_version"].split(".")[0] != "0" and data["format_version"].split(".")[0] != "1":
+        raise Exception("Only format major version 0 or 1 is supported")
+
+    if "output_changes" in data:
+        output_changes = data["output_changes"]
+    else:
+        output_changes = {}
+
+    return output_changes
+
 
 def has_delete_action(resource):
     return "delete" in resource["change"]["actions"]
@@ -185,7 +229,7 @@ def has_update_action(resource):
 
 def is_resource_match_any(resource_address, pattern_list):
     for pattern in pattern_list:
-        pattern = re.sub(r"\[(.+?)\]", "[[]\g<1>[]]", pattern)
+        pattern = re.sub(r"\[(.+?)\]", "[[]\\g<1>[]]", pattern)
         if fnmatch.fnmatch(resource_address, pattern):
             return True
     return False
@@ -193,7 +237,7 @@ def is_resource_match_any(resource_address, pattern_list):
 
 def get_matching_dd_config(resource_address, dd_config):
     for pattern, config in dd_config.items():
-        pattern = re.sub(r"\[(.+?)\]", "[[]\g<1>[]]", pattern)
+        pattern = re.sub(r"\[(.+?)\]", "[[]\\g<1>[]]", pattern)
         if fnmatch.fnmatch(resource_address, pattern):
             return True, config
     return False, None