tgwrap 0.9.3__py3-none-any.whl → 0.10.0__py3-none-any.whl

tgwrap/analyze.py

@@ -185,7 +185,7 @@ def has_update_action(resource):
 
 def is_resource_match_any(resource_address, pattern_list):
     for pattern in pattern_list:
-        pattern = re.sub(r"\[(.+?)\]", "[[]\g<1>[]]", pattern)
+        pattern = re.sub(r"\[(.+?)\]", "[[]\\g<1>[]]", pattern)
         if fnmatch.fnmatch(resource_address, pattern):
             return True
     return False
@@ -193,7 +193,7 @@ def is_resource_match_any(resource_address, pattern_list):
 
 def get_matching_dd_config(resource_address, dd_config):
     for pattern, config in dd_config.items():
-        pattern = re.sub(r"\[(.+?)\]", "[[]\g<1>[]]", pattern)
+        pattern = re.sub(r"\[(.+?)\]", "[[]\\g<1>[]]", pattern)
         if fnmatch.fnmatch(resource_address, pattern):
             return True, config
     return False, None

tgwrap/cli.py

@@ -42,7 +42,7 @@ def check_latest_version(verbose=False):
         # this happens when your local version is ahead of the pypi version,
         # which happens only in development
         pass
-    except Exception:
+    except :
         echo('Could not determine package version, continue nevertheless.')
         pass
 
@@ -237,12 +237,12 @@ def run(command, verbose, debug, dry_run, no_lock, update, upgrade,
     )
 @click.option('--include-dir', '-I',
     multiple=True, default=[],
-    help='A glob of a directory that needs to be included, this option can be used multiple times. For example: -I "integrations/\*/\*"',
+    help=r'A glob of a directory that needs to be included, this option can be used multiple times. For example: -I "integrations/\*/\*"',
     show_default=True
     )
 @click.option('--exclude-dir', '-E',
     multiple=True, default=[],
-    help='A glob of a directory that needs to be excluded, this option can be used multiple times. For example: -E "integrations/\*/\*"',
+    help=r'A glob of a directory that needs to be excluded, this option can be used multiple times. For example: -E "integrations/\*/\*"',
     show_default=True,
     )
 @click.argument('terragrunt-args', nargs=-1, type=click.UNPROCESSED)
@@ -390,12 +390,12 @@ def run_import(address, id, verbose, dry_run, working_dir, no_lock, terragrunt_a
     )
 @click.option('--include-dir', '-I',
     multiple=True, default=[],
-    help='A glob of a directory that needs to be included, this option can be used multiple times. For example: -I "integrations/\*/\*"',
+    help=r'A glob of a directory that needs to be included, this option can be used multiple times. For example: -I "integrations/\*/\*"',
     show_default=True
     )
 @click.option('--exclude-dir', '-E',
     multiple=True, default=[],
-    help='A glob of a directory that needs to be excluded, this option can be used multiple times. For example: -E "integrations/\*/\*"',
+    help=r'A glob of a directory that needs to be excluded, this option can be used multiple times. For example: -E "integrations/\*/\*"',
     show_default=True,
     )
 @click.option('--planfile-dir', '-P', default='.terragrunt-cache/current',
@@ -752,12 +752,12 @@ def check_deployments(manifest_file, verbose, working_dir, out):
     )
 @click.option('--include-dir', '-I',
     multiple=True, default=[],
-    help='A glob of a directory that needs to be included, this option can be used multiple times. For example: -I "integrations/\*/\*"',
+    help=r'A glob of a directory that needs to be included, this option can be used multiple times. For example: -I "integrations/\*/\*"',
     show_default=True
     )
 @click.option('--exclude-dir', '-E',
     multiple=True, default=[],
-    help='A glob of a directory that needs to be excluded, this option can be used multiple times. For example: -E "integrations/\*/\*"',
+    help=r'A glob of a directory that needs to be excluded, this option can be used multiple times. For example: -E "integrations/\*/\*"',
     show_default=True,
     )
 @click.option('--working-dir', '-w', default=None,
@@ -839,6 +839,66 @@ def change_log(changelog_file, verbose, working_dir, include_nbr_of_releases):
         include_nbr_of_releases=include_nbr_of_releases,
     )
 
+@main.command(
+    name="inspect",
+    context_settings=dict(
+        ignore_unknown_options=True,
+    ),
+)
+@click.option('--domain', '-d',
+    help='Domain name used in naming the objects',
+    required=True,
+    )
+@click.option('--substack', '-S',
+    help='Identifier that is needed to select the objects',
+    default=None,
+    )
+@click.option('--stage', '-s',
+    help='Stage (environment) to verify',
+    required=True,
+    )
+@click.option('--azure-subscription-id', '-a',
+    help='Azure subscription id',
+    required=True,
+    )
+@click.option('--config-file', '-c',
+    help='Config file specifying the verifications',
+    required=True,
+    type=click.Path(),
+    )
+@click.option('--out', '-o', is_flag=True, default=False,
+    help='Show output as json',
+    show_default=True
+    )
+@click.option('--data-collection-endpoint', '-D', default=None,
+    help='Optional URI of an (Azure) data collection endpoint, to which the inspection results will be sent',
+    envvar='TGWRAP_INSPECT_DATA_COLLECTION_ENDPOINT',
+    show_default=True,
+    )
+@click.option('--verbose', '-v', is_flag=True, default=False,
+    help='Verbose printing',
+    show_default=True
+    )
+@click.version_option(version=__version__)
+def inspect(domain, substack, stage, azure_subscription_id, config_file, out, 
+            data_collection_endpoint, verbose):
+    """ Inspect the status of an (Azure) environment """
+
+    check_latest_version(verbose)
+
+    tgwrap = TgWrap(verbose=verbose)
+    exit = tgwrap.inspect(
+        domain=domain,
+        substack=substack,
+        stage=stage,
+        azure_subscription_id=azure_subscription_id,
+        out=out,
+        data_collection_endpoint=data_collection_endpoint,
+        config_file=config_file,
+    )
+
+    sys.exit(exit)
+
 # this is needed for the vscode debugger to work
 if __name__ == '__main__':
     main()

tgwrap/inspector-resources-template.yml

@@ -0,0 +1,58 @@
+---
+entra_id_group:
+  # note that there must be single quotes around the {name}, double quotes are not working!
+  url: "https://graph.microsoft.com/v1.0/groups?$filter=displayName eq '{name}'"
+  properties: {}
+subscription:
+  url: https://management.azure.com/subscriptions/{subscription_id}?api-version=2024-03-01
+  properties:
+    state: Enabled
+resource_group:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{name}?api-version=2024-03-01
+  properties:
+    properties.provisioningState: Succeeded
+    location: "{{location_code}}"
+key_vault:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.KeyVault/vaults/{name}?api-version=2019-09-01
+  properties:
+    properties.provisioningState: Succeeded
+    location: "{{location_code}}"
+application_insights:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Insights/components/{name}?api-version=2014-04-01
+  properties:
+    properties.provisioningState: Succeeded
+    location: "{{location_code}}"
+log_analytics_workspace:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights/workspaces/{name}?api-version=2021-06-01
+  properties:
+    properties.provisioningState: Succeeded
+    location: "{{location_code}}"
+storage_account:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Storage/storageAccounts/{name}?api-version=2021-08-01
+  properties:
+    properties.provisioningState: Succeeded
+    kind: StorageV2
+    location: "{{location_code}}"
+databricks_access_connector:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Databricks/accessConnectors/{name}?api-version=2024-05-01
+  properties:
+    properties.provisioningState: Succeeded
+    location: "{{location_full}}"
+databricks_workspace:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Databricks/workspaces/{name}?api-version=2024-05-01
+  properties:
+    properties.provisioningState: Succeeded
+    location: "{{location_code}}"
+data_factory:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.DataFactory/factories/{name}?api-version=2018-06-01
+  properties:
+    properties.provisioningState: Succeeded
+    properties.repoConfiguration.repositoryName: datafactory
+    properties.repoConfiguration.type: FactoryVSTSConfiguration
+    location: "{{location_code}}"
+function_app:
+  url: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Web/sites/{name}?api-version=2021-01-15
+  properties:
+    properties.state: Running
+    properties.enabled: true
+    location: "{{location_full}}"

tgwrap/inspector.py

@@ -0,0 +1,438 @@
+"""Verify a given Azure environment based on some verification config file"""
+
+import os
+import yaml
+import requests
+import json
+import re
+
+from typing import Tuple, Dict, List
+from enum import Enum
+from jinja2 import Template
+
+from azure.identity import DefaultAzureCredential
+from azure.core.exceptions import ClientAuthenticationError
+from azure.mgmt.authorization import AuthorizationManagementClient
+
+from .printer import Printer
+
+class ResourceInspectionStatus(Enum):
+    OK = "Successfully inspected the resource"
+    NOK = "Resource does not have the right status"
+    NEX = "Resource does not exist"
+    NS = "Resource type is not supported"
+
+class RoleAssignmentInspectionStatus(Enum):
+    OK = "Successfully inspected the role assignments"
+    NC = "Role assignments not checked"
+    NOK = "(Some) role assignments missing"
+
+class AzureInspector():
+    _printer = None
+    _subscription_id = None
+    _domain = None
+    _substack = None
+    _stage = None
+    _config = {}
+    _credential = None
+    _client = None
+    _graph_token = None
+    _mngt_token = None
+    _role_definitions = {}
+    _result = {}
+
+    @property
+    def printer(self):
+        return self._printer
+
+    @property
+    def subscription_id(self):
+        return self._subscription_id
+
+    @property
+    def domain(self):
+        return self._domain
+
+    @property
+    def substack(self):
+        return self._substack
+
+    @property
+    def stage(self):
+        return self._stage
+
+    @property
+    def config(self):
+        return self._config
+
+    @property
+    def credential(self):
+        return self._credential
+
+    @property
+    def client(self):
+        return self._client
+
+    @property
+    def graph_token(self):
+        return self._graph_token
+
+    @property
+    def mngt_token(self):
+        return self._mngt_token
+
+    @property
+    def role_definitions(self):
+        return self._role_definitions
+
+    @property
+    def result(self):
+        return self._result
+
+    @result.setter
+    def result(self, value):
+        self._result = value
+
+    def __init__(self, subscription_id:str, domain:str, substack:str, stage:str, config_file:str, verbose:bool, managed_identity_client_id:str = None):
+        self._printer = Printer(verbose)
+        self._subscription_id = subscription_id
+        self._domain = domain
+        self._substack = substack
+        self._stage = stage
+
+        # load the config file
+        self._config = self._load_config(config_file)
+
+        # get a credential
+        self._credential = DefaultAzureCredential(
+            # if you are using a user-assigned identity, the client id must be specified here!
+            managed_identity_client_id = managed_identity_client_id,
+        )
+
+        self._client = AuthorizationManagementClient(
+            credential=self.credential,
+            subscription_id=self.subscription_id,
+        )
+
+        # Retrieve all role definitions
+        self.printer.verbose('Retrieve all role definitions')
+        role_definitions_iter = self.client.role_definitions.list(
+            scope=f'/subscriptions/{self.subscription_id}'
+        )
+        for rd in role_definitions_iter:
+            self._role_definitions[rd.role_name.lower()] = rd.name
+
+    def _get_value_from_dict(self, data:str, property:str) -> str:
+        """Get a value from a dict with a string that indicates the hierarchy with a dot"""
+
+        keys = property.split('.')
+        value = data
+        for key in keys:
+            if value:
+                value = value.get(key)
+
+        return value
+
+    def _load_config(self, config_file:str) -> Dict:
+        with open(config_file, 'r') as file:
+            try:
+                data = yaml.safe_load(file)
+                return data
+            except yaml.YAMLError as exc:
+                self.printer.error(f"Error loading YAML file: {exc}")
+                return None
+
+    def _load_yaml_template(self, template_file:str, inputs:Dict) -> Dict:
+        with open(template_file, 'r') as file:
+            try:
+                template_content = file.read()
+                template = Template(template_content)
+                rendered_yaml = template.render(inputs)
+
+                data = yaml.safe_load(rendered_yaml)
+                return data
+            except yaml.YAMLError as exc:
+                self.printer.error(f"Error loading YAML template file: {exc}")
+                return None
+
+    def _invoke_api(self, url:str, token:str, method:str='get', data:Dict=None) -> Dict:
+        """Invoke the Azure API"""
+
+        self.printer.verbose(f'Invoke {method.upper()} on {url}')
+        headers = {
+            'Authorization': f'Bearer {token}',
+            'Content-Type': 'application/json'
+        }
+        resp = None
+        try:
+            if method.lower() == 'get':
+                resp = requests.get(url, headers=headers)
+            elif method.lower() == 'post':
+                resp = requests.post(url, headers=headers, json=data)
+            elif method.lower() == 'delete':
+                resp = requests.delete(url, headers=headers)
+            else:
+                raise ValueError(f'Method {method} not recognised')
+
+            resp.raise_for_status()
+            return resp.json()
+        except requests.exceptions.HTTPError as e:
+            self.printer.verbose(f'Error occurred:\n{e.response.text}')
+            return None
+
+    def inspect(self):
+        try:
+            self._graph_token = self.credential.get_token('https://graph.microsoft.com/.default').token
+            self._mngt_token = self.credential.get_token('https://management.azure.com/.default').token
+        except ClientAuthenticationError as e:
+            self.printer.error(
+                f'Could not retrieve an azure token, are you logged in?',
+                print_line_before=True,
+                print_line_after=True,
+            )
+            raise (e)
+
+        self.result = {}
+
+        try:
+            # read the config
+            location_code = self.config['location'].get('code', 'westeurope')
+            location_full = self.config['location'].get('full', 'West Europe')
+            resources = self.config.get('resources', [])
+            groups = self.config.get('entra_id_groups', {})
+
+            # read the map that determines how to test a particular resource type
+            resource_types = self._load_yaml_template(
+                template_file=os.path.join(os.path.dirname(__file__), 'inspector-resources-template.yml'),
+                inputs={
+                    'location_code': location_code,
+                    'location_full': location_full,
+                },
+            )
+
+            # first check the groups, this will also enrich the map with the IDs of the actual groups
+            # build a list
+            groups_to_verify = []
+            for role, name in groups.items():
+                groups_to_verify.append({
+                    'identifier': name.format(
+                        domain=self.domain,
+                        substack=self.substack,
+                        stage=self.stage,
+                    ),
+                    'type': 'entra_id_group',
+                    'role': role,
+                })
+            # and verify
+            groups = self.inspect_resources(
+                resources=groups_to_verify,
+                resource_types=resource_types,
+                groups=groups,
+            )
+
+            # now inspect the resources
+            self.inspect_resources(
+                resources=resources,
+                resource_types=resource_types,
+                groups=groups,
+            )
+
+            return self.result
+        finally:
+            # ensure new messages are printed on a new line, as the progress indicator does not create a new line
+            self.printer.normal('')
+
+    def inspect_resources(self, resources:List, resource_types:Dict, groups:Dict) -> Dict:
+        for resource in resources:
+            self.printer.progress_indicator()
+
+            # get some identifiers from the config and replace with real values
+            identifier = resource['identifier'].format(
+                subscription_id=self.subscription_id,
+                domain=self.domain,
+                substack=self.substack,
+                stage=self.stage,
+            )
+            # it might be that we have an alternative id, as sometimes these are shortened because of length restrictions
+            alternative_ids = []
+            for id in resource.get('alternative_ids', []):
+                alternative_ids.append(
+                    id.format(
+                        subscription_id=self.subscription_id,
+                        domain=self.domain,
+                        substack=self.substack,
+                        stage=self.stage,
+                    )
+                )
+
+            resource_group = resource.get('resource_group', '').format(
+                domain=self.domain,
+                substack=self.substack,
+                stage=self.stage,
+            )
+
+            type = resource['type']
+            self.result[identifier] = {
+                "type": type,
+            }
+            this_result = self.result[identifier]
+
+            self.printer.verbose(f'Inspect {identifier} ({resource_group})')
+
+            # now we can start inspecting these
+            if type in resource_types:
+                resource_type = resource_types[type]
+                url = resource_type['url'].format(
+                    subscription_id=self.subscription_id,
+                    resource_group=resource_group,
+                    name=identifier,
+                )
+
+                # which token to use?
+                graph_api = False
+                if 'graph.microsoft.com' in url:
+                    graph_api = True
+                    token = self.graph_token
+                elif 'management.azure.com' in url:
+                    token = self.mngt_token
+                else:
+                    self.printer.error(f'Do not have token for url: {url}')
+                    break
+
+                resp = self._invoke_api(url=url, token=token)
+
+                # if we don't get anything back, try alternative ids (if we have some)
+                if (not resp or (graph_api and len(resp.get('value', [])) == 0)):
+                    for id in alternative_ids:
+                        resp = self._invoke_api(url=url, token=token)
+                        url = resource_type['url'].format(
+                            subscription_id=self.subscription_id,
+                            resource_group=resource_group,
+                            name=id,
+                        )
+                        resp = self._invoke_api(url=url, token=token)
+
+                        # now check if we have something, we stop at first hit
+                        if (not graph_api and resp) or (graph_api and len(resp.get('value', [])) > 0):
+                            identifier = id
+                            break
+
+                if not resp or (graph_api and len(resp.get('value', [])) == 0):
+                    status = ResourceInspectionStatus.NEX.name
+                    if resource_group:
+                        msg = f"Resource {identifier} (in {resource_group}) of type {type} not found"
+                    else:
+                        msg = f"Resource {identifier} of type {type} not found"
+                    ra_status = RoleAssignmentInspectionStatus.NC.name
+                    ra_msg = ''
+                else:
+                    self.printer.verbose(json.dumps(resp, indent=2))
+
+                    status = ResourceInspectionStatus.OK.name # we're innocent until proven otherwise
+                    msg = ""
+                    for property, expected_value in resource_type['properties'].items():
+                        property_value = self._get_value_from_dict(data=resp, property=property)
+                        if isinstance(property_value, str) and not re.match(expected_value, property_value):
+                            status = ResourceInspectionStatus.NOK.name
+                            msg = msg + f"Property {property} has value {property_value}, expected regex {expected_value}"
+                        elif isinstance(property_value, bool) and not property_value:
+                            status = ResourceInspectionStatus.NOK.name
+                            msg = msg + f"Property {property} has value {property_value}, expected boolean {expected_value}"
+
+                    # set the default status that we haven't check the role assignments
+                    ra_status = RoleAssignmentInspectionStatus.NC.name
+                    ra_msg = 'Role assignments not checked'
+
+                    # if this is an entra id group, we store the object id
+                    if type == 'entra_id_group':
+                        role = resource['role']
+                        id = resp['value'][0]['id']
+                        groups[role] = {
+                            'id': id,
+                            'name': identifier,
+                        }
+                    elif 'role_assignments' in resource:
+
+                        ra_status, ra_msg = self.check_role_assignments(
+                            resource=resource,
+                            groups=groups,
+                            url=url,
+                        )
+
+                    if not msg:
+                        if resource_group:
+                            msg = f"Resource {identifier} (in {resource_group}) of type {type} OK"
+                        else:
+                            msg = f"Resource {identifier} of type {type} OK"
+                    if not ra_msg and ra_status == RoleAssignmentInspectionStatus.OK.name:
+                        ra_msg = f"Role Assignments for {identifier} (in {resource_group}) of type {type} are OK"
+
+                this_result["inspect_status_code"] = status
+                this_result["inspect_status"] = ResourceInspectionStatus[status].value
+                this_result["inspect_message"] = msg
+
+                if not type == 'entra_id_group':
+                    this_result["rbac_assignment_status_code"] = ra_status
+                    this_result["rbac_assignment_status"] = RoleAssignmentInspectionStatus[ra_status].value
+                    if ra_msg:
+                        this_result["rbac_assignment_message"] = ra_msg
+            else:
+                self.printer.error(f'\nResource type {type} is not configured in tgwrap!')
+                this_result["inspect_status_code"] = ResourceInspectionStatus.NS.name
+                this_result["inspect_status"] = ResourceInspectionStatus.NS.value
+                this_result["inspect_message"] = f'Resource type {type} is not supported'
+
+        # the groups dict is updated with the IDs of the actual groups
+        return groups
+    
+    def check_role_assignments(self, resource:Dict, groups:Dict, url:str):
+
+        status = RoleAssignmentInspectionStatus.NC.name
+        msg = ''
+
+        # extract the scope from the url
+        base_url=url.split('?')[0].rstrip('/')
+        scope = base_url.replace('https://management.azure.com', '')
+        self.printer.verbose('\nGet permissions over scope: ', scope)
+
+        # first get the role assignments for each (unique) principals
+        principals = set()
+        for ra in resource['role_assignments']:
+            principals.update(ra.keys())
+        
+        principals = list(principals)
+        principal_assignments = {} # here we collect all assignments for this scope per principal
+        for p in principals:
+            principal_assignments[p] = []
+
+            if not p in groups:
+                self.printer.error(f'\nCannot find the group {p} in groups: {groups}')
+                continue
+            elif not 'id' in groups[p]:
+                self.printer.error(f'\nCannot find the id for group {p}: {groups[p]}')
+                continue
+
+            principal_id = groups[p]['id']
+            assignments = self.client.role_assignments.list_for_scope(
+                scope=scope,
+                filter=f"principalId eq '{principal_id}'",
+            )
+
+            # get the IDs of all roles assigned for the given scope
+            for a in assignments:
+                principal_assignments[p].append(a.role_definition_id.split('/')[-1]) # we only want the guid of the role definition
+
+        # assume the role assignments will be fine
+        status = RoleAssignmentInspectionStatus.OK.name
+        for role in resource['role_assignments']:
+            principal = list(role.keys())[0]
+            role = list(role.values())[0]
+
+            if role.lower() not in self.role_definitions:
+                raise ValueError(f"Role: '{role}' is not found.")
+
+            if (self.role_definitions[role.lower()] not in principal_assignments[principal]):
+                status = RoleAssignmentInspectionStatus.NOK.name
+                msg = msg + f'Principal {principal} has NOT role {role} assigned; '
+
+        return status, msg

tgwrap/main.py

@@ -25,6 +25,7 @@ import yaml
 import threading
 import queue
 import multiprocessing
+import traceback
 import click
 import networkx as nx
 import hcl2
@@ -35,6 +36,7 @@ from datetime import datetime, timezone
 from .printer import Printer
 from .analyze import run_analyze
 from .deploy import prepare_deploy_config, run_sync
+from .inspector import AzureInspector
 
 class DateTimeEncoder(json.JSONEncoder):
     def default(self, obj):
@@ -84,6 +86,10 @@ class TgWrap():
                     )
                 self.tg_source_indicator = None
 
+        # terragrunt do now prefer opentofu but we want this to be a conscious decision
+        if not os.environ.get('TERRAGRUNT_TFPATH'):
+            os.environ['TERRAGRUNT_TFPATH'] = 'terraform'
+
     def load_yaml_file(self, filepath):
         try:
             with open(filepath, 'r') as file:
@@ -776,23 +782,15 @@ class TgWrap():
             total_items = sum(len(group) for group in groups)
             self.printer.verbose(f'Executed {group_nbr} groups and {total_items} steps')
 
-    def _post_analyze_results_to_dce(self, data_collection_endpoint:str, payload:object):
-        """
-        Posts the payload to the given (Azure) data collection endpoint
-        """
-
-        def mask_basic_auth(url):
-            # Regular expression to match basic authentication credentials in URL
-            auth_pattern = re.compile(r"(https?://)([^:@]+):([^:@]+)@(.+)")
-            # Return the url without the basic auth part
-            return auth_pattern.sub(r"\1\4", url)
-
+    def _get_access_token(self):
+        """Retrieve an access token"""
+    
         #
         # Everything we do here, can be done using native python. And probably this is preferable as well.
         # But I have decided to follow (at least for now) the overall approach of the app and that is
         # executing systems commands.
         # This does require the az cli to be installed, but that is a fair assumption if you are working
-        # with terragrunt/terraform and want to post the analyze results to a Data Collection Endpoint.
+        # with terragrunt/terraform and want to post the analyze results to an Azure Data Collection Endpoint.
         # However, not ruling out this will change, but then the change should be transparant.
         #
 
@@ -842,6 +840,60 @@ class TgWrap():
         if not token:
             raise Exception(f'Could not retrieve an access token:\n{json.dumps(output, indent=2)}')
 
+        return principal, token
+
+    def _post_to_dce(self, data_collection_endpoint, payload, token=None):
+
+        if not token:
+            _, token = self._get_access_token()
+
+        # DCE payload must be submitted as an arry
+        if not isinstance(payload, list):
+            dce_payload = [payload]
+        else:
+            dce_payload = payload
+
+        self.printer.verbose('About to log:')
+        self.printer.verbose(f'- to: {data_collection_endpoint}')
+        self.printer.verbose(f'- payload:\n{json.dumps(dce_payload, indent=2)}')
+
+        # now do the actual post
+        try:
+            headers = {
+                'Authorization': f"Bearer {token}",
+                'Content-Type': 'application/json',
+            }
+            resp = requests.post(
+                url=data_collection_endpoint,
+                headers=headers,
+                json=dce_payload,
+            )
+
+            resp.raise_for_status()
+            self.printer.success('Analyze results logged to DCE', print_line_before=True)
+
+        except requests.exceptions.RequestException as e:
+            # we warn but continue
+            self.printer.warning(f'Error while posting the analyze results ({type(e)}): {e}', print_line_before=True)
+        except Exception as e:
+            self.printer.error(f'Unexpected error: {e}')
+            if self.printer.print_verbose:
+                raise(e)
+            sys.exit(1)
+
+    def _post_analyze_results_to_dce(self, data_collection_endpoint:str, payload:object):
+        """
+        Posts the payload to the given (Azure) data collection endpoint
+        """
+
+        def mask_basic_auth(url):
+            # Regular expression to match basic authentication credentials in URL
+            auth_pattern = re.compile(r"(https?://)([^:@]+):([^:@]+)@(.+)")
+            # Return the url without the basic auth part
+            return auth_pattern.sub(r"\1\4", url)
+
+        principal, token = self._get_access_token()
+
         # Get the repo info
         rc = subprocess.run(
             shlex.split('git config --get remote.origin.url'),
@@ -882,51 +934,26 @@ class TgWrap():
             raise Exception(f'Could not get scope: {scope}')
 
         # So now we have everything, we can construct the final payload
-        dce_payload = [
-            {
-                "scope": scope,
-                "principal": principal,
-                "repo": repo,
-                "creations": payload.get("summary").get("creations"),
-                "updates": payload.get("summary").get("updates"),
-                "deletions": payload.get("summary").get("deletions"),
-                "minor": payload.get("summary").get("minor"),
-                "medium": payload.get("summary").get("medium"),
-                "major": payload.get("summary").get("major"),
-                "unknown": payload.get("summary").get("unknown"),
-                "total": payload.get("summary").get("total"),
-                "score": payload.get("summary").get("score"),
-                "details": payload.get('details'),
-            },
-        ]
-        
-        self.printer.verbose('About to log:')
-        self.printer.verbose(f'- to: {data_collection_endpoint}')
-        self.printer.verbose(f'- payload:\n{json.dumps(dce_payload, indent=2)}')
-
-        # now do the actual post
-        try:
-            headers = {
-                'Authorization': f"Bearer {token}",
-                'Content-Type': 'application/json',
-            }
-            resp = requests.post(
-                url=data_collection_endpoint,
-                headers=headers,
-                json=dce_payload,
-            )
-
-            resp.raise_for_status()
-            self.printer.success('Analyze results logged to DCE')
-
-        except requests.exceptions.RequestException as e:
-            # we warn but continue
-            self.printer.warning(f'Error while posting the analyze results ({type(e)}): {e}')
-        except Exception as e:
-            self.printer.error(f'Unexpected error: {e}')
-            if self.printer.print_verbose:
-                raise(e)
-            sys.exit(1)
+        payload = {
+            "scope": scope,
+            "principal": principal,
+            "repo": repo,
+            "creations": payload.get("summary").get("creations"),
+            "updates": payload.get("summary").get("updates"),
+            "deletions": payload.get("summary").get("deletions"),
+            "minor": payload.get("summary").get("minor"),
+            "medium": payload.get("summary").get("medium"),
+            "major": payload.get("summary").get("major"),
+            "unknown": payload.get("summary").get("unknown"),
+            "total": payload.get("summary").get("total"),
+            "score": payload.get("summary").get("score"),
+            "details": payload.get('details'),
+        }
+        self._post_to_dce(
+            payload=payload,
+            data_collection_endpoint=data_collection_endpoint,
+            token=token,
+        )
 
         self.printer.verbose('Done')
 
@@ -1768,9 +1795,9 @@ Note:
     def clean(self, working_dir):
         """ Clean the temporary files of a terragrunt/terraform project """
 
-        cmd = 'find . -name ".terragrunt-cache" -type d -exec rm -rf {} \; ; ' + \
-            'find . -name ".terraform" -type d -exec rm -rf {} \; ; ' + \
-            'find . -name "terragrunt-debug*" -type f -exec rm -rf {} \;'
+        cmd = r'find . -name ".terragrunt-cache" -type d -exec rm -rf {} \; ; ' + \
+            r'find . -name ".terraform" -type d -exec rm -rf {} \; ; ' + \
+            r'find . -name "terragrunt-debug*" -type f -exec rm -rf {} \;'
 
         # we see the behaviour that with cleaning up large directories, it returns errorcode=1 upon first try
         # never to shy away from a questionable solution to make your life easier, we just run it again :-)
@@ -1819,7 +1846,7 @@ Note:
                 current_release = match.group(1)
                 if current_release not in release_commits:
                     # remove the part between ()
-                    pattern = re.compile('\(.*?\) ')
+                    pattern = re.compile(r'\(.*?\) ')
                     updated_entry = pattern.sub('', entry)
                     release_commits[current_release] = [updated_entry]
             elif current_release:
@@ -1875,3 +1902,62 @@ Note:
             # use the regular printer, to avoid it being sent to stderr
             print(changelog)
 
+    def inspect(self, domain:str,substack:str, stage:str, azure_subscription_id:str, config_file:str,
+                out:bool, data_collection_endpoint:str):
+        """ Inspects the status of an Azure deployment """
+
+        inspector = AzureInspector(
+            subscription_id=azure_subscription_id,
+            domain=domain,
+            substack=substack,
+            stage=stage,
+            config_file=config_file,
+            verbose=self.printer.print_verbose,
+        )
+
+        try:
+            results = inspector.inspect()
+
+            # Report the status
+            exit_code = 0
+            self.printer.header('Inspection status:', print_line_before=True)
+            for k,v in results.items():
+                msg = f"{v['type']}: {k}\n\t-> Resource:\t{v.get('inspect_status_code', 'NC')} ({v.get('inspect_message', 'not found')})"
+                if 'rbac_assignment_status_code' in v:
+                    msg = msg + f'\n\t-> RBAC:\t{v['rbac_assignment_status_code']} ({v.get('rbac_assignment_message')})'
+                if v['inspect_status_code'] != 'OK' or v.get('rbac_assignment_status_code', 'OK') == 'NOK':
+                    self.printer.error(msg=msg)
+                    exit_code += 1
+                else:
+                    self.printer.success(msg=msg)
+
+            if out or data_collection_endpoint:
+                # convert results to something DCE understands, and add the inputs
+                payload = []
+                for key, value in results.items():
+                    value_with_key = value.copy()
+                    value_with_key["resource_type"] = value_with_key.pop("type")
+                    value_with_key["resource"] = key
+                    value_with_key["domain"] = domain
+                    value_with_key["substack"] = substack
+                    value_with_key["stage"] = stage
+                    value_with_key["subscription_id"] = azure_subscription_id
+                    payload.append(value_with_key)
+
+                if out:
+                    print(json.dumps(payload, indent=2))
+
+                if data_collection_endpoint:
+                    self._post_to_dce(
+                        data_collection_endpoint=data_collection_endpoint,
+                        payload=payload,
+                    )
+
+            return exit_code
+        except Exception as e:
+            self.printer.normal(f'Exception occurred: {e}')
+
+            if self.printer.print_verbose:
+                traceback.print_exc()
+            
+            return -1

tgwrap/printer.py

@@ -69,3 +69,6 @@ class Printer():
         click.secho(msg, fg="green", bold=True, file=sys.stderr)
         self.line() if print_line_after else None
 
+    def progress_indicator(self):
+        print('.', flush=True, file=sys.stderr, end='')
+

{tgwrap-0.9.3.dist-info → tgwrap-0.10.0.dist-info}/METADATA

@@ -1,22 +1,24 @@
 Metadata-Version: 2.1
 Name: tgwrap
-Version: 0.9.3
+Version: 0.10.0
 Summary: A (terragrunt) wrapper around a (terraform) wrapper around ....
 Home-page: https://gitlab.com/lunadata/tgwrap
 License: MIT
 Keywords: terraform,terragrunt,terrasafe,python
 Author: Gerco Grandia
 Author-email: gerco.grandia@4synergy.nl
-Requires-Python: >=3.8,<4.0
+Requires-Python: >=3.10,<4.0
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Requires-Dist: azure-core (>=1.30.2,<2.0.0)
+Requires-Dist: azure-identity (>=1.17.1,<2.0.0)
+Requires-Dist: azure-mgmt-authorization (>=4.0.0,<5.0.0)
 Requires-Dist: click (>=8.0)
 Requires-Dist: inquirer (>=3.1.4,<4.0.0)
+Requires-Dist: jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: networkx (>=2.8.8,<3.0.0)
 Requires-Dist: outdated (>=0.2.2)
 Requires-Dist: pydot (>=1.4.2,<2.0.0)
@@ -192,6 +194,25 @@ A payload as below will be posted, and the log analytics table should be able to
 ]
 ```
 
+The log analytics (custom) table should have a schema that is able to cope with the message above:
+
+| Field          | Type     |
+|----------------|----------|
+| creations      | Int      |
+| deletions      | Int      |
+| details        | Dynamic  |
+| major          | Int      |
+| medium         | Int      |
+| minor          | Int      |
+| principal      | String   |
+| repo           | String   |
+| scope          | String   |
+| score          | Int      |
+| TimeGenerated  | Datetime |
+| total          | Int      |
+| unknown        | Int      |
+| updates        | Int      |
+
 ## More than a wrapper
 
 Over time, tgwrap became more than a wrapper, blantly violating [#1 of the unix philosophy](https://en.wikipedia.org/wiki/Unix_philosophy#:~:text=The%20Unix%20philosophy%20is%20documented,%2C%20as%20yet%20unknown%2C%20program.): 'Make each program do one thing well'.
@@ -307,6 +328,90 @@ global_config_files:
     source: ../../terrasafe-config.json
 ```
 
+## Inspecting deployed infrastructure
+
+Testing infra-as-code is hard, even though test frameworks are becoming more common these days. But the standard test approaches typically work with temporary infrastructures, while it is often also useful to test a deployed infrastructure.
+
+Frameworks like [Chef's InSpec](https://docs.chef.io/inspec/) aims at solving that, but it is pretty config management heavy (but there are add-ons for aws and azure infra). It has a steep learning curve, we only need a tiny part of it, and also comes with a commercial license.
+
+For what we need ('is infra deployed and are the main role assignments still in place') it was pretty easy to implement in python.
+
+For this, you can now run the `inspect` command, which will then inspect real infrastructure and role assignments, and report back whether it meets the expectations (as declared in a config file):
+
+```yaml
+---
+location:
+  code: westeurope
+  full: West Europe
+
+# the entra id groups ar specified as a map as these will be checked for existence
+# but also used for role assignment validation
+entra_id_groups:
+  platform_admins: '{domain}-platform-admins'
+  cost_admins: '{domain}-cost-admins'
+  data_admins: '{domain}-data-admins'
+  just_testing: group-does-not-exist
+
+# the resources to check
+resources:
+  - identifier: 'kv-{domain}-euw-{stage}-base'
+    # due to length limitations in resource names, some shortening in the name might have taken place
+    # so you can provide alternative ids
+    alternative_ids:
+    - 'kv-{domain}-euw-{stage}-bs'
+    - 'kv{domain}euw{stage}bs'
+    - 'kv{domain}euw{stage}base'
+    type: key_vault
+    resource_group: 'rg-{domain}-euw-{stage}-base'
+    role_assignments:
+      - platform_admins: Owner
+      - platform_admins: Key Vault Secrets Officer
+      - data_admins: Key Vault Secrets Officer
+```
+
+After which you can run the following:
+
+```console
+tgwrap inspect -d domain -s sbx -a 886d4e58-a178-4c50-ae65-xxxxxxxxxx -c ./inspect-config.yml
+......
+
+Inspection status:
+entra_id_group: dps-platform-admins
+	-> Resource:	OK (Resource dps-platform-admins of type entra_id_group OK)
+entra_id_group: dps-cost-admins
+	-> Resource:	OK (Resource dps-cost-admins of type entra_id_group OK)
+entra_id_group: dps-data-admins
+	-> Resource:	OK (Resource dps-data-admins of type entra_id_group OK)
+entra_id_group: group-does-not-exist
+	-> Resource:	NEX (Resource group-does-not-exist of type entra_id_group not found)
+key_vault: kv-dps-euw-sbx-base
+	-> Resource:	OK (Resource kv-dps-euw-sbx-base of type key_vault OK)
+	-> RBAC:	NOK (Principal platform_admins has NOT role Owner assigned; )
+subscription: 886d4e58-a178-4c50-ae65-xxxxxxxxxx
+	-> Resource:	OK (Resource 886d4e58-a178-4c50-ae65-xxxxxxxxxx of type subscription OK)
+	-> RBAC:	NC (Role assignments not checked)
+```
+
+You can sent the results also to a data collection endpoint (seel also [Logging the results](#logging-the-results)).
+
+For that, a custom table should exist with the following structure:
+
+
+| Field                      | Type     |
+|----------------------------|----------|
+| domain                     | String   |
+| substack                   | String   |
+| stage                      | String   |
+| subscription_id            | String   |
+| resource_type              | String   |
+| inspect_status_code        | String   |
+| inspect_status             | String   |
+| inspect_message            | String   |
+| rbac_assignment_status_code| String   |
+| rbac_assignment_status     | String   |
+| rbac_assignment_message    | String   |
+| resource                   | String   |
+
 ## Generating change logs
 
 tgwrap can generate a change log by running:

tgwrap-0.10.0.dist-info/RECORD

@@ -0,0 +1,13 @@
+tgwrap/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+tgwrap/analyze.py,sha256=TJvAKVIbWl8-8oxpTwXVBWU72q_XQKzUTlyMZ25cV2M,8728
+tgwrap/cli.py,sha256=UokTSBp84HZ9IAwn0MlGMUjpjL76SILWm1GNlVHAqr0,31482
+tgwrap/deploy.py,sha256=-fSk-Ix_HqrXY7KQX_L27TnFzIuhBHYv4xYJW6zRDN4,10243
+tgwrap/inspector-resources-template.yml,sha256=goQaqyaTb_o1fAuCBHl-6xc1Rul63Byqau5RQ4qJvTo,2992
+tgwrap/inspector.py,sha256=5pW7Ex1lkKRoXY6hZGbCNmSD2iRzgMSfqi9w7gb-AcY,16990
+tgwrap/main.py,sha256=zKddIfI7-KHd1lX9xXh_tqgnIUa8uOxqDSxsVNW-klg,84544
+tgwrap/printer.py,sha256=frn1PARd8A28mkRCYR6ybN2x0NBULhNOutn4l2U7REY,2754
+tgwrap-0.10.0.dist-info/LICENSE,sha256=VT-AVxIXt3EQTC-7Hy1uPGnrDNJLqfcgLgJD78fiyx4,1065
+tgwrap-0.10.0.dist-info/METADATA,sha256=kH2A2ZYjEQPKQ0iGbJKiachqmV1yELC3j1k5g7ZWVyM,17578
+tgwrap-0.10.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+tgwrap-0.10.0.dist-info/entry_points.txt,sha256=H8X0PMPmd4aW7Y9iyChZ0Ug6RWGXqhRUvHH-6f6Mxz0,42
+tgwrap-0.10.0.dist-info/RECORD,,

{tgwrap-0.9.3.dist-info → tgwrap-0.10.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.8.1
+Generator: poetry-core 1.9.0
 Root-Is-Purelib: true
 Tag: py3-none-any

tgwrap-0.9.3.dist-info/RECORD

@@ -1,11 +0,0 @@
-tgwrap/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-tgwrap/analyze.py,sha256=CsSaGv-be6ATy36z9X7x00gpKY59soJys2VbIzD-tmg,8726
-tgwrap/cli.py,sha256=w6IxXbHuok0D2KNKx6kEezHeNbMnGc09now0KtN80d4,29728
-tgwrap/deploy.py,sha256=-fSk-Ix_HqrXY7KQX_L27TnFzIuhBHYv4xYJW6zRDN4,10243
-tgwrap/main.py,sha256=9v8c7o32xmmkgEOgrUCiDCcivol4lRzauS6L0pvXdLw,81157
-tgwrap/printer.py,sha256=dkcOCPIPB-IP6pn8QMpa06xlcqPFVaDvxnz-QEpDJV0,2663
-tgwrap-0.9.3.dist-info/LICENSE,sha256=VT-AVxIXt3EQTC-7Hy1uPGnrDNJLqfcgLgJD78fiyx4,1065
-tgwrap-0.9.3.dist-info/METADATA,sha256=4QoTzQqkbDlKqK6aQXs8NvQZRAFrmUBkOoD-wZVetrw,13334
-tgwrap-0.9.3.dist-info/WHEEL,sha256=FMvqSimYX_P7y0a7UY-_Mc83r5zkBZsCYPm7Lr0Bsq4,88
-tgwrap-0.9.3.dist-info/entry_points.txt,sha256=H8X0PMPmd4aW7Y9iyChZ0Ug6RWGXqhRUvHH-6f6Mxz0,42
-tgwrap-0.9.3.dist-info/RECORD,,