# Copyright The Cloud Custodian Authors.
# SPDX-License-Identifier: Apache-2.0
# Run every recipe with bash.
SHELL := /bin/bash

# Path of this makefile, so recipes can re-invoke it via `$(MAKE) -f $(SELF_MAKE)`.
SELF_MAKE := $(lastword $(MAKEFILE_LIST))

# Package index name handed to `twine upload -r` by pkg-publish-wheel.
# The default is the test index; a publish to any other index needs an
# explicit `make PKG_REPO=<name>` override.
PKG_REPO = testpypi

# Version component bumped by pkg-increment (`uv version --bump`).
PKG_INCREMENT := patch

# Sub-packages iterated by pkg-clean and pkg-increment.
PKG_SET := \
	tools/c7n_gcp \
	tools/c7n_kube \
	tools/c7n_openstack \
	tools/c7n_mailer \
	tools/c7n_policystream \
	tools/c7n_org \
	tools/c7n_sphinxext \
	tools/c7n_awscc \
	tools/c7n_tencentcloud \
	tools/c7n_azure \
	tools/c7n_oci \
	tools/c7n_left

# Not referenced by any rule visible in this file.
PKG_SET_OLD := \
	tools/c7n_logexporter \
	tools/c7n_trailcreator \
	tools/c7n_terraform

# Directories that `black` checks (lint) and rewrites (format).
FMT_SET := \
	tools/c7n_left \
	tools/c7n_mailer \
	tools/c7n_oci \
	tools/c7n_kube \
	tools/c7n_awscc

# Report format passed to `--cov-report` by test-coverage.
COVERAGE_TYPE := html

# Extra pytest arguments, e.g. `make test ARGS="-k foo"`.
ARGS :=

# docker/$(IMAGE) is the Dockerfile used by the image target;
# the result is tagged $(IMAGE):$(IMAGE_TAG).
IMAGE := c7n
IMAGE_TAG := latest
###
# Common developer targets
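# Sync the development environment for every workspace package.
# --locked makes uv fail rather than rewrite uv.lock when the lockfile is out
# of date, so this target installs only the resolution recorded in the repo.
.PHONY: install
install:
# extras are for c7n_mailer, separate lint from dev for ci
	uv sync --all-packages --locked \
		--group dev \
		--group addons \
		--group lint \
		--extra gcp --extra azure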
# Run the test suites under tests/ and tools/ in parallel (pytest-xdist
# `-n auto`). $(ARGS) carries any extra pytest options from the command line.
.PHONY: test
test:
	uv run pytest -n auto $(ARGS) \
		tests tools
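# Run the test suites with coverage measurement for the core package and the
# listed tool packages. The report format comes from $(COVERAGE_TYPE).
.PHONY: test-coverage
test-coverage:
	uv run pytest -n auto \
		--cov-config .coveragerc \
		--cov-report $(COVERAGE_TYPE) \
		--cov c7n \
		--cov tools/c7n_azure/c7n_azure \
		--cov tools/c7n_gcp/c7n_gcp \
		--cov tools/c7n_kube/c7n_kube \
		--cov tools/c7n_left/c7n_left \
		--cov tools/c7n_mailer/c7n_mailer \
		--cov tools/c7n_policystream/c7n_policystream \
		--cov tools/c7n_tencentcloud/c7n_tencentcloud \
		--cov tools/c7n_oci/c7n_oci \
		tests tools $(ARGS)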
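# Run the tests marked `functional` against a live AWS account in us-east-2.
# Whatever credentials are active in the calling environment are used, so run
# this only from a session scoped to a disposable test account.
# NOTE(review): this recipe calls bare `pytest` while the other test targets
# use `uv run pytest` -- confirm that is intentional.
.PHONY: test-functional
test-functional:
# note this will provision real resources in a cloud environment
	C7N_FUNCTIONAL=yes AWS_DEFAULT_REGION=us-east-2 pytest tests -m functional $(ARGS)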
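# Run the Azure tests marked `functional` and matching the keyword
# `terraform`. Uses whatever Azure credentials are active in the calling
# environment, so run it only against a disposable test subscription.
.PHONY: test-functional-azure
test-functional-azure:
# note this will provision real resources in Azure's public cloud environment
	C7N_FUNCTIONAL=yes uv run pytest tools/c7n_azure/tests_azure -k terraform -m functional $(ARGS)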
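# Build the HTML documentation through the Sphinx makefile.
# $(MAKE) rather than a literal `make` so that -n, -j and the jobserver
# propagate to the sub-make.
.PHONY: sphinx
sphinx:
	$(MAKE) -f docs/Makefile.sphinx html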
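# Read-only style checks: each command reports problems and fails without
# modifying files. `--no-project` tells uv not to discover or sync the
# project, so ruff and black must already be available to `uv run`.
.PHONY: lint
lint:
	uv run --no-project ruff check c7n tests tools
	uv run --no-project black --check $(FMT_SET)
	terraform fmt -check -recursive .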
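# Rewrite sources in place: black over $(FMT_SET), ruff auto-fixes over the
# Python trees, and terraform fmt over every .tf file below the repo root.
.PHONY: format
format:
	uv run black $(FMT_SET)
	uv run ruff check --fix c7n tests tools
	terraform fmt -recursive .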
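# Remove documentation build output, local environment leftovers and
# packaging artifacts. All paths are relative, so run this from the
# repository root.
# $(MAKE) rather than a literal `make` so that -n, -j and the jobserver
# propagate to the sub-make.
.PHONY: clean
clean:
	$(MAKE) -f docs/Makefile.sphinx clean
	rm -rf .tox .Python bin include lib pip-selfcheck.json
	@$(MAKE) -f $(SELF_MAKE) pkg-clean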
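# Build a container image from the Dockerfile docker/$(IMAGE) and tag it
# $(IMAGE):$(IMAGE_TAG). The build context is the repository root (`.`), so
# every file there that the Docker ignore rules do not exclude is sent to the
# builder.
.PHONY: image
image:
	docker build -f docker/$(IMAGE) -t $(IMAGE):$(IMAGE_TAG) .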
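# Run the `generate` command of tools/dev/dockerpkg.py.
# NOTE(review): presumably this regenerates the files under docker/ --
# confirm against the script.
.PHONY: gen-docker
gen-docker:
	uv run tools/dev/dockerpkg.py generate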
###
# Package Management Targets
# - primarily used to help drive frozen releases and dependency upgrades
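# Delete release notes, the wheel manifest and all dist/ and build/ contents
# at the top level and in every package of $(PKG_SET).
# Paths are addressed from the repository root instead of `cd pkg && ... &&
# cd ../..`: with the cd chain, a failing step skips the `cd ../..` and the
# remaining iterations run from the wrong directory. `|| exit 1` makes the
# loop stop on the first failure instead of reporting only the last one.
.PHONY: pkg-clean
pkg-clean:
	rm -f release.md
	rm -f wheels-manifest.txt
	rm -f dist/*
	rm -Rf build/*
	for pkg in $(PKG_SET); do \
		rm -f "$$pkg"/dist/* || exit 1; \
		rm -Rf "$$pkg"/build/* || exit 1; \
	done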
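# Re-resolve every dependency to its newest allowed version and sync.
# Unlike install, this runs without --locked, so it rewrites uv.lock; review
# the lockfile diff before committing it.
.PHONY: pkg-update
pkg-update:
	uv sync --all-packages \
		--group dev \
		--group addons \
		--group lint \
		--extra gcp --extra azure \
		--upgrade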
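# Print the dependency tree annotated with newer available versions,
# leaving out the default dependency groups.
.PHONY: pkg-show-update
pkg-show-update:
	uv tree --outdated --no-default-groups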
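# Bump the $(PKG_INCREMENT) version component of the root project and of
# every package in $(PKG_SET), then regenerate c7n/version.py.
# Each package is bumped in a subshell so the working directory is restored
# even when a step fails, and `|| exit 1` aborts on the first failure so a
# release is never left with only some packages bumped unnoticed.
.PHONY: pkg-increment
pkg-increment:
# increment versions
	uv version --bump $(PKG_INCREMENT)
	for pkg in $(PKG_SET); do \
		(cd "$$pkg" && uv version --bump $(PKG_INCREMENT)) || exit 1; \
	done
	uv run tools/dev/devpkg.py gen-version-file -p . -f c7n/version.py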
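# Build wheels for all workspace packages from a clean dist/ directory.
# pkg-clean runs first so stale artifacts cannot end up next to the new
# wheels. `twine check --strict` treats metadata warnings as failures.
# NOTE(review): freezeuvwheel.py presumably pins the wheels' dependencies to
# the versions in uv.lock -- confirm against the script.
.PHONY: pkg-build-wheel
pkg-build-wheel:
	@$(MAKE) -f $(SELF_MAKE) pkg-clean
	uv build --all-packages --wheel
	uv run tools/dev/freezeuvwheel.py dist uv.lock
	uv run twine check --strict dist/*.whl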
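# Upload everything in dist/ to the index named by $(PKG_REPO), which
# defaults to testpypi.
# NOTE(review): the glob is dist/* while pkg-build-wheel only runs
# `twine check` on dist/*.whl, and this target does not depend on
# pkg-build-wheel. Any other file left in dist/ is uploaded too, so verify
# the directory contents before publishing.
.PHONY: pkg-publish-wheel
pkg-publish-wheel:
# upload to named package index / pypi
	uv run twine upload -r $(PKG_REPO) dist/*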
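# Clear local packaging output, then fetch the artifacts produced by the
# GitHub release action.
# NOTE(review): any integrity or provenance check on the downloaded files
# happens inside get_release_artifacts.py and is not visible here -- confirm
# before feeding the result to pkg-publish-wheel.
.PHONY: release-get-artifacts
release-get-artifacts:
# download release artifacts from github release action
	@$(MAKE) -f $(SELF_MAKE) pkg-clean
	uv run tools/dev/get_release_artifacts.py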
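# Regenerate the checked-in reference data sets (terraform, AWS, GCP).
# The two recipes that use `>` truncate their destination before the script
# runs, so a failed run leaves an empty or partial JSON file behind; check
# `git diff` before committing the results.
.PHONY: data-update
data-update:
# terraform data sets
	cd tools/c7n_left/scripts && uv run python get_taggable.py \
		--module-path taggable_providers/latest \
		--module-path taggable_providers/azurerm-previous \
		--output ../c7n_left/data/taggable.json
# aws data sets
	uv run python tools/dev/data_cftypedb.py -f tests/data/cfn-types.json
	uv run python tools/dev/data_updatearnref.py > tests/data/arn-types.json
	uv run python tools/dev/data_iamdb.py -f tests/data/iam-actions.json
	uv run python tools/dev/data_awspartitions.py > c7n/data/aws_region_partition_map.json
# gcp data sets
	uv run python tools/dev/data_gcpiamdb.py -f tools/c7n_gcp/tests/data/iam-permissions.json
	uv run python tools/dev/data_gcpregion.py -f tools/c7n_gcp/c7n_gcp/regions.json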
###
# Static analyzers
# For context around skipping the B105 (hardcoded password)
# rule, see:
# https://github.com/PyCQA/bandit/issues/1350
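# Run bandit recursively over the listed source trees.
#   -i  reports findings from LOW confidence upward
#   -s  skips B101 (assert used), B105 (hardcoded password string) and
#       B311 (standard pseudo-random generators)
# Skipping B311 means use of `random` in a security-sensitive place is not
# reported by this target.
# uvx resolves bandit outside the project's uv.lock, so the analyzer version
# is not pinned by this repository.
# NOTE(review): several $(PKG_SET) packages (c7n_kube, c7n_awscc,
# c7n_tencentcloud, c7n_openstack) are not in the scan list, and
# tools/c7n_guardian appears in neither package set -- confirm the list
# matches the code that is actually shipped.
.PHONY: analyzer-bandit
analyzer-bandit:
	uvx bandit -i -s B101,B105,B311 \
		-r tools/c7n_azure/c7n_azure \
		tools/c7n_gcp/c7n_gcp \
		tools/c7n_oci/c7n_oci \
		tools/c7n_left/c7n_left \
		tools/c7n_guardian/c7n_guardian \
		tools/c7n_org/c7n_org \
		tools/c7n_mailer/c7n_mailer \
		tools/c7n_policystream/policystream.py \
		tools/c7n_trailcreator/c7n_trailcreator \
		c7n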
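# Run semgrep with the `p/security-audit` registry ruleset over the listed
# source trees. `--error` makes the command exit non-zero when there are
# findings.
# The ruleset is fetched from the Semgrep registry at run time and uvx
# resolves semgrep outside the project's uv.lock, so neither the rules nor
# the analyzer version are pinned by this repository; results can change
# between runs without a code change.
# NOTE(review): several $(PKG_SET) packages (c7n_kube, c7n_awscc,
# c7n_tencentcloud, c7n_openstack) are not in the scan list, and
# tools/c7n_guardian appears in neither package set -- confirm the list
# matches the code that is actually shipped.
.PHONY: analyzer-semgrep
analyzer-semgrep:
	uvx semgrep --error --verbose --config p/security-audit \
		tools/c7n_azure/c7n_azure \
		tools/c7n_gcp/c7n_gcp \
		tools/c7n_oci/c7n_oci \
		tools/c7n_left/c7n_left \
		tools/c7n_guardian/c7n_guardian \
		tools/c7n_org/c7n_org \
		tools/c7n_mailer/c7n_mailer \
		tools/c7n_policystream/policystream.py \
		tools/c7n_trailcreator/c7n_trailcreator \
		c7n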