infrahouse_core.aws package

Submodules

infrahouse_core.aws.acm_certificate module

ACM Certificate resource wrapper.

Provides exists / delete() support for AWS Certificate Manager certificates.

class infrahouse_core.aws.acm_certificate.ACMCertificate(certificate_arn, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ACM certificate.

Parameters:
  • certificate_arn – ARN of the ACM certificate.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property certificate_arn: str

Return the ARN of the certificate.

Return type:

str

delete() None[source]

Delete the ACM certificate.

Idempotent – does nothing if the certificate does not exist.

Note

ResourceInUseException is not caught and will propagate to the caller. The certificate must be disassociated from all AWS services (CloudFront, ELB, etc.) before deletion.

property exists: bool

Return True if the certificate exists.

Returns False if the API raises ResourceNotFoundException.

infrahouse_core.aws.base module

Base class for AWS resource wrappers.

Provides a standard interface (exists property and delete() method) that all AWS resource classes should implement.

class infrahouse_core.aws.base.AWSResource(resource_id, service_name, region=None, role_arn=None, session=None)[source]

Bases: ABC

Abstract base class for AWS resource wrappers.

Subclasses must implement the exists property and the delete() method. The constructor provides a lazy-loaded boto3 client via _client.

Parameters:
  • resource_id – Primary identifier for the resource (ID, name, ARN, etc.).

  • service_name – AWS service name passed to get_client() (e.g. "ec2", "dynamodb").

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

  • session – Pre-configured boto3.Session. When provided the client is created from this session instead of via get_client().

property arn: str

Return the ARN of this resource.

Subclasses must override this to enable the generic tag helpers.

Raises:

NotImplementedError – if the subclass has not implemented arn.

abstract delete() None[source]

Delete the resource.

abstract property exists: bool

Check whether the resource currently exists.

Returns:

True if the resource exists, False otherwise.

remove_tag(key: str) bool[source]

Remove a single tag from this resource.

Idempotent: no-op if the tag is not currently set.

Parameters:

key – Tag key to remove.

Returns:

True if the tag was present and removed, False if it was already absent.

set_tag(key: str, value: str) bool[source]

Set a single tag on this resource.

Idempotent: if the tag is already set to value, no API call is made.

Parameters:
  • key – Tag key.

  • value – Tag value.

Returns:

True if the tag was written, False if it was already current.

set_tags(tags: dict) int[source]

Set multiple tags on this resource.

Idempotent: tags that already have the requested value are skipped.

Parameters:

tags – Mapping of tag keys to values.

Returns:

Number of tags actually written.

property tags: dict

Return current tags as a {key: value} dict.

Uses the generic list_tags_for_resource API. Override in subclasses whose service uses a different tagging API.

infrahouse_core.aws.asg module

Module for ASG class - a class to work with Autoscaling group.

class infrahouse_core.aws.asg.ASG(asg_name: str, region: str | None = None, role_arn: str | None = None, session=None)[source]

Bases: object

AWS Autoscaling group.

cancel_instance_refresh()[source]

Cancel all instance refreshes.

complete_lifecycle_action(hook_name='terminating', result='CONTINUE', instance_id=None)[source]

Completes the lifecycle hook. See details at https://docs.aws.amazon.com/autoscaling/ec2/userguide/completing-lifecycle-hooks.html

Parameters:
  • hook_name (str) – Hook name.

  • result (str) – Result of the hook. Can be either CONTINUE or ABANDON.

  • instance_id (str) – EC2 instance_id for which to complete the hook. If not given, the local instance is assumed.

delete(force_delete: bool = True) None[source]

Delete the autoscaling group.

Idempotent – does nothing if the ASG does not exist.

Parameters:

force_delete (bool) – If True (default), force-delete the ASG even if it has running instances.

property exists: bool

Check whether the autoscaling group currently exists.

Returns:

True if the ASG exists, False otherwise.

property instance_refreshes: List[Dict]
Returns:

List of ASG instance refresh tasks.

property instances: List[ASGInstance]
Returns:

List of EC2 instances in the autoscaling group.

record_lifecycle_action_heartbeat(hook_name='terminating', instance_id=None)[source]

Extend lifecycle wait time.

Parameters:
  • hook_name (str) – Hook name.

  • instance_id (str) – EC2 instance_id for which the hook is waiting. If not given, assume the local instance.

infrahouse_core.aws.asg_instance module

Module for ASGInstance class - a class to describe and work with an instance that is a part of an Autoscaling group.

class infrahouse_core.aws.asg_instance.ASGInstance(instance_id=None, **kwargs)[source]

Bases: EC2Instance

ASGInstance is an EC2 instance that is a part of an autoscaling group. Because it’s an EC2 instance, ASGInstance inherits from EC2Instance.

property asg_name: str
Returns:

Name of an autoscaling group that this instance is a part of.

property lifecycle_state: str
Returns:

Lifecycle state of the instance. See https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-lifecycle.html for possible values.

mark_unhealthy()[source]

Tell the autoscaling group that this instance is not healthy and should be replaced.

protect()[source]

Protect the instance from a scale-in event.

unprotect()[source]

Remove the instance’s protection from a scale-in event.

infrahouse_core.aws.cloudwatch_alarm module

CloudWatch Alarm resource wrapper.

Provides exists / delete() support for CloudWatch alarms.

class infrahouse_core.aws.cloudwatch_alarm.CloudWatchAlarm(alarm_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around a CloudWatch alarm.

Parameters:
  • alarm_name – Name of the alarm.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property alarm_name: str

Return the name of the alarm.

Return type:

str

delete() None[source]

Delete the alarm.

Idempotent – delete_alarms does not raise if the alarm does not exist.

property exists: bool

Return True if the alarm exists.

Checks both metric alarms and composite alarms returned by describe_alarms.

infrahouse_core.aws.cloudfront_cache_policy module

CloudFront Cache Policy resource wrapper.

Provides exists / delete() support for CloudFront cache policies.

class infrahouse_core.aws.cloudfront_cache_policy.CloudFrontCachePolicy(policy_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around a CloudFront cache policy.

Parameters:
  • policy_id – The cache policy ID.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the cache policy.

Fetches the current ETag and issues the delete call.

Idempotent – does nothing if the policy does not exist.

Note

CachePolicyInUse is not caught and will propagate to the caller. The policy must be detached from all distributions first.

property exists: bool

Return True if the cache policy exists.

Returns False if the API raises NoSuchCachePolicy.

property policy_id: str

Return the cache policy ID.

Return type:

str

infrahouse_core.aws.cloudfront_distribution module

CloudFront Distribution resource wrapper.

Provides exists / delete() support for Amazon CloudFront distributions. Deletion is a multi-step process:

  1. Disable the distribution (if enabled).

  2. Wait for the distribution to reach the Deployed state.

  3. Delete the distribution using the current ETag.
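
The three steps above, as an added example that is not infrahouse_core's own code. It uses the boto3 CloudFront call names against FakeCloudFront, a constructed in-memory stand-in, so it runs offline; the function name, its defaults and the fake are assumptions.

```python
"""Added example: disable -> wait for Deployed -> delete with the current ETag."""
import copy
import time


class FakeAWSError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def error_code(exc):
    """AWS error code from a ClientError-shaped exception, else None."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def delete_distribution(client, distribution_id, timeout=1800, poll=30,
                        sleep=time.sleep, clock=time.monotonic):
    """Return True if deleted, False if the distribution did not exist."""
    try:
        current = client.get_distribution_config(Id=distribution_id)
    except Exception as exc:
        if error_code(exc) == "NoSuchDistribution":
            return False  # idempotent: nothing to delete
        raise
    # Step 1: disable. IfMatch carries the ETag we just read, so the update
    # is rejected if the distribution was changed by someone else meanwhile.
    if current["DistributionConfig"]["Enabled"]:
        config = copy.deepcopy(current["DistributionConfig"])
        config["Enabled"] = False
        client.update_distribution(
            Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=config
        )
    # Step 2: wait until the change has propagated to the edge.
    deadline = clock() + timeout
    while True:
        dist = client.get_distribution(Id=distribution_id)
        if dist["Distribution"]["Status"] == "Deployed":
            break
        if clock() >= deadline:
            raise TimeoutError(f"{distribution_id} not Deployed after {timeout}s")
        sleep(poll)
    # Step 3: delete with the ETag from the latest read; the ETag from
    # step 1 is no longer valid once the update has been accepted.
    client.delete_distribution(Id=distribution_id, IfMatch=dist["ETag"])
    return True


class FakeCloudFront:
    """Constructed fake: one enabled distribution, ETag bumps on update."""

    def __init__(self, polls_until_deployed=2):
        self.dists = {"E1A2B3C4D5E6F7": {"Enabled": True, "etag": 1, "pending": 0}}
        self.polls = polls_until_deployed

    def _get(self, dist_id):
        if dist_id not in self.dists:
            raise FakeAWSError("NoSuchDistribution")
        return self.dists[dist_id]

    def get_distribution_config(self, Id):
        d = self._get(Id)
        return {"ETag": f"E{d['etag']}",
                "DistributionConfig": {"Enabled": d["Enabled"], "Comment": "constructed"}}

    def update_distribution(self, Id, IfMatch, DistributionConfig):
        d = self._get(Id)
        if IfMatch != f"E{d['etag']}":
            raise FakeAWSError("PreconditionFailed")
        d.update(Enabled=DistributionConfig["Enabled"], etag=d["etag"] + 1,
                 pending=self.polls)

    def get_distribution(self, Id):
        d = self._get(Id)
        status = "InProgress" if d["pending"] > 0 else "Deployed"
        d["pending"] = max(0, d["pending"] - 1)
        return {"ETag": f"E{d['etag']}", "Distribution": {"Status": status}}

    def delete_distribution(self, Id, IfMatch):
        d = self._get(Id)
        if IfMatch != f"E{d['etag']}":
            raise FakeAWSError("PreconditionFailed")
        if d["Enabled"]:
            raise FakeAWSError("DistributionNotDisabled")
        del self.dists[Id]


if __name__ == "__main__":
    cf = FakeCloudFront()
    print(delete_distribution(cf, "E1A2B3C4D5E6F7", sleep=lambda s: None))
    print(delete_distribution(cf, "E1A2B3C4D5E6F7", sleep=lambda s: None))
```
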

class infrahouse_core.aws.cloudfront_distribution.CloudFrontDistribution(distribution_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an Amazon CloudFront distribution.

Parameters:
  • distribution_id – The CloudFront distribution ID (e.g. E1A2B3C4D5E6F7).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Disable (if needed), wait for deployment, then delete the distribution.

Idempotent – does nothing if the distribution does not exist.

Raises:
  • TimeoutError – If the distribution does not reach Deployed status within the allowed wait time.

  • ClientError – For unexpected AWS API errors or if the distribution cannot be deleted (e.g. still in use).

disable() None[source]

Disable the distribution.

No-op if the distribution is already disabled.

Raises:

ClientError – For unexpected AWS API errors.

property distribution_id: str

Return the distribution ID.

Return type:

str

enable() None[source]

Enable the distribution.

No-op if the distribution is already enabled.

Raises:

ClientError – For unexpected AWS API errors.

property exists: bool

Return True if the distribution exists.

Returns False if the API raises NoSuchDistribution.

infrahouse_core.aws.cloudfront_function module

CloudFront Function resource wrapper.

Provides exists / delete() support for CloudFront Functions.

class infrahouse_core.aws.cloudfront_function.CloudFrontFunction(function_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around a CloudFront Function.

Parameters:
  • function_name – Name of the CloudFront function.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the CloudFront function.

Fetches the current ETag and issues the delete call.

Idempotent – does nothing if the function does not exist.

Note

FunctionInUse is not caught and will propagate to the caller. The function must be disassociated from all cache behaviors first.

property exists: bool

Return True if the CloudFront function exists.

Returns False if the API raises NoSuchFunctionExists.

property function_name: str

Return the function name.

Return type:

str

infrahouse_core.aws.cloudfront_response_headers_policy module

CloudFront Response Headers Policy resource wrapper.

Provides exists / delete() support for CloudFront response headers policies.

class infrahouse_core.aws.cloudfront_response_headers_policy.CloudFrontResponseHeadersPolicy(policy_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around a CloudFront response headers policy.

Parameters:
  • policy_id – The response headers policy ID.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the response headers policy.

Fetches the current ETag and issues the delete call.

Idempotent – does nothing if the policy does not exist.

Note

ResponseHeadersPolicyInUse is not caught and will propagate to the caller. The policy must be detached from all distributions first.

property exists: bool

Return True if the response headers policy exists.

Returns False if the API raises NoSuchResponseHeadersPolicy.

property policy_id: str

Return the response headers policy ID.

Return type:

str

infrahouse_core.aws.cloudwatch_log_group module

CloudWatch Log Group resource wrapper.

Provides exists / delete() support for CloudWatch Logs log groups.

class infrahouse_core.aws.cloudwatch_log_group.CloudWatchLogGroup(log_group_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around a CloudWatch Logs log group.

Parameters:
  • log_group_name – Name of the log group.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property arn: str

Return the ARN of the log group.

Pulled from describe_log_groups so no account/region plumbing is required at construction time. The CloudWatch Logs API returns ARNs with a trailing :* wildcard; this property strips it so the value can be used with tag_resource and similar APIs that expect a plain resource ARN.

Raises:

ValueError – if the log group does not exist.

delete() None[source]

Delete the log group.

Idempotent – does nothing if the log group does not exist.

property exists: bool

Return True if the log group exists.

Uses describe_log_groups with a name prefix filter and checks for an exact match, since the API does not raise an error for missing log groups.

classmethod list_log_groups(prefix: str | None = None, region: str | None = None, role_arn: str | None = None, session=None) list[CloudWatchLogGroup][source]

List log groups, optionally filtered by name prefix.

Parameters:
  • prefix – Log group name prefix to filter on.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

  • session (boto3.Session or None) – Pre-configured boto3.Session.

Returns:

List of CloudWatchLogGroup instances.

property log_group_name: str

Return the name of the log group.

Return type:

str

property retention_in_days: int | None

Return the retention period in days, or None if set to never expire.

set_retention(days: int) None[source]

Set the retention policy on the log group.

Parameters:

days – Retention period in days. Must be a value accepted by the CloudWatch Logs API (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653).

infrahouse_core.aws.ecr_repository module

ECR Repository resource wrapper.

Provides exists / delete() support plus image queries via ECRImage.

class infrahouse_core.aws.ecr_repository.ECRImage(ecr_client, repository_name: str, tag: str | None = None, digest: str | None = None)[source]

Bases: object

Represents a single image in an ECR repository.

Use ECRRepository.get_image() to obtain instances. Exactly one of tag or digest must be provided.

Parameters:
  • ecr_client – A boto3 ECR client.

  • repository_name – Name of the ECR repository.

  • tag – An image tag (e.g. "latest").

  • digest – An image digest (e.g. "sha256:abc...").

Raises:

ValueError – If neither or both of tag and digest are provided.

property digest: str | None

Return the image digest.

Return type:

str | None

property exists: bool

Return True if the image exists in the repository.

property image_id: dict

Return the imageIds element for boto3 ECR API calls.

Return type:

dict

tag_image(tag: str) None[source]

Apply an additional tag to this image.

Fetches the image manifest via batch_get_image and re-publishes it with the new tag via put_image. If the tag already points to the same manifest, ImageAlreadyExistsException is caught silently.

Parameters:

tag – The tag to apply.

Raises:

ClientError – On AWS API errors (except ImageAlreadyExistsException).

property tags: List[str]

Return all tags for this image.

Return type:

list[str]

Returns:

List of image tags. Empty list if the image is not found.

class infrahouse_core.aws.ecr_repository.ECRRepository(repository_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ECR repository.

Parameters:
  • repository_name – Name of the ECR repository.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

  • session – Pre-configured boto3.Session.

delete() None[source]

Delete the repository and all its images.

Idempotent – does nothing if the repository does not exist.

property exists: bool

Return True if the repository exists.

get_image(tag: str | None = None, digest: str | None = None) ECRImage[source]

Return an ECRImage for the given tag or digest.

Exactly one of tag or digest must be provided.

Parameters:
  • tag – An image tag (e.g. "latest").

  • digest – An image digest (e.g. "sha256:abc...").

Return type:

ECRImage

property images: List[ECRImage]

Return all images in the repository.

Paginates through describe_images to return all results.

Return type:

list[ECRImage]

property repository_name: str

Return the name of the repository.

Return type:

str

property repository_uri: str

Return the full URI of the repository.

Return type:

str

Raises:

ClientError – If the repository does not exist.

infrahouse_core.aws.ecs_service module

ECS Service resource wrapper.

Provides exists / delete() support plus service status queries.

class infrahouse_core.aws.ecs_service.ECSService(cluster_name, service_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ECS service.

Parameters:
  • cluster_name – Name or ARN of the ECS cluster.

  • service_name – Name of the ECS service.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

  • session – Pre-configured boto3.Session.

property cluster_name: str

Return the cluster name.

Return type:

str

delete() None[source]

Delete the service.

Sets desiredCount to 0 then force-deletes the service. Idempotent – does nothing if the service does not exist.

property desired_count: int

Return the current desired count.

Return type:

int

property exists: bool

Return True if the service exists and is ACTIVE.

property is_steady_state: bool

Return True if the service has reached steady state.

Steady state means runningCount == desiredCount and all deployments have rolloutState == "COMPLETED".

Return type:

bool

property running_count: int

Return the current running count.

Return type:

int

property service_name: str

Return the service name.

Return type:

str

property status: str

Return the service status string (ACTIVE, DRAINING, INACTIVE).

Return type:

str

property task_definition_arn: str

Return the ARN of the active task definition.

Return type:

str

infrahouse_core.aws.ecs_task_definition module

ECS Task Definition resource wrapper.

Provides exists / delete() support plus container image queries.

class infrahouse_core.aws.ecs_task_definition.ECSTaskDefinition(task_definition_arn, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ECS task definition.

Parameters:
  • task_definition_arn – Full ARN of the task definition (e.g. arn:aws:ecs:us-west-2:123456789012:task-definition/my-task:3).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

  • session – Pre-configured boto3.Session.

property container_images: List[str]

Return image URIs from all container definitions.

Return type:

list[str]

delete() None[source]

Deregister the task definition (mark it INACTIVE).

Idempotent – does nothing if the task definition does not exist.

property exists: bool

Return True if the task definition exists and is ACTIVE.

property task_definition_arn: str

Return the task definition ARN.

Return type:

str

infrahouse_core.aws.config module

Module for AWSConfig class.

class infrahouse_core.aws.config.AWSConfig(aws_home=None)[source]

Bases: object

Class AWSConfig parses the AWS CLI config file, ~/.aws/config by default, and provides convenient interfaces to certain configuration options.

Parameters:

aws_home (str) – Path to a directory with AWS configs. By default, ~/.aws/.

property aws_home

Path to AWS config directory.

property config_parser: ConfigParser

ConfigParser object that represents ~/.aws/config.

property config_path

Path to AWS config file.

get_account_id(profile_name: str) str[source]

Read AWS account ID for given profile.

Parameters:

profile_name (str) – AWS profile name.

Returns:

AWS account ID (12-digit number).

Return type:

str

Raises:
  • NoSectionError – If profile doesn’t exist in config.

  • NoOptionError – If sso_account_id is not configured for profile.

get_region(profile_name: str) str[source]

Read AWS region for given profile.

Falls back to the [default] section if the profile or region option is not found.

Parameters:

profile_name (str) – AWS profile name.

Returns:

AWS region name, or None if not configured anywhere.

Return type:

str or None

get_role(profile_name: str) str[source]

Read AWS IAM role name for given profile.

Parameters:

profile_name (str) – AWS profile name.

Returns:

SSO role name.

Return type:

str

Raises:
  • NoSectionError – If profile doesn’t exist in config.

  • NoOptionError – If sso_role_name is not configured for profile.

get_sso_region(profile_name: str) str[source]

Read SSO region for given profile.

Looks up the sso_session for the profile, then reads sso_region from that session’s config section. Falls back to the [default] region.

Parameters:

profile_name (str) – AWS profile name.

Returns:

SSO region name, or None if not configured anywhere.

Return type:

str or None

get_start_url(profile_name: str) str[source]

Read SSO start URL for given profile.

Looks up the sso_session for the profile, then reads sso_start_url from that session’s config section.

Parameters:

profile_name (str) – AWS profile name.

Returns:

SSO start URL.

Return type:

str

Raises:
  • NoSectionError – If profile or SSO session section doesn’t exist.

  • NoOptionError – If sso_session or sso_start_url is not configured.
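
The lookups described for get_region(), get_sso_region() and get_start_url(), reproduced with the standard library as an added example; this is not the AWSConfig source. The config text is constructed, and the function names and the resolve_profiles() report are assumptions made for illustration.

```python
"""Added example: resolving SSO settings from an AWS CLI config file."""
import configparser

# Constructed sample in the ~/.aws/config layout.
SAMPLE_CONFIG = """\
[default]
region = us-west-2

[profile dev]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = ReadOnly
region = eu-west-1

[profile legacy]
sso_account_id = 210987654321
sso_role_name = Admin

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
"""


def load_config(text):
    # interpolation=None: a '%' inside a URL must not be treated as a template.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def profile_section(profile):
    return "default" if profile == "default" else f"profile {profile}"


def get_region(parser, profile):
    """Profile region, else the [default] region, else None."""
    for section in (profile_section(profile), "default"):
        if parser.has_option(section, "region"):
            return parser.get(section, "region")
    return None


def get_start_url(parser, profile):
    """Follow profile -> sso_session -> sso_start_url; raises if a link is missing."""
    session = parser.get(profile_section(profile), "sso_session")
    return parser.get(f"sso-session {session}", "sso_start_url")


def get_sso_region(parser, profile):
    """sso_region of the profile's SSO session, else the [default] region."""
    section = profile_section(profile)
    if parser.has_option(section, "sso_session"):
        sso_section = f"sso-session {parser.get(section, 'sso_session')}"
        if parser.has_option(sso_section, "sso_region"):
            return parser.get(sso_section, "sso_region")
    return parser.get("default", "region", fallback=None)


def resolve_profiles(parser):
    """Map each profile to the account/role it signs in to, or to the error."""
    report = {}
    for section in parser.sections():
        if section == "default":
            name = section
        elif section.startswith("profile "):
            name = section[len("profile "):]
        else:
            continue  # sso-session sections are not profiles
        try:
            report[name] = {
                "account_id": parser.get(section, "sso_account_id"),
                "role": parser.get(section, "sso_role_name"),
                "start_url": get_start_url(parser, name),
                "region": get_region(parser, name),
                "sso_region": get_sso_region(parser, name),
            }
        except (configparser.NoSectionError, configparser.NoOptionError) as exc:
            report[name] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    for name, info in resolve_profiles(load_config(SAMPLE_CONFIG)).items():
        print(name, info)
```
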

property profiles: list

List of configured AWS profiles.

property regions: list

Return a list of all AWS regions.

infrahouse_core.aws.dynamodb module

Module for DynamoDB class.

class infrahouse_core.aws.dynamodb.DynamoDBTable(table_name: str, region: str | None = None, role_arn: str | None = None, session=None)[source]

Bases: object

DynamoDB table wrapper with distributed locking support.

Parameters:
  • table_name (str) – DynamoDB table name. It must exist.

  • region (str) – AWS region

  • role_arn (str) – IAM role ARN to assume for cross-account access.

delete() None[source]

Delete the DynamoDB table.

Idempotent – does nothing if the table does not exist.

delete_item(**kwargs)[source]

Delete record from the table.

property exists: bool

Check whether the DynamoDB table currently exists.

Returns:

True if the table exists, False otherwise.

get_item(**kwargs) dict[source]

Get a record from the table.

Parameters:

kwargs – Arguments passed to boto3 DynamoDB get_item(). Key (required): Primary key of the item to retrieve.

Returns:

The item attributes as a dictionary.

Raises:

IHItemNotFound – If the item does not exist.

lock(lock_name: str, timeout: int = 30, ttl: int | None = 300, key_name: str = 'ResourceId')[source]

Global exclusive lock context manager.

This function attempts to acquire a lock on a specific resource in the DynamoDB table using a conditional put operation. If the lock is acquired, the code within the ‘with’ block will execute. The lock is released after the block execution.

If a lock exists but has expired (based on TTL), it will be automatically overwritten, allowing recovery from crashed processes that left stale locks.

Parameters:
  • lock_name – The name of the lock (resource) to be acquired.

  • timeout – Maximum time in seconds to attempt acquiring the lock.

  • ttl – Lock expiration time in seconds. If a process crashes while holding the lock, other processes can acquire it after this time. Set to None to disable TTL (not recommended). Default is 300 seconds (5 minutes).

  • key_name – The partition key name in the DynamoDB table (default: “ResourceId”).

Raises:
  • RuntimeError – If the lock cannot be acquired within the timeout.

  • ClientError – If an unexpected error occurs while trying to acquire the lock.

Example:

table = DynamoDBTable("my-locks-table", region="us-east-1")
with table.lock("deploy-my-service", timeout=60, ttl=600):
    # Only one process can hold this lock at a time.
    run_deployment()

put_item(**kwargs)[source]

Add record to the table.
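
The conditional-put lock that lock() describes, with takeover of an expired lock, as an added example rather than the library's implementation. It goes one step beyond the text by releasing with an owner check, so a holder whose lock expired cannot delete its successor's lock. The owner and expires_at attribute names, the condition expressions and the in-memory FakeDynamoDB are assumptions.

```python
"""Added example: exclusive lock via conditional put with TTL takeover."""
import contextlib
import time
import uuid


class FakeAWSError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def error_code(exc):
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


@contextlib.contextmanager
def dynamodb_lock(client, table, lock_name, timeout=30, ttl=300,
                  key_name="ResourceId", clock=time.time, sleep=time.sleep):
    owner = uuid.uuid4().hex  # assumption: one random token per acquisition
    key = {key_name: {"S": lock_name}}
    deadline = clock() + timeout
    while True:
        now = int(clock())
        item = {**key, "owner": {"S": owner}}
        if ttl is not None:
            item["expires_at"] = {"N": str(now + ttl)}
        try:
            # Accepted only if no lock item exists or the existing one expired.
            client.put_item(
                TableName=table, Item=item,
                ConditionExpression="attribute_not_exists(#k) OR #exp < :now",
                ExpressionAttributeNames={"#k": key_name, "#exp": "expires_at"},
                ExpressionAttributeValues={":now": {"N": str(now)}},
            )
            break
        except Exception as exc:
            if error_code(exc) != "ConditionalCheckFailedException":
                raise  # unexpected API error
        if clock() >= deadline:
            raise RuntimeError(f"could not acquire {lock_name!r} in {timeout}s")
        sleep(1)
    try:
        yield owner
    finally:
        try:
            # Release only if we still own the item; after a TTL takeover the
            # condition fails and the new holder's lock is left in place.
            client.delete_item(
                TableName=table, Key=key,
                ConditionExpression="#o = :me",
                ExpressionAttributeNames={"#o": "owner"},
                ExpressionAttributeValues={":me": {"S": owner}},
            )
        except Exception as exc:
            if error_code(exc) != "ConditionalCheckFailedException":
                raise


class FakeDynamoDB:
    """Constructed fake that applies the two conditions used above."""

    def __init__(self):
        self.items = {}

    def put_item(self, TableName, Item, ConditionExpression,
                 ExpressionAttributeNames, ExpressionAttributeValues):
        name = Item[ExpressionAttributeNames["#k"]]["S"]
        now = int(ExpressionAttributeValues[":now"]["N"])
        held = self.items.get(name)
        stale = held and "expires_at" in held and int(held["expires_at"]["N"]) < now
        if held and not stale:
            raise FakeAWSError("ConditionalCheckFailedException")
        self.items[name] = Item

    def delete_item(self, TableName, Key, ConditionExpression,
                    ExpressionAttributeNames, ExpressionAttributeValues):
        (name,) = (v["S"] for v in Key.values())
        held = self.items.get(name)
        if not held or held["owner"] != ExpressionAttributeValues[":me"]:
            raise FakeAWSError("ConditionalCheckFailedException")
        del self.items[name]


class ManualClock:
    """Constructed clock for the demo: sleeping just advances the time."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

A lock written with ttl=None carries no expires_at, so the takeover condition never matches it and it has to be removed by hand if its holder crashes.
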

infrahouse_core.aws.elastic_ip module

Elastic IP resource wrapper.

Provides exists / delete() support for EC2 Elastic IP addresses.

class infrahouse_core.aws.elastic_ip.ElasticIP(allocation_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 Elastic IP address.

Parameters:
  • allocation_id – Allocation ID (e.g. eipalloc-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property allocation_id: str

Return the allocation ID.

Return type:

str

delete() None[source]

Release the Elastic IP.

Idempotent – does nothing if the address does not exist.

property exists: bool

Return True if the Elastic IP exists.

infrahouse_core.aws.elasticache_cluster module

ElastiCache Cluster resource wrapper.

Provides exists / delete() support for ElastiCache clusters.

class infrahouse_core.aws.elasticache_cluster.ElastiCacheCluster(cluster_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ElastiCache cluster.

Parameters:
  • cluster_id – Cache cluster identifier.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property cluster_id: str

Return the cluster identifier.

Return type:

str

delete() None[source]

Delete the cluster.

Idempotent – does nothing if the cluster does not exist.

property exists: bool

Return True if the cluster exists.

infrahouse_core.aws.emr_serverless_application module

EMR Serverless Application resource wrapper.

Provides exists / delete() support. An EMR Serverless application must be in CREATED or STOPPED state before it can be deleted. If the application is STARTED, delete() will stop it first.

class infrahouse_core.aws.emr_serverless_application.EMRServerlessApplication(application_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EMR Serverless application.

Parameters:
  • application_id – Application identifier.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property application_id: str

Return the application identifier.

Return type:

str

delete() None[source]

Delete the application.

If the application is in STARTED state, it will be stopped first. Idempotent – does nothing if the application does not exist.

property exists: bool

Return True if the application exists and is not terminated.

Returns False if the application is not found or its state is TERMINATED.

infrahouse_core.aws.ec2_instance module

Module for EC2Instance class - a class that represents an EC2 instance.

class infrahouse_core.aws.ec2_instance.CommandStatus(value)[source]

Bases: Enum

Enum representing possible command statuses for EC2 instance operations.

Attributes:

  • PENDING: The command is pending execution.

  • IN_PROGRESS: The command is currently in progress.

  • DELAYED: The command execution has been delayed.

  • SUCCESS: The command executed successfully.

  • CANCELLED: The command execution was cancelled.

  • TIMED_OUT: The command execution has timed out.

  • FAILED: The command execution failed.

  • CANCELLING: The command is in the process of being cancelled.

CANCELLED = 'Cancelled'
CANCELLING = 'Cancelling'
DELAYED = 'Delayed'
FAILED = 'Failed'
IN_PROGRESS = 'InProgress'
PENDING = 'Pending'
SUCCESS = 'Success'
TIMED_OUT = 'TimedOut'

class infrahouse_core.aws.ec2_instance.EC2Instance(instance_id: str | None = None, region: str | None = None, ec2_client: Session | None = None, ssm_client: Session | None = None, role_arn: str | None = None, session: Session | None = None)[source]

Bases: object

EC2Instance represents an EC2 instance.

Parameters:

instance_id (str) – Instance id. If omitted, the local instance is read from metadata.

add_tag(key: str, value: str)[source]

Add a tag to the EC2 instance.

Parameters:
  • key (str) – The key of the tag.

  • value (str) – The value of the tag.

property availability_zone: str
Returns:

Availability zone where this instance is hosted. This is obtained from EC2 metadata.

delete() None[source]

Terminate the EC2 instance.

Idempotent — does nothing if the instance is already terminated or does not exist.

property ec2_client: BaseClient

Boto3 EC2 client.

Returns:

Boto3 EC2 client.

execute_command(command: str, send_timeout: int = 600, execution_timeout: int = 60) tuple[int, str, str][source]

Execute a command on the EC2 instance via SSM.

Parameters:
  • command (str) – The command to execute.

  • send_timeout (int) – Time in seconds to attempt to send a command. Instances coming back from hibernation may take about 5 minutes.

  • execution_timeout (int) – Time in seconds to wait for the command to complete.

Returns:

A tuple containing the exit code, standard output, and standard error.

Example:

instance = EC2Instance("i-1234567890abcdef0", region="us-east-1")
exit_code, stdout, stderr = instance.execute_command("hostname")
if exit_code != 0:
    raise RuntimeError(f"Command failed: {stderr}")

property exists: bool

Check whether the instance currently exists.

An instance is considered non-existent if its state is terminated or shutting-down, or if the describe call fails with InvalidInstanceID.NotFound.

Returns:

True if the instance exists and is not terminated.

property hostname: str | None
Returns:

Instance’s private hostname, i.e. the first part of the private DNS name. For example, if the private DNS name is ip-10-0-0-1.eu-west-1.compute.internal, the hostname is ip-10-0-0-1.

property instance_id: str

The instance’s instance_id. It’s read from metadata if the class instance was created without specifying it.

Returns:

The instance’s instance_id.

property private_dns_name
Returns:

Instance’s private DNS name. This name is for use inside the VPC and is not accessible from the public Internet.

property private_ip
Returns:

Instance’s private IP address. Can be None if the instance is in a transitional lifecycle state.

property public_ip
Returns:

Instance’s public IP address. Can be None if the instance is not configured to have a public IP.

property ssm_client: BaseClient

Boto3 SSM client.

Returns:

Boto3 SSM client.

property state: str
Returns:

The state of the instance. Can be one of the following values:
  • pending: The instance is preparing to launch.

  • running: The instance is running and ready for use.

  • shutting-down: The instance is preparing to be terminated.

  • terminated: The instance has been shut down.

  • stopping: The instance is stopping.

  • stopped: The instance has been stopped.

property tags: dict
Returns:

A dictionary with the instance tags. Keys are tag names and values are tag values.

infrahouse_core.aws.elb_load_balancer module

ELB Load Balancer resource wrapper.

Provides exists / delete() support for ELBv2 (Application, Network, and Gateway) load balancers.

class infrahouse_core.aws.elb_load_balancer.ELBLoadBalancer(load_balancer_arn, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ELBv2 Load Balancer.

Parameters:
  • load_balancer_arn – ARN of the load balancer.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the load balancer.

Idempotent – does nothing if the load balancer does not exist.

property exists: bool

Return True if the load balancer exists.

Returns False if the API raises LoadBalancerNotFoundException.

property load_balancer_arn: str

Return the ARN of the load balancer.

Return type:

str

infrahouse_core.aws.elb_target_group module

ELB Target Group resource wrapper.

Provides exists / delete() support for ELBv2 target groups.

class infrahouse_core.aws.elb_target_group.ELBTargetGroup(target_group_arn, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an ELBv2 Target Group.

Parameters:
  • target_group_arn – ARN of the target group.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the target group.

Idempotent – does nothing if the target group does not exist.

property exists: bool

Return True if the target group exists.

Returns False if the API raises TargetGroupNotFoundException.

property target_group_arn: str

Return the ARN of the target group.

Return type:

str

infrahouse_core.aws.eventbridge_rule module

EventBridge Rule resource wrapper.

Provides exists / delete() support with dependency-aware teardown (remove all targets before deleting the rule).

class infrahouse_core.aws.eventbridge_rule.EventBridgeRule(rule_name, event_bus_name='default', region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EventBridge rule.

Parameters:
  • rule_name – Name of the EventBridge rule.

  • event_bus_name – Name of the event bus (defaults to "default").

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the rule after removing all targets.

Teardown order:

  1. List and remove all targets.

  2. Delete the rule itself.

Idempotent – does nothing if the rule does not exist.

property event_bus_name: str

Return the event bus name.

Return type:

str

property exists: bool

Return True if the rule exists.

Returns False if the API raises ResourceNotFoundException.

property rule_name: str

Return the name of the rule.

Return type:

str

infrahouse_core.aws.exceptions module

Top level exceptions.

The exception hierarchy mirrors the structure of the infrahouse_core package. Each module in the package has its own exceptions.py module, and its exceptions inherit from the exceptions of the module above it.

exception infrahouse_core.aws.exceptions.IHAWSException[source]

Bases: IHCoreException

AWS-related InfraHouse exception

exception infrahouse_core.aws.exceptions.IHDynamoDBException[source]

Bases: IHAWSException

DynamoDB-related InfraHouse exception

exception infrahouse_core.aws.exceptions.IHItemNotFound[source]

Bases: IHDynamoDBException

Requested DynamoDB item doesn’t exist

exception infrahouse_core.aws.exceptions.IHSecretNotFound[source]

Bases: IHSecretsManagerException

Requested secret doesn’t exist

exception infrahouse_core.aws.exceptions.IHSecretsManagerException[source]

Bases: IHAWSException

Secrets Manager-related InfraHouse exception

infrahouse_core.aws.internet_gateway module

Internet Gateway resource wrapper.

Provides exists / delete() support. The gateway must be detached from all VPCs before it can be deleted – delete() handles this automatically.

class infrahouse_core.aws.internet_gateway.InternetGateway(igw_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 Internet Gateway.

Parameters:
  • igw_id – Internet gateway ID (e.g. igw-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Detach from all VPCs and delete the internet gateway.

Idempotent – does nothing if the gateway does not exist.

property exists: bool

Return True if the internet gateway exists.

property igw_id: str

Return the internet gateway ID.

Return type:

str

infrahouse_core.aws.kms_key module

KMS Key resource wrapper.

Provides exists / delete() support for KMS keys. Note that KMS keys cannot be immediately deleted – they are scheduled for deletion with a waiting period of 7–30 days.

class infrahouse_core.aws.kms_key.KMSKey(key_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around a KMS key.

Parameters:
  • key_id – Key ID, key ARN, alias name, or alias ARN.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete(pending_window_in_days: int = 7) None[source]

Schedule the key for deletion.

Parameters:

pending_window_in_days – Days before permanent deletion (7–30). Default is 7.

Idempotent – does nothing if the key is already pending deletion, does not exist, or is AWS-managed.

property exists: bool

Return True if the key exists and is not pending deletion.

Returns False if the key is not found or its state is PendingDeletion.

property key_id: str

Return the key identifier.

Return type:

str
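The KMSKey semantics documented above (PendingDeletion counts as absent, deletion is scheduled once, AWS-managed keys are skipped), sketched against the boto3 KMS client method names as an added example that is not infrahouse_core's own code. FakeKMS, FakeClientError, the function names and the sample keys and aliases are constructed so the block runs offline.

```python
class FakeClientError(Exception):
    """Constructed stand-in for botocore's ClientError (same .response shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeKMS:
    """Constructed in-memory stand-in for boto3.client("kms")."""
    def __init__(self, keys, aliases):
        self.keys, self.aliases, self.scheduled = keys, aliases, []

    def describe_key(self, KeyId):
        key_id = self.aliases.get(KeyId, KeyId)  # DescribeKey resolves aliases
        if key_id not in self.keys:
            raise FakeClientError("NotFoundException")
        return {"KeyMetadata": dict(self.keys[key_id], KeyId=key_id)}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        if KeyId not in self.keys:  # ScheduleKeyDeletion takes a key ID or ARN, not an alias
            raise FakeClientError("NotFoundException")
        self.keys[KeyId]["KeyState"] = "PendingDeletion"
        self.scheduled.append((KeyId, PendingWindowInDays))
        return {"KeyId": KeyId, "KeyState": "PendingDeletion"}


def describe(kms, key_id):
    """Return KeyMetadata, or None when KMS reports the key as not found."""
    try:
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except Exception as exc:
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == "NotFoundException":
            return None
        raise


def key_exists(kms, key_id):
    """True only for a key that is present and not in PendingDeletion."""
    meta = describe(kms, key_id)
    return meta is not None and meta["KeyState"] != "PendingDeletion"


def schedule_deletion(kms, key_id, pending_window_in_days=7):
    """Schedule deletion once; report why nothing was done otherwise."""
    if not 7 <= pending_window_in_days <= 30:
        raise ValueError("pending_window_in_days must be between 7 and 30")
    meta = describe(kms, key_id)
    if meta is None:
        return "not-found"
    if meta["KeyManager"] == "AWS":
        return "aws-managed"
    if meta["KeyState"] == "PendingDeletion":
        return "already-pending"
    # Pass the resolved key ID: the caller may have supplied an alias.
    kms.schedule_key_deletion(KeyId=meta["KeyId"], PendingWindowInDays=pending_window_in_days)
    return "scheduled"


def demo():
    # Constructed sample data: one customer-managed key and one AWS-managed key.
    kms = FakeKMS(
        keys={"key-app": {"KeyState": "Enabled", "KeyManager": "CUSTOMER"},
              "key-s3": {"KeyState": "Enabled", "KeyManager": "AWS"}},
        aliases={"alias/app-data": "key-app", "alias/aws/s3": "key-s3"},
    )
    outcomes = [schedule_deletion(kms, k) for k in
                ("alias/app-data", "alias/app-data", "alias/aws/s3", "alias/missing")]
    return outcomes, key_exists(kms, "alias/app-data"), kms.scheduled
```

Because a key in PendingDeletion reports as non-existent, an inventory built on exists alone will not list keys that can still be recovered by cancelling the deletion during the waiting period.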

infrahouse_core.aws.nat_gateway module

NAT Gateway resource wrapper.

Provides exists / delete() support. NAT Gateways have no dependencies to clean up before deletion, but exists must account for the deleting and deleted lifecycle states.

class infrahouse_core.aws.nat_gateway.NATGateway(nat_gateway_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 NAT Gateway.

Parameters:
  • nat_gateway_id – ID of the NAT Gateway (e.g. nat-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the NAT Gateway.

Idempotent – does nothing if the NAT Gateway does not exist or is already being deleted.

property exists: bool

Return True if the NAT Gateway exists and is not being deleted.

A NAT Gateway in the deleting or deleted state is considered non-existent. Returns False if the API returns no results or raises NatGatewayNotFound.

property nat_gateway_id: str

Return the ID of the NAT Gateway.

Return type:

str

infrahouse_core.aws.opensearch_domain module

OpenSearch Domain resource wrapper.

Provides exists / delete() support for OpenSearch domains.

class infrahouse_core.aws.opensearch_domain.OpenSearchDomain(domain_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an OpenSearch domain.

Parameters:
  • domain_name – Domain name.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the domain.

Idempotent – does nothing if the domain does not exist.

property domain_name: str

Return the domain name.

Return type:

str

property exists: bool

Return True if the domain exists and is not being deleted.

infrahouse_core.aws.iam_group module

IAM Group resource wrapper.

Provides exists / delete() support with dependency-aware teardown (detach policies, delete inline policies, remove all users, then delete the group).

class infrahouse_core.aws.iam_group.IAMGroup(group_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an IAM group.

Parameters:
  • group_name – Name of the IAM group.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the group after removing all dependencies.

Teardown order:

  1. Detach all managed policies.

  2. Delete all inline policies.

  3. Remove all users from the group.

  4. Delete the group itself.

Idempotent – does nothing if the group does not exist.

detach_policy(policy: IAMPolicy) None[source]

Detach a managed policy from the group.

Parameters:

policy (IAMPolicy) – The managed policy to detach.

property exists: bool

Return True if the group exists.

property group_name: str

Return the name of the group.

Return type:

str

managed_policies[source]

Return managed policies attached to this group.

Returns:

List of IAMPolicy instances.

Return type:

list[IAMPolicy]

remove_user(user: IAMUser) None[source]

Remove a user from this group.

Parameters:

user (IAMUser) – The IAM user to remove.

users[source]

Return users that belong to this group.

Returns:

List of IAMUser instances.

Return type:

list[IAMUser]

infrahouse_core.aws.iam_instance_profile module

IAM Instance Profile resource wrapper.

Provides exists / delete() support with dependency-aware teardown (remove all roles, then delete the instance profile).

class infrahouse_core.aws.iam_instance_profile.IAMInstanceProfile(profile_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an IAM instance profile.

Parameters:
  • profile_name – Name of the IAM instance profile.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the instance profile after removing all roles.

Teardown order:

  1. Remove all roles from the instance profile.

  2. Delete the instance profile itself.

Idempotent – does nothing if the instance profile does not exist.

property exists: bool

Return True if the instance profile exists.

property profile_name: str

Return the name of the instance profile.

Return type:

str

remove_role() None[source]

Remove the role from the instance profile, if one is attached.

role[source]

Return the IAM role associated with this instance profile, or None.

An instance profile can have at most one role.

Returns:

The attached IAMRole, or None if no role is attached.

Return type:

IAMRole | None

infrahouse_core.aws.iam_policy module

IAM Policy resource wrapper.

Provides exists / delete() support with dependency-aware teardown (detach from all entities, delete non-default versions, then delete the policy).

class infrahouse_core.aws.iam_policy.IAMPolicy(policy_arn, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an IAM managed policy.

Parameters:
  • policy_arn – ARN of the IAM policy.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property attached_groups: list[IAMGroup]

Return groups that have this policy attached.

Returns:

List of IAMGroup instances.

Return type:

list[IAMGroup]

property attached_roles: list[IAMRole]

Return roles that have this policy attached.

Returns:

List of IAMRole instances.

Return type:

list[IAMRole]

property attached_users: list[IAMUser]

Return users that have this policy attached.

Returns:

List of IAMUser instances.

Return type:

list[IAMUser]

delete() None[source]

Delete the policy after detaching from all entities and removing non-default versions.

Teardown order:

  1. Detach from all IAM roles, users, and groups.

  2. Delete all non-default policy versions.

  3. Delete the policy itself.

AWS-managed policies cannot be deleted and are silently skipped.

Idempotent – does nothing if the policy does not exist.

property exists: bool

Return True if the policy exists.

property is_aws_managed: bool

Return True if this is an AWS-managed policy.

AWS-managed policies (e.g. arn:aws:iam::aws:policy/ReadOnlyAccess) cannot be deleted or modified.

Return type:

bool

property policy_arn: str

Return the ARN of the policy.

Return type:

str

infrahouse_core.aws.iam_role module

IAM Role resource wrapper.

Provides exists / delete() support with dependency-aware teardown (detach policies, remove from instance profiles, then delete the role).

class infrahouse_core.aws.iam_role.IAMRole(role_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an IAM role.

Parameters:
  • role_name – Name of the IAM role.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the role after detaching all policies and instance profiles.

Teardown order:

  1. Detach all managed policies.

  2. Delete all inline policies.

  3. Remove role from all instance profiles.

  4. Delete the role itself.

Idempotent – does nothing if the role does not exist.

detach_policy(policy: IAMPolicy) None[source]

Detach a managed policy from the role.

Parameters:

policy (IAMPolicy) – The managed policy to detach.

property exists: bool

Return True if the role exists.

instance_profiles[source]

Return instance profiles that have this role attached.

Returns:

List of IAMInstanceProfile instances.

Return type:

list[IAMInstanceProfile]

managed_policies[source]

Return a list of managed policies attached to the role.

Returns:

List of IAMPolicy instances.

Return type:

list[IAMPolicy]

property role_name: str

Return the name of the role.

Return type:

str

infrahouse_core.aws.iam_user module

IAM User resource wrapper.

Provides exists / delete() support with dependency-aware teardown (detach policies, delete inline policies, remove from groups, delete access keys, then delete the user).

class infrahouse_core.aws.iam_user.IAMUser(user_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an IAM user.

Parameters:
  • user_name – Name of the IAM user.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the user after removing all dependencies.

Teardown order:

  1. Detach all managed policies.

  2. Delete all inline policies.

  3. Remove from all groups.

  4. Delete all access keys.

  5. Delete the user itself.

Idempotent – does nothing if the user does not exist.

detach_policy(policy: IAMPolicy) None[source]

Detach a managed policy from the user.

Parameters:

policy (IAMPolicy) – The managed policy to detach.

property exists: bool

Return True if the user exists.

groups[source]

Return groups that this user belongs to.

Returns:

List of IAMGroup instances.

Return type:

list[IAMGroup]

managed_policies[source]

Return managed policies attached to this user.

Returns:

List of IAMPolicy instances.

Return type:

list[IAMPolicy]

property user_name: str

Return the name of the user.

Return type:

str
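The five-step teardown order documented for IAMUser.delete() above, written out against the boto3 IAM client method names as an added example that is not infrahouse_core's own code. FakeIAM, FakeClientError, list_all, delete_iam_user and the sample user are constructed so the sequence runs offline; the fake refuses delete_user while any dependency remains, which is why the order matters.

```python
class FakeClientError(Exception):
    """Constructed stand-in for botocore's ClientError (same .response shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeIAM:
    """Constructed in-memory stand-in for boto3.client("iam"); logs mutations."""
    def __init__(self, users):
        self.users, self.calls = users, []

    def _get(self, name):
        if name not in self.users:
            raise FakeClientError("NoSuchEntity")
        return self.users[name]

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self._get(UserName)["managed"]]}

    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self._get(UserName)["inline"])}

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self._get(UserName)["groups"]]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self._get(UserName)["keys"]]}

    def _drop(self, call, user, kind, item):
        self._get(user)[kind].remove(item)
        self.calls.append(call)

    def detach_user_policy(self, UserName, PolicyArn):
        self._drop("detach_user_policy", UserName, "managed", PolicyArn)

    def delete_user_policy(self, UserName, PolicyName):
        self._drop("delete_user_policy", UserName, "inline", PolicyName)

    def remove_user_from_group(self, GroupName, UserName):
        self._drop("remove_user_from_group", UserName, "groups", GroupName)

    def delete_access_key(self, UserName, AccessKeyId):
        self._drop("delete_access_key", UserName, "keys", AccessKeyId)

    def delete_user(self, UserName):
        if any(self._get(UserName).values()):
            raise FakeClientError("DeleteConflict")  # dependencies still attached
        del self.users[UserName]
        self.calls.append("delete_user")


def list_all(method, key, **kwargs):
    """Follow IAM's IsTruncated/Marker pagination and return every item."""
    items = []
    while True:
        page = method(**kwargs)
        items.extend(page[key])
        if not page.get("IsTruncated"):
            return items
        kwargs["Marker"] = page["Marker"]


def delete_iam_user(iam, name):
    """Tear the user down in the documented order; False if it was already gone."""
    try:
        attached = list_all(iam.list_attached_user_policies, "AttachedPolicies", UserName=name)
    except Exception as exc:
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == "NoSuchEntity":
            return False
        raise
    for pol in attached:                                                       # step 1
        iam.detach_user_policy(UserName=name, PolicyArn=pol["PolicyArn"])
    for inline in list_all(iam.list_user_policies, "PolicyNames", UserName=name):
        iam.delete_user_policy(UserName=name, PolicyName=inline)               # step 2
    for grp in list_all(iam.list_groups_for_user, "Groups", UserName=name):
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=name)  # step 3
    for key in list_all(iam.list_access_keys, "AccessKeyMetadata", UserName=name):
        iam.delete_access_key(UserName=name, AccessKeyId=key["AccessKeyId"])   # step 4
    iam.delete_user(UserName=name)                                             # step 5
    return True


def demo():
    # Constructed sample user; the second call must find nothing to do.
    iam = FakeIAM({"ci-deployer": {
        "managed": ["arn:aws:iam::aws:policy/ReadOnlyAccess"], "inline": ["deploy-inline"],
        "groups": ["deployers"], "keys": ["EXAMPLEKEYID"]}})
    return delete_iam_user(iam, "ci-deployer"), delete_iam_user(iam, "ci-deployer"), iam.calls
```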

infrahouse_core.aws.lambda_function module

Lambda Function resource wrapper.

Provides exists / delete() support for AWS Lambda functions.

class infrahouse_core.aws.lambda_function.LambdaFunction(function_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an AWS Lambda function.

Parameters:
  • function_name – Name or ARN of the Lambda function.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the Lambda function.

Idempotent – does nothing if the function does not exist.

property exists: bool

Return True if the Lambda function exists.

Returns False if the API raises ResourceNotFoundException.

property function_name: str

Return the name (or ARN) of the Lambda function.

Return type:

str

infrahouse_core.aws.rds_cluster module

RDS Cluster resource wrapper.

Provides exists / delete() support for RDS DB clusters. Deletion removes all cluster member instances first, then the cluster itself.

class infrahouse_core.aws.rds_cluster.RDSCluster(db_cluster_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an RDS DB cluster.

Parameters:
  • db_cluster_id – DB cluster identifier.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property db_cluster_id: str

Return the DB cluster identifier.

Return type:

str

delete() None[source]

Delete the cluster and all its member instances.

Deletes all cluster member DB instances first (skipping final snapshots), then deletes the cluster itself.

Idempotent – does nothing if the cluster does not exist.

property exists: bool

Return True if the DB cluster exists.

infrahouse_core.aws.rds_instance module

RDS Instance resource wrapper.

Provides exists / delete() support for RDS DB instances.

class infrahouse_core.aws.rds_instance.RDSInstance(db_instance_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an RDS DB instance.

Parameters:
  • db_instance_id – DB instance identifier.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property db_instance_id: str

Return the DB instance identifier.

Return type:

str

delete() None[source]

Delete the DB instance, skipping the final snapshot.

Idempotent – does nothing if the instance does not exist.

property exists: bool

Return True if the DB instance exists.

infrahouse_core.aws.route_table module

Route Table resource wrapper.

Provides exists / delete() support for EC2 route tables.

class infrahouse_core.aws.route_table.RouteTable(route_table_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 Route Table.

Parameters:
  • route_table_id – Route table ID (e.g. rtb-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the route table.

Idempotent – does nothing if the route table does not exist.

property exists: bool

Return True if the route table exists.

property route_table_id: str

Return the route table ID.

Return type:

str

infrahouse_core.aws.s3_bucket module

S3 Bucket resource wrapper.

Provides exists / delete() support with dependency-aware teardown (delete all object versions and delete markers, then delete the bucket).

class infrahouse_core.aws.s3_bucket.S3Bucket(bucket_name, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an S3 bucket.

Parameters:
  • bucket_name – Name of the S3 bucket.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

property bucket_name: str

Return the name of the bucket.

Return type:

str

delete() None[source]

Delete the bucket after removing all objects.

Teardown order:

  1. Delete all object versions and delete markers.

  2. Delete the bucket itself.

Idempotent – does nothing if the bucket does not exist.

property exists: bool

Return True if the bucket exists.

remove_tag(key: str) bool[source]

Remove a single tag from this resource.

Idempotent: no-op if the tag is not currently set.

Parameters:

key – Tag key to remove.

Returns:

True if the tag was present and removed, False if it was already absent.

set_tag(key: str, value: str) bool[source]

Set a single tag on this resource.

Idempotent: if the tag is already set to value, no API call is made.

Parameters:
  • key – Tag key.

  • value – Tag value.

Returns:

True if the tag was written, False if it was already current.

set_tags(tags: dict) int[source]

Set multiple tags on this resource.

Idempotent: tags that already have the requested value are skipped.

Parameters:

tags – Mapping of tag keys to values.

Returns:

Number of tags actually written.

property tags: dict

Return current tags as a {key: value} dict.

infrahouse_core.aws.security_group module

Security Group resource wrapper.

Provides exists / delete() support. Security Groups have no automatic dependency cleanup – if other resources (ENIs, other SG rules) still reference the group, delete() will raise DependencyViolation. The caller is responsible for removing dependencies first.

class infrahouse_core.aws.security_group.SecurityGroup(group_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 Security Group.

Parameters:
  • group_id – ID of the Security Group (e.g. sg-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the Security Group.

Idempotent – does nothing if the Security Group does not exist.

Warning

If other resources (ENIs, other security group rules, etc.) still reference this group, AWS will raise DependencyViolation. The caller is responsible for removing dependencies before calling delete().

property exists: bool

Return True if the Security Group exists.

Returns False if the API raises InvalidGroup.NotFound.

property group_id: str

Return the ID of the Security Group.

Return type:

str
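Since SecurityGroup.delete() leaves dependency cleanup to the caller, a pre-delete check can list what still references the group. The following is an added example, not infrahouse_core's own code: it uses the boto3 EC2 calls describe_network_interfaces and describe_security_groups with their group-id filters, while FakeEC2, the function names and all resource IDs are constructed so it runs offline.

```python
class FakeEC2:
    """Constructed in-memory stand-in for boto3.client("ec2")."""
    def __init__(self, enis, groups):
        self.enis = enis      # {eni_id: [attached group ids]}
        self.groups = groups  # {group_id: {"ingress": [peer group ids], "egress": [...]}}

    def describe_network_interfaces(self, Filters):
        wanted = set(Filters[0]["Values"])  # only the "group-id" filter is modelled
        return {"NetworkInterfaces": [{"NetworkInterfaceId": eni}
                                      for eni, sgs in self.enis.items() if wanted & set(sgs)]}

    def describe_security_groups(self, Filters):
        side = "egress" if Filters[0]["Name"].startswith("egress.") else "ingress"
        wanted = set(Filters[0]["Values"])
        return {"SecurityGroups": [{"GroupId": gid}
                                   for gid, rules in self.groups.items() if wanted & set(rules[side])]}


def describe_all(method, key, filters):
    """Follow EC2 NextToken pagination and return every item."""
    items, kwargs = [], {"Filters": filters}
    while True:
        page = method(**kwargs)
        items.extend(page[key])
        if not page.get("NextToken"):
            return items
        kwargs["NextToken"] = page["NextToken"]


def find_sg_references(ec2, group_id):
    """Return what still points at group_id: attached ENIs and other groups' rules."""
    enis = describe_all(ec2.describe_network_interfaces, "NetworkInterfaces",
                        [{"Name": "group-id", "Values": [group_id]}])
    referencing = set()
    for name in ("ip-permission.group-id", "egress.ip-permission.group-id"):
        for sg in describe_all(ec2.describe_security_groups, "SecurityGroups",
                               [{"Name": name, "Values": [group_id]}]):
            if sg["GroupId"] != group_id:  # a self-referencing rule goes away with the group
                referencing.add(sg["GroupId"])
    return {"enis": sorted(e["NetworkInterfaceId"] for e in enis),
            "rules_in": sorted(referencing)}


def blocks_delete(refs):
    """True when any reference remains that would make delete() fail."""
    return any(refs.values())


def demo():
    # Constructed sample topology: one group in use, one unused.
    target, peer, unused = "sg-0aaaaaaaaaaaaaaaa", "sg-0bbbbbbbbbbbbbbbb", "sg-0cccccccccccccccc"
    ec2 = FakeEC2(
        enis={"eni-0example000000001": [target], "eni-0example000000002": [peer]},
        groups={
            target: {"ingress": [target], "egress": []},  # self-reference only
            peer: {"ingress": [target], "egress": []},    # allows traffic from target
            unused: {"ingress": [], "egress": [peer]},
        },
    )
    return find_sg_references(ec2, target), find_sg_references(ec2, unused)
```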

infrahouse_core.aws.sns_topic module

SNS Topic resource wrapper.

Provides exists / delete() support for Amazon SNS topics.

class infrahouse_core.aws.sns_topic.SNSTopic(topic_arn, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an SNS topic.

Parameters:
  • topic_arn – ARN of the SNS topic.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the topic.

Idempotent – SNS delete_topic does not raise an error if the topic does not exist.

property exists: bool

Return True if the topic exists.

Returns False if the API raises NotFoundException.

property topic_arn: str

Return the ARN of the topic.

Return type:

str

infrahouse_core.aws.sqs_queue module

SQS Queue resource wrapper.

Provides exists / delete() support for Amazon SQS queues.

class infrahouse_core.aws.sqs_queue.SQSQueue(queue_url, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an SQS queue.

Parameters:
  • queue_url – URL of the SQS queue.

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the queue.

Idempotent – does nothing if the queue does not exist.

property exists: bool

Return True if the queue exists.

Returns False if the API raises QueueDoesNotExist or NonExistentQueue.

property queue_url: str

Return the URL of the queue.

Return type:

str

infrahouse_core.aws.subnet module

Subnet resource wrapper.

Provides exists / delete() support for EC2 subnets.

class infrahouse_core.aws.subnet.Subnet(subnet_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 Subnet.

Parameters:
  • subnet_id – Subnet ID (e.g. subnet-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the subnet.

Idempotent – does nothing if the subnet does not exist.

property exists: bool

Return True if the subnet exists.

property subnet_id: str

Return the subnet ID.

Return type:

str

infrahouse_core.aws.vpc module

VPC resource wrapper.

Provides exists / delete() support for EC2 VPCs.

class infrahouse_core.aws.vpc.VPC(vpc_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 VPC.

Parameters:
  • vpc_id – VPC ID (e.g. vpc-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the VPC.

Idempotent – does nothing if the VPC does not exist.

Warning

All dependent resources (subnets, route tables, internet gateways, VPC endpoints, etc.) must be deleted before the VPC can be removed.

property exists: bool

Return True if the VPC exists.

property flow_logs: list[VPCFlowLog]

Return all flow logs associated with this VPC.

Return type:

list[VPCFlowLog]

property vpc_endpoints: list[VPCEndpoint]

Return all VPC endpoints associated with this VPC.

Return type:

list[VPCEndpoint]

property vpc_id: str

Return the VPC ID.

Return type:

str

infrahouse_core.aws.vpc_endpoint module

VPC Endpoint resource wrapper.

Provides exists / delete() support for EC2 VPC endpoints.

class infrahouse_core.aws.vpc_endpoint.VPCEndpoint(vpc_endpoint_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 VPC Endpoint.

Parameters:
  • vpc_endpoint_id – VPC endpoint ID (e.g. vpce-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the VPC endpoint.

Idempotent – does nothing if the endpoint does not exist.

property exists: bool

Return True if the VPC endpoint exists and is not deleted.

property vpc_endpoint_id: str

Return the VPC endpoint ID.

Return type:

str

infrahouse_core.aws.vpc_flow_log module

VPC Flow Log resource wrapper.

Provides exists / delete() support for EC2 VPC flow logs.

class infrahouse_core.aws.vpc_flow_log.VPCFlowLog(flow_log_id, region=None, role_arn=None, session=None)[source]

Bases: AWSResource

Wrapper around an EC2 VPC Flow Log.

Parameters:
  • flow_log_id – Flow log ID (e.g. fl-0123456789abcdef0).

  • region – AWS region.

  • role_arn – IAM role ARN for cross-account access.

delete() None[source]

Delete the flow log.

Idempotent – delete_flow_logs succeeds even if the flow log does not exist.

property exists: bool

Return True if the flow log exists.

The describe_flow_logs API does not raise an error for non-existent IDs – it returns an empty list instead.

property flow_log_id: str

Return the flow log ID.

Return type:

str

infrahouse_core.aws.secretsmanager module

Module for the Secret class, which represents an AWS Secrets Manager secret.

class infrahouse_core.aws.secretsmanager.Secret(secret_name: str, region: str | None = None, role_arn: str | None = None, session=None)[source]

Bases: object

Secret represents an AWS Secrets Manager secret.

Parameters:
  • secret_name (str) – The name or ARN of the secret.

  • region (str) – AWS region. If omitted, uses the default region.

  • role_arn (str) – IAM role ARN to assume for cross-account access.

property arn: str

Get the ARN of the secret.

Returns:

The secret ARN.

Raises:
  • IHSecretNotFound – If the secret does not exist.

  • ClientError – If an unexpected AWS error occurs.

create(value: dict | str, description: str | None = None)[source]

Create the secret.

Parameters:
  • value (Union[dict, str]) – The secret value. If a dict, it will be JSON-encoded.

  • description (str) – Optional description for the secret.

Raises:

ClientError – If an AWS error occurs (e.g., secret already exists).

delete(force: bool = False, recovery_window_days: int | None = None)[source]

Delete the secret.

Parameters:
  • force (bool) – If True, delete immediately without recovery window.

  • recovery_window_days (int) – Days before permanent deletion (7–30). Ignored if force=True.

Raises:
  • IHSecretNotFound – If the secret does not exist.

  • ClientError – If an unexpected AWS error occurs.

ensure_absent(force: bool = False, recovery_window_days: int | None = None)[source]

Ensure the secret does not exist, deleting it if necessary.

Parameters:
  • force (bool) – If True, delete immediately without recovery window.

  • recovery_window_days (int) – Days before permanent deletion (7–30). Ignored if force=True.

Raises:

ClientError – If an unexpected AWS error occurs.

ensure_present(value: dict | str, description: str | None = None, update_if_exists: bool = False)[source]

Ensure the secret exists, creating it if necessary.

Parameters:
  • value (Union[dict, str]) – The secret value. If a dict, it will be JSON-encoded.

  • description (str) – Optional description for the secret.

  • update_if_exists (bool) – If True, update the secret value if it already exists.

Raises:

ClientError – If an unexpected AWS error occurs.

property exists: bool

Check if the secret exists.

Returns:

True if the secret exists, False otherwise.

Raises:

ClientError – If an unexpected AWS error occurs.

property name: str

Get the secret name.

Returns:

The secret name as provided to the constructor.

update(value: dict | str)[source]

Update the secret value.

Parameters:

value (Union[dict, str]) – The new secret value. If a dict, it will be JSON-encoded.

Raises:
  • IHSecretNotFound – If the secret does not exist.

  • ClientError – If an unexpected AWS error occurs.

property value: dict | str

Get the secret value.

If the secret value is valid JSON, it is parsed and returned as a dict. Otherwise, the raw string is returned.

Note: Binary secrets (SecretBinary) are not supported.

Returns:

The secret value as a dict (if JSON) or string.

Raises:
  • IHSecretNotFound – If the secret does not exist.

  • ClientError – If an unexpected AWS error occurs.

property version_id: str

Get the current version ID of the secret.

Returns:

The version ID.

Raises:
  • IHSecretNotFound – If the secret does not exist.

  • ClientError – If an unexpected AWS error occurs.

Module contents

AWS classes.

AWS Region Resolution Order

When region=None is passed (or omitted):

  1. For EC2Instance: Attempts to read from instance metadata (if running on EC2).

  2. For other classes: Relies on AWS SDK default resolution:

    1. AWS_DEFAULT_REGION environment variable

    2. AWS_REGION environment variable

    3. ~/.aws/config file [default] region

    4. us-east-1 (AWS SDK fallback)