Merge pull request #48 from dwc0011/handle-email-error-and-continue

Refactor to enable better error handling and future maintenance

Author: dwc0011

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.0.0
+current_version = 3.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

.github/workflows/test-python.yml

@@ -0,0 +1,33 @@
+name: Run pytest
+
+on:
+  pull_request:
+
+concurrency:
+  group: pytest-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Set up Python
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b
+        with:
+          enable-cache: true
+          cache-dependency-glob: "src/python/requirements-dev.txt"
+
+      - name: Install dependencies
+        run: |
+          uv venv
+          uv pip install -r src/python/requirements-dev.txt
+
+      - name: Run tests
+        run: uv run pytest tests/python/ -v

.pylintrc

@@ -0,0 +1,2 @@
+[MAIN]
+init-hook=import sys, os; sys.path.append(os.path.join(os.getcwd(), 'src', 'python'))

AUTHORS.md

@@ -0,0 +1,3 @@
+# Authors
+
+*   Plus3IT Maintainers of terraform-aws-tardigrade-iam-key-enforcer - projects@plus3it.com

CHANGELOG.md

@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [3.0.0](https://github.com/plus3it/terraform-aws-tardigrade-iam-key-enforcer/releases/tag/3.0.0)
+
+**Released**: 2026.01.20
+
+**Summary**:
+
+*   Major refactoring of Python codebase for improved maintainability and robustness
+*   Enhances error handling to continue processing remaining users when errors are encountered
+*   Improves logging for better debugging and troubleshooting
+*   Adds CLI mode for local testing and development
+*   Removes unused Terraform variable `email_admin_report_subject`
+*   Removes unused environment variable `EMAIL_ADMIN_REPORT_SUBJECT`
+*   Tools
+        *   aws-lambda-powertools `3.24.0`
+        *   aws-assume-role-lib `2.10.0`
+        *   boto3 `1.42.30`
+
 ### [2.0.0](https://github.com/plus3it/terraform-aws-tardigrade-iam-key-enforcer/releases/tag/2.0.0)
 
 **Released**: 2026.01.02

Makefile

@@ -1 +1,4 @@
+# Add src/python to PYTHONPATH so pylint can find the modules
+export PYTHONPATH := $(PWD)/src/python:$(PYTHONPATH)
+
 include $(shell test -f .tardigrade-ci || curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci)

README.md

@@ -43,7 +43,6 @@ The function audits each user in an account for access keys and determines how l
 | <a name="input_key_use_threshold"></a> [key\_use\_threshold](#input\_key\_use\_threshold) | Age at which unused keys should be deleted (e.g.30) | `number` | n/a | yes |
 | <a name="input_accounts"></a> [accounts](#input\_accounts) | List of account objects to create events for | <pre>list(object({<br/>    account_name        = string<br/>    account_number      = string<br/>    role_name           = optional(string) # deprecated<br/>    armed               = bool<br/>    debug               = optional(bool, false)<br/>    email_user_enabled  = bool<br/>    email_targets       = list(string)<br/>    exempt_groups       = list(string)<br/>    schedule_expression = optional(string, "cron(0 1 ? * SUN *)")<br/><br/>  }))</pre> | `[]` | no |
 | <a name="input_email_admin_report_enabled"></a> [email\_admin\_report\_enabled](#input\_email\_admin\_report\_enabled) | Used to enable or disable the SES emailed report | `bool` | `false` | no |
-| <a name="input_email_admin_report_subject"></a> [email\_admin\_report\_subject](#input\_email\_admin\_report\_subject) | Subject of the report email that is sent | `string` | `null` | no |
 | <a name="input_email_banner_message"></a> [email\_banner\_message](#input\_email\_banner\_message) | Messages that will be at the top of all emails sent to notify recipients of important information | `string` | `""` | no |
 | <a name="input_email_banner_message_color"></a> [email\_banner\_message\_color](#input\_email\_banner\_message\_color) | Color of email banner message, must be valid html color | `string` | `"red"` | no |
 | <a name="input_email_tag"></a> [email\_tag](#input\_email\_tag) | Tag to be placed on the IAM user that we can use to notify when their key is going to be disabled/deleted | `string` | `"keyenforcer:email"` | no |

main.tf

@@ -63,7 +63,6 @@ module "lambda" {
   environment_variables = {
     LOG_LEVEL                  = var.log_level
     EMAIL_ADMIN_REPORT_ENABLED = var.email_admin_report_enabled
-    EMAIL_ADMIN_REPORT_SUBJECT = var.email_admin_report_subject
     EMAIL_SOURCE               = var.email_source
     ADMIN_EMAIL                = var.admin_email
     KEY_AGE_WARNING            = var.key_age_warning

pytest.ini

@@ -0,0 +1,9 @@
+[pytest]
+testpaths = tests/python
+python_files = test_*.py
+pythonpath = src/python
+addopts = -v --tb=short
+markers =
+    smoke: mark test as smoke test
+    regression: mark test as regression test
+    slow: mark test as slow

ruff.toml

@@ -0,0 +1,38 @@
+# Line length and excludes chosen to match prior flake8 settings
+line-length = 88
+exclude = [
+    ".git",
+    "__pycache__",
+    ".eggs",
+    "*.egg",
+    "build",
+    "dist",
+    "htmlcov",
+]
+
+[lint]
+ignore = [
+    "D107",  # __init__ docstrings are documented at the class level to avoid duplication
+    "D203",  # Conflicts with D211 (no-blank-line-before-class). Project uses D211 style.
+    "D212",  # Conflicts with D213 (multi-line-summary-first-line). Project uses D213 style.
+    "EXE001",  # Only occurs in CI when source is restored as artifact (loses executable bit)
+    "ANN",  # 500+ missing type annotations across src/tests; keep ignored for now; see staged plan below
+]
+select = ["ALL"]
+
+[lint.per-file-ignores]
+"tests/**" = ["S101", "S314", "SLF", "ARG", "PLR2004", "PLR0913", "INP001"]
+
+# Prepare for future gradual enabling of ANN (flake8-annotations) with saner defaults
+[lint.flake8-annotations]
+# Don't require explicit "-> None" on __init__ (aligns with mypy default)
+mypy-init-return = true
+
+# Allow using Any for *args/**kwargs without error
+allow-star-arg-any = true
+
+# Don't flag unused conventional dummy args like _ or unused parameters in callbacks
+suppress-dummy-args = true
+
+# Don't require explicit -> None on functions that implicitly return None
+suppress-none-returning = true