Skip to content

runbooks csdmΒΆ

Find | 4 commands | Management. Auto-generated from Click registry on 2026-06-26.

QA/QC: 0/4 commands PASSED (v1.3.17)

L1 --help: 0/4 | L2 params: PASS | L4 cross-validation: N/A

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile ConfigurationΒΆ

All runbooks commands support these common options for AWS authentication:

Option Scope When to Use
--profile PROFILE Single account Developer/operator targeting one AWS account
--all-profile All accounts (Landing Zone) Platform team β€” discovers across all SSO profiles
--region REGION Override region Non-default region (default: ap-southeast-2)
--dry-run Safe mode Analysis only, no mutations (recommended for first run)
--output-dir DIR Output path Directory for generated reports (default: output/)
--format FORMAT Output format table, json, csv, markdown (varies by command)

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profile --region $AWS_REGION
runbooks finops dashboard --all-profile --format table

Org-Wide Profile Routing β€” 4-Step MethodologyΒΆ

Each AWS profile has exactly one correct purpose. Mixing them returns empty results, not errors (CROSS_ACCOUNT_SILENT_ZERO anti-pattern).

Authoritative standard (DISC-001): .claude/skills/aws/org-wide-resource-discovery.md β€” canonical 4-step methodology with P-ENRICH ranking and Config aggregator vs Resource Explorer priority. See also: aws-profile-semantics.md.

Step Name Profile Env Var Flag API / Service What-If Wrong
1. DISCOVER Org-wide resource inventory $AWS_OPERATIONS_PROFILE --all-profile P1 (authoritative, un-capped): AWS Config aggregator (runbooks inventory resource-explorer default backend) β€” all accounts, paginated, no 1,000-result ceiling. P3 (cross-check only): Resource Explorer Search API β€” capped at 1,000 results per query; treat any count of exactly 1,000 as suspect. Wrong profile β†’ aggregator index not found β†’ silent-zero count
2. ENUMERATE Account names & IDs $AWS_MANAGEMENT_PROFILE --all-profile AWS Organizations ListAccounts Wrong profile β†’ empty account list β†’ can't resolve resource owners
3. ENRICH Per-account attributes Per-workload ~/.aws/config profile --profile Single-account describe-* / get-* (encryption, lifecycle, tags β€” aggregator can't return these) Skip this step β†’ counts + cost present but target columns NULL
4. COST Cost attribution $AWS_BILLING_PROFILE --all-profile Cost Explorer GetCostAndUsage Wrong profile β†’ no CE access β†’ cost columns blank or AccessDenied

When to use --profile vs --all-profile

  • --all-profile $AWS_<PURPOSE>_PROFILE β€” Landing Zone-wide (hub accounts: Operations, Management, Billing). Always use the matching env var; never pass an LZ-wide profile with --profile.
  • --profile $AWS_PROFILE β€” Single workload account only (Steps 3 + per-workload incident investigation).

Using --profile with an LZ-wide profile env var (e.g. --profile $AWS_BILLING_PROFILE) is a routing bug β€” the LZ hub account has no workload resources, so results are silently empty.

--all-profile flag behaviour differs by command group

--all-profile is value-taking (accepts a profile string) for finops, inventory, cfat, vpc, csdm, and workspaces command groups. For runbooks security, --all-profile is a boolean flag (bare, no value). Always use runbooks security baseline --all-profile (no value); never --all-profile $AWS_OPERATIONS_PROFILE for security commands.

# Step 1 β€” DISCOVER org-wide (Config aggregator, un-capped, P1 authoritative)
runbooks inventory resource-explorer --all-profile $AWS_OPERATIONS_PROFILE

# Step 2 β€” ENUMERATE accounts (Organizations API)
runbooks inventory discover --all-profile $AWS_MANAGEMENT_PROFILE

# Step 3 β€” ENRICH per-account (loop each workload profile from ~/.aws/config)
# Resolve account_id -> profile_name via runbooks.common.resolve_readonly_profile() (RB-3):
#   from runbooks.common import resolve_readonly_profile
#   profile = resolve_readonly_profile(account_id)   # canonical account_id->profile resolver
runbooks security scan --profile $AWS_PROFILE   # one call per workload account

# Step 4 β€” COST (Cost Explorer, org-wide consolidated billing)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE

Environment Variables ReferenceΒΆ

Variable Required Purpose
AWS_REGION Yes Target AWS region (default: ap-southeast-2)
AWS_PROFILE Yes Default profile when --profile is omitted
AWS_BILLING_PROFILE LZ only Cost Explorer data enrichment
AWS_MANAGEMENT_PROFILE LZ only Organizations metadata enrichment
AWS_OPERATIONS_PROFILE LZ only Centralized Operations shared resources
RUNBOOKS_TEST_MODE No Set to 1 for offline/mock mode (no AWS calls)

CommandsΒΆ

Command Description Params API Type
tag-fill-rate Compute bc:* tag fill-rate across resources in the tenant account(s). 5 read-only
tag-schema-validate Validate a tagging standard YAML file against structural schema rules. 1 read-only
tag-validate Validate bc:* tags on live AWS resources against the tagging schema. 4 read-only
validate-5way Run 5-way cross-validation for a tenant + resource type. 6 read-only
## Command Details

runbooks csdm tag-fill-rateΒΆ

Compute bc:* tag fill-rate across resources in the tenant account(s).

runbooks csdm tag-fill-rate
Parameter Type Default Description
--tenant STRING - Tenant directory name, e.g.
--all-profile STRING <function create_csdm_group.<locals>.<lambda> at 0x10db236a0> AWS profile for LZ-wide ResourceGroupsTaggingAPI calls (default: $AWS_OPERATIONS_PROFILE).
--required-keys STRING bc:capability,bc:business-service,bc:business-owner,bc:cost-centre,bc:environment,bc:project Comma-separated list of required bc:* tag keys to measure.
--region STRING <function create_csdm_group.<locals>.<lambda> at 0x10db23ce0> AWS region (default: $AWS_DEFAULT_REGION).
--output PATH - Path to write JSON evidence file (optional).

runbooks csdm tag-schema-validateΒΆ

Validate a tagging standard YAML file against structural schema rules.

runbooks csdm tag-schema-validate
Parameter Type Default Description
--schema-path PATH - Path to YAML tagging standard to validate (default: tenants/_base/ci-schema/aws-tagging-standard.yaml).

runbooks csdm tag-validateΒΆ

Validate bc:* tags on live AWS resources against the tagging schema.

runbooks csdm tag-validate
Parameter Type Default Description
--tenant STRING - Tenant directory name, e.g.
--all-profile STRING <function create_csdm_group.<locals>.<lambda> at 0x10db23560> AWS profile for LZ-wide ResourceGroupsTaggingAPI calls (default: $AWS_OPERATIONS_PROFILE).
--schema-path PATH - Path to YAML tag schema (default: tenants/_base/ci-schema/aws-tagging-standard.yaml).
--region STRING <function create_csdm_group.<locals>.<lambda> at 0x10db23a60> AWS region (default: $AWS_DEFAULT_REGION).

runbooks csdm validate-5wayΒΆ

Run 5-way cross-validation for a tenant + resource type.

runbooks csdm validate-5way
All Parameters (6)
Parameter Type Default Description
--tenant STRING - Tenant directory name, e.g.
--resource-type STRING workspaces Resource type to validate: workspaces, ec2, s3, rds, ...
--ops-profile STRING <function create_csdm_group.<locals>.<lambda> at 0x10db23600> AWS profile for V4 live API calls (default: $AWS_OPERATIONS_PROFILE).
--terraform-root PATH - Path to tenant Terraform directory for V5 (optional).
--excel-root PATH - Path to cloudops/data/inventory/ for V5 Excel source (optional).
--cv-out-dir PATH tmp/command-center/cross-validation Output directory for gate5 JSON evidence.