add precheck

local-app/python-tools/cross-organization/remediate_tgw_dns.py

@@ -2,14 +2,13 @@
 from datetime import datetime
 
 # --- VERSIONING ---
-__version__ = "1.3.0"
+__version__ = "1.4.0"
 
 def get_child_session(base_session, account_id, role_name, partition):
     """
     Assumes role in child account using the detected partition.
     """
     sts = base_session.client('sts')
-    # Use dynamic partition for the ARN
     role_arn = f"arn:{partition}:iam::{account_id}:role/{role_name}"
     try:
         response = sts.assume_role(
@@ -28,38 +27,72 @@ def get_child_session(base_session, account_id, role_name, partition):
 
 def remediate_task(instruction_line, base_session, role_name, partition, dry_run=True, rollback=False):
     """
-    Executes TGW DNS modification honoring the resource's specific region.
+    Executes TGW DNS modification with a pre-check to prevent redundant calls.
     """
     if not instruction_line.startswith("MODIFY_TGW_ATTACHMENT:"):
         return None
 
     try:
         parts = instruction_line.split(":")[-1].strip().split("|")
         acc_id = parts[0].strip()
-        region = parts[1].strip() # Honor the region from the .txt file
+        region = parts[1].strip()
         attach_id = parts[2].strip()
     except Exception as e:
         return {"error": f"Parse failure: {str(e)}", "line": instruction_line}
 
     desired_state = "enable" if rollback else "disable"
 
+    log_entry = {
+        "account_id": acc_id,
+        "region": region,
+        "resource": attach_id,
+        "action": f"DnsSupport={desired_state}",
+        "status": "PENDING",
+        "timestamp": datetime.now().isoformat()
+    }
+
     if dry_run:
         print(f"[DRY-RUN] Account {acc_id} | Region {region} | {attach_id} -> {desired_state}")
-        return {"account_id": acc_id, "region": region, "resource": attach_id, "status": "DRY_RUN_SKIPPED"}
+        log_entry["status"] = "DRY_RUN_SKIPPED"
+        return log_entry
 
     session = get_child_session(base_session, acc_id, role_name, partition)
     if not session:
-        return {"account_id": acc_id, "resource": attach_id, "status": "AUTH_FAILED"}
+        log_entry["status"] = "AUTH_FAILED"
+        return log_entry
 
     try:
-        # Honor the specific region for the resource
         ec2 = session.client('ec2', region_name=region)
+
+        # --- PRE-CHECK LOGIC ---
+        # Describe the specific attachment to check its current status
+        desc = ec2.describe_transit_gateway_vpc_attachments(TransitGatewayAttachmentIds=[attach_id])
+        attachments = desc.get('TransitGatewayVpcAttachments', [])
+
+        if not attachments:
+            print(f"  NOT_FOUND: {attach_id} no longer exists in {acc_id} ({region})")
+            log_entry["status"] = "NOT_FOUND"
+            return log_entry
+
+        current_options = attachments[0].get('Options', {})
+        current_dns = current_options.get('DnsSupport', 'disabled')
+
+        if current_dns == desired_state:
+            print(f"  SKIPPING: {attach_id} in {acc_id} is already '{desired_state}'")
+            log_entry["status"] = "ALREADY_COMPLIANT"
+            return log_entry
+
+        # --- EXECUTE MODIFICATION ---
         ec2.modify_transit_gateway_vpc_attachment(
             TransitGatewayAttachmentId=attach_id,
             Options={'DnsSupport': desired_state}
         )
         print(f"SUCCESS: {attach_id} set to {desired_state} in {acc_id} ({region})")
-        return {"account_id": acc_id, "region": region, "resource": attach_id, "status": "SUCCESS"}
+        log_entry["status"] = "SUCCESS"
+
     except Exception as e:
-        print(f"FAILED: {attach_id} in {acc_id} ({region}) - {str(e)}")
-        return {"account_id": acc_id, "region": region, "resource": attach_id, "status": f"ERROR: {str(e)}"}
+        error_msg = str(e)
+        print(f"FAILED: {attach_id} in {acc_id} ({region}) - {error_msg}")
+        log_entry["status"] = f"ERROR: {error_msg}"
+
+    return log_entry