CloudOps-Runbooks CLI¶

Enterprise AWS automation toolkit with 131 commands across 9 groups, supporting both single-account and multi-account Landing Zone operations.

Installation¶

UV (Recommended)pipDevelopment

uv tool install runbooks

pip install runbooks

git clone https://github.com/nnthanh101/cloudops.git
cd cloudops
uv sync
uv run runbooks --help

Quick Verification¶

# Check installation
runbooks --version

# List all command groups
runbooks --help

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration¶

All runbooks commands support these common options for AWS authentication:

Option	Scope	When to Use
`--profile PROFILE`	Single account	Developer/operator targeting one AWS account
`--all-profiles`	All accounts (Landing Zone)	Platform team — discovers across all SSO profiles
`--region REGION`	Override region	Non-default region (default: `ap-southeast-2`)
`--dry-run`	Safe mode	Analysis only, no mutations (recommended for first run)
`--output-dir DIR`	Output path	Directory for generated reports (default: `output/`)
`--format FORMAT`	Output format	`table`, `json`, `csv`, `markdown` (varies by command)

Single Account

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Multi-Account Landing Zone

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region $AWS_REGION
runbooks finops dashboard --all-profiles --format table

Environment Variables Reference¶

Variable	Required	Purpose
`AWS_REGION`	Yes	Target AWS region (default: `ap-southeast-2`)
`AWS_PROFILE`	Yes	Default profile when `--profile` is omitted
`AWS_BILLING_PROFILE`	LZ only	Cost Explorer data enrichment
`AWS_MANAGEMENT_PROFILE`	LZ only	Organizations metadata enrichment
`AWS_OPERATIONS_PROFILE`	LZ only	Centralized Operations shared resources
`RUNBOOKS_TEST_MODE`	No	Set to `1` for offline/mock mode (no AWS calls)

Command Groups¶

Group	Commands	F2T2EA Phase	Purpose	API Type
`cert`	5	Find	Certificate inventory and lifecycle monitoring	Read-only
`cfat`	5	Assess	Cloud Foundations Assessment	Read-only
`finops`	36	Track	Cost optimization and FinOps analytics	Read-only
`inventory`	51	Find	Multi-account resource discovery	Read-only / Write
`operate`	9	Engage	EC2, S3, VPC, CloudFormation operations	Write
`remediation`	4	Engage	Security remediation automation	Write
`security`	6	Assess	Security assessment and baseline	Read-only / Write
`validation`	7	Assess	Cross-validation and benchmarking	Read-only
`vpc`	7	Find	VPC analysis and VPCE cleanup	Read-only / Write

Quick Start by Role¶

I'm an Executive I'm a TechLead I'm an Engineer

What	Command	Time
Monthly costs	`runbooks finops dashboard --profile $AWS_BILLING_PROFILE`	30s
Security posture	`runbooks security assess --profile $AWS_PROFILE`	60s
Resource count	`runbooks inventory collect --profile $AWS_PROFILE`	90s
Compliance	`runbooks security report --profile $AWS_PROFILE --output-dir /tmp`	60s

Workflow	Commands	Output
Cost review	`dashboard` → `detect-orphans` → `optimize`	XLSX report
Inventory	`collect` → `enrich-accounts` → `enrich-costs`	JSON enriched
Security	`assess` → `report` → `remediate --dry-run`	Action plan

Group	Commands	Purpose	Docs
`finops`	35	Track	Cost optimization
`inventory`	51	Resource discovery
`security`	6	Security posture
`operate`	9	Lifecycle ops
`vpc`	7	Network analysis
`cfat`	5	Cloud foundations
`remediation`	4	Security fixes
`validation`	7	Assess	Cross-validation

Full Reference¶

See All Commands for the complete command reference with parameter details.