runbooks operate

Engage | 9 commands | Management. Auto-generated from Click registry on 2026-04-01.

QA/QC: 9/9 commands PASSED (v1.3.17)

L1 --help: 9/9 | L2 params: PASS | L4 cross-validation: N/A

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration

All runbooks commands support these common options for AWS authentication:

Option	Scope	When to Use
--profile PROFILE	Single account	Developer/operator targeting one AWS account
--all-profiles	All accounts (Landing Zone)	Platform team — discovers across all SSO profiles
--region REGION	Override region	Non-default region (default: ap-southeast-2)
--dry-run	Safe mode	Analysis only, no mutations (recommended for first run)
--output-dir DIR	Output path	Directory for generated reports (default: output/)
--format FORMAT	Output format	table, json, csv, markdown (varies by command)

Single Account

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Multi-Account Landing Zone

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region $AWS_REGION
runbooks finops dashboard --all-profiles --format table

Environment Variables Reference

Variable	Required	Purpose
AWS_REGION	Yes	Target AWS region (default: ap-southeast-2)
AWS_PROFILE	Yes	Default profile when --profile is omitted
AWS_BILLING_PROFILE	LZ only	Cost Explorer data enrichment
AWS_MANAGEMENT_PROFILE	LZ only	Organizations metadata enrichment
AWS_OPERATIONS_PROFILE	LZ only	Centralized Operations shared resources
RUNBOOKS_TEST_MODE	No	Set to 1 for offline/mock mode (no AWS calls)

Commands

Command	Description	Params	API Type
cloudformation	CloudFormation stack operations.	0	write
cloudformation deploy	Deploy CloudFormation stack with universal profile support.	7	write
ec2	EC2 instance and resource operations.	0	write
ec2 start	Start EC2 instances with universal profile support.	7	write
ec2 stop	Stop EC2 instances with universal profile support.	7	write
s3	S3 bucket and object operations.	0	write
s3 create-bucket	Create S3 bucket with enterprise configurations and universal profile support.	10	write
vpc	VPC and networking operations.	0	write
vpc create-vpc	Create VPC with enterprise configurations and universal profile support.	6	write

Quick Start by Role

Operational runbooks for resource lifecycle management.

Executive TechLead Engineer / SRE

Task	Command
Resource status	runbooks operate status --profile $AWS_PROFILE

Task	Command
Batch operations	runbooks operate batch --profile $AWS_PROFILE --dry-run

Task	Command
Start resources	runbooks operate start --profile $AWS_PROFILE --dry-run
Stop resources	runbooks operate stop --profile $AWS_PROFILE --dry-run

Command Details

runbooks operate cloudformation

Write Operation

This command modifies AWS resources. Use --dry-run when available.

CloudFormation stack operations.

runbooks operate cloudformation

runbooks operate cloudformation deploy

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Deploy CloudFormation stack with universal profile support.

Single AccountMulti-Account Landing Zone

runbooks operate cloudformation deploy --profile $AWS_PROFILE

runbooks operate cloudformation deploy --all

All Parameters (7)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile for single-account operations.
--region	STRING	-	AWS region override (default: ap-southeast-2)
--dry-run	BOOL	-	Safe analysis mode - no resource modifications (enterprise default)
--template-file	PATH	-	CloudFormation template file
--stack-name	STRING	-	Stack name
--parameters	STRING	-	Stack parameters (JSON format)
--all	BOOL	-	Use all available AWS profiles for multi-account operations

runbooks operate ec2

Write Operation

This command modifies AWS resources. Use --dry-run when available.

EC2 instance and resource operations.

runbooks operate ec2

runbooks operate ec2 start

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Start EC2 instances with universal profile support.

Single AccountMulti-Account Landing Zone

runbooks operate ec2 start --profile $AWS_PROFILE

runbooks operate ec2 start --all

All Parameters (7)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile for single-account operations.
--region	STRING	-	AWS region override (default: ap-southeast-2)
--dry-run	BOOL	-	Safe analysis mode - no resource modifications (enterprise default)
--instance-ids	STRING	-	Instance IDs (repeat for multiple).
--all	BOOL	-	Use all available AWS profiles for multi-account operations
--verbose/-v	BOOL	-	Show detailed logs
--format	CHOICE(compact	table	json)

runbooks operate ec2 stop

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Stop EC2 instances with universal profile support.

Single AccountMulti-Account Landing Zone

runbooks operate ec2 stop --profile $AWS_PROFILE

runbooks operate ec2 stop --all

All Parameters (7)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile for single-account operations.
--region	STRING	-	AWS region override (default: ap-southeast-2)
--dry-run	BOOL	-	Safe analysis mode - no resource modifications (enterprise default)
--instance-ids	STRING	-	Instance IDs (repeat for multiple).
--all	BOOL	-	Use all available AWS profiles for multi-account operations
--verbose/-v	BOOL	-	Show detailed logs
--format	CHOICE(compact	table	json)

runbooks operate s3

Write Operation

This command modifies AWS resources. Use --dry-run when available.

S3 bucket and object operations.

runbooks operate s3

runbooks operate s3 create-bucket

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Create S3 bucket with enterprise configurations and universal profile support.

Single AccountMulti-Account Landing Zone

runbooks operate s3 create-bucket --profile $AWS_PROFILE

runbooks operate s3 create-bucket --all

All Parameters (10)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile for single-account operations.
--region	STRING	-	AWS region override (default: ap-southeast-2)
--dry-run	BOOL	-	Safe analysis mode - no resource modifications (enterprise default)
--bucket-name	STRING	-	S3 bucket name
--encryption	BOOL	-	Enable encryption
--versioning	BOOL	-	Enable versioning
--public-access-block	BOOL	-	Block public access
--all	BOOL	-	Use all available AWS profiles for multi-account operations
--verbose/-v	BOOL	-	Show detailed logs
--format	CHOICE(compact	table	json)

runbooks operate vpc

Write Operation

This command modifies AWS resources. Use --dry-run when available.

VPC and networking operations.

runbooks operate vpc

runbooks operate vpc create-vpc

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Create VPC with enterprise configurations and universal profile support.

Single AccountMulti-Account Landing Zone

runbooks operate vpc create-vpc --profile $AWS_PROFILE

runbooks operate vpc create-vpc --all

All Parameters (6)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile for single-account operations.
--region	STRING	-	AWS region override (default: ap-southeast-2)
--dry-run	BOOL	-	Safe analysis mode - no resource modifications (enterprise default)
--cidr-block	STRING	-	VPC CIDR block (e.g., 10.0.0.0/16)
--vpc-name	STRING	-	VPC name tag
--all	BOOL	-	Use all available AWS profiles for multi-account operations

Usage Examples

Write Operations

All operate commands modify AWS resources. Use --dry-run before executing.

Single AccountMulti-Account Landing Zone

# Stop EC2 instances (dry-run first)
runbooks operate ec2 stop \
  --profile $AWS_PROFILE \
  --instance-ids i-0123456789abcdef0 \
  --dry-run

# Create S3 bucket with enterprise defaults
runbooks operate s3 create-bucket \
  --profile $AWS_PROFILE \
  --bucket-name my-bucket \
  --region $AWS_REGION

# Deploy CloudFormation stack
runbooks operate cloudformation deploy \
  --profile $AWS_OPERATIONS_PROFILE \
  --stack-name my-stack \
  --template-file template.yaml

# Create VPC with enterprise config
runbooks operate vpc create-vpc \
  --profile $AWS_OPERATIONS_PROFILE \
  --cidr 10.0.0.0/16