drop Python 3.9 support

Author: gruebel

.github/workflows/publish.yml

@@ -11,7 +11,7 @@ permissions:
   contents: read
 
 env:
-  MIN_PYTHON_VERSION: "3.9"
+  MIN_PYTHON_VERSION: "3.10"
 
 jobs:
   test:

.github/workflows/test.yml

@@ -12,7 +12,7 @@ permissions:
   contents: read
 
 env:
-  MIN_PYTHON_VERSION: "3.9"
+  MIN_PYTHON_VERSION: "3.10"
 
 jobs:
   pre-commit:
@@ -60,7 +60,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ['3.10', '3.11', '3.12', '3.13', '3.14']
+        python: ['3.11', '3.12', '3.13', '3.14']
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6.0.0

.github/workflows/update-bundle-report.yml

@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 env:
-  MIN_PYTHON_VERSION: "3.9"
+  MIN_PYTHON_VERSION: "3.10"
 
 jobs:
   update:

.python-version

@@ -1 +1 @@
-3.9
+3.10

.readthedocs.yml

@@ -7,7 +7,7 @@ version: 2
 build:
   os: ubuntu-24.04
   tools:
-    python: "3.9"
+    python: "3.10"
 
 mkdocs:
   configuration: mkdocs.yml

cloudsplaining/command/create_exclusions_file.py

@@ -9,7 +9,7 @@
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 import logging
-import os
+from pathlib import Path
 
 import click
 
@@ -21,14 +21,14 @@
 
 
 @click.command(
-    context_settings=dict(max_content_width=160),
+    context_settings={"max_content_width": 160},
     short_help="Creates a YML file to be used as a custom exclusions template",
 )
 @click.option(
     "-o",
     "--output-file",
     type=click.Path(exists=False),
-    default=os.path.join(os.getcwd(), "exclusions.yml"),
+    default=str(Path.cwd() / "exclusions.yml"),
     required=True,
     help="Relative path to output file where we want to store the exclusions template.",
 )
@@ -40,7 +40,7 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(output_file, "a", encoding="utf-8") as file_obj:
+    with Path(output_file).open("a", encoding="utf-8") as file_obj:
         file_obj.write(EXCLUSIONS_TEMPLATE)
 
     utils.print_green(f"Success! Exclusions template file written to: {output_file}")

cloudsplaining/command/create_multi_account_config_file.py

@@ -9,7 +9,7 @@
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 import logging
-import os
+from pathlib import Path
 
 import click
 
@@ -23,15 +23,15 @@
 
 
 @click.command(
-    context_settings=dict(max_content_width=160),
+    context_settings={"max_content_width": 160},
     short_help="Creates a YML file to be used for multi-account scanning",
 )
 @click.option(
     "-o",
     "--output-file",
     "output_file",
     type=click.Path(exists=False),
-    default=os.path.join(os.getcwd(), "multi-account-config.yml"),
+    default=str(Path.cwd() / "multi-account-config.yml"),
     required=True,
     help="Relative path to output file where we want to store the multi account config template.",
 )
@@ -42,17 +42,14 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    if os.path.exists(output_file):
+    output_file = Path(output_file)
+    if output_file.exists():
         logger.debug("%s exists. Removing the file and replacing its contents.", output_file)
-        os.remove(output_file)
+        output_file.unlink()
 
-    with open(output_file, "a", encoding="utf-8") as file_obj:
+    with output_file.open("a", encoding="utf-8") as file_obj:
         file_obj.write(MULTI_ACCOUNT_CONFIG_TEMPLATE)
 
-    utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
-    print(
-        f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."
-    )
-    print(
-        f"\n\tcloudsplaining scan-multi-account --exclusions-file exclusions.yml -c {os.path.relpath(output_file)} -o ./"
-    )
+    utils.print_green(f"Success! Multi-account config file written to: {output_file}")
+    print(f"\nMake sure you edit the {output_file} file and then run the scan-multi-account command, as shown below.")
+    print(f"\n\tcloudsplaining scan-multi-account --exclusions-file exclusions.yml -c {output_file} -o ./")

cloudsplaining/command/download.py

@@ -11,6 +11,7 @@
 import json
 import logging
 import os
+from pathlib import Path
 from typing import TYPE_CHECKING, Any
 
 import boto3
@@ -41,7 +42,7 @@
     "-o",
     "--output",
     type=click.Path(exists=True),
-    default=os.getcwd(),
+    default=os.getcwd(),  # noqa: PTH109
     help="Path to store the output. Defaults to current directory.",
 )
 @click.option(
@@ -61,14 +62,15 @@ def download(profile: str, output: str, include_non_default_policy_versions: boo
     default_region = "us-east-1"
     session_data = {"region_name": default_region}
 
+    output = Path(output)
     if profile:
         session_data["profile_name"] = profile
-        output_filename = os.path.join(output, f"{profile}.json")
+        output_filename = output / f"{profile}.json"
     else:
-        output_filename = os.path.join(output, "default.json")
+        output_filename = output / "default.json"
 
     results = get_account_authorization_details(session_data, include_non_default_policy_versions)
-    with open(output_filename, "w", encoding="utf-8") as f:
+    with output_filename.open("w", encoding="utf-8") as f:
         json.dump(results, f, indent=4, default=str)
     # output_filename.write_text(json.dumps(results, indent=4, default=str))
     print(f"Saved results to {output_filename}")

cloudsplaining/command/expand_policy.py

@@ -9,6 +9,7 @@
 # or https://opensource.org/licenses/BSD-3-Clause
 import json
 import logging
+from pathlib import Path
 
 import click
 from policy_sentry.analysis.expand import get_expanded_policy
@@ -33,7 +34,7 @@ def expand_policy(input_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(input_file, encoding="utf-8") as json_file:
+    with Path(input_file).open(encoding="utf-8") as json_file:
         logger.debug(f"Opening {input_file}")
         data = json.load(json_file)
         policy = get_expanded_policy(data)

cloudsplaining/command/scan.py

@@ -47,14 +47,14 @@
     help="A yaml file containing a list of policy names to exclude from the scan.",
     type=click.Path(exists=True),
     required=False,
-    default=EXCLUSIONS_FILE,
+    default=str(EXCLUSIONS_FILE),
 )
 @click.option(
     "-o",
     "--output",
     required=False,
     type=click.Path(exists=True),
-    default=os.getcwd(),
+    default=os.getcwd(),  # noqa: PTH109
     help="Output directory.",
 )
 @click.option(
@@ -123,7 +123,7 @@ def scan(
 
     if exclusions_file:
         # Get the exclusions configuration
-        with open(exclusions_file, encoding="utf-8") as yaml_file:
+        with Path(exclusions_file).open(encoding="utf-8") as yaml_file:
             try:
                 exclusions_cfg = yaml.safe_load(yaml_file)
             except yaml.YAMLError as exc:
@@ -139,9 +139,11 @@ def scan(
         flag_conditional_statements = False
         flag_resource_arn_statements = False
 
-    if os.path.isfile(input_file):
-        account_name = os.path.basename(input_file).split(".")[0]
-        account_authorization_details_cfg = json.loads(Path(input_file).read_text(encoding="utf-8"))
+    output = Path(output)
+    input_file = Path(input_file)
+    if input_file.is_file():
+        account_name = input_file.stem
+        account_authorization_details_cfg = json.loads(input_file.read_text(encoding="utf-8"))
         rendered_html_report = scan_account_authorization_details(
             account_authorization_details_cfg,
             exclusions,
@@ -154,29 +156,29 @@ def scan(
             flag_trust_policies=flag_trust_policies,
             severity=severity,
         )
-        html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+        html_output_file = output / f"iam-report-{account_name}.html"
         logger.info("Saving the report to %s", html_output_file)
-        if os.path.exists(html_output_file):
-            os.remove(html_output_file)
+        if html_output_file.exists():
+            html_output_file.unlink()
 
-        Path(html_output_file).write_text(rendered_html_report, encoding="utf-8")
+        html_output_file.write_text(rendered_html_report, encoding="utf-8")
 
         print(f"Wrote HTML results to: {html_output_file}")
 
         # Open the report by default
         if not skip_open_report:
             print("Opening the HTML report")
-            url = f"file://{os.path.abspath(html_output_file)}"
+            url = f"file://{html_output_file.absolute()}"
             webbrowser.open(url, new=2)
 
-    if os.path.isdir(input_file):
+    if input_file.is_dir():
         logger.info("The path given is a directory. Scanning for account authorization files and generating report.")
         input_files = get_authorization_files_in_directory(input_file)
         for file in input_files:
             logger.info(f"Scanning file: {file}")
             account_authorization_details_cfg = json.loads(Path(file).read_text(encoding="utf-8"))
 
-            account_name = os.path.basename(input_file).split(".")[0]
+            account_name = input_file.parent.stem
             # Scan the Account Authorization Details config
             rendered_html_report = scan_account_authorization_details(
                 account_authorization_details_cfg,
@@ -187,19 +189,19 @@ def scan(
                 minimize=minimize,
                 severity=severity,
             )
-            html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+            html_output_file = output / f"iam-report-{account_name}.html"
             logger.info("Saving the report to %s", html_output_file)
-            if os.path.exists(html_output_file):
-                os.remove(html_output_file)
+            if html_output_file.exists():
+                html_output_file.unlink()
 
-            Path(html_output_file).write_text(rendered_html_report, encoding="utf-8")
+            html_output_file.write_text(rendered_html_report, encoding="utf-8")
 
             print(f"Wrote HTML results to: {html_output_file}")
 
             # Open the report by default
             if not skip_open_report:
                 print("Opening the HTML report")
-                url = f"file://{os.path.abspath(html_output_file)}"
+                url = f"file://{html_output_file.absolute()}"
                 webbrowser.open(url, new=2)
 
 
@@ -211,7 +213,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str,
-    output_directory: str,
+    output_directory: str | Path | None,
     write_data_files: bool,
     minimize: bool,
     return_json_results: Literal[True],
@@ -227,7 +229,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str = ...,
-    output_directory: str = ...,
+    output_directory: str | Path | None = ...,
     write_data_files: bool = ...,
     minimize: bool = ...,
     return_json_results: Literal[False] = ...,
@@ -242,7 +244,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str = "default",
-    output_directory: str = os.getcwd(),
+    output_directory: str | Path | None = None,
     write_data_files: bool = False,
     minimize: bool = False,
     return_json_results: bool = False,
@@ -285,14 +287,13 @@ def scan_account_authorization_details(
 
     # Raw data file
     if write_data_files:
-        if output_directory is None:
-            output_directory = os.getcwd()
+        output_directory = Path(output_directory) if output_directory else Path.cwd()
 
-        results_data_file = os.path.join(output_directory, f"iam-results-{account_name}.json")
+        results_data_file = output_directory / f"iam-results-{account_name}.json"
         results_data_filepath = write_results_data_file(authorization_details.results, results_data_file)
         print(f"Results data saved: {results_data_filepath}")
 
-        findings_data_file = os.path.join(output_directory, f"iam-findings-{account_name}.json")
+        findings_data_file = output_directory / f"iam-findings-{account_name}.json"
         findings_data_filepath = write_results_data_file(results, findings_data_file)
         print(f"Findings data file saved: {findings_data_filepath}")
 
@@ -302,15 +303,15 @@ def scan_account_authorization_details(
             "iam_findings": results,
             "rendered_report": rendered_report,
         }
-    else:
-        return rendered_report
+
+    return rendered_report
 
 
 def get_authorization_files_in_directory(
-    directory: str,
+    directory: Path,
 ) -> list[str]:  # pragma: no cover
     """Get a list of download-account-authorization-files in a directory"""
-    file_list_with_full_path = [file.absolute() for file in Path(directory).glob("*.json")]
+    file_list_with_full_path = [file.absolute() for file in directory.glob("*.json")]
 
     new_file_list = []
     for file in file_list_with_full_path: