dbt-platform-helper 15.3.0__py3-none-any.whl → 15.16.0__py3-none-any.whl

dbt_platform_helper/entities/platform_config_schema.py

@@ -114,7 +114,6 @@ class PlatformConfigSchema:
                         Optional("default_waf"): str,
                         Optional("domain_prefix"): str,
                         Optional("enable_logging"): bool,
-                        Optional("env_root"): str,
                         Optional("forwarded_values_forward"): str,
                         Optional("forwarded_values_headers"): [str],
                         Optional("forwarded_values_query_string"): bool,
@@ -152,7 +151,7 @@ class PlatformConfigSchema:
                                 {
                                     "name": str,
                                     Optional("requires_approval"): bool,
-                                }
+                                },
                             ],
                         },
                         {
@@ -167,9 +166,16 @@ class PlatformConfigSchema:
                         },
                     ),
                 ],
+                Optional("cache_invalidation"): {
+                    "domains": PlatformConfigSchema.__cache_invalidation_domains_schema(),
+                },
             },
         }
 
+    @staticmethod
+    def __cache_invalidation_domains_schema() -> dict:
+        return {str: {"paths": [str], "environment": str}}
+
     @staticmethod
     def __default_versions_schema() -> dict:
         return {
@@ -195,6 +201,12 @@ class PlatformConfigSchema:
                     # TODO: DBTP-1943: requires_approval is no longer relevant since we don't have AWS Copilot manage environment pipelines
                     Optional("requires_approval"): bool,
                     Optional("vpc"): str,
+                    Optional("service-deployment-mode"): Or(
+                        "copilot",
+                        "dual-deploy-copilot-traffic",
+                        "dual-deploy-platform-traffic",
+                        "platform",
+                    ),
                 },
             )
         }
@@ -280,6 +292,7 @@ class PlatformConfigSchema:
     @staticmethod
     def __postgres_schema() -> dict:
         _valid_postgres_plans = Or(*plan_manager.get_plan_names("postgres"))
+        _valid_postgres_version = Or(int, float)
 
         # TODO: DBTP-1943: Move to Postgres provider?
         _valid_postgres_storage_types = Or("gp2", "gp3", "io1", "io2")
@@ -292,11 +305,13 @@ class PlatformConfigSchema:
 
         return {
             "type": "postgres",
-            "version": (Or(int, float)),
+            Optional("version"): _valid_postgres_version,
             Optional("deletion_policy"): PlatformConfigSchema.__valid_postgres_deletion_policy(),
             Optional("environments"): {
                 PlatformConfigSchema.__valid_environment_name(): {
+                    Optional("apply_immediately"): bool,
                     Optional("plan"): _valid_postgres_plans,
+                    Optional("version"): (Or(int, float)),
                     Optional("volume_size"): PlatformConfigSchema.is_integer_between(20, 10000),
                     Optional("iops"): PlatformConfigSchema.is_integer_between(1000, 9950),
                     Optional("snapshot_id"): str,
@@ -306,9 +321,6 @@ class PlatformConfigSchema:
                     Optional("deletion_protection"): bool,
                     Optional("multi_az"): bool,
                     Optional("storage_type"): _valid_postgres_storage_types,
-                    Optional("backup_retention_days"): PlatformConfigSchema.is_integer_between(
-                        1, 35
-                    ),
                 }
             },
             Optional("database_copy"): [_valid_postgres_database_copy],
@@ -397,11 +409,19 @@ class PlatformConfigSchema:
             Optional("environments"): {
                 Optional(PlatformConfigSchema.__valid_environment_name()): {
                     "team_name": str,
-                    "contact_name": str,
-                    "contact_email": str,
-                    "documentation_url": str,
-                    "services_to_monitor": list,
-                }
+                    Optional("contact_name"): str,
+                    Optional("contact_email"): str,
+                    Optional("contacts"): [
+                        {
+                            "name": str,
+                            "type": str,
+                            "contact": str,
+                        }
+                    ],
+                    Optional("documentation_url"): str,
+                    "services_to_monitor": dict,
+                    Optional("description"): str,
+                },
             },
         }
 

dbt_platform_helper/entities/semantic_version.py

@@ -77,5 +77,7 @@ class SemanticVersion:
 
     @staticmethod
     def is_semantic_version(version_string):
+        if not version_string:
+            return False
         valid_semantic_string_regex = r"(?i)^v?[0-9]+[.-][0-9]+[.-][0-9]+$"
         return re.match(valid_semantic_string_regex, version_string)

dbt_platform_helper/entities/service.py

@@ -0,0 +1,339 @@
+import re
+from enum import Enum
+from typing import ClassVar
+from typing import Dict
+from typing import Optional
+from typing import Union
+
+from pydantic import BaseModel
+from pydantic import Field
+from pydantic import field_validator
+from pydantic import model_validator
+
+from dbt_platform_helper.platform_exception import PlatformException
+
+
+class HealthCheck(BaseModel):
+    path: Optional[str] = Field(
+        description="The destination that the health check requests are sent to.", default="/"
+    )
+    port: Optional[int] = Field(
+        description="The port that the health check requests are sent to.", default=8080
+    )
+    success_codes: Optional[str] = Field(
+        description="A comma-separated list of HTTP status codes that healthy targets must use when responding to a HTTP health check.",
+        default="200",
+    )
+    healthy_threshold: Optional[int] = Field(
+        description="The number of consecutive health check successes required before considering an unhealthy target healthy.",
+        default=3,
+    )
+    unhealthy_threshold: Optional[int] = Field(
+        description="The number of consecutive health check failures required before considering a target unhealthy.",
+        default=3,
+    )
+    interval: Optional[int] = Field(
+        description="The approximate amount of time, in seconds, between health checks of an individual target.",
+        default=35,
+    )
+    timeout: Optional[int] = Field(
+        description="The amount of time, in seconds, during which no response from a target means a failed health check.",
+        default=30,
+    )
+    grace_period: Optional[int] = Field(
+        description="The amount of time to ignore failing target group healthchecks on container start.",
+        default=30,
+    )
+
+
+class AdditionalRules(BaseModel):
+    path: str = Field(description="""Requests to this path will be forwarded to your service.""")
+    alias: list[str] = Field(description="""The HTTP domain alias of the service.""")
+
+
+class Http(BaseModel):
+    alias: list[str] = Field(
+        description="List of HTTPS domain alias(es) of your service.", default=None
+    )
+    stickiness: Optional[bool] = Field(description="Enable sticky sessions.", default=False)
+    path: str = Field(description="Requests to this path will be forwarded to your service.")
+    target_container: str = Field(description="Target container for the requests.")
+    healthcheck: HealthCheck = Field(default_factory=HealthCheck)
+    additional_rules: Optional[list[AdditionalRules]] = Field(default=None)
+    deregistration_delay: Optional[int] = Field(
+        default=60,
+        description="The amount of time to wait for targets to drain connections during deregistration.",
+    )
+
+
+class HttpOverride(BaseModel):
+    alias: Optional[list[str]] = Field(
+        description="List of HTTPS domain alias(es) of your service.", default=None
+    )
+    stickiness: Optional[bool] = Field(description="Enable sticky sessions.", default=None)
+    path: Optional[str] = Field(
+        description="Requests to this path will be forwarded to your service.", default=None
+    )
+    target_container: Optional[str] = Field(
+        description="Target container for the requests", default=None
+    )
+    healthcheck: Optional[HealthCheck] = Field(default=None)
+    additional_rules: Optional[list[AdditionalRules]] = Field(default=None)
+    deregistration_delay: Optional[int] = Field(
+        default=None,
+        description="The amount of time to wait for targets to drain connections during deregistration.",
+    )
+
+
+class ContainerHealthCheck(BaseModel):
+    command: list[str] = Field(
+        description="The command to run to determine if the container is healthy."
+    )
+    interval: Optional[int] = Field(
+        default=10, description="Time period between health checks, in seconds."
+    )
+    retries: Optional[int] = Field(
+        default=2, description="Number of times to retry before container is deemed unhealthy."
+    )
+    timeout: Optional[int] = Field(
+        default=5,
+        description="How long to wait before considering the health check failed, in seconds.",
+    )
+    start_period: Optional[int] = Field(
+        default=0,
+        description="Length of grace period for containers to bootstrap before failed health checks count towards the maximum number of retries.",
+    )
+
+
+class Sidecar(BaseModel):
+    port: int = Field(description="Container port exposed by the sidecar to receive traffic.")
+    image: str = Field(description="Container image URI for the sidecar (e.g. 'repo/image:tag').")
+    essential: Optional[bool] = Field(
+        description="Whether the ECS task should stop if this sidecar container exits.",
+        default=True,
+    )
+    variables: Optional[Dict[str, Union[str, int, bool]]] = Field(
+        description="Environment variables to inject into the sidecar container.", default=None
+    )
+    secrets: Optional[Dict[str, str]] = Field(
+        description="Parameter Store secrets to inject into the sidecar.", default=None
+    )
+    healthcheck: Optional[ContainerHealthCheck] = Field(default=None)
+
+
+class SidecarOverride(BaseModel):
+    port: Optional[int] = Field(default=None)
+    image: Optional[str] = Field(default=None)
+    essential: Optional[bool] = Field(default=None)
+    variables: Optional[Dict[str, Union[str, int, bool]]] = Field(default=None)
+    secrets: Optional[Dict[str, str]] = Field(default=None)
+    healthcheck: Optional[ContainerHealthCheck] = Field(default=None)
+
+
+class Image(BaseModel):
+    location: str = Field(description="Main container image location.")
+    port: Optional[int] = Field(
+        description="Port exposed by the main ECS task container (used by the load balancer/Service Connect).",
+        default=None,
+    )
+    depends_on: Optional[dict[str, str]] = Field(
+        description="Container dependency conditions.", default=None
+    )
+    healthcheck: Optional[ContainerHealthCheck] = Field(default=None)
+
+    @field_validator("location", mode="after")
+    @classmethod
+    def is_image_untagged(cls, value: str) -> str:
+        image_name = value.split("/")[-1]
+        if ":" in image_name:
+            raise PlatformException(
+                f"Image location cannot contain a tag '{value}'\nPlease remove the tag from your image location. The image tag is automatically added during deployment."
+            )
+        return value
+
+
+class Storage(BaseModel):
+    readonly_fs: Optional[bool] = Field(
+        description="Specify true to give your container read-only access to its root file system.",
+        default=False,
+    )
+    writable_directories: Optional[list[str]] = Field(
+        description="List of directories with read/write access.", default=None
+    )
+
+    @field_validator("writable_directories", mode="after")
+    @classmethod
+    def has_leading_forward_slash(cls, value: Union[list, None]) -> Union[list, None]:
+        if value is not None:
+            for path in value:
+                if not path.startswith("/"):
+                    raise PlatformException(
+                        "All writable directory paths must be absolute (starts with a /)"
+                    )
+        return value
+
+
+class Cooldown(BaseModel):
+    in_: Optional[int] = Field(
+        alias="in",
+        description="Number of seconds to wait before scaling in (down) after a drop in load.",
+        default=60,
+    )  # Can't use 'in' because it's a reserved keyword
+    out: Optional[int] = Field(
+        description="Number of seconds to wait before scaling out (up) after a spike in load.",
+        default=60,
+    )
+
+    @field_validator("in_", "out", mode="before")
+    @classmethod
+    def parse_seconds(cls, value):
+        if isinstance(value, str) and value.endswith("s"):
+            value = value.removesuffix("s")  # remove the trailing 's'
+        try:
+            return int(value)
+        except (ValueError, TypeError):
+            raise PlatformException("Cooldown values must be integers or strings like '30s'")
+
+
+class CpuPercentage(BaseModel):
+    value: int = Field(description="Target CPU utilisation percentage that triggers autoscaling.")
+    cooldown: Optional[Cooldown] = Field(
+        default=None, description="Optional CPU cooldown that overrides the global cooldown policy."
+    )
+
+
+class MemoryPercentage(BaseModel):
+    value: int = Field(description="Target CPU utilisation percentage that triggers autoscaling.")
+    cooldown: Optional[Cooldown] = Field(
+        default=None,
+        description="Optional memory cooldown that overrides the global cooldown policy.",
+    )
+
+
+class RequestsPerMinute(BaseModel):
+    value: int = Field(
+        description="Number of incoming requests per minute that triggers autoscaling."
+    )
+    cooldown: Optional[Cooldown] = Field(
+        default=None,
+        description="Optional requests cooldown that overrides the global cooldown policy.",
+    )
+
+
+class Count(BaseModel):
+    range: str = Field(
+        description="Minimum and maximum number of ECS tasks to maintain e.g. '1-2'."
+    )
+    cooldown: Optional[Cooldown] = Field(
+        default=None,
+        description="Global cooldown applied to all autoscaling metrics unless overridden per metric.",
+    )
+    cpu_percentage: Optional[Union[int, CpuPercentage]] = Field(
+        default=None,
+        description="CPU utilisation threshold (0–100). Either a plain integer or a map with 'value' and 'cooldown'.",
+    )
+    memory_percentage: Optional[Union[int, MemoryPercentage]] = Field(
+        default=None,
+        description="Memory utilisation threshold (0–100). Either a plain integer or a map with 'value' and 'cooldown'.",
+    )
+    requests_per_minute: Optional[Union[int, RequestsPerMinute]] = Field(
+        default=None,
+        description="Request-rate threshold. Either a plain integer or a map with 'value' and 'cooldown'.",
+    )
+
+    @model_validator(mode="after")
+    def at_least_one_autoscaling_metric(self):
+
+        if not any([self.cpu_percentage, self.memory_percentage, self.requests_per_minute]):
+            raise PlatformException(
+                "If autoscaling is enabled, you must define at least one metric: "
+                "cpu_percentage, memory_percentage, or requests_per_minute"
+            )
+
+        if not re.match(r"^(\d+)-(\d+)$", self.range):
+            raise PlatformException("Range must be in the format 'int-int' e.g. '1-2'")
+
+        range_split = self.range.split("-")
+        if range_split[0] >= range_split[1]:
+            raise PlatformException("Range minimum value must be less than the maximum value.")
+
+        return self
+
+
+class ServiceConfigEnvironmentOverride(BaseModel):
+    http: Optional[HttpOverride] = Field(default=None)
+    sidecars: Optional[Dict[str, SidecarOverride]] = Field(default=None)
+    image: Optional[Image] = Field(default=None)
+
+    cpu: Optional[int] = Field(default=None)
+    memory: Optional[int] = Field(default=None)
+    count: Optional[Union[int, Count]] = Field(default=None)
+    exec: Optional[bool] = Field(default=None)
+    entrypoint: Optional[list[str]] = Field(default=None)
+    essential: Optional[bool] = Field(default=None)
+
+    storage: Optional[Storage] = Field(default=None)
+
+    variables: Optional[Dict[str, Union[str, int, bool]]] = Field(default=None)
+    secrets: Optional[Dict[str, str]] = Field(default=None)
+
+
+class ServiceType(str, Enum):
+    BACKEND_SERVICE = "Backend Service"
+    LOAD_BALANCED_WEB_SERVICE = "Load Balanced Web Service"
+
+
+class ServiceConfig(BaseModel):
+    name: str = Field(description="Service name.")
+    type: ServiceType = Field(
+        description=f"Type of service. Must one one of: '{ServiceType.LOAD_BALANCED_WEB_SERVICE.value}', '{ServiceType.BACKEND_SERVICE.value}'"
+    )
+    http: Optional[Http] = Field(default=None)
+
+    @model_validator(mode="after")
+    def check_http_for_web_service(self):
+        if self.type == ServiceType.LOAD_BALANCED_WEB_SERVICE and self.http is None:
+            raise PlatformException(
+                f"A 'http' block must be provided when service type == {self.type.value}"
+            )
+        return self
+
+    sidecars: Optional[Dict[str, Sidecar]] = Field(default=None)
+    image: Image = Field()
+    cpu: int = Field(
+        description="vCPU units reserved for the ECS task (e.g. 256=0.25 vCPU, 512=0.5 vCPU, 1024=1 vCPU)."
+    )
+    memory: int = Field(
+        description="Memory in MiB reserved for the ECS task (e.g. 256, 512, 1024)."
+    )
+    count: Union[int, Count] = Field(
+        description="Desired task count — either a fixed integer or an autoscaling policy map with 'range', 'cooldown', and at least one of 'cpu_percentage', 'memory_percentage', or 'requests_per_minute' metrics."
+    )
+    exec: Optional[bool] = Field(
+        description="Enable ECS Exec (remote command execution) for running ECS tasks.",
+        default=False,
+    )
+    entrypoint: Optional[list[str]] = Field(
+        description="Overrides the default entrypoint in the image.", default=None
+    )
+    essential: Optional[bool] = Field(
+        description="Whether the main container is marked essential; The entire ECS task stops if it exits.",
+        default=True,
+    )
+    storage: Storage = Field(default_factory=Storage)
+    variables: Optional[Dict[str, Union[str, int, bool]]] = Field(
+        description="Environment variables to inject into the main application container.",
+        default=None,
+    )
+    secrets: Optional[Dict[str, str]] = Field(
+        description="Parameter Store secrets to inject into the main application container.",
+        default=None,
+    )
+    # Environment overrides can override almost the full config
+    environments: Optional[Dict[str, ServiceConfigEnvironmentOverride]] = Field(
+        description="Allows you to override most service config properties for specific environments.",
+        default=None,
+    )
+
+    # Class based variable used when handling the object
+    local_terraform_source: ClassVar[str] = "../../../../../platform-tools/terraform/ecs-service"

dbt_platform_helper/providers/autoscaling.py

@@ -0,0 +1,24 @@
+from typing import Any
+
+import boto3
+from botocore.exceptions import ClientError
+
+from dbt_platform_helper.platform_exception import PlatformException
+
+
+class AutoscalingProvider:
+    def __init__(self, client: boto3.client):
+        self.autoscaling_client = client
+
+    def describe_autoscaling_target(
+        self, cluster_name: str, ecs_service_name: str
+    ) -> dict[str, Any]:
+        """Return autoscaling target information for an ECS service."""
+
+        try:
+            response = self.autoscaling_client.describe_scalable_targets(
+                ServiceNamespace="ecs", ResourceIds=[f"service/{cluster_name}/{ecs_service_name}"]
+            )
+            return response["ScalableTargets"][0]
+        except ClientError as err:
+            raise PlatformException(f"Error retrieving scalable targets: {err}")

dbt_platform_helper/providers/aws/exceptions.py

@@ -63,3 +63,8 @@ class CreateAccessTokenException(AWSException):
 class UnableToRetrieveSSOAccountList(AWSException):
     def __init__(self):
         super().__init__("Unable to retrieve AWS SSO account list")
+
+
+class UnableToRetrieveSSOAccountRolesList(AWSException):
+    def __init__(self, account_id: str):
+        super().__init__(f"Unable to retrieve AWS SSO roles list for AWS account {account_id}")

dbt_platform_helper/providers/aws/sso_auth.py

@@ -3,6 +3,9 @@ from boto3 import Session
 
 from dbt_platform_helper.providers.aws.exceptions import CreateAccessTokenException
 from dbt_platform_helper.providers.aws.exceptions import UnableToRetrieveSSOAccountList
+from dbt_platform_helper.providers.aws.exceptions import (
+    UnableToRetrieveSSOAccountRolesList,
+)
 from dbt_platform_helper.utils.aws import get_aws_session_or_abort
 
 
@@ -55,6 +58,17 @@ class SSOAuthProvider:
             raise UnableToRetrieveSSOAccountList()
         return aws_accounts_response.get("accountList")
 
+    def list_account_roles(self, access_token, account_id, max_results=100):
+        aws_account_roles_response = self.sso.list_account_roles(
+            accessToken=access_token,
+            accountId=account_id,
+            maxResults=max_results,
+        )
+
+        if len(aws_account_roles_response.get("roleList", [])) == 0:
+            raise UnableToRetrieveSSOAccountRolesList(account_id=account_id)
+        return aws_account_roles_response.get("roleList")
+
     def _get_client(self, client: str):
         if not self.session:
             self.session = get_aws_session_or_abort()

dbt_platform_helper/providers/config.py

@@ -25,6 +25,23 @@ PLEASE_UPGRADE_TO_V13_MESSAGE = """Please ensure that you have already upgraded
 Then upgrade platform-helper to version {installed_platform_helper_version} and run 'platform-helper config migrate' to upgrade the configuration to the current schema version."""
 
 
+class ConfigLoader:
+    def __init__(self, file_provider=YamlFileProvider, io: ClickIOProvider = ClickIOProvider()):
+        self.io = io
+        self.file_provider = file_provider
+
+    def load(self, path):
+        try:
+            file_content = self.file_provider.load(path)
+            return file_content
+        except FileNotFoundException as e:
+            self.io.abort_with_error(
+                f"{e} Please check it exists and you are in the root directory of your -deploy repository."
+            )
+        except FileProviderException as e:
+            self.io.abort_with_error(f"Error loading configuration from {path}: {e}")
+
+
 class ConfigProvider:
     def __init__(
         self,
@@ -183,8 +200,6 @@ class ConfigProvider:
             name: data if data else {} for name, data in environments.items() if name != "*"
         }
 
-        config.get("default_versions", {})
-
         def combine_env_data(data):
             return {
                 **env_defaults,

dbt_platform_helper/providers/config_validator.py

@@ -28,7 +28,9 @@ class ConfigValidator:
             self.validate_environment_pipelines,
             self.validate_environment_pipelines_triggers,
             self.validate_database_copy_section,
-            self.validate_database_migration_input_sources,
+            self.validate_s3_data_migration_config,
+            self.validate_cache_invalidation_config,
+            self.validate_config_for_managed_upgrades,
         ]
         self.io = io
         self.session = session
@@ -203,7 +205,7 @@ class ConfigValidator:
         if errors:
             raise ConfigValidatorError("\n".join(errors))
 
-    def validate_database_migration_input_sources(self, config: dict):
+    def validate_s3_data_migration_config(self, config: dict):
         extensions = config.get("extensions", {})
         if not extensions:
             return
@@ -222,6 +224,10 @@ class ConfigValidator:
                 if "data_migration" not in env_config:
                     continue
                 data_migration = env_config.get("data_migration", {})
+                if extension.get("serve_static_content", {}):
+                    errors.append(
+                        "Data migration is not supported for static S3 buckets to avoid the risk of unintentionally exposing private data. However, you can copy data on an ad hoc basis using AWS CLI commands such as 'aws s3 sync' or 'aws s3 cp'."
+                    )
                 if "import" in data_migration and "import_sources" in data_migration:
                     errors.append(
                         f"Error in '{extension_name}.environments.{env}.data_migration': only the 'import_sources' property is required - 'import' is deprecated."
@@ -232,3 +238,82 @@ class ConfigValidator:
                     )
         if errors:
             raise ConfigValidatorError("\n".join(errors))
+
+    def validate_cache_invalidation_config(self, config: dict):
+        codebase_pipelines = config.get("codebase_pipelines")
+        if not codebase_pipelines:
+            return
+
+        errors = []
+
+        all_environments = [env for env in config.get("environments", {}).keys() if not env == "*"]
+
+        for codebase in codebase_pipelines.values():
+            cache_invalidation_config = codebase.get("cache_invalidation")
+            if cache_invalidation_config:
+                for domain, config in cache_invalidation_config.get("domains").items():
+                    environment = config.get("environment")
+                    if environment not in all_environments:
+                        errors.append(
+                            f"Error in cache invalidation configuration for the domain '{domain}'.  Environment '{environment}' is not defined for this application"
+                        )
+
+        if errors:
+            raise ConfigValidatorError("\n".join(errors))
+
+    def validate_config_for_managed_upgrades(self, config: dict):
+        """
+        Validates that pipelines do not contain manual approvals when managed
+        upgrades are enabled.
+
+        Args:
+            config (dict): The platform configuration dictionary.
+
+        Raises:
+            ConfigValidatorError:
+            - If any pipeline contains manual approvals when platform-helper is "auto".
+            - If platform-config.yml is missing environment_pipelines or codebase_pipelines configuration.
+        """
+        errors = []
+
+        def find_pipeline_for_env(env_pipelines, env: str):
+            for name, config in env_pipelines.items():
+                if not isinstance(config, dict):
+                    continue
+                envs = config.get("environments", {})
+                if isinstance(envs, dict) and env in envs:
+                    return name
+
+        if config.get("default_versions", {}).get("platform-helper") == "auto":
+
+            pipelines = {}
+            environments = [env for env in config.get("environments").keys() if env != "*"]
+            environment_pipelines = config.get("environment_pipelines", {})
+            for env in environments:
+                pipeline = find_pipeline_for_env(environment_pipelines, env)
+                if not pipeline:
+                    errors.append(
+                        f"For auto default platform-helper version, all environments {environments} must be deployed in an environment pipeline. Missing: {env}"
+                    )
+
+            for pipeline_section in ["environment_pipelines", "codebase_pipelines"]:
+                pipelines = config.get(pipeline_section, {})
+
+                if not pipelines:
+                    errors.append(
+                        f"For auto default platform-helper version, environment and codebase pipelines must be configured in platform-config.yml. {pipeline_section} is not configured."
+                    )
+                    continue
+
+                for pipeline_name, pipeline in pipelines.items():
+                    if pipeline_section == "environment_pipelines":
+                        pipeline_deploy_to_environments = pipeline.get("environments", {})
+                        for env_name, env_config in pipeline_deploy_to_environments.items():
+                            if isinstance(env_config, dict) and env_config.get("requires_approval"):
+                                errors.append(
+                                    f"Managed upgrades enabled: (environment_pipelines) Pipeline '{pipeline_name}' environment '{env_name}' "
+                                    "cannot have manual approval when platform-helper is 'auto'."
+                                )
+
+        if errors:
+            raise ConfigValidatorError("\n".join(errors))