qontract-reconcile 0.10.1rc1057__py3-none-any.whl → 0.10.1rc1059__py3-none-any.whl

{qontract_reconcile-0.10.1rc1057.dist-info → qontract_reconcile-0.10.1rc1059.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc1057
+Version: 0.10.1rc1059
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc1057.dist-info → qontract_reconcile-0.10.1rc1059.dist-info}/RECORD

@@ -114,7 +114,7 @@ reconcile/terraform_cloudflare_resources.py,sha256=41Mj1WkuS75slCDpmhG2GGf1nh3Bw
 reconcile/terraform_cloudflare_users.py,sha256=iyTG5sj20Jg4J4qWJ144KVptfIHGOSfH8wQKxu0imq0,13942
 reconcile/terraform_repo.py,sha256=TKqlodhQGoAtQ6nDm04TNlpx4wpgJ_n4atoUK5Rfd7o,16444
 reconcile/terraform_resources.py,sha256=-sgMMHDtNvnQyNR05-MKebI_pSiyxSWAg8LmeA2_Ntk,19326
-reconcile/terraform_tgw_attachments.py,sha256=EucuF4p3RWKTS4GTPd8oZmR79GpIW_grQl2PAeeNQeI,18665
+reconcile/terraform_tgw_attachments.py,sha256=09svJG9pAiwWp4aY0xRoQRV90T4ZNwHG3r8flI-ZS_s,18810
 reconcile/terraform_users.py,sha256=HqSm3ev3b8dZ9J6F_phDZB-FQsnlsdeKp9RPoY1cU94,10188
 reconcile/terraform_vpc_peerings.py,sha256=VLSfuO7FvHN5McopRiKoKJDHCmIhYtlJEHv_hxV5kcM,27669
 reconcile/vault_replication.py,sha256=isfmNaqxl4AC90n8sVJffUt685sPBfhNSvjks6DoQXg,17339
@@ -255,7 +255,7 @@ reconcile/gql_definitions/common/aws_vpcs.py,sha256=Dss9dQ3xagnz3Ltg1e9mtG2PAmQG
 reconcile/gql_definitions/common/clusters.py,sha256=Dr5AsSsTuqjAxkI9fU0fdiaP6u5qkmRpkkCcYDnU584,21868
 reconcile/gql_definitions/common/clusters_minimal.py,sha256=JYrJV_aStmryiiGKyiXhj47qpF_8KilCqy-d9CofBCo,4635
 reconcile/gql_definitions/common/clusters_with_dms.py,sha256=GJ53P8tgMLh1NfVkaV9_AmaqF9pNUqJZcDkcKzKzUy0,2242
-reconcile/gql_definitions/common/clusters_with_peering.py,sha256=9NGjhJW_QWA5XSGGjULdIJdDVObdRqiX2OwEl9zTu4U,11838
+reconcile/gql_definitions/common/clusters_with_peering.py,sha256=B1Hi3u6rZZsl4bDDPMLIcSRI5lNFuh29lPVVTOrRRpQ,11929
 reconcile/gql_definitions/common/github_orgs.py,sha256=rZ0pDAA2_9hF9N-ykRZIxPtEmczTSjuA_k3nkp0k1W0,2039
 reconcile/gql_definitions/common/jira_settings.py,sha256=Fmjxhlhr69kc4jkG_0k17fuYlQVucbNex0jXYu83wbY,1990
 reconcile/gql_definitions/common/jiralert_settings.py,sha256=H96nMg_r2YcOvioj3aIkwqtFrALGSLt7uhbx9jGSUTo,1984
@@ -566,7 +566,7 @@ reconcile/test/test_terraform_cloudflare_resources.py,sha256=1mdSZS-38mtTSg7teJg
 reconcile/test/test_terraform_cloudflare_users.py,sha256=2VGBtMUhckLPtUnQlHIzpGsCnyVJZPNLFf-ABELkxbQ,27456
 reconcile/test/test_terraform_repo.py,sha256=INfl-VlUtpV87J0neQt4wliptnX7PKvxLPF-ZgweTFA,12960
 reconcile/test/test_terraform_resources.py,sha256=8C97yXIEihaQ3DZrtjxLNt4y4G12IOhD01ydm7JjliY,15359
-reconcile/test/test_terraform_tgw_attachments.py,sha256=SM6QwogMZNLh0BkUyaxzFafuOLp23-hBtYTu_F53C4I,40922
+reconcile/test/test_terraform_tgw_attachments.py,sha256=pJFmQzUwAn-wKpF6oSkImpdF7WXvcky8iaJiXbjGGgU,41104
 reconcile/test/test_terraform_users.py,sha256=XOAfGvITCJPI1LTlISmHbA4ONMQMkxYUMTsny7pQCFw,4319
 reconcile/test/test_terraform_vpc_peerings.py,sha256=bpjCjhmic07cw3XKSHf-2JvmLuWlyQG8laXlC-H7qtI,20796
 reconcile/test/test_terraform_vpc_peerings_build_desired_state.py,sha256=cHmr1_yhRgfdqlFX6TMw-aiKXebaRv0szl16M9YRJic,49988
@@ -724,8 +724,8 @@ reconcile/utils/sqs_gateway.py,sha256=XNIf3PY4UCPNufP2Ul0UJj3fKlt5larBba-VTT-41F
 reconcile/utils/state.py,sha256=W0_awkLAPX18hNOF_60o73tkPxDUylqbzYNHfl_sDsk,16386
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
-reconcile/utils/terraform_client.py,sha256=jHTkqqJk1HQh2vZP1FkEeDOiMlO-SKmX8oYuS7lzO_o,34672
-reconcile/utils/terrascript_aws_client.py,sha256=ctNT-TQSMxNicVIjR1gM2OZWzNc_BG820COSXb_E-CE,278933
+reconcile/utils/terraform_client.py,sha256=rGyia1FuW-NtZhydreh5K2fAumvM9MJhxBaa6xUdH54,35905
+reconcile/utils/terrascript_aws_client.py,sha256=SMsJaOmpn_9QQHhKIN_5ps1zOa9zEcBSsxGOyvF8voU,280492
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=9GSNHku8tw5KM2LKpZ1myWYDLtLGUJgpSnD0DxbzeO0,14956
@@ -867,8 +867,8 @@ tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jr
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc1057.dist-info/METADATA,sha256=QAX2yVsbSHxtZT1eJKfc-v_ZDWOfcNA5gRNg4fHsgwo,2213
-qontract_reconcile-0.10.1rc1057.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
-qontract_reconcile-0.10.1rc1057.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc1057.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc1057.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc1059.dist-info/METADATA,sha256=YQ--_Q2We5-jBRDfo1Q4mpT0E9dwxpholocK39LiTCU,2213
+qontract_reconcile-0.10.1rc1059.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
+qontract_reconcile-0.10.1rc1059.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc1059.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc1059.dist-info/RECORD,,

reconcile/gql_definitions/common/clusters_with_peering.py

@@ -147,6 +147,7 @@ query ClustersWithPeering {
           }
           tags
           cidrBlock
+          cidrBlocks
           manageSecurityGroups
           manageRoute53Associations
           allowPrivateHcpApiAccess
@@ -268,6 +269,7 @@ class ClusterPeeringConnectionAccountTGWV1(ClusterPeeringConnectionV1):
     account: ClusterPeeringConnectionAccountTGWV1_AWSAccountV1 = Field(..., alias="account")
     tags: Optional[Json] = Field(..., alias="tags")
     cidr_block: Optional[str] = Field(..., alias="cidrBlock")
+    cidr_blocks: Optional[list[str]] = Field(..., alias="cidrBlocks")
     manage_security_groups: Optional[bool] = Field(..., alias="manageSecurityGroups")
     manage_route53_associations: Optional[bool] = Field(..., alias="manageRoute53Associations")
     allow_private_hcp_api_access: Optional[bool] = Field(..., alias="allowPrivateHcpApiAccess")

reconcile/terraform_tgw_attachments.py

@@ -64,11 +64,14 @@ class ValidationError(Exception):
     pass
 
 
-class AccountProviderInfo(BaseModel):
+class TGWAccountProviderInfo(BaseModel):
     name: str
     uid: str
     assume_role: str | None
     assume_region: str
+
+
+class ClusterAccountProviderInfo(TGWAccountProviderInfo):
     assume_cidr: str
 
 
@@ -79,8 +82,9 @@ class Requester(BaseModel):
     routes: list[dict] | None
     rules: list[dict] | None
     hostedzones: list[str] | None
-    cidr_block: str
-    account: AccountProviderInfo
+    cidr_block: str | None
+    cidr_blocks: list[str]
+    account: TGWAccountProviderInfo
 
 
 class Accepter(BaseModel):
@@ -89,7 +93,7 @@ class Accepter(BaseModel):
     vpc_id: str | None
     route_table_ids: list[str] | None
     subnets_id_az: list[dict] | None
-    account: AccountProviderInfo
+    account: ClusterAccountProviderInfo
     api_security_group_id: str | None
 
 
@@ -225,7 +229,7 @@ def _build_account_with_assume_role(
     region: str,
     cidr_block: str,
     ocm: OCM | None,
-) -> AccountProviderInfo:
+) -> ClusterAccountProviderInfo:
     account = peer_connection.account
     # assume_role is the role to assume to provision the
     # peering connection request, through the accepter AWS account.
@@ -235,7 +239,7 @@ def _build_account_with_assume_role(
     # there is no OCM at all.
     if not assume_role:
         if isinstance(cluster.spec, ClusterSpecROSAV1) and cluster.spec.account:
-            return AccountProviderInfo(
+            return ClusterAccountProviderInfo(
                 name=cluster.spec.account.name,
                 uid=cluster.spec.account.uid,
                 assume_role=assume_role,
@@ -247,7 +251,7 @@ def _build_account_with_assume_role(
         assume_role = ocm.get_aws_infrastructure_access_terraform_assume_role(
             cluster.name, account.uid, account.terraform_username
         )
-    return AccountProviderInfo(
+    return ClusterAccountProviderInfo(
         name=account.name,
         uid=account.uid,
         assume_role=assume_role,
@@ -258,7 +262,7 @@ def _build_account_with_assume_role(
 
 def _build_accepter(
     peer_connection: ClusterPeeringConnectionAccountTGWV1,
-    account: AccountProviderInfo,
+    account: ClusterAccountProviderInfo,
     region: str,
     cidr_block: str,
     awsapi: AWSApi,
@@ -290,11 +294,10 @@ def _build_requester(
     peer_connection: ClusterPeeringConnectionAccountTGWV1,
     tgw: Mapping,
 ) -> Requester:
-    tgw_account = AccountProviderInfo(
+    tgw_account = TGWAccountProviderInfo(
         name=peer_connection.account.name,
         uid=peer_connection.account.uid,
         assume_region=tgw["region"],
-        assume_cidr=peer_connection.cidr_block,
     )
     return Requester(
         tgw_id=tgw["tgw_id"],
@@ -304,6 +307,7 @@ def _build_requester(
         rules=tgw.get("rules"),
         hostedzones=tgw.get("hostedzones"),
         cidr_block=peer_connection.cidr_block,
+        cidr_blocks=peer_connection.cidr_blocks or [],
         account=tgw_account,
     )
 

reconcile/test/test_terraform_tgw_attachments.py

@@ -161,6 +161,7 @@ def peering_connection_builder(
         account: ClusterPeeringConnectionAccountTGWV1_AWSAccountV1 | None = None,
         assume_role: str | None = None,
         cidr_block: str | None = None,
+        cidr_blocks: list[str] | None = None,
         delete: bool | None = None,
     ) -> ClusterPeeringConnectionAccountTGWV1:
         return gql_class_factory(
@@ -172,6 +173,7 @@ def peering_connection_builder(
                 "account": account.dict(by_alias=True) if account is not None else None,
                 "assumeRole": assume_role,
                 "cidrBlock": cidr_block,
+                "cidrBlocks": cidr_blocks,
                 "delete": delete,
             },
         )
@@ -191,6 +193,7 @@ def account_tgw_connection(
         account=tgw_connection_account,
         assume_role=None,
         cidr_block="172.16.0.0/16",
+        cidr_blocks=["10.240.0.0/12"],
         delete=False,
     )
 
@@ -481,6 +484,7 @@ def build_expected_desired_state_item(
             rules=tgw["rules"],
             hostedzones=tgw["hostedzones"],
             cidr_block=connection.cidr_block,
+            cidr_blocks=connection.cidr_blocks or [],
             account=expected_tgw_account,
         ),
         accepter=Accepter(

reconcile/utils/terraform_client.py

@@ -331,12 +331,27 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
         for resource_change in resource_changes:
             resource_type = resource_change["type"]
             resource_name = resource_change["name"]
+            resource_previous_address = resource_change.get("previous_address")
             resource_change = resource_change["change"]
             actions = resource_change["actions"]
             for action in actions:
+                if resource_previous_address:
+                    # the resource is being moved/renamed in the TF state
+                    with self._log_lock:
+                        logging.info([
+                            "move/rename",
+                            name,
+                            resource_previous_address,
+                            resource_change["address"],
+                        ])
+
                 if action == "no-op":
                     logging.debug([action, name, resource_type, resource_name])
-                    continue
+                    if resource_previous_address:
+                        # apply resource renaming with no-op
+                        self.increment_apply_count()
+                    else:
+                        continue
                 if action == "update" and resource_type == "aws_db_instance":
                     self.validate_db_upgrade(name, resource_name, resource_change)
                     # Ignore RDS modifications that are going to occur during the next
@@ -790,6 +805,9 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
 
             blue_green_update = after.get("blue_green_update", [])
             if blue_green_update and blue_green_update[0]["enabled"]:
+                changed_fields = self._resource_diff_changed_fields(
+                    "update", resource_change
+                )
                 replica = before["replicas"] != [] or before["replicate_source_db"]
                 self.validate_blue_green_update_requirements(
                     account_name,
@@ -799,6 +817,7 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
                     replica,
                     before["parameter_group_name"],
                     region_name,
+                    changed_fields=changed_fields,
                 )
 
     def validate_blue_green_update_requirements(
@@ -810,6 +829,7 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
         replica: bool,
         parameter_group: str,
         region_name: str,
+        changed_fields: set[str],
     ) -> None:
         min_supported_versions = {
             "mysql": [pkg_version.parse("5.7"), pkg_version.parse("8.0.15")],
@@ -862,6 +882,13 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
                 )
                 return
 
+        if "storage_type" in changed_fields or "allocated_storage" in changed_fields:
+            logging.error(
+                f"Cannot upgrade RDS instance: {resource_name}. "
+                f"Blue/green updates are not supported when 'storage_type' or 'allocated_storage' has changed."
+            )
+            return
+
 
 class TerraformPlanFailed(Exception):
     pass

reconcile/utils/terrascript_aws_client.py

@@ -35,6 +35,7 @@ from sretoolbox.utils import threaded
 # temporary to create aws_ecrpublic_repository
 from terrascript import (
     Backend,
+    Block,
     Data,
     Module,
     Output,
@@ -299,6 +300,13 @@ class UnapprovedSecretPathError(Exception):
     pass
 
 
+class Moved(Block):
+    """Terraform `moved` block, available since Terraform 1.1"""
+
+    def __init__(self, fro: str, to: str):
+        super().__init__(fro=fro, to=to)
+
+
 class aws_ecrpublic_repository(Resource):
     pass
 
@@ -1392,17 +1400,32 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             # add routes to existing route tables
             route_table_ids = accepter.route_table_ids
             req_cidr_block = requester.cidr_block
-            if route_table_ids and req_cidr_block:
+            req_cidr_blocks = requester.cidr_blocks or []
+            if req_cidr_block:
+                req_cidr_blocks.append(req_cidr_block)
+            if route_table_ids and (req_cidr_block or req_cidr_blocks):
                 for route_table_id in route_table_ids:
-                    values = {
-                        "provider": "aws." + acc_alias,
-                        "route_table_id": route_table_id,
-                        "destination_cidr_block": req_cidr_block,
-                        "transit_gateway_id": requester.tgw_id,
-                    }
-                    route_identifier = f"{identifier}-{route_table_id}"
-                    tf_resource = aws_route(route_identifier, **values)
-                    self.add_resource(infra_account_name, tf_resource)
+                    for cidr_block in req_cidr_blocks:
+                        values = {
+                            "provider": "aws." + acc_alias,
+                            "route_table_id": route_table_id,
+                            "destination_cidr_block": cidr_block,
+                            "transit_gateway_id": requester.tgw_id,
+                        }
+                        # use the cidr block in the resource name to allow re-ordering
+                        cidr_id = cidr_block.replace(".", "-").replace("/", "_")
+                        route_identifier = (
+                            f"{identifier}-{route_table_id}-dest-{cidr_id}"
+                        )
+                        tf_resource = aws_route(route_identifier, **values)
+                        self.add_resource(infra_account_name, tf_resource)
+                    if req_cidr_block:
+                        req_cidr_id = req_cidr_block.replace(".", "-").replace("/", "_")
+                        moved = Moved(
+                            fro=f"aws_route.{identifier}-{route_table_id}",
+                            to=f"aws_route.{identifier}-{route_table_id}-dest-{req_cidr_id}",
+                        )
+                        self.add_moved(infra_account_name, moved)
 
             # add routes to peered transit gateways in the requester's
             # account to achieve global routing from all regions
@@ -4084,6 +4107,19 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         with self.locks[account]:
             self.tss[account].add(tf_resource)
 
+    def add_moved(self, account: str, moved: Moved):
+        if account not in self.locks:
+            logging.debug(
+                f"integration {self.integration} is disabled for account {account}. "
+                "can not add resource"
+            )
+            return
+        with self.locks[account]:
+            self.tss[account].setdefault("moved", []).append({
+                "from": moved.fro,
+                "to": moved.to,
+            })
+
     def dump(
         self,
         print_to_file: str | None = None,