qontract-reconcile 0.10.1rc1061__py3-none-any.whl → 0.10.1rc1063__py3-none-any.whl

{qontract_reconcile-0.10.1rc1061.dist-info → qontract_reconcile-0.10.1rc1063.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc1061
+Version: 0.10.1rc1063
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc1061.dist-info → qontract_reconcile-0.10.1rc1063.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=q96mwr2KeEQ5bpNniGlgIMZTxiuLSodcYfX-t
 reconcile/aws_support_cases_sos.py,sha256=hl_9L53yQYRQxKs3IWrd69Cc60XK067g_bJRM9B0udo,2975
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=JCKHmEpzb1MnjtyBlyRPo27J2z03J1rrQ680Nlu7_m8,106890
+reconcile/cli.py,sha256=PHoUlP86m-TdTpB3hyoHbOEDWR0_ZO-GSBQEGTmbTmc,107514
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=rLh16BOlBOxTmJ8Si3wWyyEpmMlhh4Znx1Gc36qsmOc,4865
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=l34QDu1G96_Ctnh7ZXdxXgSeCE93GQMdLAkWxmN6vDA,4775
@@ -114,7 +114,7 @@ reconcile/terraform_cloudflare_resources.py,sha256=41Mj1WkuS75slCDpmhG2GGf1nh3Bw
 reconcile/terraform_cloudflare_users.py,sha256=iyTG5sj20Jg4J4qWJ144KVptfIHGOSfH8wQKxu0imq0,13942
 reconcile/terraform_repo.py,sha256=TKqlodhQGoAtQ6nDm04TNlpx4wpgJ_n4atoUK5Rfd7o,16444
 reconcile/terraform_resources.py,sha256=-sgMMHDtNvnQyNR05-MKebI_pSiyxSWAg8LmeA2_Ntk,19326
-reconcile/terraform_tgw_attachments.py,sha256=EucuF4p3RWKTS4GTPd8oZmR79GpIW_grQl2PAeeNQeI,18665
+reconcile/terraform_tgw_attachments.py,sha256=09svJG9pAiwWp4aY0xRoQRV90T4ZNwHG3r8flI-ZS_s,18810
 reconcile/terraform_users.py,sha256=HqSm3ev3b8dZ9J6F_phDZB-FQsnlsdeKp9RPoY1cU94,10188
 reconcile/terraform_vpc_peerings.py,sha256=VLSfuO7FvHN5McopRiKoKJDHCmIhYtlJEHv_hxV5kcM,27669
 reconcile/vault_replication.py,sha256=isfmNaqxl4AC90n8sVJffUt685sPBfhNSvjks6DoQXg,17339
@@ -161,9 +161,10 @@ reconcile/aws_version_sync/merge_request_manager/merge_request_manager.py,sha256
 reconcile/change_owners/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/change_owners/approver.py,sha256=Z3_11vnK2WNOxjEEXVDh0224-_-qbt9d6mBeVE-7fsc,2259
 reconcile/change_owners/bundle.py,sha256=ZIlXRo6Z2raeWSCUqYsexBdol-q-r9kWJs5O_YPaEYk,5273
+reconcile/change_owners/change_log_tracking.py,sha256=zFpean5UB3-u5VQLJHzik8GmhBwYoNorR-l90-D1Pis,4160
 reconcile/change_owners/change_owners.py,sha256=0HRJhDm0oW3uYJFgzynqA1gA0lbhalhSkmWOiQmr-NM,17062
-reconcile/change_owners/change_types.py,sha256=PMDEWOAbRKjES3WDPGe_8bcrZgK3efLdVF22WvkUL3A,31938
-reconcile/change_owners/changes.py,sha256=CH38-hyOfbH6xFYWidw_LAniyPisKq9nGRQhUaT93do,17180
+reconcile/change_owners/change_types.py,sha256=TjVtvmkU0s8w2NA6qvWQccB6PwlCrChFySlsHLYZjpE,32027
+reconcile/change_owners/changes.py,sha256=pa3cNAL-Xawh700ARJJQjY0p09NA1J2329RcE0F0MHM,17224
 reconcile/change_owners/decision.py,sha256=iUJcIc_N_RqXIAY8D10RZqPMC2OinsHTMcqI6f6uylE,7606
 reconcile/change_owners/diff.py,sha256=0vyu29xCL24ZhUa7hqBni0NaxoCYRXLwvA-h8V23YQ4,9009
 reconcile/change_owners/implicit_ownership.py,sha256=6BehZvx4IjrphmOt_LLLk9_02Fl5BY5jd00Wuz_PBZk,4234
@@ -233,7 +234,7 @@ reconcile/gql_definitions/aws_version_sync/clusters.py,sha256=2TOJOFxpTkZ2HKuqAG
 reconcile/gql_definitions/aws_version_sync/namespaces.py,sha256=eBLyXlSjWdmEE-jY9M2Ocgk7JGi2OsWisTkjHLfgU_A,4311
 reconcile/gql_definitions/change_owners/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/change_owners/queries/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/change_owners/queries/change_types.py,sha256=9S2YRNnSAvutjzuubZIQQe35yd8V2rGKvWSUI6yl11Q,5017
+reconcile/gql_definitions/change_owners/queries/change_types.py,sha256=SjpKbLWmLh8iwPwfulbjHpH-M1hqBG1TOu_pZazox0Q,5084
 reconcile/gql_definitions/change_owners/queries/self_service_roles.py,sha256=BcTQvnefPiShG90ajU_l2V6HUYSEXgdAzgiwY89vQew,4790
 reconcile/gql_definitions/cluster_auth_rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/cluster_auth_rhidp/clusters.py,sha256=Pp9P3Q30Be3szcVqOEOtPfYUNiGTq1xc5Juz-ApMMw0,3283
@@ -255,7 +256,7 @@ reconcile/gql_definitions/common/aws_vpcs.py,sha256=Dss9dQ3xagnz3Ltg1e9mtG2PAmQG
 reconcile/gql_definitions/common/clusters.py,sha256=Dr5AsSsTuqjAxkI9fU0fdiaP6u5qkmRpkkCcYDnU584,21868
 reconcile/gql_definitions/common/clusters_minimal.py,sha256=JYrJV_aStmryiiGKyiXhj47qpF_8KilCqy-d9CofBCo,4635
 reconcile/gql_definitions/common/clusters_with_dms.py,sha256=GJ53P8tgMLh1NfVkaV9_AmaqF9pNUqJZcDkcKzKzUy0,2242
-reconcile/gql_definitions/common/clusters_with_peering.py,sha256=9NGjhJW_QWA5XSGGjULdIJdDVObdRqiX2OwEl9zTu4U,11838
+reconcile/gql_definitions/common/clusters_with_peering.py,sha256=B1Hi3u6rZZsl4bDDPMLIcSRI5lNFuh29lPVVTOrRRpQ,11929
 reconcile/gql_definitions/common/github_orgs.py,sha256=rZ0pDAA2_9hF9N-ykRZIxPtEmczTSjuA_k3nkp0k1W0,2039
 reconcile/gql_definitions/common/jira_settings.py,sha256=Fmjxhlhr69kc4jkG_0k17fuYlQVucbNex0jXYu83wbY,1990
 reconcile/gql_definitions/common/jiralert_settings.py,sha256=H96nMg_r2YcOvioj3aIkwqtFrALGSLt7uhbx9jGSUTo,1984
@@ -566,7 +567,7 @@ reconcile/test/test_terraform_cloudflare_resources.py,sha256=1mdSZS-38mtTSg7teJg
 reconcile/test/test_terraform_cloudflare_users.py,sha256=2VGBtMUhckLPtUnQlHIzpGsCnyVJZPNLFf-ABELkxbQ,27456
 reconcile/test/test_terraform_repo.py,sha256=INfl-VlUtpV87J0neQt4wliptnX7PKvxLPF-ZgweTFA,12960
 reconcile/test/test_terraform_resources.py,sha256=8C97yXIEihaQ3DZrtjxLNt4y4G12IOhD01ydm7JjliY,15359
-reconcile/test/test_terraform_tgw_attachments.py,sha256=SM6QwogMZNLh0BkUyaxzFafuOLp23-hBtYTu_F53C4I,40922
+reconcile/test/test_terraform_tgw_attachments.py,sha256=pJFmQzUwAn-wKpF6oSkImpdF7WXvcky8iaJiXbjGGgU,41104
 reconcile/test/test_terraform_users.py,sha256=XOAfGvITCJPI1LTlISmHbA4ONMQMkxYUMTsny7pQCFw,4319
 reconcile/test/test_terraform_vpc_peerings.py,sha256=bpjCjhmic07cw3XKSHf-2JvmLuWlyQG8laXlC-H7qtI,20796
 reconcile/test/test_terraform_vpc_peerings_build_desired_state.py,sha256=cHmr1_yhRgfdqlFX6TMw-aiKXebaRv0szl16M9YRJic,49988
@@ -724,8 +725,8 @@ reconcile/utils/sqs_gateway.py,sha256=XNIf3PY4UCPNufP2Ul0UJj3fKlt5larBba-VTT-41F
 reconcile/utils/state.py,sha256=W0_awkLAPX18hNOF_60o73tkPxDUylqbzYNHfl_sDsk,16386
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
-reconcile/utils/terraform_client.py,sha256=gyTqNyDn0uQISxnfXOWv8HpXSM1-yqvwDiVGIW0jpRk,35215
-reconcile/utils/terrascript_aws_client.py,sha256=ctNT-TQSMxNicVIjR1gM2OZWzNc_BG820COSXb_E-CE,278933
+reconcile/utils/terraform_client.py,sha256=LjX2U2E0Dglt2S_KA5jWQ_dVC8sPn4FEAh0xW_d6JTk,35953
+reconcile/utils/terrascript_aws_client.py,sha256=SMsJaOmpn_9QQHhKIN_5ps1zOa9zEcBSsxGOyvF8voU,280492
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=9GSNHku8tw5KM2LKpZ1myWYDLtLGUJgpSnD0DxbzeO0,14956
@@ -836,7 +837,7 @@ tools/app_interface_metrics_exporter.py,sha256=zkwkxdAUAxjdc-pzx2_oJXG25fo0Fnyd5
 tools/app_interface_reporter.py,sha256=oZPib4HPq0aZ2Zui1QGJGk6qQdfpeihujGDBnSdKyGE,17627
 tools/glitchtip_access_reporter.py,sha256=oPBnk_YoDuljU3v0FaChzOwwnk4vap1xEE67QEjzdqs,2948
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=LDQgwmAg3kzgtPuODqhGgPeVfD_9g8dgiOOVRsJ3YRA,128234
+tools/qontract_cli.py,sha256=5RQemctfItbH3S4TPjX2AmqmS1vCoI5j9zqhxFRJB44,129495
 tools/sd_app_sre_alert_report.py,sha256=e9vAdyenUz2f5c8-z-5WY0wv-SJ9aePKDH2r4IwB6pc,5063
 tools/template_validation.py,sha256=qpKYaTgk0GOPGa2Ct5_5sKdwIHtCAKIBGzsMPuJU5fw,3371
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -867,8 +868,8 @@ tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jr
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc1061.dist-info/METADATA,sha256=h9WxXliU1mlCQK_rTCcdKt6xDFcUTN2z9AdiP-QeRzU,2213
-qontract_reconcile-0.10.1rc1061.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
-qontract_reconcile-0.10.1rc1061.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc1061.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc1061.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc1063.dist-info/METADATA,sha256=7-a0ZUIlQEjsDHPbo9WkNXXBEumFIE91sWi6HVm8Umw,2213
+qontract_reconcile-0.10.1rc1063.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
+qontract_reconcile-0.10.1rc1063.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc1063.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc1063.dist-info/RECORD,,

reconcile/change_owners/change_log_tracking.py

@@ -0,0 +1,119 @@
+import logging
+from collections.abc import Callable
+from dataclasses import asdict, dataclass, field
+
+from reconcile.change_owners.bundle import (
+    NoOpFileDiffResolver,
+    QontractServerDiff,
+)
+from reconcile.change_owners.change_owners import fetch_change_type_processors
+from reconcile.change_owners.change_types import ChangeTypeContext
+from reconcile.change_owners.changes import aggregate_file_moves, parse_bundle_changes
+from reconcile.utils import gql
+from reconcile.utils.defer import defer
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.state import init_state
+
+QONTRACT_INTEGRATION = "change-log-tracking"
+BUNDLE_DIFFS_OBJ = "bundle-diffs.json"
+
+
+@dataclass
+class ChangeLogItem:
+    commit: str
+    change_types: list[str] = field(default_factory=list)
+    error: bool = False
+
+
+@dataclass
+class ChangeLog:
+    items: list[ChangeLogItem] = field(default_factory=list)
+
+
+class ChangeLogIntegrationParams(PydanticRunParams):
+    process_existing: bool = False
+
+
+class ChangeLogIntegration(QontractReconcileIntegration[ChangeLogIntegrationParams]):
+    @property
+    def name(self) -> str:
+        return QONTRACT_INTEGRATION
+
+    @defer
+    def run(
+        self,
+        dry_run: bool,
+        defer: Callable | None = None,
+    ) -> None:
+        change_type_processors = [
+            ctp
+            for ctp in fetch_change_type_processors(
+                gql.get_api(), NoOpFileDiffResolver()
+            )
+            if ctp.labels and "change_log_tracking" in ctp.labels
+        ]
+
+        integration_state = init_state(
+            integration=self.name,
+        )
+        if defer:
+            defer(integration_state.cleanup)
+        diff_state = init_state(
+            integration=self.name,
+        )
+        if defer:
+            defer(diff_state.cleanup)
+        diff_state.state_path = "bundle-archive/diff"
+
+        if not self.params.process_existing:
+            existing_change_log = ChangeLog(**integration_state.get(BUNDLE_DIFFS_OBJ))
+            existing_change_log_items = [
+                ChangeLogItem(**i)  # type: ignore[arg-type]
+                for i in existing_change_log.items
+            ]
+        change_log = ChangeLog()
+        for item in diff_state.ls():
+            key = item.lstrip("/")
+            commit = key.rstrip(".json")
+            if not self.params.process_existing:
+                existing_change_log_item = next(
+                    (i for i in existing_change_log_items if i.commit == commit), None
+                )
+                if existing_change_log_item:
+                    logging.debug(f"Found existing commit {commit}")
+                    change_log.items.append(existing_change_log_item)
+                    continue
+
+            logging.info(f"Processing commit {commit}")
+            change_log_item = ChangeLogItem(
+                commit=commit,
+            )
+            change_log.items.append(change_log_item)
+            obj = diff_state.get(key, None)
+            if not obj:
+                logging.error(f"Error processing commit {commit}")
+                change_log_item.error = True
+                continue
+            diff = QontractServerDiff(**obj)
+            changes = aggregate_file_moves(parse_bundle_changes(diff))
+            for change in changes:
+                logging.debug(f"Processing change {change}")
+                for ctp in change_type_processors:
+                    logging.info(f"Processing change type {ctp.name}")
+                    ctx = ChangeTypeContext(
+                        change_type_processor=ctp,
+                        context="",
+                        origin="",
+                        context_file=change.fileref,
+                        approvers=[],
+                    )
+                    covered_diffs = change.cover_changes(ctx)
+                    if covered_diffs:
+                        if ctp.name not in change_log_item.change_types:
+                            change_log_item.change_types.append(ctp.name)
+
+        if not dry_run:
+            integration_state.add(BUNDLE_DIFFS_OBJ, asdict(change_log), force=True)

reconcile/change_owners/change_types.py

@@ -22,6 +22,7 @@ import jinja2
 import jinja2.meta
 import jsonpath_ng
 import networkx
+from pydantic import Json
 
 from reconcile.change_owners.approver import (
     Approver,
@@ -474,6 +475,7 @@ class ChangeTypeProcessor:
     """
 
     name: str
+    labels: Json | None
     description: str
     priority: ChangeTypePriority
     context_type: BundleFileType
@@ -715,6 +717,7 @@ def init_change_type_processors(
         # build raw change-type-processor
         processors[change_type.name] = ChangeTypeProcessor(
             name=change_type.name,
+            labels=change_type.labels,
             description=change_type.description,
             priority=ChangeTypePriority(change_type.priority),
             context_type=BundleFileType[change_type.context_type.upper()],

reconcile/change_owners/changes.py

@@ -102,7 +102,7 @@ class BundleFileChange:
     def is_file_creation(self) -> bool:
         return self.old is None and self.new is not None
 
-    def cover_changes(self, change_type_context: ChangeTypeContext) -> None:
+    def cover_changes(self, change_type_context: ChangeTypeContext) -> dict[str, Diff]:
         """
         Figure out if a ChangeTypeV1 covers detected changes within the BundleFile.
         Base idea:
@@ -121,7 +121,7 @@ class BundleFileChange:
         # as a source of approvers
         if self.metadata_only_change and not self.diffs:
             self._metadata_only_diff_coverage().coverage.append(change_type_context)
-            return
+            return {}
 
         covered_diffs = {}
         # observe the new state for added fields or list items or entire object sutrees
@@ -139,6 +139,8 @@ class BundleFileChange:
             )
         )
 
+        return covered_diffs
+
     def _cover_changes_for_diffs(
         self,
         diffs: list[DiffCoverage],

reconcile/cli.py

@@ -3557,6 +3557,29 @@ def change_owners(
     )
 
 
+@integration.command(short_help="Analyze bundle diffs by change types.")
+@click.option(
+    "--process-existing/--no-process-existing",
+    default=False,
+    help="wait for pending/running pipelines before acting.",
+)
+@click.pass_context
+def change_log_tracking(ctx, process_existing):
+    from reconcile.change_owners.change_log_tracking import (
+        ChangeLogIntegration,
+        ChangeLogIntegrationParams,
+    )
+
+    run_class_integration(
+        ChangeLogIntegration(
+            ChangeLogIntegrationParams(
+                process_existing=process_existing,
+            )
+        ),
+        ctx=ctx.obj,
+    )
+
+
 @integration.command(
     short_help="Configure and enforce glitchtip instance configuration."
 )

reconcile/gql_definitions/change_owners/queries/change_types.py

@@ -22,6 +22,7 @@ DEFINITION = """
 query ChangeTypes($name: String) {
   change_types: change_types_v1(name: $name) {
     name
+    labels
     description
     priority
     contextType
@@ -117,6 +118,7 @@ class ChangeTypeV1_ChangeTypeV1(ConfiguredBaseModel):
 
 class ChangeTypeV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    labels: Optional[Json] = Field(..., alias="labels")
     description: str = Field(..., alias="description")
     priority: str = Field(..., alias="priority")
     context_type: str = Field(..., alias="contextType")

reconcile/gql_definitions/common/clusters_with_peering.py

@@ -147,6 +147,7 @@ query ClustersWithPeering {
           }
           tags
           cidrBlock
+          cidrBlocks
           manageSecurityGroups
           manageRoute53Associations
           allowPrivateHcpApiAccess
@@ -268,6 +269,7 @@ class ClusterPeeringConnectionAccountTGWV1(ClusterPeeringConnectionV1):
     account: ClusterPeeringConnectionAccountTGWV1_AWSAccountV1 = Field(..., alias="account")
     tags: Optional[Json] = Field(..., alias="tags")
     cidr_block: Optional[str] = Field(..., alias="cidrBlock")
+    cidr_blocks: Optional[list[str]] = Field(..., alias="cidrBlocks")
     manage_security_groups: Optional[bool] = Field(..., alias="manageSecurityGroups")
     manage_route53_associations: Optional[bool] = Field(..., alias="manageRoute53Associations")
     allow_private_hcp_api_access: Optional[bool] = Field(..., alias="allowPrivateHcpApiAccess")

reconcile/terraform_tgw_attachments.py

@@ -64,11 +64,14 @@ class ValidationError(Exception):
     pass
 
 
-class AccountProviderInfo(BaseModel):
+class TGWAccountProviderInfo(BaseModel):
     name: str
     uid: str
     assume_role: str | None
     assume_region: str
+
+
+class ClusterAccountProviderInfo(TGWAccountProviderInfo):
     assume_cidr: str
 
 
@@ -79,8 +82,9 @@ class Requester(BaseModel):
     routes: list[dict] | None
     rules: list[dict] | None
     hostedzones: list[str] | None
-    cidr_block: str
-    account: AccountProviderInfo
+    cidr_block: str | None
+    cidr_blocks: list[str]
+    account: TGWAccountProviderInfo
 
 
 class Accepter(BaseModel):
@@ -89,7 +93,7 @@ class Accepter(BaseModel):
     vpc_id: str | None
     route_table_ids: list[str] | None
     subnets_id_az: list[dict] | None
-    account: AccountProviderInfo
+    account: ClusterAccountProviderInfo
     api_security_group_id: str | None
 
 
@@ -225,7 +229,7 @@ def _build_account_with_assume_role(
     region: str,
     cidr_block: str,
     ocm: OCM | None,
-) -> AccountProviderInfo:
+) -> ClusterAccountProviderInfo:
     account = peer_connection.account
     # assume_role is the role to assume to provision the
     # peering connection request, through the accepter AWS account.
@@ -235,7 +239,7 @@ def _build_account_with_assume_role(
     # there is no OCM at all.
     if not assume_role:
         if isinstance(cluster.spec, ClusterSpecROSAV1) and cluster.spec.account:
-            return AccountProviderInfo(
+            return ClusterAccountProviderInfo(
                 name=cluster.spec.account.name,
                 uid=cluster.spec.account.uid,
                 assume_role=assume_role,
@@ -247,7 +251,7 @@ def _build_account_with_assume_role(
         assume_role = ocm.get_aws_infrastructure_access_terraform_assume_role(
             cluster.name, account.uid, account.terraform_username
         )
-    return AccountProviderInfo(
+    return ClusterAccountProviderInfo(
         name=account.name,
         uid=account.uid,
         assume_role=assume_role,
@@ -258,7 +262,7 @@ def _build_account_with_assume_role(
 
 def _build_accepter(
     peer_connection: ClusterPeeringConnectionAccountTGWV1,
-    account: AccountProviderInfo,
+    account: ClusterAccountProviderInfo,
     region: str,
     cidr_block: str,
     awsapi: AWSApi,
@@ -290,11 +294,10 @@ def _build_requester(
     peer_connection: ClusterPeeringConnectionAccountTGWV1,
     tgw: Mapping,
 ) -> Requester:
-    tgw_account = AccountProviderInfo(
+    tgw_account = TGWAccountProviderInfo(
         name=peer_connection.account.name,
         uid=peer_connection.account.uid,
         assume_region=tgw["region"],
-        assume_cidr=peer_connection.cidr_block,
     )
     return Requester(
         tgw_id=tgw["tgw_id"],
@@ -304,6 +307,7 @@ def _build_requester(
         rules=tgw.get("rules"),
         hostedzones=tgw.get("hostedzones"),
         cidr_block=peer_connection.cidr_block,
+        cidr_blocks=peer_connection.cidr_blocks or [],
         account=tgw_account,
     )
 

reconcile/test/test_terraform_tgw_attachments.py

@@ -161,6 +161,7 @@ def peering_connection_builder(
         account: ClusterPeeringConnectionAccountTGWV1_AWSAccountV1 | None = None,
         assume_role: str | None = None,
         cidr_block: str | None = None,
+        cidr_blocks: list[str] | None = None,
         delete: bool | None = None,
     ) -> ClusterPeeringConnectionAccountTGWV1:
         return gql_class_factory(
@@ -172,6 +173,7 @@ def peering_connection_builder(
                 "account": account.dict(by_alias=True) if account is not None else None,
                 "assumeRole": assume_role,
                 "cidrBlock": cidr_block,
+                "cidrBlocks": cidr_blocks,
                 "delete": delete,
             },
         )
@@ -191,6 +193,7 @@ def account_tgw_connection(
         account=tgw_connection_account,
         assume_role=None,
         cidr_block="172.16.0.0/16",
+        cidr_blocks=["10.240.0.0/12"],
         delete=False,
     )
 
@@ -481,6 +484,7 @@ def build_expected_desired_state_item(
             rules=tgw["rules"],
             hostedzones=tgw["hostedzones"],
             cidr_block=connection.cidr_block,
+            cidr_blocks=connection.cidr_blocks or [],
             account=expected_tgw_account,
         ),
         accepter=Accepter(

reconcile/utils/terraform_client.py

@@ -331,12 +331,28 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
         for resource_change in resource_changes:
             resource_type = resource_change["type"]
             resource_name = resource_change["name"]
+            resource_address = resource_change["address"]
+            resource_previous_address = resource_change.get("previous_address")
             resource_change = resource_change["change"]
             actions = resource_change["actions"]
             for action in actions:
+                if resource_previous_address:
+                    # the resource is being moved/renamed in the TF state
+                    with self._log_lock:
+                        logging.info([
+                            "move/rename",
+                            name,
+                            resource_previous_address,
+                            resource_address,
+                        ])
+
                 if action == "no-op":
                     logging.debug([action, name, resource_type, resource_name])
-                    continue
+                    if resource_previous_address:
+                        # apply resource renaming with no-op
+                        self.increment_apply_count()
+                    else:
+                        continue
                 if action == "update" and resource_type == "aws_db_instance":
                     self.validate_db_upgrade(name, resource_name, resource_change)
                     # Ignore RDS modifications that are going to occur during the next

reconcile/utils/terrascript_aws_client.py

@@ -35,6 +35,7 @@ from sretoolbox.utils import threaded
 # temporary to create aws_ecrpublic_repository
 from terrascript import (
     Backend,
+    Block,
     Data,
     Module,
     Output,
@@ -299,6 +300,13 @@ class UnapprovedSecretPathError(Exception):
     pass
 
 
+class Moved(Block):
+    """Terraform `moved` block, available since Terraform 1.1"""
+
+    def __init__(self, fro: str, to: str):
+        super().__init__(fro=fro, to=to)
+
+
 class aws_ecrpublic_repository(Resource):
     pass
 
@@ -1392,17 +1400,32 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             # add routes to existing route tables
             route_table_ids = accepter.route_table_ids
             req_cidr_block = requester.cidr_block
-            if route_table_ids and req_cidr_block:
+            req_cidr_blocks = requester.cidr_blocks or []
+            if req_cidr_block:
+                req_cidr_blocks.append(req_cidr_block)
+            if route_table_ids and (req_cidr_block or req_cidr_blocks):
                 for route_table_id in route_table_ids:
-                    values = {
-                        "provider": "aws." + acc_alias,
-                        "route_table_id": route_table_id,
-                        "destination_cidr_block": req_cidr_block,
-                        "transit_gateway_id": requester.tgw_id,
-                    }
-                    route_identifier = f"{identifier}-{route_table_id}"
-                    tf_resource = aws_route(route_identifier, **values)
-                    self.add_resource(infra_account_name, tf_resource)
+                    for cidr_block in req_cidr_blocks:
+                        values = {
+                            "provider": "aws." + acc_alias,
+                            "route_table_id": route_table_id,
+                            "destination_cidr_block": cidr_block,
+                            "transit_gateway_id": requester.tgw_id,
+                        }
+                        # use the cidr block in the resource name to allow re-ordering
+                        cidr_id = cidr_block.replace(".", "-").replace("/", "_")
+                        route_identifier = (
+                            f"{identifier}-{route_table_id}-dest-{cidr_id}"
+                        )
+                        tf_resource = aws_route(route_identifier, **values)
+                        self.add_resource(infra_account_name, tf_resource)
+                    if req_cidr_block:
+                        req_cidr_id = req_cidr_block.replace(".", "-").replace("/", "_")
+                        moved = Moved(
+                            fro=f"aws_route.{identifier}-{route_table_id}",
+                            to=f"aws_route.{identifier}-{route_table_id}-dest-{req_cidr_id}",
+                        )
+                        self.add_moved(infra_account_name, moved)
 
             # add routes to peered transit gateways in the requester's
             # account to achieve global routing from all regions
@@ -4084,6 +4107,19 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         with self.locks[account]:
             self.tss[account].add(tf_resource)
 
+    def add_moved(self, account: str, moved: Moved):
+        if account not in self.locks:
+            logging.debug(
+                f"integration {self.integration} is disabled for account {account}. "
+                "can not add resource"
+            )
+            return
+        with self.locks[account]:
+            self.tss[account].setdefault("moved", []).append({
+                "from": moved.fro,
+                "to": moved.to,
+            })
+
     def dump(
         self,
         print_to_file: str | None = None,

tools/qontract_cli.py

@@ -47,6 +47,12 @@ from reconcile.aus.base import (
 )
 from reconcile.aus.models import OrganizationUpgradeSpec
 from reconcile.change_owners.bundle import NoOpFileDiffResolver
+from reconcile.change_owners.change_log_tracking import (
+    ChangeLog,
+    ChangeLogIntegration,
+    ChangeLogIntegrationParams,
+    ChangeLogItem,
+)
 from reconcile.change_owners.change_owners import (
     fetch_change_type_processors,
     fetch_self_service_roles,
@@ -85,6 +91,7 @@ from reconcile.jenkins_job_builder import init_jjb
 from reconcile.slack_base import slackapi_from_queries
 from reconcile.status_board import StatusBoardExporterIntegration
 from reconcile.typed_queries.alerting_services_settings import get_alerting_services
+from reconcile.typed_queries.app_interface_repo_url import get_app_interface_repo_url
 from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
@@ -2857,6 +2864,35 @@ def container_image_details(ctx):
     print_output(ctx.obj["options"], data, columns)
 
 
+@get.command
+@click.pass_context
+def change_log_tracking(ctx):
+    repo_url = get_app_interface_repo_url()
+    change_types = fetch_change_type_processors(gql.get_api(), NoOpFileDiffResolver())
+    state = init_state(
+        integration=ChangeLogIntegration(ChangeLogIntegrationParams()).name
+    )
+    change_log = ChangeLog(**state.get("bundle-diffs.json"))
+    data: list[dict[str, str]] = []
+    for item in change_log.items:
+        change_log_item = ChangeLogItem(**item)
+        commit = change_log_item.commit
+        covered_change_types_descriptions = [
+            ct.description
+            for ct in change_types
+            if ct.name in change_log_item.change_types
+        ]
+        item = {
+            "commit": f"[{commit}]({repo_url}/commit/{commit})",
+            "changes": ", ".join(covered_change_types_descriptions),
+            "error": change_log_item.error,
+        }
+        data.append(item)
+
+    columns = ["commit", "changes", "error"]
+    print_output(ctx.obj["options"], data, columns)
+
+
 @root.group(name="set")
 @output
 @click.pass_context