qontract-reconcile 0.10.1rc1127__py3-none-any.whl → 0.10.1rc1129__py3-none-any.whl

{qontract_reconcile-0.10.1rc1127.dist-info → qontract_reconcile-0.10.1rc1129.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc1127
+Version: 0.10.1rc1129
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc1127.dist-info → qontract_reconcile-0.10.1rc1129.dist-info}/RECORD

@@ -128,7 +128,7 @@ reconcile/aus/healthchecks.py,sha256=jR9c-syh9impnkV0fd6XW3Bnk7iRN5zv8oCRYM-yIRY
 reconcile/aus/metrics.py,sha256=nKT4m2zGT-QOMR0c-z-npVNKWsNMubzdffpU_f9n4II,3927
 reconcile/aus/models.py,sha256=MSKX7SY0GDw7BgpIuKeLT3i_v8E1LFz4M0DQAL7JWUM,7783
 reconcile/aus/node_pool_spec.py,sha256=FkMggklG-4BgQwud2Swp2m3AAAKzZmeaXgohl9uwxZ8,1138
-reconcile/aus/ocm_addons_upgrade_scheduler_org.py,sha256=t2_J7CuovTm6FGvwWI6HsyiftPbt3ZRWEKjsGmIRcEI,10207
+reconcile/aus/ocm_addons_upgrade_scheduler_org.py,sha256=-xliq44ev35P6YzwrGLppReRUWrKDTNptNjaivwICIc,10263
 reconcile/aus/ocm_upgrade_scheduler.py,sha256=2uPn13y3QGCHLoKwCc1Z7q9wQsoQf_F1HATMYUbl53s,3695
 reconcile/aus/ocm_upgrade_scheduler_org.py,sha256=QeZAQ1wdDPcwZ77b3Xmt4yBV60rWi3qd8h-vGwnwoCs,3948
 reconcile/aus/upgrades.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -194,8 +194,8 @@ reconcile/endpoints_discovery/merge_request_manager.py,sha256=wUMsumxv8RnWaRatta
 reconcile/external_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/external_resources/aws.py,sha256=7W-6d-lXO6JGwaxtO1Uc3Lw0p8csJ1EVgz__O1YWUOc,4793
 reconcile/external_resources/factories.py,sha256=nhdTqf1WEfRfgd5-70KAUJVz0ZvZ19C3Pz7wmotSdrs,4857
-reconcile/external_resources/integration.py,sha256=y1gJ16woMBC3J9qniMmS5y3lCkAs7V_ETZRUwjKqaO0,6628
-reconcile/external_resources/integration_secrets_sync.py,sha256=cMEZhgCvABAMf-DWF051L6CRnJQdfbsISA_b1xuS940,1670
+reconcile/external_resources/integration.py,sha256=Ne_D5eXtR2a4kFg2Us5h7Zc_WIRgOBxaKbVPic0c6uw,6619
+reconcile/external_resources/integration_secrets_sync.py,sha256=dX09O3r6KURziUYYfiki10orNjOGVma-XojhVqd0ww4,1667
 reconcile/external_resources/manager.py,sha256=cs6QEirz9EaLiuxybZ_1ugUn61vNWlKAC4NKouqpd5I,16148
 reconcile/external_resources/meta.py,sha256=noaytFzmShpzLA_ebGh7wuP45mOfHIOnnoUxivjDa1I,672
 reconcile/external_resources/metrics.py,sha256=jsN3IF78Su23d3Qp4BTKXkgZPN6AKjdS8sZFEXmYCek,863
@@ -616,7 +616,7 @@ reconcile/typed_queries/clusters_with_peering.py,sha256=lIai7SJJD0bqIJbe7virgrbY
 reconcile/typed_queries/dynatrace.py,sha256=8vXDXDIDf9_vN_efYwysDr4gLN7SCx4I2bOoNxQhbio,312
 reconcile/typed_queries/dynatrace_environments.py,sha256=VV_7KzKG9wqGDV9wZLbcCJtfuzPhTV1wdg0YwAOaq3A,413
 reconcile/typed_queries/dynatrace_token_provider_token_specs.py,sha256=x41KG6JRDNYw5QGJYtIFNwSeejUUgxrL-agS8qFf6q0,433
-reconcile/typed_queries/external_resources.py,sha256=h1uzZzmtEGzoqSFhDMSAdxauGJoGy0stPuWbA0rkVKE,1503
+reconcile/typed_queries/external_resources.py,sha256=AT5md8nH5gX56UrdWnU4T3_aVF_FanHorXNFkU6s6KY,1573
 reconcile/typed_queries/get_state_aws_account.py,sha256=CSJjVPWsUZ2rkGIt8ehoQt7hokFqrUDgG9HFlg2lVD8,492
 reconcile/typed_queries/github_orgs.py,sha256=UZhoPl8qvA_tcO7CZlN8GuMKckt3ywd47Suu61rgHsc,258
 reconcile/typed_queries/gitlab_instances.py,sha256=ZVQHy2W9xIp53f5qYkjKLHLHgOVtQpxTfcmM1C2046g,291
@@ -838,10 +838,11 @@ tools/app_interface_metrics_exporter.py,sha256=zkwkxdAUAxjdc-pzx2_oJXG25fo0Fnyd5
 tools/app_interface_reporter.py,sha256=oZPib4HPq0aZ2Zui1QGJGk6qQdfpeihujGDBnSdKyGE,17627
 tools/glitchtip_access_reporter.py,sha256=oPBnk_YoDuljU3v0FaChzOwwnk4vap1xEE67QEjzdqs,2948
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=7cPjwPMHOUcz0JADrD4K7_k-g0kbnqplkmFgPZZ84gU,130565
+tools/qontract_cli.py,sha256=_OqTpZ57TGdWR_0Oc9sT83JVilLKbAz5NbPm1EyL34I,133385
 tools/sd_app_sre_alert_report.py,sha256=e9vAdyenUz2f5c8-z-5WY0wv-SJ9aePKDH2r4IwB6pc,5063
 tools/template_validation.py,sha256=qpKYaTgk0GOPGa2Ct5_5sKdwIHtCAKIBGzsMPuJU5fw,3371
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+tools/cli_commands/erv2.py,sha256=vHYBYkTaS3h2qEStuAE6iThCt54LD2o3-0bJLcYODKY,16393
 tools/cli_commands/gpg_encrypt.py,sha256=x02JOMn834z89YSNvr5B-oJky7rR1C0begCkPh45eHk,4958
 tools/cli_commands/systems_and_tools.py,sha256=EMHOF1AtUDaoSk0bbjl6oUKYAz4rTZjIBaF-6E6GspM,16816
 tools/cli_commands/cost_report/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -865,12 +866,13 @@ tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y
 tools/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tools/test/conftest.py,sha256=YLtiauk_StNFE-lirLnfG_BpJmlB2NGMZISE9A4zwvk,2421
 tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvftCWEEf-g1mfXOtgCog-g,1271
+tools/test/test_erv2.py,sha256=EAS7QuJkHisRVO9bMGxm662L5B6i66wF_mT9PAjVzrU,3128
 tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jrss,4941
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc1127.dist-info/METADATA,sha256=yNBdxEIOUgziXqZSgMl69r9F3yGcnT_a9xEPJSvCyE8,2213
-qontract_reconcile-0.10.1rc1127.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
-qontract_reconcile-0.10.1rc1127.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc1127.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc1127.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc1129.dist-info/METADATA,sha256=Z1h9eqAPOgiPFSvnkYjuHeRDc1Xe5s3E1tX1VHVx1sc,2213
+qontract_reconcile-0.10.1rc1129.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
+qontract_reconcile-0.10.1rc1129.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc1129.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc1129.dist-info/RECORD,,

reconcile/aus/ocm_addons_upgrade_scheduler_org.py

@@ -251,7 +251,9 @@ def calculate_diff(
         addon_id,
     )
     for current in addon_current_state:
-        if addon_id == current.addon_id and current.schedule_type == "automatic":
+        if addon_id == current.addon_id and (
+            current.schedule_type == "automatic" or current.state == "completed"
+        ):
             diffs.append(
                 aus.UpgradePolicyHandler(
                     action="delete",

reconcile/external_resources/integration.py

@@ -84,7 +84,7 @@ def create_er_manager(
 ) -> ExternalResourcesManager:
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    er_settings = get_settings()[0]
+    er_settings = get_settings()
     m_inventory = load_module_inventory(get_modules())
     namespaces = [ns for ns in get_namespaces() if ns.external_resources]
     er_inventory = ExternalResourcesInventory(namespaces)
@@ -139,7 +139,7 @@ def run(
 ) -> None:
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    er_settings = get_settings()[0]
+    er_settings = get_settings()
 
     if not workers_cluster:
         workers_cluster = er_settings.workers_cluster.name
@@ -173,7 +173,7 @@ def run(
 def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    er_settings = get_settings()[0]
+    er_settings = get_settings()
 
     with get_aws_api(
         query_func=gql.get_api().query,

reconcile/external_resources/integration_secrets_sync.py

@@ -25,7 +25,7 @@ def run(dry_run: bool, thread_pool_size: int) -> None:
     """
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    er_settings = get_settings()[0]
+    er_settings = get_settings()
 
     namespaces = [ns for ns in get_namespaces() if ns.external_resources]
     er_inventory = ExternalResourcesInventory(namespaces)

reconcile/typed_queries/external_resources.py

@@ -28,13 +28,13 @@ def get_namespaces(query_func: Callable | None = None) -> list[NamespaceV1]:
     return list(data.namespaces or [])
 
 
-def get_settings(
-    query_func: Callable | None = None,
-) -> list[ExternalResourcesSettingsV1]:
+def get_settings(query_func: Callable | None = None) -> ExternalResourcesSettingsV1:
     if not query_func:
         query_func = gql.get_api().query
     data = query_settings(query_func=query_func)
-    return list(data.settings or [])
+    if not data.settings:
+        raise ValueError("No external resources settings found.")
+    return data.settings[0]
 
 
 def get_modules(

tools/cli_commands/erv2.py

@@ -0,0 +1,473 @@
+from __future__ import annotations
+
+import json
+import os
+import sys
+from collections.abc import Iterator
+from contextlib import contextmanager
+from difflib import get_close_matches
+from enum import Enum
+from pathlib import Path
+from subprocess import CalledProcessError, run
+from typing import Protocol
+
+from pydantic import BaseModel
+from rich import print as rich_print
+from rich.console import Console
+from rich.progress import Progress, SpinnerColumn, TextColumn, TimeElapsedColumn
+from rich.prompt import Confirm, IntPrompt
+
+from reconcile.external_resources.integration import get_aws_api
+from reconcile.external_resources.manager import setup_factories
+from reconcile.external_resources.meta import FLAG_RESOURCE_MANAGED_BY_ERV2
+from reconcile.external_resources.model import (
+    ExternalResourceKey,
+    ExternalResourceModuleConfiguration,
+    ExternalResourcesInventory,
+    load_module_inventory,
+)
+from reconcile.external_resources.state import (
+    ExternalResourcesStateDynamoDB,
+    ResourceStatus,
+)
+from reconcile.typed_queries.external_resources import (
+    get_modules,
+    get_namespaces,
+    get_settings,
+)
+from reconcile.utils import gql
+from reconcile.utils.exceptions import FetchResourceError
+from reconcile.utils.secret_reader import SecretReaderBase
+
+
+def progress_spinner() -> Progress:
+    """Display shiny progress spinner."""
+    console = Console(record=True)
+    return Progress(
+        SpinnerColumn(),
+        TextColumn("[progress.description]{task.description}"),
+        TimeElapsedColumn(),
+        console=console,
+    )
+
+
+@contextmanager
+def pause_progress_spinner(progress: Progress | None) -> Iterator:
+    """Pause the progress spinner."""
+    if progress:
+        progress.stop()
+        UP = "\x1b[1A"
+        CLEAR = "\x1b[2K"
+        for task in progress.tasks:
+            if task.finished:
+                continue
+            print(UP + CLEAR + UP)
+    yield
+    if progress:
+        progress.start()
+
+
+@contextmanager
+def task(progress: Progress | None, description: str) -> Iterator:
+    """Display a task in the progress spinner."""
+    if progress:
+        task = progress.add_task(description, total=1)
+    yield
+    if progress:
+        progress.advance(task)
+
+
+class Erv2Cli:
+    def __init__(
+        self,
+        provision_provider: str,
+        provisioner: str,
+        provider: str,
+        identifier: str,
+        secret_reader: SecretReaderBase,
+        temp_dir: Path | None = None,
+        progress_spinner: Progress | None = None,
+    ) -> None:
+        self._provision_provider = provision_provider
+        self._provisioner = provisioner
+        self._provider = provider
+        self._identifier = identifier
+        self._temp_dir = temp_dir
+        self.progress_spinner = progress_spinner
+
+        namespaces = [ns for ns in get_namespaces() if ns.external_resources]
+        er_inventory = ExternalResourcesInventory(namespaces)
+
+        try:
+            spec = er_inventory.get_inventory_spec(
+                provision_provider=provision_provider,
+                provisioner=provisioner,
+                provider=provider,
+                identifier=identifier,
+            )
+        except FetchResourceError:
+            rich_print(
+                f"[b red]Resource {provision_provider}/{provisioner}/{provider}/{identifier} not found[/]. Ensure `managed_by_erv2: true` is set!"
+            )
+            sys.exit(1)
+
+        self._secret_reader = secret_reader
+        self._er_settings = get_settings()
+        m_inventory = load_module_inventory(get_modules())
+        factories = setup_factories(
+            self._er_settings, m_inventory, er_inventory, self._secret_reader
+        )
+        f = factories.get_factory(spec.provision_provider)
+        self._resource = f.create_external_resource(spec)
+        f.validate_external_resource(self._resource)
+        self._module_configuration = (
+            ExternalResourceModuleConfiguration.resolve_configuration(
+                m_inventory.get_from_spec(spec), spec
+            )
+        )
+
+    @property
+    def input_data(self) -> str:
+        return self._resource.json(exclude={"data": {FLAG_RESOURCE_MANAGED_BY_ERV2}})
+
+    @property
+    def image(self) -> str:
+        return self._module_configuration.image_version
+
+    @property
+    def temp(self) -> Path:
+        if not self._temp_dir:
+            raise ValueError("Temp directory is not set!")
+        return self._temp_dir
+
+    def reconcile(self) -> None:
+        with get_aws_api(
+            query_func=gql.get_api().query,
+            account_name=self._er_settings.state_dynamodb_account.name,
+            region=self._er_settings.state_dynamodb_region,
+            secret_reader=self._secret_reader,
+        ) as aws_api:
+            state_manager = ExternalResourcesStateDynamoDB(
+                aws_api=aws_api,
+                table_name=self._er_settings.state_dynamodb_table,
+            )
+            key = ExternalResourceKey(
+                provision_provider=self._provision_provider,
+                provisioner_name=self._provisioner,
+                provider=self._provider,
+                identifier=self._identifier,
+            )
+            current_state = state_manager.get_external_resource_state(key)
+            if current_state.resource_status != ResourceStatus.NOT_EXISTS:
+                state_manager.update_resource_status(
+                    key, ResourceStatus.RECONCILIATION_REQUESTED
+                )
+            else:
+                rich_print("[b red]External Resource does not exist")
+
+    def build_cdktf(self, credentials: Path) -> None:
+        """Run the CDKTF container and return the generated CDKTF json."""
+        input_file = self.temp / "input.json"
+        input_file.write_text(self.input_data)
+
+        # delete previous ERv2 container
+        run(["docker", "rm", "-f", "erv2"], capture_output=True, check=True)
+
+        try:
+            cdktf_outdir = "/tmp/cdktf.out"
+
+            # run cdktf synth
+            with task(self.progress_spinner, "-- Running CDKTF synth"):
+                run(
+                    [
+                        "docker",
+                        "run",
+                        "--name",
+                        "erv2",
+                        "--mount",
+                        f"type=bind,source={input_file!s},target=/inputs/input.json",
+                        "--mount",
+                        f"type=bind,source={credentials!s},target=/credentials",
+                        "-e",
+                        "AWS_SHARED_CREDENTIALS_FILE=/credentials",
+                        "--entrypoint",
+                        "cdktf",
+                        self.image,
+                        "synth",
+                        "--output",
+                        cdktf_outdir,
+                    ],
+                    check=True,
+                    capture_output=True,
+                )
+
+            # # get the cdk.tf.json
+            with task(self.progress_spinner, "-- Copying the generated cdk.tf.json"):
+                run(
+                    [
+                        "docker",
+                        "cp",
+                        f"erv2:{cdktf_outdir}/stacks/CDKTF/cdk.tf.json",
+                        str(self.temp),
+                    ],
+                    check=True,
+                    capture_output=True,
+                )
+        except CalledProcessError as e:
+            print(e.stderr.decode("utf-8"))
+            print(e.stdout.decode("utf-8"))
+            raise
+
+
+class TfRun(Protocol):
+    def __call__(self, path: Path, cmd: list[str]) -> str: ...
+
+
+def tf_run(path: Path, cmd: list[str]) -> str:
+    env = os.environ.copy()
+    env["TF_CLI_ARGS"] = "-no-color"
+    try:
+        return run(
+            ["terraform", *cmd],
+            cwd=path,
+            check=True,
+            capture_output=True,
+            env=env,
+        ).stdout.decode("utf-8")
+    except CalledProcessError as e:
+        print(e.stderr.decode("utf-8"))
+        print(e.stdout.decode("utf-8"))
+        raise
+
+
+class TfAction(Enum):
+    CREATE = "create"
+    DESTROY = "delete"
+
+
+class TfResource(BaseModel):
+    address: str
+
+    @property
+    def id(self) -> str:
+        return self.address.split(".")[1]
+
+    @property
+    def type(self) -> str:
+        return self.address.split(".")[0]
+
+    def __str__(self) -> str:
+        return self.address
+
+    def __repr__(self) -> str:
+        return str(self)
+
+
+class TfResourceList(BaseModel):
+    resources: list[TfResource]
+
+    def __iter__(self) -> Iterator[TfResource]:  # type: ignore
+        return iter(self.resources)
+
+    def _get_resource_by_address(self, address: str) -> TfResource | None:
+        for resource in self.resources:
+            if resource.address == address:
+                return resource
+        return None
+
+    def _get_resources_by_type(self, type: str) -> list[TfResource]:
+        results = [resource for resource in self.resources if resource.type == type]
+        if not results:
+            raise KeyError(f"Resource type '{type}' not found!")
+        return results
+
+    def __getitem__(self, tf_resource: TfResource) -> list[TfResource]:
+        """Get a resource by searching the resource list.
+
+        self holds the source resources (terraform-resources).
+        The tf_resource is the destination resource (ERv2).
+        """
+        if resource := self._get_resource_by_address(tf_resource.address):
+            # exact match by AWS address
+            return [resource]
+
+        # a resource with the same ID does not exist
+        # let's try to find the resource by the AWS type
+        results = self._get_resources_by_type(tf_resource.type)
+        if len(results) == 1:
+            # there is just one resource with the same type
+            # this must be the searched resource.
+            return results
+
+        # ok, now it's getting tricky. Let's use difflib and let the user decide.
+        possible_matches_ids = get_close_matches(
+            tf_resource.id, [r.id for r in results]
+        )
+        return [r for r in results if r.id in possible_matches_ids]
+
+    def __len__(self) -> int:
+        return len(self.resources)
+
+
+class TerraformCli:
+    def __init__(
+        self,
+        path: Path,
+        dry_run: bool = True,
+        tf_run: TfRun = tf_run,
+        progress_spinner: Progress | None = None,
+    ) -> None:
+        self._path = path
+        self._dry_run = dry_run
+        self._tf_run = tf_run
+        self.progress_spinner = progress_spinner
+        self.initialized = False
+
+    def init(self) -> None:
+        """Initialize the terraform modules."""
+        self._tf_init()
+        self._tf_plan()
+        self._tf_state_pull()
+        self.initialized = True
+
+    @property
+    def state_file(self) -> Path:
+        return self._path / "state.json"
+
+    def _tf_init(self) -> None:
+        with task(self.progress_spinner, "-- Running terraform init"):
+            self._tf_run(self._path, ["init"])
+
+    def _tf_plan(self) -> None:
+        with task(self.progress_spinner, "-- Running terraform plan"):
+            self._tf_run(self._path, ["plan", "-out=plan.out"])
+
+    def _tf_state_pull(self) -> None:
+        with task(self.progress_spinner, "-- Retrieving the terraform state"):
+            self.state_file.write_text(self._tf_run(self._path, ["state", "pull"]))
+
+    def _tf_state_push(self) -> None:
+        with task(
+            self.progress_spinner,
+            f"-- Uploading the terraform state {'[b red](DRY-RUN)' if self._dry_run else ''}",
+        ):
+            if not self._dry_run:
+                self._tf_run(self._path, ["state", "push", str(self.state_file)])
+
+    def upload_state(self) -> None:
+        self._tf_state_push()
+
+    def resource_changes(self, action: TfAction) -> TfResourceList:
+        """Get the resource changes."""
+        plan = json.loads(self._tf_run(self._path, ["show", "-json", "plan.out"]))
+        return TfResourceList(
+            resources=[
+                TfResource(address=r["address"])
+                for r in plan["resource_changes"]
+                if action.value.lower() in r["change"]["actions"]
+            ]
+        )
+
+    def move_resource(
+        self, source_state_file: Path, source: TfResource, destination: TfResource
+    ) -> None:
+        """Move the resource from source state file to destination state file."""
+        if self.progress_spinner:
+            self.progress_spinner.log(
+                f"-- Moving {destination} {'[b red](DRY-RUN)' if self._dry_run else ''}"
+            )
+        if not self._dry_run:
+            self._tf_run(
+                self._path,
+                [
+                    "state",
+                    "mv",
+                    "-lock=false",
+                    f"-state={source_state_file!s}",
+                    f"-state-out={self.state_file!s}",
+                    f"{source.address}",
+                    f"{destination.address}",
+                ],
+            )
+
+    def migrate_resources(self, source: TerraformCli) -> None:
+        """Migrate the resources from source."""
+        # if not self.initialized or not source.initialized:
+        #     raise ValueError("Terraform must be initialized before!")
+
+        source_resources = source.resource_changes(TfAction.DESTROY)
+        destination_resources = self.resource_changes(TfAction.CREATE)
+
+        if not source_resources or not destination_resources:
+            raise ValueError("No resource changes found!")
+
+        if len(source_resources) != len(destination_resources):
+            with pause_progress_spinner(self.progress_spinner):
+                rich_print(
+                    "[b red]The number of changes (ERv2 vs terraform-resource) does not match! Please review them carefully![/]"
+                )
+                rich_print("ERv2:")
+                rich_print(
+                    "\n".join([
+                        f"  {i}: {r.address}"
+                        for i, r in enumerate(destination_resources, start=1)
+                    ])
+                )
+                rich_print("Terraform:")
+                rich_print(
+                    "\n".join([
+                        f"  {i}: {r.address}"
+                        for i, r in enumerate(source_resources, start=1)
+                    ])
+                )
+                if not Confirm.ask("Would you like to continue anyway?", default=False):
+                    return
+
+        for destination_resource in destination_resources:
+            possible_source_resouces = source_resources[destination_resource]
+            if not possible_source_resouces:
+                raise ValueError(
+                    f"Source resource for {destination_resource} not found!"
+                )
+            elif len(possible_source_resouces) == 1:
+                # just one resource found.
+                source_resource = possible_source_resouces[0]
+            else:
+                # more than one resource found. Let the user decide.
+                with pause_progress_spinner(self.progress_spinner):
+                    rich_print(
+                        f"[b red]{destination_resource.address} not found![/] Please select the related source ID manually!"
+                    )
+                    for i, r in enumerate(possible_source_resouces, start=1):
+                        print(f"{i}: {r.address}")
+
+                    index = IntPrompt.ask(
+                        ":boom: Enter the number",
+                        choices=[
+                            str(i) for i in range(1, len(possible_source_resouces) + 1)
+                        ],
+                        show_choices=False,
+                    )
+                    source_resource = possible_source_resouces[index - 1]
+
+            self.move_resource(
+                source_state_file=source.state_file,
+                source=source_resource,
+                destination=destination_resource,
+            )
+
+        if not self._dry_run:
+            if self.progress_spinner:
+                self.progress_spinner.stop()
+            if not Confirm.ask(
+                "\nEverything ok? Would you like to upload the modified terraform states",
+                default=False,
+            ):
+                return
+
+            if self.progress_spinner:
+                self.progress_spinner.start()
+
+            # finally push the terraform states
+            self.upload_state()
+            source.upload_state()

tools/qontract_cli.py

@@ -14,7 +14,9 @@ from datetime import (
     timedelta,
 )
 from operator import itemgetter
+from pathlib import Path
 from statistics import median
+from textwrap import dedent
 from typing import Any
 
 import boto3
@@ -23,10 +25,9 @@ import click.core
 import requests
 import yaml
 from rich import box
-from rich.console import (
-    Console,
-    Group,
-)
+from rich import print as rich_print
+from rich.console import Console, Group
+from rich.prompt import Confirm
 from rich.table import Table
 from rich.tree import Tree
 
@@ -59,25 +60,11 @@ from reconcile.change_owners.change_owners import (
 )
 from reconcile.checkpoint import report_invalid_metadata
 from reconcile.cli import (
+    TERRAFORM_VERSION,
+    TERRAFORM_VERSION_REGEX,
     config_file,
     use_jump_host,
 )
-from reconcile.external_resources.integration import (
-    get_aws_api,
-)
-from reconcile.external_resources.manager import (
-    setup_factories,
-)
-from reconcile.external_resources.meta import FLAG_RESOURCE_MANAGED_BY_ERV2
-from reconcile.external_resources.model import (
-    ExternalResourceKey,
-    ExternalResourcesInventory,
-    load_module_inventory,
-)
-from reconcile.external_resources.state import (
-    ExternalResourcesStateDynamoDB,
-    ResourceStatus,
-)
 from reconcile.gql_definitions.advanced_upgrade_service.aus_clusters import (
     query as aus_clusters_query,
 )
@@ -99,11 +86,6 @@ from reconcile.typed_queries.app_quay_repos_escalation_policies import (
     get_apps_quay_repos_escalation_policies,
 )
 from reconcile.typed_queries.clusters import get_clusters
-from reconcile.typed_queries.external_resources import (
-    get_modules,
-    get_namespaces,
-    get_settings,
-)
 from reconcile.typed_queries.saas_files import get_saas_files
 from reconcile.typed_queries.slo_documents import get_slo_documents
 from reconcile.typed_queries.status_board import get_status_board
@@ -168,6 +150,12 @@ from reconcile.utils.state import init_state
 from reconcile.utils.terraform_client import TerraformClient as Terraform
 from tools.cli_commands.cost_report.aws import AwsCostReportCommand
 from tools.cli_commands.cost_report.openshift import OpenShiftCostReportCommand
+from tools.cli_commands.erv2 import (
+    Erv2Cli,
+    TerraformCli,
+    progress_spinner,
+    task,
+)
 from tools.cli_commands.gpg_encrypt import (
     GPGEncryptCommand,
     GPGEncryptCommandData,
@@ -3945,85 +3933,185 @@ def remove(ctx, sso_client_vault_secret_path: str):
 
 
 @root.group()
+@click.option(
+    "--provision-provider",
+    required=True,
+    help="externalResources.provider",
+    default="aws",
+)
+@click.option(
+    "--provisioner",
+    required=True,
+    help="externalResources.provisioner.name. E.g. app-sre-stage",
+    prompt=True,
+)
+@click.option(
+    "--provider",
+    required=True,
+    help="externalResources.resources.provider. E.g. rds, msk, ...",
+    prompt=True,
+)
+@click.option(
+    "--identifier",
+    required=True,
+    help="externalResources.resources.identifier. E.g. erv2-example",
+    prompt=True,
+)
 @click.pass_context
-def external_resources(ctx):
+def external_resources(
+    ctx, provision_provider: str, provisioner: str, provider: str, identifier: str
+):
     """External resources commands"""
+    ctx.obj["provision_provider"] = provision_provider
+    ctx.obj["provisioner"] = provisioner
+    ctx.obj["provider"] = provider
+    ctx.obj["identifier"] = identifier
+    vault_settings = get_app_interface_vault_settings()
+    ctx.obj["secret_reader"] = create_secret_reader(use_vault=vault_settings.vault)
 
 
 @external_resources.command()
-@click.argument("provision-provider", required=True)
-@click.argument("provisioner", required=True)
-@click.argument("provider", required=True)
-@click.argument("identifier", required=True)
 @click.pass_context
-def get_input(
-    ctx, provision_provider: str, provisioner: str, provider: str, identifier: str
-):
+def get_input(ctx):
     """Gets the input data for an external resource asset. Input data is what is used
-    in the Reconciliation Job to manage the resource.
-
-    e.g: qontract-reconcile --config=<config> external-resources get-input aws app-sre-stage rds dashdotdb-stage
-    """
-    namespaces = [ns for ns in get_namespaces() if ns.external_resources]
-    er_inventory = ExternalResourcesInventory(namespaces)
-
-    spec = er_inventory.get_inventory_spec(
-        provision_provider=provision_provider,
-        provisioner=provisioner,
-        provider=provider,
-        identifier=identifier,
+    in the Reconciliation Job to manage the resource."""
+    erv2cli = Erv2Cli(
+        provision_provider=ctx.obj["provision_provider"],
+        provisioner=ctx.obj["provisioner"],
+        provider=ctx.obj["provider"],
+        identifier=ctx.obj["identifier"],
+        secret_reader=ctx.obj["secret_reader"],
     )
-    vault_settings = get_app_interface_vault_settings()
-    secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    er_settings = get_settings()[0]
-    m_inventory = load_module_inventory(get_modules())
-    factories = setup_factories(er_settings, m_inventory, er_inventory, secret_reader)
-    f = factories.get_factory(spec.provision_provider)
-    resource = f.create_external_resource(spec)
-    f.validate_external_resource(resource)
-    print(resource.json(exclude={"data": {FLAG_RESOURCE_MANAGED_BY_ERV2}}))
+    print(erv2cli.input_data)
 
 
 @external_resources.command()
-@click.argument("provision-provider", required=True)
-@click.argument("provisioner", required=True)
-@click.argument("provider", required=True)
-@click.argument("identifier", required=True)
 @click.pass_context
-def request_reconciliation(
-    ctx, provision_provider: str, provisioner: str, provider: str, identifier: str
-):
+def request_reconciliation(ctx):
     """Marks a resource as it needs to get reconciled. The itegration will reconcile the resource at
-    its next iteration.
+    its next iteration."""
+    erv2cli = Erv2Cli(
+        provision_provider=ctx.obj["provision_provider"],
+        provisioner=ctx.obj["provisioner"],
+        provider=ctx.obj["provider"],
+        identifier=ctx.obj["identifier"],
+        secret_reader=ctx.obj["secret_reader"],
+    )
+    erv2cli.reconcile()
+
+
+@external_resources.command()
+@binary(["terraform"])
+@binary_version("terraform", ["version"], TERRAFORM_VERSION_REGEX, TERRAFORM_VERSION)
+@click.option(
+    "--dry-run/--no-dry-run",
+    help="Enable/Disable dry-run. Default: dry-run enabled!",
+    default=True,
+)
+@click.option(
+    "--skip-build/--no-skip-build",
+    help="Skip/Do not skip the terraform and CDKTF builds. Default: build everything!",
+    default=False,
+)
+@click.pass_context
+def migrate(ctx, dry_run: bool, skip_build: bool) -> None:
+    """Migrate an existing external resource managed by terraform-resources to ERv2.
+
 
-    e.g: e.g: qontract-reconcile --config=<config> external-resources request-reconciliation aws app-sre-stage rds dashdotdb-stage
+    E.g: qontract-reconcile --config=<config> external-resources migrate aws app-sre-stage rds dashdotdb-stage
     """
-    er_settings = get_settings()[0]
-    vault_settings = get_app_interface_vault_settings()
-    secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    with get_aws_api(
-        query_func=gql.get_api().query,
-        account_name=er_settings.state_dynamodb_account.name,
-        region=er_settings.state_dynamodb_region,
-        secret_reader=secret_reader,
-    ) as aws_api:
-        state_manager = ExternalResourcesStateDynamoDB(
-            aws_api=aws_api,
-            table_name=er_settings.state_dynamodb_table,
-        )
-        key = ExternalResourceKey(
-            provision_provider=provision_provider,
-            provisioner_name=provisioner,
-            provider=provider,
-            identifier=identifier,
+    if ctx.obj["provider"] == "rds":
+        # The "random_password" is not an AWS resource. It's just in the outputs and can't be migrated :(
+        raise NotImplementedError("RDS migration is not supported yet!")
+
+    if not Confirm.ask(
+        dedent("""
+            Please disable terraform-resources: [i blue]https://app-interface.unleash.devshift.net/projects/default/features/terraform-resources[/]
+            in Unleash before proceeding!
+
+            Do you want to proceed?"""),
+        default=True,
+    ):
+        sys.exit(0)
+
+    # use a temporary directory in $HOME. The MacOS colima default configuration allows docker mounts from $HOME.
+    tempdir = Path.home() / ".erv2-migration"
+    rich_print(f"Using temporary directory: [b]{tempdir}[/]")
+    tempdir.mkdir(exist_ok=True)
+    temp_erv2 = Path(tempdir) / "erv2"
+    temp_erv2.mkdir(exist_ok=True)
+    temp_tfr = tempdir / "terraform-resources"
+    temp_tfr.mkdir(exist_ok=True)
+
+    with progress_spinner() as progress:
+        with task(progress, "Preparing AWS credentials for CDKTF and local terraform"):
+            # prepare AWS credentials for CDKTF and local terraform
+            credentials_file = tempdir / "credentials"
+            credentials_file.write_text(
+                ctx.obj["secret_reader"].read_with_parameters(
+                    path=f"app-sre/external-resources/{ctx.obj['provisioner']}",
+                    field="credentials",
+                    format=None,
+                    version=None,
+                )
+            )
+        os.environ["AWS_SHARED_CREDENTIALS_FILE"] = str(credentials_file)
+
+        erv2cli = Erv2Cli(
+            provision_provider=ctx.obj["provision_provider"],
+            provisioner=ctx.obj["provisioner"],
+            provider=ctx.obj["provider"],
+            identifier=ctx.obj["identifier"],
+            secret_reader=ctx.obj["secret_reader"],
+            temp_dir=temp_erv2,
+            progress_spinner=progress,
         )
-        current_state = state_manager.get_external_resource_state(key)
-        if current_state.resource_status != ResourceStatus.NOT_EXISTS:
-            state_manager.update_resource_status(
-                key, ResourceStatus.RECONCILIATION_REQUESTED
+
+        with task(progress, "(erv2) Building the terraform configuration"):
+            if not skip_build:
+                # build the CDKTF output
+                erv2cli.build_cdktf(credentials_file)
+            erv2_tf_cli = TerraformCli(
+                temp_erv2, dry_run=dry_run, progress_spinner=progress
             )
-        else:
-            logging.info("External Resource does not exist")
+            if not skip_build:
+                erv2_tf_cli.init()
+
+        with task(
+            progress, "(terraform-resources) Building the terraform configuration"
+        ):
+            # build the terraform-resources output
+            conf_tf = temp_tfr / "conf.tf.json"
+            if not skip_build:
+                tfr.run(
+                    dry_run=True,
+                    print_to_file=str(conf_tf),
+                    account_name=[ctx.obj["provisioner"]],
+                )
+            # remove comments
+            conf_tf.write_text(
+                "\n".join(
+                    line
+                    for line in conf_tf.read_text().splitlines()
+                    if not line.startswith("#")
+                )
+            )
+            tfr_tf_cli = TerraformCli(
+                temp_tfr, dry_run=dry_run, progress_spinner=progress
+            )
+            if not skip_build:
+                tfr_tf_cli.init()
+
+    with progress_spinner() as progress:
+        # start a new spinner instance for clean output
+        erv2_tf_cli.progress_spinner = progress
+        with task(
+            progress,
+            "Migrating the resources from terraform-resources to ERv2",
+        ):
+            erv2_tf_cli.migrate_resources(source=tfr_tf_cli)
+
+    rich_print(f"[b red]Please remove the temporary directory ({tempdir}) manually!")
 
 
 if __name__ == "__main__":

tools/test/test_erv2.py

@@ -0,0 +1,80 @@
+import pytest
+
+from tools.cli_commands.erv2 import TfResource, TfResourceList
+
+
+def test_erv2_model_tfresource_list() -> None:
+    # terraform_resource_list
+    terraform_resource_list = TfResourceList(
+        resources=[
+            TfResource(address="postfix-module.user-1"),
+            TfResource(address="postfix-module.user-2"),
+            TfResource(address="prefix-module.user-1"),
+            TfResource(address="prefix-module.user-2"),
+            TfResource(address="exact-module.identifier"),
+            TfResource(address="something.else"),
+            # real life examples
+            TfResource(
+                address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage"
+            ),
+            TfResource(
+                address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage-another-user"
+            ),
+            TfResource(address="aws_secretsmanager_secret.playground-user"),
+            TfResource(address="aws_secretsmanager_secret.foobar-playground-user"),
+        ]
+    )
+    assert len(terraform_resource_list) == 10
+    # exact match
+    assert terraform_resource_list[TfResource(address="exact-module.identifier")] == [
+        TfResource(address="exact-module.identifier")
+    ]
+    # with postfix
+    assert terraform_resource_list[
+        TfResource(address="postfix-module.user-1-postfix")
+    ] == [TfResource(address="postfix-module.user-1")]
+    # with prefix
+    assert terraform_resource_list[
+        TfResource(address="prefix-module.prefix-user-1")
+    ] == [TfResource(address="prefix-module.user-1")]
+
+    # real life examples
+    assert terraform_resource_list[
+        TfResource(
+            address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage-secret"
+        )
+    ] == [
+        TfResource(
+            address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage"
+        ),
+        TfResource(
+            address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage-another-user"
+        ),
+    ]
+    assert terraform_resource_list[
+        TfResource(
+            address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage-another-user-secret"
+        )
+    ] == [
+        TfResource(
+            address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage"
+        ),
+        TfResource(
+            address="aws_secretsmanager_secret.AmazonMSK_playground-msk-stage-playground-msk-stage-another-user"
+        ),
+    ]
+
+    assert terraform_resource_list[
+        TfResource(address="aws_secretsmanager_secret.secret-foobar-playground-user")
+    ] == [
+        TfResource(address="aws_secretsmanager_secret.playground-user"),
+        TfResource(address="aws_secretsmanager_secret.foobar-playground-user"),
+    ]
+    with pytest.raises(KeyError):
+        # unknown resource type
+        terraform_resource_list[TfResource(address="not.found")]
+
+    assert (
+        terraform_resource_list[TfResource(address="aws_secretsmanager_secret.found")]
+        == []
+    )