qontract-reconcile 0.10.1rc1168__py3-none-any.whl → 0.10.1rc1170__py3-none-any.whl

{qontract_reconcile-0.10.1rc1168.dist-info → qontract_reconcile-0.10.1rc1170.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc1168
+Version: 0.10.1rc1170
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc1168.dist-info → qontract_reconcile-0.10.1rc1170.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=q96mwr2KeEQ5bpNniGlgIMZTxiuLSodcYfX-t
 reconcile/aws_support_cases_sos.py,sha256=hl_9L53yQYRQxKs3IWrd69Cc60XK067g_bJRM9B0udo,2975
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=-RT8biWI5mY9o6gYZ7HxXowePxmxbnfGKKqhMeUdiDc,107720
+reconcile/cli.py,sha256=2W2_vnq68954f-lhNwX3yGgCrofwSbDtAk33b4TnicE,107467
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=rLh16BOlBOxTmJ8Si3wWyyEpmMlhh4Znx1Gc36qsmOc,4865
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=l34QDu1G96_Ctnh7ZXdxXgSeCE93GQMdLAkWxmN6vDA,4775
@@ -46,7 +46,7 @@ reconcile/jenkins_roles.py,sha256=pNNYcnmyDCTVytG2mi3BFhq9A7_3l301oFRQtY_q6S8,44
 reconcile/jenkins_webhooks.py,sha256=K5h0OlCghoHlpot40IRq4BuezfKB1rj4Xk0dCUvqp3o,1952
 reconcile/jenkins_webhooks_cleaner.py,sha256=JsN_NVPfZJwv1JtSzZXDIHUqGiefL-DRffFnDGau9aY,1539
 reconcile/jenkins_worker_fleets.py,sha256=PMNGOX0krubFjInPiFT0za0KCiWBLEcVDuXdKRd1BrE,5378
-reconcile/jira_permissions_validator.py,sha256=t8FBjBJniRMODQNXfoHKst6qLDOzlua6hqy7rm7tmzs,13222
+reconcile/jira_permissions_validator.py,sha256=GSjLwHrstuO4dGb9Oxfmg_9PLLreFsbJJ8WHhUM8FSY,13144
 reconcile/jira_watcher.py,sha256=L_UL2MKm2SoIGNsCLThm28pnqCkoFc154JWsD6bURug,3593
 reconcile/ldap_users.py,sha256=7hdO5CAPl-VNBvDRmKHg13LoblHXXPt7YEKNGomAoGg,3158
 reconcile/mr_client_gateway.py,sha256=WhjMd-sIXDFCV8-rt8CEjurJ5OYB1pOD0K3o0tZRXQg,1885
@@ -94,7 +94,7 @@ reconcile/quay_mirror.py,sha256=mFp4Z5Nwl-DcFbbsJBOB8f9ldohFT-V67o868d5ux1s,1536
 reconcile/quay_mirror_org.py,sha256=utrJpJaKCs7U6WX6DODdfCeB0EmX-lUC8Y5fkmpgFSs,10764
 reconcile/quay_permissions.py,sha256=9KOutS1w4RFQqkvMSy54VtsKNx56-phzP6yI_rEW-B8,4244
 reconcile/quay_repos.py,sha256=cuEYG0HUe0ut5yvLdEwOF5-CmccpXQHRb_wDazvDrvQ,6895
-reconcile/queries.py,sha256=RF3lGuwo_Y6J_NDdb7XN4s9vBWxHPzfTzw_8mCZcwLQ,51542
+reconcile/queries.py,sha256=of54G-Vqy-_deKdZcWs-B9LwxIdhQFUlQ198pBGCp3g,51488
 reconcile/query_validator.py,sha256=MSh5pKLBksws4AqfuvT8nrIGucIbqX-IOzYyPYTLO7k,1491
 reconcile/requests_sender.py,sha256=914iluuF4UVgG3VyxxtnHOu4yf6YKS2fIy6PViSsFTQ,3875
 reconcile/resource_scraper.py,sha256=znXCHrU7YwPfKuxGBiUrV7T1tYtn4vlz9qmZlfy6Flg,2307
@@ -113,7 +113,7 @@ reconcile/terraform_cloudflare_dns.py,sha256=-aLEe2QnH5cJPu7HWqs-R9NmQ1NlFbcVUm0
 reconcile/terraform_cloudflare_resources.py,sha256=pq8Ieo5NmB-dYQ9X2F0s6iEoINMzhiqGw2yQK4ovok4,14980
 reconcile/terraform_cloudflare_users.py,sha256=iyTG5sj20Jg4J4qWJ144KVptfIHGOSfH8wQKxu0imq0,13942
 reconcile/terraform_repo.py,sha256=TKqlodhQGoAtQ6nDm04TNlpx4wpgJ_n4atoUK5Rfd7o,16444
-reconcile/terraform_resources.py,sha256=jpBtp6vezq79jQ7rWdk49_mW-PIUFVzFK54ilVSEZFM,19564
+reconcile/terraform_resources.py,sha256=iufjMJs_aSEvmh7Cg11beCxKmV8nrOLOpEtiTryPNx0,19470
 reconcile/terraform_tgw_attachments.py,sha256=09svJG9pAiwWp4aY0xRoQRV90T4ZNwHG3r8flI-ZS_s,18810
 reconcile/terraform_users.py,sha256=HqSm3ev3b8dZ9J6F_phDZB-FQsnlsdeKp9RPoY1cU94,10188
 reconcile/terraform_vpc_peerings.py,sha256=VLSfuO7FvHN5McopRiKoKJDHCmIhYtlJEHv_hxV5kcM,27669
@@ -525,7 +525,7 @@ reconcile/test/test_gitlab_permissions.py,sha256=aMf5SUeVp-aQ1bWGQPQLYa85auzRlyf
 reconcile/test/test_instrumented_wrappers.py,sha256=CZzhnQH0c4i7-Rxjg7-0dfFMvVPegLHL46z5NHOOCwo,608
 reconcile/test/test_integrations_manager.py,sha256=xpyQAVz57wAbovrcQzAeuyq8VzdItUyW2d2kp1WW_5c,38184
 reconcile/test/test_jenkins_worker_fleets.py,sha256=o1jlT7OBBSgu0M3iI4xMdz_x6SciF7yhNBpLk5gTJfg,2361
-reconcile/test/test_jira_permissions_validator.py,sha256=zhtAL97IkCyY9R29fDRvDCE1z9S7OVQV7gqu-7Vo5-4,16279
+reconcile/test/test_jira_permissions_validator.py,sha256=OA3hcnsH0eYXA4khJO6d1PE7zo2f0vYg73PrCqTzkyo,17646
 reconcile/test/test_jump_host.py,sha256=EeHMhT5rTZgx__R_29mtCBWt-NZCcKsQ6CR-B3xmCps,3284
 reconcile/test/test_ldap_users.py,sha256=_clylG-Qfes8yNb9T3CMaDQovLwyVZlTfJgRtGHARgE,4080
 reconcile/test/test_make.py,sha256=zTdjgq-3idFlec_0qJenk9wWw0QMLvSpJfPsptXmync,677
@@ -687,7 +687,7 @@ reconcile/utils/helpers.py,sha256=womAD2bKPUAFOjHvNPAe_2Hsb-oVTxuQiYPGeR-Thp0,17
 reconcile/utils/imap_client.py,sha256=h8YDiCSCvroErhpH_-KGYI7Y2WU2Q2oSpuxDFbOkSbY,1989
 reconcile/utils/instrumented_wrappers.py,sha256=eVwMoa6FCrYxLv3RML3WpZF9qKVfCTjMxphgVXG03OM,1073
 reconcile/utils/jenkins_api.py,sha256=RaKuZmO7_lbI-hE6c_Pq2a6CQdmBVj7BcP2jR68cIbI,7081
-reconcile/utils/jira_client.py,sha256=VdWJfI9VAK2ZtYHmvuqL635t0S5eYtmBY6zR8R-qr-s,7775
+reconcile/utils/jira_client.py,sha256=oWi7rcAP1C59oIBTPg6kRntI25Zm4e7FyvdVYvZ9RZ8,7881
 reconcile/utils/jjb_client.py,sha256=9Aw4SfV4pBNW5Kj7dGZwakUlwsWuqtAAiSD9o1F4AZA,14524
 reconcile/utils/jsonpath.py,sha256=wdxOMqR-GMpQf5vRPWRMqAF7bCiXDBkkcFfY2U4j_tk,5536
 reconcile/utils/jump_host.py,sha256=svtWy64zZAx7XYY62vu580KgwdatmHjX4-BdxEl58Uw,5158
@@ -727,7 +727,7 @@ reconcile/utils/state.py,sha256=W0_awkLAPX18hNOF_60o73tkPxDUylqbzYNHfl_sDsk,1638
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=LjX2U2E0Dglt2S_KA5jWQ_dVC8sPn4FEAh0xW_d6JTk,35953
-reconcile/utils/terrascript_aws_client.py,sha256=k2N_ojFPhiPwI0KdkPpfgboq7D9OgledxTSwKarHpKM,283460
+reconcile/utils/terrascript_aws_client.py,sha256=q6Ydbjle7K5Z3LYpoRJGXnb50ix6aGN6jLvP2vglPz8,283769
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=pi0PuyopvCq1gW0cldvy1-Ff6bqLUlCKC2MW0sifvSE,15043
@@ -880,8 +880,8 @@ tools/test/test_qontract_cli.py,sha256=iuzKbQ6ahinvjoQmQLBrG4shey0z-1rB6qCgS8T6d
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc1168.dist-info/METADATA,sha256=S5PpMUixHxBbTgNxlV_1wOQVEw9FKiyt5Tw4H9p0Uuc,2213
-qontract_reconcile-0.10.1rc1168.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
-qontract_reconcile-0.10.1rc1168.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc1168.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc1168.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc1170.dist-info/METADATA,sha256=jImSzLQtbCTK_xWaoXSosEFCUSEwNc55O8fQkGPhaxA,2213
+qontract_reconcile-0.10.1rc1170.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
+qontract_reconcile-0.10.1rc1170.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc1170.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc1170.dist-info/RECORD,,

reconcile/cli.py

@@ -1158,18 +1158,12 @@ def jenkins_webhooks_cleaner(ctx):
 
 
 @integration.command(short_help="Validate permissions in Jira.")
-@click.option(
-    "--exit-on-permission-errors/--no-exit-on-permission-errors",
-    help="Throw and error in case of board permission errors. Useful for PR checks.",
-    default=True,
-)
 @enable_extended_early_exit
 @extended_early_exit_cache_ttl_seconds
 @log_cached_log_output
 @click.pass_context
 def jira_permissions_validator(
     ctx,
-    exit_on_permission_errors,
     enable_extended_early_exit,
     extended_early_exit_cache_ttl_seconds,
     log_cached_log_output,
@@ -1179,7 +1173,6 @@ def jira_permissions_validator(
     run_integration(
         reconcile.jira_permissions_validator,
         ctx.obj,
-        exit_on_permission_errors,
         enable_extended_early_exit=enable_extended_early_exit,
         extended_early_exit_cache_ttl_seconds=extended_early_exit_cache_ttl_seconds,
         log_cached_log_output=log_cached_log_output,

reconcile/jira_permissions_validator.py

@@ -61,11 +61,12 @@ class ValidationError(IntFlag):
     PERMISSION_ERROR = auto()
     PUBLIC_PROJECT_NO_SECURITY_LEVEL = auto()
     INVALID_COMPONENT = auto()
+    PROJECT_ARCHIVED = auto()
 
 
 class RunnerParams(TypedDict):
-    exit_on_permission_errors: bool
     boards: list[JiraBoardV1]
+    dry_run: bool
 
 
 class CacheSource(TypedDict):
@@ -82,6 +83,10 @@ def board_is_valid(
 ) -> ValidationError:
     error = ValidationError(0)
     try:
+        if jira.is_archived:
+            logging.error(f"[{board.name}] project is archived")
+            return ValidationError.PROJECT_ARCHIVED
+
         if not jira.can_create_issues():
             logging.error(f"[{board.name}] can not create issues in project")
             error |= ValidationError.CANT_CREATE_ISSUE
@@ -196,11 +201,11 @@ def board_is_valid(
 def validate_boards(
     metrics_container: metrics.MetricsContainer,
     secret_reader: SecretReaderBase,
-    exit_on_permission_errors: bool,
     jira_client_settings: JiraWatcherSettings | None,
     jira_boards: Iterable[JiraBoardV1],
     default_issue_type: str,
     default_reopen_state: str,
+    dry_run: bool,
     jira_client_class: type[JiraClient] = JiraClient,
 ) -> bool:
     error = False
@@ -238,15 +243,15 @@ def validate_boards(
                         ),
                         value=1,
                     )
-                    # don't fail during PR checks at the moment
-                    # this make the transistion to the new integration behaviour much smoother
-                    if exit_on_permission_errors:
+                    if dry_run:
+                        # throw an error for MR checks but not in prod mode
                         error = True
                 case (
-                    ValidationError.PERMISSION_ERROR | ValidationError.CANT_CREATE_ISSUE
+                    ValidationError.CANT_CREATE_ISSUE | ValidationError.PROJECT_ARCHIVED
                 ):
-                    # we can't create jira tickets, and we don't have all needed the permissions
-                    error = True
+                    if dry_run:
+                        # throw an error for MR checks but not in prod mode
+                        error = True
                 case _:
                     error = True
         except Exception as e:
@@ -269,7 +274,6 @@ def export_boards(boards: list[JiraBoardV1]) -> list[dict]:
 
 def run(
     dry_run: bool,
-    exit_on_permission_errors: bool,
     enable_extended_early_exit: bool = False,
     extended_early_exit_cache_ttl_seconds: int = 3600,
     log_cached_log_output: bool = False,
@@ -277,8 +281,8 @@ def run(
     gql_api = gql.get_api()
     boards = get_jira_boards(query_func=gql_api.query)
     runner_params: RunnerParams = {
-        "exit_on_permission_errors": exit_on_permission_errors,
         "boards": boards,
+        "dry_run": dry_run,
     }
     if enable_extended_early_exit and get_feature_toggle_state(
         "jira-permissions-validator-extended-early-exit",
@@ -308,9 +312,7 @@ def run(
         runner(**runner_params)
 
 
-def runner(
-    exit_on_permission_errors: bool, boards: list[JiraBoardV1]
-) -> ExtendedEarlyExitRunnerResult:
+def runner(boards: list[JiraBoardV1], dry_run: bool) -> ExtendedEarlyExitRunnerResult:
     gql_api = gql.get_api()
     settings = get_jira_settings(gql_api=gql_api)
     jiralert_settings = get_jiralert_settings(query_func=gql_api.query)
@@ -321,11 +323,11 @@ def runner(
         error = validate_boards(
             metrics_container=metrics_container,
             secret_reader=secret_reader,
-            exit_on_permission_errors=exit_on_permission_errors,
             jira_client_settings=settings.jira_watcher,
             jira_boards=boards,
             default_issue_type=jiralert_settings.default_issue_type,
             default_reopen_state=jiralert_settings.default_reopen_state,
+            dry_run=dry_run,
         )
 
     if error:

reconcile/queries.py

@@ -102,11 +102,12 @@ APP_INTERFACE_SETTINGS_QUERY = """
       readTimeout
       connectTimeout
     }
-    terraformResourcesProviderExclusionsByProvisioner {
-      provisioner {
-          name
+    terraformResourcesProviderExclusions {
+      provider
+      excludeProvisioners {
+        name
       }
-      excludedProviders
+      excludeAllProvisioners
     }
   }
 }
@@ -2767,12 +2768,13 @@ def get_jenkins_configs():
 
 TF_RESOURCES_PROVIDER_EXCLUSIONS_BY_PROVISIONER = """
 {
-  tf_provider_exclusions_by_provisioner: app_interface_settings_v1 {
-    terraformResourcesProviderExclusionsByProvisioner {
-      provisioner {
-          name
+  tf_provider_exclusions: app_interface_settings_v1 {
+    terraformResourcesProviderExclusions {
+      provider
+      excludeProvisioners {
+        name
       }
-      excludedProviders
+      excludeAllProvisioners
     }
   }
 }
@@ -2784,13 +2786,10 @@ def get_tf_resources_provider_exclusions_by_provisioner() -> (
 ):
     gqlapi = gql.get_api()
     settings = gqlapi.query(TF_RESOURCES_PROVIDER_EXCLUSIONS_BY_PROVISIONER)[
-        "tf_provider_exclusions_by_provisioner"
+        "tf_provider_exclusions"
     ]
-    if (
-        len(settings) == 1
-        and "terraformResourcesProviderExclusionsByProvisioner" in settings[0]
-    ):
-        return settings[0]["terraformResourcesProviderExclusionsByProvisioner"]
+    if len(settings) == 1 and "terraformResourcesProviderExclusions" in settings[0]:
+        return settings[0]["terraformResourcesProviderExclusions"]
     return None
 
 

reconcile/terraform_resources.py

@@ -266,13 +266,11 @@ def setup(
         ocm_map = None
     tf_namespaces_dicts = [ns.dict(by_alias=True) for ns in tf_namespaces]
 
-    provider_exclusions_by_provisioner = (
-        settings.get("terraformResourcesProviderExclusionsByProvisioner") or []
-    )
+    provider_exclusions = settings.get("terraformResourcesProviderExclusions") or []
     ts.init_populate_specs(
         tf_namespaces_dicts,
         account_names,
-        provider_exclusions_by_provisioner=provider_exclusions_by_provisioner,
+        provider_exclusions,
     )
     tf.populate_terraform_output_secrets(
         resource_specs=ts.resource_spec_inventory, init_rds_replica_source=True

reconcile/test/test_jira_permissions_validator.py

@@ -93,7 +93,7 @@ def test_jira_permissions_validator_get_jira_boards(
 
 
 @pytest.mark.parametrize(
-    "board_is_valid, exit_on_permission_errors, error_returned, metric_set",
+    "board_is_valid, dry_run, error_returned, metric_set",
     [
         (0, True, False, False),
         (ValidationError.CANT_CREATE_ISSUE, True, True, False),
@@ -104,19 +104,11 @@ def test_jira_permissions_validator_get_jira_boards(
         (ValidationError.INVALID_PRIORITY, True, True, False),
         (ValidationError.PUBLIC_PROJECT_NO_SECURITY_LEVEL, True, True, False),
         (ValidationError.PERMISSION_ERROR, True, True, True),
-        # special case: CANT_CREATE_ISSUE and PERMISSION_ERROR
-        (
-            ValidationError.CANT_CREATE_ISSUE | ValidationError.PERMISSION_ERROR,
-            True,
-            True,
-            False,
-        ),
-        (
-            ValidationError.CANT_CREATE_ISSUE | ValidationError.PERMISSION_ERROR,
-            False,
-            True,
-            False,
-        ),
+        (ValidationError.PROJECT_ARCHIVED, True, True, False),
+        # no dry-run
+        (ValidationError.CANT_CREATE_ISSUE, False, False, False),
+        (ValidationError.PERMISSION_ERROR, False, False, True),
+        (ValidationError.PROJECT_ARCHIVED, False, False, False),
         # test with another error
         (
             ValidationError.INVALID_PRIORITY | ValidationError.PERMISSION_ERROR,
@@ -137,7 +129,7 @@ def test_jira_permissions_validator_validate_boards(
     boards: list[JiraBoardV1],
     secret_reader: Mock,
     board_is_valid: ValidationError,
-    exit_on_permission_errors: bool,
+    dry_run: bool,
     error_returned: bool,
     metric_set: bool,
 ) -> None:
@@ -151,11 +143,11 @@ def test_jira_permissions_validator_validate_boards(
         validate_boards(
             metrics_container=metrics_container_mock,
             secret_reader=secret_reader,
-            exit_on_permission_errors=exit_on_permission_errors,
             jira_client_settings=None,
             jira_boards=boards,
             default_issue_type="task",
             default_reopen_state="new",
+            dry_run=dry_run,
             jira_client_class=jira_client_class,
         )
         == error_returned
@@ -192,6 +184,7 @@ def test_jira_permissions_validator_board_is_valid_happy_path(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.return_value = True
     jira_client.can_transition_issues.return_value = True
     jira_client.project_issue_types.return_value = [
@@ -239,6 +232,7 @@ def test_jira_permissions_validator_board_is_valid_all_errors(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.return_value = False
     jira_client.can_transition_issues.return_value = False
     jira_client.project_issue_types.return_value = []
@@ -290,6 +284,7 @@ def test_jira_permissions_validator_board_is_valid_bad_issue_status(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.return_value = True
     jira_client.can_transition_issues.return_value = True
     jira_client.project_issue_types.return_value = [
@@ -340,6 +335,7 @@ def test_jira_permissions_validator_board_is_valid_public_project(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.return_value = True
     jira_client.can_transition_issues.return_value = True
     jira_client.project_issue_types.return_value = [
@@ -390,6 +386,7 @@ def test_jira_permissions_validator_board_is_valid_permission_error(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.side_effect = JIRAError(status_code=403)
     assert (
         board_is_valid(
@@ -430,6 +427,7 @@ def test_jira_permissions_validator_board_is_valid_exception(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.side_effect = JIRAError(status_code=500)
     with pytest.raises(JIRAError):
         board_is_valid(
@@ -468,6 +466,7 @@ def test_jira_permissions_validator_board_is_valid_exception_401(
         },
     )
     jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = False
     jira_client.can_create_issues.side_effect = JIRAError(status_code=401)
     # no error for 401
     board_is_valid(
@@ -478,3 +477,43 @@ def test_jira_permissions_validator_board_is_valid_exception_401(
         jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
         public_projects=[],
     )
+
+
+def test_jira_permissions_validator_board_is_valid_archived(
+    mocker: MockerFixture, gql_class_factory: Callable
+) -> None:
+    board = gql_class_factory(
+        JiraBoardV1,
+        {
+            "name": "jira-board-default",
+            "server": {
+                "serverUrl": "https://jira-server.com",
+                "token": {"path": "vault/path/token", "field": "token"},
+            },
+            "issueType": "bug",
+            "issueResolveState": "Closed",
+            "issueReopenState": "Open",
+            "issueSecurityId": "32168",
+            "severityPriorityMappings": {
+                "name": "major-major",
+                "mappings": [
+                    {"priority": "Minor"},
+                    {"priority": "Major"},
+                    {"priority": "Critical"},
+                ],
+            },
+        },
+    )
+    jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.is_archived = True
+    assert (
+        board_is_valid(
+            jira=jira_client,
+            board=board,
+            default_issue_type="task",
+            default_reopen_state="new",
+            jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
+            public_projects=[],
+        )
+        == ValidationError.PROJECT_ARCHIVED
+    )

reconcile/utils/jira_client.py

@@ -241,3 +241,7 @@ class JiraClient:
     def components(self) -> list[str]:
         """Return a list of all components for the project."""
         return [c.name for c in self.jira.project_components(self.project)]
+
+    @property
+    def is_archived(self) -> bool:
+        return self.jira.project(self.project).archived

reconcile/utils/terrascript_aws_client.py

@@ -9,7 +9,7 @@ import string
 import tempfile
 from collections import Counter
 from collections.abc import Iterable, Mapping, MutableMapping
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 from ipaddress import (
     ip_address,
     ip_network,
@@ -379,6 +379,12 @@ class ElasticSearchLogGroupInfo:
     log_group_identifier: str
 
 
+@dataclass
+class Exclusion:
+    all: bool = False
+    provisioners: set[str] = field(default_factory=set)
+
+
 class ProviderExcludedError(Exception):
     def __init__(self, spec: ExternalResourceSpec) -> None:
         super().__init__(
@@ -1543,38 +1549,49 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             for spec in specs:
                 self.populate_tf_resources(spec, ocm_map=ocm_map)
 
-    def _get_provisioner_provider_exclusions(
+    def _is_provisioner_excluded(
         self,
         spec: ExternalResourceSpec,
-        provider_exclusions_by_provisioner_name: Mapping[str, Iterable[str]],
-    ) -> list[str]:
-        return list(
-            provider_exclusions_by_provisioner_name.get(spec.provisioner["name"], [])
-        )
+        provider_exclusions: Mapping[str, Exclusion],
+    ) -> bool:
+        e = provider_exclusions.get(spec.provider)
+        if not e:
+            return False
+        return e.all or spec.provisioner_name in e.provisioners
 
     def _filter_specs_managed_by_erv2(
         self,
         specs: Iterable[ExternalResourceSpec],
-        provider_exclusions_by_provisioner_name: Mapping[str, Iterable[str]],
+        provider_exclusions: Mapping[str, Exclusion],
     ) -> list[ExternalResourceSpec]:
-        filtered_specs: list[ExternalResourceSpec] = []
-        for spec in specs:
-            if spec.resource.get("managed_by_erv2"):
-                continue
+        filtered_specs = [
+            spec for spec in specs if not spec.resource.get("managed_by_erv2")
+        ]
 
-            if spec.provider in self._get_provisioner_provider_exclusions(
-                spec, provider_exclusions_by_provisioner_name
-            ):
+        for spec in filtered_specs:
+            if self._is_provisioner_excluded(spec, provider_exclusions):
                 raise ProviderExcludedError(spec)
 
-            filtered_specs.append(spec)
         return filtered_specs
 
+    def _get_provider_exclusions_query_dict(
+        self, provider_exclusions: Iterable[Mapping[str, Any]]
+    ) -> dict[str, Exclusion]:
+        return {
+            item["provider"]: Exclusion(
+                all=item.get("excludeAllProvisioners") or False,
+                provisioners={
+                    p["name"] for p in (item.get("excludeProvisioners") or [])
+                },
+            )
+            for item in provider_exclusions
+        }
+
     def init_populate_specs(
         self,
         namespaces: Iterable[Mapping[str, Any]],
         account_names: Iterable[str] | None,
-        provider_exclusions_by_provisioner: Iterable[Mapping[str, Any]] | None = None,
+        provider_exclusions: Iterable[Mapping[str, Any]] | None = None,
     ) -> None:
         """
         Initiates resource specs from the definitions in app-interface
@@ -1586,15 +1603,14 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         self.resource_spec_inventory: ExternalResourceSpecInventory = {}
 
         # Ensure provider exclusions are fetched
-        if provider_exclusions_by_provisioner is None:
-            provider_exclusions_by_provisioner = (
+        if provider_exclusions is None:
+            provider_exclusions = (
                 queries.get_tf_resources_provider_exclusions_by_provisioner() or []
             )
 
-        provider_exclusions_by_provisioner_name = {
-            p["provisioner"]["name"]: p["excludedProviders"]
-            for p in provider_exclusions_by_provisioner or []
-        }
+        provider_exclusions_query_dict = self._get_provider_exclusions_query_dict(
+            provider_exclusions
+        )
 
         for namespace_info in namespaces:
             all_specs = get_external_resource_specs(
@@ -1602,7 +1618,7 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
                 provision_provider=PROVIDER_AWS,
             )
             specs = self._filter_specs_managed_by_erv2(
-                all_specs, provider_exclusions_by_provisioner_name
+                all_specs, provider_exclusions_query_dict
             )
             name_counter = Counter(spec.output_resource_name for spec in specs)
             duplicates = [name for name, count in name_counter.items() if count > 1]