qontract-reconcile 0.10.1rc449__py3-none-any.whl → 0.10.1rc451__py3-none-any.whl

{qontract_reconcile-0.10.1rc449.dist-info → qontract_reconcile-0.10.1rc451.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc449
+Version: 0.10.1rc451
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc449.dist-info → qontract_reconcile-0.10.1rc451.dist-info}/RECORD

@@ -563,7 +563,7 @@ reconcile/utils/state.py,sha256=-a3fOnGZnDRcTXw9Hg3QtGdKePGtnmoCkPeCt-5HgbE,1367
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=qlD7YJjHnxwAvos-9eS40PwzvDfXpt8y00_inNbSbRg,31760
-reconcile/utils/terrascript_aws_client.py,sha256=wYchxDASjewg1-sNd4eB_1xhkTLr0irhxj7VQGU2Cnk,260666
+reconcile/utils/terrascript_aws_client.py,sha256=b9h3bK2l_-nDQ34IrKVqI3WPVqz3zrj93tE-d6E2Qnw,261092
 reconcile/utils/three_way_diff_strategy.py,sha256=xXCWflCzM7KdWuDGzZrv6hZhQJWZ0QGDYoeLLcH-N0c,4470
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/unleash.py,sha256=PboEYjJlLws6SbxAqKuv1yBUXQTD1NPkf36NhMQMFmQ,3584
@@ -646,8 +646,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=dmEcNwZltP1rd_4DbxIYakO
 tools/test/test_qontract_cli.py,sha256=awwTHEc2DWlykuqGIYM0WOBoSL0KRnOraCLk3C7izis,1401
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc449.dist-info/METADATA,sha256=E2bO2KPEa-O0CBcDnYqJkEyOOndI0tpzL0CDdBumIDM,2348
-qontract_reconcile-0.10.1rc449.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc449.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc449.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc449.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc451.dist-info/METADATA,sha256=lZenUyoPN4t7tnYYZMjWDSUB5rfs5ckx40NGP-A6t_o,2348
+qontract_reconcile-0.10.1rc451.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc451.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc451.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc451.dist-info/RECORD,,

reconcile/utils/terrascript_aws_client.py

@@ -2854,8 +2854,56 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         bucket_policy_tf_resource = aws_s3_bucket_policy(identifier, **values)
         tf_resources.append(bucket_policy_tf_resource)
 
-        # cloud front distribution
         values = common_values.get("distribution_config", {})
+        # aws_s3_bucket_acl
+        if "logging_config" in values.keys():
+            # we could set this at a global level with a standard name like "cloudfront"
+            # but we need all aws accounts upgraded to aws provider >3.60 first
+            tf_resources.append(
+                aws_cloudfront_log_delivery_canonical_user_id(identifier)
+            )
+
+            logging_config_bucket = values["logging_config"]
+            acl_values = {}
+            access_control_policy = {
+                "owner": {
+                    "id": "${data.aws_canonical_user_id.current.id}",
+                },
+                "grant": [
+                    {
+                        "grantee": {
+                            "id": "${data.aws_canonical_user_id.current.id}",
+                            "type": "CanonicalUser",
+                        },
+                        "permission": "FULL_CONTROL",
+                    },
+                    {
+                        "grantee": {
+                            # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
+                            "id": f"${{data.aws_cloudfront_log_delivery_canonical_user_id.{identifier}.id}}",
+                            "type": "CanonicalUser",
+                        },
+                        "permission": "FULL_CONTROL",
+                    },
+                ],
+            }
+            external_account_id = logging_config_bucket.pop("external_account_id", None)
+            if external_account_id:
+                external_account_policy = {
+                    "grantee": {
+                        "id": external_account_id,
+                        "type": "CanonicalUser",
+                    },
+                    "permission": "FULL_CONTROL",
+                }
+                access_control_policy["grant"].append(external_account_policy)
+            acl_values["access_control_policy"] = access_control_policy
+            acl_values["bucket"] = logging_config_bucket.get("bucket").split(".")[0]
+
+            aws_s3_bucket_acl_resource = aws_s3_bucket_acl(identifier, **acl_values)
+            tf_resources.append(aws_s3_bucket_acl_resource)
+
+        # cloud front distribution
         values["tags"] = common_values["tags"]
         values.setdefault("default_cache_behavior", {}).setdefault(
             "target_origin_id", "default"
@@ -2894,45 +2942,6 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         )
         tf_resources.append(Output(output_name_0_13, value=output_value))
 
-        # aws_s3_bucket_acl
-        values = common_values.get("distribution_config", {})
-        if "logging_config" in values.keys():
-            # we could set this at a global level with a standard name like "cloudfront"
-            # but we need all aws accounts upgraded to aws provider >3.60 first
-            tf_resources.append(
-                aws_cloudfront_log_delivery_canonical_user_id(identifier)
-            )
-
-            logging_config_bucket = values["logging_config"]
-            values = {}
-            access_control_policy = {
-                "owner": {
-                    "id": "${data.aws_canonical_user_id.current.id}",
-                },
-                "grant": [
-                    {
-                        "grantee": {
-                            "id": "${data.aws_canonical_user_id.current.id}",
-                            "type": "CanonicalUser",
-                        },
-                        "permission": "FULL_CONTROL",
-                    },
-                    {
-                        "grantee": {
-                            # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
-                            "id": f"${{data.aws_cloudfront_log_delivery_canonical_user_id.{identifier}.id}}",
-                            "type": "CanonicalUser",
-                        },
-                        "permission": "FULL_CONTROL",
-                    },
-                ],
-            }
-            values["access_control_policy"] = access_control_policy
-            values["bucket"] = logging_config_bucket.get("bucket").split(".")[0]
-
-            aws_s3_bucket_acl_resource = aws_s3_bucket_acl(identifier, **values)
-            tf_resources.append(aws_s3_bucket_acl_resource)
-
         self.add_resources(account, tf_resources)
 
     def populate_tf_resource_s3_sqs(self, spec):