PyPI - qontract-reconcile - Versions diffs - 0.10.1rc471__py3-none-any.whl → 0.10.1rc473__py3-none-any.whl - Mend

qontract-reconcile 0.10.1rc471py3-none-any.whl → 0.10.1rc473py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

{qontract_reconcile-0.10.1rc471.dist-info → qontract_reconcile-0.10.1rc473.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc471
+Version: 0.10.1rc473
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc471.dist-info → qontract_reconcile-0.10.1rc473.dist-info}/RECORD RENAMED Viewed

@@ -44,7 +44,7 @@ reconcile/jenkins_roles.py,sha256=f8ELpZY36UjoaCpR_9LijQuIMuB6a7sVLFf_H1ct9Hc,44
 reconcile/jenkins_webhooks.py,sha256=j8vhJMWcRhOdc9XzRSm0CPj84jsF3e4Syjm7r1BIsDE,1978
 reconcile/jenkins_webhooks_cleaner.py,sha256=JsN_NVPfZJwv1JtSzZXDIHUqGiefL-DRffFnDGau9aY,1539
 reconcile/jenkins_worker_fleets.py,sha256=PMNGOX0krubFjInPiFT0za0KCiWBLEcVDuXdKRd1BrE,5378
-reconcile/jira_permissions_validator.py,sha256=97gn28OxY0asXlI0OH5OQ-1gzQx9LcHGuZTT-gPa_S4,9884
+reconcile/jira_permissions_validator.py,sha256=kLRG9N441uN5lrLCx8QQBTS8knDdr87von_JjfyJ6X4,10177
 reconcile/jira_watcher.py,sha256=eyOQ92t8TFi6gogfNTO448h_h1CUyr24E0MPHc51R-o,3617
 reconcile/ldap_users.py,sha256=uEWQ0V41tN9KCZi4ZKPamjrJ6djSpdpvDBo7yJ0e7ZI,3008
 reconcile/mr_client_gateway.py,sha256=WhjMd-sIXDFCV8-rt8CEjurJ5OYB1pOD0K3o0tZRXQg,1885
@@ -265,6 +265,7 @@ reconcile/gql_definitions/quay_membership/__init__.py,sha256=47DEQpj8HBSa-_TImW-
 reconcile/gql_definitions/quay_membership/quay_membership.py,sha256=H2xHvdNr3K0QzB2dituwStUIWCqePt35dkgeUZycECM,2824
 reconcile/gql_definitions/rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/rhidp/organizations.py,sha256=8KVbWyvjDlvn-VGpYF06f4ZH6_PZMNCCZ8fa9W0s-Tk,2553
+reconcile/gql_definitions/saas_auto_promotions_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/service_dependencies/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/service_dependencies/jenkins_instance_fragment.py,sha256=gEcYRrdhGKG83cOpGEnecE0mCxpQHLRzXFCp5FBIhLA,699
 reconcile/gql_definitions/service_dependencies/service_dependencies.py,sha256=CpMq9KjhFA61yniLo_11ypVInoeMBXbNmcY7_VAep-0,4700
@@ -289,7 +290,7 @@ reconcile/gql_definitions/terraform_cloudflare_dns/app_interface_cloudflare_dns_
 reconcile/gql_definitions/terraform_cloudflare_dns/terraform_cloudflare_zones.py,sha256=uVZYu5EUcvdAQYBK5YKD0mjoMKDb5inSuCJrrOD5KpE,5704
 reconcile/gql_definitions/terraform_cloudflare_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_cloudflare_resources/terraform_cloudflare_accounts.py,sha256=WHMyQlosDCby7p1wWd3PXpmooSeEZyR8CgRDP49bunU,3641
-reconcile/gql_definitions/terraform_cloudflare_resources/terraform_cloudflare_resources.py,sha256=1wxnMo4xV0jMpLQ3IhSVD5LygXeuhuYEai64Dlp7jUY,11223
+reconcile/gql_definitions/terraform_cloudflare_resources/terraform_cloudflare_resources.py,sha256=YWjhWTjOR7B-RsX5gPt1PbRfYDzxPqncNq4vmVHpIQ0,12313
 reconcile/gql_definitions/terraform_cloudflare_users/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_cloudflare_users/app_interface_setting_cloudflare_and_vault.py,sha256=KFey-0ItgpGPeIwViGKqb55HAFJoKdi3eCNSIzf6Rc8,1960
 reconcile/gql_definitions/terraform_cloudflare_users/terraform_cloudflare_roles.py,sha256=1KiTikTKSSRYmISN8tY29rJ_fVtgBnT7sK85IJjN420,4027
@@ -423,7 +424,7 @@ reconcile/test/test_sql_query.py,sha256=rC-lf1_isT9i2ZIV9W0hkUkLi2oBIjZMRMhk-6mV
 reconcile/test/test_status_board.py,sha256=WdAq4pFoWWqcOcfgMzssZD3xfvT1QLrEHJqUARldtvA,7875
 reconcile/test/test_terraform_aws_route53.py,sha256=xHggb8K1P76OyCfFcogbkmyKle-NlUylcbDnuv3IqvY,771
 reconcile/test/test_terraform_cloudflare_dns.py,sha256=aQTXX8Vr4h9aWvJZTnpZEhMGYoBpT2d45ZxU_ECIQ6o,3425
-reconcile/test/test_terraform_cloudflare_resources.py,sha256=siUPsLvHs-Bmt2df3-zI0v1L76lweALTQjI3xxsmMN4,9248
+reconcile/test/test_terraform_cloudflare_resources.py,sha256=NK_uktyWihkQ3gMN4bCaKerpi43CXAVYGIKTfcz05rY,13550
 reconcile/test/test_terraform_cloudflare_users.py,sha256=RAFtMMdqZha3jNnNNsqbNQQUDSqUzdoM63rCw7fs4Fo,27456
 reconcile/test/test_terraform_repo.py,sha256=soKFJfF8tWIimDs39RQl3Hnh-Od-bR4PfnEA2s1UprM,11552
 reconcile/test/test_terraform_resources.py,sha256=1ny_QSFuRjV9jxZY8EeT4NVJ5dMv7cLrEEIx_cBpjgk,9075
@@ -627,7 +628,7 @@ reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79
 reconcile/utils/terraform/config_client.py,sha256=py-Ree-QUYD6Hvng6bM40VgSuttteehIKNgwOSoJO1o,4706
 reconcile/utils/terrascript/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/terrascript/cloudflare_client.py,sha256=EOmAnrgSUZz-UZB7x6TFd4WGk0huWZm2hh29Cueiyr8,10278
-reconcile/utils/terrascript/cloudflare_resources.py,sha256=GQO1KJb19bcxwUdZM3_O24afailfHewtOIs_FTNJVUM,14189
+reconcile/utils/terrascript/cloudflare_resources.py,sha256=ZvmFqE-Atki6ehMA4iirYqpml4bCPHdddq8lu58udGA,15952
 reconcile/utils/terrascript/models.py,sha256=x9HReI0k71MHBpRTvvmPlE0G6rri5GTzPXM9cqyTWm0,475
 reconcile/utils/terrascript/resources.py,sha256=bQzglnO41KZZEIeXYgi-qlup1p8R03Qyx_V944LRPsc,1391
 release/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -649,8 +650,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=awwTHEc2DWlykuqGIYM0WOBoSL0KRnOraCLk3C7izis,1401
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc471.dist-info/METADATA,sha256=a5MSyt0Nn1ylTv3VJ8Dg_fTqg-KFOBshD57-Hd9QGXk,2348
-qontract_reconcile-0.10.1rc471.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc471.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc471.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc471.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc473.dist-info/METADATA,sha256=Rnigg-CBRz8a3ixHxvm6IblRrV35SbamdffbAThCeJM,2348
+qontract_reconcile-0.10.1rc473.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc473.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc473.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc473.dist-info/RECORD,,

reconcile/gql_definitions/saas_auto_promotions_manager/__init__.py ADDED Viewed

File without changes

reconcile/gql_definitions/terraform_cloudflare_resources/terraform_cloudflare_resources.py CHANGED Viewed

@@ -67,6 +67,7 @@ query TerraformCloudflareResources {
     }
     managedExternalResources
     externalResources {
+      provider
       ... on NamespaceTerraformProviderResourceCloudflare_v1 {
         provider
         provisioner {
@@ -128,6 +129,20 @@ query TerraformCloudflareResources {
               cloudflare_branding
               wait_for_active_status
             }
+            custom_ssl_certificates {
+              identifier
+              type
+              bundle_method
+              geo_restrictions
+              certificate_secret {
+                certificate {
+                  ... VaultSecret
+                }
+                key {
+                  ... VaultSecret
+                }
+              }
+            }
           }
           ... on NamespaceTerraformResourceLogpushOwnershipChallenge_v1
           {
@@ -190,7 +205,7 @@ class ClusterV1(ConfiguredBaseModel):
 class NamespaceExternalResourceV1(ConfiguredBaseModel):
-    ...
+    provider: str = Field(..., alias="provider")
 class CloudflareAccountV1(ConfiguredBaseModel):
@@ -258,6 +273,19 @@ class CloudflareZoneCertificateV1(ConfiguredBaseModel):
     wait_for_active_status: Optional[bool] = Field(..., alias="wait_for_active_status")
+class CertificateSecretV1(ConfiguredBaseModel):
+    certificate: VaultSecret = Field(..., alias="certificate")
+    key: VaultSecret = Field(..., alias="key")
+class CloudflareCustomSSLCertificateV1(ConfiguredBaseModel):
+    identifier: str = Field(..., alias="identifier")
+    q_type: str = Field(..., alias="type")
+    bundle_method: Optional[str] = Field(..., alias="bundle_method")
+    geo_restrictions: Optional[str] = Field(..., alias="geo_restrictions")
+    certificate_secret: CertificateSecretV1 = Field(..., alias="certificate_secret")
 class NamespaceTerraformResourceCloudflareZoneV1(NamespaceTerraformResourceCloudflareV1):
     identifier: str = Field(..., alias="identifier")
     zone: str = Field(..., alias="zone")
@@ -270,6 +298,7 @@ class NamespaceTerraformResourceCloudflareZoneV1(NamespaceTerraformResourceCloud
     records: Optional[list[CloudflareDnsRecordV1]] = Field(..., alias="records")
     workers: Optional[list[CloudflareZoneWorkerV1]] = Field(..., alias="workers")
     certificates: Optional[list[CloudflareZoneCertificateV1]] = Field(..., alias="certificates")
+    custom_ssl_certificates: Optional[list[CloudflareCustomSSLCertificateV1]] = Field(..., alias="custom_ssl_certificates")
 class NamespaceTerraformResourceLogpushOwnershipChallengeV1(NamespaceTerraformResourceCloudflareV1):

reconcile/jira_permissions_validator.py CHANGED Viewed

@@ -128,16 +128,23 @@ def board_is_valid(
                 error |= ValidationError.INVALID_SECURITY_LEVEL
         project_priorities = jira.project_priority_scheme()
+        # get the priority names from the project priorities ids
+        project_priorities_names = [
+            p_name
+            for project_p_id in project_priorities
+            for p_name, p_id in jira_server_priorities.items()
+            if p_id == project_p_id
+        ]
         for priority in board.severity_priority_mappings.mappings:
             if priority.priority not in jira_server_priorities:
                 logging.error(
-                    f"[{board.name}] {priority.priority} is not a valid Jira priority. Valid priorities: {project_priorities}"
+                    f"[{board.name}] {priority.priority} is not a valid Jira priority. Valid priorities: {project_priorities_names}"
                 )
                 error |= ValidationError.INVALID_PRIORITY
                 continue
             if jira_server_priorities[priority.priority] not in project_priorities:
                 logging.error(
-                    f"[{board.name}] {priority.priority} is not a valid priority in project. Valid priorities: {project_priorities}"
+                    f"[{board.name}] {priority.priority} is not a valid priority in project. Valid priorities: {project_priorities_names}"
                 )
                 error |= ValidationError.INVALID_PRIORITY
     except JIRAError as e:

reconcile/test/test_terraform_cloudflare_resources.py CHANGED Viewed

@@ -1,4 +1,5 @@
 import logging
+from unittest.mock import call
 import pytest
@@ -18,7 +19,9 @@ from reconcile.gql_definitions.terraform_cloudflare_resources.terraform_cloudfla
     CloudflareAccountV1 as CFAccountV1,
 )
 from reconcile.gql_definitions.terraform_cloudflare_resources.terraform_cloudflare_resources import (
+    CertificateSecretV1,
     CloudflareAccountV1,
+    CloudflareCustomSSLCertificateV1,
     CloudflareDnsRecordV1,
     CloudflareZoneArgoV1,
     CloudflareZoneCacheReserveV1,
@@ -31,6 +34,10 @@ from reconcile.gql_definitions.terraform_cloudflare_resources.terraform_cloudfla
     NamespaceV1,
     TerraformCloudflareResourcesQueryData,
 )
+from reconcile.status import ExitCodes
+from reconcile.utils.secret_reader import (
+    SecretReaderBase,
+)
 @pytest.fixture
@@ -72,7 +79,7 @@ def external_resources(provisioner_config):
         provisioner=provisioner_config,
         resources=[
             NamespaceTerraformResourceCloudflareZoneV1(
-                provider="cloudflare_zone",
+                provider="zone",
                 identifier="testzone-com",
                 zone="testzone.com",
                 plan="enterprise",
@@ -115,6 +122,28 @@ def external_resources(provisioner_config):
                         wait_for_active_status=False,
                     )
                 ],
+                custom_ssl_certificates=[
+                    CloudflareCustomSSLCertificateV1(
+                        identifier="testcustomssl",
+                        type="legacy_custom",
+                        bundle_method="ubiquitous",
+                        geo_restrictions="us",
+                        certificate_secret=CertificateSecretV1(
+                            certificate=VaultSecret(
+                                path="certificate/secret/cert/path",
+                                field="certificate.crt",
+                                format="plain",
+                                version=1,
+                            ),
+                            key=VaultSecret(
+                                path="certificate/secret/key/path",
+                                field="certificate.key",
+                                format="plain",
+                                version=1,
+                            ),
+                        ),
+                    )
+                ],
             ),
         ],
     )
@@ -126,12 +155,51 @@ def mock_gql(mocker):
 @pytest.fixture
-def mock_vault_secret(mocker):
-    mocked_vault_secret = mocker.patch(
+def mock_app_interface_vault_settings(mocker):
+    mocked_app_interface_vault_settings = mocker.patch(
         "reconcile.terraform_cloudflare_resources.get_app_interface_vault_settings",
         autospec=True,
     )
-    mocked_vault_secret.return_value = AppInterfaceSettingsV1(vault=False)
+    mocked_app_interface_vault_settings.return_value = AppInterfaceSettingsV1(
+        vault=True
+    )
+def secret_reader_side_effect(*args):
+    if {
+        "path": "aws-account-path",
+        "field": "token",
+        "version": 1,
+        "q_format": "plain",
+    } == args[0]:
+        aws_acct_creds = {}
+        aws_acct_creds["aws_access_key_id"] = "key_id"
+        aws_acct_creds["aws_secret_access_key"] = "access_key"
+        return aws_acct_creds
+    if {
+        "path": "cf-account-path",
+        "field": "key",
+        "version": 1,
+        "q_format": "plain",
+    } == args[0]:
+        cf_acct_creds = {}
+        cf_acct_creds["api_token"] = "api_token"
+        cf_acct_creds["account_id"] = "account_id"
+        return cf_acct_creds
+@pytest.fixture
+def mock_create_secret_reader(mocker):
+    secret_reader = mocker.Mock(SecretReaderBase)
+    secret_reader.read_all_secret.side_effect = secret_reader_side_effect
+    mocked_create_secret_reader = mocker.patch(
+        "reconcile.terraform_cloudflare_resources.create_secret_reader",
+        autospec=True,
+    )
+    mocked_create_secret_reader.return_value = secret_reader
 @pytest.fixture
@@ -147,26 +215,27 @@ def mock_cloudflare_accounts(mocker):
                     name="cfaccount",
                     providerVersion="0.33.x",
                     apiCredentials=VaultSecret(
-                        path="somepath",
+                        path="cf-account-path",
                         field="key",
                         version=1,
-                        format="??",
+                        format="plain",
                     ),
                     terraformStateAccount=AWSAccountV1(
                         name="awsaccoutn",
                         automationToken=VaultSecret(
-                            path="someotherpath",
+                            path="aws-account-path",
                             field="token",
                             version=1,
-                            format="",
+                            format="plain",
                         ),
                         terraformState=TerraformStateAWSV1(
-                            provider="",
-                            bucket="",
-                            region="",
+                            provider="s3",
+                            bucket="app-interface",
+                            region="us-east-1",
                             integrations=[
                                 AWSTerraformStateIntegrationsV1(
-                                    integration="terraform-cloudflare-resources", key=""
+                                    integration="terraform-cloudflare-resources",
+                                    key="somekey.tfstate",
                                 )
                             ],
                         ),
@@ -183,16 +252,29 @@ def mock_cloudflare_accounts(mocker):
 @pytest.fixture
-def mock_cloudflare_resources(mocker, external_resources):
+def mock_cloudflare_resources(mocker, query_data):
     mocked_cloudflare_resources = mocker.patch(
         "reconcile.terraform_cloudflare_resources.terraform_cloudflare_resources",
         autospec=True,
     )
-    mocked_cloudflare_resources.query.return_value = external_resources
+    mocked_cloudflare_resources.query.return_value = query_data
+@pytest.fixture
+def mock_terraform_client(mocker):
+    mocked_tf_client = mocker.patch(
+        "reconcile.terraform_cloudflare_resources.TerraformClient", autospec=True
+    )
+    mocked_tf_client.return_value.plan.return_value = False, None
+    return mocked_tf_client
 def test_cloudflare_accounts_validation(
-    mocker, caplog, mock_gql, mock_vault_secret, mock_cloudflare_resources
+    mocker,
+    caplog,
+    mock_gql,
+    mock_app_interface_vault_settings,
+    mock_cloudflare_resources,
 ):
     # Mocking accounts with an empty response
     mocked_cloudflare_accounts = mocker.patch(
@@ -212,14 +294,17 @@ def test_cloudflare_accounts_validation(
 def test_namespace_validation(
-    mocker, caplog, mock_gql, mock_vault_secret, mock_cloudflare_accounts
+    mocker,
+    caplog,
+    mock_gql,
+    mock_app_interface_vault_settings,
+    mock_cloudflare_accounts,
 ):
     # Mocking resources without namespaces
     mocked_resources = mocker.patch(
         "reconcile.terraform_cloudflare_resources.terraform_cloudflare_resources",
         autospec=True,
     )
     mocked_resources.query.return_value = TerraformCloudflareResourcesQueryData(
         namespaces=[],
     )
@@ -233,7 +318,11 @@ def test_namespace_validation(
 def test_cloudflare_namespace_validation(
-    mocker, caplog, mock_gql, mock_vault_secret, mock_cloudflare_accounts
+    mocker,
+    caplog,
+    mock_gql,
+    mock_app_interface_vault_settings,
+    mock_cloudflare_accounts,
 ):
     # Mocking resources without cloudflare namespaces
     mocked_resources = mocker.patch(
@@ -269,3 +358,50 @@ def test_cloudflare_namespace_validation(
     assert ["No cloudflare namespaces were detected, nothing to do."] == [
         rec.message for rec in caplog.records
     ]
+def custom_ssl_secret_reader_side_effect(*args):
+    """For use of secret_reader inside cloudflare client"""
+    if {
+        "path": "certificate/secret/cert/path",
+        "field": "certificate.crt",
+        "version": 1,
+        "q_format": "plain",
+    } == args[0]:
+        return "----- CERTIFICATE -----"
+    if {
+        "path": "certificate/secret/cert/path",
+        "field": "certificate.key",
+        "version": 1,
+        "q_format": "plain",
+    } == args[0]:
+        return "----- KEY -----"
+def test_terraform_cloudflare_resources_dry_run(
+    mocker,
+    mock_gql,
+    mock_create_secret_reader,
+    mock_terraform_client,
+    mock_app_interface_vault_settings,
+    mock_cloudflare_accounts,
+    mock_cloudflare_resources,
+):
+    # Mocking vault settings and secret reader inside cloudflare_client
+    mocker.patch(
+        "reconcile.utils.terrascript.cloudflare_resources.get_app_interface_vault_settings",
+        atospec=True,
+    )
+    secret_reader = mocker.Mock(SecretReaderBase)
+    secret_reader.read.side_effect = custom_ssl_secret_reader_side_effect
+    create_secret_reader = mocker.patch(
+        "reconcile.utils.terrascript.cloudflare_resources.create_secret_reader",
+        autospec=True,
+    )
+    create_secret_reader.return_value = secret_reader
+    with pytest.raises(SystemExit) as sample:
+        integ.run(True, None, False, 10)
+    assert sample.value.code == ExitCodes.SUCCESS
+    assert mock_terraform_client.called is True
+    assert call().apply() not in mock_terraform_client.method_calls

reconcile/utils/terrascript/cloudflare_resources.py CHANGED Viewed

@@ -16,6 +16,7 @@ from terrascript import (
 from terrascript.resource import (
     cloudflare_account_member,
     cloudflare_argo,
+    cloudflare_custom_ssl,
     cloudflare_logpull_retention,
     cloudflare_logpush_job,
     cloudflare_logpush_ownership_challenge,
@@ -186,6 +187,38 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
         return resources
+    def _create_cloudflare_custom_ssl_certificates(
+        self,
+        zone: Resource,
+        zone_custom_ssl: Iterable[MutableMapping[str, Any]],
+    ) -> list[Union[Resource, Output]]:
+        vault_settings = get_app_interface_vault_settings()
+        secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+        resources = []
+        for cert_values in zone_custom_ssl:
+            identifier = safe_resource_id(cert_values.pop("identifier"))
+            certificate_secret = cert_values.pop("certificate_secret")
+            certificate = secret_reader.read(certificate_secret.pop("certificate"))
+            key = secret_reader.read(certificate_secret.pop("key"))
+            custom_ssl_values: dict[Any, Any] = {
+                "zone_id": f"${{{zone.id}}}",
+                "depends_on": self._get_dependencies([zone]),
+                "custom_ssl_options": {
+                    "bundle_method": cert_values.pop("bundle_method", "ubiquitous"),
+                    "type": cert_values.pop("type"),
+                    "certificate": certificate,
+                    "private_key": key,
+                },
+            }
+            if cert_values.get("geo_restrictions", None):
+                custom_ssl_values["custom_ssl_options"]["geo_restrictions"] = (
+                    cert_values.get("geo_resrtictions")
+                )
+            custom_ssl = cloudflare_custom_ssl(identifier, **custom_ssl_values)
+            resources.append(custom_ssl)
+        return resources
     def populate(self) -> list[Union[Resource, Output]]:
         resources = []
@@ -202,6 +235,7 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
         zone_records = values.pop("records", [])
         zone_workers = values.pop("workers", [])
         zone_certs = values.pop("certificates", [])
+        zone_custom_ssl = values.pop("custom_ssl_certificates", [])
         zone_values = {
             "account_id": "${var.account_id}",
@@ -268,6 +302,11 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
         resources.extend(self._create_cloudflare_certificate_pack(zone, zone_certs))
+        if zone_custom_ssl:
+            resources.extend(
+                self._create_cloudflare_custom_ssl_certificates(zone, zone_custom_ssl)
+            )
         return resources

{qontract_reconcile-0.10.1rc471.dist-info → qontract_reconcile-0.10.1rc473.dist-info}/WHEEL RENAMED Viewed

File without changes

{qontract_reconcile-0.10.1rc471.dist-info → qontract_reconcile-0.10.1rc473.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{qontract_reconcile-0.10.1rc471.dist-info → qontract_reconcile-0.10.1rc473.dist-info}/top_level.txt RENAMED Viewed

File without changes

qontract-reconcile 0.10.1rc471__py3-none-any.whl → 0.10.1rc473__py3-none-any.whl

qontract-reconcile 0.10.1rc471py3-none-any.whl → 0.10.1rc473py3-none-any.whl