qontract-reconcile 0.10.1rc537__py3-none-any.whl → 0.10.1rc538__py3-none-any.whl

{qontract_reconcile-0.10.1rc537.dist-info → qontract_reconcile-0.10.1rc538.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc537
+Version: 0.10.1rc538
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc537.dist-info → qontract_reconcile-0.10.1rc538.dist-info}/RECORD

@@ -9,7 +9,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=ek511mirANFglUXz_lrnIjmHZ48ZDJOx-53OFf-fSO4,84491
+reconcile/cli.py,sha256=LFsNTM36MINQ_iDqIpXlJPrUcLUL7BUEE4GpPG2LmaQ,85546
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -111,7 +111,7 @@ reconcile/terraform_cloudflare_dns.py,sha256=auU4bzeLwd4S8D8oqpqJbrCUoEdELXrgi7v
 reconcile/terraform_cloudflare_resources.py,sha256=EbQQaoDnZ7brvRCpbFtwlD7KLk2hDVNcjhrJGaAywEk,15023
 reconcile/terraform_cloudflare_users.py,sha256=1EbTHwJgiPkJpMP-Ag340QNgGK3mXn3dcC3DpLakudM,13987
 reconcile/terraform_repo.py,sha256=c0GZFuY3rCm6VHjHqYbsgOHrEkRWKF_1LrMThsn2XDw,16127
-reconcile/terraform_resources.py,sha256=x5Do4xBBhjJdIVRi0Gy4h-ryCCZ6kU7bT_iB0_mGing,17105
+reconcile/terraform_resources.py,sha256=3-q0WyCzBbfgvfDjCEKGp09bNGgxtbzUs9jEeoLr6u4,19176
 reconcile/terraform_tgw_attachments.py,sha256=_g7QSHM03YZzTU7O189S4HYtUn7WmwOBq67G4AieU24,15298
 reconcile/terraform_users.py,sha256=kXRUxCUchKCP2dbXXOzctynqMii4oyCP6bYZHQTrlTg,10202
 reconcile/terraform_vpc_peerings.py,sha256=rnDH1u93OyzrBM8Hib0HwSnlxZtx4ScRQaZAcn3mx-k,25402
@@ -440,7 +440,7 @@ reconcile/test/test_terraform_cloudflare_dns.py,sha256=aQTXX8Vr4h9aWvJZTnpZEhMGY
 reconcile/test/test_terraform_cloudflare_resources.py,sha256=NK_uktyWihkQ3gMN4bCaKerpi43CXAVYGIKTfcz05rY,13550
 reconcile/test/test_terraform_cloudflare_users.py,sha256=RAFtMMdqZha3jNnNNsqbNQQUDSqUzdoM63rCw7fs4Fo,27456
 reconcile/test/test_terraform_repo.py,sha256=soKFJfF8tWIimDs39RQl3Hnh-Od-bR4PfnEA2s1UprM,11552
-reconcile/test/test_terraform_resources.py,sha256=1ny_QSFuRjV9jxZY8EeT4NVJ5dMv7cLrEEIx_cBpjgk,9075
+reconcile/test/test_terraform_resources.py,sha256=O8kCYxGKqILbbCP86eJ3ESjatdPa1m3wQYXxrVfc_eo,15082
 reconcile/test/test_terraform_tgw_attachments.py,sha256=cAq6exc-K-jtLla1CZUZQzVnBkyDnIlL7jybnddhLKc,36861
 reconcile/test/test_terraform_users.py,sha256=Xn4y6EcxnNQb6XcPoOhz_Ikxmh9Nrsu88OM1scN9hzY,5434
 reconcile/test/test_terraform_vpc_peerings.py,sha256=ubcsKh0TrUIwuI1-W3ETIgzsFvzAyeoFmEJFC-IK6JY,20538
@@ -524,13 +524,14 @@ reconcile/utils/defer.py,sha256=SniUsbgOEs9Pa8JkecLu0F94O63yQPByKXaElDYe0FI,377
 reconcile/utils/differ.py,sha256=kJmUp9ZffFPSUEviaAw3s9c92ErwRJeHaRexGPai7wA,7643
 reconcile/utils/disabled_integrations.py,sha256=avdDsFyl_LdTsrPVzlcIhWzT_V4C4MXw1ZC__aOtluE,1126
 reconcile/utils/dnsutils.py,sha256=VX4gDQXpiMYVuT0pvNbzzSgfqmsWOM2qtjNQHUyIYF8,370
-reconcile/utils/early_exit_cache.py,sha256=EOZK-Z3w9SXooa42p-mwCa6LbIxZFJ7qWlyUcXsus7w,2344
+reconcile/utils/early_exit_cache.py,sha256=2uaiYIILA64D8mqqPj-GSvVBa80bN5XQRKz9x33iIpc,2304
 reconcile/utils/elasticsearch_exceptions.py,sha256=UY5Z3y2hw7T73sPJ6dHmUybegiIophrKFdTfdsOa6UY,379
 reconcile/utils/environ.py,sha256=VnW3zp6Un_UJn5BU4FU8RfhuqtZp0s-VeuuHnqC_WcQ,515
 reconcile/utils/exceptions.py,sha256=DwfnWUpVOotpP79RWZ2pycmG6nKCL00RBIeZLYkQPW4,635
 reconcile/utils/expiration.py,sha256=BXwKE50sNIV-Lszke97fxitNkLxYszoOLW1LBgp_yqg,1246
+reconcile/utils/extended_early_exit.py,sha256=gLWRtgzRB584iX4pVfGjfZxbIDd_AQPYu8MkQkReA3U,5688
 reconcile/utils/external_resource_spec.py,sha256=OGPKH3IKXgJszRTgE5U_QKgU-s4BHQnx97Lj-Krz46k,6655
-reconcile/utils/external_resources.py,sha256=eF9Wup8zbLWx56WoA0FlqguT6BRXRYgoyN3cbmpT_Dk,7443
+reconcile/utils/external_resources.py,sha256=a2CkJ3KLociYBnc_9F2VWfZGWMhzDl6fDNhwo2U-MWU,7501
 reconcile/utils/filtering.py,sha256=zZnHH0u0SaTDyzuFXZ_mREURGLvjEqQIQy4z-7QBVlc,419
 reconcile/utils/git.py,sha256=Qad7mfPuS9s7eKODeWSewehwSGgJPCbQuLda1qg_6GA,1522
 reconcile/utils/git_secrets.py,sha256=0wGNL5mvDtVPRuu3vEQgld1Am64gIDJHtmu1_ZKxMAI,1973
@@ -553,7 +554,7 @@ reconcile/utils/keycloak.py,sha256=UqOsAcHKmmIunroWB5YzC1fUZ3S3aq6L7trn6vLRmXY,3
 reconcile/utils/ldap_client.py,sha256=ho4veSrHqQWs0YhLFyKeD-duCwY8Nc5gUIA5qLENuMY,2502
 reconcile/utils/lean_terraform_client.py,sha256=zReyNPJbr2uOdrdh8Qfe-OZQBoRwxb5Za_ddeoUCYVk,4064
 reconcile/utils/make.py,sha256=QaEwucrzbl8-VHS66Wfdjfo0ubmAcvt_hZGpiGsKU50,231
-reconcile/utils/metrics.py,sha256=r93j_9WmsR4jC9uqgGrkzk9gycolhZhbsomHcpmJv8g,18297
+reconcile/utils/metrics.py,sha256=7nXdctmZ0UtGMHPpS3V55sfH4xpMPqdYaJ3JKAUc_sM,18474
 reconcile/utils/models.py,sha256=R3wF68yiaT0H2sQVMmHhHSTGI3JKKYEVjoizhHkySn8,4533
 reconcile/utils/oc.py,sha256=iAoM7zSm72zBOmCNW19ttAvm76tUgS26vlpb8SvVYwU,64058
 reconcile/utils/oc_connection_parameters.py,sha256=85slrnDigYwYmzhyceVkMElWzFArp4ge1d-fHXVqh0w,9729
@@ -580,8 +581,8 @@ reconcile/utils/sqs_gateway.py,sha256=gFl9DM4DmGnptuxTOe4lS3YTyE80eSAvK42ljS8h4d
 reconcile/utils/state.py,sha256=SAa6QLHu9lr0yqLCBy2AypNx1IPCJWlrRBrvlzAKsOU,14505
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
-reconcile/utils/terraform_client.py,sha256=V7AMQOEU4tvUOT-LQN2cXLqcphD5L93PMGMfurQQyPY,31753
-reconcile/utils/terrascript_aws_client.py,sha256=wA6AcAqbS2tIuqh8soMfpdpuf0IbAJWjONMmffJ-0vA,265467
+reconcile/utils/terraform_client.py,sha256=_jBriLBwU005bDxWlq7CRByOkVCfiH47oBzB0ArNAY8,31901
+reconcile/utils/terrascript_aws_client.py,sha256=Ht2akaR4bRERLoyN_Zh2JBbN1-p-ofXICqW-oXzGcFk,265789
 reconcile/utils/three_way_diff_strategy.py,sha256=nyqeQsLCoPI6e16k2CF3b9KNgQLU-rPf5RtfdUfVMwE,4468
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/unleash.py,sha256=1D56CsZfE3ShDtN3IErE1T2eeIwNmxhK-yYbCotJ99E,3601
@@ -657,7 +658,7 @@ tools/app_interface_metrics_exporter.py,sha256=zkwkxdAUAxjdc-pzx2_oJXG25fo0Fnyd5
 tools/app_interface_reporter.py,sha256=upA-J-n-HXHKVDINRuMR7vTt-iJvQORKUVi9D3leQto,17738
 tools/glitchtip_access_reporter.py,sha256=oPBnk_YoDuljU3v0FaChzOwwnk4vap1xEE67QEjzdqs,2948
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=bw7JVS9zaob2hvb-0MkGovTEK5HnxAy5ms-MEAU9WQU,103543
+tools/qontract_cli.py,sha256=mN5oXM_lmFmCGwoGU77qqO8nzlfKnNGlP6y-ILFyHIQ,103423
 tools/sd_app_sre_alert_report.py,sha256=e9vAdyenUz2f5c8-z-5WY0wv-SJ9aePKDH2r4IwB6pc,5063
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tools/cli_commands/gpg_encrypt.py,sha256=w8hl4jIEWk5wKbEFN6fVEOwUJGmdlvOqYodW3XSN7mU,4978
@@ -665,11 +666,11 @@ tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOy
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
 tools/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvftCWEEf-g1mfXOtgCog-g,1271
-tools/test/test_qontract_cli.py,sha256=d18KrdhtUGqoC7_kWZU128U0-VJEj-0rjFkLVufcI6I,2755
+tools/test/test_qontract_cli.py,sha256=se-YG_YVCWRFrnCPvBVHDBT_59CkbIoEni-4SJa8_MU,2755
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc537.dist-info/METADATA,sha256=dGXxQQQzpUMW_Kyo_ktrTXrUVvKSJ9GMS7SG5jKdMoo,2349
-qontract_reconcile-0.10.1rc537.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc537.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc537.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc537.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc538.dist-info/METADATA,sha256=TkmlNiYqcISDkpP1_R0KR4m709lpVpeeJUAkfjVEFVc,2349
+qontract_reconcile-0.10.1rc538.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc538.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc538.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc538.dist-info/RECORD,,

reconcile/cli.py

@@ -507,6 +507,30 @@ def trigger_integration(function):
     return function
 
 
+def enable_extended_early_exit(function):
+    return click.option(
+        "--enable-extended-early-exit/--no-enable-extended-early-exit",
+        default=False,
+        help="enable extended early exit.",
+    )(function)
+
+
+def extended_early_exit_cache_ttl_seconds(function):
+    return click.option(
+        "--extended-early-exit-cache-ttl-seconds",
+        default=3600,
+        help="TTL of extended early exit cache in seconds.",
+    )(function)
+
+
+def log_cached_log_output(function):
+    return click.option(
+        "--log-cached-log-output/--no-log-cached-log-output",
+        default=False,
+        help="log the cached log output.",
+    )(function)
+
+
 def register_faulthandler(fileobj=sys.__stderr__):
     if fileobj:
         if not faulthandler.is_enabled():
@@ -1738,6 +1762,9 @@ def terraform_repo(ctx, output_file, gitlab_project_id, gitlab_merge_request_id)
 @enable_deletion(default=False)
 @account_name_multiple
 @exclude_aws_accounts
+@enable_extended_early_exit
+@extended_early_exit_cache_ttl_seconds
+@log_cached_log_output
 @click.option(
     "--light/--full",
     default=False,
@@ -1755,6 +1782,9 @@ def terraform_resources(
     vault_output_path,
     account_name,
     exclude_accounts,
+    enable_extended_early_exit,
+    extended_early_exit_cache_ttl_seconds,
+    log_cached_log_output,
 ):
     import reconcile.terraform_resources
 
@@ -1772,6 +1802,9 @@ def terraform_resources(
         vault_output_path,
         account_name=account_name,
         exclude_accounts=exclude_accounts,
+        enable_extended_early_exit=enable_extended_early_exit,
+        extended_early_exit_cache_ttl_seconds=extended_early_exit_cache_ttl_seconds,
+        log_cached_log_output=log_cached_log_output,
     )
 
 

reconcile/terraform_resources.py

@@ -1,6 +1,4 @@
 import logging
-import shutil
-import sys
 from collections.abc import (
     Callable,
     Iterable,
@@ -11,6 +9,7 @@ from typing import (
     Collection,
     Optional,
     Sequence,
+    TypedDict,
     cast,
 )
 
@@ -33,6 +32,10 @@ from reconcile.typed_queries.terraform_namespaces import get_namespaces
 from reconcile.utils import gql
 from reconcile.utils.aws_api import AWSApi
 from reconcile.utils.defer import defer
+from reconcile.utils.extended_early_exit import (
+    ExtendedEarlyExitRunnerResult,
+    extended_early_exit_run,
+)
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
     ExternalResourceSpecInventory,
@@ -52,10 +55,12 @@ from reconcile.utils.ocm import OCMMap
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
 from reconcile.utils.openshift_resource import ResourceInventory
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
-from reconcile.utils.secret_reader import create_secret_reader
+from reconcile.utils.secret_reader import SecretReaderBase, create_secret_reader
 from reconcile.utils.semver_helper import make_semver
 from reconcile.utils.terraform_client import TerraformClient as Terraform
+from reconcile.utils.terrascript_aws_client import TerrascriptClient
 from reconcile.utils.terrascript_aws_client import TerrascriptClient as Terrascript
+from reconcile.utils.unleash import get_feature_toggle_state
 from reconcile.utils.vault import (
     VaultClient,
     _VaultClient,
@@ -117,18 +122,14 @@ def populate_oc_resources(
 
 
 def fetch_current_state(
-    dry_run: bool,
     namespaces: Iterable[NamespaceV1],
     thread_pool_size: int,
     internal: Optional[bool],
     use_jump_host: bool,
     account_names: Optional[Iterable[str]],
-) -> tuple[ResourceInventory, Optional[OCMap]]:
+    secret_reader: SecretReaderBase,
+) -> tuple[ResourceInventory, OCMap]:
     ri = ResourceInventory()
-    if dry_run:
-        return ri, None
-    vault_settings = get_app_interface_vault_settings()
-    secret_reader = create_secret_reader(use_vault=vault_settings.vault)
     oc_map = init_oc_map_from_namespaces(
         namespaces=namespaces,
         integration=QONTRACT_INTEGRATION,
@@ -172,64 +173,74 @@ def init_working_dirs(
 
 
 def filter_accounts_by_name(
-    accounts: Iterable[Mapping[str, Any]], filter: Iterable[str]
-) -> Collection[Mapping[str, Any]]:
-    return [ac for ac in accounts if ac["name"] in filter]
+    accounts: Iterable[dict[str, Any]], names: Iterable[str]
+) -> list[dict[str, Any]]:
+    return [ac for ac in accounts if ac["name"] in names]
 
 
 def exclude_accounts_by_name(
-    accounts: Iterable[Mapping[str, Any]], filter: Iterable[str]
-) -> Collection[Mapping[str, Any]]:
-    return [ac for ac in accounts if ac["name"] not in filter]
+    accounts: Iterable[dict[str, Any]], names: Iterable[str]
+) -> list[dict[str, Any]]:
+    return [ac for ac in accounts if ac["name"] not in names]
 
 
 def validate_account_names(
     accounts: Collection[Mapping[str, Any]], names: Collection[str]
 ) -> None:
-    if len(accounts) != len(names):
-        missing_names = set(names) - {a["name"] for a in accounts}
+    if missing_names := set(names) - {a["name"] for a in accounts}:
         raise ValueError(
             f"Accounts {missing_names} were provided as arguments, but not found in app-interface. Check your input for typos or for missing AWS account definitions."
         )
 
 
-def setup(
+def get_aws_accounts(
     dry_run: bool,
-    print_to_file: Optional[str],
-    thread_pool_size: int,
-    internal: Optional[bool],
-    use_jump_host: bool,
     include_accounts: Optional[Collection[str]],
     exclude_accounts: Optional[Collection[str]],
-) -> tuple[
-    ResourceInventory, Optional[OCMap], Terraform, ExternalResourceSpecInventory
-]:
+) -> list[dict[str, Any]]:
+    if exclude_accounts and not dry_run:
+        message = "--exclude-accounts is only supported in dry-run mode"
+        logging.error(message)
+        raise ExcludeAccountsAndDryRunException(message)
+
+    if exclude_accounts and include_accounts:
+        message = "Using --exclude-accounts and --account-name at the same time is not allowed"
+        logging.error(message)
+        raise ExcludeAccountsAndAccountNameException(message)
+
+    # If we are not running in dry run we don't want to run with more than one account
+    if include_accounts and len(include_accounts) > 1 and not dry_run:
+        message = "Running with multiple accounts is only supported in dry-run mode"
+        logging.error(message)
+        raise MultipleAccountNamesInDryRunException(message)
+
     accounts = queries.get_aws_accounts(terraform_state=True)
-    if not include_accounts and exclude_accounts:
-        excluding = filter_accounts_by_name(accounts, exclude_accounts)
-        validate_account_names(excluding, exclude_accounts)
-        accounts = exclude_accounts_by_name(accounts, exclude_accounts)
-        if len(accounts) == 0:
+
+    if exclude_accounts:
+        validate_account_names(accounts, exclude_accounts)
+        filtered_accounts = exclude_accounts_by_name(accounts, exclude_accounts)
+        if not filtered_accounts:
             raise ValueError("You have excluded all aws accounts, verify your input")
-        account_names = tuple(ac["name"] for ac in accounts)
-    elif include_accounts:
-        accounts = filter_accounts_by_name(accounts, include_accounts)
+        return filtered_accounts
+
+    if include_accounts:
         validate_account_names(accounts, include_accounts)
-    account_names = tuple(a["name"] for a in accounts)
-    settings = queries.get_app_interface_settings()
+        return filter_accounts_by_name(accounts, include_accounts)
 
-    # build a resource inventory for all the kube secrets managed by the
-    # app-interface managed terraform resources
-    tf_namespaces = get_tf_namespaces(account_names)
-    if not tf_namespaces:
-        logging.warning(
-            "No terraform namespaces found, consider disabling this integration, account names: "
-            f"{', '.join(account_names)}"
-        )
-    ri, oc_map = fetch_current_state(
-        dry_run, tf_namespaces, thread_pool_size, internal, use_jump_host, account_names
-    )
+    return accounts
+
+
+def setup(
+    accounts: list[dict[str, Any]],
+    account_names: set[str],
+    tf_namespaces: list[NamespaceV1],
+    print_to_file: Optional[str],
+    thread_pool_size: int,
+) -> tuple[Terraform, TerrascriptClient, SecretReaderBase]:
+    vault_settings = get_app_interface_vault_settings()
+    secret_reader = create_secret_reader(use_vault=vault_settings.vault)
 
+    settings = queries.get_app_interface_settings()
     # initialize terrascript (scripting engine to generate terraform manifests)
     ts, working_dirs = init_working_dirs(accounts, thread_pool_size, settings=settings)
 
@@ -260,7 +271,7 @@ def setup(
     ts.populate_resources(ocm_map=ocm_map)
     ts.dump(print_to_file, existing_dirs=working_dirs)
 
-    return ri, oc_map, tf, ts.resource_spec_inventory
+    return tf, ts, secret_reader
 
 
 def filter_tf_namespaces(
@@ -290,21 +301,6 @@ def filter_tf_namespaces(
     return tf_namespaces
 
 
-def cleanup_and_exit(
-    tf: Optional[Terraform] = None,
-    status: bool = False,
-    working_dirs: Optional[Mapping[str, str]] = None,
-) -> None:
-    if working_dirs is None:
-        working_dirs = {}
-    if tf is None:
-        for wd in working_dirs.values():
-            shutil.rmtree(wd)
-    else:
-        tf.cleanup()
-    sys.exit(status)
-
-
 @retry()
 def write_outputs_to_vault(
     vault_path: str, resource_specs: ExternalResourceSpecInventory
@@ -366,65 +362,125 @@ def run(
     vault_output_path: str = "",
     account_name: Optional[Sequence[str]] = None,
     exclude_accounts: Optional[Sequence[str]] = None,
+    enable_extended_early_exit: bool = False,
+    extended_early_exit_cache_ttl_seconds: int = 3600,
+    log_cached_log_output: bool = False,
     defer: Optional[Callable] = None,
 ) -> None:
-    if exclude_accounts and not dry_run:
-        message = "--exclude-accounts is only supported in dry-run mode"
-        logging.error(message)
-        raise ExcludeAccountsAndDryRunException(message)
-
-    if exclude_accounts and account_name:
-        message = "Using --exclude-accounts and --account-name at the same time is not allowed"
-        logging.error(message)
-        raise ExcludeAccountsAndAccountNameException(message)
-
     # account_name is a tuple of account names for more detail go to
     # https://click.palletsprojects.com/en/8.1.x/options/#multiple-options
-    account_names = account_name
-
-    # acc_name will prevent type error since account_name is not a str
-    acc_name: Optional[str] = account_names[0] if account_names else None
-
-    # If we are not running in dry run we don't want to run with more than one account
-    if account_names and len(account_names) > 1 and not dry_run:
-        message = "Running with multiple accounts is only supported in dry-run mode"
-        logging.error(message)
-        raise MultipleAccountNamesInDryRunException(message)
+    accounts = get_aws_accounts(dry_run, account_name, exclude_accounts)
+    account_names = {a["name"] for a in accounts}
+    tf_namespaces = get_tf_namespaces(account_names)
+    if not tf_namespaces:
+        logging.warning(
+            "No terraform namespaces found, consider disabling this integration, account names: "
+            f"{', '.join(account_names)}"
+        )
 
-    ri, oc_map, tf, resource_specs = setup(
-        dry_run,
+    tf, ts, secret_reader = setup(
+        accounts,
+        account_names,
+        tf_namespaces,
         print_to_file,
         thread_pool_size,
-        internal,
-        use_jump_host,
-        account_names,
-        exclude_accounts,
     )
-    publish_metrics(resource_specs, QONTRACT_INTEGRATION)
+    if defer:
+        defer(tf.cleanup)
 
-    if not dry_run and oc_map and defer:
-        defer(oc_map.cleanup)
+    publish_metrics(ts.resource_spec_inventory, QONTRACT_INTEGRATION)
 
     if print_to_file:
-        cleanup_and_exit(tf)
-    if tf is None:
-        err = True
-        cleanup_and_exit(tf, err)
+        return
+
+    runner_params: RunnerParams = dict(
+        accounts=accounts,
+        account_names=account_names,
+        tf_namespaces=tf_namespaces,
+        tf=tf,
+        ts=ts,
+        secret_reader=secret_reader,
+        dry_run=dry_run,
+        enable_deletion=enable_deletion,
+        thread_pool_size=thread_pool_size,
+        internal=internal,
+        use_jump_host=use_jump_host,
+        light=light,
+        vault_output_path=vault_output_path,
+        defer=defer,
+    )
 
+    if enable_extended_early_exit and get_feature_toggle_state(
+        "terraform-resources-extended-early-exit",
+        default=False,
+    ):
+        extended_early_exit_run(
+            integration=QONTRACT_INTEGRATION,
+            integration_version=QONTRACT_INTEGRATION_VERSION,
+            dry_run=dry_run,
+            cache_source=ts.terraform_configurations(),
+            ttl_seconds=extended_early_exit_cache_ttl_seconds,
+            logger=logging.getLogger(),
+            runner=runner,
+            runner_params=runner_params,
+            secret_reader=secret_reader,
+            log_cached_log_output=log_cached_log_output,
+        )
+    else:
+        runner(**runner_params)
+
+
+class RunnerParams(TypedDict):
+    accounts: list[dict[str, Any]]
+    account_names: set[str]
+    tf_namespaces: list[NamespaceV1]
+    tf: Terraform
+    ts: Terrascript
+    secret_reader: SecretReaderBase
+    dry_run: bool
+    enable_deletion: bool
+    thread_pool_size: int
+    internal: Optional[bool]
+    use_jump_host: bool
+    light: bool
+    vault_output_path: str
+    defer: Optional[Callable]
+
+
+def runner(
+    accounts: list[dict[str, Any]],
+    account_names: set[str],
+    tf_namespaces: list[NamespaceV1],
+    tf: Terraform,
+    ts: Terrascript,
+    secret_reader: SecretReaderBase,
+    dry_run: bool,
+    enable_deletion: bool = False,
+    thread_pool_size: int = 10,
+    internal: Optional[bool] = None,
+    use_jump_host: bool = True,
+    light: bool = False,
+    vault_output_path: str = "",
+    defer: Optional[Callable] = None,
+) -> ExtendedEarlyExitRunnerResult:
     if not light:
         disabled_deletions_detected, err = tf.plan(enable_deletion)
         if err:
-            cleanup_and_exit(tf, err)
+            raise RuntimeError("Terraform plan has errors")
         if disabled_deletions_detected:
-            cleanup_and_exit(tf, disabled_deletions_detected)
+            raise RuntimeError("Terraform plan has disabled deletions detected")
 
     if dry_run:
-        cleanup_and_exit(tf)
+        return ExtendedEarlyExitRunnerResult(
+            payload=ts.terraform_configurations(),
+            applied_count=0,
+        )
 
-    if not light and tf.should_apply:
+    acc_name = accounts[0]["name"] if accounts else None
+    if not light and tf.should_apply():
         err = tf.apply()
         if err:
-            cleanup_and_exit(tf, err)
+            raise RuntimeError("Terraform apply has errors")
 
         if defer:
             defer(
@@ -437,26 +493,41 @@ def run(
 
     # refresh output data after terraform apply
     tf.populate_terraform_output_secrets(
-        resource_specs=resource_specs, init_rds_replica_source=True
+        resource_specs=ts.resource_spec_inventory, init_rds_replica_source=True
     )
+
+    ri, oc_map = fetch_current_state(
+        tf_namespaces,
+        thread_pool_size,
+        internal,
+        use_jump_host,
+        account_names,
+        secret_reader=secret_reader,
+    )
+    if defer:
+        defer(oc_map.cleanup)
     # populate the resource inventory with latest output data
-    populate_desired_state(ri, resource_specs)
+    populate_desired_state(ri, ts.resource_spec_inventory)
 
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
-    actions = []
-    if oc_map:
-        actions = ob.realize_data(
-            dry_run, oc_map, ri, thread_pool_size, caller=acc_name
-        )
+    actions = ob.realize_data(
+        dry_run,
+        oc_map,
+        ri,
+        thread_pool_size,
+        caller=acc_name,
+    )
 
     if actions and vault_output_path:
-        write_outputs_to_vault(vault_output_path, resource_specs)
+        write_outputs_to_vault(vault_output_path, ts.resource_spec_inventory)
 
     if ri.has_error_registered():
-        err = True
-        cleanup_and_exit(tf, err)
+        raise RuntimeError("Resource inventory has errors registered")
 
-    cleanup_and_exit(tf)
+    return ExtendedEarlyExitRunnerResult(
+        payload=ts.terraform_configurations(),
+        applied_count=tf.apply_count + len(actions),
+    )
 
 
 def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:

reconcile/test/test_terraform_resources.py

@@ -4,6 +4,7 @@ from collections.abc import (
     Mapping,
 )
 from typing import Any
+from unittest.mock import MagicMock, create_autospec
 
 import pytest
 from pytest_mock import MockerFixture
@@ -12,6 +13,7 @@ import reconcile.terraform_resources as integ
 from reconcile.gql_definitions.terraform_resources.terraform_resources_namespaces import (
     NamespaceV1,
 )
+from reconcile.utils.secret_reader import SecretReaderBase
 
 
 def test_cannot_use_exclude_accounts_if_not_dry_run():
@@ -71,7 +73,7 @@ def test_cannot_pass_two_aws_account_if_not_dry_run():
 def test_filter_accounts_by_name():
     accounts = [{"name": "a"}, {"name": "b"}, {"name": "c"}]
 
-    filtered = integ.filter_accounts_by_name(accounts, filter=("a", "b"))
+    filtered = integ.filter_accounts_by_name(accounts, names=("a", "b"))
 
     assert filtered == [{"name": "a"}, {"name": "b"}]
 
@@ -79,7 +81,7 @@ def test_filter_accounts_by_name():
 def test_exclude_accounts_by_name():
     accounts = [{"name": "a"}, {"name": "b"}, {"name": "c"}]
 
-    filtered = integ.exclude_accounts_by_name(accounts, filter=("a", "b"))
+    filtered = integ.exclude_accounts_by_name(accounts, names=("a", "b"))
 
     assert filtered == [{"name": "c"}]
 
@@ -258,27 +260,255 @@ def test_filter_tf_namespaces_namespace_deleted(gql_class_factory: Callable):
     assert filtered == [ns2]
 
 
-def test_empty_run(mocker: MockerFixture) -> None:
+def setup_mocks(
+    mocker: MockerFixture,
+    secret_reader: SecretReaderBase,
+    aws_accounts: list[dict[str, Any]],
+    tf_namespaces: list[NamespaceV1],
+    feature_toggle_state: bool = True,
+) -> dict[str, Any]:
     mocked_queries = mocker.patch("reconcile.terraform_resources.queries")
-    mocked_queries.get_aws_accounts.return_value = [{"name": "a"}]
+    mocked_queries.get_aws_accounts.return_value = aws_accounts
     mocked_queries.get_app_interface_settings.return_value = []
 
-    mocker.patch("reconcile.terraform_resources.get_namespaces").return_value = []
+    mocker.patch(
+        "reconcile.terraform_resources.get_namespaces"
+    ).return_value = tf_namespaces
 
-    mocked_ts = mocker.patch("reconcile.terraform_resources.Terrascript", autospec=True)
-    mocked_ts.return_value.resource_spec_inventory = {}
+    mocked_ts = mocker.patch(
+        "reconcile.terraform_resources.Terrascript", autospec=True
+    ).return_value
+    mocked_ts.resource_spec_inventory = {}
 
-    mocked_tf = mocker.patch("reconcile.terraform_resources.Terraform", autospec=True)
-    mocked_tf.return_value.plan.return_value = (False, None)
-    mocked_tf.return_value.should_apply = False
+    mocked_tf = mocker.patch(
+        "reconcile.terraform_resources.Terraform", autospec=True
+    ).return_value
+    mocked_tf.plan.return_value = (False, None)
+    mocked_tf.should_apply.return_value = False
 
     mocker.patch("reconcile.terraform_resources.AWSApi", autospec=True)
-    mocker.patch("reconcile.terraform_resources.sys")
 
     mocked_logging = mocker.patch("reconcile.terraform_resources.logging")
 
+    mocker.patch("reconcile.terraform_resources.get_app_interface_vault_settings")
+
+    mocker.patch(
+        "reconcile.terraform_resources.create_secret_reader",
+        return_value=secret_reader,
+    )
+
+    mock_extended_early_exit_run = mocker.patch(
+        "reconcile.terraform_resources.extended_early_exit_run"
+    )
+
+    get_feature_toggle_state = mocker.patch(
+        "reconcile.terraform_resources.get_feature_toggle_state",
+        return_value=feature_toggle_state,
+    )
+
+    return {
+        "queries": mocked_queries,
+        "ts": mocked_ts,
+        "tf": mocked_tf,
+        "logging": mocked_logging,
+        "extended_early_exit_run": mock_extended_early_exit_run,
+        "get_feature_toggle_state": get_feature_toggle_state,
+    }
+
+
+def test_empty_run(
+    mocker: MockerFixture,
+    secret_reader: SecretReaderBase,
+) -> None:
+    mocks = setup_mocks(
+        mocker,
+        secret_reader,
+        aws_accounts=[{"name": "a"}],
+        tf_namespaces=[],
+    )
+
     integ.run(True, account_name="a")
 
-    mocked_logging.warning.assert_called_once_with(
+    mocks["logging"].warning.assert_called_once_with(
         "No terraform namespaces found, consider disabling this integration, account names: a"
     )
+
+
+def test_run_with_extended_early_exit_run_enabled(
+    mocker: MockerFixture,
+    secret_reader: SecretReaderBase,
+) -> None:
+    mocks = setup_mocks(
+        mocker,
+        secret_reader,
+        aws_accounts=[{"name": "a"}],
+        tf_namespaces=[],
+    )
+    defer = MagicMock()
+    expected_runner_params = integ.RunnerParams(
+        accounts=[{"name": "a"}],
+        account_names={"a"},
+        tf_namespaces=[],
+        tf=mocks["tf"],
+        ts=mocks["ts"],
+        secret_reader=secret_reader,
+        dry_run=True,
+        enable_deletion=False,
+        thread_pool_size=10,
+        internal=None,
+        use_jump_host=True,
+        light=False,
+        vault_output_path="",
+        defer=defer,
+    )
+
+    integ.run.__wrapped__(
+        True,
+        account_name="a",
+        enable_extended_early_exit=True,
+        extended_early_exit_cache_ttl_seconds=60,
+        log_cached_log_output=True,
+        defer=defer,
+    )
+
+    mocks["extended_early_exit_run"].assert_called_once_with(
+        integration=integ.QONTRACT_INTEGRATION,
+        integration_version=integ.QONTRACT_INTEGRATION_VERSION,
+        dry_run=True,
+        cache_source=mocks["ts"].terraform_configurations.return_value,
+        ttl_seconds=60,
+        logger=mocks["logging"].getLogger.return_value,
+        runner=integ.runner,
+        runner_params=expected_runner_params,
+        secret_reader=secret_reader,
+        log_cached_log_output=True,
+    )
+
+
+def test_run_with_extended_early_exit_run_disabled(
+    mocker: MockerFixture,
+    secret_reader: SecretReaderBase,
+) -> None:
+    mocks = setup_mocks(
+        mocker,
+        secret_reader,
+        aws_accounts=[{"name": "a"}],
+        tf_namespaces=[],
+    )
+
+    integ.run(
+        True,
+        account_name="a",
+        enable_extended_early_exit=False,
+    )
+
+    mocks["extended_early_exit_run"].assert_not_called()
+    mocks["tf"].plan.assert_called_once_with(False)
+
+
+def test_run_with_extended_early_exit_run_feature_disabled(
+    mocker: MockerFixture,
+    secret_reader: SecretReaderBase,
+) -> None:
+    mocks = setup_mocks(
+        mocker,
+        secret_reader,
+        aws_accounts=[{"name": "a"}],
+        tf_namespaces=[],
+        feature_toggle_state=False,
+    )
+
+    integ.run(
+        True,
+        account_name="a",
+        enable_extended_early_exit=True,
+    )
+
+    mocks["extended_early_exit_run"].assert_not_called()
+    mocks["tf"].plan.assert_called_once_with(False)
+    mocks["get_feature_toggle_state"].assert_called_once_with(
+        "terraform-resources-extended-early-exit",
+        default=False,
+    )
+
+
+def test_terraform_resources_runner_dry_run(
+    secret_reader: SecretReaderBase,
+) -> None:
+    tf = create_autospec(integ.Terraform)
+    tf.plan.return_value = (False, None)
+
+    ts = create_autospec(integ.Terrascript)
+    terraform_configurations = {"a": "b"}
+    ts.terraform_configurations.return_value = terraform_configurations
+
+    defer = MagicMock()
+
+    runner_params = dict(
+        accounts=[{"name": "a"}],
+        account_names={"a"},
+        tf_namespaces=[],
+        tf=tf,
+        ts=ts,
+        secret_reader=secret_reader,
+        dry_run=True,
+        enable_deletion=False,
+        thread_pool_size=10,
+        internal=None,
+        use_jump_host=True,
+        light=False,
+        vault_output_path="",
+        defer=defer,
+    )
+
+    result = integ.runner(**runner_params)
+
+    assert result == integ.ExtendedEarlyExitRunnerResult(
+        payload=terraform_configurations,
+        applied_count=0,
+    )
+
+
+def test_terraform_resources_runner_no_dry_run(
+    mocker: MockerFixture,
+    secret_reader: SecretReaderBase,
+) -> None:
+    tf = create_autospec(integ.Terraform)
+    tf.plan.return_value = (False, None)
+    tf.apply_count = 1
+    tf.should_apply.return_value = True
+    tf.apply.return_value = False
+
+    ts = create_autospec(integ.Terrascript)
+    terraform_configurations = {"a": "b"}
+    ts.terraform_configurations.return_value = terraform_configurations
+    ts.resource_spec_inventory = {}
+
+    defer = MagicMock()
+
+    mocked_ob = mocker.patch("reconcile.terraform_resources.ob")
+    mocked_ob.realize_data.return_value = [{"action": "applied"}]
+
+    runner_params = dict(
+        accounts=[{"name": "a"}],
+        account_names={"a"},
+        tf_namespaces=[],
+        tf=tf,
+        ts=ts,
+        secret_reader=secret_reader,
+        dry_run=False,
+        enable_deletion=False,
+        thread_pool_size=10,
+        internal=None,
+        use_jump_host=True,
+        light=False,
+        vault_output_path="",
+        defer=defer,
+    )
+
+    result = integ.runner(**runner_params)
+
+    assert result == integ.ExtendedEarlyExitRunnerResult(
+        payload=terraform_configurations,
+        applied_count=2,
+    )

reconcile/utils/early_exit_cache.py

@@ -1,6 +1,6 @@
 from datetime import UTC, datetime, timedelta
 from enum import Enum
-from typing import Any, Optional, Self
+from typing import Any, Self
 
 from deepdiff import DeepHash
 from pydantic import BaseModel
@@ -16,19 +16,19 @@ class CacheKey(BaseModel):
     integration: str
     integration_version: str
     dry_run: bool
-    cache_desired_state: object
+    cache_source: object
 
     def __str__(self) -> str:
         return "/".join([
             self.integration,
             self.integration_version,
             "dry-run" if self.dry_run else "no-dry-run",
-            DeepHash(self.cache_desired_state)[self.cache_desired_state],
+            DeepHash(self.cache_source)[self.cache_source],
         ])
 
 
 class CacheValue(BaseModel):
-    desired_state: object
+    payload: object
     log_output: str
     applied_count: int
 
@@ -46,7 +46,7 @@ class EarlyExitCache:
     @classmethod
     def build(
         cls,
-        secret_reader: Optional[SecretReaderBase] = None,
+        secret_reader: SecretReaderBase | None = None,
     ) -> Self:
         state = init_state(STATE_INTEGRATION, secret_reader)
         return cls(state)

reconcile/utils/extended_early_exit.py

@@ -0,0 +1,177 @@
+import logging
+from collections.abc import Callable, Generator, Mapping
+from contextlib import contextmanager
+from io import StringIO
+from logging import Logger
+
+from pydantic import BaseModel
+
+from reconcile.utils.early_exit_cache import (
+    CacheKey,
+    CacheStatus,
+    CacheValue,
+    EarlyExitCache,
+)
+from reconcile.utils.metrics import (
+    CounterMetric,
+    GaugeMetric,
+    inc_counter,
+    normalize_integration_name,
+    set_gauge,
+)
+from reconcile.utils.secret_reader import SecretReaderBase
+
+
+class ExtendedEarlyExitRunnerResult(BaseModel):
+    payload: object
+    applied_count: int
+
+
+class ExtendedEarlyExitBaseMetric(BaseModel):
+    integration: str
+    integration_version: str
+    dry_run: bool
+    cache_status: str
+
+
+class ExtendedEarlyExitCounter(ExtendedEarlyExitBaseMetric, CounterMetric):
+    @classmethod
+    def name(cls) -> str:
+        return "qontract_reconcile_extended_early_exit"
+
+
+class ExtendedEarlyExitAppliedCountGauge(ExtendedEarlyExitBaseMetric, GaugeMetric):
+    @classmethod
+    def name(cls) -> str:
+        return "qontract_reconcile_extended_early_exit_applied_count"
+
+
+def _publish_metrics(
+    cache_key: CacheKey,
+    cache_status: CacheStatus,
+    applied_count: int,
+) -> None:
+    inc_counter(
+        ExtendedEarlyExitCounter(
+            integration=cache_key.integration,
+            integration_version=cache_key.integration_version,
+            dry_run=cache_key.dry_run,
+            cache_status=cache_status.value,
+        ),
+    )
+    set_gauge(
+        ExtendedEarlyExitAppliedCountGauge(
+            integration=cache_key.integration,
+            integration_version=cache_key.integration_version,
+            dry_run=cache_key.dry_run,
+            cache_status=cache_status.value,
+        ),
+        applied_count,
+    )
+
+
+def _ttl_seconds(
+    applied_count: int,
+    ttl_seconds: int,
+) -> int:
+    """
+    Pick the ttl based on the applied count.
+    If the applied count is greater than 0, then we want to set ttl to 0 so that the next run will not hit the cache,
+    this will allow us to easy debug reconcile loops, as we will be able to see the logs of the next run,
+    and check cached value for more details.
+
+    :param applied_count: The number of resources that were applied
+    :param ttl_seconds: A ttl in seconds
+    :return: The ttl in seconds
+    """
+    return 0 if applied_count > 0 else ttl_seconds
+
+
+@contextmanager
+def log_stream_handler(
+    logger: Logger,
+) -> Generator[StringIO, None, None]:
+    """
+    Add a stream handler to the logger, and return the stream generator, automatically remove the handler when done.
+
+    :param logger: A logger
+    :return: A stream generator
+    """
+    log_stream = StringIO()
+    log_handler = logging.StreamHandler(log_stream)
+    logger.addHandler(log_handler)
+    try:
+        yield log_stream
+    finally:
+        logger.removeHandler(log_handler)
+
+
+def extended_early_exit_run(
+    integration: str,
+    integration_version: str,
+    dry_run: bool,
+    cache_source: object,
+    ttl_seconds: int,
+    logger: Logger,
+    runner: Callable[..., ExtendedEarlyExitRunnerResult],
+    runner_params: Mapping | None = None,
+    secret_reader: SecretReaderBase | None = None,
+    log_cached_log_output: bool = False,
+) -> None:
+    """
+    Run the runner based on the cache status. Early exit when cache hit.
+    Runner log output will be extracted and stored in cache value,
+    and will be logged when hit if log_cached_log_output is True,
+    this is mainly used to show all log output from different integrations in one place (CI).
+    When runner returns no applies (applied_count is 0), the ttl will be set to ttl_seconds,
+    otherwise it will be set to 0.
+
+    :param integration: The integration name
+    :param integration_version: The integration version
+    :param dry_run: True if the run is in dry run mode, False otherwise
+    :param cache_source: The cache source, usually the static desired state
+    :param ttl_seconds: A ttl in seconds
+    :param logger: A Logger
+    :param runner: A runner can return ExtendedEarlyExitRunnerResult when called
+    :param runner_params: Runner params, will be spread into kwargs when calling runner
+    :param secret_reader: A secret reader
+    :param log_cached_log_output: Whether to log the cached log output when there is a cache hit
+    :return: None
+    """
+    with EarlyExitCache.build(secret_reader) as cache:
+        key = CacheKey(
+            integration=normalize_integration_name(integration),
+            integration_version=integration_version,
+            dry_run=dry_run,
+            cache_source=cache_source,
+        )
+        cache_status = cache.head(key)
+        logger.debug("Early exit cache status for key=%s: %s", key, cache_status)
+
+        if cache_status == CacheStatus.HIT:
+            if log_cached_log_output:
+                logger.info(cache.get(key).log_output)
+            _publish_metrics(
+                cache_key=key,
+                cache_status=cache_status,
+                applied_count=0,
+            )
+            return
+
+        with log_stream_handler(logger) as log_stream:
+            result = runner(**(runner_params or {}))
+            log_output = log_stream.getvalue()
+
+        value = CacheValue(
+            payload=result.payload,
+            log_output=log_output,
+            applied_count=result.applied_count,
+        )
+        ttl = _ttl_seconds(result.applied_count, ttl_seconds)
+        logger.debug("Set early exit cache for key=%s with ttl=%d", key, ttl)
+        cache.set(key, value, ttl)
+        _publish_metrics(
+            cache_key=key,
+            cache_status=cache_status,
+            applied_count=result.applied_count,
+        )

reconcile/utils/external_resources.py

@@ -79,11 +79,12 @@ def get_inventory_count_combinations(
 
 def publish_metrics(inventory: ExternalResourceSpecInventory, integration: str) -> None:
     count_combinations = get_inventory_count_combinations(inventory)
+    integration_name = metrics.normalize_integration_name(integration)
     for combination, count in count_combinations.items():
         provision_provider, provisioner_name, provider = combination
         metrics.set_gauge(
             ExternalResourceInventoryGauge(
-                integration=integration.replace("_", "-"),
+                integration=integration_name,
                 provision_provider=provision_provider,
                 provisioner_name=provisioner_name,
                 provider=provider,

reconcile/utils/metrics.py

@@ -563,3 +563,10 @@ class ErrorRateMetricSet:
         if exc_value:
             self.fail(exc_value)
         inc_counter(self._error_counter, by=(1 if self._errors else 0))
+
+
+def normalize_integration_name(integration: str) -> str:
+    """
+    Normalize the integration name to be used in prometheus.
+    """
+    return integration.replace("_", "-")

reconcile/utils/terraform_client.py

@@ -90,7 +90,7 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
         self.thread_pool_size = thread_pool_size
         self._aws_api = aws_api
         self._log_lock = Lock()
-        self.should_apply = False
+        self.apply_count = 0
 
         self.specs: list[TerraformSpec] = []
         self.init_specs()
@@ -111,6 +111,12 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
             for account, output in self.outputs.items()
         }
 
+    def increment_apply_count(self):
+        self.apply_count += 1
+
+    def should_apply(self) -> bool:
+        return self.apply_count > 0
+
     def get_new_users(self):
         new_users = []
         self.init_outputs()  # get updated output
@@ -282,7 +288,7 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
             after = output_change.get("after")
             if before != after:
                 logging.info(["update", name, "output", output_name])
-                self.should_apply = True
+                self.increment_apply_count()
 
         # A way to detect deleted outputs is by comparing
         # the prior state with the output changes.
@@ -295,7 +301,7 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
         deleted_outputs = [po for po in prior_outputs if po not in output_changes]
         for output_name in deleted_outputs:
             logging.info(["delete", name, "output", output_name])
-            self.should_apply = True
+            self.increment_apply_count()
 
         resource_changes = output.get("resource_changes")
         if resource_changes is None:
@@ -339,7 +345,7 @@ class TerraformClient:  # pylint: disable=too-many-public-methods
                         resource_name,
                         self._resource_diff_changed_fields(action, resource_change),
                     ])
-                    self.should_apply = True
+                    self.increment_apply_count()
                 if action == "create":
                     if resource_type == "aws_iam_user_login_profile":
                         created_users.append(AccountUser(name, resource_name))

reconcile/utils/terrascript_aws_client.py

@@ -3890,22 +3890,30 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             if os.path.isfile(print_to_file):
                 os.remove(print_to_file)
 
-        for name, ts in self.tss.items():
+        for name, ts in self.terraform_configurations().items():
             if print_to_file:
                 with open(print_to_file, "a", encoding="locale") as f:
                     f.write(f"##### {name} #####\n")
-                    f.write(str(ts))
+                    f.write(ts)
                     f.write("\n")
             if existing_dirs is None:
                 wd = tempfile.mkdtemp(prefix=TMP_DIR_PREFIX)
             else:
                 wd = working_dirs[name]
             with open(wd + "/config.tf.json", "w", encoding="locale") as f:
-                f.write(str(ts))
+                f.write(ts)
             working_dirs[name] = wd
 
         return working_dirs
 
+    def terraform_configurations(self) -> dict[str, str]:
+        """
+        Return the Terraform configurations (in JSON format) for each AWS account.
+
+        :return: key is AWS account name and value is terraform configuration
+        """
+        return {name: str(ts) for name, ts in self.tss.items()}
+
     def init_values(self, spec: ExternalResourceSpec, init_tags: bool = True) -> dict:
         """
         Initialize the values of the terraform resource and merge the defaults and

tools/qontract_cli.py

@@ -2446,8 +2446,8 @@ def early_exit_cache(ctx):
 )
 @click.option(
     "-c",
-    "--cache-desired-state",
-    help="Cache desired state. It should be a JSON string.",
+    "--cache-source",
+    help="Cache source. It should be a JSON string.",
     required=True,
 )
 @click.pass_context
@@ -2456,14 +2456,14 @@ def early_exit_cache_head(
     integration,
     integration_version,
     dry_run,
-    cache_desired_state,
+    cache_source,
 ):
     with EarlyExitCache.build() as cache:
         cache_key = CacheKey(
             integration=integration,
             integration_version=integration_version,
             dry_run=dry_run,
-            cache_desired_state=json.loads(cache_desired_state),
+            cache_source=json.loads(cache_source),
         )
         status = cache.head(cache_key)
         print(status)
@@ -2489,8 +2489,8 @@ def early_exit_cache_head(
 )
 @click.option(
     "-c",
-    "--cache-desired-state",
-    help="Cache desired state. It should be a JSON string.",
+    "--cache-source",
+    help="Cache source. It should be a JSON string.",
     required=True,
 )
 @click.pass_context
@@ -2499,14 +2499,14 @@ def early_exit_cache_get(
     integration,
     integration_version,
     dry_run,
-    cache_desired_state,
+    cache_source,
 ):
     with EarlyExitCache.build() as cache:
         cache_key = CacheKey(
             integration=integration,
             integration_version=integration_version,
             dry_run=dry_run,
-            cache_desired_state=json.loads(cache_desired_state),
+            cache_source=json.loads(cache_source),
         )
         value = cache.get(cache_key)
         print(value)
@@ -2532,14 +2532,14 @@ def early_exit_cache_get(
 )
 @click.option(
     "-c",
-    "--cache-desired-state",
-    help="Cache desired state. It should be a JSON string.",
+    "--cache-source",
+    help="Cache source. It should be a JSON string.",
     required=True,
 )
 @click.option(
-    "-d",
-    "--desired-state",
-    help="Desired state. It should be a JSON string.",
+    "-p",
+    "--payload",
+    help="Payload in Cache value. It should be a JSON string.",
     required=True,
 )
 @click.option(
@@ -2568,8 +2568,8 @@ def early_exit_cache_set(
     integration,
     integration_version,
     dry_run,
-    cache_desired_state,
-    desired_state,
+    cache_source,
+    payload,
     log_output,
     applied_count,
     ttl,
@@ -2579,10 +2579,10 @@ def early_exit_cache_set(
             integration=integration,
             integration_version=integration_version,
             dry_run=dry_run,
-            cache_desired_state=json.loads(cache_desired_state),
+            cache_source=json.loads(cache_source),
         )
         cache_value = CacheValue(
-            desired_state=json.loads(desired_state),
+            payload=json.loads(payload),
             log_output=log_output,
             applied_count=applied_count,
         )

tools/test/test_qontract_cli.py

@@ -84,7 +84,7 @@ def test_early_exit_cache_set(env_vars, mock_queries, mock_early_exit_cache):
 
     result = runner.invoke(
         qontract_cli.early_exit_cache,
-        "set -i a -v b --no-dry-run -c {} -d {} -l log -t 30",
+        "set -i a -v b --no-dry-run -c {} -p {} -l log -t 30",
     )
     assert result.exit_code == 0
     mock_early_exit_cache.build.return_value.__enter__.return_value.set.assert_called()