qontract-reconcile 0.10.1rc548__py3-none-any.whl → 0.10.1rc550__py3-none-any.whl

{qontract_reconcile-0.10.1rc548.dist-info → qontract_reconcile-0.10.1rc550.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc548
+Version: 0.10.1rc550
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc548.dist-info → qontract_reconcile-0.10.1rc550.dist-info}/RECORD

@@ -9,7 +9,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=glH6d_cL8D8Bd2Wl_iYiV5H39o74nElXQjck_HjUkpY,85765
+reconcile/cli.py,sha256=H28wYQd623XEfcEYODG15elir-fvW4BBhjNznc0JJFs,87169
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -70,7 +70,7 @@ reconcile/openshift_namespaces.py,sha256=DboMc6t0vXD54lL9ZP9P9fQnCRo2g_0z5FWubtW
 reconcile/openshift_network_policies.py,sha256=_qqv7yj17OM1J8KJPsFmzFZ85gzESJeBocC672z4_WU,4231
 reconcile/openshift_resourcequotas.py,sha256=yUi56PiOn3inMMfq_x_FEHmaW-reGipzoorjdar372g,2415
 reconcile/openshift_resources.py,sha256=kwsY5cko7udEKNlhL2oKiKv_5wzEw9wmmwROE016ng8,1400
-reconcile/openshift_resources_base.py,sha256=XSctdE3pD4BI-91tlV5rdXIhvdtymZYeOKiCad8ZJl4,45839
+reconcile/openshift_resources_base.py,sha256=rlzHO9mIQ2RGtlma-KHjtzkWirge6nZy-NP6cXlXeo0,45952
 reconcile/openshift_rolebindings.py,sha256=0sEKajdqVuBSzlagyPbLxtNXQdI2vyabmbIRifs0des,6629
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=NFiNrk7055vunzzJmI7cVBubFj6JPDlEpJqDwpG_t9g,12706
@@ -132,6 +132,8 @@ reconcile/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 reconcile/aws_ami_cleanup/integration.py,sha256=IW95cpMj2P5ffs-AxsR_TDQCJnYFBhLIfP2de7dz_8A,10109
 reconcile/aws_cloudwatch_log_retention/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_cloudwatch_log_retention/integration.py,sha256=0UcSZIrGvnGY4m9fj87oejIolIP_qTxtJInpmW9jrQ0,7772
+reconcile/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/aws_saml_idp/integration.py,sha256=k14YqAIE2w4P7s_3zX1astJNim9E0bZEPv95UpO79gA,4841
 reconcile/aws_version_sync/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_version_sync/integration.py,sha256=dN_lZIeM5i0p6-yHYadGg65QgDs0nVWYJkPzU-KGwuo,15196
 reconcile/aws_version_sync/utils.py,sha256=sVv-48PKi2VITlqqvmpbjnFDOPeGqfKzgkpIszlmjL0,1708
@@ -176,6 +178,8 @@ reconcile/gql_definitions/app_interface_metrics_exporter/__init__.py,sha256=47DE
 reconcile/gql_definitions/app_interface_metrics_exporter/onboarding_status.py,sha256=uVEEqU6YYmKsNTo6EWlFnoVmqha2rvBDx-wiD64VmG0,1679
 reconcile/gql_definitions/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_ami_cleanup/asg_namespaces.py,sha256=OJmeTu7uirLGAysZ3IQTtRXqMyL8noi_QZxPuWYxxmI,3678
+reconcile/gql_definitions/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/aws_saml_idp/aws_accounts.py,sha256=ZhsTyUmR-i-0eDXEEl2qZV64bIHMK25KrvlkqpzwO8Y,2652
 reconcile/gql_definitions/aws_version_sync/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_version_sync/clusters.py,sha256=2TOJOFxpTkZ2HKuqAGUo6tQkzOINSfO-bYDINVpJeL0,2295
 reconcile/gql_definitions/aws_version_sync/namespaces.py,sha256=eBLyXlSjWdmEE-jY9M2Ocgk7JGi2OsWisTkjHLfgU_A,4311
@@ -583,7 +587,7 @@ reconcile/utils/state.py,sha256=SAa6QLHu9lr0yqLCBy2AypNx1IPCJWlrRBrvlzAKsOU,1450
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=_jBriLBwU005bDxWlq7CRByOkVCfiH47oBzB0ArNAY8,31901
-reconcile/utils/terrascript_aws_client.py,sha256=3jtFVmL0O10yvx-Lo8Qj63BKiM9jLMGSbdonJaTWb14,266082
+reconcile/utils/terrascript_aws_client.py,sha256=j3DzUROG_oP2Q-YnG3Lc4DazTyQV7MRAVZIkU53FhBk,266379
 reconcile/utils/three_way_diff_strategy.py,sha256=nyqeQsLCoPI6e16k2CF3b9KNgQLU-rPf5RtfdUfVMwE,4468
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/unleash.py,sha256=1D56CsZfE3ShDtN3IErE1T2eeIwNmxhK-yYbCotJ99E,3601
@@ -670,8 +674,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=se-YG_YVCWRFrnCPvBVHDBT_59CkbIoEni-4SJa8_MU,2755
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc548.dist-info/METADATA,sha256=96wIaY6LGAn5tRcG1TNghKvMbpgGEqj3Wep8MMnC7gA,2349
-qontract_reconcile-0.10.1rc548.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc548.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc548.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc548.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc550.dist-info/METADATA,sha256=UCdLxw5-f02snUpWCllNiE-3f5PuEWHyyCqVJm7jBpw,2349
+qontract_reconcile-0.10.1rc550.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc550.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc550.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc550.dist-info/RECORD,,

reconcile/aws_saml_idp/integration.py

@@ -0,0 +1,158 @@
+import sys
+from collections.abc import (
+    Callable,
+    Iterable,
+)
+from typing import (
+    Any,
+)
+
+import requests
+from pydantic import BaseModel, HttpUrl
+
+from reconcile import queries
+from reconcile.gql_definitions.aws_saml_idp.aws_accounts import (
+    AWSAccountV1,
+)
+from reconcile.gql_definitions.aws_saml_idp.aws_accounts import (
+    query as aws_accounts_query,
+)
+from reconcile.status import ExitCodes
+from reconcile.utils import gql
+from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.defer import defer
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.semver_helper import make_semver
+from reconcile.utils.terraform_client import TerraformClient
+from reconcile.utils.terrascript_aws_client import TerrascriptClient
+
+QONTRACT_INTEGRATION = "aws-saml-idp"
+QONTRACT_INTEGRATION_VERSION = make_semver(1, 0, 0)
+
+
+class AwsSamlIdpIntegrationParams(PydanticRunParams):
+    thread_pool_size: int = 10
+    print_to_file: str | None = None
+    enable_deletion: bool = False
+    # integration specific parameters
+    saml_idp_name: str
+    saml_metadata_url: HttpUrl
+    account_name: str | None = None
+
+
+class SamlIdpConfig(BaseModel):
+    account_name: str
+    name: str
+    metadata: str
+
+
+class AwsSamlIdpIntegration(QontractReconcileIntegration[AwsSamlIdpIntegrationParams]):
+    """Manage the SAML IDP config for all AWS accounts."""
+
+    @property
+    def name(self) -> str:
+        return QONTRACT_INTEGRATION
+
+    def get_early_exit_desired_state(
+        self, query_func: Callable | None = None
+    ) -> dict[str, Any]:
+        """Return the desired state for early exit."""
+        if not query_func:
+            query_func = gql.get_api().query
+        return {
+            "accounts": [c.dict() for c in self.get_aws_accounts(query_func)],
+        }
+
+    def get_aws_accounts(
+        self, query_func: Callable, account_name: str | None = None
+    ) -> list[AWSAccountV1]:
+        """Get all AWS accounts."""
+        data = aws_accounts_query(query_func)
+        return [
+            account
+            for account in data.accounts or []
+            if integration_is_enabled(self.name, account)
+            and (not account_name or account.name == account_name)
+        ]
+
+    def build_saml_idp_config(
+        self,
+        aws_accounts: Iterable[AWSAccountV1],
+        saml_idp_name: str,
+        saml_metadata: str,
+    ) -> list[SamlIdpConfig]:
+        """Build the desired state."""
+        return [
+            SamlIdpConfig(
+                account_name=account.name, name=saml_idp_name, metadata=saml_metadata
+            )
+            for account in aws_accounts
+            if account.sso
+        ]
+
+    def get_saml_metadata(self, saml_metadata_url: str) -> str:
+        """Get the SAML metadata from the given URL."""
+        response = requests.get(saml_metadata_url)
+        response.raise_for_status()
+        return response.text
+
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
+        """Run the integration."""
+        gql_api = gql.get_api()
+        settings = queries.get_app_interface_settings()
+        aws_accounts = self.get_aws_accounts(
+            gql_api.query, account_name=self.params.account_name
+        )
+        aws_accounts_dict = [account.dict(by_alias=True) for account in aws_accounts]
+
+        ts = TerrascriptClient(
+            self.name.replace("-", "_"),
+            "",
+            self.params.thread_pool_size,
+            aws_accounts_dict,
+            settings=settings,
+        )
+
+        for saml_idp_config in self.build_saml_idp_config(
+            aws_accounts,
+            saml_idp_name=self.params.saml_idp_name,
+            saml_metadata=self.get_saml_metadata(self.params.saml_metadata_url),
+        ):
+            ts.populate_saml_idp(
+                account_name=saml_idp_config.account_name,
+                name=saml_idp_config.name,
+                metadata=saml_idp_config.metadata,
+            )
+        working_dirs = ts.dump(print_to_file=self.params.print_to_file)
+
+        if self.params.print_to_file:
+            sys.exit(ExitCodes.SUCCESS)
+
+        aws_api = AWSApi(1, aws_accounts_dict, settings=settings, init_users=False)
+        tf = TerraformClient(
+            self.name,
+            QONTRACT_INTEGRATION_VERSION,
+            "",
+            aws_accounts_dict,
+            working_dirs,
+            self.params.thread_pool_size,
+            aws_api,
+        )
+        if defer:
+            defer(tf.cleanup)
+
+        _, err = tf.plan(self.params.enable_deletion)
+        if err:
+            sys.exit(ExitCodes.ERROR)
+
+        if dry_run:
+            return
+
+        err = tf.apply()
+        if err:
+            sys.exit(ExitCodes.ERROR)

reconcile/cli.py

@@ -698,6 +698,55 @@ def terraform_aws_route53(
     )
 
 
+@integration.command(short_help="Manage the SAML IDP config for all AWS accounts.")
+@print_to_file
+@threaded()
+@binary(["terraform", "git"])
+@binary_version("terraform", ["version"], TERRAFORM_VERSION_REGEX, TERRAFORM_VERSION)
+@enable_deletion(default=True)
+@account_name
+@click.option(
+    "--saml-idp-name",
+    help="Name of the SAML IDP. Must match the name the SAML response!",
+    required=True,
+    default="RedHatInternal",
+)
+@click.option(
+    "--saml-metadata-url",
+    help="URL of the SAML metadata xml file. Must be a valid URL!",
+    required=True,
+    default="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/saml/descriptor",
+)
+@click.pass_context
+def aws_saml_idp(
+    ctx,
+    print_to_file,
+    enable_deletion,
+    thread_pool_size,
+    account_name,
+    saml_idp_name,
+    saml_metadata_url,
+):
+    from reconcile.aws_saml_idp.integration import (
+        AwsSamlIdpIntegration,
+        AwsSamlIdpIntegrationParams,
+    )
+
+    run_class_integration(
+        integration=AwsSamlIdpIntegration(
+            AwsSamlIdpIntegrationParams(
+                thread_pool_size=thread_pool_size,
+                print_to_file=print_to_file,
+                enable_deletion=enable_deletion,
+                saml_idp_name=saml_idp_name,
+                saml_metadata_url=saml_metadata_url,
+                account_name=account_name,
+            )
+        ),
+        ctx=ctx.obj,
+    )
+
+
 @integration.command(short_help="Configures the teams and members in a GitHub org.")
 @click.pass_context
 def github(ctx):

reconcile/gql_definitions/aws_saml_idp/aws_accounts.py

@@ -0,0 +1,116 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.aws_account_common import AWSAccountCommon
+from reconcile.gql_definitions.fragments.terraform_state import TerraformState
+
+
+DEFINITION = """
+fragment AWSAccountCommon on AWSAccount_v1 {
+  path
+  name
+  uid
+  terraformUsername
+  consoleUrl
+  resourcesDefaultRegion
+  supportedDeploymentRegions
+  providerVersion
+  accountOwners {
+    name
+    email
+  }
+  automationToken {
+    ... VaultSecret
+  }
+  garbageCollection
+  enableDeletion
+  deletionApprovals {
+    type
+    name
+    expiration
+  }
+  disable {
+    integrations
+  }
+  deleteKeys
+  premiumSupport
+  partition
+}
+
+fragment TerraformState on TerraformStateAWS_v1 {
+  provider
+  bucket
+  region
+  integrations {
+    key
+    integration
+  }
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query AWSAccountsSamlIdp {
+  accounts: awsaccounts_v1 {
+    sso
+    ...AWSAccountCommon
+    terraformState {
+      ...TerraformState
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class AWSAccountV1(AWSAccountCommon):
+    sso: Optional[bool] = Field(..., alias="sso")
+    terraform_state: Optional[TerraformState] = Field(..., alias="terraformState")
+
+
+class AWSAccountsSamlIdpQueryData(ConfiguredBaseModel):
+    accounts: Optional[list[AWSAccountV1]] = Field(..., alias="accounts")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AWSAccountsSamlIdpQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AWSAccountsSamlIdpQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AWSAccountsSamlIdpQueryData(**raw_data)

reconcile/openshift_resources_base.py

@@ -194,8 +194,14 @@ NAMESPACES_QUERY = """
         %s
       }
       spec {
+        ... on ClusterSpecROSA_v1 {
+          account {
+            uid
+          }
+        }
         version
         region
+        hypershift
       }
       network {
         pod

reconcile/utils/terrascript_aws_client.py

@@ -90,6 +90,7 @@ from terrascript.resource import (
     aws_iam_role,
     aws_iam_role_policy,
     aws_iam_role_policy_attachment,
+    aws_iam_saml_provider,
     aws_iam_service_linked_role,
     aws_iam_user,
     aws_iam_user_group_membership,
@@ -6454,3 +6455,9 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             )
         )
         self.add_resources(account, tf_resources)
+
+    def populate_saml_idp(self, account_name: str, name: str, metadata: str) -> None:
+        saml_idp = aws_iam_saml_provider(
+            f"{account_name}-{name}", name=name, saml_metadata_document=metadata
+        )
+        self.add_resource(account_name, saml_idp)