qontract-reconcile 0.10.1rc602__py3-none-any.whl → 0.10.1rc604__py3-none-any.whl

{qontract_reconcile-0.10.1rc602.dist-info → qontract_reconcile-0.10.1rc604.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc602
+Version: 0.10.1rc604
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team
@@ -11,7 +11,7 @@ Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Requires-Python: >=3.11
-Requires-Dist: sretoolbox ~=2.5.1
+Requires-Dist: sretoolbox ~=2.5.2
 Requires-Dist: Click <9.0,>=7.0
 Requires-Dist: gql ==3.1.0
 Requires-Dist: toml <0.11.0,>=0.10.0

{qontract_reconcile-0.10.1rc602.dist-info → qontract_reconcile-0.10.1rc604.dist-info}/RECORD

@@ -539,7 +539,7 @@ reconcile/typed_queries/terraform_tgw_attachments/aws_accounts.py,sha256=T5HSeyB
 reconcile/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/aggregated_list.py,sha256=pkYoBj7WwmaNgEefETqEOFTnQMcUzHE3mdsVdzGYj60,3372
 reconcile/utils/amtool.py,sha256=JV5-to_e_FaIcvJWTKYA9d6L3LwzwijM0MjUWn83eD4,2204
-reconcile/utils/aws_api.py,sha256=Wy040GBQ3HrWmtxe1QAx3zl1I3phVDVjXEx_OITEcOw,69191
+reconcile/utils/aws_api.py,sha256=sgmxCXYle0jjmMHPpBOAKl-kWTDWwuc0AlLO2NmDB8M,65612
 reconcile/utils/aws_helper.py,sha256=6Nfgsz0aQ97LBAJ0JBRdnPaFTAkEBSqXvCH6_pVIWdw,2006
 reconcile/utils/binary.py,sha256=3IBnwjKakHM367skPPvG6yVSQYjKt5muQlFNdoa63DU,2352
 reconcile/utils/config.py,sha256=aId5zrPjM_84u_T4yTRE_Psu3zo5-5_JCR6_7Wgv5UQ,990
@@ -618,6 +618,11 @@ reconcile/utils/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSu
 reconcile/utils/acs/base.py,sha256=Qih-xZ3RBJZEE291iHHlv7lUY6ShcAvSj1PA3_aTTnM,2276
 reconcile/utils/acs/policies.py,sha256=_jAz6cv8KRYtDsXjGoJgNbD8_9PUa5LSwwVlpK4A_cQ,5505
 reconcile/utils/acs/rbac.py,sha256=ugsLM9Pb7FbUbdq85E3VzXGMaB9ZovXob7tdWCxwqZ8,8808
+reconcile/utils/aws_api_typed/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/utils/aws_api_typed/api.py,sha256=ICBrpoZ1Y8ShMaNOQmzPzChmw-Ffdg0tCsu97fVwZ-w,6374
+reconcile/utils/aws_api_typed/iam.py,sha256=wH82lA2kUgEKR5McmyU5gB8ASfemT5xAk3Bb9cairVo,1508
+reconcile/utils/aws_api_typed/organization.py,sha256=dJ7J02BNHu7UDyFa9083b92vSamIX8DtHIoF8VwEijY,3675
+reconcile/utils/aws_api_typed/sts.py,sha256=5Sauncj9Fif3YDLkJYkBZrtOX0v0bGAqOmY0A5Bh9yA,1237
 reconcile/utils/cloud_resource_best_practice/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/cloud_resource_best_practice/aws_rds.py,sha256=EvE6XKLsrZ531MJptKqPht2lOETrOjySTHXk6CzMgo0,2279
 reconcile/utils/glitchtip/__init__.py,sha256=FT6iBhGqoe7KExFdbgL8AYUb64iW_4snF5__Dcl7yt0,258
@@ -704,8 +709,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=OvalpVRfY4pNmpMaWHHYqBjV68b1eGQjX8SCyTAXb1w,3501
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc602.dist-info/METADATA,sha256=63UVto0tsq6BwLN2ztvG4TOvP2_EXbX3IahwEhuh0HA,2349
-qontract_reconcile-0.10.1rc602.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc602.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc602.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc602.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc604.dist-info/METADATA,sha256=8DqZZvzBIt5WiKjrw88w6gjkqWMvmmFJteu3Hskyuyo,2349
+qontract_reconcile-0.10.1rc604.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc604.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc604.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc604.dist-info/RECORD,,

reconcile/utils/aws_api.py

@@ -1,9 +1,7 @@
 import logging
 import os
 import re
-import textwrap
 import time
-from abc import ABC, abstractmethod
 from collections.abc import (
     Iterable,
     Iterator,
@@ -89,118 +87,6 @@ KeyStatus = Union[Literal["Active"], Literal["Inactive"]]
 GOVCLOUD_PARTITION = "aws-us-gov"
 
 
-class AWSCredentials(ABC):
-    @abstractmethod
-    def as_env_vars(self) -> dict[str, str]:
-        """
-        Returns a dictionary of environment variables that can be used to authenticate with AWS.
-        """
-        ...
-
-    @abstractmethod
-    def as_credentials_file(self, profile_name: str = "default") -> str:
-        """
-        Returns a string that can be used to write an AWS credentials file.
-        """
-        ...
-
-    @abstractmethod
-    def build_session(self) -> Session:
-        """
-        Builds an AWS session using these credentials.
-        """
-        ...
-
-    def get_temporary_credentials(
-        self, duration_seconds: int = 900
-    ) -> "AWSTemporaryCredentials":
-        """
-        Builds temporary AWS credentials from a session. This is similar to assuming a role,
-        in the sense that the credentials will expire after a certain amount of time.
-
-        These temporary credentials have the same permissions as the session they were built from, except:
-        - they can't be used for anything IAM related
-        - for the STS API only the AssumeRole and GetSessionToken actions are allowed
-        """
-        session = self.build_session()
-        response = session.client("sts").get_session_token(
-            DurationSeconds=duration_seconds
-        )
-        tmp_creds = response["Credentials"]
-        return AWSTemporaryCredentials(
-            access_key_id=tmp_creds["AccessKeyId"],
-            secret_access_key=tmp_creds["SecretAccessKey"],
-            session_token=tmp_creds["SessionToken"],
-            region=session.region_name,
-        )
-
-
-class AWSStaticCredentials(BaseModel, AWSCredentials):
-    """
-    A model representing AWS credentials.
-    """
-
-    access_key_id: str
-    secret_access_key: str
-    region: str
-
-    def as_env_vars(self) -> dict[str, str]:
-        return {
-            "AWS_ACCESS_KEY_ID": self.access_key_id,
-            "AWS_SECRET_ACCESS_KEY": self.secret_access_key,
-            "AWS_REGION": self.region,
-        }
-
-    def as_credentials_file(self, profile_name: str = "default") -> str:
-        return textwrap.dedent(
-            f"""\
-            [{profile_name}]
-            aws_access_key_id = {self.access_key_id}
-            aws_secret_access_key = {self.secret_access_key}
-            region = {self.region}
-            """
-        )
-
-    def build_session(self) -> Session:
-        return Session(
-            aws_access_key_id=self.access_key_id,
-            aws_secret_access_key=self.secret_access_key,
-            region_name=self.region,
-        )
-
-
-class AWSTemporaryCredentials(AWSStaticCredentials):
-    """
-    A model representing temporary AWS credentials.
-    """
-
-    session_token: str
-
-    def as_env_vars(self) -> dict[str, str]:
-        env_vars = super().as_env_vars()
-        env_vars["AWS_SESSION_TOKEN"] = self.session_token
-        return env_vars
-
-    def as_credentials_file(self, profile_name: str = "default") -> str:
-        return textwrap.dedent(
-            f"""\
-            [{profile_name}]
-            aws_access_key_id = {self.access_key_id}
-            aws_secret_access_key = {self.secret_access_key}
-            aws_session_token = {self.session_token}
-            region = {self.region}
-            """
-        )
-
-    def build_session(self) -> Session:
-        return Session(
-            aws_access_key_id=self.access_key_id,
-            aws_secret_access_key=self.secret_access_key,
-            aws_session_token=self.session_token,
-            region_name=self.region,
-        )
-
-
 class AmiTag(BaseModel):
     name: str
     value: str

reconcile/utils/aws_api_typed/api.py

@@ -0,0 +1,190 @@
+from __future__ import annotations
+
+import textwrap
+from abc import ABC, abstractmethod
+from functools import cached_property
+from typing import Any, TypeVar
+
+from boto3 import Session
+from botocore.client import BaseClient
+from pydantic import BaseModel
+
+import reconcile.utils.aws_api_typed.iam
+import reconcile.utils.aws_api_typed.organization
+import reconcile.utils.aws_api_typed.sts
+from reconcile.utils.aws_api_typed.iam import AWSApiIam
+from reconcile.utils.aws_api_typed.organization import AWSApiOrganizations
+from reconcile.utils.aws_api_typed.sts import AWSApiSts
+
+SubApi = TypeVar("SubApi")
+
+
+class AWSCredentials(ABC):
+    @abstractmethod
+    def as_env_vars(self) -> dict[str, str]:
+        """
+        Returns a dictionary of environment variables that can be used to authenticate with AWS.
+        """
+        ...
+
+    @abstractmethod
+    def as_credentials_file(self, profile_name: str = "default") -> str:
+        """
+        Returns a string that can be used to write an AWS credentials file.
+        """
+        ...
+
+    @abstractmethod
+    def build_session(self) -> Session:
+        """
+        Builds an AWS session using these credentials.
+        """
+        ...
+
+
+class AWSStaticCredentials(BaseModel, AWSCredentials):
+    """
+    A model representing AWS credentials.
+    """
+
+    access_key_id: str
+    secret_access_key: str
+    region: str
+
+    def as_env_vars(self) -> dict[str, str]:
+        return {
+            "AWS_ACCESS_KEY_ID": self.access_key_id,
+            "AWS_SECRET_ACCESS_KEY": self.secret_access_key,
+            "AWS_REGION": self.region,
+        }
+
+    def as_credentials_file(self, profile_name: str = "default") -> str:
+        return textwrap.dedent(
+            f"""\
+            [{profile_name}]
+            aws_access_key_id = {self.access_key_id}
+            aws_secret_access_key = {self.secret_access_key}
+            region = {self.region}
+            """
+        )
+
+    def build_session(self) -> Session:
+        return Session(
+            aws_access_key_id=self.access_key_id,
+            aws_secret_access_key=self.secret_access_key,
+            region_name=self.region,
+        )
+
+
+class AWSTemporaryCredentials(AWSStaticCredentials):
+    """
+    A model representing temporary AWS credentials.
+    """
+
+    session_token: str
+
+    def as_env_vars(self) -> dict[str, str]:
+        env_vars = super().as_env_vars()
+        env_vars["AWS_SESSION_TOKEN"] = self.session_token
+        return env_vars
+
+    def as_credentials_file(self, profile_name: str = "default") -> str:
+        return textwrap.dedent(
+            f"""\
+            [{profile_name}]
+            aws_access_key_id = {self.access_key_id}
+            aws_secret_access_key = {self.secret_access_key}
+            aws_session_token = {self.session_token}
+            region = {self.region}
+            """
+        )
+
+    def build_session(self) -> Session:
+        return Session(
+            aws_access_key_id=self.access_key_id,
+            aws_secret_access_key=self.secret_access_key,
+            aws_session_token=self.session_token,
+            region_name=self.region,
+        )
+
+
+class AWSApi:
+    def __init__(self, aws_credentials: AWSCredentials) -> None:
+        self.session = aws_credentials.build_session()
+        self._session_clients: list[BaseClient] = []
+
+    def __enter__(self) -> AWSApi:
+        return self
+
+    def __exit__(self, *exec: Any) -> None:
+        self.close()
+
+    def close(self) -> None:
+        """Close all clients created by this API instance."""
+        for client in self._session_clients:
+            client.close()
+        self._session_clients = []
+
+    def _init_sub_api(self, api_cls: type[SubApi]) -> SubApi:
+        """Return a new or cached sub api client."""
+        match api_cls:
+            case reconcile.utils.aws_api_typed.iam.AWSApiIam:
+                client = self.session.client("iam")
+                api = api_cls(client)  # type: ignore # mypy bug, it doesn't recognize that api_cls is callable
+            case reconcile.utils.aws_api_typed.organization.AWSApiOrganizations:
+                client = self.session.client("organizations")
+                api = api_cls(client)
+            case reconcile.utils.aws_api_typed.sts.AWSApiSts:
+                client = self.session.client("sts")
+                api = api_cls(client)
+            case _:
+                raise ValueError(f"Unknown API class: {api_cls}")
+
+        self._session_clients.append(client)
+        return api
+
+    @cached_property
+    def sts(self) -> AWSApiSts:
+        """Return an AWS STS Api client."""
+        return self._init_sub_api(AWSApiSts)
+
+    @cached_property
+    def organizations(self) -> AWSApiOrganizations:
+        """Return an AWS Organizations Api client."""
+        return self._init_sub_api(AWSApiOrganizations)
+
+    @cached_property
+    def iam(self) -> AWSApiIam:
+        """Return an AWS IAM Api client."""
+        return self._init_sub_api(AWSApiIam)
+
+    def assume_role(self, account_id: str, role: str) -> AWSApi:
+        """Return a new AWSApi with the assumed role."""
+        credentials = self.sts.assume_role(account_id=account_id, role=role)
+        return AWSApi(
+            AWSTemporaryCredentials(
+                access_key_id=credentials.access_key_id,
+                secret_access_key=credentials.secret_access_key,
+                session_token=credentials.session_token,
+                region=self.session.region_name,
+            )
+        )
+
+    def temporary_session(self, duration_seconds: int = 900) -> AWSApi:
+        """Return a new AWSAPI with temporary AWS credentials from a session.
+
+        This is similar to assuming a role, in the sense that the credentials will expire after a certain amount of time.
+
+        These temporary credentials have the same permissions as the session they were built from, except:
+        - they can't be used for anything IAM related
+        - for the STS API only the AssumeRole and GetSessionToken actions are allowed
+        """
+        tmp_creds = self.sts.get_session_token(duration_seconds=duration_seconds)
+        return AWSApi(
+            AWSTemporaryCredentials(
+                access_key_id=tmp_creds.access_key_id,
+                secret_access_key=tmp_creds.secret_access_key,
+                session_token=tmp_creds.session_token,
+                region=self.session.region_name,
+            )
+        )

reconcile/utils/aws_api_typed/iam.py

@@ -0,0 +1,50 @@
+from typing import TYPE_CHECKING
+
+from pydantic import BaseModel, Field
+
+if TYPE_CHECKING:
+    from mypy_boto3_iam import IAMClient
+else:
+    IAMClient = object
+
+
+class AWSAccessKey(BaseModel):
+    access_key_id: str = Field(..., alias="AccessKeyId")
+    secret_access_key: str = Field(..., alias="SecretAccessKey")
+
+
+class AWSUser(BaseModel):
+    user_name: str = Field(..., alias="UserName")
+    user_id: str = Field(..., alias="UserId")
+    arn: str = Field(..., alias="Arn")
+    path: str = Field(..., alias="Path")
+
+
+class AWSApiIam:
+    def __init__(self, client: IAMClient) -> None:
+        self.client = client
+
+    def create_access_key(self, user_name: str) -> AWSAccessKey:
+        """Create an access key for a given user."""
+        credentials = self.client.create_access_key(
+            UserName=user_name,
+        )
+        return AWSAccessKey(**credentials["AccessKey"])
+
+    def create_user(self, user_name: str) -> AWSUser:
+        """Create a new IAM user."""
+        user = self.client.create_user(
+            UserName=user_name,
+        )
+        return AWSUser(**user["User"])
+
+    def attach_user_policy(self, user_name: str, policy_arn: str) -> None:
+        """Attach a policy to a user."""
+        self.client.attach_user_policy(
+            UserName=user_name,
+            PolicyArn=policy_arn,
+        )
+
+    def create_account_alias(self, account_alias: str) -> None:
+        """Create an account alias."""
+        self.client.create_account_alias(AccountAlias=account_alias)

reconcile/utils/aws_api_typed/organization.py

@@ -0,0 +1,104 @@
+from collections.abc import Mapping
+from typing import TYPE_CHECKING
+
+from pydantic import BaseModel, Field
+
+if TYPE_CHECKING:
+    from mypy_boto3_organizations import OrganizationsClient
+    from mypy_boto3_organizations.literals import CreateAccountFailureReasonType
+else:
+    OrganizationsClient = object
+    CreateAccountFailureReasonType = object
+
+
+class AwsOrganizationOU(BaseModel):
+    id: str = Field(..., alias="Id")
+    arn: str = Field(..., alias="Arn")
+    name: str = Field(..., alias="Name")
+    children: list["AwsOrganizationOU"] = []
+
+    def find(self, path: str) -> "AwsOrganizationOU":
+        """Return an organizational unit by its path."""
+        name, *rest = path.strip("/").split("/")
+        subs = "/".join(rest)
+        if self.name == name:
+            if not rest:
+                return self
+            for child in self.children:
+                try:
+                    return child.find(subs)
+                except KeyError:
+                    pass
+        raise KeyError(f"OU not found: {path}")
+
+
+class AWSAccountStatus(BaseModel):
+    id: str = Field(..., alias="Id")
+    account_name: str = Field(..., alias="AccountName")
+    account_id: str = Field(..., alias="AccountId")
+    state: str = Field(..., alias="State")
+    failure_reason: CreateAccountFailureReasonType | None = Field(alias="FailureReason")
+
+
+class AWSAccountCreationException(Exception):
+    pass
+
+
+class AWSApiOrganizations:
+    def __init__(self, client: OrganizationsClient) -> None:
+        self.client = client
+
+    def get_organizational_units_tree(
+        self, root: AwsOrganizationOU | None = None
+    ) -> AwsOrganizationOU:
+        """List all organizational units for a given root recursively."""
+        if not root:
+            root = AwsOrganizationOU(**self.client.list_roots()["Roots"][0])
+
+        paginator = self.client.get_paginator("list_organizational_units_for_parent")
+        for page in paginator.paginate(ParentId=root.id):
+            for ou_raw in page["OrganizationalUnits"]:
+                ou = AwsOrganizationOU(**ou_raw)
+                root.children.append(ou)
+                self.get_organizational_units_tree(root=ou)
+        return root
+
+    def create_account(
+        self,
+        email: str,
+        account_name: str,
+        tags: Mapping[str, str],
+        access_to_billing: bool = True,
+    ) -> AWSAccountStatus:
+        """Create a new account in the organization."""
+        resp = self.client.create_account(
+            Email=email,
+            AccountName=account_name,
+            IamUserAccessToBilling="ALLOW" if access_to_billing else "DENY",
+            Tags=[{"Key": k, "Value": v} for k, v in tags.items()],
+        )
+        status = AWSAccountStatus(**resp["CreateAccountStatus"])
+        if status.state == "FAILED":
+            raise AWSAccountCreationException(
+                f"Account creation failed: {status.failure_reason}"
+            )
+        return status
+
+    def describe_create_account_status(
+        self, create_account_request_id: str
+    ) -> AWSAccountStatus:
+        """Return the status of a create account request."""
+        resp = self.client.describe_create_account_status(
+            CreateAccountRequestId=create_account_request_id
+        )
+        return AWSAccountStatus(**resp["CreateAccountStatus"])
+
+    def move_account(
+        self, account_id: str, source_parent_id: str, destination_parent_id: str
+    ) -> None:
+        """Move an account to a different organizational unit."""
+        self.client.move_account(
+            AccountId=account_id,
+            SourceParentId=source_parent_id,
+            DestinationParentId=destination_parent_id,
+        )

reconcile/utils/aws_api_typed/sts.py

@@ -0,0 +1,36 @@
+from datetime import datetime
+from typing import TYPE_CHECKING
+
+from pydantic import BaseModel, Field
+
+if TYPE_CHECKING:
+    from mypy_boto3_sts import STSClient
+else:
+    STSClient = object
+
+
+class AWSCredentials(BaseModel):
+    access_key_id: str = Field(..., alias="AccessKeyId")
+    secret_access_key: str = Field(..., alias="SecretAccessKey")
+    session_token: str = Field(..., alias="SessionToken")
+    expiration: datetime = Field(..., alias="Expiration")
+
+
+class AWSApiSts:
+    def __init__(self, client: STSClient) -> None:
+        self.client = client
+
+    def assume_role(self, account_id: str, role: str) -> AWSCredentials:
+        """Assume a role and return temporary credentials."""
+        assumed_role_object = self.client.assume_role(
+            RoleArn=f"arn:aws:iam::{account_id}:role/{role}",
+            RoleSessionName=role,
+        )
+        return AWSCredentials(**assumed_role_object["Credentials"])
+
+    def get_session_token(self, duration_seconds: int = 900) -> AWSCredentials:
+        """Return temporary credentials."""
+        assumed_role_object = self.client.get_session_token(
+            DurationSeconds=duration_seconds
+        )
+        return AWSCredentials(**assumed_role_object["Credentials"])