qontract-reconcile 0.10.1rc734__py3-none-any.whl → 0.10.1rc735__py3-none-any.whl

{qontract_reconcile-0.10.1rc734.dist-info → qontract_reconcile-0.10.1rc735.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc734
+Version: 0.10.1rc735
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc734.dist-info → qontract_reconcile-0.10.1rc735.dist-info}/RECORD

@@ -1,4 +1,5 @@
 reconcile/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/acs_notifiers.py,sha256=1UBRTGsLrMUxpgm3WGceNyCmY9MZwUht4t26eIMWOLU,5589
 reconcile/acs_policies.py,sha256=1iRYmMdz0YtqyQgA9O0uGQdmMKUCCe-ApRa6LIEAdps,8769
 reconcile/acs_rbac.py,sha256=JEDevU4AdhTjMW-fAnNG3iw6Od5tYxGuYSirmu9KurI,22657
 reconcile/aws_ami_share.py,sha256=eeu0TI3M5yyUaozyAq_aW3tir-9be4YFguOXvIvKHSo,3757
@@ -9,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=lAZ68_w6IcvXfB6C8D97DtdRlpodqjrCGLLYGvRUkSs,96887
+reconcile/cli.py,sha256=XBUVgDXU9vIUWu4F3qkNN39FlMH7XN8kaGjzfShPWGM,97162
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -185,7 +186,7 @@ reconcile/glitchtip_project_dsn/integration.py,sha256=qt2a33FOUUlCyonSHm3nUb7pNX
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
-reconcile/gql_definitions/acs/acs_policies.py,sha256=Z6Z7duvS9W4cbciBED4oK40Vg9QyYti3zXvoEXM-fak,4422
+reconcile/gql_definitions/acs/acs_policies.py,sha256=negfb87RDVH7WT1qiouD8ywfgH4Iumsv9Q2bf9rbjcA,7089
 reconcile/gql_definitions/acs/acs_rbac.py,sha256=cZsIlCWliPQdQHgmBsIMx54fJNOtkdRXLzmOKZmJNHk,3009
 reconcile/gql_definitions/advanced_upgrade_service/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/advanced_upgrade_service/aus_clusters.py,sha256=zrZCHaxkffdX2bvFUt1Hd_czViI3v3FPhZz5vJQ73jI,4301
@@ -285,6 +286,8 @@ reconcile/gql_definitions/integrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JC
 reconcile/gql_definitions/integrations/integrations.py,sha256=LfpgVbCCCk20ohwP5pDea5fwxMFGrcgE6J_WHBuGqek,11595
 reconcile/gql_definitions/jenkins_configs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/jenkins_configs/jenkins_configs.py,sha256=0nMkH0G-AjQwu53fqHykth6X6jjbHdW2hBp5n7N-r24,2766
+reconcile/gql_definitions/jira/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/jira/jira_servers.py,sha256=i8_P30m-r5Ek6TMgZpqN9fSChDcOf9nLkWD966CXdNw,2102
 reconcile/gql_definitions/jira_permissions_validator/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/jira_permissions_validator/jira_boards_for_permissions_validator.py,sha256=7p-GA-dGeuouUcAvOIMBbgGJJtIXPG5Jx4n024to97M,3856
 reconcile/gql_definitions/jumphosts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -425,7 +428,8 @@ reconcile/templating/lib/rendering.py,sha256=_BVQ2gqip8K1AgLYfaTWh8NKJFTW6VjUZ6r
 reconcile/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/test/conftest.py,sha256=rQousYrxUz-EwAIbsYO6bIwR1B4CrOz9y_zaUVo2lfI,4466
 reconcile/test/fixtures.py,sha256=9SDWAUlSd1rCx7z3GhULHcpr-I6FyCsXxaFAZIqYQsQ,591
-reconcile/test/test_acs_policies.py,sha256=pffUzH4IHKuXntvGMi-iV0Epg4YsCBF2G2-R9nYIt40,15699
+reconcile/test/test_acs_notifiers.py,sha256=LIVXu7EBlfKh5CWgR5jcA0vJ4IhUtxkZM6-1im204rc,12865
+reconcile/test/test_acs_policies.py,sha256=9TPGbF4mS2B18S7ldibZrugztaTQvcrBFvzs5eXbN-E,19211
 reconcile/test/test_acs_rbac.py,sha256=lvNd8GY0-GHzcOdOn13QWdrqbBXXKzNT7EEDHNH7cjM,28272
 reconcile/test/test_aggregated_list.py,sha256=iiWitQuNYC58aimWaiBoE4NROHjr1NCgQ91MnHEG_Ro,6412
 reconcile/test/test_amtool.py,sha256=vxRhGieeydMBOb9UI2ziMHjJa8puMeGNsUhGhy-yMnk,1032
@@ -655,7 +659,8 @@ reconcile/utils/vault.py,sha256=S0eHqvZ9N3fya1E8YDaUffEvLk_fdtpzL4rvWn6f828,1499
 reconcile/utils/vaultsecretref.py,sha256=3Ed2uBy36TzSvL0B-l4FoWQqB2SbBKDKEuUPIO608Bo,931
 reconcile/utils/vcs.py,sha256=o1r0n_IrU2El75CED_6sjR2GZGM-exuWsj5F7jONaMU,6779
 reconcile/utils/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/utils/acs/base.py,sha256=8qZhCYteLCe3xSIeiNj-HXm6J0nBLFGBbZ7b7xXlA6I,2381
+reconcile/utils/acs/base.py,sha256=kjcxLGIMe8oLNFOxZ_bDcClFqGCL7Auwug5is0yNGbw,2555
+reconcile/utils/acs/notifiers.py,sha256=LfWw9LGq7hA90A69n8Ie9f-NozvCGdYwXEXRLIc17rY,3735
 reconcile/utils/acs/policies.py,sha256=_jAz6cv8KRYtDsXjGoJgNbD8_9PUa5LSwwVlpK4A_cQ,5505
 reconcile/utils/acs/rbac.py,sha256=ugsLM9Pb7FbUbdq85E3VzXGMaB9ZovXob7tdWCxwqZ8,8808
 reconcile/utils/aws_api_typed/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -765,8 +770,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=w2l4BHB09k1d-BGJ1jBUNCqDv7zkqYrMHojQXg-21kQ,4155
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc734.dist-info/METADATA,sha256=4yl8FRQHqk6s4yWQgBGblLVlgOJiOKeSuEo-S5mcl8I,2382
-qontract_reconcile-0.10.1rc734.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc734.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
-qontract_reconcile-0.10.1rc734.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc734.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc735.dist-info/METADATA,sha256=AQww9xL2v9VdTWvywruYZoPnQRbH2TO1wlIpHlpfGqE,2382
+qontract_reconcile-0.10.1rc735.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc735.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
+qontract_reconcile-0.10.1rc735.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc735.dist-info/RECORD,,

reconcile/acs_notifiers.py

@@ -0,0 +1,156 @@
+import logging
+from typing import Any
+
+import reconcile.gql_definitions.acs.acs_policies as gql_acs_policies
+from reconcile.gql_definitions.jira.jira_servers import (
+    JiraServerV1,
+)
+from reconcile.gql_definitions.jira.jira_servers import (
+    query as query_jira_servers,
+)
+from reconcile.utils import gql
+from reconcile.utils.acs.notifiers import (
+    AcsNotifiersApi,
+    JiraCredentials,
+    JiraNotifier,
+    SeverityPriorityMapping,
+)
+from reconcile.utils.differ import diff_iterables
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.runtime.integration import (
+    NoParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.semver_helper import make_semver
+
+
+class AcsNotifiersIntegration(QontractReconcileIntegration[NoParams]):
+    def __init__(self) -> None:
+        super().__init__(NoParams())
+        self.qontract_integration = "acs-notifiers"
+        self.qontract_integration_version = make_semver(0, 1, 0)
+
+    @property
+    def name(self) -> str:
+        return self.qontract_integration
+
+    def _get_escalation_policies(
+        self, acs_policies: list[gql_acs_policies.AcsPolicyV1]
+    ) -> list[gql_acs_policies.AppEscalationPolicyV1]:
+        return list(
+            {
+                p.integrations.notifiers.jira.escalation_policy.name: p.integrations.notifiers.jira.escalation_policy
+                for p in acs_policies
+                if p.integrations
+                and p.integrations.notifiers
+                and p.integrations.notifiers.jira
+                and integration_is_enabled(
+                    self.qontract_integration,
+                    p.integrations.notifiers.jira.escalation_policy.channels.jira_board[
+                        0
+                    ],
+                )
+            }.values()
+        )
+
+    def _build_jira_notifier(
+        self, escalation_policy: gql_acs_policies.AppEscalationPolicyV1
+    ) -> JiraNotifier:
+        jira_board = escalation_policy.channels.jira_board[0]
+
+        custom_fields: dict[str, Any] = {}
+        if jira_board.issue_security_id:
+            custom_fields["security"] = {"id": jira_board.issue_security_id}
+        if escalation_policy.channels.jira_component:
+            custom_fields["components"] = [
+                {"name": escalation_policy.channels.jira_component}
+            ]
+        if escalation_policy.channels.jira_labels:
+            custom_fields["labels"] = escalation_policy.channels.jira_labels
+
+        item = JiraNotifier(
+            name=f"jira-{escalation_policy.name}",
+            board=jira_board.name,
+            url=jira_board.server.server_url,
+            issue_type=jira_board.issue_type or "Task",
+            severity_priority_mappings=sorted(
+                [
+                    SeverityPriorityMapping(**vars(sp))
+                    for sp in jira_board.severity_priority_mappings.mappings
+                ],
+                key=lambda m: m.severity,
+            ),
+            custom_fields=custom_fields,
+        )
+
+        return item
+
+    def get_desired_state(
+        self, acs_policies: list[gql_acs_policies.AcsPolicyV1]
+    ) -> list[JiraNotifier]:
+        return [
+            self._build_jira_notifier(ep)
+            for ep in self._get_escalation_policies(acs_policies)
+        ]
+
+    def get_jira_credentials(
+        self, jira_servers: list[JiraServerV1]
+    ) -> dict[str, JiraCredentials]:
+        return {
+            server.server_url: JiraCredentials(
+                url=server.server_url,
+                username=server.username,
+                token=self.secret_reader.read_secret(server.token),
+            )
+            for server in jira_servers
+        }
+
+    def reconcile(
+        self,
+        current_state: list[JiraNotifier],
+        desired_state: list[JiraNotifier],
+        acs_api: AcsNotifiersApi,
+        jira_credentials: dict[str, JiraCredentials],
+        dry_run: bool,
+    ) -> None:
+        diff = diff_iterables(
+            current=current_state, desired=desired_state, key=lambda x: x.name
+        )
+        for a in diff.add.values():
+            logging.info(f"Create Jira notifier: {a.name}")
+            if not dry_run:
+                acs_api.create_jira_notifier(
+                    a,
+                    jira_credentials=jira_credentials[a.url],
+                )
+        for c in diff.change.values():
+            logging.info(f"Update Jira notifier: {c.desired.name}")
+            if not dry_run:
+                acs_api.update_jira_notifier(
+                    c.desired,
+                    jira_credentials=jira_credentials[c.desired.url],
+                )
+        for d in diff.delete.values():
+            logging.info(f"Delete Jira notifier: {d.name}")
+            if not dry_run:
+                acs_api.delete_jira_notifier(d)
+
+    def run(
+        self,
+        dry_run: bool,
+    ) -> None:
+        gql_api_query = gql.get_api().query
+        jira_credentials = self.get_jira_credentials(
+            query_jira_servers(query_func=gql_api_query).jira_servers or []
+        )
+        desired_state = self.get_desired_state(
+            gql_acs_policies.query(query_func=gql_api_query).acs_policies or []
+        )
+        instance = AcsNotifiersApi.get_acs_instance(query_func=gql_api_query)
+        with AcsNotifiersApi(
+            url=instance.url, token=self.secret_reader.read_secret(instance.credentials)
+        ) as acs_api:
+            current_state = acs_api.get_jira_notifiers()
+            self.reconcile(
+                desired_state, current_state, acs_api, jira_credentials, dry_run
+            )

reconcile/cli.py

@@ -3441,6 +3441,17 @@ def acs_policies(ctx):
     )
 
 
+@integration.command(short_help="Manages RHACS notifier configurations")
+@click.pass_context
+def acs_notifiers(ctx):
+    from reconcile import acs_notifiers
+
+    run_class_integration(
+        integration=acs_notifiers.AcsNotifiersIntegration(),
+        ctx=ctx.obj,
+    )
+
+
 @integration.command(short_help="Automate Deadmanssnitch Creation/Deletion")
 @click.pass_context
 def deadmanssnitch(ctx):

reconcile/gql_definitions/acs/acs_policies.py

@@ -25,6 +25,37 @@ query AcsPolicy {
     description
     severity
     notifiers
+    integrations {
+      notifiers {
+        jira {
+          escalationPolicy {
+            name
+            channels {
+              jiraBoard {
+                name
+                server {
+                  serverUrl
+                }
+                severityPriorityMappings {
+                  name
+                  mappings {
+                    severity
+                    priority
+                  }
+                }
+                issueType
+                issueSecurityId
+                disable {
+                  integrations
+                }
+              }
+              jiraComponent
+              jiraLabels
+            }
+          }
+        }
+      }
+    }
     categories
     scope {
       level
@@ -74,6 +105,56 @@ class ConfiguredBaseModel(BaseModel):
         extra=Extra.forbid
 
 
+class JiraServerV1(ConfiguredBaseModel):
+    server_url: str = Field(..., alias="serverUrl")
+
+
+class SeverityPriorityMappingV1(ConfiguredBaseModel):
+    severity: str = Field(..., alias="severity")
+    priority: str = Field(..., alias="priority")
+
+
+class JiraSeverityPriorityMappingsV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    mappings: list[SeverityPriorityMappingV1] = Field(..., alias="mappings")
+
+
+class DisableJiraBoardAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
+class JiraBoardV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    server: JiraServerV1 = Field(..., alias="server")
+    severity_priority_mappings: JiraSeverityPriorityMappingsV1 = Field(..., alias="severityPriorityMappings")
+    issue_type: Optional[str] = Field(..., alias="issueType")
+    issue_security_id: Optional[str] = Field(..., alias="issueSecurityId")
+    disable: Optional[DisableJiraBoardAutomationsV1] = Field(..., alias="disable")
+
+
+class AppEscalationPolicyChannelsV1(ConfiguredBaseModel):
+    jira_board: list[JiraBoardV1] = Field(..., alias="jiraBoard")
+    jira_component: Optional[str] = Field(..., alias="jiraComponent")
+    jira_labels: Optional[list[str]] = Field(..., alias="jiraLabels")
+
+
+class AppEscalationPolicyV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    channels: AppEscalationPolicyChannelsV1 = Field(..., alias="channels")
+
+
+class AcsPolicyIntegrationNotifierJiraV1(ConfiguredBaseModel):
+    escalation_policy: AppEscalationPolicyV1 = Field(..., alias="escalationPolicy")
+
+
+class AcsPolicyIntegrationNotifiersV1(ConfiguredBaseModel):
+    jira: Optional[AcsPolicyIntegrationNotifierJiraV1] = Field(..., alias="jira")
+
+
+class AcsPolicyIntegrationsV1(ConfiguredBaseModel):
+    notifiers: Optional[AcsPolicyIntegrationNotifiersV1] = Field(..., alias="notifiers")
+
+
 class AcsPolicyScopeV1(ConfiguredBaseModel):
     level: str = Field(..., alias="level")
 
@@ -131,6 +212,7 @@ class AcsPolicyV1(ConfiguredBaseModel):
     description: Optional[str] = Field(..., alias="description")
     severity: str = Field(..., alias="severity")
     notifiers: Optional[list[str]] = Field(..., alias="notifiers")
+    integrations: Optional[AcsPolicyIntegrationsV1] = Field(..., alias="integrations")
     categories: list[str] = Field(..., alias="categories")
     scope: Union[AcsPolicyScopeClusterV1, AcsPolicyScopeNamespaceV1, AcsPolicyScopeV1] = Field(..., alias="scope")
     conditions: list[Union[AcsPolicyConditionsCvssV1, AcsPolicyConditionsSeverityV1, AcsPolicyConditionsImageTagV1, AcsPolicyConditionsCveV1, AcsPolicyConditionsImageAgeV1, AcsPolicyConditionsV1]] = Field(..., alias="conditions")

reconcile/gql_definitions/jira/jira_servers.py

@@ -0,0 +1,76 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query JiraServers {
+  jira_servers: jira_servers_v1 {
+    serverUrl
+    username
+    token {
+      path
+      version
+      field
+      format
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class VaultSecretV1(ConfiguredBaseModel):
+    path: str = Field(..., alias="path")
+    version: Optional[int] = Field(..., alias="version")
+    field: str = Field(..., alias="field")
+    q_format: Optional[str] = Field(..., alias="format")
+
+
+class JiraServerV1(ConfiguredBaseModel):
+    server_url: str = Field(..., alias="serverUrl")
+    username: str = Field(..., alias="username")
+    token: VaultSecretV1 = Field(..., alias="token")
+
+
+class JiraServersQueryData(ConfiguredBaseModel):
+    jira_servers: Optional[list[JiraServerV1]] = Field(..., alias="jira_servers")
+
+
+def query(query_func: Callable, **kwargs: Any) -> JiraServersQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        JiraServersQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return JiraServersQueryData(**raw_data)

reconcile/test/test_acs_notifiers.py

@@ -0,0 +1,399 @@
+import copy
+from typing import Any
+
+import pytest
+from pytest_mock import MockerFixture
+
+from reconcile.acs_notifiers import AcsNotifiersIntegration
+from reconcile.gql_definitions.acs.acs_policies import (
+    AcsPolicyIntegrationNotifierJiraV1,
+    AcsPolicyIntegrationNotifiersV1,
+    AcsPolicyIntegrationsV1,
+    AcsPolicyScopeClusterV1,
+    AcsPolicyScopeNamespaceV1,
+    AcsPolicyV1,
+    AppEscalationPolicyChannelsV1,
+    AppEscalationPolicyV1,
+    DisableJiraBoardAutomationsV1,
+    JiraBoardV1,
+    JiraServerV1,
+    JiraSeverityPriorityMappingsV1,
+    SeverityPriorityMappingV1,
+)
+from reconcile.utils.acs.notifiers import (
+    AcsNotifiersApi,
+    JiraCredentials,
+    JiraNotifier,
+    SeverityPriorityMapping,
+)
+
+
+@pytest.fixture
+def severity_priority_mapping() -> SeverityPriorityMapping:
+    return SeverityPriorityMapping(severity="critical", priority="Critical")
+
+
+@pytest.fixture
+def severity_priority_mapping_api_payload() -> dict[str, str]:
+    return {
+        "severity": "CRITICAL_SEVERITY",
+        "priorityName": "Critical",
+    }
+
+
+def test_severity_priority_mappings_to_api(
+    severity_priority_mapping: SeverityPriorityMapping,
+    severity_priority_mapping_api_payload: dict[str, str],
+) -> None:
+    assert severity_priority_mapping.to_api() == severity_priority_mapping_api_payload
+
+
+def test_severity_priority_mappings_from_api(
+    severity_priority_mapping: SeverityPriorityMapping,
+    severity_priority_mapping_api_payload: dict[str, str],
+) -> None:
+    assert (
+        SeverityPriorityMapping.from_api(severity_priority_mapping_api_payload)
+        == severity_priority_mapping
+    )
+
+
+@pytest.fixture
+def jira_credentials() -> JiraCredentials:
+    return JiraCredentials(
+        url="https://jira.example.com",
+        username="jirabot",
+        token="topsecret",
+    )
+
+
+@pytest.fixture
+def jira_notifier(
+    severity_priority_mapping: SeverityPriorityMapping,
+    jira_credentials: JiraCredentials,
+) -> JiraNotifier:
+    return JiraNotifier(
+        name="jira-notifier-1",
+        board="JIRAPLAY",
+        url=jira_credentials.url,
+        issue_type="Task",
+        severity_priority_mappings=[severity_priority_mapping],
+        custom_fields={"security": {"id": "0"}},
+    )
+
+
+@pytest.fixture
+def jira_notifier_api_payload(
+    severity_priority_mapping: SeverityPriorityMapping,
+    jira_credentials: JiraCredentials,
+) -> dict[str, Any]:
+    return {
+        "name": "jira-notifier-1",
+        "type": "jira",
+        "uiEndpoint": "https://acs.example.com",
+        "labelDefault": "JIRAPLAY",
+        "jira": {
+            "url": jira_credentials.url,
+            "username": jira_credentials.username,
+            "password": jira_credentials.token,
+            "issueType": "Task",
+            "priorityMappings": [severity_priority_mapping.to_api()],
+            "defaultFieldsJson": '{"security": {"id": "0"}}',
+        },
+    }
+
+
+def test_jira_notifier_to_api(
+    jira_notifier: JiraNotifier,
+    jira_credentials: JiraCredentials,
+    jira_notifier_api_payload: dict[str, Any],
+) -> None:
+    assert (
+        jira_notifier.to_api(
+            ui_endpoint="https://acs.example.com", jira_credentials=jira_credentials
+        )
+        == jira_notifier_api_payload
+    )
+
+
+@pytest.fixture
+def acs_notifier_api() -> AcsNotifiersApi:
+    return AcsNotifiersApi(
+        url="https://acs.example.com",
+        token="topsecret",
+    )
+
+
+@pytest.fixture
+def acs_notifier_api_notifiers_api_payload(
+    jira_notifier: JiraNotifier,
+    jira_credentials: JiraCredentials,
+) -> list[Any]:
+    return [
+        jira_notifier.to_api(
+            ui_endpoint="https://acs.example.com", jira_credentials=jira_credentials
+        )
+    ]
+
+
+def test_acs_notifier_api_get_notifiers(
+    mocker: MockerFixture,
+    acs_notifier_api_notifiers_api_payload: list[Any],
+    acs_notifier_api: AcsNotifiersApi,
+) -> None:
+    generic_request_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.generic_request_json"
+    )
+    generic_request_mock.return_value = {
+        "notifiers": acs_notifier_api_notifiers_api_payload
+    }
+
+    assert acs_notifier_api.get_notifiers() == acs_notifier_api_notifiers_api_payload
+    generic_request_mock.assert_called_once_with("/v1/notifiers", "GET")
+
+
+def test_acs_notifier_api_get_jira_notifiers(
+    mocker: MockerFixture,
+    acs_notifier_api_notifiers_api_payload: list[Any],
+    acs_notifier_api: AcsNotifiersApi,
+    jira_notifier: JiraNotifier,
+) -> None:
+    get_notifiers_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.get_notifiers"
+    )
+    get_notifiers_mock.return_value = acs_notifier_api_notifiers_api_payload
+
+    assert acs_notifier_api.get_jira_notifiers() == [jira_notifier]
+
+
+def test_get_notifier_id_by_name(
+    mocker: MockerFixture,
+    acs_notifier_api_notifiers_api_payload: list[Any],
+    acs_notifier_api: AcsNotifiersApi,
+) -> None:
+    get_notifiers_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.get_notifiers"
+    )
+    get_notifiers_mock.return_value = acs_notifier_api_notifiers_api_payload
+    acs_notifier_api_notifiers_api_payload[0]["id"] = "jira-notifier-id-1"
+
+    assert (
+        acs_notifier_api.get_notifier_id_by_name("jira-notifier-1")
+        == "jira-notifier-id-1"
+    )
+    get_notifiers_mock.assert_called_once()
+
+
+def test_update_jira_notifier(
+    mocker: MockerFixture,
+    acs_notifier_api: AcsNotifiersApi,
+    jira_notifier: JiraNotifier,
+    jira_credentials: JiraCredentials,
+) -> None:
+    get_notifier_id_by_name_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.get_notifier_id_by_name"
+    )
+    get_notifier_id_by_name_mock.return_value = "jira-notifier-id-1"
+    generic_request_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.generic_request"
+    )
+
+    acs_notifier_api.update_jira_notifier(jira_notifier, jira_credentials)
+    get_notifier_id_by_name_mock.assert_called_once_with(jira_notifier.name)
+    body = jira_notifier.to_api(acs_notifier_api.url, jira_credentials)
+    generic_request_mock.assert_called_once_with(
+        "/v1/notifiers/jira-notifier-id-1", "PUT", body
+    )
+
+
+def test_create_jira_notifier(
+    mocker: MockerFixture,
+    acs_notifier_api: AcsNotifiersApi,
+    jira_notifier: JiraNotifier,
+    jira_credentials: JiraCredentials,
+) -> None:
+    generic_request_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.generic_request"
+    )
+    acs_notifier_api.create_jira_notifier(jira_notifier, jira_credentials)
+    body = jira_notifier.to_api(acs_notifier_api.url, jira_credentials)
+    generic_request_mock.assert_called_once_with("/v1/notifiers", "POST", body)
+
+
+def test_delete_jira_notifier(
+    mocker: MockerFixture,
+    acs_notifier_api: AcsNotifiersApi,
+    jira_notifier: JiraNotifier,
+) -> None:
+    get_notifier_id_by_name_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.get_notifier_id_by_name"
+    )
+    get_notifier_id_by_name_mock.return_value = "jira-notifier-id-1"
+    generic_request_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.generic_request"
+    )
+    acs_notifier_api.delete_jira_notifier(jira_notifier)
+    get_notifier_id_by_name_mock.assert_called_once_with(jira_notifier.name)
+    generic_request_mock.assert_called_once_with(
+        "/v1/notifiers/jira-notifier-id-1", "DELETE"
+    )
+
+
+@pytest.fixture
+def acs_notifier_integration() -> AcsNotifiersIntegration:
+    return AcsNotifiersIntegration()
+
+
+@pytest.fixture
+def escalation_policy() -> AppEscalationPolicyV1:
+    return AppEscalationPolicyV1(
+        name="notifier-1",
+        channels=AppEscalationPolicyChannelsV1(
+            jiraBoard=[
+                JiraBoardV1(
+                    name="JIRAPLAY",
+                    server=JiraServerV1(
+                        serverUrl="https://jira.example.com",
+                    ),
+                    severityPriorityMappings=JiraSeverityPriorityMappingsV1(
+                        name="sp",
+                        mappings=[
+                            SeverityPriorityMappingV1(
+                                severity="critical", priority="Critical"
+                            )
+                        ],
+                    ),
+                    issueType="Task",
+                    issueSecurityId="0",
+                    disable=DisableJiraBoardAutomationsV1(integrations=[]),
+                )
+            ],
+            jiraComponent="",
+            jiraLabels=[],
+        ),
+    )
+
+
+@pytest.fixture
+def acs_policies(
+    escalation_policy: AppEscalationPolicyV1,
+) -> list[AcsPolicyV1]:
+    return [
+        AcsPolicyV1(
+            name="acs-policy-1",
+            description="CVEs within app-sre clusters with CVSS score gte to 7 and fixable",
+            severity="high",
+            notifiers=[],
+            integrations=AcsPolicyIntegrationsV1(
+                notifiers=AcsPolicyIntegrationNotifiersV1(
+                    jira=AcsPolicyIntegrationNotifierJiraV1(
+                        escalationPolicy=escalation_policy,
+                    ),
+                ),
+            ),
+            categories=["vulnerability-management"],
+            scope=AcsPolicyScopeClusterV1(
+                level="cluster",
+                clusters=[],
+            ),
+            conditions=[],
+        ),
+        AcsPolicyV1(
+            name="acs-policy-2",
+            description="image security policy violations of critical severity within app-sre namespaces",
+            severity="critical",
+            notifiers=[],
+            integrations=AcsPolicyIntegrationsV1(
+                notifiers=AcsPolicyIntegrationNotifiersV1(
+                    jira=AcsPolicyIntegrationNotifierJiraV1(
+                        escalationPolicy=escalation_policy,
+                    ),
+                ),
+            ),
+            categories=["vulnerability-management", "devops-best-practices"],
+            scope=AcsPolicyScopeNamespaceV1(
+                level="namespace",
+                namespaces=[],
+            ),
+            conditions=[],
+        ),
+    ]
+
+
+def test_integration_get_escalation_policies(
+    acs_notifier_integration: AcsNotifiersIntegration,
+    acs_policies: list[AcsPolicyV1],
+    escalation_policy: AppEscalationPolicyV1,
+) -> None:
+    result = acs_notifier_integration._get_escalation_policies(acs_policies)
+
+    assert len(acs_policies) > 1
+    assert len(result) == 1
+    assert result[0] == escalation_policy
+
+
+def test_build_jira_notifier(
+    acs_notifier_integration: AcsNotifiersIntegration,
+    escalation_policy: AppEscalationPolicyV1,
+    jira_notifier: JiraNotifier,
+) -> None:
+    assert (
+        acs_notifier_integration._build_jira_notifier(escalation_policy)
+        == jira_notifier
+    )
+
+
+def test_get_desired_state(
+    acs_notifier_integration: AcsNotifiersIntegration,
+    acs_policies: list[AcsPolicyV1],
+    jira_notifier: JiraNotifier,
+) -> None:
+    assert acs_notifier_integration.get_desired_state(acs_policies) == [jira_notifier]
+
+
+def test_reconcile(
+    mocker: MockerFixture,
+    acs_notifier_integration: AcsNotifiersIntegration,
+    acs_notifier_api: AcsNotifiersApi,
+    jira_credentials: JiraCredentials,
+    jira_notifier: JiraNotifier,
+) -> None:
+    notifier_to_add = copy.deepcopy(jira_notifier)
+    notifier_to_add.name = "jira-notifier-to-add"
+    notifier_to_update_current = copy.deepcopy(jira_notifier)
+    notifier_to_update_current.name = "jira-notifier-to-update"
+    notifier_to_update_current.issue_type = "Task"
+    notifier_to_update_desired = copy.deepcopy(jira_notifier)
+    notifier_to_update_desired.name = "jira-notifier-to-update"
+    notifier_to_update_current.issue_type = "Bug"
+    notifier_to_delete = copy.deepcopy(jira_notifier)
+    notifier_to_delete.name = "jira-notifier-to-delete"
+
+    current_state = [notifier_to_delete, notifier_to_update_current]
+    desired_state = [notifier_to_add, notifier_to_update_desired]
+
+    create_jira_notifier_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.create_jira_notifier"
+    )
+    update_jira_notifier_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.update_jira_notifier"
+    )
+
+    delete_jira_notifier_mock = mocker.patch(
+        "reconcile.utils.acs.notifiers.AcsNotifiersApi.delete_jira_notifier"
+    )
+    acs_notifier_integration.reconcile(
+        current_state,
+        desired_state,
+        acs_notifier_api,
+        {jira_credentials.url: jira_credentials},
+        dry_run=False,
+    )
+
+    create_jira_notifier_mock.assert_called_once_with(
+        notifier_to_add, jira_credentials=jira_credentials
+    )
+    update_jira_notifier_mock.assert_called_once_with(
+        notifier_to_update_desired, jira_credentials=jira_credentials
+    )
+    delete_jira_notifier_mock.assert_called_once_with(notifier_to_delete)

reconcile/test/test_acs_policies.py

@@ -10,11 +10,20 @@ from reconcile.gql_definitions.acs.acs_policies import (
     AcsPolicyConditionsCveV1,
     AcsPolicyConditionsCvssV1,
     AcsPolicyConditionsSeverityV1,
+    AcsPolicyIntegrationNotifierJiraV1,
+    AcsPolicyIntegrationNotifiersV1,
+    AcsPolicyIntegrationsV1,
     AcsPolicyQueryData,
     AcsPolicyScopeClusterV1,
     AcsPolicyScopeNamespaceV1,
     AcsPolicyV1,
+    AppEscalationPolicyChannelsV1,
+    AppEscalationPolicyV1,
     ClusterV1,
+    DisableJiraBoardAutomationsV1,
+    JiraBoardV1,
+    JiraServerV1,
+    JiraSeverityPriorityMappingsV1,
     NamespaceV1,
     NamespaceV1_ClusterV1,
 )
@@ -41,6 +50,36 @@ def query_data_desired_state() -> AcsPolicyQueryData:
                 description="CVEs within app-sre clusters with CVSS score gte to 7 and fixable",
                 severity="high",
                 notifiers=[JIRA_NOTIFIER_NAME],
+                integrations=AcsPolicyIntegrationsV1(
+                    notifiers=AcsPolicyIntegrationNotifiersV1(
+                        jira=AcsPolicyIntegrationNotifierJiraV1(
+                            escalationPolicy=AppEscalationPolicyV1(
+                                name="test-ep",
+                                channels=AppEscalationPolicyChannelsV1(
+                                    jiraBoard=[
+                                        JiraBoardV1(
+                                            name="board",
+                                            server=JiraServerV1(
+                                                serverUrl="server",
+                                            ),
+                                            severityPriorityMappings=JiraSeverityPriorityMappingsV1(
+                                                name="sp",
+                                                mappings=[],
+                                            ),
+                                            issueType="Task",
+                                            issueSecurityId="0",
+                                            disable=DisableJiraBoardAutomationsV1(
+                                                integrations=[]
+                                            ),
+                                        )
+                                    ],
+                                    jiraComponent="",
+                                    jiraLabels=[],
+                                ),
+                            ),
+                        ),
+                    ),
+                ),
                 categories=["vulnerability-management"],
                 scope=AcsPolicyScopeClusterV1(
                     level="cluster",
@@ -61,6 +100,36 @@ def query_data_desired_state() -> AcsPolicyQueryData:
                 description="image security policy violations of critical severity within app-sre namespaces",
                 severity="critical",
                 notifiers=[],
+                integrations=AcsPolicyIntegrationsV1(
+                    notifiers=AcsPolicyIntegrationNotifiersV1(
+                        jira=AcsPolicyIntegrationNotifierJiraV1(
+                            escalationPolicy=AppEscalationPolicyV1(
+                                name="test-ep",
+                                channels=AppEscalationPolicyChannelsV1(
+                                    jiraBoard=[
+                                        JiraBoardV1(
+                                            name="board",
+                                            server=JiraServerV1(
+                                                serverUrl="server",
+                                            ),
+                                            severityPriorityMappings=JiraSeverityPriorityMappingsV1(
+                                                name="sp",
+                                                mappings=[],
+                                            ),
+                                            issueType="Task",
+                                            issueSecurityId="0",
+                                            disable=DisableJiraBoardAutomationsV1(
+                                                integrations=[]
+                                            ),
+                                        )
+                                    ],
+                                    jiraComponent="",
+                                    jiraLabels=[],
+                                ),
+                            ),
+                        ),
+                    ),
+                ),
                 categories=["vulnerability-management", "devops-best-practices"],
                 scope=AcsPolicyScopeNamespaceV1(
                     level="namespace",

reconcile/utils/acs/base.py

@@ -75,3 +75,8 @@ class AcsBaseApi(BaseModel):
             raise
 
         return response
+
+    def generic_request_json(
+        self, path: str, verb: str, json: Optional[Any] = None
+    ) -> Any:
+        return self.generic_request(path, verb, json=json).json()

reconcile/utils/acs/notifiers.py

@@ -0,0 +1,111 @@
+import json
+from typing import Any, Optional
+
+from pydantic import BaseModel
+
+from reconcile.utils.acs.base import AcsBaseApi
+
+
+class JiraCredentials(BaseModel):
+    url: str
+    username: str
+    token: str
+
+
+class SeverityPriorityMapping(BaseModel):
+    severity: str
+    priority: str
+
+    @staticmethod
+    def from_api(mapping: dict[str, str]) -> "SeverityPriorityMapping":
+        return SeverityPriorityMapping(
+            severity=mapping["severity"].replace("_SEVERITY", "").lower(),
+            priority=mapping["priorityName"],
+        )
+
+    def to_api(self) -> Any:
+        return {
+            "severity": f"{self.severity.upper()}_SEVERITY",
+            "priorityName": self.priority,
+        }
+
+
+class JiraNotifier(BaseModel):
+    name: str
+    board: str
+    url: str
+    issue_type: Optional[str]
+    severity_priority_mappings: list[SeverityPriorityMapping]
+    custom_fields: Optional[dict[str, Any]]
+
+    @staticmethod
+    def from_api(notifier: dict[str, Any]) -> "JiraNotifier":
+        notifier_jira = notifier["jira"]
+        return JiraNotifier(
+            name=notifier["name"],
+            board=notifier["labelDefault"],
+            url=notifier_jira["url"],
+            issue_type=notifier_jira["issueType"],
+            severity_priority_mappings=sorted(
+                [
+                    SeverityPriorityMapping.from_api(mapping)
+                    for mapping in notifier_jira["priorityMappings"]
+                ],
+                key=lambda m: m.severity,
+            ),
+            custom_fields=json.loads(notifier_jira.get("defaultFieldsJson") or "{}"),
+        )
+
+    def to_api(self, ui_endpoint: str, jira_credentials: JiraCredentials) -> Any:
+        return {
+            "name": self.name,
+            "type": "jira",
+            "uiEndpoint": ui_endpoint,
+            "labelDefault": self.board,
+            "jira": {
+                "url": jira_credentials.url,
+                "username": jira_credentials.username,
+                "password": jira_credentials.token,
+                "issueType": self.issue_type or "Task",
+                "priorityMappings": [
+                    mapping.to_api() for mapping in self.severity_priority_mappings
+                ],
+                "defaultFieldsJson": json.dumps(self.custom_fields or {}),
+            },
+        }
+
+
+class AcsNotifiersApi(AcsBaseApi):
+    """
+    Implements methods to support reconcile operations against the ACS NotifiersService api
+    """
+
+    def get_notifiers(self) -> list[Any]:
+        return self.generic_request_json("/v1/notifiers", "GET")["notifiers"]
+
+    def get_jira_notifiers(self) -> list[JiraNotifier]:
+        return [
+            JiraNotifier.from_api(notifier)
+            for notifier in self.get_notifiers()
+            if notifier["type"] == "jira"
+        ]
+
+    def get_notifier_id_by_name(self, name: str) -> str:
+        return [n["id"] for n in self.get_notifiers() if n["name"] == name][0]
+
+    def update_jira_notifier(
+        self, jira_notifier: JiraNotifier, jira_credentials: JiraCredentials
+    ) -> None:
+        notifier_id = self.get_notifier_id_by_name(jira_notifier.name)
+        body = jira_notifier.to_api(self.url, jira_credentials)
+        self.generic_request(f"/v1/notifiers/{notifier_id}", "PUT", body)
+
+    def create_jira_notifier(
+        self, jira_notifier: JiraNotifier, jira_credentials: JiraCredentials
+    ) -> None:
+        body = jira_notifier.to_api(self.url, jira_credentials)
+        self.generic_request("/v1/notifiers", "POST", body)
+
+    def delete_jira_notifier(self, jira_notifier: JiraNotifier) -> None:
+        notifier_id = self.get_notifier_id_by_name(jira_notifier.name)
+        self.generic_request(f"/v1/notifiers/{notifier_id}", "DELETE")