qontract-reconcile 0.10.1rc745__py3-none-any.whl → 0.10.1rc747__py3-none-any.whl

{qontract_reconcile-0.10.1rc745.dist-info → qontract_reconcile-0.10.1rc747.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc745
+Version: 0.10.1rc747
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc745.dist-info → qontract_reconcile-0.10.1rc747.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=Fra8s6kxIuCoLF-moSto81gDFoJ6Q-WrsaRcVxR-KRI,98281
+reconcile/cli.py,sha256=Vw8P6w0nPOGkMRvxpn4lR75jUeRoXLJ4R-WspWNX6Cg,98702
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -47,7 +47,7 @@ reconcile/jenkins_roles.py,sha256=f8ELpZY36UjoaCpR_9LijQuIMuB6a7sVLFf_H1ct9Hc,44
 reconcile/jenkins_webhooks.py,sha256=j8vhJMWcRhOdc9XzRSm0CPj84jsF3e4Syjm7r1BIsDE,1978
 reconcile/jenkins_webhooks_cleaner.py,sha256=JsN_NVPfZJwv1JtSzZXDIHUqGiefL-DRffFnDGau9aY,1539
 reconcile/jenkins_worker_fleets.py,sha256=PMNGOX0krubFjInPiFT0za0KCiWBLEcVDuXdKRd1BrE,5378
-reconcile/jira_permissions_validator.py,sha256=8Nl7rSc8x_AXXVRYvRlq_arR7N5pz0YM4M7Pb60RoCg,11597
+reconcile/jira_permissions_validator.py,sha256=iDsFdGqB8Zv9cjIVgYFq_N3xtRCrcR5uAZmcc51D-2o,13240
 reconcile/jira_watcher.py,sha256=eyOQ92t8TFi6gogfNTO448h_h1CUyr24E0MPHc51R-o,3617
 reconcile/ldap_users.py,sha256=uEWQ0V41tN9KCZi4ZKPamjrJ6djSpdpvDBo7yJ0e7ZI,3008
 reconcile/mr_client_gateway.py,sha256=WhjMd-sIXDFCV8-rt8CEjurJ5OYB1pOD0K3o0tZRXQg,1885
@@ -112,7 +112,7 @@ reconcile/terraform_aws_route53.py,sha256=R8eZHlvP368nvtmLd_cMSK3RGxD7jso9qE7NP9
 reconcile/terraform_cloudflare_dns.py,sha256=auU4bzeLwd4S8D8oqpqJbrCUoEdELXrgi7vHOedjYFk,13332
 reconcile/terraform_cloudflare_resources.py,sha256=EbQQaoDnZ7brvRCpbFtwlD7KLk2hDVNcjhrJGaAywEk,15023
 reconcile/terraform_cloudflare_users.py,sha256=1EbTHwJgiPkJpMP-Ag340QNgGK3mXn3dcC3DpLakudM,13987
-reconcile/terraform_repo.py,sha256=c0GZFuY3rCm6VHjHqYbsgOHrEkRWKF_1LrMThsn2XDw,16127
+reconcile/terraform_repo.py,sha256=tQkMUEDEB6QfuWYwiW7H-NnX4SHxYK7mLZYZffKj-hE,16301
 reconcile/terraform_resources.py,sha256=BN8XuJwjOt1ztruEAHydkd0YiBlb3fHZ7n0snZtRhck,19356
 reconcile/terraform_tgw_attachments.py,sha256=k9Lf0ST65gmI6aUV6HnvxSGcKL7MGx_lN22OXuRGH9Y,16224
 reconcile/terraform_users.py,sha256=9rgbM572LfmOSnV3uCP20G_Cw6T7due94g8rhhiz904,10225
@@ -300,6 +300,7 @@ reconcile/gql_definitions/membershipsources/roles.py,sha256=d3nv3GLsj_eKgwB1glsi
 reconcile/gql_definitions/ocm_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/ocm_labels/clusters.py,sha256=MIVR5c8JxEOjsdGNpB737QyHGkjmHCycY6MAYNclPck,2916
 reconcile/gql_definitions/ocm_labels/organizations.py,sha256=mmYB5C5Fp_nPzwBDKdKG4qWiLre2VkZ26U_2O-jRKC4,2001
+reconcile/gql_definitions/ocm_oidc_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/ocm_subscription_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/openshift_cluster_bots/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/openshift_cluster_bots/clusters.py,sha256=68meUg2Wgh91gplbPHAIlRWjnGg2RDrwtWd93QK6qRE,3672
@@ -345,7 +346,7 @@ reconcile/gql_definitions/terraform_cloudflare_users/terraform_cloudflare_roles.
 reconcile/gql_definitions/terraform_init/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_init/aws_accounts.py,sha256=OJ0hDbRachRaDkL-OGT6-byr9cKdBiQDnNCpwUe3oJ8,2674
 reconcile/gql_definitions/terraform_repo/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/terraform_repo/terraform_repo.py,sha256=pefTRhb0ZcWm_j6dYz6m6qNqZFteqgrQ25SgUqRAVaI,3173
+reconcile/gql_definitions/terraform_repo/terraform_repo.py,sha256=_rdq3efy5Q3QFpI-vcs3-wacsXo_1fu1kVix_E83h5Q,3599
 reconcile/gql_definitions/terraform_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_resources/database_access_manager.py,sha256=yv0_YC-LmhaKD_gyGG3le1w5BtypBjlsO894-Zgdg4U,4813
 reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py,sha256=ElJTVH2cwNqJiLFl3Zi5zt9y7dN0yLmdtmwZC5X7ir0,42189
@@ -501,7 +502,7 @@ reconcile/test/test_terraform_aws_route53.py,sha256=xHggb8K1P76OyCfFcogbkmyKle-N
 reconcile/test/test_terraform_cloudflare_dns.py,sha256=aQTXX8Vr4h9aWvJZTnpZEhMGYoBpT2d45ZxU_ECIQ6o,3425
 reconcile/test/test_terraform_cloudflare_resources.py,sha256=NK_uktyWihkQ3gMN4bCaKerpi43CXAVYGIKTfcz05rY,13550
 reconcile/test/test_terraform_cloudflare_users.py,sha256=RAFtMMdqZha3jNnNNsqbNQQUDSqUzdoM63rCw7fs4Fo,27456
-reconcile/test/test_terraform_repo.py,sha256=soKFJfF8tWIimDs39RQl3Hnh-Od-bR4PfnEA2s1UprM,11552
+reconcile/test/test_terraform_repo.py,sha256=HTr8HMtLgecBTxKYbRAQFSty7tGzeKsv_fxtOAbDlNA,12184
 reconcile/test/test_terraform_resources.py,sha256=EFCqPI5_G8hPRh1zmnU91o8wMeT2qK1CabDUa_X1rSk,15283
 reconcile/test/test_terraform_tgw_attachments.py,sha256=cAq6exc-K-jtLla1CZUZQzVnBkyDnIlL7jybnddhLKc,36861
 reconcile/test/test_terraform_users.py,sha256=XOAfGvITCJPI1LTlISmHbA4ONMQMkxYUMTsny7pQCFw,4319
@@ -617,7 +618,7 @@ reconcile/utils/helpers.py,sha256=k9svgFFZG7H5FvHYY0g5jJyvgvh2UDZxf0Ib221teag,11
 reconcile/utils/imap_client.py,sha256=byFAJATbITJPsGECSbvXBOcCnoeTUpDFiEjzOAxLm_U,1975
 reconcile/utils/instrumented_wrappers.py,sha256=eVwMoa6FCrYxLv3RML3WpZF9qKVfCTjMxphgVXG03OM,1073
 reconcile/utils/jenkins_api.py,sha256=MyJSB_S3uYf3sXnt9t03-gZNQ7tbdd7Wusv3MoF2fRc,7113
-reconcile/utils/jira_client.py,sha256=KjsakExjlii6lkxUlHRScBtPG4wuomJOTIoNiM-edQw,7322
+reconcile/utils/jira_client.py,sha256=sCswWH-SctzPSElI9_oHv9LKuNnPfjP_FIOizxqh6nE,7693
 reconcile/utils/jjb_client.py,sha256=Pdy0dLCFvD6GPCaC0tZydYgkVJPOxYXIiwWECZaFJBU,14551
 reconcile/utils/jsonpath.py,sha256=NRpAEijKN4cMDjo7qivNPqpm0__GQQ1TiE0PBEBO45s,5572
 reconcile/utils/jump_host.py,sha256=AdwmCZYNhRe53VwV2iAsUdVyUdVtSd4REmdThJDkM5w,4973
@@ -777,8 +778,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=w2l4BHB09k1d-BGJ1jBUNCqDv7zkqYrMHojQXg-21kQ,4155
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc745.dist-info/METADATA,sha256=K-tNwC_Bwk22pf6PCk8t7tgUuxwXMW7XSa0kPS41UmY,2382
-qontract_reconcile-0.10.1rc745.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc745.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
-qontract_reconcile-0.10.1rc745.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc745.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc747.dist-info/METADATA,sha256=faEGscy4hQmj3OUFAXW7ImzUqwGYG--n1IM8fNXYPns,2382
+qontract_reconcile-0.10.1rc747.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc747.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
+qontract_reconcile-0.10.1rc747.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc747.dist-info/RECORD,,

reconcile/cli.py

@@ -1144,12 +1144,26 @@ def jenkins_webhooks_cleaner(ctx):
     help="Throw and error in case of board permission errors. Useful for PR checks.",
     default=True,
 )
+@enable_extended_early_exit
+@extended_early_exit_cache_ttl_seconds
+@log_cached_log_output
 @click.pass_context
-def jira_permissions_validator(ctx, exit_on_permission_errors):
+def jira_permissions_validator(
+    ctx,
+    exit_on_permission_errors,
+    enable_extended_early_exit,
+    extended_early_exit_cache_ttl_seconds,
+    log_cached_log_output,
+):
     import reconcile.jira_permissions_validator
 
     run_integration(
-        reconcile.jira_permissions_validator, ctx.obj, exit_on_permission_errors
+        reconcile.jira_permissions_validator,
+        ctx.obj,
+        exit_on_permission_errors,
+        enable_extended_early_exit=enable_extended_early_exit,
+        extended_early_exit_cache_ttl_seconds=extended_early_exit_cache_ttl_seconds,
+        log_cached_log_output=log_cached_log_output,
     )
 
 

reconcile/gql_definitions/terraform_repo/terraform_repo.py

@@ -52,6 +52,15 @@ query TerraformRepo {
     projectPath
     delete
     requireFips
+    tfVersion
+    variables {
+      inputs {
+        ...VaultSecret
+      }
+      outputs {
+        ...VaultSecret
+      }
+    }
   }
 }
 """
@@ -82,6 +91,11 @@ class AWSAccountV1(ConfiguredBaseModel):
     terraform_state: Optional[TerraformStateAWSV1] = Field(..., alias="terraformState")
 
 
+class TerraformRepoVariablesV1(ConfiguredBaseModel):
+    inputs: VaultSecret = Field(..., alias="inputs")
+    outputs: VaultSecret = Field(..., alias="outputs")
+
+
 class TerraformRepoV1(ConfiguredBaseModel):
     account: AWSAccountV1 = Field(..., alias="account")
     name: str = Field(..., alias="name")
@@ -90,6 +104,8 @@ class TerraformRepoV1(ConfiguredBaseModel):
     project_path: str = Field(..., alias="projectPath")
     delete: Optional[bool] = Field(..., alias="delete")
     require_fips: Optional[bool] = Field(..., alias="requireFips")
+    tf_version: str = Field(..., alias="tfVersion")
+    variables: Optional[TerraformRepoVariablesV1] = Field(..., alias="variables")
 
 
 class TerraformRepoQueryData(ConfiguredBaseModel):

reconcile/jira_permissions_validator.py

@@ -2,14 +2,11 @@ import logging
 import sys
 from collections.abc import Callable, Iterable
 from enum import IntFlag, auto
-from typing import Any
+from typing import Any, TypedDict
 
 from jira import JIRAError
 from pydantic import BaseModel
 
-from reconcile.gql_definitions.jira_permissions_validator.jira_boards_for_permissions_validator import (
-    DEFINITION as JIRA_BOARDS_DEFINITION,
-)
 from reconcile.gql_definitions.jira_permissions_validator.jira_boards_for_permissions_validator import (
     JiraBoardV1,
 )
@@ -24,10 +21,17 @@ from reconcile.typed_queries.jira_settings import get_jira_settings
 from reconcile.typed_queries.jiralert_settings import get_jiralert_settings
 from reconcile.utils import gql, metrics
 from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.extended_early_exit import (
+    ExtendedEarlyExitRunnerResult,
+    extended_early_exit_run,
+)
 from reconcile.utils.jira_client import JiraClient, JiraWatcherSettings
 from reconcile.utils.secret_reader import SecretReaderBase, create_secret_reader
+from reconcile.utils.semver_helper import make_semver
+from reconcile.utils.unleash import get_feature_toggle_state
 
 QONTRACT_INTEGRATION = "jira-permissions-validator"
+QONTRACT_INTEGRATION_VERSION = make_semver(1, 0, 0)
 
 NameToIdMap = dict[str, str]
 
@@ -59,6 +63,15 @@ class ValidationError(IntFlag):
     INVALID_COMPONENT = auto()
 
 
+class RunnerParams(TypedDict):
+    exit_on_permission_errors: bool
+    boards: list[JiraBoardV1]
+
+
+class CacheSource(TypedDict):
+    boards: list
+
+
 def board_is_valid(
     jira: JiraClient,
     board: JiraBoardV1,
@@ -90,7 +103,7 @@ def board_is_valid(
                 error |= ValidationError.INVALID_COMPONENT
 
         issue_type = board.issue_type if board.issue_type else default_issue_type
-        project_issue_types = jira.project_issue_types(board.name)
+        project_issue_types = jira.project_issue_types()
         project_issue_types_str = [i.name for i in project_issue_types]
         if issue_type not in project_issue_types_str:
             logging.error(
@@ -192,7 +205,6 @@ def validate_boards(
 ) -> bool:
     error = False
     jira_clients: dict[str, JiraClient] = {}
-    public_projects_cache: dict[str, list[str]] = {}
     for board in jira_boards:
         logging.debug(f"[{board.name}] checking ...")
         if board.server.server_url not in jira_clients:
@@ -204,10 +216,6 @@ def validate_boards(
             )
         jira = jira_clients[board.server.server_url]
         jira.project = board.name
-        if board.server.server_url not in public_projects_cache:
-            public_projects_cache[board.server.server_url] = jira.public_projects()
-        public_projects = public_projects_cache[board.server.server_url]
-
         try:
             error_flags = board_is_valid(
                 jira=jira,
@@ -215,7 +223,7 @@ def validate_boards(
                 default_issue_type=default_issue_type,
                 default_reopen_state=default_reopen_state,
                 jira_server_priorities={p.name: p.id for p in jira.priorities()},
-                public_projects=public_projects,
+                public_projects=jira.public_projects(),
             )
             match error_flags:
                 case 0:
@@ -256,13 +264,59 @@ def get_jira_boards(query_func: Callable) -> list[JiraBoardV1]:
     ]
 
 
-def run(dry_run: bool, exit_on_permission_errors: bool) -> None:
+def export_boards(boards: list[JiraBoardV1]) -> list[dict]:
+    return [board.dict() for board in boards]
+
+
+def run(
+    dry_run: bool,
+    exit_on_permission_errors: bool,
+    enable_extended_early_exit: bool = False,
+    extended_early_exit_cache_ttl_seconds: int = 3600,
+    log_cached_log_output: bool = False,
+) -> None:
+    gql_api = gql.get_api()
+    boards = get_jira_boards(query_func=gql_api.query)
+    runner_params: RunnerParams = dict(
+        exit_on_permission_errors=exit_on_permission_errors,
+        boards=boards,
+    )
+    if enable_extended_early_exit and get_feature_toggle_state(
+        "jira-permissions-validator-extended-early-exit",
+        default=True,
+    ):
+        vault_settings = get_app_interface_vault_settings()
+        secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+
+        cache_source = CacheSource(
+            boards=export_boards(boards),
+        )
+        extended_early_exit_run(
+            integration=QONTRACT_INTEGRATION,
+            integration_version=QONTRACT_INTEGRATION_VERSION,
+            # don't use `dry_run` in the cache key because this is a read-only integration
+            dry_run=False,
+            cache_source=cache_source,
+            shard="",
+            ttl_seconds=extended_early_exit_cache_ttl_seconds,
+            logger=logging.getLogger(),
+            runner=runner,
+            runner_params=runner_params,
+            secret_reader=secret_reader,
+            log_cached_log_output=log_cached_log_output,
+        )
+    else:
+        runner(**runner_params)
+
+
+def runner(
+    exit_on_permission_errors: bool, boards: list[JiraBoardV1]
+) -> ExtendedEarlyExitRunnerResult:
     gql_api = gql.get_api()
     settings = get_jira_settings(gql_api=gql_api)
     jiralert_settings = get_jiralert_settings(query_func=gql_api.query)
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    boards = get_jira_boards(query_func=gql_api.query)
 
     with metrics.transactional_metrics("jira-boards") as metrics_container:
         error = validate_boards(
@@ -278,8 +332,8 @@ def run(dry_run: bool, exit_on_permission_errors: bool) -> None:
     if error:
         sys.exit(ExitCodes.ERROR)
 
+    return ExtendedEarlyExitRunnerResult(payload=export_boards(boards), applied_count=0)
+
 
 def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
-    return {
-        "boards": gql.get_api().query(JIRA_BOARDS_DEFINITION)["jira_boards"],
-    }
+    return {"boards": export_boards(get_jira_boards(query_func=gql.get_api().query))}

reconcile/terraform_repo.py

@@ -12,8 +12,10 @@ from pydantic import (
 )
 
 from reconcile import queries
+from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
 from reconcile.gql_definitions.terraform_repo.terraform_repo import (
     TerraformRepoV1,
+    TerraformRepoVariablesV1,
     query,
 )
 from reconcile.utils import gql
@@ -35,22 +37,19 @@ from reconcile.utils.state import (
 )
 
 
-class RepoSecret(BaseModel):
-    path: str
-    version: Optional[int]
-
-
 class RepoOutput(BaseModel):
     repository: str
     name: str
     ref: str
     project_path: str
     delete: bool
-    secret: RepoSecret
+    aws_creds: VaultSecret
+    variables: Optional[TerraformRepoVariablesV1]
     bucket: Optional[str]
     region: Optional[str]
     bucket_path: Optional[str]
     require_fips: bool
+    tf_version: str
 
 
 class OutputFile(BaseModel):
@@ -126,13 +125,16 @@ class TerraformRepoIntegration(
                 recreate_state=True,
             )
 
-    def print_output(self, diff: list[TerraformRepoV1], dry_run: bool) -> None:
+    def print_output(self, diff: list[TerraformRepoV1], dry_run: bool) -> OutputFile:
         """Parses and prints the output of a Terraform Repo diff for the executor
 
         :param diff: list of terraform repos to be acted on
         :type diff: list[TerraformRepoV1]
         :param dry_run: whether the executor should perform a tf apply
         :type dry_run: bool
+
+        :return: output of diff (used for testing)
+        :rtype: OutputFile
         """
         actions_list: list[RepoOutput] = []
 
@@ -144,10 +146,9 @@ class TerraformRepoIntegration(
                 project_path=repo.project_path,
                 delete=repo.delete or False,
                 require_fips=repo.require_fips or False,
-                secret=RepoSecret(
-                    path=repo.account.automation_token.path,
-                    version=repo.account.automation_token.version,
-                ),
+                tf_version=repo.tf_version,
+                aws_creds=repo.account.automation_token,
+                variables=repo.variables,
             )
             # terraform-repo will store its statefiles in a specified directory if there is a
             # terraform-state yaml file associated with the AWS account and a configuration is
@@ -179,6 +180,8 @@ class TerraformRepoIntegration(
         else:
             print(yaml.safe_dump(data=output.dict(), explicit_start=True))
 
+        return output
+
     def get_repos(self, query_func: Callable) -> list[TerraformRepoV1]:
         """Gets a list of terraform repos defined in App Interface
 

reconcile/test/test_terraform_repo.py

@@ -1,7 +1,6 @@
 from unittest.mock import MagicMock
 
 import pytest
-import yaml
 
 from reconcile.gql_definitions.fragments.terraform_state import (
     AWSTerraformStateIntegrationsV1,
@@ -10,9 +9,12 @@ from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
 from reconcile.gql_definitions.terraform_repo.terraform_repo import (
     AWSAccountV1,
     TerraformRepoV1,
+    TerraformRepoVariablesV1,
     TerraformStateAWSV1,
 )
 from reconcile.terraform_repo import (
+    OutputFile,
+    RepoOutput,
     TerraformRepoIntegration,
     TerraformRepoIntegrationParams,
 )
@@ -21,8 +23,10 @@ from reconcile.utils.state import State
 
 A_REPO = "https://git-example/tf-repo-example"
 A_REPO_SHA = "a390f5cb20322c90861d6d80e9b70c6a579be1d0"
+A_REPO_VERSION = "1.4.5"
 B_REPO = "https://git-example/tf-repo-example2"
 B_REPO_SHA = "94edb90815e502b387c25358f5ec602e52d0bfbb"
+B_REPO_VERSION = "1.5.7"
 AWS_UID = "000000000000"
 AUTOMATION_TOKEN_PATH = "aws-secrets/terraform/foo"
 STATE_REGION = "us-east-1"
@@ -31,7 +35,7 @@ STATE_PROVIDER = "s3"
 
 
 @pytest.fixture
-def existing_repo(aws_account) -> TerraformRepoV1:
+def existing_repo(aws_account, tf_variables) -> TerraformRepoV1:
     return TerraformRepoV1(
         name="a_repo",
         repository=A_REPO,
@@ -40,27 +44,34 @@ def existing_repo(aws_account) -> TerraformRepoV1:
         projectPath="tf",
         delete=False,
         requireFips=True,
+        tfVersion=A_REPO_VERSION,
+        variables=tf_variables,
     )
 
 
 @pytest.fixture
-def existing_repo_output() -> str:
-    return f"""
-        dry_run: true
-        repos:
-        - repository: {A_REPO}
-          name: a_repo
-          ref: {A_REPO_SHA}
-          project_path: tf
-          delete: false
-          secret:
-            path: {AUTOMATION_TOKEN_PATH}
-            version: 1
-          bucket: {STATE_BUCKET}
-          region: {STATE_REGION}
-          bucket_path: tf-repo
-          require_fips: true
-    """
+def existing_repo_output(tf_variables) -> OutputFile:
+    return OutputFile(
+        dry_run=True,
+        repos=[
+            RepoOutput(
+                repository=A_REPO,
+                name="a_repo",
+                ref=A_REPO_SHA,
+                project_path="tf",
+                delete=False,
+                aws_creds=VaultSecret(
+                    path=AUTOMATION_TOKEN_PATH, version=1, field="all", format=None
+                ),
+                bucket=STATE_BUCKET,
+                region=STATE_REGION,
+                bucket_path="tf-repo",
+                require_fips=True,
+                tf_version=A_REPO_VERSION,
+                variables=tf_variables,
+            )
+        ],
+    )
 
 
 @pytest.fixture
@@ -73,27 +84,34 @@ def new_repo(aws_account_no_state) -> TerraformRepoV1:
         projectPath="tf",
         delete=False,
         requireFips=False,
+        tfVersion=B_REPO_VERSION,
+        variables=None,
     )
 
 
 @pytest.fixture
-def new_repo_output() -> str:
-    return f"""
-        dry_run: true
-        repos:
-        - repository: {B_REPO}
-          name: b_repo
-          ref: {B_REPO_SHA}
-          project_path: tf
-          delete: false
-          secret:
-            path: {AUTOMATION_TOKEN_PATH}
-            version: 1
-          bucket: null
-          region: null
-          bucket_path: null
-          require_fips: false
-    """
+def new_repo_output() -> OutputFile:
+    return OutputFile(
+        dry_run=True,
+        repos=[
+            RepoOutput(
+                repository=B_REPO,
+                name="b_repo",
+                ref=B_REPO_SHA,
+                project_path="tf",
+                delete=False,
+                aws_creds=VaultSecret(
+                    path=AUTOMATION_TOKEN_PATH, version=1, field="all", format=None
+                ),
+                bucket=None,
+                region=None,
+                bucket_path=None,
+                require_fips=False,
+                tf_version=B_REPO_VERSION,
+                variables=None,
+            )
+        ],
+    )
 
 
 @pytest.fixture()
@@ -101,6 +119,18 @@ def automation_token() -> VaultSecret:
     return VaultSecret(path=AUTOMATION_TOKEN_PATH, version=1, field="all", format=None)
 
 
+@pytest.fixture()
+def tf_variables() -> TerraformRepoVariablesV1:
+    return TerraformRepoVariablesV1(
+        inputs=VaultSecret(
+            path="terraform-repo/inputs/abc", field="all", version=2, format=None
+        ),
+        outputs=VaultSecret(
+            path="terraform-repo/outputs/abc", field="all", version=2, format=None
+        ),
+    )
+
+
 @pytest.fixture()
 def terraform_state(terraform_state_integrations) -> TerraformStateAWSV1:
     return TerraformStateAWSV1(
@@ -143,13 +173,6 @@ def int_params() -> TerraformRepoIntegrationParams:
     return TerraformRepoIntegrationParams(output_file=None, validate_git=False)
 
 
-@pytest.fixture
-def int_params_print_to_tmp(tmp_path) -> TerraformRepoIntegrationParams:
-    return TerraformRepoIntegrationParams(
-        output_file=f"{tmp_path}/tf-repo.yaml", validate_git=False
-    )
-
-
 @pytest.fixture()
 def state_mock() -> MagicMock:
     return MagicMock(spec=State)
@@ -253,7 +276,7 @@ def test_delete_repo_without_flag(existing_repo, int_params):
         )
 
 
-def test_get_repo_state(s3_state_builder, int_params, existing_repo):
+def test_get_repo_state(s3_state_builder, int_params, existing_repo, tf_variables):
     state = s3_state_builder({
         "ls": [
             "/a_repo",
@@ -266,6 +289,8 @@ def test_get_repo_state(s3_state_builder, int_params, existing_repo):
                 "projectPath": "tf",
                 "delete": False,
                 "requireFips": True,
+                "tfVersion": A_REPO_VERSION,
+                "variables": tf_variables,
                 "account": {
                     "name": "foo",
                     "uid": AWS_UID,
@@ -319,15 +344,13 @@ def test_update_repo_state(int_params, existing_repo, state_mock):
 # these two output tests are to ensure that there isn't a sudden change to outputs that throws
 # off tf-executor
 def test_output_correct_statefile(
-    int_params_print_to_tmp, existing_repo, existing_repo_output, tmp_path, state_mock
+    int_params, existing_repo, existing_repo_output, state_mock
 ):
-    integration = TerraformRepoIntegration(params=int_params_print_to_tmp)
+    integration = TerraformRepoIntegration(params=int_params)
 
     existing_state: list = []
     desired_state = [existing_repo]
 
-    expected_output = yaml.safe_load(existing_repo_output)
-
     diff = integration.calculate_diff(
         existing_state=existing_state,
         desired_state=desired_state,
@@ -337,24 +360,19 @@ def test_output_correct_statefile(
     )
 
     assert diff
-    integration.print_output(diff, True)
-
-    with open(f"{tmp_path}/tf-repo.yaml", "r", encoding="locale") as output:
-        yaml_rep = yaml.safe_load(output)
+    current_output = integration.print_output(diff, True)
 
-        assert expected_output == yaml_rep
+    assert existing_repo_output == current_output
 
 
 def test_output_correct_no_statefile(
-    int_params_print_to_tmp, new_repo, new_repo_output, tmp_path, state_mock
+    int_params, new_repo, new_repo_output, tmp_path, state_mock
 ):
-    integration = TerraformRepoIntegration(params=int_params_print_to_tmp)
+    integration = TerraformRepoIntegration(params=int_params)
 
     existing_state: list = []
     desired_state = [new_repo]
 
-    expected_output = yaml.safe_load(new_repo_output)
-
     diff = integration.calculate_diff(
         existing_state=existing_state,
         desired_state=desired_state,
@@ -364,12 +382,9 @@ def test_output_correct_no_statefile(
     )
 
     assert diff
-    integration.print_output(diff, True)
-
-    with open(f"{tmp_path}/tf-repo.yaml", "r", encoding="locale") as output:
-        yaml_rep = yaml.safe_load(output)
+    current_output = integration.print_output(diff, True)
 
-        assert expected_output == yaml_rep
+    assert new_repo_output == current_output
 
 
 def test_fail_on_multiple_repos_dry_run(int_params, existing_repo, new_repo):

reconcile/utils/jira_client.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import functools
 import logging
 from collections.abc import (
     Iterable,
@@ -82,6 +83,11 @@ class JiraClient:
         self.project = project
         self.jira = jira_api
 
+        # some caches
+        self.priorities = functools.lru_cache(maxsize=None)(self._priorities)
+        self.public_projects = functools.lru_cache(maxsize=None)(self._public_projects)
+        self.my_permissions = functools.lru_cache(maxsize=None)(self._my_permissions)
+
     def _deprecated_init(
         self, jira_board: Mapping[str, Any], settings: Optional[Mapping]
     ) -> None:
@@ -174,11 +180,12 @@ class JiraClient:
             )
         return issue
 
+    def _my_permissions(self, project: str) -> dict[str, Any]:
+        return self.jira.my_permissions(projectKey=project)["permissions"]
+
     def can_i(self, permission: str) -> bool:
         return bool(
-            self.jira.my_permissions(projectKey=self.project)["permissions"][
-                permission
-            ]["havePermission"]
+            self.my_permissions(project=self.project)[permission]["havePermission"]
         )
 
     def can_create_issues(self) -> bool:
@@ -187,10 +194,10 @@ class JiraClient:
     def can_transition_issues(self) -> bool:
         return self.can_i("TRANSITION_ISSUES")
 
-    def project_issue_types(self, project: str) -> list[IssueType]:
+    def project_issue_types(self) -> list[IssueType]:
         return [
             IssueType(id=t.id, name=t.name, statuses=[s.name for s in t.statuses])
-            for t in self.jira.issue_types_for_project(project)
+            for t in self.jira.issue_types_for_project(self.project)
         ]
 
     def security_levels(self) -> list[SecurityLevel]:
@@ -201,7 +208,7 @@ class JiraClient:
         scheme = self.jira.project_issue_security_level_scheme(self.project)
         return [SecurityLevel(id=level.id, name=level.name) for level in scheme.levels]
 
-    def priorities(self) -> list[Priority]:
+    def _priorities(self) -> list[Priority]:
         """Return a list of all available Jira priorities."""
         return [Priority(id=p.id, name=p.name) for p in self.jira.priorities()]
 
@@ -210,7 +217,7 @@ class JiraClient:
         scheme = self.jira.project_priority_scheme(self.project)
         return scheme.optionIds
 
-    def public_projects(self) -> list[str]:
+    def _public_projects(self) -> list[str]:
         """Return a list of all public available projects."""
         if not self.server:
             raise RuntimeError("JiraClient.server is not set.")