qontract-reconcile 0.10.1rc770__py3-none-any.whl → 0.10.1rc772__py3-none-any.whl

{qontract_reconcile-0.10.1rc770.dist-info → qontract_reconcile-0.10.1rc772.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc770
+Version: 0.10.1rc772
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc770.dist-info → qontract_reconcile-0.10.1rc772.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=knLmE8YaI61Vg6tbcl5YW8HXIthq91yQknVtnXygCgY,99475
+reconcile/cli.py,sha256=0m82693uepqTj5rWIXToHTTxdjXs-cScKTj0Wkjxjrg,99574
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -179,14 +179,14 @@ reconcile/cna/assets/null.py,sha256=Fby1Fbn7oNRIGNasdyhRDvXJ0ktpxv-pUAPN0lZWSzk,
 reconcile/external_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/external_resources/aws.py,sha256=JvjKaABy2Pg8u8Lq82Acv4zMvpE3_qGKes7OG-zlHOM,2956
 reconcile/external_resources/factories.py,sha256=bLboXX5Dq0xN60mtDGNjCOLC6HlKofXMWQxVbRwMMwo,4485
-reconcile/external_resources/integration.py,sha256=QQZdKTeHoUD7afUTNKh878u-KWovYptAFZwjUBTIbCg,3317
+reconcile/external_resources/integration.py,sha256=rIfDVnTUy3qdmrh7NRwvZ7l1hOiNfk0a57J1ZsRSNrg,4959
 reconcile/external_resources/manager.py,sha256=APszaw9PRIiHnFyCffHZjIFseIwhlYROIPLt18pHUTQ,13685
 reconcile/external_resources/meta.py,sha256=SA4Km1r7ePdcNqHn2GA4ByQp4ZnIeo_n8qOOd-11IEg,151
 reconcile/external_resources/metrics.py,sha256=m2TIOao2N7pD6k45driFbBGVCC_N7ai44m-lLPfa5qk,454
 reconcile/external_resources/model.py,sha256=FJUb7rHU2l7YSAv-t4QaacL9pqheFBxhPydWSPqu3vY,7413
 reconcile/external_resources/reconciler.py,sha256=E50X_lnOD0OWYXMzyZld1P6dCFJFYjHGyICWff9bxlc,9323
 reconcile/external_resources/secrets_sync.py,sha256=g-ksvzmTlCTwo3PM3FgYXm0LUBcnwfAxcvisuR1jAMY,7982
-reconcile/external_resources/state.py,sha256=rRePQdA3A6U9oFDDs9aaL5Ja7nSIXpOC1wHwY8R47_8,9197
+reconcile/external_resources/state.py,sha256=V1lpgr0SmESA_x_MAk_tz3GCH9bfzvNmA21u6jHlGzU,9332
 reconcile/glitchtip/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip/integration.py,sha256=Y7ofQg_xCt3dOln3pjeXp7rAnwohCgD2zcUAb-Hciis,8375
 reconcile/glitchtip/reconciler.py,sha256=nUvDv7qG1ly0cA16MmlL6NV71yl1mJYLT2mui7lmi0Y,12402
@@ -262,9 +262,10 @@ reconcile/gql_definitions/dashdotdb_slo/slo_documents_query.py,sha256=zUa-CmpOwi
 reconcile/gql_definitions/dynatrace_token_provider/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/dynatrace_token_provider/dynatrace_bootstrap_tokens.py,sha256=38b9JR7gFTdID3EJO9zeqrCT1adbLrurOLYIGAKPxtA,2045
 reconcile/gql_definitions/external_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/external_resources/aws_accounts.py,sha256=XR69j9dpTQ0gv8y-AZN7AJ0dPvO-wbHscyCDgrax6Bk,2046
 reconcile/gql_definitions/external_resources/external_resources_modules.py,sha256=2VIb3hC2MRNhYDZ1al4PvudT2oSfd3fPGpzv4CEJNiw,2341
 reconcile/gql_definitions/external_resources/external_resources_namespaces.py,sha256=UyOAUY1rROenjTz6y-uSEFjrEwhh-lPsIQPbi6EQLFg,40915
-reconcile/gql_definitions/external_resources/external_resources_settings.py,sha256=Gnuy7dqikXHtDjh7P2nkPux9uCDf-a2t4WINMUyiXkc,2240
+reconcile/gql_definitions/external_resources/external_resources_settings.py,sha256=989_pG9NWKB5BPvdwqjqZUYp_2qf-xYmJ9c9kq8Kmfw,2886
 reconcile/gql_definitions/fragments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/fragments/aus_organization.py,sha256=ARI87YAbC0VjFri9eVGYrRPBc4s0kWsa25RR8FFoq7E,4433
 reconcile/gql_definitions/fragments/aws_account_common.py,sha256=d_FwpS_dY8o8DCLa3NERs93FVxQLiDUIPm5tGNac-iw,2320
@@ -646,7 +647,7 @@ reconcile/utils/pagerduty_api.py,sha256=fcSAUez6w51woDvbm0plJW2qSw6_NXQs1Fit_KTN
 reconcile/utils/parse_dhms_duration.py,sha256=TONpLnec5gHeF7k815YNJpQyDjXhkxZIcv9s8ffbTSY,1840
 reconcile/utils/password_validator.py,sha256=XwuWg-8CPlcuG7dl_oQ1G1h2gSVSnfMym_VkuprpWVg,2183
 reconcile/utils/prometheus.py,sha256=i5aCQ_I4WOg76iEjglVxxO9-OKby2N80ScErAbDtHE8,3848
-reconcile/utils/promotion_state.py,sha256=avYxHUf4zK3dBhXEdUEry79EOSgJ7gfStvvOpcedZnI,2575
+reconcile/utils/promotion_state.py,sha256=cCynjmatVjjBSf0nKUmKVvk3i_Kx24iqHsCWzWRphoA,2638
 reconcile/utils/promtool.py,sha256=kT2rFZSBaRqW7SSHAuYzGZzQxM5Dzk8KW1NnEUYZU_s,2896
 reconcile/utils/quay_api.py,sha256=EuOegpb-7ntEjkKLFwM2Oo4Nw7SyFtmyl3sQ9aXMtrM,8152
 reconcile/utils/raw_github_api.py,sha256=ZHC-SZuAyRe1zaMoOU7Krt1-zecDxENd9c_NzQYqK9g,2968
@@ -676,7 +677,8 @@ reconcile/utils/acs/notifiers.py,sha256=2n5blP9N1FdGLZuy3do9bpjd8NKg88kmLNNqhAGn
 reconcile/utils/acs/policies.py,sha256=_jAz6cv8KRYtDsXjGoJgNbD8_9PUa5LSwwVlpK4A_cQ,5505
 reconcile/utils/acs/rbac.py,sha256=ugsLM9Pb7FbUbdq85E3VzXGMaB9ZovXob7tdWCxwqZ8,8808
 reconcile/utils/aws_api_typed/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/utils/aws_api_typed/api.py,sha256=uqLNd_uNB11sQqLfcrqvXb1Z_K8GtX3K0FZ8zC_FK-A,8329
+reconcile/utils/aws_api_typed/api.py,sha256=NJJXmV01nBtQLf-Vv5xfieboCsY3inNd4ekRKxS_-Wo,8790
+reconcile/utils/aws_api_typed/dynamodb.py,sha256=AKUbz8HGzmSq4cnpjJe7PgqsikMkjbpbzUD2UJv2b58,383
 reconcile/utils/aws_api_typed/iam.py,sha256=ka46H2-SzTCgy6EJYapKTzyZK9vR1bkfD0wF8bDdy1Q,2201
 reconcile/utils/aws_api_typed/organization.py,sha256=oXftcLVuSs9qej6efdssl38FvjeZaQC5R2Wj3NzxX4U,5529
 reconcile/utils/aws_api_typed/s3.py,sha256=J2uOTtEFgMyKT22pa4DbFnV7zfg575m2DeidQaeselM,1034
@@ -748,7 +750,7 @@ reconcile/utils/runtime/sharding.py,sha256=roCdbnBklhTK_g34zbgQYqzpKPaNQ8J6Xd9XL
 reconcile/utils/saasherder/__init__.py,sha256=J3MBZBFa5YmhqYm08QsjBXz8mFcVOCiOCkyIcw41t7E,343
 reconcile/utils/saasherder/interfaces.py,sha256=XXY35h8VWQ66z3LBPxaoUAMkIW50264DQiecrzyV6oA,9076
 reconcile/utils/saasherder/models.py,sha256=1DKXUmiTS_MejUfSpFCeuBLMTgR4ldv2N1tAz8qHAwc,5547
-reconcile/utils/saasherder/saasherder.py,sha256=4IQL-r2uo1iejv0krdaPXaW9CnqBKF6t9Skjs2m263I,86170
+reconcile/utils/saasherder/saasherder.py,sha256=CfTNBjVS9HwH1hlz7K50J-vpT8B5UVJTmyd2ZGbAPAg,86293
 reconcile/utils/terraform/__init__.py,sha256=zNbiyTWo35AT1sFTElL2j_AA0jJ_yWE_bfFn-nD2xik,250
 reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79evfV_8,164
 reconcile/utils/terraform/config_client.py,sha256=py-Ree-QUYD6Hvng6bM40VgSuttteehIKNgwOSoJO1o,4706
@@ -783,8 +785,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=w2l4BHB09k1d-BGJ1jBUNCqDv7zkqYrMHojQXg-21kQ,4155
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc770.dist-info/METADATA,sha256=ampDiSjjZ3cRjowLOSs7GYHbz5K7qYf5qypzbGQw5Xc,2382
-qontract_reconcile-0.10.1rc770.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc770.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
-qontract_reconcile-0.10.1rc770.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc770.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc772.dist-info/METADATA,sha256=ggkGwJEVc2hcdi_OZpg-AGRT0hX8-c-5bD6NTbwG6ro,2382
+qontract_reconcile-0.10.1rc772.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc772.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
+qontract_reconcile-0.10.1rc772.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc772.dist-info/RECORD,,

reconcile/cli.py

@@ -3515,9 +3515,15 @@ def deadmanssnitch(ctx):
 @integration.command(short_help="Manages External Resources")
 @click.pass_context
 @threaded(default=5)
-@click.option("--cluster", help="Cluster where the Jobs will be created", default=None)
 @click.option(
-    "--namespace", help="Namespace where the Jobs will be created", default=None
+    "--workers_cluster",
+    help="Cluster name where the Jobs will be created",
+    default=None,
+)
+@click.option(
+    "--workers_namespace",
+    help="Namespace name where the Jobs will be created",
+    default=None,
 )
 @click.option(
     "--dry-run-job-suffix",
@@ -3525,17 +3531,21 @@ def deadmanssnitch(ctx):
     default="",
 )
 def external_resources(
-    ctx, cluster: str, namespace: str, dry_run_job_suffix: str, thread_pool_size: int
+    ctx,
+    workers_cluster: str,
+    workers_namespace: str,
+    dry_run_job_suffix: str,
+    thread_pool_size: int,
 ):
     import reconcile.external_resources.integration
 
     run_integration(
         reconcile.external_resources.integration,
         ctx.obj,
-        cluster,
-        namespace,
         dry_run_job_suffix,
         thread_pool_size,
+        workers_cluster,
+        workers_namespace,
     )
 
 

reconcile/external_resources/integration.py

@@ -1,4 +1,5 @@
 import logging
+from typing import Callable
 
 from reconcile.external_resources.manager import (
     ExternalResourcesInventory,
@@ -15,6 +16,9 @@ from reconcile.external_resources.secrets_sync import (
     build_incluster_secrets_reconciler,
 )
 from reconcile.external_resources.state import ExternalResourcesStateDynamoDB
+from reconcile.gql_definitions.external_resources.aws_accounts import (
+    query as aws_accounts_query,
+)
 from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
@@ -23,6 +27,8 @@ from reconcile.typed_queries.external_resources import (
     get_namespaces,
     get_settings,
 )
+from reconcile.utils import gql
+from reconcile.utils.aws_api_typed.api import AWSApi, AWSStaticCredentials
 from reconcile.utils.jobcontroller.controller import (
     build_job_controller,
 )
@@ -30,7 +36,7 @@ from reconcile.utils.oc import (
     OCCli,
 )
 from reconcile.utils.openshift_resource import OpenshiftResource, ResourceInventory
-from reconcile.utils.secret_reader import create_secret_reader
+from reconcile.utils.secret_reader import SecretReaderBase, create_secret_reader
 
 
 def fetch_current_state(
@@ -41,12 +47,38 @@ def fetch_current_state(
         ri.add_current(cluster, namespace, "Job", r.name, r)
 
 
+def get_aws_api(
+    query_func: Callable,
+    account_name: str,
+    region: str,
+    secret_reader: SecretReaderBase,
+) -> AWSApi:
+    accounts = (
+        aws_accounts_query(
+            query_func, variables={"filter": {"name": account_name}}
+        ).accounts
+        or []
+    )
+    if not accounts:
+        raise Exception(
+            "External Resources configured AWS account does not exist or can not be found"
+        )
+    account = accounts[0]
+    automation_token = secret_reader.read_all_secret(account.automation_token)
+    aws_credentials = AWSStaticCredentials(
+        access_key_id=automation_token["aws_access_key_id"],
+        secret_access_key=automation_token["aws_secret_access_key"],
+        region=region,
+    )
+    return AWSApi(aws_credentials)
+
+
 def run(
     dry_run: bool,
-    cluster: str,
-    namespace: str,
     dry_run_job_suffix: str,
     thread_pool_size: int,
+    workers_cluster: str | None = None,
+    workers_namespace: str | None = None,
 ) -> None:
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
@@ -55,41 +87,52 @@ def run(
     namespaces = [ns for ns in get_namespaces() if ns.external_resources]
     er_inventory = ExternalResourcesInventory(namespaces)
 
-    er_mgr = ExternalResourcesManager(
-        thread_pool_size=thread_pool_size,
-        settings=er_settings,
+    if not workers_cluster:
+        workers_cluster = er_settings.workers_cluster.name
+    if not workers_namespace:
+        workers_namespace = er_settings.workers_namespace.name
+
+    with get_aws_api(
+        query_func=gql.get_api().query,
+        account_name=er_settings.state_dynamodb_account.name,
+        region=er_settings.state_dynamodb_region,
         secret_reader=secret_reader,
-        factories=setup_factories(
-            er_settings, m_inventory, er_inventory, secret_reader
-        ),
-        er_inventory=er_inventory,
-        module_inventory=m_inventory,
-        state_manager=ExternalResourcesStateDynamoDB(
-            table_name=er_settings.state_dynamodb_table,
-            region_name=er_settings.state_dynamodb_region,
-        ),
-        reconciler=K8sExternalResourcesReconciler(
-            controller=build_job_controller(
-                integration=QONTRACT_INTEGRATION,
-                integration_version=QONTRACT_INTEGRATION_VERSION,
-                cluster=cluster,
-                namespace=namespace,
-                secret_reader=secret_reader,
+    ) as aws_api:
+        er_mgr = ExternalResourcesManager(
+            thread_pool_size=thread_pool_size,
+            settings=er_settings,
+            secret_reader=secret_reader,
+            factories=setup_factories(
+                er_settings, m_inventory, er_inventory, secret_reader
+            ),
+            er_inventory=er_inventory,
+            module_inventory=m_inventory,
+            state_manager=ExternalResourcesStateDynamoDB(
+                aws_api=aws_api,
+                table_name=er_settings.state_dynamodb_table,
+            ),
+            reconciler=K8sExternalResourcesReconciler(
+                controller=build_job_controller(
+                    integration=QONTRACT_INTEGRATION,
+                    integration_version=QONTRACT_INTEGRATION_VERSION,
+                    cluster=workers_cluster,
+                    namespace=workers_namespace,
+                    secret_reader=secret_reader,
+                    dry_run=dry_run,
+                ),
                 dry_run=dry_run,
+                dry_run_job_suffix=dry_run_job_suffix,
             ),
-            dry_run=dry_run,
-            dry_run_job_suffix=dry_run_job_suffix,
-        ),
-        secrets_reconciler=build_incluster_secrets_reconciler(
-            cluster, namespace, secret_reader, vault_path="app-sre"
-        ),
-    )
+            secrets_reconciler=build_incluster_secrets_reconciler(
+                workers_cluster, workers_namespace, secret_reader, vault_path="app-sre"
+            ),
+        )
 
-    if dry_run:
-        er_mgr.handle_dry_run_resources()
-        if er_mgr.errors:
-            logging.error("Validation Errors:")
-            for k, e in er_mgr.errors.items():
-                logging.error("ExternalResourceKey: %s, Error: %s" % (k, e))
-    else:
-        er_mgr.handle_resources()
+        if dry_run:
+            er_mgr.handle_dry_run_resources()
+            if er_mgr.errors:
+                logging.error("Validation Errors:")
+                for k, e in er_mgr.errors.items():
+                    logging.error("ExternalResourceKey: %s, Error: %s" % (k, e))
+        else:
+            er_mgr.handle_resources()

reconcile/external_resources/state.py

@@ -4,7 +4,6 @@ from datetime import datetime, timezone
 from enum import Enum
 from typing import Any
 
-import boto3
 from pydantic import BaseModel
 
 from reconcile.external_resources.model import (
@@ -12,6 +11,7 @@ from reconcile.external_resources.model import (
     ExternalResourceModuleConfiguration,
     Reconciliation,
 )
+from reconcile.utils.aws_api_typed.api import AWSApi
 
 DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
 
@@ -178,16 +178,16 @@ class ExternalResourcesStateDynamoDB:
         f"{DynamoDBStateAdapter.RECONC}.{DynamoDBStateAdapter.RECONC_RESOURCE_HASH}",
     ])
 
-    def __init__(self, table_name: str, region_name: str) -> None:
+    def __init__(self, aws_api: AWSApi, table_name: str) -> None:
         self.adapter = DynamoDBStateAdapter()
-        self.client = boto3.client("dynamodb", region_name=region_name)
+        self.aws_api = aws_api
         self._table = table_name
         self.partial_resources = self._get_partial_resources()
 
     def get_external_resource_state(
         self, key: ExternalResourceKey
     ) -> ExternalResourceState:
-        data = self.client.get_item(
+        data = self.aws_api.dynamodb.boto3_client.get_item(
             TableName=self._table,
             ConsistentRead=True,
             Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
@@ -207,10 +207,12 @@ class ExternalResourcesStateDynamoDB:
         self,
         state: ExternalResourceState,
     ) -> None:
-        self.client.put_item(TableName=self._table, Item=self.adapter.serialize(state))
+        self.aws_api.dynamodb.boto3_client.put_item(
+            TableName=self._table, Item=self.adapter.serialize(state)
+        )
 
     def del_external_resource_state(self, key: ExternalResourceKey) -> None:
-        self.client.delete_item(
+        self.aws_api.dynamodb.boto3_client.delete_item(
             TableName=self._table,
             Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
         )
@@ -224,7 +226,7 @@ class ExternalResourcesStateDynamoDB:
         """
         logging.info("Getting Managed resources from DynamoDb")
         partials = {}
-        for item in self.client.scan(
+        for item in self.aws_api.dynamodb.boto3_client.scan(
             TableName=self._table, ProjectionExpression=self.PARTIALS_PROJECTED_VALUES
         ).get("Items", []):
             s = self.adapter.deserialize(item, partial_data=True)
@@ -237,7 +239,7 @@ class ExternalResourcesStateDynamoDB:
     def update_resource_status(
         self, key: ExternalResourceKey, status: ResourceStatus
     ) -> None:
-        self.client.update_item(
+        self.aws_api.dynamodb.boto3_client.update_item(
             TableName=self._table,
             Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
             UpdateExpression="set resource_status=:new_value",

reconcile/gql_definitions/external_resources/aws_accounts.py

@@ -0,0 +1,73 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
+
+
+DEFINITION = """
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query AWSExternalResourcesAccounts($filter: JSON) {
+  accounts: awsaccounts_v1(filter: $filter) {
+    name
+    automationToken {
+      ...VaultSecret
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class AWSAccountV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    automation_token: VaultSecret = Field(..., alias="automationToken")
+
+
+class AWSExternalResourcesAccountsQueryData(ConfiguredBaseModel):
+    accounts: Optional[list[AWSAccountV1]] = Field(..., alias="accounts")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AWSExternalResourcesAccountsQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AWSExternalResourcesAccountsQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AWSExternalResourcesAccountsQueryData(**raw_data)

reconcile/gql_definitions/external_resources/external_resources_settings.py

@@ -21,8 +21,17 @@ from pydantic import (  # noqa: F401 # pylint: disable=W0611
 DEFINITION = """
 query ExternalResourcesSettings {
     settings: external_resources_settings_v1 {
+        state_dynamodb_account {
+            name
+        }
         state_dynamodb_table
         state_dynamodb_region
+        workers_cluster {
+            name
+        }
+        workers_namespace {
+            name
+        }
         tf_state_bucket
         tf_state_region
         tf_state_dynamodb_table
@@ -37,9 +46,24 @@ class ConfiguredBaseModel(BaseModel):
         extra=Extra.forbid
 
 
+class AWSAccountV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+
+
+class ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+
+
 class ExternalResourcesSettingsV1(ConfiguredBaseModel):
+    state_dynamodb_account: AWSAccountV1 = Field(..., alias="state_dynamodb_account")
     state_dynamodb_table: str = Field(..., alias="state_dynamodb_table")
     state_dynamodb_region: str = Field(..., alias="state_dynamodb_region")
+    workers_cluster: ClusterV1 = Field(..., alias="workers_cluster")
+    workers_namespace: NamespaceV1 = Field(..., alias="workers_namespace")
     tf_state_bucket: Optional[str] = Field(..., alias="tf_state_bucket")
     tf_state_region: Optional[str] = Field(..., alias="tf_state_region")
     tf_state_dynamodb_table: Optional[str] = Field(..., alias="tf_state_dynamodb_table")

reconcile/utils/aws_api_typed/api.py

@@ -9,12 +9,14 @@ from boto3 import Session
 from botocore.client import BaseClient
 from pydantic import BaseModel
 
+import reconcile.utils.aws_api_typed.dynamodb
 import reconcile.utils.aws_api_typed.iam
 import reconcile.utils.aws_api_typed.organization
 import reconcile.utils.aws_api_typed.s3
 import reconcile.utils.aws_api_typed.service_quotas
 import reconcile.utils.aws_api_typed.sts
 import reconcile.utils.aws_api_typed.support
+from reconcile.utils.aws_api_typed.dynamodb import AWSApiDynamoDB
 from reconcile.utils.aws_api_typed.iam import AWSApiIam
 from reconcile.utils.aws_api_typed.organization import AWSApiOrganizations
 from reconcile.utils.aws_api_typed.s3 import AWSApiS3
@@ -30,6 +32,7 @@ SubApi = TypeVar(
     AWSApiServiceQuotas,
     AWSApiSts,
     AWSApiSupport,
+    AWSApiDynamoDB,
 )
 
 
@@ -183,6 +186,9 @@ class AWSApi:
             case reconcile.utils.aws_api_typed.support.AWSApiSupport:
                 client = self.session.client("support")
                 api = api_cls(client)
+            case reconcile.utils.aws_api_typed.dynamodb.AWSApiDynamoDB:
+                client = self.session.client("dynamodb")
+                api = api_cls(client)
             case _:
                 raise ValueError(f"Unknown API class: {api_cls}")
 
@@ -219,6 +225,11 @@ class AWSApi:
         """Return an AWS Support Api client."""
         return self._init_sub_api(AWSApiSupport)
 
+    @cached_property
+    def dynamodb(self) -> AWSApiDynamoDB:
+        """Return an AWS DynamoDB Api client"""
+        return self._init_sub_api(AWSApiDynamoDB)
+
     def assume_role(self, account_id: str, role: str) -> AWSApi:
         """Return a new AWSApi with the assumed role."""
         credentials = self.sts.assume_role(account_id=account_id, role=role)

reconcile/utils/aws_api_typed/dynamodb.py

@@ -0,0 +1,16 @@
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from mypy_boto3_dynamodb import DynamoDBClient
+else:
+    DynamoDBClient = object
+
+
+class AWSApiDynamoDB:
+    def __init__(self, client: DynamoDBClient) -> None:
+        self.client = client
+
+    @property
+    def boto3_client(self) -> DynamoDBClient:
+        """Gets the RAW boto3 DynamoDB client"""
+        return self.client

reconcile/utils/promotion_state.py

@@ -1,5 +1,6 @@
 import logging
 from collections import defaultdict
+from datetime import datetime
 from typing import Optional
 
 from pydantic import (
@@ -22,6 +23,7 @@ class PromotionData(BaseModel):
     success: bool
     target_config_hash: Optional[str]
     saas_file: Optional[str]
+    check_in: Optional[datetime]
 
     class Config:
         smart_union = True

reconcile/utils/saasherder/saasherder.py

@@ -16,6 +16,7 @@ from collections.abc import (
     Sequence,
 )
 from contextlib import suppress
+from datetime import datetime, timezone
 from types import TracebackType
 from typing import (
     Any,
@@ -1965,6 +1966,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         if not (self.state and self._promotion_state):
             raise Exception("state is not initialized")
 
+        now = datetime.now(timezone.utc)
         for promotion in self.promotions:
             if promotion is None:
                 continue
@@ -1982,6 +1984,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                             saas_file=promotion.saas_file,
                             success=success,
                             target_config_hash=promotion.target_config_hash,
+                            check_in=now,
                         ),
                     )
                     logging.info(