qontract-reconcile 0.10.1rc834__py3-none-any.whl → 0.10.1rc835__py3-none-any.whl

{qontract_reconcile-0.10.1rc834.dist-info → qontract_reconcile-0.10.1rc835.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc834
+Version: 0.10.1rc835
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc834.dist-info → qontract_reconcile-0.10.1rc835.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=bRYr5vnUstP3dkRmt3NOyCaA4n-1xIxQU6vooISgFTk,102404
+reconcile/cli.py,sha256=9k1FKxkGO8yLB_-J3juHg6MoM3wTtHv7TOHLKh51t0k,103241
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=R2JuwiXAEYAFiCtnztM_IIr1rtVzPpaWAmgxuDa2FgY,4813
@@ -238,6 +238,7 @@ reconcile/gql_definitions/common/app_interface_dms_settings.py,sha256=h-N7-XGpmH
 reconcile/gql_definitions/common/app_interface_repo_settings.py,sha256=rud0rz9NIFF-h1fFdk3MnwGmx73rhwrn1taN_HefvyU,1754
 reconcile/gql_definitions/common/app_interface_state_settings.py,sha256=VXIK0Hmyv6GTShI86IGkjxyHGwufqUBAh617XKUAKaI,2507
 reconcile/gql_definitions/common/app_interface_vault_settings.py,sha256=w8quvdG0cSq71ZyJokPPp7MyMpoDb6-HLQ3o9JHVGRQ,1771
+reconcile/gql_definitions/common/aws_vpc_requests.py,sha256=BBBQLiLRBuvkXdNFN_uyZ_kyvmroziHByyJBH6X0oCA,2269
 reconcile/gql_definitions/common/aws_vpcs.py,sha256=Dss9dQ3xagnz3Ltg1e9mtG2PAmQGBbUzKCmmzvuN28s,1892
 reconcile/gql_definitions/common/clusters.py,sha256=eJIbMQltj-Sc7h_QVIeFkbRy1b_QJIkHATfbagxM-yU,21527
 reconcile/gql_definitions/common/clusters_minimal.py,sha256=JYrJV_aStmryiiGKyiXhj47qpF_8KilCqy-d9CofBCo,4635
@@ -280,6 +281,8 @@ reconcile/gql_definitions/fragments/aws_account_managed.py,sha256=zXbux0Bb7QZ37f
 reconcile/gql_definitions/fragments/aws_account_sso.py,sha256=ITR3PLz4Iq1SiWAoYGWPDuHJnAmTyZ0QQqs2Zsi8pxA,979
 reconcile/gql_definitions/fragments/aws_infra_management_account.py,sha256=uAmALVRF2gBM3p_Dmez_ew6KVAtetamwOPkRIPZAlGc,1254
 reconcile/gql_definitions/fragments/aws_vpc.py,sha256=T2egTwi2Rb0IRBBmsyag8xKpu_m6GbIAy80fhZNZwk8,1434
+reconcile/gql_definitions/fragments/aws_vpc_request.py,sha256=KleRM5asZJGcrUjW5LzUE5vyRFmL-3dVakdnyXNdYKc,2046
+reconcile/gql_definitions/fragments/aws_vpc_request_subnet.py,sha256=qaTFT8cGzEslw51nUeb45Nfnv6kFxUm4CWrRR3xfBvA,760
 reconcile/gql_definitions/fragments/deplopy_resources.py,sha256=0u3xYqL5NpMf149BJLfPhHqAOWu06aLULdNk_2Mulxg,1089
 reconcile/gql_definitions/fragments/disable.py,sha256=Ojw98OSxcovrtmw_aAyhaVHhIa1MSUbBfKX4i2IpI74,715
 reconcile/gql_definitions/fragments/jumphost_common_fields.py,sha256=FOqqDRqzPdt4ZNTRRZPFYCKE1HIa1ATF0u0NsdZzyaw,1034
@@ -463,6 +466,10 @@ reconcile/terraform_init/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZ
 reconcile/terraform_init/integration.py,sha256=xcFKTc_or3xB3kE_I3OECNkkgbwALIwwdiktnF-MyWI,6114
 reconcile/terraform_init/merge_request.py,sha256=3CYtgSd7Q9zjKg4wsDz437EPCRfGeZZ8fZ0Y-ChKXJY,1475
 reconcile/terraform_init/merge_request_manager.py,sha256=fMcT6hbdEF3nFATJpvr8BedvQHq_MzFkgVJSloBNwOQ,3101
+reconcile/terraform_vpc_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/terraform_vpc_resources/integration.py,sha256=eyIo2hJC2Uv6H48dZp5-P7HS5IyrU1upVQOVJtDzP18,7862
+reconcile/terraform_vpc_resources/merge_request.py,sha256=loRymUigCIvaaT0s_NzktZchh-DGRQnCICdBSCAcFPY,1503
+reconcile/terraform_vpc_resources/merge_request_manager.py,sha256=Vj2nuQbQyrL4q_il1My-bLxYNh_r3YXqX45P8fwtP6Q,3259
 reconcile/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/test/conftest.py,sha256=0pO4UxFeBALKbL9gwemyap0VkbPR8n5TtZbf5c9pSv0,4303
 reconcile/test/fixtures.py,sha256=9SDWAUlSd1rCx7z3GhULHcpr-I6FyCsXxaFAZIqYQsQ,591
@@ -571,6 +578,7 @@ reconcile/typed_queries/app_interface_deadmanssnitch_settings.py,sha256=y30_SmS0
 reconcile/typed_queries/app_interface_repo_url.py,sha256=ePr_nvjDeyZPR4sHsDQFubV2gslj9lPUSzIWWhm0syo,609
 reconcile/typed_queries/app_interface_state_settings.py,sha256=ytNAf3feg8JwmdCC4vO1WtVb-Ok5_ZtNAL3mXe2d1Pw,479
 reconcile/typed_queries/app_interface_vault_settings.py,sha256=uFS7qLjjGnrK8gm2fkUT8RFd7s_5kxTWWpxZRhr1Ndo,746
+reconcile/typed_queries/aws_vpc_requests.py,sha256=c3nNVapucJR4AtZuUfcVoynSSLb_hLlsDkjQsP1qD98,390
 reconcile/typed_queries/aws_vpcs.py,sha256=bM7dWpVHV6J1WYjgHOe2rfAl4vKpUoC8khPQSdtkxVQ,371
 reconcile/typed_queries/clusters.py,sha256=tptLP2Ov1lNqtDGuPKBOVvpDtREm5CQFDDVyp0xKkRQ,506
 reconcile/typed_queries/clusters_minimal.py,sha256=flvs4oXVR4b971h-zMTK3C2GL3bjMnvZgrAeI3XgBQQ,517
@@ -632,7 +640,7 @@ reconcile/utils/git_secrets.py,sha256=0wGNL5mvDtVPRuu3vEQgld1Am64gIDJHtmu1_ZKxMA
 reconcile/utils/github_api.py,sha256=_bttNxYKeam_tLVe27L7O4gKqSn6CeyuFnJn8tSaUVY,2488
 reconcile/utils/gitlab_api.py,sha256=9C6oS98w1z-pDAAz5k9kgEvRO6r7hduHoOl7cufFr5s,27400
 reconcile/utils/gpg.py,sha256=EKG7_fdMv8BMlV5yUdPiqoTx-KrzmVSEAl2sLkaKwWI,1123
-reconcile/utils/gql.py,sha256=bzIYYYYGIO_4Db4sA-mnZUOPVNBELZD5EcIUSTbYG1o,13604
+reconcile/utils/gql.py,sha256=qMWj39ilJGV1YAeUvbqVYq6u9zxuPvZqxFLaLb6A-bA,14256
 reconcile/utils/grouping.py,sha256=kWKivD14eAkiDneH_VIl_XyUdcVVQgiaKA9sLsuD2dw,441
 reconcile/utils/helm.py,sha256=Rt1ao4yI4GdThZyIPV75JLJjkvu9d8kOLKQht6KUzyE,1325
 reconcile/utils/helpers.py,sha256=k9svgFFZG7H5FvHYY0g5jJyvgvh2UDZxf0Ib221teag,1179
@@ -679,7 +687,7 @@ reconcile/utils/state.py,sha256=DRxzuOw3Iha-b2esBMjZTZ5K-OxfrGbkyEvpTT5xHTs,1636
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=mZEKpu6nbfiQd60wRkc8-5sljBTUTOgaAKnF89itMzU,32085
-reconcile/utils/terrascript_aws_client.py,sha256=VlvIHgrZRiMFVgx6a8ZHxoiJoDwqbtOmsZFnwwNrdL0,273199
+reconcile/utils/terrascript_aws_client.py,sha256=87J2RszhfqYkABzZ5yO-JxycOvjvrx3bWgSmISop1tQ,276092
 reconcile/utils/three_way_diff_strategy.py,sha256=nnTk4VDex1GIEqryFVfATU1AeRwzXyoPl_FX6zzmRFI,4643
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=AYGG5aDJ7CSVhTFdZowfEg3iSQWenoAt676aGjHQMX8,14978
@@ -812,8 +820,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jrss,4941
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc834.dist-info/METADATA,sha256=GwMy-WLj9_4L9kW4KPlgRfD7XUInbC5v6Kn7gHcOVNg,2275
-qontract_reconcile-0.10.1rc834.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc834.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc834.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc834.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc835.dist-info/METADATA,sha256=FvhcaquoyfUx-ny_1HtDquApeBVedhJNdqbWpmbmCc4,2275
+qontract_reconcile-0.10.1rc835.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc835.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc835.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc835.dist-info/RECORD,,

reconcile/cli.py

@@ -2287,6 +2287,35 @@ def terraform_users(
     )
 
 
+@integration.command(short_help="Manage VPC creation")
+@binary(["terraform"])
+@binary_version("terraform", ["version"], TERRAFORM_VERSION_REGEX, TERRAFORM_VERSION)
+@account_name
+@print_to_file
+@threaded()
+@enable_deletion(default=False)
+@click.pass_context
+def terraform_vpc_resources(
+    ctx, account_name, print_to_file, thread_pool_size, enable_deletion
+):
+    from reconcile.terraform_vpc_resources.integration import (
+        TerraformVpcResources,
+        TerraformVpcResourcesParams,
+    )
+
+    run_class_integration(
+        TerraformVpcResources(
+            TerraformVpcResourcesParams(
+                account_name=account_name,
+                print_to_file=print_to_file,
+                thread_pool_size=thread_pool_size,
+                enable_deletion=enable_deletion,
+            )
+        ),
+        ctx.obj,
+    )
+
+
 @integration.command(
     short_help="Manage VPC peerings between OSD clusters and AWS accounts or other OSD clusters."
 )

reconcile/gql_definitions/common/aws_vpc_requests.py

@@ -0,0 +1,102 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.aws_vpc_request import VPCRequest
+
+
+DEFINITION = """
+fragment TerraformState on TerraformStateAWS_v1 {
+  provider
+  bucket
+  region
+  integrations {
+    key
+    integration
+  }
+}
+
+fragment VPCRequest on VPCRequest_v1 {
+  identifier
+  account {
+    name
+    uid
+    terraformUsername
+    automationToken {
+      ...VaultSecret
+    }
+    supportedDeploymentRegions
+    resourcesDefaultRegion
+    providerVersion
+    terraformState {
+      ...TerraformState
+    }
+  }
+  region
+  cidr_block {
+    networkAddress
+  }
+  subnets {
+    private 
+    public
+    availability_zones
+  }
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query VPCRequest {
+  vpc_requests: aws_vpc_request_v1 {
+    ...VPCRequest
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class VPCRequestQueryData(ConfiguredBaseModel):
+    vpc_requests: Optional[list[VPCRequest]] = Field(..., alias="vpc_requests")
+
+
+def query(query_func: Callable, **kwargs: Any) -> VPCRequestQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        VPCRequestQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return VPCRequestQueryData(**raw_data)

reconcile/gql_definitions/fragments/aws_vpc_request.py

@@ -0,0 +1,56 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.terraform_state import TerraformState
+from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class AWSAccountV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    uid: str = Field(..., alias="uid")
+    terraform_username: Optional[str] = Field(..., alias="terraformUsername")
+    automation_token: VaultSecret = Field(..., alias="automationToken")
+    supported_deployment_regions: Optional[list[str]] = Field(..., alias="supportedDeploymentRegions")
+    resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
+    provider_version: str = Field(..., alias="providerVersion")
+    terraform_state: Optional[TerraformState] = Field(..., alias="terraformState")
+
+
+class NetworkV1(ConfiguredBaseModel):
+    network_address: str = Field(..., alias="networkAddress")
+
+
+class VPCRequestSubnetsListsV1(ConfiguredBaseModel):
+    private: Optional[list[str]] = Field(..., alias="private")
+    public: Optional[list[str]] = Field(..., alias="public")
+    availability_zones: Optional[list[str]] = Field(..., alias="availability_zones")
+
+
+class VPCRequest(ConfiguredBaseModel):
+    identifier: str = Field(..., alias="identifier")
+    account: AWSAccountV1 = Field(..., alias="account")
+    region: str = Field(..., alias="region")
+    cidr_block: NetworkV1 = Field(..., alias="cidr_block")
+    subnets: Optional[VPCRequestSubnetsListsV1] = Field(..., alias="subnets")

reconcile/gql_definitions/fragments/aws_vpc_request_subnet.py

@@ -0,0 +1,29 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class VPCRequestSubnet(ConfiguredBaseModel):
+    availability_zone: str = Field(..., alias="availability_zone")
+    cidr_block: str = Field(..., alias="cidr_block")

reconcile/terraform_vpc_resources/integration.py

@@ -0,0 +1,214 @@
+import logging
+import sys
+from collections.abc import Mapping, MutableMapping
+from typing import Any, Iterable, Optional
+
+import jinja2
+
+from reconcile.gql_definitions.fragments.aws_vpc_request import (
+    AWSAccountV1,
+    VPCRequest,
+)
+from reconcile.status import ExitCodes
+from reconcile.terraform_vpc_resources.merge_request import Renderer, create_parser
+from reconcile.terraform_vpc_resources.merge_request_manager import (
+    MergeRequestManager,
+    MrData,
+)
+from reconcile.typed_queries.app_interface_repo_url import get_app_interface_repo_url
+from reconcile.typed_queries.app_interface_vault_settings import (
+    get_app_interface_vault_settings,
+)
+from reconcile.typed_queries.aws_vpc_requests import get_aws_vpc_requests
+from reconcile.typed_queries.github_orgs import get_github_orgs
+from reconcile.typed_queries.gitlab_instances import get_gitlab_instances
+from reconcile.utils import gql
+from reconcile.utils.runtime.integration import (
+    DesiredStateShardConfig,
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.secret_reader import create_secret_reader
+from reconcile.utils.semver_helper import make_semver
+from reconcile.utils.terraform_client import TerraformClient
+from reconcile.utils.terrascript_aws_client import TerrascriptClient
+from reconcile.utils.vcs import VCS
+
+QONTRACT_INTEGRATION = "terraform_vpc_resources"
+QONTRACT_INTEGRATION_VERSION = make_semver(0, 1, 0)
+QONTRACT_TF_PREFIX = "qrtvr"
+AWS_PROVIDER_VERSION = "5.7.1"
+
+
+class TerraformVpcResourcesParams(PydanticRunParams):
+    account_name: Optional[str]
+    print_to_file: Optional[str]
+    thread_pool_size: int
+    enable_deletion: bool = False
+
+
+class NoManagedVPCForAccount(Exception):
+    pass
+
+
+class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesParams]):
+    @property
+    def name(self) -> str:
+        return QONTRACT_INTEGRATION.replace("_", "-")
+
+    def _filter_accounts(
+        self, data: Iterable[VPCRequest], account_name: Optional[str]
+    ) -> list[AWSAccountV1]:
+        """Return a list of accounts extracted from the provided VPCRequests.
+        If account_name is given returns the account object with that name."""
+        accounts = [vpc.account for vpc in data]
+
+        if account_name:
+            accounts = [account for account in accounts if account.name == account_name]
+
+        return accounts
+
+    def _handle_outputs(
+        self, requests: Iterable[VPCRequest], outputs: Mapping[str, Any]
+    ) -> Mapping[str, Any]:
+        """Receives a terraform outputs dict and returns a map of outputs per VPC requests"""
+        outputs_per_request: MutableMapping[str, Any] = {}
+        for request in requests:
+            outputs_per_request[request.identifier] = []
+            outputs_per_account = outputs[request.account.name]
+
+            # If the output exists for that request get its value
+            # Else get None
+            private_subnets = outputs_per_account.get(
+                f"{request.identifier}-private_subnets", {}
+            ).get("value", [])
+            public_subnets = outputs_per_account.get(
+                f"{request.identifier}-public_subnets", {}
+            ).get("value", [])
+
+            values = {
+                "static": {
+                    "vpc_id": outputs_per_account.get(
+                        f"{request.identifier}-vpc_id", {}
+                    ).get("value"),
+                    "subnets": {
+                        "private": private_subnets,
+                        "public": public_subnets,
+                    },
+                    "account_name": request.account.name,
+                    "region": request.region,
+                    "cidr_block": request.cidr_block.network_address,
+                    "identifier": request.identifier,
+                }
+            }
+
+            outputs_per_request[request.identifier] = values
+
+        return outputs_per_request
+
+    def _render_template(self, template: str, data: Mapping[str, Any]) -> str:
+        return jinja2.Template(
+            template,
+            undefined=jinja2.StrictUndefined,
+            trim_blocks=False,
+            lstrip_blocks=False,
+            keep_trailing_newline=False,
+        ).render(data)
+
+    def run(self, dry_run: bool) -> None:
+        account_name = self.params.account_name
+        thread_pool_size = self.params.thread_pool_size
+        enable_deletion = self.params.enable_deletion
+
+        vault_settings = get_app_interface_vault_settings()
+        secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+
+        gql_api = gql.get_api()
+        data = get_aws_vpc_requests(gql_api=gql_api)
+
+        if data:
+            accounts = self._filter_accounts(data, account_name)
+            if account_name and not accounts:
+                error_msg = f"The account {account_name} doesn't have any managed vpc. Verify your input"
+                logging.error(error_msg)
+                raise NoManagedVPCForAccount(error_msg)
+        else:
+            logging.warning("No VPC requests found, nothing to do.")
+            sys.exit(ExitCodes.SUCCESS)
+
+        accounts_untyped: list[dict] = [acc.dict(by_alias=True) for acc in accounts]
+        with TerrascriptClient(
+            integration=QONTRACT_INTEGRATION,
+            integration_prefix=QONTRACT_TF_PREFIX,
+            thread_pool_size=thread_pool_size,
+            accounts=accounts_untyped,
+            secret_reader=secret_reader,
+        ) as ts_client:
+            ts_client.populate_vpc_requests(data, AWS_PROVIDER_VERSION)
+
+        working_dirs = ts_client.dump(print_to_file=self.params.print_to_file)
+
+        if self.params.print_to_file:
+            sys.exit(ExitCodes.SUCCESS)
+
+        tf_client = TerraformClient(
+            integration=QONTRACT_INTEGRATION,
+            integration_version=QONTRACT_INTEGRATION_VERSION,
+            integration_prefix=QONTRACT_TF_PREFIX,
+            accounts=accounts_untyped,
+            working_dirs=working_dirs,
+            thread_pool_size=thread_pool_size,
+        )
+
+        tf_client.plan(enable_deletion=enable_deletion)
+
+        if dry_run:
+            sys.exit(ExitCodes.SUCCESS)
+
+        tf_client.apply()
+
+        handled_output = self._handle_outputs(data, tf_client.outputs)
+
+        # MR and template Management
+        vcs = VCS(
+            secret_reader=secret_reader,
+            github_orgs=get_github_orgs(),
+            gitlab_instances=get_gitlab_instances(),
+            app_interface_repo_url=get_app_interface_repo_url(),
+            dry_run=dry_run,
+            allow_deleting_mrs=False,
+            allow_opening_mrs=True,
+        )
+
+        mr_manager = MergeRequestManager(
+            vcs=vcs,
+            renderer=Renderer(),
+            parser=create_parser(),
+            auto_merge_enabled=True,
+        )
+
+        mr_manager._fetch_managed_open_merge_requests()
+
+        # Create a MR for each vpc request if the MR don't exist yet
+        for _, outputs in handled_output.items():
+            template = gql_api.get_template(
+                path="/templating/templates/terraform-vpc-resources/vpc.yml"
+            )["template"]
+            content = self._render_template(template=template, data=outputs)
+
+            mr_manager.create_merge_request(
+                MrData(
+                    account=outputs["static"]["account_name"],
+                    content=content,
+                    path=f"data/aws/{outputs['static']['account_name']}/vpcs/{outputs['static']['identifier']}.yml",
+                )
+            )
+
+    def get_desired_state_shard_config(self) -> DesiredStateShardConfig:
+        return DesiredStateShardConfig(
+            shard_arg_name="account_name",
+            shard_path_selectors={
+                "accounts[*].name",
+            },
+            sharded_run_review=lambda proposal: len(proposal.proposed_shards) <= 2,
+        )

reconcile/terraform_vpc_resources/merge_request.py

@@ -0,0 +1,57 @@
+import re
+import string
+
+from pydantic import BaseModel
+
+from reconcile.utils.merge_request_manager.parser import Parser
+
+PROMOTION_DATA_SEPARATOR = "**DO NOT MANUALLY CHANGE ANYTHING BELOW THIS LINE**"
+VERSION = "0.1.0"
+LABEL = "terraform-vpc-resources"
+
+VERSION_REF = "tf_vpc_resources_version"
+ACCOUNT_REF = "account"
+COMPILED_REGEXES = {
+    i: re.compile(rf".*{i}: (.*)$", re.MULTILINE) for i in [VERSION_REF, ACCOUNT_REF]
+}
+
+DESC = string.Template(
+    f"""
+This MR is triggered by app-interface's [terraform-vpc-resources](https://github.com/app-sre/qontract-reconcile/tree/master/reconcile/terraform_vpc_request).
+
+Please **do not remove** the **{LABEL}** label from this MR!
+
+Parts of this description are used by integration to manage the MR.
+
+{PROMOTION_DATA_SEPARATOR}
+
+* {VERSION_REF}: {VERSION}
+* {ACCOUNT_REF}: $account
+"""
+)
+
+
+class Info(BaseModel):
+    account: str
+
+
+def create_parser() -> Parser:
+    """Create a parser for MRs created by terraform-vpc-resources."""
+
+    return Parser[Info](
+        klass=Info,
+        compiled_regexes=COMPILED_REGEXES,
+        version_ref=VERSION_REF,
+        expected_version=VERSION,
+        data_separator=PROMOTION_DATA_SEPARATOR,
+    )
+
+
+class Renderer:
+    """This class is only concerned with rendering text for MRs."""
+
+    def render_description(self, account: str) -> str:
+        return DESC.safe_substitute(account=account)
+
+    def render_title(self, account: str) -> str:
+        return f"[auto] VPC data file creation to {account}"

reconcile/terraform_vpc_resources/merge_request_manager.py

@@ -0,0 +1,107 @@
+import logging
+
+from gitlab.exceptions import GitlabGetError
+from pydantic import BaseModel
+
+from reconcile.terraform_vpc_resources.merge_request import (
+    LABEL,
+    Info,
+    Renderer,
+)
+from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.merge_request_manager.merge_request_manager import (
+    MergeRequestManagerBase,
+)
+from reconcile.utils.merge_request_manager.parser import Parser
+from reconcile.utils.mr.base import MergeRequestBase
+from reconcile.utils.mr.labels import AUTO_MERGE
+from reconcile.utils.vcs import VCS
+
+
+class VPCRequestMR(MergeRequestBase):
+    name = "VPCRequest"
+
+    def __init__(
+        self,
+        title: str,
+        description: str,
+        vpc_tmpl_file_path: str,
+        vpc_tmpl_file_content: str,
+        labels: list[str],
+    ):
+        super().__init__()
+        self._title = title
+        self._description = description
+        self._vpc_tmpl_file_path = vpc_tmpl_file_path
+        self._vpc_tmpl_file_content = vpc_tmpl_file_content
+        self.labels = labels
+
+    @property
+    def title(self) -> str:
+        return self._title
+
+    @property
+    def description(self) -> str:
+        return self._description
+
+    def process(self, gitlab_cli: GitLabApi) -> None:
+        gitlab_cli.create_file(
+            branch_name=self.branch,
+            file_path=self._vpc_tmpl_file_path,
+            commit_message="add vpc datafile",
+            content=self._vpc_tmpl_file_content,
+        )
+
+
+class MrData(BaseModel):
+    account: str
+    content: str
+    path: str
+
+
+class MergeRequestManager(MergeRequestManagerBase[Info]):
+    """Manager for the merge requests.
+
+    This class is responsible for housekeeping (closing old/bad MRs) and
+    opening new MRs.
+    """
+
+    def __init__(
+        self, vcs: VCS, renderer: Renderer, parser: Parser, auto_merge_enabled: bool
+    ):
+        super().__init__(vcs, parser, LABEL)
+        self._renderer = renderer
+        self._auto_merge_enabled = auto_merge_enabled
+
+    def create_merge_request(self, data: MrData) -> None:
+        """Open a new MR, if not already present, for a VPC datafile and close any outdated before."""
+        if not self._housekeeping_ran:
+            self.housekeeping()
+
+        if self._merge_request_already_exists({"account": data.account}):
+            logging.info("MR already exists for %s", data.account)
+            return None
+
+        try:
+            self._vcs.get_file_content_from_app_interface_master(file_path=data.path)
+            # the file exists, nothing to do
+            return None
+        except GitlabGetError as e:
+            if e.response_code != 404:
+                raise
+
+        description = self._renderer.render_description(account=data.account)
+        title = self._renderer.render_title(account=data.account)
+        logging.info("Open MR for %s", data.account)
+        mr_labels = [LABEL]
+        if self._auto_merge_enabled:
+            mr_labels.append(AUTO_MERGE)
+        self._vcs.open_app_interface_merge_request(
+            mr=VPCRequestMR(
+                vpc_tmpl_file_path=data.path,
+                title=title,
+                description=description,
+                vpc_tmpl_file_content=data.content,
+                labels=mr_labels,
+            )
+        )

reconcile/typed_queries/aws_vpc_requests.py

@@ -0,0 +1,11 @@
+from typing import Optional
+
+from reconcile.gql_definitions.common.aws_vpc_requests import VPCRequest, query
+from reconcile.utils import gql
+from reconcile.utils.gql import GqlApi
+
+
+def get_aws_vpc_requests(gql_api: Optional[GqlApi] = None) -> list[VPCRequest]:
+    api = gql_api if gql_api else gql.get_api()
+    data = query(query_func=api.query)
+    return list(data.vpc_requests or [])

reconcile/utils/gql.py

@@ -178,6 +178,29 @@ class GqlApi:
 
         return result["data"]
 
+    def get_template(self, path: str) -> dict[str, str]:
+        query = """
+        query Template($path: String) {
+          templates: template_v1(path: $path) {
+            path
+            template
+          }
+        }
+        """
+
+        try:
+            templates = []
+            q_result = self.query(query, {"path": path})
+            if q_result:
+                templates = q_result["templates"]
+        except GqlApiError:
+            raise GqlGetResourceError(path, "Template not found.")
+
+        if len(templates) != 1:
+            raise GqlGetResourceError(path, "Expecting one and only one template.")
+
+        return templates[0]
+
     def get_resource(self, path: str) -> dict[str, Any]:
         query = """
         query Resource($path: String) {

reconcile/utils/terrascript_aws_client.py

@@ -36,6 +36,7 @@ from sretoolbox.utils import threaded
 from terrascript import (
     Backend,
     Data,
+    Module,
     Output,
     Provider,
     Resource,
@@ -144,6 +145,9 @@ import reconcile.utils.aws_helper as awsh
 from reconcile import queries
 from reconcile.cli import TERRAFORM_VERSION
 from reconcile.github_org import get_default_config
+from reconcile.gql_definitions.fragments.aws_vpc_request import (
+    VPCRequest,
+)
 from reconcile.gql_definitions.terraform_resources.terraform_resources_namespaces import (
     NamespaceTerraformResourceLifecycleV1,
 )
@@ -1181,6 +1185,66 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
                     tf_resource = aws_route(route_identifier, **values)
                     self.add_resource(infra_account_name, tf_resource)
 
+    def populate_vpc_requests(
+        self, vpc_requests: Iterable[VPCRequest], aws_provider_version: str
+    ) -> None:
+        for request in vpc_requests:
+            # The default values here come from infra repo's module configuration
+            values = {
+                "source": "terraform-aws-modules/vpc/aws",
+                "version": aws_provider_version,
+                "name": request.identifier,
+                "cidr": request.cidr_block.network_address,
+                "private_subnet_tags": {"kubernetes.io/role/internal-elb": "1"},
+                "public_subnet_tags": {"kubernetes.io/role/elb": "1"},
+                "create_database_subnet_group": False,
+                "enable_dns_hostnames": True,
+                "tags": {
+                    "managed_by_integration": self.integration,
+                },
+            }
+
+            if request.subnets and request.subnets.public:
+                values["public_subnets"] = request.subnets.public
+            if request.subnets and request.subnets.private:
+                values["private_subnets"] = request.subnets.private
+            if request.subnets and request.subnets.availability_zones:
+                values["azs"] = request.subnets.availability_zones
+
+            # We only want to enable nat_gateway if we have public and private subnets
+            if request.subnets and request.subnets.public and request.subnets.private:
+                values["enable_nat_gateway"] = True
+
+            aws_account = request.account.name
+            module = Module(request.identifier, **values)
+            self.add_resource(aws_account, module)
+
+            # The outputs for module are only working with this sintaxe
+            vpc_id_output = Output(
+                f"{request.identifier}-vpc_id", value=f"${{{module.vpc_id}}}"
+            )
+            self.add_resource(aws_account, vpc_id_output)
+
+            vpc_cidr_block_output = Output(
+                f"{request.identifier}-vpc_cidr_block",
+                value=f"${{{module.vpc_cidr_block}}}",
+            )
+            self.add_resource(aws_account, vpc_cidr_block_output)
+
+            if request.subnets and request.subnets.private:
+                private_subnets_output = Output(
+                    f"{request.identifier}-private_subnets",
+                    value=f"${{module.{request.identifier}.private_subnets}}",
+                )
+                self.add_resource(aws_account, private_subnets_output)
+
+            if request.subnets and request.subnets.public:
+                public_subnets_output = Output(
+                    f"{request.identifier}-public_subnets",
+                    value=f"${{module.{request.identifier}.public_subnets}}",
+                )
+                self.add_resource(aws_account, public_subnets_output)
+
     def populate_tgw_attachments(self, desired_state):
         for item in desired_state:
             if item.deleted: