qontract-reconcile 0.10.1rc879__py3-none-any.whl → 0.10.1rc881__py3-none-any.whl

{qontract_reconcile-0.10.1rc879.dist-info → qontract_reconcile-0.10.1rc881.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc879
+Version: 0.10.1rc881
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc879.dist-info → qontract_reconcile-0.10.1rc881.dist-info}/RECORD

@@ -138,11 +138,11 @@ reconcile/aus/version_gates/ingress_gate_handler.py,sha256=ZCtyggBzzcb0prtdbMpJs
 reconcile/aus/version_gates/ocp_gate_handler.py,sha256=RW1ppDaCZXVegV9AzzqYXxDUu_Z_7d43Z5h2Pk_piKc,716
 reconcile/aus/version_gates/sts_version_gate_handler.py,sha256=PhJ7yBh2q-rv9CJcfFhc0H11nyDyG7NAryNS3F74xdY,3697
 reconcile/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/aws_account_manager/integration.py,sha256=FRZ1_jaK4maY4ClJmVGB7dCkDxZCaQP4yMDlYF-Lc3E,15042
+reconcile/aws_account_manager/integration.py,sha256=60tMmQNAsc5BGqJh3v3sOrnIjfTPRG2rgPxwAbCsPP4,15005
 reconcile/aws_account_manager/merge_request_manager.py,sha256=zZct3NxWMBQupl4QfD7ULxnt4ipt_2FBoH_NusboIuw,3781
 reconcile/aws_account_manager/metrics.py,sha256=YB10ea4kIGwJfs5N14RF-RoXPb-QQWaDBz1jLZ3YWE0,917
-reconcile/aws_account_manager/reconciler.py,sha256=AqAA3TIEfuYzIogHSBgwYTebxbTy1D6JhcxdLiOfCsc,13588
-reconcile/aws_account_manager/utils.py,sha256=K4rAjEMK-eQ_Sv4lOf6dPynQy97xZ4h-n6cJn5Z6zVw,1248
+reconcile/aws_account_manager/reconciler.py,sha256=5YG7nZ4GG1SY2Pe_OxetdtzOnl37MllZMu_ca22vRSo,15025
+reconcile/aws_account_manager/utils.py,sha256=iYPPOtbZ7FiKkz9v5f1YXRIHw5YFOtSavUkF8oMwfJY,1439
 reconcile/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_ami_cleanup/integration.py,sha256=IW95cpMj2P5ffs-AxsR_TDQCJnYFBhLIfP2de7dz_8A,10109
 reconcile/aws_cloudwatch_log_retention/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -194,12 +194,12 @@ reconcile/external_resources/reconciler.py,sha256=E50X_lnOD0OWYXMzyZld1P6dCFJFYj
 reconcile/external_resources/secrets_sync.py,sha256=xFQ_ObWl29btbxzEJSkndvHBPcsVpSTkmUlWcUGzZ70,15132
 reconcile/external_resources/state.py,sha256=fA_CzT4oNie4wnaImwW-W1duWEOKFyS1omcnMyYwx2Q,9644
 reconcile/glitchtip/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/glitchtip/integration.py,sha256=Y7ofQg_xCt3dOln3pjeXp7rAnwohCgD2zcUAb-Hciis,8375
+reconcile/glitchtip/integration.py,sha256=SCfdllg0cywCyLKCA66yUm9Z_Sb8t5E0jDEKdwRk6HI,8372
 reconcile/glitchtip/reconciler.py,sha256=nUvDv7qG1ly0cA16MmlL6NV71yl1mJYLT2mui7lmi0Y,12402
 reconcile/glitchtip_project_alerts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/glitchtip_project_alerts/integration.py,sha256=EJBZJldOyK_ECAfgr1RjxabtsVRIBbZcW-7JU4cwVsA,12429
+reconcile/glitchtip_project_alerts/integration.py,sha256=HI_HgvTTc2K-8Md0SpEBs6tOZ3CQm-AbOatbw_NrKqg,12425
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/glitchtip_project_dsn/integration.py,sha256=qt2a33FOUUlCyonSHm3nUb7pNXgLAq8sv_JQCm6Vj3U,8113
+reconcile/glitchtip_project_dsn/integration.py,sha256=5c8RVIO3Wjz2kBfB52EmxZ6VP2JQ1rLGMM9lybNhdAE,8109
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
@@ -211,7 +211,7 @@ reconcile/gql_definitions/advanced_upgrade_service/aus_organization.py,sha256=zU
 reconcile/gql_definitions/app_interface_metrics_exporter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/app_interface_metrics_exporter/onboarding_status.py,sha256=uVEEqU6YYmKsNTo6EWlFnoVmqha2rvBDx-wiD64VmG0,1679
 reconcile/gql_definitions/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/aws_account_manager/aws_accounts.py,sha256=jJfIzTtDiW6rasv3PFEbyVHA0d8bfRYSVYP5HxslYnY,4649
+reconcile/gql_definitions/aws_account_manager/aws_accounts.py,sha256=R-Au5ZErdKSWqANtpiayLikvMSj3ha9muWoX5FI7-AE,4718
 reconcile/gql_definitions/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_ami_cleanup/asg_namespaces.py,sha256=OJmeTu7uirLGAysZ3IQTtRXqMyL8noi_QZxPuWYxxmI,3678
 reconcile/gql_definitions/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -281,7 +281,7 @@ reconcile/gql_definitions/external_resources/external_resources_settings.py,sha2
 reconcile/gql_definitions/fragments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/fragments/aus_organization.py,sha256=uBKbTuBa3CZmTXR5HOcGhRcu2U9kM93KbYmoWTxcpB0,4767
 reconcile/gql_definitions/fragments/aws_account_common.py,sha256=3-7ZAP6GSff7Z2Syz2VQCLY4IySqBOSVmceaRiVNQpw,2385
-reconcile/gql_definitions/fragments/aws_account_managed.py,sha256=zXbux0Bb7QZ37fU4LLMKB4m0rT3Y8bD10C1TuOsH_ZQ,1470
+reconcile/gql_definitions/fragments/aws_account_managed.py,sha256=sM5J4TczyqpzhBFkX0IIQifRYvYpDIMY7pOhEDOUXCY,1789
 reconcile/gql_definitions/fragments/aws_account_sso.py,sha256=ITR3PLz4Iq1SiWAoYGWPDuHJnAmTyZ0QQqs2Zsi8pxA,979
 reconcile/gql_definitions/fragments/aws_infra_management_account.py,sha256=uAmALVRF2gBM3p_Dmez_ew6KVAtetamwOPkRIPZAlGc,1254
 reconcile/gql_definitions/fragments/aws_vpc.py,sha256=T2egTwi2Rb0IRBBmsyag8xKpu_m6GbIAy80fhZNZwk8,1434
@@ -309,9 +309,9 @@ reconcile/gql_definitions/gitlab_members/gitlab_instances.py,sha256=oYPvfiOsPTGH
 reconcile/gql_definitions/gitlab_members/permissions.py,sha256=Qzj3Fpv7xj8v9eygeP312nHRNg8er8XMRBveynPIyQM,3302
 reconcile/gql_definitions/glitchtip/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/glitchtip/glitchtip_instance.py,sha256=QUfLhRkdE_-SorWgLBB8LHFD6kihbFwEoVByCLax3yM,2781
-reconcile/gql_definitions/glitchtip/glitchtip_project.py,sha256=oFijq1LIQysUM-IOyNUjxVZgRD93NK12lNvJuBq4vjE,6008
+reconcile/gql_definitions/glitchtip/glitchtip_project.py,sha256=AojrkCDGbVjY0TOkfookz-9tqLA9txY7_xNdsWe174c,6004
 reconcile/gql_definitions/glitchtip_project_alerts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/glitchtip_project_alerts/glitchtip_project.py,sha256=tZhSFb5eIIc5BOgMPQeV9tEwrVu1MnrxaQ5pQ0zEKk4,4468
+reconcile/gql_definitions/glitchtip_project_alerts/glitchtip_project.py,sha256=pnkysdaQtdiVVxz9s7V8qttFygqcXOuXREd4LF7tCW8,4466
 reconcile/gql_definitions/integrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/integrations/integrations.py,sha256=LfpgVbCCCk20ohwP5pDea5fwxMFGrcgE6J_WHBuGqek,11595
 reconcile/gql_definitions/jenkins_configs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -715,7 +715,8 @@ reconcile/utils/acs/notifiers.py,sha256=2n5blP9N1FdGLZuy3do9bpjd8NKg88kmLNNqhAGn
 reconcile/utils/acs/policies.py,sha256=_jAz6cv8KRYtDsXjGoJgNbD8_9PUa5LSwwVlpK4A_cQ,5505
 reconcile/utils/acs/rbac.py,sha256=ugsLM9Pb7FbUbdq85E3VzXGMaB9ZovXob7tdWCxwqZ8,8808
 reconcile/utils/aws_api_typed/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/utils/aws_api_typed/api.py,sha256=NJJXmV01nBtQLf-Vv5xfieboCsY3inNd4ekRKxS_-Wo,8790
+reconcile/utils/aws_api_typed/account.py,sha256=puYfDsWF1E1Ub5e8yh0Hqz-whqERGn819N08i-g4zgY,626
+reconcile/utils/aws_api_typed/api.py,sha256=1h_dQXnE7FUAZi4RRgBEU7nbyAz8awRo0cpuilXyhHE,9239
 reconcile/utils/aws_api_typed/dynamodb.py,sha256=AKUbz8HGzmSq4cnpjJe7PgqsikMkjbpbzUD2UJv2b58,383
 reconcile/utils/aws_api_typed/iam.py,sha256=ka46H2-SzTCgy6EJYapKTzyZK9vR1bkfD0wF8bDdy1Q,2201
 reconcile/utils/aws_api_typed/organization.py,sha256=oXftcLVuSs9qej6efdssl38FvjeZaQC5R2Wj3NzxX4U,5529
@@ -837,8 +838,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jrss,4941
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc879.dist-info/METADATA,sha256=4h4jN56Q5GugfmWXxRkczGqc0xzefD2xu-AnO3BlsBc,2273
-qontract_reconcile-0.10.1rc879.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc879.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc879.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc879.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc881.dist-info/METADATA,sha256=aWt-wXRL72DWuJYJh5aKEqNiw9lbIpToGNsTP6zL8tI,2273
+qontract_reconcile-0.10.1rc881.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc881.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc881.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc881.dist-info/RECORD,,

reconcile/aws_account_manager/integration.py

@@ -114,10 +114,8 @@ class AwsAccountMgmtIntegration(
             for account in data.accounts or []
             if integration_is_enabled(self.name, account)
             and (not account_name or account.name == account_name)
+            and validate(account)
         ]
-        for account in all_aws_accounts:
-            validate(account)
-
         payer_accounts = [
             account
             for account in all_aws_accounts
@@ -219,18 +217,16 @@ class AwsAccountMgmtIntegration(
                 self.reconcile_account(account_role_api, reconciler, account)
 
     def reconcile_account(
-        self,
-        aws_api: AWSApi,
-        reconciler: AWSReconciler,
-        account: AWSAccountManaged,
-        create_initial_user: bool = True,
+        self, aws_api: AWSApi, reconciler: AWSReconciler, account: AWSAccountManaged
     ) -> None:
         """Reconcile an AWS account."""
+        assert account.security_contact  # mypy
         reconciler.reconcile_account(
             aws_api=aws_api,
             name=account.name,
             alias=account.alias,
             quotas=[q for ql in account.quota_limits or [] for q in ql.quotas],
+            security_contact=account.security_contact,
         )
 
     def reconcile_payer_accounts(
@@ -245,8 +241,7 @@ class AwsAccountMgmtIntegration(
         # reconcile accounts within payer accounts, aka organization accounts
         for payer_account in payer_accounts:
             # having a state per flavor and payer account makes it easier in a shared environment
-            reconciler.state.state_path = default_state_path
-            reconciler.state.state_path += f"/{payer_account.name}"
+            reconciler.state.state_path = f"{default_state_path}/{payer_account.name}"
             aws_account_manager_role = (
                 payer_account.automation_role.aws_account_manager
                 if payer_account.automation_role
@@ -290,8 +285,8 @@ class AwsAccountMgmtIntegration(
     ) -> None:
         """Reconcile accounts not part of an organization via a payer account (e.g. payer accounts themselves)"""
         for account in non_organization_accounts:
-            reconciler.state.state_path = default_state_path
-            reconciler.state.state_path += f"/{account.name}"
+            # the state must be account specific
+            reconciler.state.state_path = f"{default_state_path}/{account.name}"
             secret = self.secret_reader.read_all_secret(account.automation_token)
             with AWSApi(
                 AWSStaticCredentials(

reconcile/aws_account_manager/reconciler.py

@@ -25,6 +25,7 @@ TASK_REQUEST_SERVICE_QUOTA = "request-service-quota"
 TASK_CHECK_SERVICE_QUOTA_STATUS = "check-service-quota-status"
 TASK_ENABLE_ENTERPRISE_SUPPORT = "enable-enterprise-support"
 TASK_CHECK_ENTERPRISE_SUPPORT_STATUS = "check-enterprise-support-status"
+TASK_SET_SECURITY_CONTACT = "set-security-contact"
 
 
 class Quota(Protocol):
@@ -35,6 +36,15 @@ class Quota(Protocol):
     def dict(self) -> dict[str, Any]: ...
 
 
+class Contact(Protocol):
+    name: str
+    title: str | None
+    email: str
+    phone_number: str
+
+    def dict(self) -> dict[str, Any]: ...
+
+
 class AWSReconciler:
     def __init__(self, state: State, dry_run: bool) -> None:
         self.state = state
@@ -288,6 +298,33 @@ class AWSReconciler:
             )
             raise AbortStateTransaction("Enterprise support case still open")
 
+    def _set_security_contact(
+        self,
+        aws_api: AWSApi,
+        account: str,
+        name: str,
+        title: str | None,
+        email: str,
+        phone_number: str,
+    ) -> None:
+        """Set the security contact for the account."""
+        title = title or name
+        security_contact = f"{name} {title} {email} {phone_number}"
+        with self.state.transaction(
+            state_key(account, TASK_SET_SECURITY_CONTACT)
+        ) as _state:
+            if _state.exists and _state.value == security_contact:
+                return
+
+            logging.info(f"Setting security contact for {account}")
+            if self.dry_run:
+                raise AbortStateTransaction("Dry run")
+
+            aws_api.account.set_security_contact(
+                name=name, title=title, email=email, phone_number=phone_number
+            )
+            _state.value = security_contact
+
     #
     # Public methods
     #
@@ -345,9 +382,22 @@ class AWSReconciler:
             self._check_enterprise_support_status(aws_api, case_id)
 
     def reconcile_account(
-        self, aws_api: AWSApi, name: str, alias: str | None, quotas: Iterable[Quota]
+        self,
+        aws_api: AWSApi,
+        name: str,
+        alias: str | None,
+        quotas: Iterable[Quota],
+        security_contact: Contact,
     ) -> None:
         """Reconcile/update the AWS account. Return the initial user access key if a new user was created."""
         self._set_account_alias(aws_api, name, alias)
         if request_ids := self._request_quotas(aws_api, name, quotas):
             self._check_quota_change_requests(aws_api, name, request_ids)
+        self._set_security_contact(
+            aws_api,
+            account=name,
+            name=security_contact.name,
+            title=security_contact.title,
+            email=security_contact.email,
+            phone_number=security_contact.phone_number,
+        )

reconcile/aws_account_manager/utils.py

@@ -30,6 +30,9 @@ def validate(account: AWSAccountV1) -> bool:
                 f"Premium support is required for payer account {account.name}"
             )
 
+    # security contact is mandatory for all accounts since June 2024
+    if not account.security_contact:
+        raise ValueError(f"Security contact is required for account {account.name}")
     return True
 
 

reconcile/glitchtip/integration.py

@@ -19,7 +19,7 @@ from reconcile.gql_definitions.glitchtip.glitchtip_project import (
     DEFINITION as GLITCHTIP_PROJECT_DEFINITION,
 )
 from reconcile.gql_definitions.glitchtip.glitchtip_project import (
-    GlitchtipProjectsV1,
+    GlitchtipProjectV1,
     RoleV1,
 )
 from reconcile.gql_definitions.glitchtip.glitchtip_project import (
@@ -87,7 +87,7 @@ def fetch_current_state(
 
 
 def fetch_desired_state(
-    glitchtip_projects: Sequence[GlitchtipProjectsV1],
+    glitchtip_projects: Sequence[GlitchtipProjectV1],
     mail_domain: str,
     internal_groups_client: InternalGroupsClient,
 ) -> list[Organization]:
@@ -143,7 +143,7 @@ def fetch_desired_state(
     return list(organizations.values())
 
 
-def get_glitchtip_projects(query_func: Callable) -> list[GlitchtipProjectsV1]:
+def get_glitchtip_projects(query_func: Callable) -> list[GlitchtipProjectV1]:
     glitchtip_projects = (
         glitchtip_project_query(query_func=query_func).glitchtip_projects or []
     )

reconcile/glitchtip_project_alerts/integration.py

@@ -18,7 +18,7 @@ from reconcile.gql_definitions.glitchtip_project_alerts.glitchtip_project import
     GlitchtipProjectAlertRecipientEmailV1,
     GlitchtipProjectAlertRecipientV1,
     GlitchtipProjectAlertRecipientWebhookV1,
-    GlitchtipProjectsV1,
+    GlitchtipProjectV1,
 )
 from reconcile.gql_definitions.glitchtip_project_alerts.glitchtip_project import (
     query as glitchtip_project_query,
@@ -73,7 +73,7 @@ class GlitchtipProjectAlertsIntegration(
     def get_early_exit_desired_state(self) -> Optional[dict[str, Any]]:
         return {"projects": [c.dict() for c in self.get_projects(gql.get_api().query)]}
 
-    def get_projects(self, query_func: Callable) -> list[GlitchtipProjectsV1]:
+    def get_projects(self, query_func: Callable) -> list[GlitchtipProjectV1]:
         return glitchtip_project_query(query_func=query_func).glitchtip_projects or []
 
     def _build_project_alert_recipient(
@@ -95,7 +95,7 @@ class GlitchtipProjectAlertsIntegration(
 
     def fetch_desired_state(
         self,
-        glitchtip_projects: Iterable[GlitchtipProjectsV1],
+        glitchtip_projects: Iterable[GlitchtipProjectV1],
         gjb_alert_url: str | None,
         gjb_token: str | None,
     ) -> list[Organization]:
@@ -264,7 +264,7 @@ class GlitchtipProjectAlertsIntegration(
         glitchtip_instances = glitchtip_instance_query(
             query_func=gqlapi.query
         ).instances
-        glitchtip_projects_by_instance: dict[str, list[GlitchtipProjectsV1]] = (
+        glitchtip_projects_by_instance: dict[str, list[GlitchtipProjectV1]] = (
             defaultdict(list)
         )
         for glitchtip_project in self.get_projects(query_func=gqlapi.query):

reconcile/glitchtip_project_dsn/integration.py

@@ -20,7 +20,7 @@ from reconcile.gql_definitions.glitchtip.glitchtip_instance import (
 from reconcile.gql_definitions.glitchtip.glitchtip_project import (
     DEFINITION as GLITCHTIP_PROJECT_DEFINITION,
 )
-from reconcile.gql_definitions.glitchtip.glitchtip_project import GlitchtipProjectsV1
+from reconcile.gql_definitions.glitchtip.glitchtip_project import GlitchtipProjectV1
 from reconcile.gql_definitions.glitchtip.glitchtip_project import (
     query as glitchtip_project_query,
 )
@@ -73,7 +73,7 @@ def glitchtip_project_dsn_secret(project: Project, key: ProjectKey) -> dict[str,
 
 
 def fetch_current_state(
-    project: GlitchtipProjectsV1,
+    project: GlitchtipProjectV1,
     oc_map: OCMap,
     ri: ResourceInventory,
 ) -> None:
@@ -110,7 +110,7 @@ def fetch_current_state(
 
 
 def fetch_desired_state(
-    glitchtip_projects: Iterable[GlitchtipProjectsV1],
+    glitchtip_projects: Iterable[GlitchtipProjectV1],
     ri: ResourceInventory,
     glitchtip_client: GlitchtipClient,
 ) -> None:
@@ -145,7 +145,7 @@ def fetch_desired_state(
             )
 
 
-def projects_query(query_func: Callable) -> list[GlitchtipProjectsV1]:
+def projects_query(query_func: Callable) -> list[GlitchtipProjectV1]:
     glitchtip_projects = []
     for project in (
         glitchtip_project_query(query_func=query_func).glitchtip_projects or []

reconcile/gql_definitions/aws_account_manager/aws_accounts.py

@@ -39,6 +39,12 @@ fragment AWSAccountManaged on AWSAccount_v1 {
       value
     }
   }
+  securityContact {
+    name
+    title
+    email
+    phoneNumber
+  }
 }
 
 fragment VaultSecret on VaultSecret_v1 {

reconcile/gql_definitions/fragments/aws_account_managed.py

@@ -40,6 +40,13 @@ class AWSQuotaLimitsV1(ConfiguredBaseModel):
     quotas: list[AWSQuotaV1] = Field(..., alias="quotas")
 
 
+class AWSContactV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    title: Optional[str] = Field(..., alias="title")
+    email: str = Field(..., alias="email")
+    phone_number: str = Field(..., alias="phoneNumber")
+
+
 class AWSAccountManaged(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     uid: str = Field(..., alias="uid")
@@ -47,3 +54,4 @@ class AWSAccountManaged(ConfiguredBaseModel):
     premium_support: bool = Field(..., alias="premiumSupport")
     organization: Optional[AWSOrganizationV1] = Field(..., alias="organization")
     quota_limits: Optional[list[AWSQuotaLimitsV1]] = Field(..., alias="quotaLimits")
+    security_contact: Optional[AWSContactV1] = Field(..., alias="securityContact")

reconcile/gql_definitions/glitchtip/glitchtip_project.py

@@ -143,7 +143,7 @@ class GlitchtipInstanceV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
 
 
-class GlitchtipProjectsV1_GlitchtipOrganizationV1(ConfiguredBaseModel):
+class GlitchtipProjectV1_GlitchtipOrganizationV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     instance: GlitchtipInstanceV1 = Field(..., alias="instance")
     owners: Optional[list[str]] = Field(..., alias="owners")
@@ -180,19 +180,19 @@ class AppV1(ConfiguredBaseModel):
     path: str = Field(..., alias="path")
 
 
-class GlitchtipProjectsV1(ConfiguredBaseModel):
+class GlitchtipProjectV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     platform: str = Field(..., alias="platform")
     project_id: Optional[str] = Field(..., alias="projectId")
     event_throttle_rate: Optional[int] = Field(..., alias="eventThrottleRate")
     teams: list[GlitchtipTeamV1] = Field(..., alias="teams")
-    organization: GlitchtipProjectsV1_GlitchtipOrganizationV1 = Field(..., alias="organization")
+    organization: GlitchtipProjectV1_GlitchtipOrganizationV1 = Field(..., alias="organization")
     namespaces: list[NamespaceV1] = Field(..., alias="namespaces")
     app: Optional[AppV1] = Field(..., alias="app")
 
 
 class ProjectsQueryData(ConfiguredBaseModel):
-    glitchtip_projects: Optional[list[GlitchtipProjectsV1]] = Field(..., alias="glitchtip_projects")
+    glitchtip_projects: Optional[list[GlitchtipProjectV1]] = Field(..., alias="glitchtip_projects")
 
 
 def query(query_func: Callable, **kwargs: Any) -> ProjectsQueryData:

reconcile/gql_definitions/glitchtip_project_alerts/glitchtip_project.py

@@ -122,7 +122,7 @@ class GlitchtipProjectJiraV1(ConfiguredBaseModel):
     labels: Optional[list[str]] = Field(..., alias="labels")
 
 
-class GlitchtipProjectsV1(ConfiguredBaseModel):
+class GlitchtipProjectV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     project_id: Optional[str] = Field(..., alias="projectId")
     organization: GlitchtipOrganizationV1 = Field(..., alias="organization")
@@ -131,7 +131,7 @@ class GlitchtipProjectsV1(ConfiguredBaseModel):
 
 
 class GlitchtipProjectsWithAlertsQueryData(ConfiguredBaseModel):
-    glitchtip_projects: Optional[list[GlitchtipProjectsV1]] = Field(..., alias="glitchtip_projects")
+    glitchtip_projects: Optional[list[GlitchtipProjectV1]] = Field(..., alias="glitchtip_projects")
 
 
 def query(query_func: Callable, **kwargs: Any) -> GlitchtipProjectsWithAlertsQueryData:

reconcile/utils/aws_api_typed/account.py

@@ -0,0 +1,23 @@
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from mypy_boto3_account import AccountClient
+else:
+    AccountClient = object
+
+
+class AWSApiAccount:
+    def __init__(self, client: AccountClient) -> None:
+        self.client = client
+
+    def set_security_contact(
+        self, name: str, title: str, email: str, phone_number: str
+    ) -> None:
+        """Set the security contact for the account."""
+        self.client.put_alternate_contact(
+            AlternateContactType="SECURITY",
+            EmailAddress=email,
+            Name=name,
+            Title=title,
+            PhoneNumber=phone_number,
+        )

reconcile/utils/aws_api_typed/api.py

@@ -9,6 +9,7 @@ from boto3 import Session
 from botocore.client import BaseClient
 from pydantic import BaseModel
 
+import reconcile.utils.aws_api_typed.account
 import reconcile.utils.aws_api_typed.dynamodb
 import reconcile.utils.aws_api_typed.iam
 import reconcile.utils.aws_api_typed.organization
@@ -16,6 +17,7 @@ import reconcile.utils.aws_api_typed.s3
 import reconcile.utils.aws_api_typed.service_quotas
 import reconcile.utils.aws_api_typed.sts
 import reconcile.utils.aws_api_typed.support
+from reconcile.utils.aws_api_typed.account import AWSApiAccount
 from reconcile.utils.aws_api_typed.dynamodb import AWSApiDynamoDB
 from reconcile.utils.aws_api_typed.iam import AWSApiIam
 from reconcile.utils.aws_api_typed.organization import AWSApiOrganizations
@@ -26,13 +28,14 @@ from reconcile.utils.aws_api_typed.support import AWSApiSupport
 
 SubApi = TypeVar(
     "SubApi",
+    AWSApiAccount,
+    AWSApiDynamoDB,
     AWSApiIam,
     AWSApiOrganizations,
     AWSApiS3,
     AWSApiServiceQuotas,
     AWSApiSts,
     AWSApiSupport,
-    AWSApiDynamoDB,
 )
 
 
@@ -168,6 +171,12 @@ class AWSApi:
     def _init_sub_api(self, api_cls: type[SubApi]) -> SubApi:
         """Return a new or cached sub api client."""
         match api_cls:
+            case reconcile.utils.aws_api_typed.account.AWSApiAccount:
+                client = self.session.client("account")
+                api = api_cls(client)
+            case reconcile.utils.aws_api_typed.dynamodb.AWSApiDynamoDB:
+                client = self.session.client("dynamodb")
+                api = api_cls(client)
             case reconcile.utils.aws_api_typed.iam.AWSApiIam:
                 client = self.session.client("iam")
                 api = api_cls(client)
@@ -186,15 +195,22 @@ class AWSApi:
             case reconcile.utils.aws_api_typed.support.AWSApiSupport:
                 client = self.session.client("support")
                 api = api_cls(client)
-            case reconcile.utils.aws_api_typed.dynamodb.AWSApiDynamoDB:
-                client = self.session.client("dynamodb")
-                api = api_cls(client)
             case _:
                 raise ValueError(f"Unknown API class: {api_cls}")
 
         self._session_clients.append(client)
         return api
 
+    @cached_property
+    def account(self) -> AWSApiAccount:
+        """Return an AWS Acount Api client"""
+        return self._init_sub_api(AWSApiAccount)
+
+    @cached_property
+    def dynamodb(self) -> AWSApiDynamoDB:
+        """Return an AWS DynamoDB Api client"""
+        return self._init_sub_api(AWSApiDynamoDB)
+
     @cached_property
     def iam(self) -> AWSApiIam:
         """Return an AWS IAM Api client."""
@@ -225,11 +241,6 @@ class AWSApi:
         """Return an AWS Support Api client."""
         return self._init_sub_api(AWSApiSupport)
 
-    @cached_property
-    def dynamodb(self) -> AWSApiDynamoDB:
-        """Return an AWS DynamoDB Api client"""
-        return self._init_sub_api(AWSApiDynamoDB)
-
     def assume_role(self, account_id: str, role: str) -> AWSApi:
         """Return a new AWSApi with the assumed role."""
         credentials = self.sts.assume_role(account_id=account_id, role=role)