qontract-reconcile 0.10.2.dev152__py3-none-any.whl → 0.10.2.dev154__py3-none-any.whl

{qontract_reconcile-0.10.2.dev152.dist-info → qontract_reconcile-0.10.2.dev154.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev152
+Version: 0.10.2.dev154
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev152.dist-info → qontract_reconcile-0.10.2.dev154.dist-info}/RECORD

@@ -657,7 +657,7 @@ reconcile/utils/state.py,sha256=az4tBmZ0EdbFcAGiBVUxs3cr2-BVWsuDQiNTvjjQq8s,1637
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=IDlrNvGEc2i6ElZIL_fzaJEad1nRC3DkP9_VXhJXmU0,37329
-reconcile/utils/terrascript_aws_client.py,sha256=WMT9cZ4Cu4vjiIgRiTMyZ3Iio2_HNODg2OlrWGW9nQA,288803
+reconcile/utils/terrascript_aws_client.py,sha256=-knIxxuez_gmaI4OvkMq3YeYdZgzkDIVVorFdS_nw4E,289989
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=aSA8l9cJlPUHpChFGl27nSY-Mpq9FMjBo7Dcgb1BVfM,15036
@@ -797,7 +797,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev152.dist-info/METADATA,sha256=vJsdGK7g6V30epBk2e5-Z3IjYTweJywk5bBbC636psU,24627
-qontract_reconcile-0.10.2.dev152.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev152.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev152.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev154.dist-info/METADATA,sha256=GeAWXva3akSPG_o0MRXF2OzW9PyOPP-v3_kTGWRcDSw,24627
+qontract_reconcile-0.10.2.dev154.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev154.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev154.dist-info/RECORD,,

reconcile/utils/terrascript_aws_client.py

@@ -4639,11 +4639,14 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             admin_user_secret = auth_options["admin_user_credentials"]
             secret_data = self.secret_reader.read_all(admin_user_secret)
 
-            required_keys = {"master_user_name", "master_user_password"}
-            if secret_data.keys() != required_keys:
+            required_keys = {
+                "master_user_name",
+                "master_user_password",
+            }
+            if not (required_keys <= secret_data.keys()):
                 raise KeyError(
                     f"vault secret '{admin_user_secret['path']}' must "
-                    f"exactly contain these keys: {', '.join(required_keys)}"
+                    f"contain these keys: {', '.join(required_keys)}"
                 )
 
             # AWS requires the admin user password must be at least 8 chars long, contain at least one
@@ -4880,10 +4883,11 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             es_values["provider"] = provider
 
         auth_options = values.get("auth", {})
+        advanced_security_options = None
         # TODO: @fishi0x01 make mandatory after migration APPSRE-3409
         if auth_options:
-            es_values["advanced_security_options"] = (
-                self._build_es_advanced_security_options(auth_options)
+            advanced_security_options = self._build_es_advanced_security_options(
+                auth_options
             )
 
         # TODO: @fishi0x01 remove after migration APPSRE-3409
@@ -4897,6 +4901,84 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
                     )
                 )
         # ++++++++ END: REMOVE ++++++++++
+        if advanced_security_options:
+            master_user_options_with_optional_keys_values = advanced_security_options[
+                "master_user_options"
+            ]
+            # this secret can include optional kv pairs which are then saved to secrets manager in AWS
+            # however this step strips those extra values from `master_user_options` which only expects
+            # 2 fields https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#master_user_options-1
+            advanced_security_options["master_user_options"] = {
+                k: v
+                for k, v in master_user_options_with_optional_keys_values.items()
+                if k in {"master_user_name", "master_user_password"}
+            }
+            es_values["advanced_security_options"] = advanced_security_options
+            if advanced_security_options.get("internal_user_database_enabled", False):
+                # add master user creds to output and secretsmanager if internal_user_database_enabled
+                master_user = master_user_options_with_optional_keys_values
+                secret_name = f"qrtf/es/{identifier}"
+                secret_identifier = secret_name.replace("/", "-")
+                secret_values = {"name": secret_name, "tags": tags}
+                if provider:
+                    secret_values["provider"] = provider
+                aws_secret_resource = aws_secretsmanager_secret(
+                    secret_identifier, **secret_values
+                )
+                tf_resources.append(aws_secret_resource)
+
+                version_values = {
+                    "secret_id": "${" + aws_secret_resource.id + "}",
+                    "secret_string": json.dumps(master_user, sort_keys=True),
+                }
+                if provider:
+                    version_values["provider"] = provider
+                aws_version_resource = aws_secretsmanager_secret_version(
+                    secret_identifier, **version_values
+                )
+                tf_resources.append(aws_version_resource)
+
+                policy = {
+                    "Version": "2012-10-17",
+                    "Statement": [
+                        {
+                            "Effect": "Allow",
+                            "Action": [
+                                "secretsmanager:GetResourcePolicy",
+                                "secretsmanager:GetSecretValue",
+                                "secretsmanager:DescribeSecret",
+                                "secretsmanager:ListSecretVersionIds",
+                            ],
+                            "Resource": "${" + aws_secret_resource.id + "}",
+                        }
+                    ],
+                }
+                iam_policy_resource = aws_iam_policy(
+                    secret_identifier,
+                    name=f"{identifier}-secretsmanager-policy",
+                    policy=json.dumps(policy, sort_keys=True),
+                    tags=tags,
+                )
+                tf_resources.append(iam_policy_resource)
+
+                output_name = output_prefix + "__secret_name"
+                output_value = secret_name
+                tf_resources.append(Output(output_name, value=output_value))
+                output_name = output_prefix + "__secret_policy_arn"
+                output_value = "${" + iam_policy_resource.arn + "}"
+                tf_resources.append(Output(output_name, value=output_value))
+                # master_user_name
+                output_name = output_prefix + "__master_user_name"
+                output_value = master_user["master_user_name"]
+                tf_resources.append(
+                    Output(output_name, value=output_value, sensitive=True)
+                )
+                # master_user_password
+                output_name = output_prefix + "__master_user_password"
+                output_value = master_user["master_user_password"]
+                tf_resources.append(
+                    Output(output_name, value=output_value, sensitive=True)
+                )
 
         es_tf_resource = aws_elasticsearch_domain(identifier, **es_values)
         tf_resources.append(es_tf_resource)
@@ -4928,70 +5010,6 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             "${aws_elasticsearch_domain." + identifier + ".vpc_options.0.vpc_id}"
         )
         tf_resources.append(Output(output_name, value=output_value))
-        # add master user creds to output and secretsmanager if internal_user_database_enabled
-        security_options = es_values.get("advanced_security_options")
-        if security_options and security_options.get(
-            "internal_user_database_enabled", False
-        ):
-            master_user = security_options["master_user_options"]
-            secret_name = f"qrtf/es/{identifier}"
-            secret_identifier = secret_name.replace("/", "-")
-            secret_values = {"name": secret_name, "tags": tags}
-            if provider:
-                secret_values["provider"] = provider
-            aws_secret_resource = aws_secretsmanager_secret(
-                secret_identifier, **secret_values
-            )
-            tf_resources.append(aws_secret_resource)
-
-            version_values = {
-                "secret_id": "${" + aws_secret_resource.id + "}",
-                "secret_string": json.dumps(master_user, sort_keys=True),
-            }
-            if provider:
-                version_values["provider"] = provider
-            aws_version_resource = aws_secretsmanager_secret_version(
-                secret_identifier, **version_values
-            )
-            tf_resources.append(aws_version_resource)
-
-            policy = {
-                "Version": "2012-10-17",
-                "Statement": [
-                    {
-                        "Effect": "Allow",
-                        "Action": [
-                            "secretsmanager:GetResourcePolicy",
-                            "secretsmanager:GetSecretValue",
-                            "secretsmanager:DescribeSecret",
-                            "secretsmanager:ListSecretVersionIds",
-                        ],
-                        "Resource": "${" + aws_secret_resource.id + "}",
-                    }
-                ],
-            }
-            iam_policy_resource = aws_iam_policy(
-                secret_identifier,
-                name=f"{identifier}-secretsmanager-policy",
-                policy=json.dumps(policy, sort_keys=True),
-                tags=tags,
-            )
-            tf_resources.append(iam_policy_resource)
-
-            output_name = output_prefix + "__secret_name"
-            output_value = secret_name
-            tf_resources.append(Output(output_name, value=output_value))
-            output_name = output_prefix + "__secret_policy_arn"
-            output_value = "${" + iam_policy_resource.arn + "}"
-            tf_resources.append(Output(output_name, value=output_value))
-            # master_user_name
-            output_name = output_prefix + "__master_user_name"
-            output_value = master_user["master_user_name"]
-            tf_resources.append(Output(output_name, value=output_value, sensitive=True))
-            # master_user_password
-            output_name = output_prefix + "__master_user_password"
-            output_value = master_user["master_user_password"]
-            tf_resources.append(Output(output_name, value=output_value, sensitive=True))
 
         self.add_resources(account, tf_resources)
 
@@ -5005,11 +5023,14 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             master_user_secret = master_user_options["master_user_secret"]
             secret_data = self.secret_reader.read_all(master_user_secret)
 
-            required_keys = {"master_user_name", "master_user_password"}
-            if secret_data.keys() != required_keys:
+            required_keys = {
+                "master_user_name",
+                "master_user_password",
+            }
+            if not (required_keys <= secret_data.keys()):
                 raise KeyError(
                     f"vault secret '{master_user_secret['path']}' must "
-                    f"exactly contain these keys: {', '.join(required_keys)}"
+                    f"contain these keys: {', '.join(required_keys)}"
                 )
 
             advanced_security_options["master_user_options"] = secret_data