qontract-reconcile 0.10.2.dev235__py3-none-any.whl → 0.10.2.dev237__py3-none-any.whl

{qontract_reconcile-0.10.2.dev235.dist-info → qontract_reconcile-0.10.2.dev237.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev235
+Version: 0.10.2.dev237
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile
@@ -109,7 +109,6 @@ OpenShift templates can be found [here](/openshift/qontract-reconcile.yaml). In
   aws-cloudwatch-log-retention    Set up retention period for Cloudwatch logs.
   aws-ecr-image-pull-secrets      Generate AWS ECR image pull secrets and
                                   store them in Vault.
-  aws-garbage-collector           Delete orphan AWS resources.
   aws-iam-keys                    Delete IAM access keys by access key ID.
   aws-iam-password-reset          Reset IAM user password by user reference.
   aws-saml-idp                    Manage the SAML IDP config for all AWS

{qontract_reconcile-0.10.2.dev235.dist-info → qontract_reconcile-0.10.2.dev237.dist-info}/RECORD

@@ -3,13 +3,12 @@ reconcile/acs_policies.py,sha256=pwFKP3afmRbpRq-7FRAosI-A60yfufE2vvXBjOMgsCU,865
 reconcile/acs_rbac.py,sha256=15vNfNzdG_DeXaJ-f5m8DSaJh__LUK766_xAECqyTsg,22657
 reconcile/aws_ami_share.py,sha256=M_gT7y3cSAyT_Pm90PBCNDSmbZtqREqe2jNETh0i9Qs,3808
 reconcile/aws_ecr_image_pull_secrets.py,sha256=F58PtX1GlB9XHqj8hGy9ItiTznXLAAKTNlWD9iT2MWI,2593
-reconcile/aws_garbage_collector.py,sha256=PG_0qccQIW347WhdLAhfT9x0P9Mq_ojacvSy5vbJWj8,471
 reconcile/aws_iam_keys.py,sha256=mw_lvmWqpJkzYW8Za6lHfxEMkT-_DOzWiCPhJAmYPIQ,3987
 reconcile/aws_iam_password_reset.py,sha256=O0JX2N5kNRKs3u2xzu4NNrI6p0ag5JWy3MTsvZmtleg,3173
 reconcile/aws_support_cases_sos.py,sha256=PDhilxQ4TBxVnxUPIUdTbKEaNUI0wzPiEsB91oHT2fY,3384
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=bDNLgSAIMkv1zE637ZJSO76nVdfjmhEsTA88jDuX50k,113598
+reconcile/cli.py,sha256=7uAtN-LiukRmaoowvgyHvmfTDf4Ffw-eo1teD11IK2g,113302
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=al7m8EgnnYx90rY1REryW3byN_ItfJfAzEeLtjbCfi0,4921
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=83ZWIf5JJk3P_D69y2TmXRcQr6ELJGlv10OM0h7fJVs,4767
@@ -76,7 +75,7 @@ reconcile/openshift_rolebindings.py,sha256=9mlJ2FjWUoH-rsjtasreA_hV-K5Z_YR00qR_R
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=T1dvb9zajisaJNjbnR6-AZHU-itscHtr4oCqLj8KCK0,13037
 reconcile/openshift_saas_deploy_change_tester.py,sha256=12uyBwaeMka1C3_pejmQPIBPAx2V1sJ4dJkScq-2e2M,8793
-reconcile/openshift_saas_deploy_trigger_base.py,sha256=ftG8vqXCfaMUrkl1QqbPjnRpnQAmMIGCG0IT-YWAG6U,14366
+reconcile/openshift_saas_deploy_trigger_base.py,sha256=MDu_T7Cx27pmNPkGNFfETht9CaYeBzfe0lmnOAmZir0,14549
 reconcile/openshift_saas_deploy_trigger_cleaner.py,sha256=roLyVAVntaQptKaZbnN1LyLvCA8fyvqELfjU6M8xfeY,3511
 reconcile/openshift_saas_deploy_trigger_configs.py,sha256=eUejMGWuaQabZTLuvPLLvROfN5HOFyYZOpH4YEsiU_g,928
 reconcile/openshift_saas_deploy_trigger_images.py,sha256=iUsiBGJf-CyFw7tSLWo59rXmSvsVnN6TTaAObbsVpNg,936
@@ -589,7 +588,7 @@ reconcile/unleash_feature_toggles/integration.py,sha256=nx7BhtzCsTfPbOp60vI5MkNw
 reconcile/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/aggregated_list.py,sha256=_9UeaS1TWbJsGIESvXlzzK-omPI2lMMcCsoqc9LBclc,4022
 reconcile/utils/amtool.py,sha256=Ng5VVNCiPYEK67eDjIwfuuTLs5JsfltCwt6w5UfXbcY,2289
-reconcile/utils/aws_api.py,sha256=Xrt4uukct0u5kkQBvl0azquF8JEbrb_aFtlBNEL2G2E,81488
+reconcile/utils/aws_api.py,sha256=s3I1dNGe3JET4r-7KZA6hCc642Xm3JLYadTxO8eNEwI,62117
 reconcile/utils/aws_helper.py,sha256=8PvDR17ntAGX3bBzlTIxDuENl2rkK-RECsNYKm2_DZw,2955
 reconcile/utils/batches.py,sha256=TtEm64a8lWhFuNbUVpFEmXVdU2Q0sTBrP_I0Cjbgh7g,320
 reconcile/utils/binary.py,sha256=lSIevhilMeoGMePPHD7A-pxe45LVpBT0LksecYbM-EA,2477
@@ -754,8 +753,8 @@ reconcile/utils/runtime/runner.py,sha256=I30KRrX1UQbHc_Ir1cIZX3OfNSdoHKdnDSPAEB6
 reconcile/utils/runtime/sharding.py,sha256=r0ieUtNed7NvknSw6qQrCkKpVXE1shuHGnfFcnpA_k4,16142
 reconcile/utils/saasherder/__init__.py,sha256=3U8plqMAPRE1kjwZ5YnIsYsggTf4_gS7flRUEuXVBAs,343
 reconcile/utils/saasherder/interfaces.py,sha256=nbGVLiIXJvOtd5ZfKsP3bfrFbMpdQ02D0cTTM9rrED0,9286
-reconcile/utils/saasherder/models.py,sha256=MSKaC65_bXSxKvhCibRH5K1DNppLPbw5w7_6VrjCCFU,11018
-reconcile/utils/saasherder/saasherder.py,sha256=W9nmQyULr4Jx9VAMwFyhULbKo5WRP9nSieOnpO5UxKQ,90224
+reconcile/utils/saasherder/models.py,sha256=qMYY3SBOEnQlaOqn3bQhV33LDIMLcPjWbtfU9Li8-f0,10986
+reconcile/utils/saasherder/saasherder.py,sha256=BKbus6Rr1cCm7ITKSrvBBJzJnZcRzIofqYa69oX2aY8,91785
 reconcile/utils/terraform/__init__.py,sha256=zNbiyTWo35AT1sFTElL2j_AA0jJ_yWE_bfFn-nD2xik,250
 reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79evfV_8,164
 reconcile/utils/terraform/config_client.py,sha256=gRL1rQ0AqvShei_rcGqC3HDYGskOFKE1nPrJyJE9yno,4676
@@ -801,7 +800,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev235.dist-info/METADATA,sha256=m1DlgWSMs0aGmwJgvPC_StxHTNdllvXi0DW5ST3KD8s,24352
-qontract_reconcile-0.10.2.dev235.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev235.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev235.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev237.dist-info/METADATA,sha256=khc8UZpNkvSGuEeKsWh0ul7U5A7UF3ycaXC-Q6rvR3g,24289
+qontract_reconcile-0.10.2.dev237.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev237.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev237.dist-info/RECORD,,

reconcile/cli.py

@@ -1236,15 +1236,6 @@ def gitlab_mr_sqs_consumer(ctx: click.Context, gitlab_project_id: str) -> None:
     run_integration(reconcile.gitlab_mr_sqs_consumer, ctx, gitlab_project_id)
 
 
-@integration.command(short_help="Delete orphan AWS resources.")
-@threaded()
-@click.pass_context
-def aws_garbage_collector(ctx: click.Context, thread_pool_size: int) -> None:
-    import reconcile.aws_garbage_collector
-
-    run_integration(reconcile.aws_garbage_collector, ctx, thread_pool_size)
-
-
 @integration.command(short_help="Delete IAM access keys by access key ID.")
 @threaded()
 @account_name

reconcile/openshift_saas_deploy_trigger_base.py

@@ -278,6 +278,7 @@ def _trigger_tekton(
         integration_version,
         saasherder.include_trigger_trace,
         spec.reason,
+        spec.target_ref,
     )
 
     error = False
@@ -334,6 +335,7 @@ def _construct_tekton_trigger_resource(
     integration_version: str,
     include_trigger_trace: bool,
     reason: str | None,
+    target_ref: str,
 ) -> tuple[OR, str]:
     """Construct a resource (PipelineRun) to trigger a deployment via Tekton.
 
@@ -348,6 +350,7 @@ def _construct_tekton_trigger_resource(
         integration_version (string): Version of calling integration
         include_trigger_trace (bool): Should include traces of the triggering integration and reason
         reason (string): The reason this trigger was created
+        target_ref (string): the ref of the target, can be a branch or a commit hash.
 
     Returns:
         OpenshiftResource: OpenShift resource to be applied
@@ -385,6 +388,7 @@ def _construct_tekton_trigger_resource(
             "labels": {
                 "qontract.saas_file_name": saas_file_name,
                 "qontract.env_name": env_name,
+                "qontract.target_ref": target_ref,
             },
         },
         "spec": {

reconcile/utils/aws_api.py

@@ -2,14 +2,12 @@ import logging
 import operator
 import os
 import re
-import time
 from collections.abc import (
     Iterable,
     Iterator,
     Mapping,
     Sequence,
 )
-from datetime import datetime
 from functools import lru_cache
 from threading import Lock
 from typing import (
@@ -21,7 +19,6 @@ from typing import (
     overload,
 )
 
-import botocore
 from boto3 import Session
 from botocore.client import BaseClient
 from botocore.config import Config
@@ -142,13 +139,6 @@ RESOURCE_NAME = Literal[
     "s3",
     "sqs",
 ]
-RESOURCE_TYPE = Literal[
-    "dynamodb",
-    "rds",
-    "rds_snapshots",
-    "s3",
-    "sqs",
-]
 
 
 class AWSApi:
@@ -169,17 +159,10 @@ class AWSApi:
             self.secret_reader = secret_reader
         else:
             self.secret_reader = SecretReader(settings=settings)
-        self.init_sessions_and_resources(accounts)
+        self.init_sessions(accounts)
         if init_ecr_auth_tokens:
             self.init_ecr_auth_tokens(accounts)
         self._lock = Lock()
-        self.resource_types: list[RESOURCE_TYPE] = [
-            "s3",
-            "sqs",
-            "dynamodb",
-            "rds",
-            "rds_snapshots",
-        ]
 
         # store the app-interface accounts in a dictionary indexed by name
         self.accounts = {acc["name"]: acc for acc in accounts}
@@ -208,7 +191,7 @@ class AWSApi:
         if init_users:
             self.init_users()
 
-    def init_sessions_and_resources(self, accounts: Iterable[awsh.Account]) -> None:
+    def init_sessions(self, accounts: Iterable[awsh.Account]) -> None:
         results = threaded.run(
             awsh.get_tf_secrets,
             accounts,
@@ -216,7 +199,6 @@ class AWSApi:
             secret_reader=self.secret_reader,
         )
         self.sessions: dict[str, Session] = {}
-        self.resources: dict[str, Any] = {}
         for account_name, secret in results:
             account = awsh.get_account(accounts, account_name)
             access_key = secret["aws_access_key_id"]
@@ -235,7 +217,6 @@ class AWSApi:
                 region_name=region_name,
             )
             self.sessions[account_name] = session
-            self.resources[account_name] = {}
 
     def __enter__(self) -> Self:
         return self
@@ -490,121 +471,6 @@ class AWSApi:
             users = [u["UserName"] for u in users]
             self.users[account] = users
 
-    def map_resources(self) -> None:
-        threaded.run(self.map_resource, self.resource_types, self.thread_pool_size)
-
-    def map_resource(self, resource_type: str) -> None:
-        match resource_type:
-            case "s3":
-                self.map_s3_resources()
-            case "sqs":
-                self.map_sqs_resources()
-            case "dynamodb":
-                self.map_dynamodb_resources()
-            case "rds":
-                self.map_rds_resources()
-            case "rds_snapshots":
-                self.map_rds_snapshots()
-            case "route53":
-                self.map_route53_resources()
-            case "ecr":
-                self.map_ecr_resources()
-            case _:
-                raise InvalidResourceTypeError(resource_type)
-
-    def map_s3_resources(self) -> None:
-        for account, s in self.sessions.items():
-            s3 = self.get_session_client(s, "s3")
-            buckets_list = s3.list_buckets()
-            if "Buckets" not in buckets_list:
-                continue
-            buckets = [b["Name"] for b in buckets_list["Buckets"]]
-            self.set_resouces(account, "s3", buckets)
-            buckets_without_owner = self.get_resources_without_owner(account, buckets)
-            unfiltered_buckets = self.custom_s3_filter(
-                account, s3, buckets_without_owner
-            )
-            self.set_resouces(account, "s3_no_owner", unfiltered_buckets)
-
-    def map_sqs_resources(self) -> None:
-        for account, s in self.sessions.items():
-            sqs = self.get_session_client(s, "sqs")
-            queues_list = sqs.list_queues()
-            if "QueueUrls" not in queues_list:
-                continue
-            queues = queues_list["QueueUrls"]
-            self.set_resouces(account, "sqs", queues)
-            queues_without_owner = self.get_resources_without_owner(account, queues)
-            unfiltered_queues = self.custom_sqs_filter(
-                account, sqs, queues_without_owner
-            )
-            self.set_resouces(account, "sqs_no_owner", unfiltered_queues)
-
-    def map_dynamodb_resources(self) -> None:
-        for account, s in self.sessions.items():
-            dynamodb = self.get_session_client(s, "dynamodb")
-            tables = self.paginate(dynamodb, "list_tables", "TableNames")
-            self.set_resouces(account, "dynamodb", tables)
-            tables_without_owner = self.get_resources_without_owner(account, tables)
-            unfiltered_tables = self.custom_dynamodb_filter(
-                account, s, dynamodb, tables_without_owner
-            )
-            self.set_resouces(account, "dynamodb_no_owner", unfiltered_tables)
-
-    def map_rds_resources(self) -> None:
-        for account, s in self.sessions.items():
-            rds = self.get_session_client(s, "rds")
-            results = self.paginate(rds, "describe_db_instances", "DBInstances")
-            instances = [t["DBInstanceIdentifier"] for t in results]
-            self.set_resouces(account, "rds", instances)
-            instances_without_owner = self.get_resources_without_owner(
-                account, instances
-            )
-            unfiltered_instances = self.custom_rds_filter(
-                account, rds, instances_without_owner
-            )
-            self.set_resouces(account, "rds_no_owner", unfiltered_instances)
-
-    def map_rds_snapshots(self) -> None:
-        self.wait_for_resource("rds")
-        for account, s in self.sessions.items():
-            rds = self.get_session_client(s, "rds")
-            results = self.paginate(rds, "describe_db_snapshots", "DBSnapshots")
-            snapshots = [t["DBSnapshotIdentifier"] for t in results]
-            self.set_resouces(account, "rds_snapshots", snapshots)
-            snapshots_without_db = [
-                t["DBSnapshotIdentifier"]
-                for t in results
-                if t["DBInstanceIdentifier"] not in self.resources[account]["rds"]
-            ]
-            unfiltered_snapshots = self.custom_rds_snapshot_filter(
-                account, rds, snapshots_without_db
-            )
-            self.set_resouces(account, "rds_snapshots_no_owner", unfiltered_snapshots)
-
-    def map_route53_resources(self) -> None:
-        for account, s in self.sessions.items():
-            client = self.get_session_client(s, "route53")
-            results = self.paginate(client, "list_hosted_zones", "HostedZones")
-            zones = list(results)
-            for zone in zones:
-                results = self.paginate(
-                    client,
-                    "list_resource_record_sets",
-                    "ResourceRecordSets",
-                    {"HostedZoneId": zone["Id"]},
-                )
-                zone["records"] = results
-            self.set_resouces(account, "route53", zones)
-
-    def map_ecr_resources(self) -> None:
-        for account, s in self.sessions.items():
-            client = self.get_session_client(s, "ecr")
-            repositories = self.paginate(
-                client=client, method="describe_repositories", key="repositories"
-            )
-            self.set_resouces(account, "ecr", repositories)
-
     @staticmethod
     def paginate(
         client: BaseClient, method: str, key: str, params: Mapping | None = None
@@ -620,246 +486,6 @@ class AWSApi:
             for values in page.get(key, [])
         ]
 
-    def wait_for_resource(self, resource: str) -> None:
-        """wait_for_resource waits until the specified resource type
-        is ready for all accounts.
-        When we have more resource types then threads,
-        this function will need to change to a dependency graph."""
-        wait = True
-        while wait:
-            wait = False
-            for account in self.sessions:
-                if self.resources[account].get(resource) is None:
-                    wait = True
-            if wait:
-                time.sleep(2)
-
-    def set_resouces(self, account: str, key: str, value: Any) -> None:
-        with self._lock:
-            self.resources[account][key] = value
-
-    def get_resources_without_owner(
-        self, account: str, resources: Iterable[str]
-    ) -> list[str]:
-        return [r for r in resources if not self.has_owner(account, r)]
-
-    def has_owner(self, account: str, resource: str) -> bool:
-        has_owner = False
-        for u in self.users[account]:
-            if resource.lower().startswith(u.lower()):
-                has_owner = True
-                break
-            if "://" in resource:
-                if resource.split("/")[-1].startswith(u.lower()):
-                    has_owner = True
-                    break
-        return has_owner
-
-    def custom_s3_filter(
-        self, account: str, s3: S3Client, buckets: Iterable[str]
-    ) -> list[str]:
-        type = "s3 bucket"
-        unfiltered_buckets = []
-        for b in buckets:
-            try:
-                tags = s3.get_bucket_tagging(Bucket=b)
-            except botocore.exceptions.ClientError:
-                tags = {}  # type: ignore
-            if not self.should_filter(account, type, b, tags, "TagSet"):
-                unfiltered_buckets.append(b)
-
-        return unfiltered_buckets
-
-    def custom_sqs_filter(
-        self, account: str, sqs: SQSClient, queues: Iterable[str]
-    ) -> list[str]:
-        type = "sqs queue"
-        unfiltered_queues = []
-        for q in queues:
-            tags = sqs.list_queue_tags(QueueUrl=q)
-            if not self.should_filter(account, type, q, tags, "Tags"):
-                unfiltered_queues.append(q)
-
-        return unfiltered_queues
-
-    def custom_dynamodb_filter(
-        self,
-        account: str,
-        session: Session,
-        dynamodb: DynamoDBClient,
-        tables: Iterable[str],
-    ) -> list[str]:
-        type = "dynamodb table"
-        dynamodb_resource = self._get_session_resource(session, "dynamodb")
-        unfiltered_tables = []
-        for t in tables:
-            table_arn = dynamodb_resource.Table(t).table_arn
-            tags = dynamodb.list_tags_of_resource(ResourceArn=table_arn)
-            if not self.should_filter(account, type, t, tags, "Tags"):
-                unfiltered_tables.append(t)
-
-        return unfiltered_tables
-
-    def custom_rds_filter(
-        self, account: str, rds: RDSClient, instances: Iterable[str]
-    ) -> list[str]:
-        type = "rds instance"
-        unfiltered_instances = []
-        for i in instances:
-            instance = rds.describe_db_instances(DBInstanceIdentifier=i)
-            instance_arn = instance["DBInstances"][0]["DBInstanceArn"]
-            tags = rds.list_tags_for_resource(ResourceName=instance_arn)
-            if not self.should_filter(account, type, i, tags, "TagList"):
-                unfiltered_instances.append(i)
-
-        return unfiltered_instances
-
-    def custom_rds_snapshot_filter(
-        self, account: str, rds: RDSClient, snapshots: Iterable[str]
-    ) -> list[str]:
-        type = "rds snapshots"
-        unfiltered_snapshots = []
-        for s in snapshots:
-            snapshot = rds.describe_db_snapshots(DBSnapshotIdentifier=s)
-            snapshot_arn = snapshot["DBSnapshots"][0]["DBSnapshotArn"]
-            tags = rds.list_tags_for_resource(ResourceName=snapshot_arn)
-            if not self.should_filter(account, type, s, tags, "TagList"):
-                unfiltered_snapshots.append(s)
-
-        return unfiltered_snapshots
-
-    def should_filter(
-        self,
-        account: str,
-        resource_type: str,
-        resource_name: str,
-        resource_tags: Mapping,
-        tags_key: str,
-    ) -> bool:
-        if self.resource_has_special_name(account, resource_type, resource_name):
-            return True
-        if tags_key in resource_tags:
-            tags = resource_tags[tags_key]
-            if self.resource_has_special_tags(
-                account, resource_type, resource_name, tags
-            ):
-                return True
-
-        return False
-
-    @staticmethod
-    def resource_has_special_name(account: str, type: str, resource: str) -> bool:
-        skip_msg = f"[{account}] skipping {type} " + "({} related) {}"
-
-        ignore_names = {
-            "production": ["prod"],
-            "stage": ["stage", "staging"],
-            "terraform": ["terraform", "-tf-"],
-        }
-
-        for msg, tags in ignore_names.items():
-            for tag in tags:
-                if tag.lower() in resource.lower():
-                    logging.debug(skip_msg.format(msg, resource))
-                    return True
-
-        return False
-
-    def resource_has_special_tags(
-        self, account: str, type: str, resource: str, tags: Mapping | list[Mapping]
-    ) -> bool:
-        skip_msg = f"[{account}] skipping {type} " + "({}={}) {}"
-
-        ignore_tags = {
-            "ENV": ["prod", "stage", "staging"],
-            "environment": ["prod", "stage", "staging"],
-            "owner": ["app-sre"],
-            "managed_by_integration": ["terraform_resources", "terraform_users"],
-            "aws_gc_hands_off": ["true"],
-        }
-
-        for tag, ignore_values in ignore_tags.items():
-            for ignore_value in ignore_values:
-                value = self.get_tag_value(tags, tag)
-                if ignore_value.lower() in value.lower():
-                    logging.debug(skip_msg.format(tag, value, resource))
-                    return True
-
-        return False
-
-    @staticmethod
-    def get_tag_value(tags: Mapping | list[Mapping], tag: str) -> str:
-        if isinstance(tags, dict):
-            return tags.get(tag, "")
-        if isinstance(tags, list):
-            for t in tags:
-                if t["Key"] == tag:
-                    return t["Value"]
-
-        return ""
-
-    def delete_resources_without_owner(self, dry_run: bool) -> None:
-        for account, s in self.sessions.items():
-            for rt in self.resource_types:
-                for r in self.resources[account].get(rt + "_no_owner", []):
-                    logging.info(["delete_resource", account, rt, r])
-                    if not dry_run:
-                        self.delete_resource(s, rt, r)
-
-    def delete_resource(
-        self, session: Session, resource_type: RESOURCE_TYPE, resource_name: str
-    ) -> None:
-        match resource_type:
-            case "s3":
-                self.delete_bucket(
-                    self._get_session_resource(session, resource_type), resource_name
-                )
-            case "sqs":
-                self.delete_queue(
-                    self.get_session_client(session, resource_type), resource_name
-                )
-            case "dynamodb":
-                self.delete_table(
-                    self._get_session_resource(session, resource_type), resource_name
-                )
-            case "rds":
-                self.delete_instance(
-                    self.get_session_client(session, resource_type), resource_name
-                )
-            case "rds_snapshots":
-                self.delete_snapshot(
-                    self.get_session_client(session, "rds"), resource_name
-                )
-            case _:
-                raise InvalidResourceTypeError(resource_type)
-
-    @staticmethod
-    def delete_bucket(s3: S3ServiceResource, bucket_name: str) -> None:
-        bucket = s3.Bucket(bucket_name)
-        bucket.object_versions.delete()
-        bucket.delete()
-
-    @staticmethod
-    def delete_queue(sqs: SQSClient, queue_url: str) -> None:
-        sqs.delete_queue(QueueUrl=queue_url)
-
-    @staticmethod
-    def delete_table(dynamodb: DynamoDBServiceResource, table_name: str) -> None:
-        table = dynamodb.Table(table_name)
-        table.delete()
-
-    @staticmethod
-    def delete_instance(rds: RDSClient, instance_name: str) -> None:
-        rds.delete_db_instance(
-            DBInstanceIdentifier=instance_name,
-            SkipFinalSnapshot=True,
-            DeleteAutomatedBackups=True,
-        )
-
-    @staticmethod
-    def delete_snapshot(rds: RDSClient, snapshot_identifier: str) -> None:
-        rds.delete_db_snapshot(DBSnapshotIdentifier=snapshot_identifier)
-
     @staticmethod
     def determine_key_type(iam: IAMClient, user: str) -> str:
         tags = iam.list_user_tags(UserName=user)["Tags"]
@@ -1875,145 +1501,6 @@ class AWSApi:
         ns_records = self._extract_records(resource_records)
         return ns_records
 
-    def get_route53_zones(self) -> dict[str, list[dict[str, str]]]:
-        """
-        Return a list of (str, dict) representing Route53 DNS zones per account
-
-        :return: route53 dns zones per account
-        :rtype: list of (str, dict)
-        """
-        return {
-            account: self.resources.get(account, {}).get("route53", [])
-            for account, _ in self.sessions.items()
-        }
-
-    def create_route53_zone(self, account_name: str, zone_name: str) -> None:
-        """
-        Create a Route53 DNS zone
-
-        :param account_name: the account name to operate on
-        :param zone_name: name of the zone to create
-        :type account_name: str
-        :type zone_name: str
-        """
-        session = self.get_session(account_name)
-        client = self.get_session_client(session, "route53")
-
-        try:
-            caller_ref = f"{datetime.now()}"
-            client.create_hosted_zone(
-                Name=zone_name,
-                CallerReference=caller_ref,
-                HostedZoneConfig={
-                    "Comment": "Managed by App-Interface",
-                },
-            )
-        except client.exceptions.InvalidDomainName:
-            logging.error(f"[{account_name}] invalid domain name {zone_name}")
-        except client.exceptions.HostedZoneAlreadyExists:
-            logging.error(f"[{account_name}] hosted zone already exists: {zone_name}")
-        except client.exceptions.TooManyHostedZones:
-            logging.error(f"[{account_name}] too many hosted zones in account")
-        except Exception as e:
-            logging.error(f"[{account_name}] unhandled exception: {e}")
-
-    def delete_route53_zone(self, account_name: str, zone_id: str) -> None:
-        """
-        Delete a Route53 DNS zone
-
-        :param account_name: the account name to operate on
-        :param zone_id: aws zone id of the zone to delete
-        :type account_name: str
-        :type zone_id: str
-        """
-        session = self.get_session(account_name)
-        client = self.get_session_client(session, "route53")
-
-        try:
-            client.delete_hosted_zone(Id=zone_id)
-        except client.exceptions.NoSuchHostedZone:
-            logging.error(
-                f"[{account_name}] Error trying to delete unknown DNS zone {zone_id}"
-            )
-        except client.exceptions.HostedZoneNotEmpty:
-            logging.error(
-                f"[{account_name}] Cannot delete DNS zone that is not empty {zone_id}"
-            )
-        except Exception as e:
-            logging.error(f"[{account_name}] unhandled exception: {e}")
-
-    def delete_route53_record(
-        self, account_name: str, zone_id: str, awsdata: ResourceRecordSetTypeDef
-    ) -> None:
-        """
-        Delete a Route53 DNS zone record
-
-        :param account_name: the account name to operate on
-        :param zone_id: aws zone id of the zone to operate on
-        :param awsdata: aws record data of the record to delete
-        :type account_name: str
-        :type zone_id: str
-        :type awsdata: dict
-        """
-        session = self.get_session(account_name)
-        client = self.get_session_client(session, "route53")
-
-        try:
-            client.change_resource_record_sets(
-                HostedZoneId=zone_id,
-                ChangeBatch={
-                    "Changes": [
-                        {
-                            "Action": "DELETE",
-                            "ResourceRecordSet": awsdata,
-                        }
-                    ]
-                },
-            )
-        except client.exceptions.NoSuchHostedZone:
-            logging.error(
-                f"[{account_name}] Error trying to delete record: "
-                f"unknown DNS zone {zone_id}"
-            )
-        except Exception as e:
-            logging.error(f"[{account_name}] unhandled exception: {e}")
-
-    def upsert_route53_record(
-        self, account_name: str, zone_id: str, recordset: ResourceRecordSetTypeDef
-    ) -> None:
-        """
-        Upsert a Route53 DNS zone record
-
-        :param account_name: the account name to operate on
-        :param zone_id: aws zone id of the zone to operate on
-        :param recordset: aws record data of the record to create or update
-        :type account_name: str
-        :type zone_id: str
-        :type recordset: dict
-        """
-        session = self.get_session(account_name)
-        client = self.get_session_client(session, "route53")
-
-        try:
-            client.change_resource_record_sets(
-                HostedZoneId=zone_id,
-                ChangeBatch={
-                    "Changes": [
-                        {
-                            "Action": "UPSERT",
-                            "ResourceRecordSet": recordset,
-                        }
-                    ]
-                },
-            )
-        except client.exceptions.NoSuchHostedZone:
-            logging.error(
-                f"[{account_name}] Error trying to delete record: "
-                f"unknown DNS zone {zone_id}"
-            )
-        except Exception as e:
-            logging.error(f"[{account_name}] unhandled exception: {e}")
-
     def get_image_id(
         self, account_name: str, region_name: str, tags: Iterable[AmiTag]
     ) -> str | None:

reconcile/utils/saasherder/models.py

@@ -53,7 +53,7 @@ class UpstreamJob:
         return self.__str__()
 
 
-@dataclass
+@dataclass(frozen=True)
 class TriggerSpecBase:
     saas_file_name: str
     env_name: str
@@ -63,6 +63,8 @@ class TriggerSpecBase:
     cluster_name: str
     namespace_name: str
     state_content: Any
+    reason: str | None
+    target_ref: str
 
     @property
     def state_key(self) -> str:
@@ -76,13 +78,11 @@ class SLOKey:
     cluster_name: str
 
 
-@dataclass
+@dataclass(frozen=True)
 class TriggerSpecConfig(TriggerSpecBase):
     resource_template_url: str
-    target_ref: str
     slos: list[SLODocument] | None = None
     target_name: str | None = None
-    reason: str | None = None
 
     @property
     def state_key(self) -> str:
@@ -108,10 +108,9 @@ class TriggerSpecConfig(TriggerSpecBase):
         ]
 
 
-@dataclass
+@dataclass(frozen=True)
 class TriggerSpecMovingCommit(TriggerSpecBase):
     ref: str
-    reason: str | None = None
 
     @property
     def state_key(self) -> str:
@@ -122,11 +121,10 @@ class TriggerSpecMovingCommit(TriggerSpecBase):
         return key
 
 
-@dataclass
+@dataclass(frozen=True)
 class TriggerSpecUpstreamJob(TriggerSpecBase):
     instance_name: str
     job_name: str
-    reason: str | None = None
 
     @property
     def state_key(self) -> str:
@@ -137,10 +135,9 @@ class TriggerSpecUpstreamJob(TriggerSpecBase):
         return key
 
 
-@dataclass
+@dataclass(frozen=True)
 class TriggerSpecContainerImage(TriggerSpecBase):
     images: Sequence[str]
-    reason: str | None = None
 
     @property
     def state_key(self) -> str:

reconcile/utils/saasherder/saasherder.py

@@ -1278,6 +1278,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                     resource_template_url=rt.url,
                     target_ref=target.ref,
                     state_content=None,
+                    reason=None,
                 ).state_key
                 digest = SaasHerder.get_target_config_hash(
                     all_trigger_specs[state_key].state_content
@@ -1432,6 +1433,15 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         )
         return list(itertools.chain.from_iterable(results))
 
+    def _build_trigger_spec_moving_commit_reason(
+        self,
+        url: str,
+        desired_commit_sha: str,
+    ) -> str | None:
+        if not self.include_trigger_trace:
+            return None
+        return f"{url}/commit/{desired_commit_sha}"
+
     def get_moving_commits_diff_saas_file(
         self, saas_file: SaasFile, dry_run: bool
     ) -> list[TriggerSpecMovingCommit]:
@@ -1461,9 +1471,12 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                         namespace_name=target.namespace.name,
                         ref=target.ref,
                         state_content=desired_commit_sha,
+                        reason=self._build_trigger_spec_moving_commit_reason(
+                            url=rt.url,
+                            desired_commit_sha=desired_commit_sha,
+                        ),
+                        target_ref=desired_commit_sha,
                     )
-                    if self.include_trigger_trace:
-                        trigger_spec.reason = f"{rt.url}/commit/{desired_commit_sha}"
 
                     if not self.state:
                         raise Exception("state is not initialized")
@@ -1519,6 +1532,24 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
 
         return current_state, error
 
+    def _build_trigger_spec_upstream_job_reason(
+        self,
+        last_build_result: Any,
+        server_url: str,
+        job_name: str,
+        url: str,
+    ) -> str | None:
+        if not self.include_trigger_trace:
+            return None
+        last_build_result_number = last_build_result["number"]
+        last_build_result_commit_sha = last_build_result.get("commit_sha")
+        prefix = (
+            f"{url}/commit/{last_build_result_commit_sha} via "
+            if last_build_result_commit_sha
+            else ""
+        )
+        return f"{prefix}{server_url}/job/{job_name}/{last_build_result_number}"
+
     def get_upstream_jobs_diff_saas_file(
         self, saas_file: SaasFile, dry_run: bool, current_state: dict[str, Any]
     ) -> list[TriggerSpecUpstreamJob]:
@@ -1546,16 +1577,14 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                     instance_name=target.upstream.instance.name,
                     job_name=job_name,
                     state_content=last_build_result,
+                    reason=self._build_trigger_spec_upstream_job_reason(
+                        last_build_result=last_build_result,
+                        server_url=target.upstream.instance.server_url,
+                        job_name=job_name,
+                        url=rt.url,
+                    ),
+                    target_ref=last_build_result.get("commit_sha") or target.ref,
                 )
-                last_build_result_number = last_build_result["number"]
-                if self.include_trigger_trace:
-                    trigger_spec.reason = f"{target.upstream.instance.server_url}/job/{job_name}/{last_build_result_number}"
-                    last_build_result_commit_sha = last_build_result.get("commit_sha")
-                    if last_build_result_commit_sha:
-                        trigger_spec.reason = (
-                            f"{rt.url}/commit/{last_build_result_commit_sha} via "
-                            + trigger_spec.reason
-                        )
                 if not self.state:
                     raise Exception("state is not initialized")
                 state_build_result = self.state.get(trigger_spec.state_key, None)
@@ -1576,6 +1605,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                         self.update_state(trigger_spec)
                     continue
 
+                last_build_result_number = last_build_result["number"]
                 state_build_result_number = state_build_result["number"]
                 # this is the most important condition
                 # if there is a successful newer build -
@@ -1609,6 +1639,20 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         )
         return list(itertools.chain.from_iterable(results))
 
+    def _build_trigger_spec_container_image_reason(
+        self,
+        desired_image_tag: str,
+        image_registries: list[str],
+        url: str,
+        commit_sha: str,
+    ) -> str | None:
+        if not self.include_trigger_trace:
+            return None
+        image_uris = ", ".join(
+            f"{image}:{desired_image_tag}" for image in sorted(image_registries)
+        )
+        return f"{url}/commit/{commit_sha} build {image_uris}"
+
     def get_container_images_diff_saas_file(
         self, saas_file: SaasFile, dry_run: bool
     ) -> list[TriggerSpecContainerImage]:
@@ -1657,15 +1701,14 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                         namespace_name=target.namespace.name,
                         images=image_registries,
                         state_content=desired_image_tag,
+                        reason=self._build_trigger_spec_container_image_reason(
+                            desired_image_tag=desired_image_tag,
+                            image_registries=image_registries,
+                            url=rt.url,
+                            commit_sha=commit_sha,
+                        ),
+                        target_ref=commit_sha,
                     )
-                    if self.include_trigger_trace:
-                        image_uris = ", ".join(
-                            f"{image}:{desired_image_tag}"
-                            for image in sorted(image_registries)
-                        )
-                        trigger_spec.reason = (
-                            f"{rt.url}/commit/{commit_sha} build {image_uris}"
-                        )
                     if not self.state:
                         raise Exception("state is not initialized")
                     current_image_tag = self.state.get(trigger_spec.state_key, None)
@@ -1804,15 +1847,6 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
             dtc = SaasHerder.remove_none_values(trigger_spec.state_content)
             if ctc == dtc:
                 continue
-            if self.include_trigger_trace:
-                trigger_spec.reason = f"{self.repo_url}/commit/{RunningState().commit}"
-                # For now we count every saas config change as an auto-promotion
-                # if the auto promotion field is enabled in the saas target.
-                # Ideally, we check if there was an actual ref change in order
-                # to reduce false-positives.
-                promotion = trigger_spec.state_content.get("promotion")
-                if promotion and promotion.get("auto", False):
-                    trigger_spec.reason += " [auto-promotion]"
             trigger_specs.append(trigger_spec)
         return trigger_specs
 
@@ -1823,6 +1857,23 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         digest = m.hexdigest()[:16]
         return digest
 
+    def _build_trigger_spec_config_reason(
+        self,
+        state_content: dict,
+    ) -> str | None:
+        if not self.include_trigger_trace:
+            return None
+        # For now we count every saas config change as an auto-promotion
+        # if the auto promotion field is enabled in the saas target.
+        # Ideally, we check if there was an actual ref change in order
+        # to reduce false-positives.
+        auto_promotion_suffix = (
+            " [auto-promotion]"
+            if state_content.get("promotion", {}).get("auto", False)
+            else ""
+        )
+        return f"{self.repo_url}/commit/{RunningState().commit}{auto_promotion_suffix}"
+
     def get_saas_targets_config_trigger_specs(
         self, saas_file: SaasFile
     ) -> dict[str, TriggerSpecConfig]:
@@ -1901,6 +1952,9 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                     resource_template_url=rt.url,
                     target_ref=target.ref,
                     slos=target.slos or None,
+                    reason=self._build_trigger_spec_config_reason(
+                        state_content=serializable_target_config
+                    ),
                 )
                 configs[trigger_spec.state_key] = trigger_spec
 

reconcile/aws_garbage_collector.py

@@ -1,12 +0,0 @@
-from reconcile import queries
-from reconcile.utils.aws_api import AWSApi
-
-QONTRACT_INTEGRATION = "aws-garbage-collector"
-
-
-def run(dry_run: bool, thread_pool_size: int = 10) -> None:
-    accounts = [a for a in queries.get_aws_accounts() if a.get("garbageCollection")]
-    settings = queries.get_app_interface_settings()
-    with AWSApi(thread_pool_size, accounts, settings=settings) as aws:
-        aws.map_resources()
-        aws.delete_resources_without_owner(dry_run)