qontract-reconcile 0.10.2.dev268__py3-none-any.whl → 0.10.2.dev270__py3-none-any.whl

reconcile/openshift_rhcs_certs.py

@@ -22,6 +22,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
 )
 from reconcile.typed_queries.rhcs_provider_settings import get_rhcs_provider_settings
 from reconcile.utils import gql, metrics
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.metrics import GaugeMetric, normalize_integration_name
@@ -243,7 +244,7 @@ def fetch_desired_state(
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     cluster_name: Iterable[str] | None = None,

reconcile/openshift_rolebindings.py

@@ -1,5 +1,7 @@
 import contextlib
 import sys
+from collections.abc import Callable, Mapping, Sequence
+from typing import Any
 
 import reconcile.openshift_base as ob
 from reconcile import queries
@@ -7,9 +9,13 @@ from reconcile.utils import (
     expiration,
     gql,
 )
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
-from reconcile.utils.openshift_resource import ResourceKeyExistsError
+from reconcile.utils.openshift_resource import (
+    ResourceInventory,
+    ResourceKeyExistsError,
+)
 from reconcile.utils.semver_helper import make_semver
 from reconcile.utils.sharding import is_in_shard
 
@@ -49,7 +55,7 @@ QONTRACT_INTEGRATION = "openshift-rolebindings"
 QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
 
 
-def construct_user_oc_resource(role, user):
+def construct_user_oc_resource(role: str, user: str) -> tuple[OR, str]:
     name = f"{role}-{user}"
     body = {
         "apiVersion": "rbac.authorization.k8s.io/v1",
@@ -66,7 +72,7 @@ def construct_user_oc_resource(role, user):
     )
 
 
-def construct_sa_oc_resource(role, namespace, sa_name):
+def construct_sa_oc_resource(role: str, namespace: str, sa_name: str) -> tuple[OR, str]:
     name = f"{role}-{namespace}-{sa_name}"
     body = {
         "apiVersion": "rbac.authorization.k8s.io/v1",
@@ -85,9 +91,16 @@ def construct_sa_oc_resource(role, namespace, sa_name):
     )
 
 
-def fetch_desired_state(ri, oc_map, enforced_user_keys=None):
+def fetch_desired_state(
+    ri: ResourceInventory | None,
+    oc_map: ob.ClusterMap | None,
+    enforced_user_keys: list[str] | None = None,
+) -> list[dict[str, str]]:
     gqlapi = gql.get_api()
-    roles: list[dict] = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
+    roles_query_result = gqlapi.query(ROLES_QUERY)
+    if not roles_query_result:
+        return []
+    roles: Sequence[Mapping[str, Any]] = expiration.filter(roles_query_result["roles"])
     users_desired_state = []
     for role in roles:
         permissions = [
@@ -124,11 +137,15 @@ def fetch_desired_state(ri, oc_map, enforced_user_keys=None):
 
             # get username keys based on used IDPs
             user_keys = ob.determine_user_keys_for_access(
-                cluster, cluster_info["auth"], enforced_user_keys=enforced_user_keys
+                cluster,
+                cluster_info.get("auth") or [],
+                enforced_user_keys=enforced_user_keys,
             )
             # create user rolebindings for user * user_keys
-            for user in role["users"]:
-                for username in {user[user_key] for user_key in user_keys}:
+            for user in role.get("users") or []:
+                for username in {user.get(key) for key in user_keys}:
+                    if not username:
+                        continue
                     # used by openshift-users and github integrations
                     # this is just to simplify things a bit on the their side
                     users_desired_state.append({"cluster": cluster, "user": username})
@@ -171,7 +188,13 @@ def fetch_desired_state(ri, oc_map, enforced_user_keys=None):
 
 
 @defer
-def run(dry_run, thread_pool_size=10, internal=None, use_jump_host=True, defer=None):
+def run(
+    dry_run: bool,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    defer: Callable | None = None,
+) -> None:
     namespaces = [
         namespace_info
         for namespace_info in queries.get_namespaces()
@@ -190,7 +213,8 @@ def run(dry_run, thread_pool_size=10, internal=None, use_jump_host=True, defer=N
         internal=internal,
         use_jump_host=use_jump_host,
     )
-    defer(oc_map.cleanup)
+    if defer:
+        defer(oc_map.cleanup)
     fetch_desired_state(ri, oc_map)
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
     ob.realize_data(dry_run, oc_map, ri, thread_pool_size)

reconcile/openshift_routes.py

@@ -1,6 +1,8 @@
+from collections.abc import Callable
 from typing import Any
 
 import reconcile.openshift_resources_base as orb
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.semver_helper import make_semver
 
@@ -10,14 +12,14 @@ PROVIDERS = ["route"]
 
 
 def run(
-    dry_run,
-    thread_pool_size=10,
-    internal=None,
-    use_jump_host=True,
-    cluster_name=None,
-    namespace_name=None,
-    defer=None,
-):
+    dry_run: bool,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    cluster_name: str | None = None,
+    namespace_name: str | None = None,
+    defer: Callable | None = None,
+) -> None:
     orb.QONTRACT_INTEGRATION = QONTRACT_INTEGRATION
     orb.QONTRACT_INTEGRATION_VERSION = QONTRACT_INTEGRATION_VERSION
 
@@ -32,7 +34,7 @@ def run(
     )
 
 
-def early_exit_desired_state(*args, **kwargs) -> dict[str, Any]:
+def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
     return orb.early_exit_desired_state(PROVIDERS)
 
 

reconcile/openshift_saas_deploy.py

@@ -25,6 +25,7 @@ from reconcile.typed_queries.saas_files import (
     SaasFileList,
     get_saasherder_settings,
 )
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import GitLabApi
 from reconcile.utils.openshift_resource import ResourceInventory
@@ -109,7 +110,7 @@ def slack_notify(
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     io_dir: str = "throughput/",
     use_jump_host: bool = True,
     saas_file_name: str | None = None,
@@ -259,7 +260,7 @@ def run(
         all_callers=[sf.name for sf in all_saas_files if not sf.deprecated],
         wait_for_namespace=True,
         no_dry_run_skip_compare=(not saasherder.compare),
-        take_over=saasherder.take_over,
+        take_over=bool(saasherder.take_over),
     )
 
     if not dry_run:

reconcile/openshift_saas_deploy_trigger_cleaner.py

@@ -18,6 +18,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
 from reconcile.typed_queries.tekton_pipeline_providers import (
     get_tekton_pipeline_providers,
 )
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.oc_map import (
     OCLogMsg,
@@ -63,7 +64,7 @@ def get_pipeline_runs_to_delete(
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     defer: Callable | None = None,

reconcile/openshift_saas_deploy_trigger_configs.py

@@ -2,6 +2,7 @@ import sys
 
 import reconcile.openshift_saas_deploy_trigger_base as osdt_base
 from reconcile.status import ExitCodes
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.saasherder import TriggerTypes
 from reconcile.utils.semver_helper import make_semver
 
@@ -11,7 +12,7 @@ QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
 
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     include_trigger_trace: bool = False,

reconcile/openshift_saas_deploy_trigger_images.py

@@ -2,6 +2,7 @@ import sys
 
 import reconcile.openshift_saas_deploy_trigger_base as osdt_base
 from reconcile.status import ExitCodes
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.saasherder import TriggerTypes
 from reconcile.utils.semver_helper import make_semver
 
@@ -11,7 +12,7 @@ QONTRACT_INTEGRATION_VERSION = make_semver(0, 1, 0)
 
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     include_trigger_trace: bool = False,

reconcile/openshift_saas_deploy_trigger_moving_commits.py

@@ -2,6 +2,7 @@ import sys
 
 import reconcile.openshift_saas_deploy_trigger_base as osdt_base
 from reconcile.status import ExitCodes
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.saasherder import TriggerTypes
 from reconcile.utils.semver_helper import make_semver
 
@@ -11,7 +12,7 @@ QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
 
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     include_trigger_trace: bool = False,

reconcile/openshift_saas_deploy_trigger_upstream_jobs.py

@@ -2,6 +2,7 @@ import sys
 
 import reconcile.openshift_saas_deploy_trigger_base as osdt_base
 from reconcile.status import ExitCodes
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.saasherder import TriggerTypes
 from reconcile.utils.semver_helper import make_semver
 
@@ -11,7 +12,7 @@ QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
 
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     include_trigger_trace: bool = False,

reconcile/openshift_serviceaccount_tokens.py

@@ -9,6 +9,7 @@ from reconcile.gql_definitions.openshift_serviceaccount_tokens.tokens import (
     query as serviceaccount_tokens_query,
 )
 from reconcile.utils import gql
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.oc import OC_Map
@@ -204,7 +205,7 @@ def get_namespaces_with_serviceaccount_tokens(
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     vault_output_path: str = "",

reconcile/openshift_tekton_resources.py

@@ -11,6 +11,7 @@ from reconcile import openshift_base as ob
 from reconcile import queries
 from reconcile.status import ExitCodes
 from reconcile.utils import gql
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
 from reconcile.utils.parse_dhms_duration import (
@@ -421,7 +422,7 @@ def build_one_per_saas_file_tkn_task_name(
 
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     saas_file_name: str | None = None,

reconcile/openshift_upgrade_watcher.py

@@ -12,6 +12,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.typed_queries.clusters import get_clusters
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.oc_map import (
     OCLogMsg,
@@ -155,7 +156,7 @@ def notify_cluster_new_version(
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     defer: Callable | None = None,

reconcile/openshift_users.py

@@ -22,6 +22,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.typed_queries.clusters_minimal import get_clusters_minimal
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.oc_map import (
     OCLogMsg,
@@ -167,7 +168,7 @@ def act(diff: Mapping[str, Any], oc_map: OCMap) -> None:
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     defer: Callable | None = None,

reconcile/openshift_vault_secrets.py

@@ -1,9 +1,11 @@
 from collections import defaultdict
+from collections.abc import Callable
 from typing import Any
 
 from deepdiff import DeepHash
 
 import reconcile.openshift_resources_base as orb
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.semver_helper import make_semver
 
@@ -13,14 +15,14 @@ PROVIDERS = ["vault-secret"]
 
 
 def run(
-    dry_run,
-    thread_pool_size=10,
-    internal=None,
-    use_jump_host=True,
-    cluster_name=None,
-    namespace_name=None,
-    defer=None,
-):
+    dry_run: bool,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    cluster_name: str | None = None,
+    namespace_name: str | None = None,
+    defer: Callable | None = None,
+) -> None:
     orb.QONTRACT_INTEGRATION = QONTRACT_INTEGRATION
     orb.QONTRACT_INTEGRATION_VERSION = QONTRACT_INTEGRATION_VERSION
 
@@ -35,7 +37,7 @@ def run(
     )
 
 
-def early_exit_desired_state(*args, **kwargs) -> dict[str, Any]:
+def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
     namespaces, _ = orb.get_namespaces(PROVIDERS)
 
     state_for_clusters = defaultdict(list)

reconcile/skupper_network/integration.py

@@ -21,6 +21,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.utils import gql
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.oc_map import (
@@ -246,7 +247,7 @@ def get_skupper_networks(query_func: Callable) -> list[SkupperNetworkV1]:
 @defer
 def run(
     dry_run: bool,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     defer: Callable | None = None,

reconcile/terraform_aws_route53.py

@@ -10,6 +10,7 @@ from reconcile import queries
 from reconcile.status import ExitCodes
 from reconcile.utils import dnsutils
 from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.external_resources import (
     PROVIDER_AWS,
@@ -205,7 +206,7 @@ def run(
     dry_run: bool = False,
     print_to_file: str | None = None,
     enable_deletion: bool = True,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     account_name: str | None = None,
     defer=None,
 ):

reconcile/terraform_resources.py

@@ -31,6 +31,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
 from reconcile.typed_queries.terraform_namespaces import get_namespaces
 from reconcile.utils import gql
 from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.extended_early_exit import (
     ExtendedEarlyExitRunnerResult,
@@ -367,7 +368,7 @@ def run(
     dry_run: bool,
     print_to_file: str | None = None,
     enable_deletion: bool = False,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     light: bool = False,
@@ -473,7 +474,7 @@ def runner(
     secret_reader: SecretReaderBase,
     dry_run: bool,
     enable_deletion: bool = False,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
     light: bool = False,

reconcile/terraform_tgw_attachments.py

@@ -37,6 +37,7 @@ from reconcile.typed_queries.terraform_tgw_attachments.aws_accounts import (
 )
 from reconcile.utils import gql
 from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.extended_early_exit import (
@@ -423,7 +424,7 @@ def setup(
     account_name: str | None,
     desired_state_data_source: DesiredStateDataSource,
     tgw_accounts: list[dict[str, Any]],
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     print_to_file: str | None = None,
 ) -> tuple[SecretReaderBase, AWSApi, Terraform, Terrascript]:
     tgw_clusters = desired_state_data_source.clusters
@@ -500,7 +501,7 @@ def run(
     dry_run: bool,
     print_to_file: str | None = None,
     enable_deletion: bool = False,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     account_name: str | None = None,
     defer: Callable | None = None,
     enable_extended_early_exit: bool = False,

reconcile/terraform_users.py

@@ -16,6 +16,7 @@ from reconcile.utils import (
     gql,
 )
 from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.secret_reader import SecretReader
@@ -237,7 +238,7 @@ def run(
     dry_run: bool,
     print_to_file: str | None = None,
     enable_deletion: bool = False,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     send_mails: bool = True,
     account_name: str | None = None,
 ):

reconcile/terraform_vpc_peerings.py

@@ -12,6 +12,7 @@ from reconcile.utils import (
     ocm,
 )
 from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.extended_early_exit import (
     ExtendedEarlyExitRunnerResult,
@@ -566,7 +567,7 @@ def run(
     dry_run: bool,
     print_to_file: bool | None = None,
     enable_deletion: bool = False,
-    thread_pool_size: int = 10,
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     account_name: str | None = None,
     enable_extended_early_exit: bool = False,
     extended_early_exit_cache_ttl_seconds: int = 3600,

reconcile/utils/aws_api_typed/account.py

@@ -1,11 +1,14 @@
+import logging
 from enum import StrEnum
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
     from mypy_boto3_account import AccountClient
+    from mypy_boto3_account.type_defs import AlternateContactTypeDef
 else:
-    AccountClient = object
+    AccountClient = AlternateContactTypeDef = object
 
+import botocore
 from pydantic import BaseModel
 
 
@@ -22,6 +25,9 @@ class Region(BaseModel):
     status: OptStatus
 
 
+log = logging.getLogger(__name__)
+
+
 class AWSApiAccount:
     def __init__(self, client: AccountClient) -> None:
         self.client = client
@@ -30,13 +36,39 @@ class AWSApiAccount:
         self, name: str, title: str, email: str, phone_number: str
     ) -> None:
         """Set the security contact for the account."""
-        self.client.put_alternate_contact(
-            AlternateContactType="SECURITY",
-            EmailAddress=email,
-            Name=name,
-            Title=title,
-            PhoneNumber=phone_number,
-        )
+        try:
+            self.client.put_alternate_contact(
+                AlternateContactType="SECURITY",
+                EmailAddress=email,
+                Name=name,
+                Title=title,
+                PhoneNumber=phone_number,
+            )
+        except botocore.exceptions.ClientError as e:
+            if e.response["Error"]["Code"] != "AccessDenied":
+                raise
+
+            # This exception is raised if the user does not have permission to perform this action.
+            # Let's see if the current security contact is already set to the same values.
+            current_contact = self.get_security_contact()
+            if (
+                not current_contact
+                or current_contact["EmailAddress"] != email
+                or current_contact["Name"] != name
+                or current_contact["Title"] != title
+                or current_contact["PhoneNumber"] != phone_number
+            ):
+                raise
+
+    def get_security_contact(self) -> AlternateContactTypeDef | None:
+        """Get the security contact for the account."""
+        try:
+            return self.client.get_alternate_contact(AlternateContactType="SECURITY")[
+                "AlternateContact"
+            ]
+        except self.client.exceptions.ResourceNotFoundException:
+            log.warning("Security contact not set.")
+            return None
 
     def list_regions(self) -> list[Region]:
         """List all regions in the account."""

reconcile/utils/aws_api_typed/iam.py

@@ -1,5 +1,6 @@
 from typing import TYPE_CHECKING
 
+import botocore
 from pydantic import BaseModel, Field
 
 if TYPE_CHECKING:
@@ -40,10 +41,12 @@ class AWSApiIam:
         try:
             user = self.client.create_user(UserName=user_name)
             return AWSUser(**user["User"])
-        except self.client.exceptions.EntityAlreadyExistsException:
-            raise AWSEntityAlreadyExistsError(
-                f"User {user_name} already exists"
-            ) from None
+        except botocore.exceptions.ClientError as e:
+            if e.response["Error"]["Code"] == "EntityAlreadyExists":
+                raise AWSEntityAlreadyExistsError(
+                    f"User {user_name} already exists"
+                ) from e
+            raise
 
     def attach_user_policy(self, user_name: str, policy_arn: str) -> None:
         """Attach a policy to a user."""
@@ -60,8 +63,15 @@ class AWSApiIam:
         """Set the account alias."""
         try:
             self.client.create_account_alias(AccountAlias=account_alias)
-        except self.client.exceptions.EntityAlreadyExistsException:
-            if self.get_account_alias() != account_alias:
-                raise ValueError(
-                    "Account alias already exists for another AWS account. Choose another one!"
-                ) from None
+        except botocore.exceptions.ClientError as e:
+            if e.response["Error"]["Code"] == "EntityAlreadyExists":
+                if self.get_account_alias() != account_alias:
+                    raise ValueError(
+                        "Account alias already exists for another AWS account. Choose another one!"
+                    ) from e
+            elif e.response["Error"]["Code"] == "AccessDenied":
+                # AccessDeniedException can occur if the user does not have permission to create an account alias.
+                # This can happen if the alias is already set and we don't have permission to change it.
+                # If the existing alias is the one we want, we can ignore the error.
+                if self.get_account_alias() != account_alias:
+                    raise

reconcile/utils/constants.py

@@ -3,3 +3,4 @@
 from pathlib import Path
 
 PROJ_ROOT = (Path(__file__) / ".." / "..").resolve()
+DEFAULT_THREAD_POOL_SIZE = 10