PyPI - qontract-reconcile - Versions diffs - 0.10.2.dev291__py3-none-any.whl → 0.10.2.dev292__py3-none-any.whl - Mend

qontract-reconcile 0.10.2.dev291py3-none-any.whl → 0.10.2.dev292py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

{qontract_reconcile-0.10.2.dev291.dist-info → qontract_reconcile-0.10.2.dev292.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev291
+Version: 0.10.2.dev292
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev291.dist-info → qontract_reconcile-0.10.2.dev292.dist-info}/RECORD RENAMED Viewed

@@ -658,7 +658,7 @@ reconcile/utils/sqs_gateway.py,sha256=XNIf3PY4UCPNufP2Ul0UJj3fKlt5larBba-VTT-41F
 reconcile/utils/state.py,sha256=vCHYIfrWLfPyIWEHSaADWlc4OqhwcOiqM3Egqvw-lfo,16372
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/terraform_client.py,sha256=GoLbfs4d4YItNCeV3NZnrth4sD8ziNYgY2IszruRDpg,37303
-reconcile/utils/terrascript_aws_client.py,sha256=VtJ7jpvAbEi2gS_2ZTuEhBooVjqwmLieSud2mI-XVUk,292501
+reconcile/utils/terrascript_aws_client.py,sha256=jVzh5PmphbCAN7Pog_PFYHoHj7lmQGb6Q4FwT_c8pF8,295634
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=6V15LByFghp-U3k0N4lum6V7qt2EAlRfcAxjy5e-FAU,15146
@@ -796,7 +796,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=uQv2QJAmUXP1g2GPIH30WTlvL9soY6m9lefpZEVDM5w,3965
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev291.dist-info/METADATA,sha256=dLj7pJ4qelVJQbwNLC8fr_wYbPGeJ0nx1qC0hJ3z2Mg,24916
-qontract_reconcile-0.10.2.dev291.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev291.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev291.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev292.dist-info/METADATA,sha256=ihGz58VKwtQQvhSNIkYsi1RwyscQpXOvPCSEIw9DpfM,24916
+qontract_reconcile-0.10.2.dev292.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev292.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev292.dist-info/RECORD,,

reconcile/utils/terrascript_aws_client.py CHANGED Viewed

@@ -190,13 +190,14 @@ from reconcile.utils.terraform import safe_resource_id
 from reconcile.utils.vcs import VCS
 GH_BASE_URL = os.environ.get("GITHUB_API", "https://api.github.com")
-LOGTOES_RELEASE = "repos/app-sre/logs-to-elasticsearch-lambda/releases/latest"
-KINESIS_TO_OS_RELEASE = (
+ROSA_AUTH_LOGTOES_RELEASE = "repos/app-sre/logs-to-elasticsearch-lambda/releases/latest"
+ROSA_AUTH_KINESIS_TO_OS_RELEASE = (
     "https://github.com/app-sre/kinesis-to-opensearch-lambda/releases/latest"
 )
-ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE = (
+ROSA_AUTH_PRE_SIGNUP_RELEASE = (
     "repos/app-sre/cognito-pre-signup-trigger/releases/latest"
 )
+ROSA_AUTH_PRE_TOKEN_RELEASE = "repos/app-sre/cognito-pre-token-trigger/releases/latest"
 # VARIABLE_KEYS are passed to common_values on instantiation of a provider
 VARIABLE_KEYS = [
     "region",
@@ -546,12 +547,14 @@ class TerrascriptClient:
         self.partitions = {
             a["name"]: a.get("partition") or "aws" for a in filtered_accounts
         }
-        self.logtoes_zip = ""
-        self.logtoes_zip_lock = Lock()
-        self.rosa_authenticator_pre_signup_zip = ""
-        self.rosa_authenticator_pre_signup_zip_lock = Lock()
-        self.lambda_zip: dict[str, str] = {}
-        self.lambda_lock = Lock()
+        self.rosa_auth_logtoes_zip = ""
+        self.rosa_auth_logtoes_zip_lock = Lock()
+        self.rosa_auth_pre_signup_zip = ""
+        self.rosa_auth_pre_signup_zip_lock = Lock()
+        self.rosa_auth_pre_token_zip = ""
+        self.rosa_auth_pre_token_zip_lock = Lock()
+        self.rosa_auth_kinesis_to_os_zip: dict[str, str] = {}
+        self.rosa_auth_kinesis_to_os_zip_lock = Lock()
         self.github: Github | None = None
         self.github_lock = Lock()
         self.gitlab: GitLabApi | None = None
@@ -608,15 +611,17 @@ class TerrascriptClient:
             )
         raise ValueError(f"No bucket config found for account {account_name}")
-    def get_lambda_zip(self, release_url: str) -> str:
-        if not self.lambda_zip.get(release_url):
-            with self.lambda_lock:
+    def get_rosa_auth_kinesis_to_os_zip(self, release_url: str) -> str:
+        if not self.rosa_auth_kinesis_to_os_zip.get(release_url):
+            with self.rosa_auth_kinesis_to_os_zip_lock:
                 # this may have already happened, so we check again
-                if not self.lambda_zip.get(release_url):
-                    self.lambda_zip[release_url] = self.download_lambda_zip(release_url)
-        return self.lambda_zip[release_url]
+                if not self.rosa_auth_kinesis_to_os_zip.get(release_url):
+                    self.rosa_auth_kinesis_to_os_zip[release_url] = (
+                        self.download_rosa_auth_kinesis_to_os_zip(release_url)
+                    )
+        return self.rosa_auth_kinesis_to_os_zip[release_url]
-    def download_lambda_zip(self, release_url: str) -> str:
+    def download_rosa_auth_kinesis_to_os_zip(self, release_url: str) -> str:
         github = self.init_github()
         url = release_url.replace("https://", "").split("/")
         repo_name = f"{url[1]}/{url[2]}"
@@ -639,14 +644,16 @@ class TerrascriptClient:
         return zip_file
     def get_logtoes_zip(self, release_url):
-        if not self.logtoes_zip:
-            with self.logtoes_zip_lock:
+        if not self.rosa_auth_logtoes_zip:
+            with self.rosa_auth_logtoes_zip_lock:
                 # this may have already happened, so we check again
-                if not self.logtoes_zip:
+                if not self.rosa_auth_logtoes_zip:
                     self.token = get_default_config()["token"]
-                    self.logtoes_zip = self.download_logtoes_zip(LOGTOES_RELEASE)
-        if release_url == LOGTOES_RELEASE:
-            return self.logtoes_zip
+                    self.rosa_auth_logtoes_zip = self.download_logtoes_zip(
+                        ROSA_AUTH_LOGTOES_RELEASE
+                    )
+        if release_url == ROSA_AUTH_LOGTOES_RELEASE:
+            return self.rosa_auth_logtoes_zip
         return self.download_logtoes_zip(release_url)
     def download_logtoes_zip(self, release_url):
@@ -663,28 +670,57 @@ class TerrascriptClient:
                 f.write(r.content)
         return zip_file
-    def get_rosa_authenticator_zip(self, release_url):
-        if not self.rosa_authenticator_pre_signup_zip:
-            with self.rosa_authenticator_pre_signup_zip_lock:
+    def get_rosa_auth_pre_signup_zip(self, release_url):
+        if not self.rosa_auth_pre_signup_zip:
+            with self.rosa_auth_pre_signup_zip_lock:
                 # this may have already happened, so we check again
-                if not self.rosa_authenticator_pre_signup_zip:
+                if not self.rosa_auth_pre_signup_zip:
                     self.token = get_default_config()["token"]
-                    self.rosa_authenticator_pre_signup_zip = (
-                        self.download_rosa_authenticator_zip(
-                            ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE
+                    self.rosa_auth_pre_signup_zip = (
+                        self.download_rosa_auth_pre_signup_zip(
+                            ROSA_AUTH_PRE_SIGNUP_RELEASE
                         )
                     )
-        if release_url == ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE:
-            return self.rosa_authenticator_pre_signup_zip
-        return self.download_rosa_authenticator_zip(release_url)
+        if release_url == ROSA_AUTH_PRE_SIGNUP_RELEASE:
+            return self.rosa_auth_pre_signup_zip
+        return self.download_rosa_auth_pre_signup_zip(release_url)
-    def download_rosa_authenticator_zip(self, release_url):
+    def download_rosa_auth_pre_signup_zip(self, release_url):
         headers = {"Authorization": "token " + self.token}
         r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
         r.raise_for_status()
         data = r.json()
         zip_url = data["assets"][0]["browser_download_url"]
-        zip_file = "/tmp/RosaAuthenticatorLambda-" + data["tag_name"] + ".zip"
+        zip_file = "/tmp/RosaAuthPreSignUp-" + data["tag_name"] + ".zip"
+        if not os.path.exists(zip_file):
+            r = requests.get(zip_url, timeout=60)
+            r.raise_for_status()
+            with open(zip_file, "wb") as f:
+                f.write(r.content)
+        return zip_file
+    def get_rosa_auth_pre_token_zip(self, release_url):
+        if not self.rosa_auth_pre_token_zip:
+            with self.rosa_auth_pre_token_zip_lock:
+                # this may have already happened, so we check again
+                if not self.rosa_auth_pre_token_zip:
+                    self.token = get_default_config()["token"]
+                    self.rosa_auth_pre_token_zip = (
+                        self.download_rosa_auth_pre_token_zip(
+                            ROSA_AUTH_PRE_TOKEN_RELEASE
+                        )
+                    )
+        if release_url == ROSA_AUTH_PRE_TOKEN_RELEASE:
+            return self.rosa_auth_pre_token_zip
+        return self.download_rosa_auth_pre_token_zip(release_url)
+    def download_rosa_auth_pre_token_zip(self, release_url):
+        headers = {"Authorization": "token " + self.token}
+        r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
+        r.raise_for_status()
+        data = r.json()
+        zip_url = data["assets"][0]["browser_download_url"]
+        zip_file = "/tmp/RosaAuthPreToken-" + data["tag_name"] + ".zip"
         if not os.path.exists(zip_file):
             r = requests.get(zip_url, timeout=60)
             r.raise_for_status()
@@ -3697,7 +3733,7 @@ class TerrascriptClient:
                 data.aws_elasticsearch_domain(es_identifier, **es_domain)
             )
-            release_url = common_values.get("release_url", LOGTOES_RELEASE)
+            release_url = common_values.get("release_url", ROSA_AUTH_LOGTOES_RELEASE)
             zip_file = self.get_logtoes_zip(release_url)
             lambda_identifier = f"{identifier}-lambda"
@@ -4007,8 +4043,10 @@ class TerrascriptClient:
                 data.aws_elasticsearch_domain(es_identifier, **es_domain)
             )
-            release_url = common_values.get("release_url", KINESIS_TO_OS_RELEASE)
-            zip_file = self.get_lambda_zip(release_url)
+            release_url = common_values.get(
+                "release_url", ROSA_AUTH_KINESIS_TO_OS_RELEASE
+            )
+            zip_file = self.get_rosa_auth_kinesis_to_os_zip(release_url)
             lambda_identifier = f"{identifier}-lambda"
             lambda_values = {
@@ -5983,16 +6021,14 @@ class TerrascriptClient:
         tf_resources.append(lambda_iam_role_resource)
         # Setup + manage Lambda resources
-        # pre-signup lambda
-        release_url = common_values.get(
-            "release_url", ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE
-        )
-        zip_file = self.get_rosa_authenticator_zip(release_url)
+        # pre-signup lambda
+        release_url = common_values.get("release_url", ROSA_AUTH_PRE_SIGNUP_RELEASE)
+        zip_file = self.get_rosa_auth_pre_signup_zip(release_url)
         cognito_pre_signup_lambda_resource = aws_lambda_function(
             "cognito_pre_signup",
             function_name=f"ocm-{identifier}-cognito-pre-signup",
-            runtime="nodejs14.x",
+            runtime="nodejs18.x",
             role=f"${{{lambda_iam_role_resource.arn}}}",
             handler="index.handler",
             filename=zip_file,
@@ -6001,6 +6037,21 @@ class TerrascriptClient:
         )
         tf_resources.append(cognito_pre_signup_lambda_resource)
+        # pre-token lambda
+        release_url = common_values.get("release_url", ROSA_AUTH_PRE_TOKEN_RELEASE)
+        zip_file = self.get_rosa_auth_pre_token_zip(release_url)
+        cognito_pre_token_lambda_resource = aws_lambda_function(
+            "cognito_pre_token",
+            function_name=f"ocm-{identifier}-cognito-pre-token",
+            runtime="nodejs18.x",
+            role=f"${{{lambda_iam_role_resource.arn}}}",
+            handler="index.handler",
+            filename=zip_file,
+            source_code_hash='${filebase64sha256("' + zip_file + '")}',
+            tracing_config={"mode": "PassThrough"},
+        )
+        tf_resources.append(cognito_pre_token_lambda_resource)
         # setup s3_client
         # pattern followed from utils/state.py
         # The variable "account" is the name of the AWS account we are reconciling
@@ -6084,7 +6135,8 @@ class TerrascriptClient:
             "pool",
             name=f"ocm-{identifier}-pool",
             lambda_config={
-                "pre_sign_up": f"${{{cognito_pre_signup_lambda_resource.arn}}}"
+                "pre_sign_up": f"${{{cognito_pre_signup_lambda_resource.arn}}}",
+                "pre_token_generation": f"${{{cognito_pre_token_lambda_resource.arn}}}",
             },
             **pool_args,
         )
@@ -6100,6 +6152,16 @@ class TerrascriptClient:
         )
         tf_resources.append(cognito_pre_signup_lambda_permission_resource)
+        # Finish up lambda - pre token
+        cognito_pre_token_lambda_permission_resource = aws_lambda_permission(
+            "cognito_pre_token_permission",
+            action="lambda:InvokeFunction",
+            function_name=cognito_pre_token_lambda_resource.function_name,
+            source_arn=f"${{{cognito_user_pool_resource.arn}}}",
+            principal="cognito-idp.amazonaws.com",
+        )
+        tf_resources.append(cognito_pre_token_lambda_permission_resource)
         # POOL DOMAIN
         cognito_user_pool_domain_resource = aws_cognito_user_pool_domain(
             "userpool_domain",
@@ -6582,7 +6644,7 @@ class TerrascriptClient:
             response_parameters={
                 "method.response.header.Location": f"'{user_pool_url}/oauth2/authorize?client_id="
                 f"${{{cognito_user_pool_client.id}}}\u0026response_type=code"
-                f"\u0026scope=openid+gateway/AccessToken\u0026redirect_uri={bucket_url}/"
+                f"\u0026scope=email+openid+gateway/AccessToken\u0026redirect_uri={bucket_url}/"
                 "token.html'",
             },
             depends_on=["aws_api_gateway_integration.gw_integration_auth"],

{qontract_reconcile-0.10.2.dev291.dist-info → qontract_reconcile-0.10.2.dev292.dist-info}/WHEEL RENAMED Viewed

File without changes

{qontract_reconcile-0.10.2.dev291.dist-info → qontract_reconcile-0.10.2.dev292.dist-info}/entry_points.txt RENAMED Viewed

File without changes

qontract-reconcile 0.10.2.dev291__py3-none-any.whl → 0.10.2.dev292__py3-none-any.whl

qontract-reconcile 0.10.2.dev291py3-none-any.whl → 0.10.2.dev292py3-none-any.whl