qontract-reconcile 0.10.2.dev291__py3-none-any.whl → 0.10.2.dev293__py3-none-any.whl

{qontract_reconcile-0.10.2.dev291.dist-info → qontract_reconcile-0.10.2.dev293.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev291
+Version: 0.10.2.dev293
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev291.dist-info → qontract_reconcile-0.10.2.dev293.dist-info}/RECORD

@@ -213,7 +213,7 @@ reconcile/glitchtip_project_alerts/integration.py,sha256=d3PMy-mQSbSZdIGAVaZCA2U
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip_project_dsn/integration.py,sha256=3GgcqUM6hWhLpo9Yx5Xr9vrdexF-WNevVCNL9bJ0Upc,8162
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/introspection.json,sha256=3-WcCYBV8GP1OH1_NLgu9yyXNSNZDJ5_1dZIiTCWhwM,2346833
+reconcile/gql_definitions/introspection.json,sha256=CQAoUjEbdjRlHyYeLjs1PTMiP_RQrPzD0yCj08aYawA,2348381
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
 reconcile/gql_definitions/acs/acs_policies.py,sha256=Ygpfl2-VkYLSlJvHgp_dJBfb66K_Rwfdfpsa18w1v1s,4338
@@ -409,8 +409,8 @@ reconcile/gql_definitions/status_board/status_board.py,sha256=BYq-1g_-AjNKHIKmY2
 reconcile/gql_definitions/statuspage/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/statuspage/statuspages.py,sha256=CTRzjiR9k41LqlkgyoNHwC2JERsoD_Run_aK7jw_Ono,5299
 reconcile/gql_definitions/templating/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/templating/template_collection.py,sha256=I9razKZ9BThTn1HZW1AamwF0EKXxLACL30DxGxev-rA,4045
-reconcile/gql_definitions/templating/templates.py,sha256=bV1JWwxDW8opARBOrZ_h5NBsJfM-9aL-povmTZnpTOk,3296
+reconcile/gql_definitions/templating/template_collection.py,sha256=alQA1qLhL0nOFcnA0O2Z7HCuuAviZXM66t6yeur9XWo,4123
+reconcile/gql_definitions/templating/templates.py,sha256=rQ14gs5dMttxVuW5q26p23Y8c5vCNh8dSec9ucTGlKc,3372
 reconcile/gql_definitions/terraform_cloudflare_dns/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_cloudflare_dns/app_interface_cloudflare_dns_settings.py,sha256=eyGX9HcTF6MZbOYZ6Kl6Mg3k6nJTUtwqs9gDxBP_8Dk,1920
 reconcile/gql_definitions/terraform_cloudflare_dns/terraform_cloudflare_zones.py,sha256=dBQ2tyAp-eRZs59mguaTc6-x67JUoSxtZ8mOjbRqDuc,5832
@@ -507,12 +507,12 @@ reconcile/templates/jira-checkpoint-missinginfo.j2,sha256=c_Vvg-lEENsB3tgxm9B6Y9
 reconcile/templates/rosa-classic-cluster-creation.sh.j2,sha256=M-nzp-GtkQNRe8rdoDAndSKJSJhcJwNFKeql-JP2W7M,2094
 reconcile/templates/rosa-hcp-cluster-creation.sh.j2,sha256=eeT7xUhmz7Q_HtJOQALF5snZE8cUPGkIh6WUlcBHhhs,2349
 reconcile/templating/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/templating/renderer.py,sha256=VA_lMMtsyEFc0Cwf0jehQdv3tMEJtfyZMzBgA5us5ME,14856
+reconcile/templating/renderer.py,sha256=YVKhk1piAnk3faT81oeZeMHnFV78Mt-_wgtIC693vtE,14907
 reconcile/templating/validator.py,sha256=5f9f35PCHOOdjb7KZquL2YdabyuAUokPDa4xutSEHIQ,5360
 reconcile/templating/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/templating/lib/merge_request_manager.py,sha256=XwpOR4rVS9ZiJ_Mn8qfCXPZ7CRLMGSJgeIkqD-8Jhgc,5228
 reconcile/templating/lib/model.py,sha256=YVUIXuPny3_kpFgBMSud8q_ndY5o882wKiX0l0A14L4,481
-reconcile/templating/lib/rendering.py,sha256=IzTbXJ5cO0c9mV6P9HrstOo79ovOcoNVtmyc6RgfMe0,6241
+reconcile/templating/lib/rendering.py,sha256=qjs7WAVSvWH4edbBk6Aaql4ZT_OG9W7L8qi_YeJkHVI,6973
 reconcile/terraform_init/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/terraform_init/integration.py,sha256=pPi4YAjbEE8vDaaRizGf-d-PewqqSJmjcLgAsWFS7G0,6236
 reconcile/terraform_init/merge_request.py,sha256=3CYtgSd7Q9zjKg4wsDz437EPCRfGeZZ8fZ0Y-ChKXJY,1475
@@ -658,7 +658,7 @@ reconcile/utils/sqs_gateway.py,sha256=XNIf3PY4UCPNufP2Ul0UJj3fKlt5larBba-VTT-41F
 reconcile/utils/state.py,sha256=vCHYIfrWLfPyIWEHSaADWlc4OqhwcOiqM3Egqvw-lfo,16372
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/terraform_client.py,sha256=GoLbfs4d4YItNCeV3NZnrth4sD8ziNYgY2IszruRDpg,37303
-reconcile/utils/terrascript_aws_client.py,sha256=VtJ7jpvAbEi2gS_2ZTuEhBooVjqwmLieSud2mI-XVUk,292501
+reconcile/utils/terrascript_aws_client.py,sha256=jVzh5PmphbCAN7Pog_PFYHoHj7lmQGb6Q4FwT_c8pF8,295634
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=6V15LByFghp-U3k0N4lum6V7qt2EAlRfcAxjy5e-FAU,15146
@@ -796,7 +796,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=uQv2QJAmUXP1g2GPIH30WTlvL9soY6m9lefpZEVDM5w,3965
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev291.dist-info/METADATA,sha256=dLj7pJ4qelVJQbwNLC8fr_wYbPGeJ0nx1qC0hJ3z2Mg,24916
-qontract_reconcile-0.10.2.dev291.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev291.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev291.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev293.dist-info/METADATA,sha256=1dwm4wJoCGKDdjglqMJw3fdWAvuquaPeE2BIpH7wkUc,24916
+qontract_reconcile-0.10.2.dev293.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev293.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev293.dist-info/RECORD,,

reconcile/gql_definitions/introspection.json

@@ -6451,6 +6451,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "externalOrgId",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "environment",
                             "description": null,
@@ -34178,6 +34190,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "overwrite",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "Boolean",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "patch",
                             "description": null,
@@ -41014,6 +41038,18 @@
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
+                        },
+                        {
+                            "name": "promtool_version",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
                         }
                     ],
                     "inputFields": null,

reconcile/gql_definitions/templating/template_collection.py

@@ -40,6 +40,7 @@ query TemplateCollection_v1($name: String) {
       autoApproved
       condition
       targetPath
+      overwrite
       patch {
         path
         identifier
@@ -92,6 +93,7 @@ class TemplateV1(ConfiguredBaseModel):
     auto_approved: Optional[bool] = Field(..., alias="autoApproved")
     condition: Optional[str] = Field(..., alias="condition")
     target_path: str = Field(..., alias="targetPath")
+    overwrite: Optional[bool] = Field(..., alias="overwrite")
     patch: Optional[TemplatePatchV1] = Field(..., alias="patch")
     template: str = Field(..., alias="template")
     template_render_options: Optional[TemplateRenderOptionsV1] = Field(..., alias="templateRenderOptions")

reconcile/gql_definitions/templating/templates.py

@@ -24,6 +24,7 @@ query Templatev1 {
     name
     autoApproved
     condition
+    overwrite
     patch {
       path
       identifier
@@ -78,6 +79,7 @@ class TemplateV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     auto_approved: Optional[bool] = Field(..., alias="autoApproved")
     condition: Optional[str] = Field(..., alias="condition")
+    overwrite: Optional[bool] = Field(..., alias="overwrite")
     patch: Optional[TemplatePatchV1] = Field(..., alias="patch")
     target_path: str = Field(..., alias="targetPath")
     template: str = Field(..., alias="template")

reconcile/templating/lib/rendering.py

@@ -1,5 +1,6 @@
 import logging
 from abc import ABC, abstractmethod
+from functools import cached_property
 from io import StringIO
 from typing import Any, Protocol
 
@@ -33,6 +34,7 @@ class Template(Protocol):
     condition: str | None
     target_path: str
     template: str
+    overwrite: bool | None
 
     def dict(self) -> dict[str, str]: ...
 
@@ -77,14 +79,28 @@ class Renderer(ABC):
         """
         pass
 
+    @abstractmethod
+    def target_exist(self) -> bool:
+        """
+        if target (file or patch block) already exists.
+        """
+        pass
+
     def render_target_path(self) -> str:
         return self._render_template(self.template.target_path).strip()
 
     def render_condition(self) -> bool:
-        return self._render_template(self.template.condition or "True") == "True"
+        if self._render_template(self.template.condition or "True") != "True":
+            return False
+        if self.template.overwrite:
+            return True
+        return not self.target_exist()
 
 
 class FullRenderer(Renderer):
+    def target_exist(self) -> bool:
+        return self.data.current is not None
+
     def render_output(self) -> str:
         """
         Take the variables from Template Data and render the template with it.
@@ -95,6 +111,12 @@ class FullRenderer(Renderer):
 
 
 class PatchRenderer(Renderer):
+    def target_exist(self) -> bool:
+        if isinstance(self._matched_value, list):
+            dta_identifier = self._get_identifier(self._data_to_add)
+            return self._find_index(self._matched_value, dta_identifier) is not None
+        return True
+
     def render_output(self) -> str:
         """
         Takes the variables from Template Data and render the template with it.
@@ -105,70 +127,69 @@ class PatchRenderer(Renderer):
 
         This method returns the entire file as a string.
         """
-        if self.template.patch is None:  # here to satisfy mypy
-            raise ValueError("PatchRenderer requires a patch")
-
-        p = parse_jsonpath(self._render_template(self.template.patch.path))
-
-        matched_values = [match.value for match in p.find(self.data.current)]
-
-        if len(matched_values) != 1:
-            raise ValueError(
-                f"Expected exactly one match for {self.template.patch.path}, got {len(matched_values)}"
-            )
-        matched_value = matched_values[0]
-
-        data_to_add = self.ruamel_instance.load(
-            self._render_template(self.template.template)
-        )
-
-        if isinstance(matched_value, list):
-
-            def get_identifier(data: dict[str, Any]) -> Any:
-                assert self.template.patch is not None  # mypy
-                if not self.template.patch.identifier:
-                    raise ValueError(
-                        f"Expected identifier in patch for list at {self.template}"
-                    )
-                if self.template.patch.identifier.startswith(
-                    "$"
-                ) and not self.template.patch.identifier.startswith("$ref"):
-                    # jsonpath and list of strings support
-                    if matches := [
-                        match.value
-                        for match in parse_jsonpath(
-                            self.template.patch.identifier
-                        ).find(data)
-                    ]:
-                        return matches[0]
-                    return None
-                return data.get(self.template.patch.identifier)
-
-            dta_identifier = get_identifier(data_to_add)
+        if isinstance(self._matched_value, list):
+            dta_identifier = self._get_identifier(self._data_to_add)
             if not dta_identifier:
+                assert self.template.patch is not None  # mypy
                 raise ValueError(
                     f"Expected identifier {self.template.patch.identifier} in data to add"
                 )
-
-            index = next(
-                (
-                    index
-                    for index, data in enumerate(matched_value)
-                    if get_identifier(data) == dta_identifier
-                ),
-                None,
-            )
-            if index is None:
-                matched_value.append(data_to_add)
+            if (
+                index := self._find_index(self._matched_value, dta_identifier)
+            ) is not None:
+                self._matched_value[index] = self._data_to_add
             else:
-                matched_value[index] = data_to_add
+                self._matched_value.append(self._data_to_add)
         else:
-            matched_value.update(data_to_add)
+            self._matched_value.update(self._data_to_add)
 
         with StringIO() as s:
             self.ruamel_instance.dump(self.data.current, s)
             return s.getvalue()
 
+    @cached_property
+    def _matched_value(self) -> Any:
+        assert self.template.patch is not None  # mypy
+        p = parse_jsonpath(self._render_template(self.template.patch.path))
+        matched_values = [match.value for match in p.find(self.data.current)]
+        if len(matched_values) != 1:
+            raise ValueError(
+                f"Expected exactly one match for {self.template.patch.path}, got {len(matched_values)}"
+            )
+        return matched_values[0]
+
+    @cached_property
+    def _data_to_add(self) -> Any:
+        return self.ruamel_instance.load(self._render_template(self.template.template))
+
+    def _get_identifier(self, data: dict[str, Any]) -> Any:
+        assert self.template.patch is not None  # mypy
+        if not self.template.patch.identifier:
+            raise ValueError(
+                f"Expected identifier in patch for list at {self.template}"
+            )
+        if self.template.patch.identifier.startswith(
+            "$"
+        ) and not self.template.patch.identifier.startswith("$ref"):
+            # jsonpath and list of strings support
+            if matches := [
+                match.value
+                for match in parse_jsonpath(self.template.patch.identifier).find(data)
+            ]:
+                return matches[0]
+            return None
+        return data.get(self.template.patch.identifier)
+
+    def _find_index(
+        self,
+        matched_value: list,
+        dta_identifier: Any,
+    ) -> int | None:
+        for index, data in enumerate(matched_value):
+            if self._get_identifier(data) == dta_identifier:
+                return index
+        return None
+
 
 def create_renderer(
     template: Template,

reconcile/templating/renderer.py

@@ -104,14 +104,17 @@ class LocalFilePersistence(FilePersistence):
     def read(self, path: str) -> str | None:
         return self._read_local_file(join_path(self.app_interface_data_path, path))
 
-    def __exit__(self, exc_type: Any, exc_value: Any, traceback: Any) -> None:
-        if self.dry_run:
-            return
+    def flush(self) -> None:
         for output in self.outputs:
             filepath = Path(join_path(self.app_interface_data_path, output.path))
             filepath.parent.mkdir(parents=True, exist_ok=True)
             filepath.write_text(output.content, encoding="utf-8")
 
+    def __exit__(self, exc_type: Any, exc_value: Any, traceback: Any) -> None:
+        if self.dry_run:
+            return
+        self.flush()
+
 
 class PersistenceTransaction(FilePersistence):
     """

reconcile/utils/terrascript_aws_client.py

@@ -190,13 +190,14 @@ from reconcile.utils.terraform import safe_resource_id
 from reconcile.utils.vcs import VCS
 
 GH_BASE_URL = os.environ.get("GITHUB_API", "https://api.github.com")
-LOGTOES_RELEASE = "repos/app-sre/logs-to-elasticsearch-lambda/releases/latest"
-KINESIS_TO_OS_RELEASE = (
+ROSA_AUTH_LOGTOES_RELEASE = "repos/app-sre/logs-to-elasticsearch-lambda/releases/latest"
+ROSA_AUTH_KINESIS_TO_OS_RELEASE = (
     "https://github.com/app-sre/kinesis-to-opensearch-lambda/releases/latest"
 )
-ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE = (
+ROSA_AUTH_PRE_SIGNUP_RELEASE = (
     "repos/app-sre/cognito-pre-signup-trigger/releases/latest"
 )
+ROSA_AUTH_PRE_TOKEN_RELEASE = "repos/app-sre/cognito-pre-token-trigger/releases/latest"
 # VARIABLE_KEYS are passed to common_values on instantiation of a provider
 VARIABLE_KEYS = [
     "region",
@@ -546,12 +547,14 @@ class TerrascriptClient:
         self.partitions = {
             a["name"]: a.get("partition") or "aws" for a in filtered_accounts
         }
-        self.logtoes_zip = ""
-        self.logtoes_zip_lock = Lock()
-        self.rosa_authenticator_pre_signup_zip = ""
-        self.rosa_authenticator_pre_signup_zip_lock = Lock()
-        self.lambda_zip: dict[str, str] = {}
-        self.lambda_lock = Lock()
+        self.rosa_auth_logtoes_zip = ""
+        self.rosa_auth_logtoes_zip_lock = Lock()
+        self.rosa_auth_pre_signup_zip = ""
+        self.rosa_auth_pre_signup_zip_lock = Lock()
+        self.rosa_auth_pre_token_zip = ""
+        self.rosa_auth_pre_token_zip_lock = Lock()
+        self.rosa_auth_kinesis_to_os_zip: dict[str, str] = {}
+        self.rosa_auth_kinesis_to_os_zip_lock = Lock()
         self.github: Github | None = None
         self.github_lock = Lock()
         self.gitlab: GitLabApi | None = None
@@ -608,15 +611,17 @@ class TerrascriptClient:
             )
         raise ValueError(f"No bucket config found for account {account_name}")
 
-    def get_lambda_zip(self, release_url: str) -> str:
-        if not self.lambda_zip.get(release_url):
-            with self.lambda_lock:
+    def get_rosa_auth_kinesis_to_os_zip(self, release_url: str) -> str:
+        if not self.rosa_auth_kinesis_to_os_zip.get(release_url):
+            with self.rosa_auth_kinesis_to_os_zip_lock:
                 # this may have already happened, so we check again
-                if not self.lambda_zip.get(release_url):
-                    self.lambda_zip[release_url] = self.download_lambda_zip(release_url)
-        return self.lambda_zip[release_url]
+                if not self.rosa_auth_kinesis_to_os_zip.get(release_url):
+                    self.rosa_auth_kinesis_to_os_zip[release_url] = (
+                        self.download_rosa_auth_kinesis_to_os_zip(release_url)
+                    )
+        return self.rosa_auth_kinesis_to_os_zip[release_url]
 
-    def download_lambda_zip(self, release_url: str) -> str:
+    def download_rosa_auth_kinesis_to_os_zip(self, release_url: str) -> str:
         github = self.init_github()
         url = release_url.replace("https://", "").split("/")
         repo_name = f"{url[1]}/{url[2]}"
@@ -639,14 +644,16 @@ class TerrascriptClient:
         return zip_file
 
     def get_logtoes_zip(self, release_url):
-        if not self.logtoes_zip:
-            with self.logtoes_zip_lock:
+        if not self.rosa_auth_logtoes_zip:
+            with self.rosa_auth_logtoes_zip_lock:
                 # this may have already happened, so we check again
-                if not self.logtoes_zip:
+                if not self.rosa_auth_logtoes_zip:
                     self.token = get_default_config()["token"]
-                    self.logtoes_zip = self.download_logtoes_zip(LOGTOES_RELEASE)
-        if release_url == LOGTOES_RELEASE:
-            return self.logtoes_zip
+                    self.rosa_auth_logtoes_zip = self.download_logtoes_zip(
+                        ROSA_AUTH_LOGTOES_RELEASE
+                    )
+        if release_url == ROSA_AUTH_LOGTOES_RELEASE:
+            return self.rosa_auth_logtoes_zip
         return self.download_logtoes_zip(release_url)
 
     def download_logtoes_zip(self, release_url):
@@ -663,28 +670,57 @@ class TerrascriptClient:
                 f.write(r.content)
         return zip_file
 
-    def get_rosa_authenticator_zip(self, release_url):
-        if not self.rosa_authenticator_pre_signup_zip:
-            with self.rosa_authenticator_pre_signup_zip_lock:
+    def get_rosa_auth_pre_signup_zip(self, release_url):
+        if not self.rosa_auth_pre_signup_zip:
+            with self.rosa_auth_pre_signup_zip_lock:
                 # this may have already happened, so we check again
-                if not self.rosa_authenticator_pre_signup_zip:
+                if not self.rosa_auth_pre_signup_zip:
                     self.token = get_default_config()["token"]
-                    self.rosa_authenticator_pre_signup_zip = (
-                        self.download_rosa_authenticator_zip(
-                            ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE
+                    self.rosa_auth_pre_signup_zip = (
+                        self.download_rosa_auth_pre_signup_zip(
+                            ROSA_AUTH_PRE_SIGNUP_RELEASE
                         )
                     )
-        if release_url == ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE:
-            return self.rosa_authenticator_pre_signup_zip
-        return self.download_rosa_authenticator_zip(release_url)
+        if release_url == ROSA_AUTH_PRE_SIGNUP_RELEASE:
+            return self.rosa_auth_pre_signup_zip
+        return self.download_rosa_auth_pre_signup_zip(release_url)
 
-    def download_rosa_authenticator_zip(self, release_url):
+    def download_rosa_auth_pre_signup_zip(self, release_url):
         headers = {"Authorization": "token " + self.token}
         r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
         r.raise_for_status()
         data = r.json()
         zip_url = data["assets"][0]["browser_download_url"]
-        zip_file = "/tmp/RosaAuthenticatorLambda-" + data["tag_name"] + ".zip"
+        zip_file = "/tmp/RosaAuthPreSignUp-" + data["tag_name"] + ".zip"
+        if not os.path.exists(zip_file):
+            r = requests.get(zip_url, timeout=60)
+            r.raise_for_status()
+            with open(zip_file, "wb") as f:
+                f.write(r.content)
+        return zip_file
+
+    def get_rosa_auth_pre_token_zip(self, release_url):
+        if not self.rosa_auth_pre_token_zip:
+            with self.rosa_auth_pre_token_zip_lock:
+                # this may have already happened, so we check again
+                if not self.rosa_auth_pre_token_zip:
+                    self.token = get_default_config()["token"]
+                    self.rosa_auth_pre_token_zip = (
+                        self.download_rosa_auth_pre_token_zip(
+                            ROSA_AUTH_PRE_TOKEN_RELEASE
+                        )
+                    )
+        if release_url == ROSA_AUTH_PRE_TOKEN_RELEASE:
+            return self.rosa_auth_pre_token_zip
+        return self.download_rosa_auth_pre_token_zip(release_url)
+
+    def download_rosa_auth_pre_token_zip(self, release_url):
+        headers = {"Authorization": "token " + self.token}
+        r = requests.get(GH_BASE_URL + "/" + release_url, headers=headers, timeout=60)
+        r.raise_for_status()
+        data = r.json()
+        zip_url = data["assets"][0]["browser_download_url"]
+        zip_file = "/tmp/RosaAuthPreToken-" + data["tag_name"] + ".zip"
         if not os.path.exists(zip_file):
             r = requests.get(zip_url, timeout=60)
             r.raise_for_status()
@@ -3697,7 +3733,7 @@ class TerrascriptClient:
                 data.aws_elasticsearch_domain(es_identifier, **es_domain)
             )
 
-            release_url = common_values.get("release_url", LOGTOES_RELEASE)
+            release_url = common_values.get("release_url", ROSA_AUTH_LOGTOES_RELEASE)
             zip_file = self.get_logtoes_zip(release_url)
 
             lambda_identifier = f"{identifier}-lambda"
@@ -4007,8 +4043,10 @@ class TerrascriptClient:
                 data.aws_elasticsearch_domain(es_identifier, **es_domain)
             )
 
-            release_url = common_values.get("release_url", KINESIS_TO_OS_RELEASE)
-            zip_file = self.get_lambda_zip(release_url)
+            release_url = common_values.get(
+                "release_url", ROSA_AUTH_KINESIS_TO_OS_RELEASE
+            )
+            zip_file = self.get_rosa_auth_kinesis_to_os_zip(release_url)
 
             lambda_identifier = f"{identifier}-lambda"
             lambda_values = {
@@ -5983,16 +6021,14 @@ class TerrascriptClient:
         tf_resources.append(lambda_iam_role_resource)
 
         # Setup + manage Lambda resources
-        # pre-signup lambda
-        release_url = common_values.get(
-            "release_url", ROSA_AUTHENTICATOR_PRE_SIGNUP_RELEASE
-        )
-        zip_file = self.get_rosa_authenticator_zip(release_url)
 
+        # pre-signup lambda
+        release_url = common_values.get("release_url", ROSA_AUTH_PRE_SIGNUP_RELEASE)
+        zip_file = self.get_rosa_auth_pre_signup_zip(release_url)
         cognito_pre_signup_lambda_resource = aws_lambda_function(
             "cognito_pre_signup",
             function_name=f"ocm-{identifier}-cognito-pre-signup",
-            runtime="nodejs14.x",
+            runtime="nodejs18.x",
             role=f"${{{lambda_iam_role_resource.arn}}}",
             handler="index.handler",
             filename=zip_file,
@@ -6001,6 +6037,21 @@ class TerrascriptClient:
         )
         tf_resources.append(cognito_pre_signup_lambda_resource)
 
+        # pre-token lambda
+        release_url = common_values.get("release_url", ROSA_AUTH_PRE_TOKEN_RELEASE)
+        zip_file = self.get_rosa_auth_pre_token_zip(release_url)
+        cognito_pre_token_lambda_resource = aws_lambda_function(
+            "cognito_pre_token",
+            function_name=f"ocm-{identifier}-cognito-pre-token",
+            runtime="nodejs18.x",
+            role=f"${{{lambda_iam_role_resource.arn}}}",
+            handler="index.handler",
+            filename=zip_file,
+            source_code_hash='${filebase64sha256("' + zip_file + '")}',
+            tracing_config={"mode": "PassThrough"},
+        )
+        tf_resources.append(cognito_pre_token_lambda_resource)
+
         # setup s3_client
         # pattern followed from utils/state.py
         # The variable "account" is the name of the AWS account we are reconciling
@@ -6084,7 +6135,8 @@ class TerrascriptClient:
             "pool",
             name=f"ocm-{identifier}-pool",
             lambda_config={
-                "pre_sign_up": f"${{{cognito_pre_signup_lambda_resource.arn}}}"
+                "pre_sign_up": f"${{{cognito_pre_signup_lambda_resource.arn}}}",
+                "pre_token_generation": f"${{{cognito_pre_token_lambda_resource.arn}}}",
             },
             **pool_args,
         )
@@ -6100,6 +6152,16 @@ class TerrascriptClient:
         )
         tf_resources.append(cognito_pre_signup_lambda_permission_resource)
 
+        # Finish up lambda - pre token
+        cognito_pre_token_lambda_permission_resource = aws_lambda_permission(
+            "cognito_pre_token_permission",
+            action="lambda:InvokeFunction",
+            function_name=cognito_pre_token_lambda_resource.function_name,
+            source_arn=f"${{{cognito_user_pool_resource.arn}}}",
+            principal="cognito-idp.amazonaws.com",
+        )
+        tf_resources.append(cognito_pre_token_lambda_permission_resource)
+
         # POOL DOMAIN
         cognito_user_pool_domain_resource = aws_cognito_user_pool_domain(
             "userpool_domain",
@@ -6582,7 +6644,7 @@ class TerrascriptClient:
             response_parameters={
                 "method.response.header.Location": f"'{user_pool_url}/oauth2/authorize?client_id="
                 f"${{{cognito_user_pool_client.id}}}\u0026response_type=code"
-                f"\u0026scope=openid+gateway/AccessToken\u0026redirect_uri={bucket_url}/"
+                f"\u0026scope=email+openid+gateway/AccessToken\u0026redirect_uri={bucket_url}/"
                 "token.html'",
             },
             depends_on=["aws_api_gateway_integration.gw_integration_auth"],