qontract-reconcile 0.10.2.dev345__py3-none-any.whl → 0.10.2.dev408__py3-none-any.whl

reconcile/external_resources/reconciler.py

@@ -70,10 +70,13 @@ class ReconciliationK8sJob(K8sJob, BaseModel, frozen=True):
     dry_run_suffix: str = ""
 
     def name_prefix(self) -> str:
+        identifier = (
+            f"{self.reconciliation.key.provider}-{self.reconciliation.key.identifier}"
+        )
         if self.is_dry_run:
-            return f"er-dry-run-mr-{self.dry_run_suffix}"
+            return f"er-dry-run-mr-{self.dry_run_suffix}-{identifier}"
         else:
-            return "er"
+            return f"er-{identifier}"
 
     def unit_of_work_identity(self) -> Any:
         return self.reconciliation.key

reconcile/external_resources/secrets_sync.py

@@ -3,7 +3,6 @@ import json
 import logging
 from abc import abstractmethod
 from collections.abc import Iterable, Mapping
-from datetime import UTC, datetime
 from hashlib import shake_128
 from typing import Any
 
@@ -18,17 +17,18 @@ from reconcile.external_resources.meta import (
     SECRET_ANN_PROVISION_PROVIDER,
     SECRET_ANN_PROVISIONER,
     SECRET_UPDATED_AT,
-    SECRET_UPDATED_AT_TIMEFORMAT,
 )
 from reconcile.external_resources.model import (
     ExternalResourceKey,
 )
 from reconcile.openshift_base import ApplyOptions, apply_action
 from reconcile.typed_queries.clusters_minimal import get_clusters_minimal
+from reconcile.utils.datetime_util import to_utc_seconds_iso_format, utc_now
 from reconcile.utils.differ import diff_mappings
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
 )
+from reconcile.utils.json import json_dumps
 from reconcile.utils.oc import (
     OCCli,
 )
@@ -154,7 +154,7 @@ class SecretsReconciler:
         annotations[SECRET_ANN_PROVIDER] = spec.provider
         annotations[SECRET_ANN_IDENTIFIER] = spec.identifier
         annotations[SECRET_UPDATED_AT] = spec.metadata[SECRET_UPDATED_AT]
-        spec.resource["annotations"] = json.dumps(annotations)
+        spec.resource["annotations"] = json_dumps(annotations)
 
     def _specs_with_secret(
         self,
@@ -351,9 +351,7 @@ class InClusterSecretsReconciler(SecretsReconciler):
             secret_name = secret["metadata"]["name"]
             spec = secrets_map[secret_name]
             spec.secret = self.output_secrets_formatter.format(secret["data"])
-            spec.metadata[SECRET_UPDATED_AT] = datetime.now(UTC).strftime(
-                SECRET_UPDATED_AT_TIMEFORMAT
-            )
+            spec.metadata[SECRET_UPDATED_AT] = to_utc_seconds_iso_format(utc_now())
 
     def _delete_source_secret(self, spec: ExternalResourceSpec) -> None:
         secret_name = self._get_spec_outputs_secret_name(spec)

reconcile/external_resources/state.py

@@ -1,6 +1,6 @@
 import logging
 from collections.abc import Mapping
-from datetime import UTC, datetime
+from datetime import datetime
 from enum import StrEnum
 from typing import Any
 
@@ -16,6 +16,7 @@ from reconcile.external_resources.model import (
     ResourceStatus,
 )
 from reconcile.utils.aws_api_typed.api import AWSApi
+from reconcile.utils.datetime_util import to_utc_microseconds_iso_format, utc_now
 
 DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
 
@@ -41,7 +42,7 @@ class ExternalResourceState(BaseModel):
         self, reconciliation_status: ReconciliationStatus
     ) -> None:
         if self.reconciliation_needs_state_update(reconciliation_status):
-            self.ts = datetime.now()
+            self.ts = utc_now()
             self.resource_status = reconciliation_status.resource_status
 
     def reconciliation_needs_state_update(
@@ -170,7 +171,7 @@ class DynamoDBStateAdapter:
     def serialize(self, state: ExternalResourceState) -> dict[str, Any]:
         return {
             self.ER_KEY_HASH: {"S": state.key.hash()},
-            self.TIMESTAMP: {"S": state.ts.isoformat()},
+            self.TIMESTAMP: {"S": to_utc_microseconds_iso_format(state.ts)},
             self.RESOURCE_STATUS: {"S": state.resource_status.value},
             self.ER_KEY: {
                 "M": {
@@ -271,7 +272,7 @@ class ExternalResourcesStateDynamoDB:
         else:
             return ExternalResourceState(
                 key=key,
-                ts=datetime.now(UTC),
+                ts=utc_now(),
                 resource_status=ResourceStatus.NOT_EXISTS,
                 reconciliation=Reconciliation(key=key),
                 reconciliation_errors=0,

reconcile/gabi_authorized_users.py

@@ -1,4 +1,3 @@
-import json
 import logging
 import sys
 from collections.abc import (
@@ -17,9 +16,11 @@ from reconcile import queries
 from reconcile.status import ExitCodes
 from reconcile.utils.aggregated_list import RunnerError
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.datetime_util import ensure_utc, utc_now
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.external_resources import get_external_resource_specs
+from reconcile.utils.json import json_dumps
 from reconcile.utils.openshift_resource import (
     OpenshiftResource,
     ResourceInventory,
@@ -39,12 +40,12 @@ def construct_gabi_oc_resource(
         "kind": "ConfigMap",
         "metadata": {"name": name, "annotations": {"qontract.recycle": "true"}},
         "data": {
-            "config.json": json.dumps(
+            "config.json": json_dumps(
                 {
                     "expiration": str(expiration_date),
                     "users": users,
                 },
-                separators=(",", ":"),
+                compact=True,
             ),
         },
     }
@@ -65,8 +66,10 @@ def fetch_desired_state(
     gabi_instances: Iterable[Mapping], ri: ResourceInventory
 ) -> None:
     for g in gabi_instances:
-        expiration_date = datetime.strptime(g["expirationDate"], "%Y-%m-%d").date()
-        if (expiration_date - date.today()).days > EXPIRATION_DAYS_MAX:
+        expiration_date = ensure_utc(
+            datetime.strptime(g["expirationDate"], "%Y-%m-%d")  # noqa: DTZ007
+        ).date()
+        if (expiration_date - utc_now().date()).days > EXPIRATION_DAYS_MAX:
             raise RunnerError(
                 f"The maximum expiration date of {g['name']} shall not "
                 f"exceed {EXPIRATION_DAYS_MAX} days from today"

reconcile/gitlab_housekeeping.py

@@ -6,7 +6,6 @@ from collections.abc import (
 from contextlib import suppress
 from dataclasses import dataclass
 from datetime import (
-    UTC,
     datetime,
     timedelta,
 )
@@ -30,6 +29,7 @@ from sretoolbox.utils import retry
 
 from reconcile import queries
 from reconcile.change_owners.change_types import ChangeTypePriority
+from reconcile.utils.datetime_util import ensure_utc, from_utc_iso_format, utc_now
 from reconcile.utils.gitlab_api import (
     GitLabApi,
     MRState,
@@ -72,7 +72,6 @@ HOLD_LABELS = [
 ]
 
 QONTRACT_INTEGRATION = "gitlab-housekeeping"
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
 EXPIRATION_DATE_FORMAT = "%Y-%m-%d"
 SQUASH_OPTION_ALWAYS = "always"
 
@@ -128,9 +127,7 @@ def _calculate_time_since_approval(approved_at: str) -> float:
     Returns the number of minutes since a MR has been approved.
     :param approved_at: the datetime the MR was approved in format %Y-%m-%dT%H:%M:%S.%fZ
     """
-    time_since_approval = datetime.utcnow() - datetime.strptime(
-        approved_at, DATE_FORMAT
-    )
+    time_since_approval = utc_now() - from_utc_iso_format(approved_at)
     return time_since_approval.total_seconds() / 60
 
 
@@ -138,7 +135,7 @@ def get_timed_out_pipelines(
     pipelines: list[ProjectMergeRequestPipeline],
     pipeline_timeout: int = 60,
 ) -> list[ProjectMergeRequestPipeline]:
-    now = datetime.utcnow()
+    now = utc_now()
 
     pending_pipelines = [
         p
@@ -152,7 +149,7 @@ def get_timed_out_pipelines(
     timed_out_pipelines = []
 
     for p in pending_pipelines:
-        update_time = datetime.strptime(p.updated_at, DATE_FORMAT)
+        update_time = from_utc_iso_format(p.updated_at)
 
         elapsed = (now - update_time).total_seconds()
 
@@ -279,7 +276,7 @@ def handle_stale_items(
 ) -> None:
     LABEL = "stale"  # noqa: N806
 
-    now = datetime.utcnow()
+    now = utc_now()
     for item in items:
         if AUTO_MERGE in item.labels:
             if item.merge_status == MRStatus.UNCHECKED:
@@ -287,7 +284,7 @@ def handle_stale_items(
                 item = gl.get_merge_request(item.iid)
             if item.merge_status == MRStatus.CANNOT_BE_MERGED:
                 close_item(dry_run, gl, enable_closing, item_type, item)
-        update_date = datetime.strptime(item.updated_at, DATE_FORMAT)
+        update_date = from_utc_iso_format(item.updated_at)
 
         # if item is over days_interval
         current_interval = now.date() - update_date.date()
@@ -315,10 +312,9 @@ def handle_stale_items(
             if not cancel_notes:
                 continue
 
-            cancel_notes_dates = [
-                datetime.strptime(item.updated_at, DATE_FORMAT) for note in cancel_notes
-            ]
-            latest_cancel_note_date = max(d for d in cancel_notes_dates)
+            latest_cancel_note_date = max(
+                from_utc_iso_format(note.updated_at) for note in cancel_notes
+            )
             # if the latest cancel note is under
             # days_interval - remove 'stale' label
             current_interval = now.date() - latest_cancel_note_date.date()
@@ -653,8 +649,10 @@ def publish_access_token_expiration_metrics(gl: GitLabApi) -> None:
 
     for pat in pats:
         if pat.active:
-            expiration_date = datetime.strptime(pat.expires_at, EXPIRATION_DATE_FORMAT)
-            days_until_expiration = expiration_date.date() - datetime.now(UTC).date()
+            expiration_date = ensure_utc(
+                datetime.strptime(pat.expires_at, EXPIRATION_DATE_FORMAT)  # noqa: DTZ007
+            )
+            days_until_expiration = expiration_date.date() - utc_now().date()
             gitlab_token_expiration.labels(pat.name).set(days_until_expiration.days)
         else:
             with suppress(KeyError, ValueError):

reconcile/gitlab_mr_sqs_consumer.py

@@ -2,7 +2,6 @@
 SQS Consumer to create Gitlab merge requests.
 """
 
-import json
 import logging
 import sys
 from collections.abc import Callable
@@ -11,6 +10,7 @@ from reconcile import queries
 from reconcile.utils import mr
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.json import json_dumps
 from reconcile.utils.secret_reader import SecretReader
 from reconcile.utils.sqs_gateway import SQSGateway
 
@@ -51,7 +51,7 @@ def run(dry_run: str, gitlab_project_id: str, defer: Callable | None = None) ->
         for m in messages:
             receipt_handle, body = m[0], m[1]
             logging.info(
-                "received message %s with body %s", receipt_handle[:6], json.dumps(body)
+                "received message %s with body %s", receipt_handle[:6], json_dumps(body)
             )
 
             if not dry_run:

reconcile/gitlab_owners.py

@@ -2,12 +2,12 @@ import logging
 from collections.abc import Callable, Mapping
 from typing import Any
 
-from dateutil import parser as dateparser
 from gitlab.v4.objects import ProjectMergeRequest
 from sretoolbox.utils import threaded
 
 from reconcile import queries
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.datetime_util import from_utc_iso_format
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import (
     GitLabApi,
@@ -49,12 +49,14 @@ class MRApproval:
         self.dry_run = dry_run
         self.persistent_lgtm = persistent_lgtm
 
-        # Get the date of the most recent commit (top commit) in the MR, but avoid comparing against None
-        self.top_commit_created_at = dateparser.parse("2000-01-01")
-        commits = self.mr.commits()
-        if commits:
-            top_commit = next(commits)
-            self.top_commit_created_at = dateparser.parse(top_commit.created_at)
+        # Get the date of the most recent commit (top commit) in the MR
+        self.top_commit_created_at = next(
+            (
+                from_utc_iso_format(commit.created_at)
+                for commit in merge_request.commits()
+            ),
+            None,
+        )
 
     def get_change_owners_map(self) -> dict[str, dict[str, list[str]]]:
         """
@@ -95,9 +97,10 @@ class MRApproval:
 
             # Only interested in comments created after the top commit
             # creation time
-            comment_created_at = dateparser.parse(comment.created_at)
+            comment_created_at = from_utc_iso_format(comment.created_at)
             if (
-                comment_created_at < self.top_commit_created_at
+                self.top_commit_created_at is not None
+                and comment_created_at < self.top_commit_created_at
                 and not self.persistent_lgtm
             ):
                 continue
@@ -185,9 +188,10 @@ class MRApproval:
             # If the comment was created before the last commit,
             # it means we had a push after the comment. In this case,
             # we delete the comment and move on.
-            comment_created_at = dateparser.parse(comment.created_at)
+            comment_created_at = from_utc_iso_format(comment.created_at)
             if (
-                comment_created_at < self.top_commit_created_at
+                self.top_commit_created_at is not None
+                and comment_created_at < self.top_commit_created_at
                 and comment.note is not None
             ):
                 # Deleting stale comments

reconcile/gql_definitions/automated_actions/instance.py

@@ -132,6 +132,21 @@ query AutomatedActionsInstances {
           identifier
         }
       }
+      ... on AutomatedActionOpenshiftTriggerCronjob_v1 {
+        openshift_trigger_cronjob_arguments: arguments {
+          namespace {
+            name
+            delete
+            cluster {
+              name
+              disable {
+                integrations
+              }
+            }
+          }
+          cronjob
+        }
+      }
       ... on AutomatedActionOpenshiftWorkloadDelete_v1 {
         openshift_workload_delete_arguments: arguments {
           namespace {
@@ -297,11 +312,35 @@ class DisableClusterAutomationsV1(ConfiguredBaseModel):
     integrations: Optional[list[str]] = Field(..., alias="integrations")
 
 
-class AutomatedActionOpenshiftWorkloadDeleteArgumentV1_NamespaceV1_ClusterV1(ConfiguredBaseModel):
+class AutomatedActionOpenshiftTriggerCronjobArgumentV1_NamespaceV1_ClusterV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
 
 
+class AutomatedActionOpenshiftTriggerCronjobArgumentV1_NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    delete: Optional[bool] = Field(..., alias="delete")
+    cluster: AutomatedActionOpenshiftTriggerCronjobArgumentV1_NamespaceV1_ClusterV1 = Field(..., alias="cluster")
+
+
+class AutomatedActionOpenshiftTriggerCronjobArgumentV1(ConfiguredBaseModel):
+    namespace: AutomatedActionOpenshiftTriggerCronjobArgumentV1_NamespaceV1 = Field(..., alias="namespace")
+    cronjob: str = Field(..., alias="cronjob")
+
+
+class AutomatedActionOpenshiftTriggerCronjobV1(AutomatedActionV1):
+    openshift_trigger_cronjob_arguments: list[AutomatedActionOpenshiftTriggerCronjobArgumentV1] = Field(..., alias="openshift_trigger_cronjob_arguments")
+
+
+class AutomatedActionOpenshiftWorkloadDeleteArgumentV1_NamespaceV1_ClusterV1_DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
+class AutomatedActionOpenshiftWorkloadDeleteArgumentV1_NamespaceV1_ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    disable: Optional[AutomatedActionOpenshiftWorkloadDeleteArgumentV1_NamespaceV1_ClusterV1_DisableClusterAutomationsV1] = Field(..., alias="disable")
+
+
 class AutomatedActionOpenshiftWorkloadDeleteArgumentV1_NamespaceV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     delete: Optional[bool] = Field(..., alias="delete")
@@ -347,7 +386,7 @@ class AutomatedActionOpenshiftWorkloadRestartV1(AutomatedActionV1):
 class AutomatedActionsInstanceV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     deployment: NamespaceV1 = Field(..., alias="deployment")
-    actions: Optional[list[Union[AutomatedActionActionListV1, AutomatedActionExternalResourceFlushElastiCacheV1, AutomatedActionExternalResourceRdsRebootV1, AutomatedActionExternalResourceRdsSnapshotV1, AutomatedActionOpenshiftWorkloadDeleteV1, AutomatedActionOpenshiftWorkloadRestartV1, AutomatedActionV1]]] = Field(..., alias="actions")
+    actions: Optional[list[Union[AutomatedActionActionListV1, AutomatedActionExternalResourceFlushElastiCacheV1, AutomatedActionExternalResourceRdsRebootV1, AutomatedActionExternalResourceRdsSnapshotV1, AutomatedActionOpenshiftTriggerCronjobV1, AutomatedActionOpenshiftWorkloadDeleteV1, AutomatedActionOpenshiftWorkloadRestartV1, AutomatedActionV1]]] = Field(..., alias="actions")
 
 
 class AutomatedActionsInstancesQueryData(ConfiguredBaseModel):

reconcile/gql_definitions/aws_ami_cleanup/aws_accounts.py

@@ -51,6 +51,16 @@ fragment AWSAccountCommon on AWSAccount_v1 {
   deleteKeys
   premiumSupport
   partition
+  organization {
+    ...AWSOrganization
+  }
+}
+
+fragment AWSOrganization on AWSOrganization_v1 {
+  payerAccount {
+    organizationAccountTags
+  }
+  tags
 }
 
 fragment TerraformState on TerraformStateAWS_v1 {

reconcile/gql_definitions/aws_cloudwatch_log_retention/aws_accounts.py

@@ -17,43 +17,38 @@ from pydantic import (  # noqa: F401 # pylint: disable=W0611
     Json,
 )
 
+from reconcile.gql_definitions.fragments.aws_organization import AWSOrganization
+from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
+
 
 DEFINITION = """
+fragment AWSOrganization on AWSOrganization_v1 {
+  payerAccount {
+    organizationAccountTags
+  }
+  tags
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+  path
+  field
+  version
+  format
+}
+
 query AWSAccountsCloudwatchLogRetentionCleanup {
   accounts: awsaccounts_v1 {
-    path
     name
-    uid
-    terraformUsername
-    consoleUrl
     resourcesDefaultRegion
-    supportedDeploymentRegions
-    providerVersion
-    accountOwners {
-      name
-      email
-    }
     automationToken {
-      path
-      field
-      version
-      format
-    }
-    enableDeletion
-    deletionApprovals {
-      type
-      name
-      expiration
+      ...VaultSecret
     }
     disable {
       integrations
     }
-    deleteKeys
-    premiumSupport
-    ecrs {
-      region
+    organization {
+      ...AWSOrganization
     }
-    partition
     cleanup {
       provider
       ... on AWSAccountCleanupOptionCloudWatch_v1 {
@@ -74,32 +69,10 @@ class ConfiguredBaseModel(BaseModel):
         extra=Extra.forbid
 
 
-class OwnerV1(ConfiguredBaseModel):
-    name: str = Field(..., alias="name")
-    email: str = Field(..., alias="email")
-
-
-class VaultSecretV1(ConfiguredBaseModel):
-    path: str = Field(..., alias="path")
-    field: str = Field(..., alias="field")
-    version: Optional[int] = Field(..., alias="version")
-    q_format: Optional[str] = Field(..., alias="format")
-
-
-class DeletionApprovalV1(ConfiguredBaseModel):
-    q_type: str = Field(..., alias="type")
-    name: str = Field(..., alias="name")
-    expiration: str = Field(..., alias="expiration")
-
-
 class DisableClusterAutomationsV1(ConfiguredBaseModel):
     integrations: Optional[list[str]] = Field(..., alias="integrations")
 
 
-class AWSECRV1(ConfiguredBaseModel):
-    region: str = Field(..., alias="region")
-
-
 class AWSAccountCleanupOptionV1(ConfiguredBaseModel):
     provider: str = Field(..., alias="provider")
 
@@ -112,23 +85,11 @@ class AWSAccountCleanupOptionCloudWatchV1(AWSAccountCleanupOptionV1):
 
 
 class AWSAccountV1(ConfiguredBaseModel):
-    path: str = Field(..., alias="path")
     name: str = Field(..., alias="name")
-    uid: str = Field(..., alias="uid")
-    terraform_username: Optional[str] = Field(..., alias="terraformUsername")
-    console_url: str = Field(..., alias="consoleUrl")
     resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
-    supported_deployment_regions: Optional[list[str]] = Field(..., alias="supportedDeploymentRegions")
-    provider_version: str = Field(..., alias="providerVersion")
-    account_owners: list[OwnerV1] = Field(..., alias="accountOwners")
-    automation_token: VaultSecretV1 = Field(..., alias="automationToken")
-    enable_deletion: Optional[bool] = Field(..., alias="enableDeletion")
-    deletion_approvals: Optional[list[DeletionApprovalV1]] = Field(..., alias="deletionApprovals")
+    automation_token: VaultSecret = Field(..., alias="automationToken")
     disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
-    delete_keys: Optional[list[str]] = Field(..., alias="deleteKeys")
-    premium_support: bool = Field(..., alias="premiumSupport")
-    ecrs: Optional[list[AWSECRV1]] = Field(..., alias="ecrs")
-    partition: Optional[str] = Field(..., alias="partition")
+    organization: Optional[AWSOrganization] = Field(..., alias="organization")
     cleanup: Optional[list[Union[AWSAccountCleanupOptionCloudWatchV1, AWSAccountCleanupOptionV1]]] = Field(..., alias="cleanup")
 
 

reconcile/gql_definitions/aws_saml_idp/aws_accounts.py

@@ -51,6 +51,16 @@ fragment AWSAccountCommon on AWSAccount_v1 {
   deleteKeys
   premiumSupport
   partition
+  organization {
+    ...AWSOrganization
+  }
+}
+
+fragment AWSOrganization on AWSOrganization_v1 {
+  payerAccount {
+    organizationAccountTags
+  }
+  tags
 }
 
 fragment TerraformState on TerraformStateAWS_v1 {

reconcile/gql_definitions/aws_saml_roles/aws_accounts.py

@@ -51,6 +51,16 @@ fragment AWSAccountCommon on AWSAccount_v1 {
   deleteKeys
   premiumSupport
   partition
+  organization {
+    ...AWSOrganization
+  }
+}
+
+fragment AWSOrganization on AWSOrganization_v1 {
+  payerAccount {
+    organizationAccountTags
+  }
+  tags
 }
 
 fragment TerraformState on TerraformStateAWS_v1 {

reconcile/gql_definitions/common/aws_vpc_requests.py

@@ -21,6 +21,13 @@ from reconcile.gql_definitions.fragments.aws_vpc_request import VPCRequest
 
 
 DEFINITION = """
+fragment AWSOrganization on AWSOrganization_v1 {
+  payerAccount {
+    organizationAccountTags
+  }
+  tags
+}
+
 fragment TerraformState on TerraformStateAWS_v1 {
   provider
   bucket
@@ -53,6 +60,9 @@ fragment VPCRequest on VPCRequest_v1 {
       name
       expiration
     }
+    organization {
+      ...AWSOrganization
+    }
   }
   region
   cidr_block {

reconcile/gql_definitions/common/clusters.py

@@ -207,6 +207,7 @@ query Clusters($name: String) {
       private
       provision_shard_id
       disable_user_workload_monitoring
+      fips
     }
     externalConfiguration {
       labels
@@ -419,6 +420,7 @@ class ClusterSpecV1(ConfiguredBaseModel):
     private: bool = Field(..., alias="private")
     provision_shard_id: Optional[str] = Field(..., alias="provision_shard_id")
     disable_user_workload_monitoring: Optional[bool] = Field(..., alias="disable_user_workload_monitoring")
+    fips: Optional[bool] = Field(..., alias="fips")
 
 
 class ClusterSpecOSDV1(ClusterSpecV1):