qontract-reconcile 0.10.2.dev349__py3-none-any.whl → 0.10.2.dev414__py3-none-any.whl

reconcile/external_resources/model.py

@@ -1,5 +1,4 @@
 import hashlib
-import json
 from abc import (
     ABC,
 )
@@ -23,6 +22,7 @@ from reconcile.gql_definitions.external_resources.external_resources_namespaces
     NamespaceTerraformResourceElastiCacheV1,
     NamespaceTerraformResourceKMSV1,
     NamespaceTerraformResourceMskV1,
+    NamespaceTerraformResourceRDSProxyV1,
     NamespaceTerraformResourceRDSV1,
     NamespaceV1,
 )
@@ -37,6 +37,7 @@ from reconcile.utils.exceptions import FetchResourceError
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
 )
+from reconcile.utils.json import json_dumps
 
 
 class ExternalResourceOrphanedResourcesError(Exception):
@@ -88,9 +89,7 @@ class ExternalResourceKey(BaseModel, frozen=True):
         )
 
     def hash(self) -> str:
-        return hashlib.md5(
-            json.dumps(self.dict(), sort_keys=True).encode("utf-8")
-        ).hexdigest()
+        return hashlib.md5(json_dumps(self.model_dump()).encode("utf-8")).hexdigest()
 
     @property
     def state_path(self) -> str:
@@ -104,6 +103,7 @@ SUPPORTED_RESOURCE_TYPES = (
     | NamespaceTerraformResourceElastiCacheV1
     | NamespaceTerraformResourceKMSV1
     | NamespaceTerraformResourceCloudWatchV1
+    | NamespaceTerraformResourceRDSProxyV1
 )
 
 
@@ -115,7 +115,9 @@ class ExternalResourcesInventory(MutableMapping):
             (rp, ns)
             for ns in namespaces
             for rp in ns.external_resources or []
-            if isinstance(rp, SUPPORTED_RESOURCE_PROVIDERS) and rp.resources
+            if isinstance(rp, SUPPORTED_RESOURCE_PROVIDERS)
+            and rp.resources
+            and ns.managed_external_resources
         ]
 
         desired_specs = [
@@ -136,17 +138,17 @@ class ExternalResourcesInventory(MutableMapping):
     ) -> ExternalResourceSpec:
         spec = ExternalResourceSpec(
             provision_provider=provider.provider,
-            provisioner=provider.provisioner.dict(),
-            resource=resource.dict(
+            provisioner=provider.provisioner.model_dump(),
+            resource=resource.model_dump(
                 exclude={
                     FLAG_RESOURCE_MANAGED_BY_ERV2,
                     FLAG_DELETE_RESOURCE,
                     MODULE_OVERRIDES,
                 }
             ),
-            namespace=namespace.dict(),
+            namespace=namespace.model_dump(by_alias=True),
         )
-        spec.metadata[FLAG_DELETE_RESOURCE] = resource.delete
+        spec.metadata[FLAG_DELETE_RESOURCE] = resource.delete or namespace.delete
         spec.metadata[MODULE_OVERRIDES] = resource.module_overrides
         return spec
 
@@ -385,7 +387,7 @@ class Reconciliation(BaseModel, frozen=True):
     )
     # linked_resources store dependants resources. They will get reconciled
     # every time the parent resource reconciliation finishes.
-    linked_resources: frozenset[ExternalResourceKey] | None
+    linked_resources: frozenset[ExternalResourceKey] | None = None
 
 
 class ReconcileAction(StrEnum):
@@ -438,6 +440,4 @@ class ExternalResource(BaseModel):
     provision: ExternalResourceProvision
 
     def hash(self) -> str:
-        return hashlib.md5(
-            json.dumps(self.data, sort_keys=True).encode("utf-8")
-        ).hexdigest()
+        return hashlib.sha256(json_dumps(self.data).encode("utf-8")).hexdigest()

reconcile/external_resources/reconciler.py

@@ -70,10 +70,13 @@ class ReconciliationK8sJob(K8sJob, BaseModel, frozen=True):
     dry_run_suffix: str = ""
 
     def name_prefix(self) -> str:
+        identifier = (
+            f"{self.reconciliation.key.provider}-{self.reconciliation.key.identifier}"
+        )
         if self.is_dry_run:
-            return f"er-dry-run-mr-{self.dry_run_suffix}"
+            return f"er-dry-run-mr-{self.dry_run_suffix}-{identifier}"
         else:
-            return "er"
+            return f"er-{identifier}"
 
     def unit_of_work_identity(self) -> Any:
         return self.reconciliation.key
@@ -96,10 +99,10 @@ class ReconciliationK8sJob(K8sJob, BaseModel, frozen=True):
             image=self.reconciliation.module_configuration.image_version,
             image_pull_policy="Always",
             resources=V1ResourceRequirements(
-                requests=self.reconciliation.module_configuration.resources.requests.dict(
+                requests=self.reconciliation.module_configuration.resources.requests.model_dump(
                     exclude_none=True
                 ),
-                limits=self.reconciliation.module_configuration.resources.limits.dict(
+                limits=self.reconciliation.module_configuration.resources.limits.model_dump(
                     exclude_none=True
                 ),
             ),

reconcile/external_resources/secrets_sync.py

@@ -3,7 +3,6 @@ import json
 import logging
 from abc import abstractmethod
 from collections.abc import Iterable, Mapping
-from datetime import UTC, datetime
 from hashlib import shake_128
 from typing import Any
 
@@ -18,17 +17,18 @@ from reconcile.external_resources.meta import (
     SECRET_ANN_PROVISION_PROVIDER,
     SECRET_ANN_PROVISIONER,
     SECRET_UPDATED_AT,
-    SECRET_UPDATED_AT_TIMEFORMAT,
 )
 from reconcile.external_resources.model import (
     ExternalResourceKey,
 )
 from reconcile.openshift_base import ApplyOptions, apply_action
 from reconcile.typed_queries.clusters_minimal import get_clusters_minimal
+from reconcile.utils.datetime_util import to_utc_seconds_iso_format, utc_now
 from reconcile.utils.differ import diff_mappings
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
 )
+from reconcile.utils.json import json_dumps
 from reconcile.utils.oc import (
     OCCli,
 )
@@ -46,8 +46,8 @@ class VaultSecret(BaseModel):
 
     path: str
     field: str
-    version: int | None
-    q_format: str | None
+    version: int | None = None
+    q_format: str | None = None
 
 
 class SecretHelper:
@@ -154,7 +154,7 @@ class SecretsReconciler:
         annotations[SECRET_ANN_PROVIDER] = spec.provider
         annotations[SECRET_ANN_IDENTIFIER] = spec.identifier
         annotations[SECRET_UPDATED_AT] = spec.metadata[SECRET_UPDATED_AT]
-        spec.resource["annotations"] = json.dumps(annotations)
+        spec.resource["annotations"] = json_dumps(annotations)
 
     def _specs_with_secret(
         self,
@@ -351,9 +351,7 @@ class InClusterSecretsReconciler(SecretsReconciler):
             secret_name = secret["metadata"]["name"]
             spec = secrets_map[secret_name]
             spec.secret = self.output_secrets_formatter.format(secret["data"])
-            spec.metadata[SECRET_UPDATED_AT] = datetime.now(UTC).strftime(
-                SECRET_UPDATED_AT_TIMEFORMAT
-            )
+            spec.metadata[SECRET_UPDATED_AT] = to_utc_seconds_iso_format(utc_now())
 
     def _delete_source_secret(self, spec: ExternalResourceSpec) -> None:
         secret_name = self._get_spec_outputs_secret_name(spec)

reconcile/external_resources/state.py

@@ -1,7 +1,9 @@
+import json
 import logging
 from collections.abc import Mapping
-from datetime import UTC, datetime
+from datetime import datetime
 from enum import StrEnum
+from hashlib import sha256
 from typing import Any
 
 from pydantic import BaseModel
@@ -16,6 +18,8 @@ from reconcile.external_resources.model import (
     ResourceStatus,
 )
 from reconcile.utils.aws_api_typed.api import AWSApi
+from reconcile.utils.datetime_util import to_utc_microseconds_iso_format, utc_now
+from reconcile.utils.json import json_dumps
 
 DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
 
@@ -41,7 +45,7 @@ class ExternalResourceState(BaseModel):
         self, reconciliation_status: ReconciliationStatus
     ) -> None:
         if self.reconciliation_needs_state_update(reconciliation_status):
-            self.ts = datetime.now()
+            self.ts = utc_now()
             self.resource_status = reconciliation_status.resource_status
 
     def reconciliation_needs_state_update(
@@ -169,8 +173,8 @@ class DynamoDBStateAdapter:
 
     def serialize(self, state: ExternalResourceState) -> dict[str, Any]:
         return {
-            self.ER_KEY_HASH: {"S": state.key.hash()},
-            self.TIMESTAMP: {"S": state.ts.isoformat()},
+            self.ER_KEY_HASH: {"S": state.key.state_path},
+            self.TIMESTAMP: {"S": to_utc_microseconds_iso_format(state.ts)},
             self.RESOURCE_STATUS: {"S": state.resource_status.value},
             self.ER_KEY: {
                 "M": {
@@ -258,24 +262,63 @@ class ExternalResourcesStateDynamoDB:
         self._table = table_name
         self.partial_resources = self._get_partial_resources()
 
+    def _new_sha256_hash(self, item: dict) -> str:
+        resource_json = item[self.adapter.RECONC]["M"][self.adapter.RECONC_INPUT]["S"]
+        resource_dict = json.loads(resource_json)
+        data = resource_dict["data"]
+        return sha256(json_dumps(data).encode("utf-8")).hexdigest()
+
     def get_external_resource_state(
-        self, key: ExternalResourceKey
+        self,
+        key: ExternalResourceKey,
+        enable_migration: bool = False,
     ) -> ExternalResourceState:
         data = self.aws_api.dynamodb.boto3_client.get_item(
             TableName=self._table,
             ConsistentRead=True,
-            Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
+            Key={self.adapter.ER_KEY_HASH: {"S": key.state_path}},
         )
-        if "Item" in data:
+        item = data.get("Item")
+        if item:
             return self.adapter.deserialize(data["Item"])
-        else:
-            return ExternalResourceState(
-                key=key,
-                ts=datetime.now(UTC),
-                resource_status=ResourceStatus.NOT_EXISTS,
-                reconciliation=Reconciliation(key=key),
-                reconciliation_errors=0,
-            )
+
+        old_data = self.aws_api.dynamodb.boto3_client.get_item(
+            TableName=self._table,
+            ConsistentRead=True,
+            Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
+        )
+        old_item = old_data.get("Item")
+        if old_item:
+            old_item[self.adapter.ER_KEY_HASH]["S"] = key.state_path
+            old_item[self.adapter.RECONC]["M"][self.adapter.RECONC_RESOURCE_HASH][
+                "S"
+            ] = self._new_sha256_hash(old_item)
+            if enable_migration:
+                self.aws_api.dynamodb.boto3_client.transact_write_items(
+                    TransactItems=[
+                        {
+                            "Put": {
+                                "TableName": self._table,
+                                "Item": old_item,
+                            }
+                        },
+                        {
+                            "Delete": {
+                                "TableName": self._table,
+                                "Key": {self.adapter.ER_KEY_HASH: {"S": key.hash()}},
+                            }
+                        },
+                    ]
+                )
+            return self.adapter.deserialize(old_item)
+
+        return ExternalResourceState(
+            key=key,
+            ts=utc_now(),
+            resource_status=ResourceStatus.NOT_EXISTS,
+            reconciliation=Reconciliation(key=key),
+            reconciliation_errors=0,
+        )
 
     def set_external_resource_state(
         self,
@@ -288,7 +331,7 @@ class ExternalResourcesStateDynamoDB:
     def del_external_resource_state(self, key: ExternalResourceKey) -> None:
         self.aws_api.dynamodb.boto3_client.delete_item(
             TableName=self._table,
-            Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
+            Key={self.adapter.ER_KEY_HASH: {"S": key.state_path}},
         )
 
     def _get_partial_resources(
@@ -330,7 +373,7 @@ class ExternalResourcesStateDynamoDB:
     ) -> None:
         self.aws_api.dynamodb.boto3_client.update_item(
             TableName=self._table,
-            Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
+            Key={self.adapter.ER_KEY_HASH: {"S": key.state_path}},
             UpdateExpression="set resource_status=:new_value",
             ExpressionAttributeValues={":new_value": {"S": status.value}},
             ReturnValues="UPDATED_NEW",

reconcile/fleet_labeler/integration.py

@@ -58,7 +58,7 @@ class FleetLabelerIntegration(QontractReconcileIntegration[NoParams]):
         """Return the desired state for early exit."""
         return {
             "version": QONTRACT_INTEGRATION_VERSION,
-            "specs": {spec.name: spec.dict() for spec in get_fleet_label_specs()},
+            "specs": {spec.name: spec.model_dump() for spec in get_fleet_label_specs()},
         }
 
     def run(self, dry_run: bool) -> None:

reconcile/gabi_authorized_users.py

@@ -1,4 +1,3 @@
-import json
 import logging
 import sys
 from collections.abc import (
@@ -17,9 +16,11 @@ from reconcile import queries
 from reconcile.status import ExitCodes
 from reconcile.utils.aggregated_list import RunnerError
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.datetime_util import ensure_utc, utc_now
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.external_resources import get_external_resource_specs
+from reconcile.utils.json import json_dumps
 from reconcile.utils.openshift_resource import (
     OpenshiftResource,
     ResourceInventory,
@@ -39,12 +40,12 @@ def construct_gabi_oc_resource(
         "kind": "ConfigMap",
         "metadata": {"name": name, "annotations": {"qontract.recycle": "true"}},
         "data": {
-            "config.json": json.dumps(
+            "config.json": json_dumps(
                 {
                     "expiration": str(expiration_date),
                     "users": users,
                 },
-                separators=(",", ":"),
+                compact=True,
             ),
         },
     }
@@ -65,8 +66,10 @@ def fetch_desired_state(
     gabi_instances: Iterable[Mapping], ri: ResourceInventory
 ) -> None:
     for g in gabi_instances:
-        expiration_date = datetime.strptime(g["expirationDate"], "%Y-%m-%d").date()
-        if (expiration_date - date.today()).days > EXPIRATION_DAYS_MAX:
+        expiration_date = ensure_utc(
+            datetime.strptime(g["expirationDate"], "%Y-%m-%d")  # noqa: DTZ007
+        ).date()
+        if (expiration_date - utc_now().date()).days > EXPIRATION_DAYS_MAX:
             raise RunnerError(
                 f"The maximum expiration date of {g['name']} shall not "
                 f"exceed {EXPIRATION_DAYS_MAX} days from today"

reconcile/gcp_image_mirror.py

@@ -132,7 +132,7 @@ class QuayMirror:
             mirror_creds = None
             pull_credentials = item.mirror.pull_credentials
             if pull_credentials:
-                raw_data = self.secret_reader.read_all(pull_credentials.dict())
+                raw_data = self.secret_reader.read_all(pull_credentials.model_dump())
                 username = raw_data["user"]
                 password = raw_data["token"]
                 mirror_creds = f"{username}:{password}"
@@ -226,7 +226,7 @@ class QuayMirror:
         return False
 
     def _decode_push_secret(self, secret: VaultSecret) -> str:
-        raw_data = self.secret_reader.read_all(secret.dict())
+        raw_data = self.secret_reader.read_all(secret.model_dump())
         token = base64.b64decode(raw_data["token"]).decode()
         return f"{raw_data['user']}:{token}"
 

reconcile/github_org.py

@@ -144,7 +144,7 @@ def get_org_and_teams(
 
 
 @retry()
-def get_members(unit: Organization) -> list[str]:
+def get_members(unit: Organization | Team) -> list[str]:
     return [member.login for member in unit.get_members()]
 
 

reconcile/github_owners.py

@@ -2,6 +2,7 @@ import logging
 import os
 
 import github
+import github.NamedUser
 from github import Github
 from sretoolbox.utils import retry
 
@@ -100,4 +101,7 @@ def run(dry_run: bool) -> None:
 
                 if not dry_run:
                     gh_user = gh.get_user(github_username)
+                    assert isinstance(
+                        gh_user, github.NamedUser.NamedUser
+                    )  # make mypy happy
                     gh_org.add_to_members(gh_user, "admin")

reconcile/gitlab_housekeeping.py

@@ -6,7 +6,6 @@ from collections.abc import (
 from contextlib import suppress
 from dataclasses import dataclass
 from datetime import (
-    UTC,
     datetime,
     timedelta,
 )
@@ -30,6 +29,7 @@ from sretoolbox.utils import retry
 
 from reconcile import queries
 from reconcile.change_owners.change_types import ChangeTypePriority
+from reconcile.utils.datetime_util import ensure_utc, from_utc_iso_format, utc_now
 from reconcile.utils.gitlab_api import (
     GitLabApi,
     MRState,
@@ -72,7 +72,6 @@ HOLD_LABELS = [
 ]
 
 QONTRACT_INTEGRATION = "gitlab-housekeeping"
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
 EXPIRATION_DATE_FORMAT = "%Y-%m-%d"
 SQUASH_OPTION_ALWAYS = "always"
 
@@ -128,9 +127,7 @@ def _calculate_time_since_approval(approved_at: str) -> float:
     Returns the number of minutes since a MR has been approved.
     :param approved_at: the datetime the MR was approved in format %Y-%m-%dT%H:%M:%S.%fZ
     """
-    time_since_approval = datetime.utcnow() - datetime.strptime(
-        approved_at, DATE_FORMAT
-    )
+    time_since_approval = utc_now() - from_utc_iso_format(approved_at)
     return time_since_approval.total_seconds() / 60
 
 
@@ -138,7 +135,7 @@ def get_timed_out_pipelines(
     pipelines: list[ProjectMergeRequestPipeline],
     pipeline_timeout: int = 60,
 ) -> list[ProjectMergeRequestPipeline]:
-    now = datetime.utcnow()
+    now = utc_now()
 
     pending_pipelines = [
         p
@@ -152,7 +149,7 @@ def get_timed_out_pipelines(
     timed_out_pipelines = []
 
     for p in pending_pipelines:
-        update_time = datetime.strptime(p.updated_at, DATE_FORMAT)
+        update_time = from_utc_iso_format(p.updated_at)
 
         elapsed = (now - update_time).total_seconds()
 
@@ -279,7 +276,7 @@ def handle_stale_items(
 ) -> None:
     LABEL = "stale"  # noqa: N806
 
-    now = datetime.utcnow()
+    now = utc_now()
     for item in items:
         if AUTO_MERGE in item.labels:
             if item.merge_status == MRStatus.UNCHECKED:
@@ -287,7 +284,7 @@ def handle_stale_items(
                 item = gl.get_merge_request(item.iid)
             if item.merge_status == MRStatus.CANNOT_BE_MERGED:
                 close_item(dry_run, gl, enable_closing, item_type, item)
-        update_date = datetime.strptime(item.updated_at, DATE_FORMAT)
+        update_date = from_utc_iso_format(item.updated_at)
 
         # if item is over days_interval
         current_interval = now.date() - update_date.date()
@@ -315,10 +312,9 @@ def handle_stale_items(
             if not cancel_notes:
                 continue
 
-            cancel_notes_dates = [
-                datetime.strptime(item.updated_at, DATE_FORMAT) for note in cancel_notes
-            ]
-            latest_cancel_note_date = max(d for d in cancel_notes_dates)
+            latest_cancel_note_date = max(
+                from_utc_iso_format(note.updated_at) for note in cancel_notes
+            )
             # if the latest cancel note is under
             # days_interval - remove 'stale' label
             current_interval = now.date() - latest_cancel_note_date.date()
@@ -653,8 +649,10 @@ def publish_access_token_expiration_metrics(gl: GitLabApi) -> None:
 
     for pat in pats:
         if pat.active:
-            expiration_date = datetime.strptime(pat.expires_at, EXPIRATION_DATE_FORMAT)
-            days_until_expiration = expiration_date.date() - datetime.now(UTC).date()
+            expiration_date = ensure_utc(
+                datetime.strptime(pat.expires_at, EXPIRATION_DATE_FORMAT)  # noqa: DTZ007
+            )
+            days_until_expiration = expiration_date.date() - utc_now().date()
             gitlab_token_expiration.labels(pat.name).set(days_until_expiration.days)
         else:
             with suppress(KeyError, ValueError):

reconcile/gitlab_members.py

@@ -44,19 +44,13 @@ class GitlabUser(BaseModel):
     access_level: int
 
 
-class CurrentStateSpec(BaseModel):
+class CurrentStateSpec(BaseModel, arbitrary_types_allowed=True):
     members: dict[str, GroupMember]
 
-    class Config:
-        arbitrary_types_allowed = True
 
-
-class DesiredStateSpec(BaseModel):
+class DesiredStateSpec(BaseModel, arbitrary_types_allowed=True):
     members: dict[str, GitlabUser]
 
-    class Config:
-        arbitrary_types_allowed = True
-
 
 CurrentState = dict[str, CurrentStateSpec]
 DesiredState = dict[str, DesiredStateSpec]
@@ -122,8 +116,8 @@ def build_desired_state_spec(
                     pagerduty_map,
                     get_username_method=lambda u: u.org_username,
                 )
-                for u in usernames_from_pagerduty:
-                    gu = GitlabUser(user=u, access_level=p_access_level)
+                for pu in usernames_from_pagerduty:
+                    gu = GitlabUser(user=pu, access_level=p_access_level)
                     add_or_update_user(desired_state_spec, gu)
     return desired_state_spec
 
@@ -239,6 +233,6 @@ def reconcile_gitlab_members(
 def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
     gqlapi = gql.get_api()
     return {
-        "instance": get_gitlab_instance(gqlapi.query).dict(),
-        "permissions": [p.dict() for p in get_permissions(gqlapi.query)],
+        "instance": get_gitlab_instance(gqlapi.query).model_dump(),
+        "permissions": [p.model_dump() for p in get_permissions(gqlapi.query)],
     }

reconcile/gitlab_mr_sqs_consumer.py

@@ -2,7 +2,6 @@
 SQS Consumer to create Gitlab merge requests.
 """
 
-import json
 import logging
 import sys
 from collections.abc import Callable
@@ -11,6 +10,7 @@ from reconcile import queries
 from reconcile.utils import mr
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.json import json_dumps
 from reconcile.utils.secret_reader import SecretReader
 from reconcile.utils.sqs_gateway import SQSGateway
 
@@ -51,7 +51,7 @@ def run(dry_run: str, gitlab_project_id: str, defer: Callable | None = None) ->
         for m in messages:
             receipt_handle, body = m[0], m[1]
             logging.info(
-                "received message %s with body %s", receipt_handle[:6], json.dumps(body)
+                "received message %s with body %s", receipt_handle[:6], json_dumps(body)
             )
 
             if not dry_run:

reconcile/gitlab_owners.py

@@ -2,12 +2,12 @@ import logging
 from collections.abc import Callable, Mapping
 from typing import Any
 
-from dateutil import parser as dateparser
 from gitlab.v4.objects import ProjectMergeRequest
 from sretoolbox.utils import threaded
 
 from reconcile import queries
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.datetime_util import from_utc_iso_format
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import (
     GitLabApi,
@@ -49,12 +49,14 @@ class MRApproval:
         self.dry_run = dry_run
         self.persistent_lgtm = persistent_lgtm
 
-        # Get the date of the most recent commit (top commit) in the MR, but avoid comparing against None
-        self.top_commit_created_at = dateparser.parse("2000-01-01")
-        commits = self.mr.commits()
-        if commits:
-            top_commit = next(commits)
-            self.top_commit_created_at = dateparser.parse(top_commit.created_at)
+        # Get the date of the most recent commit (top commit) in the MR
+        self.top_commit_created_at = next(
+            (
+                from_utc_iso_format(commit.created_at)
+                for commit in merge_request.commits()
+            ),
+            None,
+        )
 
     def get_change_owners_map(self) -> dict[str, dict[str, list[str]]]:
         """
@@ -95,9 +97,10 @@ class MRApproval:
 
             # Only interested in comments created after the top commit
             # creation time
-            comment_created_at = dateparser.parse(comment.created_at)
+            comment_created_at = from_utc_iso_format(comment.created_at)
             if (
-                comment_created_at < self.top_commit_created_at
+                self.top_commit_created_at is not None
+                and comment_created_at < self.top_commit_created_at
                 and not self.persistent_lgtm
             ):
                 continue
@@ -185,9 +188,10 @@ class MRApproval:
             # If the comment was created before the last commit,
             # it means we had a push after the comment. In this case,
             # we delete the comment and move on.
-            comment_created_at = dateparser.parse(comment.created_at)
+            comment_created_at = from_utc_iso_format(comment.created_at)
             if (
-                comment_created_at < self.top_commit_created_at
+                self.top_commit_created_at is not None
+                and comment_created_at < self.top_commit_created_at
                 and comment.note is not None
             ):
                 # Deleting stale comments

reconcile/gitlab_permissions.py

@@ -94,14 +94,6 @@ class GroupPermissionHandler:
         desired_state: dict[str, GroupSpec],
         current_state: dict[str, GroupSpec],
     ) -> None:
-        # gather list of app-interface managed repos
-        instance = queries.get_gitlab_instance()
-        managed_repos = {
-            f"{instance['url']}/{project_request['group']}/{r}"
-            for project_request in instance.get("projectRequests", [])
-            for r in project_request.get("projects", [])
-        }
-
         # get the diff data
         diff_data = diff_mappings(
             current=current_state,
@@ -112,11 +104,10 @@ class GroupPermissionHandler:
         errors: list[Exception] = []
         for repo in diff_data.add:
             project = self.gl.get_project(repo)
-            if not project and repo in managed_repos:
-                logging.info(
-                    f"New app-interface managed repository {repo} hasn't been created yet - skipping"
-                )
+            if not project:
+                logging.info(f"{repo} hasn't been created yet - skipping")
                 continue
+
             if not self.can_share_project(project):
                 errors.append(
                     GroupAccessLevelError(
@@ -136,8 +127,13 @@ class GroupPermissionHandler:
                     group_id=self.group.id,
                     access_level=self.access_level,
                 )
+
         for repo in diff_data.change:
             project = self.gl.get_project(repo)
+            if not project:
+                logging.info(f"{repo} hasn't been created yet - skipping")
+                continue
+
             if not self.can_share_project(project):
                 errors.append(
                     GroupAccessLevelError(