qontract-reconcile 0.10.2.dev361__py3-none-any.whl → 0.10.2.dev430__py3-none-any.whl

reconcile/aus/version_gates/sts_version_gate_handler.py

@@ -6,6 +6,7 @@ from reconcile.utils.ocm.base import OCMCluster, OCMVersionGate
 from reconcile.utils.ocm_base_client import OCMBaseClient
 from reconcile.utils.rosa.rosa_cli import RosaCliError
 from reconcile.utils.rosa.session import RosaSession
+from reconcile.utils.semver_helper import get_version_prefix
 
 GATE_LABEL = "api.openshift.com/gate-sts"
 
@@ -63,6 +64,24 @@ class STSGateHandler(GateHandler):
             )
             return False
 
+        return self.upgrade_rosa_roles(
+            cluster=cluster,
+            version_raw_id_prefix=gate.version_raw_id_prefix,
+            dry_run=dry_run,
+            ocm_api=ocm_api,
+            ocm_org_id=ocm_org_id,
+        )
+
+    def upgrade_rosa_roles(
+        self,
+        cluster: OCMCluster,
+        version_raw_id_prefix: str,
+        dry_run: bool,
+        ocm_api: OCMBaseClient,
+        ocm_org_id: str,
+    ) -> bool:
+        if not cluster.aws:
+            return False
         rosa = RosaSession(
             aws_account_id=cluster.aws.aws_account_id,
             aws_region=cluster.region.id,
@@ -83,7 +102,7 @@ class STSGateHandler(GateHandler):
                 )
             rosa.upgrade_account_roles(
                 role_prefix=account_role_prefix,
-                minor_version=gate.version_raw_id_prefix,
+                minor_version=version_raw_id_prefix,
                 channel_group=cluster.version.channel_group,
                 dry_run=dry_run,
             )
@@ -98,3 +117,37 @@ class STSGateHandler(GateHandler):
             e.write_logs_to_logger(logging.error)
             return False
         return True
+
+    def upgrade_rosa_roles_v2(
+        self,
+        cluster: OCMCluster,
+        upgrade_version: str,
+        dry_run: bool,
+        ocm_api: OCMBaseClient,
+        ocm_org_id: str,
+    ) -> bool:
+        if not cluster.aws:
+            return False
+        rosa = RosaSession(
+            aws_account_id=cluster.aws.aws_account_id,
+            aws_region=cluster.region.id,
+            aws_iam_role=self.aws_iam_role,
+            ocm_org_id=ocm_org_id,
+            ocm_api=ocm_api,
+            job_controller=self.job_controller,
+            image=self.rosa_job_image,
+            service_account=self.rosa_job_service_account,
+        )
+        policy_version = get_version_prefix(upgrade_version)
+        try:
+            rosa.upgrade_rosa_roles(
+                cluster_name=cluster.name,
+                upgrade_version=upgrade_version,
+                policy_version=policy_version,
+                dry_run=dry_run,
+            )
+        except RosaCliError as e:
+            logging.error(f"Failed to upgrade roles for cluster {cluster.name}: {e}")
+            e.write_logs_to_logger(logging.error)
+            return False
+        return True

reconcile/automated_actions/config/integration.py

@@ -7,7 +7,7 @@ from collections.abc import (
 from typing import Any
 
 import yaml
-from kubernetes.client import (  # type: ignore[attr-defined]
+from kubernetes.client import (
     ApiClient,
     V1ConfigMap,
     V1ObjectMeta,
@@ -20,6 +20,7 @@ from reconcile.gql_definitions.automated_actions.instance import (
     AutomatedActionExternalResourceFlushElastiCacheV1,
     AutomatedActionExternalResourceRdsRebootV1,
     AutomatedActionExternalResourceRdsSnapshotV1,
+    AutomatedActionOpenshiftTriggerCronjobV1,
     AutomatedActionOpenshiftWorkloadDeleteV1,
     AutomatedActionOpenshiftWorkloadRestartArgumentV1,
     AutomatedActionOpenshiftWorkloadRestartV1,
@@ -82,7 +83,7 @@ class AutomatedActionsConfigIntegration(
             query_func = gql.get_api().query
         return {
             "automated_actions_instances": [
-                c.dict() for c in self.get_automated_actions_instances(query_func)
+                c.model_dump() for c in self.get_automated_actions_instances(query_func)
             ]
         }
 
@@ -167,7 +168,7 @@ class AutomatedActionsConfigIntegration(
                 case AutomatedActionActionListV1():
                     # no special handling needed, just dump the values
                     parameters.extend(
-                        arg.dict(exclude_none=True, exclude_defaults=True)
+                        arg.model_dump(exclude_none=True, exclude_defaults=True)
                         for arg in action.action_list_arguments or []
                     )
                 case AutomatedActionExternalResourceFlushElastiCacheV1():
@@ -205,6 +206,17 @@ class AutomatedActionsConfigIntegration(
                                 "account": f"^{rds_snapshot_er.provisioner.name}$",
                                 "identifier": rds_snapshot_arg.identifier,
                             })
+                case AutomatedActionOpenshiftTriggerCronjobV1():
+                    parameters.extend(
+                        {
+                            # all parameter values are regexes in the OPA policy
+                            # therefore, cluster and namespace must be fixed to the current strings
+                            "cluster": f"^{arg.namespace.cluster.name}$",
+                            "namespace": f"^{arg.namespace.name}$",
+                            "cronjob": arg.cronjob,
+                        }
+                        for arg in action.openshift_trigger_cronjob_arguments
+                    )
                 case AutomatedActionOpenshiftWorkloadDeleteV1():
                     parameters.extend(
                         {
@@ -257,7 +269,7 @@ class AutomatedActionsConfigIntegration(
             {
                 "users": {user.username: sorted(user.roles) for user in users},
                 "roles": {
-                    role: [policy.dict() for policy in policies]
+                    role: [policy.model_dump() for policy in policies]
                     for role, policies in roles.items()
                 },
             },

reconcile/aws_account_manager/integration.py

@@ -1,5 +1,4 @@
 from collections.abc import Callable, Iterable
-from datetime import UTC, datetime
 from typing import Any
 
 import jinja2
@@ -26,6 +25,7 @@ from reconcile.typed_queries.gitlab_instances import get_gitlab_instances
 from reconcile.utils import gql, metrics
 from reconcile.utils.aws_api_typed.api import AWSApi, AWSStaticCredentials
 from reconcile.utils.aws_api_typed.iam import AWSAccessKey
+from reconcile.utils.datetime_util import utc_now
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.runtime.integration import (
@@ -42,14 +42,14 @@ QONTRACT_INTEGRATION_VERSION = make_semver(1, 0, 0)
 
 
 class AwsAccountMgmtIntegrationParams(PydanticRunParams):
-    account_name: str | None
+    account_name: str | None = None
     flavor: str
     organization_account_role: str = "OrganizationAccountAccessRole"
     default_tags: dict[str, str] = {}
     initial_user_name: str = "terraform"
     initial_user_policy_arn: str = "arn:aws:iam::aws:policy/AdministratorAccess"
     initial_user_secret_vault_path: str = (
-        "app-sre-v2/creds/terraform/{account_name}/config"
+        "app-sre-v2/creds/terraform/{account_name}/config"  # noqa: RUF027
     )
     # To avoid the accidental deletion of the resource file, explicitly set the
     # qontract.cli option in the integration extraArgs!
@@ -76,9 +76,9 @@ class AwsAccountMgmtIntegration(
             query_func, account_name=self.params.account_name
         )
         return {
-            "payer_accounts": [account.dict() for account in payer_accounts],
+            "payer_accounts": [account.model_dump() for account in payer_accounts],
             "non_organization_accounts": [
-                account.dict() for account in non_organization_accounts
+                account.model_dump() for account in non_organization_accounts
             ],
         }
 
@@ -98,10 +98,10 @@ class AwsAccountMgmtIntegration(
             lstrip_blocks=True,
             keep_trailing_newline=True,
         ).render({
-            "accountRequest": account_request.dict(by_alias=True),
+            "accountRequest": account_request.model_dump(by_alias=True),
             "uid": uid,
             "settings": settings,
-            "timestamp": int(datetime.now(tz=UTC).timestamp()),
+            "timestamp": int(utc_now().timestamp()),
         })
         return tmpl
 
@@ -187,7 +187,7 @@ class AwsAccountMgmtIntegration(
                     template=account_template,
                     account_request=account_request,
                     uid=uid,
-                    settings=self.params.dict(),
+                    settings=self.params.model_dump(),
                 ),
                 account_request_file_path=f"data/{account_request.path.strip('/')}",
             )

reconcile/aws_account_manager/reconciler.py

@@ -35,7 +35,7 @@ class Quota(Protocol):
     quota_code: str
     value: float
 
-    def dict(self) -> dict[str, Any]: ...
+    def model_dump(self) -> dict[str, Any]: ...
 
 
 class Contact(Protocol):
@@ -44,7 +44,7 @@ class Contact(Protocol):
     email: str
     phone_number: str
 
-    def dict(self) -> dict[str, Any]: ...
+    def model_dump(self) -> dict[str, Any]: ...
 
 
 class AWSReconciler:
@@ -167,7 +167,7 @@ class AWSReconciler:
         self, aws_api: AWSApi, name: str, quotas: Iterable[Quota]
     ) -> list[str] | None:
         """Request service quota changes."""
-        quotas_dict = [q.dict() for q in quotas]
+        quotas_dict = [q.model_dump() for q in quotas]
         with self.state.transaction(
             state_key(name, TASK_REQUEST_SERVICE_QUOTA)
         ) as _state:

reconcile/aws_ami_cleanup/integration.py

@@ -26,6 +26,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
 )
 from reconcile.utils import gql
 from reconcile.utils.aws_api import AWSApi
+from reconcile.utils.datetime_util import from_utc_iso_format, utc_now
 from reconcile.utils.defer import defer
 from reconcile.utils.parse_dhms_duration import dhms_to_seconds
 from reconcile.utils.secret_reader import create_secret_reader
@@ -39,15 +40,12 @@ QONTRACT_INTEGRATION = "aws_ami_cleanup"
 MANAGED_TAG = {"Key": "managed_by_integration", "Value": QONTRACT_INTEGRATION}
 
 
-class AWSAmi(BaseModel):
+class AWSAmi(BaseModel, frozen=True):
     name: str
     image_id: str
     creation_date: datetime
     snapshot_ids: list[str]
 
-    class Config:
-        frozen = True
-
 
 def get_aws_amis_from_launch_templates(ec2_client: EC2Client) -> set[str]:
     amis = set()
@@ -77,7 +75,7 @@ def get_aws_amis(
     owner: str,
     regex: str,
     age_in_seconds: int,
-    utc_now: datetime,
+    now: datetime,
 ) -> list[AWSAmi]:
     """Get amis that match regex older than given age"""
 
@@ -89,10 +87,8 @@ def get_aws_amis(
             if not re.search(pattern, image["Name"]):
                 continue
 
-            creation_date = datetime.strptime(
-                image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ"
-            )
-            current_delta = utc_now - creation_date
+            creation_date = from_utc_iso_format(image["CreationDate"])
+            current_delta = now - creation_date
             delete_delta = timedelta(seconds=age_in_seconds)
 
             if current_delta < delete_delta:
@@ -135,7 +131,7 @@ def get_region(
 
 @defer
 def run(dry_run: bool, thread_pool_size: int, defer: Callable | None = None) -> None:
-    utc_now = datetime.utcnow()
+    now = utc_now()
     gqlapi = gql.get_api()
     aws_accounts = aws_accounts_query(gqlapi.query).accounts
 
@@ -177,7 +173,7 @@ def run(dry_run: bool, thread_pool_size: int, defer: Callable | None = None) ->
     # Build AWSApi object. We will use all those accounts listed in ami_accounts since
     # we will also need to look for used AMIs.
     accounts_dicted = [
-        account.dict(by_alias=True)
+        account.model_dump(by_alias=True)
         for account in aws_accounts or []
         if account.name in ami_accounts
     ]
@@ -222,7 +218,7 @@ def run(dry_run: bool, thread_pool_size: int, defer: Callable | None = None) ->
                 owner=account.uid,
                 regex=cleanup_config.regex,
                 age_in_seconds=age_in_seconds,
-                utc_now=utc_now,
+                now=now,
             )
 
             for ami in aws_amis:

reconcile/aws_ami_share.py

@@ -1,17 +1,19 @@
 import logging
+import re
 from collections.abc import (
-    Callable,
     Iterable,
     Mapping,
 )
 from typing import Any
 
 from reconcile import queries
+from reconcile.typed_queries.aws_account_tags import get_aws_account_tags
+from reconcile.typed_queries.external_resources import get_settings
 from reconcile.utils.aws_api import AWSApi
-from reconcile.utils.defer import defer
 
 QONTRACT_INTEGRATION = "aws-ami-share"
-MANAGED_TAG = {"Key": "managed_by_integration", "Value": QONTRACT_INTEGRATION}
+
+MANAGED_TAG = {"managed_by_integration": QONTRACT_INTEGRATION}
 
 
 def filter_accounts(accounts: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
@@ -37,65 +39,70 @@ def get_region(
     return region
 
 
-@defer
-def run(dry_run: bool, defer: Callable | None = None) -> None:
+def share_ami(
+    dry_run: bool,
+    src_account: Mapping[str, Any],
+    share: Mapping[str, Any],
+    default_tags: dict[str, str],
+    aws_api: AWSApi,
+) -> None:
+    dst_account = share["account"]
+    regex = re.compile(share["regex"])
+    region = get_region(share, src_account, dst_account)
+    src_amis = aws_api.get_amis_details(src_account, src_account, regex, region)
+    dst_amis = aws_api.get_amis_details(dst_account, src_account, regex, region)
+
+    for ami_id, src_ami_tags in src_amis.items():
+        dst_ami_tags = dst_amis.get(ami_id)
+        if dst_ami_tags is None:
+            logging.info([
+                "share_ami",
+                src_account["name"],
+                dst_account["name"],
+                ami_id,
+            ])
+            if not dry_run:
+                aws_api.share_ami(src_account, dst_account["uid"], ami_id, region)
+        dst_account_tags = default_tags | get_aws_account_tags(
+            dst_account.get("organization", None)
+        )
+        desired_tags = src_ami_tags | dst_account_tags | MANAGED_TAG
+        current_tags = dst_ami_tags or {}
+
+        if desired_tags != current_tags:
+            logging.info([
+                "tag_shared_ami",
+                dst_account["name"],
+                ami_id,
+                desired_tags,
+            ])
+            if not dry_run:
+                aws_api.create_tags(dst_account, ami_id, desired_tags)
+
+
+def run(dry_run: bool) -> None:
     accounts = queries.get_aws_accounts(sharing=True)
     sharing_accounts = filter_accounts(accounts)
     settings = queries.get_app_interface_settings()
-    aws_api = AWSApi(1, sharing_accounts, settings=settings, init_users=False)
-    if defer:
-        defer(aws_api.cleanup)
-
-    for src_account in sharing_accounts:
-        sharing = src_account.get("sharing")
-        if not sharing:
-            continue
-        for share in sharing:
-            if share["provider"] != "ami":
-                continue
-            dst_account = share["account"]
-            regex = share["regex"]
-            region = get_region(share, src_account, dst_account)
-            src_amis = aws_api.get_amis_details(src_account, src_account, regex, region)
-            dst_amis = aws_api.get_amis_details(dst_account, src_account, regex, region)
-
-            for src_ami in src_amis:
-                src_ami_id = src_ami["image_id"]
-                found_dst_amis = [d for d in dst_amis if d["image_id"] == src_ami_id]
-                if not found_dst_amis:
-                    logging.info([
-                        "share_ami",
-                        src_account["name"],
-                        dst_account["name"],
-                        src_ami_id,
-                    ])
-                    if not dry_run:
-                        aws_api.share_ami(
-                            src_account, dst_account["uid"], src_ami_id, region
-                        )
-                    # we assume an unshared ami does not have tags
-                    found_dst_amis = [{"image_id": src_ami_id, "tags": []}]
-
-                dst_ami = found_dst_amis[0]
-                dst_ami_id = dst_ami["image_id"]
-                dst_ami_tags = dst_ami["tags"]
-                if MANAGED_TAG not in dst_ami_tags:
-                    logging.info([
-                        "tag_shared_ami",
-                        dst_account["name"],
-                        dst_ami_id,
-                        MANAGED_TAG,
-                    ])
-                    if not dry_run:
-                        aws_api.create_tag(dst_account, dst_ami_id, MANAGED_TAG)
-                src_ami_tags = src_ami["tags"]
-                for src_tag in src_ami_tags:
-                    if src_tag not in dst_ami_tags:
-                        logging.info([
-                            "tag_shared_ami",
-                            dst_account["name"],
-                            dst_ami_id,
-                            src_tag,
-                        ])
-                        if not dry_run:
-                            aws_api.create_tag(dst_account, dst_ami_id, src_tag)
+    try:
+        default_tags = get_settings().default_tags
+    except ValueError:
+        # no external resources settings found
+        default_tags = {}
+
+    with AWSApi(
+        1,
+        sharing_accounts,
+        settings=settings,
+        init_users=False,
+    ) as aws_api:
+        for src_account in sharing_accounts:
+            for share in src_account.get("sharing") or []:
+                if share["provider"] == "ami":
+                    share_ami(
+                        dry_run=dry_run,
+                        src_account=src_account,
+                        share=share,
+                        default_tags=default_tags,
+                        aws_api=aws_api,
+                    )