qontract-reconcile 0.10.2.dev361__py3-none-any.whl → 0.10.2.dev474__py3-none-any.whl

reconcile/utils/terrascript_aws_client.py

@@ -22,7 +22,6 @@ from typing import (
     TYPE_CHECKING,
     Any,
     Self,
-    TypeAlias,
     cast,
 )
 
@@ -152,6 +151,7 @@ from reconcile.github_org import get_default_config
 from reconcile.gql_definitions.terraform_resources.terraform_resources_namespaces import (
     NamespaceTerraformResourceLifecycleV1,
 )
+from reconcile.typed_queries.aws_account_tags import get_aws_account_tags
 from reconcile.utils import gql
 from reconcile.utils.aws_api import (
     AmiTag,
@@ -178,7 +178,10 @@ from reconcile.utils.external_resources import (
 from reconcile.utils.git import is_file_in_git_repo
 from reconcile.utils.gitlab_api import GitLabApi
 from reconcile.utils.jenkins_api import JenkinsApi
-from reconcile.utils.jinja2.utils import process_extracurlyjinja2_template
+from reconcile.utils.jinja2.utils import (
+    process_extracurlyjinja2_template,
+    process_jinja2_template,
+)
 from reconcile.utils.json import json_dumps
 from reconcile.utils.password_validator import (
     PasswordPolicy,
@@ -203,7 +206,7 @@ if TYPE_CHECKING:
     from reconcile.utils.ocm import OCMMap
 
 
-TFResource: TypeAlias = type[
+type TFResource = type[
     Resource | Data | Module | Provider | Variable | Output | Locals | Terraform
 ]
 
@@ -268,6 +271,8 @@ VARIABLE_KEYS = [
     "extra_tags",
     "lifecycle",
     "max_session_duration",
+    "secret_format",
+    "policy",
 ]
 
 EMAIL_REGEX = re.compile(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")
@@ -369,6 +374,10 @@ class aws_s3_bucket_logging(Resource):
     pass
 
 
+class aws_kinesis_resource_policy(Resource):
+    pass
+
+
 class aws_cloudfront_log_delivery_canonical_user_id(Data):
     pass
 
@@ -470,10 +479,10 @@ class TerrascriptClient:
         integration_prefix: str,
         thread_pool_size: int,
         accounts: Iterable[MutableMapping[str, Any]],
+        default_tags: Mapping[str, str] | None,
         settings: Mapping[str, Any] | None = None,
         prefetch_resources_by_schemas: Iterable[str] | None = None,
         secret_reader: SecretReaderBase | None = None,
-        default_tags: Mapping[str, str] | None = None,
     ) -> None:
         self.integration = integration
         self.integration_prefix = integration_prefix
@@ -484,16 +493,11 @@ class TerrascriptClient:
         else:
             self.secret_reader = SecretReader(settings=settings)
         self.configs: dict[str, dict] = {}
+        self.default_tags = default_tags or {"app": "app-sre-infra"}
         self.populate_configs(filtered_accounts)
         self.versions: dict[str, str] = {
             a["name"]: a["providerVersion"] for a in filtered_accounts
         }
-        self.default_tags = {
-            "tags": default_tags
-            or {
-                "app": "app-sre-infra",
-            }
-        }
         tss = {}
         locks = {}
         self.supported_regions = {}
@@ -510,7 +514,7 @@ class TerrascriptClient:
                         region=region,
                         alias=region,
                         skip_region_validation=True,
-                        default_tags=self.default_tags,
+                        default_tags={"tags": config["tags"]},
                     )
 
             # Add default region, which will be in resourcesDefaultRegion
@@ -519,7 +523,7 @@ class TerrascriptClient:
                 secret_key=config["aws_secret_access_key"],
                 region=config["resourcesDefaultRegion"],
                 skip_region_validation=True,
-                default_tags=self.default_tags,
+                default_tags={"tags": config["tags"]},
             )
 
             ts += Terraform(
@@ -802,6 +806,9 @@ class TerrascriptClient:
             config["supportedDeploymentRegions"] = account["supportedDeploymentRegions"]
             config["resourcesDefaultRegion"] = account["resourcesDefaultRegion"]
             config["terraformState"] = account["terraformState"]
+            config["tags"] = dict(self.default_tags) | get_aws_account_tags(
+                account.get("organization", None)
+            )
             self.configs[account_name] = config
 
     def _get_partition(self, account: str) -> str:
@@ -1056,7 +1063,9 @@ class TerrascriptClient:
             ignore_changes = (
                 "all" if "all" in lifecycle.ignore_changes else lifecycle.ignore_changes
             )
-            return lifecycle.dict(by_alias=True) | {"ignore_changes": ignore_changes}
+            return lifecycle.model_dump(by_alias=True) | {
+                "ignore_changes": ignore_changes
+            }
         return None
 
     def populate_additional_providers(
@@ -1071,25 +1080,15 @@ class TerrascriptClient:
             config = self.configs[account_name]
             existing_provider_aliases = {p.get("alias") for p in ts["provider"]["aws"]}
             if alias not in existing_provider_aliases:
-                if assume_role:
-                    ts += provider.aws(
-                        access_key=config["aws_access_key_id"],
-                        secret_key=config["aws_secret_access_key"],
-                        region=region,
-                        alias=alias,
-                        assume_role={"role_arn": assume_role},
-                        skip_region_validation=True,
-                        default_tags=self.default_tags,
-                    )
-                else:
-                    ts += provider.aws(
-                        access_key=config["aws_access_key_id"],
-                        secret_key=config["aws_secret_access_key"],
-                        region=region,
-                        alias=alias,
-                        skip_region_validation=True,
-                        default_tags=self.default_tags,
-                    )
+                ts += provider.aws(
+                    access_key=config["aws_access_key_id"],
+                    secret_key=config["aws_secret_access_key"],
+                    region=region,
+                    alias=alias,
+                    skip_region_validation=True,
+                    default_tags={"tags": config["tags"]},
+                    **{"assume_role": {"role_arn": assume_role}} if assume_role else {},
+                )
 
     def populate_route53(
         self, desired_state: Iterable[Mapping[str, Any]], default_ttl: int = 300
@@ -1432,7 +1431,7 @@ class TerrascriptClient:
             req_account_name = req_account.name
             # Accepter's side of the connection - the cluster's account
             acc_account = accepter.account
-            acc_alias = self.get_provider_alias(acc_account.dict(by_alias=True))
+            acc_alias = self.get_provider_alias(acc_account.model_dump(by_alias=True))
             acc_uid = acc_account.uid
             if acc_account.assume_role:
                 acc_uid = awsh.get_account_uid_from_arn(acc_account.assume_role)
@@ -2218,14 +2217,59 @@ class TerrascriptClient:
         letters_and_digits = string.ascii_letters + string.digits
         return "".join(random.choice(letters_and_digits) for i in range(string_length))
 
-    def populate_tf_resource_s3(self, spec: ExternalResourceSpec) -> aws_s3_bucket:
+    @staticmethod
+    def _build_tf_resource_s3_lifecycle_rules(
+        versioning: bool,
+        common_values: Mapping[str, Any],
+    ) -> list[dict]:
+        lifecycle_rules = common_values.get("lifecycle_rules") or []
+        if versioning and not any(
+            "noncurrent_version_expiration" in lr for lr in lifecycle_rules
+        ):
+            # Add a default noncurrent object expiration rule
+            # if one isn't already set
+            rule = {
+                "id": "expire_noncurrent_versions",
+                "enabled": True,
+                "noncurrent_version_expiration": {"days": 30},
+                "expiration": {"expired_object_delete_marker": True},
+                "abort_incomplete_multipart_upload_days": 3,
+            }
+            lifecycle_rules.append(rule)
+
+        if storage_class := common_values.get("storage_class"):
+            sc = storage_class.upper()
+            days = "1"
+            if sc.endswith("_IA"):
+                # Infrequent Access storage class has minimum 30 days
+                # before transition
+                days = "30"
+            rule = {
+                "id": sc + "_storage_class",
+                "enabled": True,
+                "transition": {"days": days, "storage_class": sc},
+                "noncurrent_version_transition": {"days": days, "storage_class": sc},
+            }
+            lifecycle_rules.append(rule)
+
+        return lifecycle_rules
+
+    def _populate_tf_resource_s3_bucket(
+        self,
+        spec: ExternalResourceSpec,
+        common_values: dict[str, Any],
+    ) -> tuple[aws_s3_bucket, list[TFResource]]:
+        """Create S3 bucket with configuration and notifications.
+
+        Creates aws_s3_bucket with versioning, encryption, lifecycle rules,
+        CORS, logging, and replication. Also creates aws_s3_bucket_notification
+        for SQS/SNS event notifications if configured.
+        """
         account = spec.provisioner_name
         identifier = spec.identifier
-        common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
         tf_resources: list[TFResource] = []
-        self.init_common_outputs(tf_resources, spec)
 
         # s3 bucket
         # Terraform resource reference:
@@ -2257,47 +2301,11 @@ class TerrascriptClient:
         request_payer = common_values.get("request_payer")
         if request_payer:
             values["request_payer"] = request_payer
-        lifecycle_rules = common_values.get("lifecycle_rules")
-        if lifecycle_rules:
-            # common_values['lifecycle_rules'] is a list of lifecycle_rules
+        if lifecycle_rules := self._build_tf_resource_s3_lifecycle_rules(
+            versioning=versioning,
+            common_values=common_values,
+        ):
             values["lifecycle_rule"] = lifecycle_rules
-        if versioning:
-            lrs = values.get("lifecycle_rule", [])
-            expiration_rule = False
-            for lr in lrs:
-                if "noncurrent_version_expiration" in lr:
-                    expiration_rule = True
-                    break
-            if not expiration_rule:
-                # Add a default noncurrent object expiration rule if
-                # if one isn't already set
-                rule = {
-                    "id": "expire_noncurrent_versions",
-                    "enabled": "true",
-                    "noncurrent_version_expiration": {"days": 30},
-                }
-                if len(lrs) > 0:
-                    lrs.append(rule)
-                else:
-                    lrs = rule
-        sc = common_values.get("storage_class")
-        if sc:
-            sc = sc.upper()
-            days = "1"
-            if sc.endswith("_IA"):
-                # Infrequent Access storage class has minimum 30 days
-                # before transition
-                days = "30"
-            rule = {
-                "id": sc + "_storage_class",
-                "enabled": "true",
-                "transition": {"days": days, "storage_class": sc},
-                "noncurrent_version_transition": {"days": days, "storage_class": sc},
-            }
-            if values.get("lifecycle_rule"):
-                values["lifecycle_rule"].append(rule)
-            else:
-                values["lifecycle_rule"] = rule
         cors_rules = common_values.get("cors_rules")
         if cors_rules:
             # common_values['cors_rules'] is a list of cors_rules
@@ -2438,8 +2446,7 @@ class TerrascriptClient:
         output_name = output_prefix + "__endpoint"
         tf_resources.append(Output(output_name, value=endpoint))
 
-        sqs_identifier = common_values.get("sqs_identifier", None)
-        if sqs_identifier is not None:
+        if sqs_identifier := common_values.get("sqs_identifier"):
             sqs_values = {"name": sqs_identifier}
             sqs_provider = values.get("provider")
             if sqs_provider:
@@ -2458,11 +2465,9 @@ class TerrascriptClient:
                     }
                 ],
             }
-            filter_prefix = common_values.get("filter_prefix", None)
-            if filter_prefix is not None:
+            if filter_prefix := common_values.get("filter_prefix"):
                 notification_values["queue"][0]["filter_prefix"] = filter_prefix
-            filter_suffix = common_values.get("filter_suffix", None)
-            if filter_suffix is not None:
+            if filter_suffix := common_values.get("filter_suffix"):
                 notification_values["queue"][0]["filter_suffix"] = filter_suffix
 
             notification_tf_resource = aws_s3_bucket_notification(
@@ -2542,21 +2547,48 @@ class TerrascriptClient:
             )
             tf_resources.append(notification_tf_resource)
 
-        bucket_policy = common_values.get("bucket_policy")
-        if bucket_policy:
-            values = {
-                "bucket": identifier,
-                "policy": bucket_policy,
-                "depends_on": self.get_dependencies([bucket_tf_resource]),
-            }
-            if self._multiregion_account(account):
-                values["provider"] = "aws." + region
-            bucket_policy_tf_resource = aws_s3_bucket_policy(identifier, **values)
-            tf_resources.append(bucket_policy_tf_resource)
+        return bucket_tf_resource, tf_resources
 
-        # iam resources
-        # Terraform resource reference:
-        # https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
+    def _populate_tf_resource_s3_bucket_policy(
+        self,
+        spec: ExternalResourceSpec,
+        bucket_tf_resource: aws_s3_bucket,
+        policy: str,
+        common_values: dict[str, Any],
+    ) -> list[TFResource]:
+        """Create S3 bucket policy resource.
+
+        Creates aws_s3_bucket_policy with the provided policy document.
+        """
+        account = spec.provisioner_name
+        identifier = spec.identifier
+        region = common_values.get("region") or self.default_regions.get(account)
+        assert region  # make mypy happy
+
+        values: dict[str, Any] = {
+            "bucket": identifier,
+            "policy": policy,
+            "depends_on": self.get_dependencies([bucket_tf_resource]),
+        }
+        if self._multiregion_account(account):
+            values["provider"] = "aws." + region
+        bucket_policy_tf_resource = aws_s3_bucket_policy(identifier, **values)
+        return [bucket_policy_tf_resource]
+
+    def _populate_tf_resource_s3_iam(
+        self,
+        spec: ExternalResourceSpec,
+        bucket_tf_resource: aws_s3_bucket,
+        common_values: dict[str, Any],
+    ) -> list[TFResource]:
+        """Create IAM resources for S3 bucket access.
+
+        Creates aws_iam_user, aws_iam_access_key, aws_iam_policy,
+        and aws_iam_user_policy_attachment for bucket access.
+        """
+        identifier = spec.identifier
+        output_prefix = spec.output_prefix
+        tf_resources: list[TFResource] = []
 
         # iam user for bucket
         values = {
@@ -2614,6 +2646,32 @@ class TerrascriptClient:
         )
         tf_resources.append(tf_user_policy_attachment)
 
+        return tf_resources
+
+    def populate_tf_resource_s3(self, spec: ExternalResourceSpec) -> aws_s3_bucket:
+        account = spec.provisioner_name
+        common_values = self.init_values(spec)
+
+        tf_resources: list[TFResource] = []
+        self.init_common_outputs(tf_resources, spec)
+
+        bucket_tf_resource, bucket_resources = self._populate_tf_resource_s3_bucket(
+            spec, common_values
+        )
+        tf_resources.extend(bucket_resources)
+
+        bucket_policy = common_values.get("bucket_policy")
+        if bucket_policy:
+            tf_resources.extend(
+                self._populate_tf_resource_s3_bucket_policy(
+                    spec, bucket_tf_resource, bucket_policy, common_values
+                )
+            )
+
+        tf_resources.extend(
+            self._populate_tf_resource_s3_iam(spec, bucket_tf_resource, common_values)
+        )
+
         self.add_resources(account, tf_resources)
 
         return bucket_tf_resource
@@ -3388,42 +3446,53 @@ class TerrascriptClient:
         common_values = self.init_values(spec)
         output_prefix = spec.output_prefix
 
-        bucket_tf_resource = self.populate_tf_resource_s3(spec)
-
         tf_resources: list[TFResource] = []
+        self.init_common_outputs(tf_resources, spec)
+
+        bucket_tf_resource, bucket_resources = self._populate_tf_resource_s3_bucket(
+            spec, common_values
+        )
+        tf_resources.extend(bucket_resources)
+
+        tf_resources.extend(
+            self._populate_tf_resource_s3_iam(spec, bucket_tf_resource, common_values)
+        )
 
         # cloudfront origin access identity
         values = {"comment": f"{identifier}-cf-identity"}
         cf_oai_tf_resource = aws_cloudfront_origin_access_identity(identifier, **values)
         tf_resources.append(cf_oai_tf_resource)
 
-        # bucket policy for cloudfront
-        values_policy: dict[str, Any] = {"bucket": identifier}
-        policy = {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Sid": "Grant access to CloudFront Origin Identity",
-                    "Effect": "Allow",
-                    "Principal": {"AWS": "${" + cf_oai_tf_resource.iam_arn + "}"},
-                    "Action": "s3:GetObject",
-                    "Resource": [
-                        f"arn:aws:s3:::{identifier}/{enable_dir}/*"
-                        for enable_dir in common_values.get(
-                            "get_object_enable_dirs", []
-                        )
-                    ],
-                }
+        # bucket policy for cloudfront - merge custom policy with CloudFront access statement
+        cf_statement = {
+            "Sid": "Grant access to CloudFront Origin Identity",
+            "Effect": "Allow",
+            "Principal": {"AWS": "${" + cf_oai_tf_resource.iam_arn + "}"},
+            "Action": "s3:GetObject",
+            "Resource": [
+                f"arn:aws:s3:::{identifier}/{enable_dir}/*"
+                for enable_dir in common_values.get("get_object_enable_dirs", [])
             ],
         }
-        values_policy["policy"] = json_dumps(policy)
-        values_policy["depends_on"] = self.get_dependencies([bucket_tf_resource])
-        region = common_values.get("region") or self.default_regions.get(account)
-        assert region  # make mypy happy
-        if self._multiregion_account(account):
-            values_policy["provider"] = "aws." + region
-        bucket_policy_tf_resource = aws_s3_bucket_policy(identifier, **values_policy)
-        tf_resources.append(bucket_policy_tf_resource)
+
+        custom_bucket_policy = common_values.get("bucket_policy")
+        if custom_bucket_policy:
+            # if the user specifies a custom bucket policy then we merge their statements with the cloudfront origin identity policy
+            if isinstance(custom_bucket_policy, str):
+                custom_bucket_policy = json.loads(custom_bucket_policy)
+            custom_bucket_policy.setdefault("Statement", []).append(cf_statement)
+            policy = custom_bucket_policy
+        else:
+            policy = {
+                "Version": "2012-10-17",
+                "Statement": [cf_statement],
+            }
+
+        tf_resources.extend(
+            self._populate_tf_resource_s3_bucket_policy(
+                spec, bucket_tf_resource, json_dumps(policy), common_values
+            )
+        )
 
         distribution_config = common_values.get("distribution_config", {})
         # aws_s3_bucket_acl
@@ -4024,6 +4093,22 @@ class TerrascriptClient:
         kinesis_tf_resource = aws_kinesis_stream(identifier, **kinesis_values)
         tf_resources.append(kinesis_tf_resource)
 
+        # kinesis resource policy (optional)
+        # Terraform resource reference:
+        # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_resource_policy
+        if policy := common_values.get("policy"):
+            policy_identifier = f"{identifier}-policy"
+            policy_values: dict[str, Any] = {
+                "resource_arn": "${" + kinesis_tf_resource.arn + "}",
+                "policy": policy,
+            }
+            if provider:
+                policy_values["provider"] = provider
+            kinesis_policy_tf_resource = aws_kinesis_resource_policy(
+                policy_identifier, **policy_values
+            )
+            tf_resources.append(kinesis_policy_tf_resource)
+
         es_identifier = common_values.get("es_identifier", None)
         if es_identifier:
             es_resource = self._find_resource_spec(
@@ -5810,6 +5895,10 @@ class TerrascriptClient:
         assert secret  # make mypy happy
         secret_data = self.secret_reader.read_all(secret)
 
+        secret_format = common_values.get("secret_format")
+        if secret_format is not None:
+            secret_data = self._apply_secret_format(str(secret_format), secret_data)
+
         version_values: dict[str, Any] = {
             "secret_id": "${" + aws_secret_resource.id + "}",
             "secret_string": json_dumps(secret_data),
@@ -5833,6 +5922,66 @@ class TerrascriptClient:
 
         self.add_resources(account, tf_resources)
 
+    @staticmethod
+    def _unflatten_dotted_keys_dict(flat_dict: dict[str, str]) -> dict[str, Any]:
+        """Convert a flat dictionary with dotted keys to a nested dictionary.
+
+        Example:
+            {"db.host": "localhost", "db.port": "5432"} ->
+            {"db": {"host": "localhost", "port": "5432"}}
+
+        Raises:
+            ValueError: If there are conflicting keys (e.g., "a.b" and "a.b.c")
+        """
+        result: dict[str, Any] = {}
+        for key, value in flat_dict.items():
+            parts = key.split(".")
+            current = result
+            for i, part in enumerate(parts[:-1]):
+                if part not in current:
+                    current[part] = {}
+                elif not isinstance(current[part], dict):
+                    # Conflict: trying to traverse through a non-dict value
+                    conflicting_path = ".".join(parts[: i + 1])
+                    raise ValueError(
+                        f"Conflicting keys detected: '{conflicting_path}' is both a "
+                        f"value and a nested path in key '{key}'"
+                    )
+                current = current[part]
+
+            # Check if we're trying to set a value where a dict already exists
+            if parts[-1] in current and isinstance(current[parts[-1]], dict):
+                raise ValueError(
+                    f"Conflicting keys detected: '{key}' conflicts with nested keys"
+                )
+
+            current[parts[-1]] = value
+
+        return result
+
+    @staticmethod
+    def _apply_secret_format(
+        secret_format: str, secret_data: dict[str, str]
+    ) -> dict[str, str]:
+        # Convert flat dict with dotted keys to nested dict for Jinja2
+        nested_secret_data = TerrascriptClient._unflatten_dotted_keys_dict(secret_data)
+        rendered_data = process_jinja2_template(secret_format, nested_secret_data)
+
+        parsed_data = json.loads(rendered_data)
+
+        if not isinstance(parsed_data, dict):
+            raise ValueError("secret_format must be a dictionary")
+
+        # validate secret is a dict[str, str]
+        for k, v in parsed_data.items():
+            if not isinstance(k, str):
+                raise ValueError(f"key '{k}' is not a string")
+
+            if not isinstance(v, str):
+                raise ValueError(f"dictionary value '{v}' under '{k}' is not a string")
+
+        return parsed_data
+
     def get_commit_sha(self, repo_info: Mapping) -> str:
         url = repo_info["url"]
         ref = repo_info["ref"]
@@ -5851,7 +6000,8 @@ class TerrascriptClient:
                 return commit.sha
             case "gitlab":
                 gitlab = self.init_gitlab()
-                project = gitlab.get_project(url)
+                if not (project := gitlab.get_project(url)):
+                    raise ValueError(f"could not find gitlab project for url {url}")
                 commits = project.commits.list(ref_name=ref, per_page=1, page=1)
                 return commits[0].id
             case _:

reconcile/utils/unleash/server.py

@@ -24,30 +24,24 @@ class Environment(BaseModel):
         return self.name == other
 
 
-class FeatureToggle(BaseModel):
+class FeatureToggle(BaseModel, validate_by_name=True, validate_by_alias=True):
     name: str
     type: FeatureToggleType = FeatureToggleType.release
     description: str | None = None
     impression_data: bool = Field(False, alias="impressionData")
     environments: list[Environment]
 
-    class Config:
-        allow_population_by_field_name = True
-
     def __eq__(self, other: object) -> bool:
         if isinstance(other, FeatureToggle):
             return self.name == other.name
         return self.name == other
 
 
-class Project(BaseModel):
+class Project(BaseModel, validate_by_name=True, validate_by_alias=True):
     pk: str = Field(alias="id")
     name: str
     feature_toggles: list[FeatureToggle] = []
 
-    class Config:
-        allow_population_by_field_name = True
-
 
 class TokenAuth(BearerTokenAuth):
     def __call__(self, r: requests.PreparedRequest) -> requests.PreparedRequest:

reconcile/utils/vault.py

@@ -6,7 +6,7 @@ import threading
 import time
 from collections.abc import Mapping
 from functools import lru_cache
-from typing import Any, Self, TypedDict
+from typing import Any, Self
 
 import hvac
 import requests
@@ -48,13 +48,6 @@ class VaultConnectionError(Exception):
     pass
 
 
-class Secret(TypedDict):
-    path: str
-    field: str
-    format: str | None
-    version: str | None
-
-
 SECRET_VERSION_LATEST = "LATEST"
 
 
@@ -197,7 +190,7 @@ class VaultClient:
             self._client.auth_approle(self.role_id, self.secret_id)
 
     @retry()
-    def read_all_with_version(self, secret: Mapping) -> tuple[Mapping, str | None]:
+    def read_all_with_version(self, secret: Mapping) -> tuple[dict, int | None]:
         """Returns a dictionary of keys and values in a Vault secret and the
         version of the secret, for V1 secrets, version will be None.
 
@@ -207,7 +200,7 @@ class VaultClient:
                                a v2 KV engine)
         """
         secret_path = secret["path"]
-        secret_version = secret.get("version")
+        secret_version = secret.get("version") or SECRET_VERSION_LATEST
 
         kv_version = self._get_mount_version_by_secret_path(secret_path)
 
@@ -250,7 +243,7 @@ class VaultClient:
 
     def __read_all_v2(
         self, path: str, version: str | None
-    ) -> tuple[dict[str, Any], str | None]:
+    ) -> tuple[dict[str, Any], int]:
         path_split = path.split("/")
         mount_point = path_split[0]
         read_path = "/".join(path_split[1:])
@@ -294,7 +287,7 @@ class VaultClient:
         return secret["data"]
 
     @retry()
-    def read(self, secret: Secret) -> Any:
+    def read(self, secret: Mapping[str, Any]) -> Any:
         """Returns a value of a key in a Vault secret.
 
         The input secret is a dictionary which contains the following fields: