qontract-reconcile 0.10.2.dev64__py3-none-any.whl → 0.10.2.dev65__py3-none-any.whl

{qontract_reconcile-0.10.2.dev64.dist-info → qontract_reconcile-0.10.2.dev65.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev64
+Version: 0.10.2.dev65
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev64.dist-info → qontract_reconcile-0.10.2.dev65.dist-info}/RECORD

@@ -637,7 +637,7 @@ reconcile/utils/state.py,sha256=az4tBmZ0EdbFcAGiBVUxs3cr2-BVWsuDQiNTvjjQq8s,1637
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=H8frsS370y8xfivKLNBD1dwlBLHvfuR6JSN_syBL5Qc,36033
-reconcile/utils/terrascript_aws_client.py,sha256=HtBl6Agm8b1rsFbanaatMg1EASQy44KaU5gu_lM_zQQ,284878
+reconcile/utils/terrascript_aws_client.py,sha256=hPfWduAsMpVUcYgw1cx7tiAyVmsJ1BdTCqPzyYPTThE,286260
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=aSA8l9cJlPUHpChFGl27nSY-Mpq9FMjBo7Dcgb1BVfM,15036
@@ -777,7 +777,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev64.dist-info/METADATA,sha256=w1DVvEyO9I2lEXPv9LlbxwxJxqO9tZkUhzrD_jC9KE0,24665
-qontract_reconcile-0.10.2.dev64.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev64.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev64.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev65.dist-info/METADATA,sha256=Wv30Cf9UuON-ZNSyiNXTocpDNcpFrLTFSdglYgLe_Vg,24665
+qontract_reconcile-0.10.2.dev65.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev65.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev65.dist-info/RECORD,,

reconcile/utils/terrascript_aws_client.py

@@ -270,6 +270,36 @@ DEFAULT_TAGS = {
     },
 }
 
+AWS_ELB_ACCOUNT_IDS = {
+    "us-east-1": "127311923021",
+    "us-east-2": "033677994240",
+    "us-west-1": "027434742980",
+    "us-west-2": "797873946194",
+    "af-south-1": "098369216593",
+    "ap-east-1": "754344448648",
+    "ap-southeast-3": "589379963580",
+    "ap-south-1": "718504428378",
+    "ap-northeast-3": "383597477331",
+    "ap-northeast-2": "600734575887",
+    "ap-southeast-1": "114774131450",
+    "ap-southeast-2": "783225319266",
+    "ap-northeast-1": "582318560864",
+    "ca-central-1": "985666609251",
+    "eu-central-1": "054676820928",
+    "eu-west-1": "156460612806",
+    "eu-west-2": "652711504416",
+    "eu-south-1": "635631232127",
+    "eu-west-3": "009996457667",
+    "eu-north-1": "897822967062",
+    "me-south-1": "076674570225",
+    "sa-east-1": "507241528517",
+}
+
+AWS_US_GOV_ELB_ACCOUNT_IDS = {
+    "us-gov-west-1": "048591011584",
+    "us-gov-east-1": "190560391635",
+}
+
 
 class OutputResourceNameNotUniqueException(Exception):
     def __init__(self, namespace, duplicates):
@@ -5148,6 +5178,16 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             raise KeyError(f"unknown alb rule condition type {condition_type}")
         return {condition_type_key: {"values": condition[condition_type_key]}}
 
+    @staticmethod
+    def _get_principal_for_s3_bucket_policy(
+        region: str, elb_account_id: str | None
+    ) -> Mapping[str, str]:
+        if region in AWS_ELB_ACCOUNT_IDS:
+            return {"AWS": f"arn:aws:iam::{elb_account_id}:root"}
+        if region in AWS_US_GOV_ELB_ACCOUNT_IDS:
+            return {"AWS": f"arn:aws-us-gov:iam::{elb_account_id}:root"}
+        return {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"}
+
     def populate_tf_resource_alb(self, spec, ocm_map=None):
         account = spec.provisioner_name
         identifier = spec.identifier
@@ -5262,15 +5302,18 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             tf_resources.append(lb_access_logs_s3_bucket_tf_resource)
 
             policy_identifier = f"{identifier}-s3-bucket-policy"
-            # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#access-log-create-bucket
+            region = str(
+                common_values.get("region") or self.default_regions.get(account)
+            )
+            elb_account_id = self._get_elb_account_id(region)
+            principal = self._get_principal_for_s3_bucket_policy(region, elb_account_id)
+
             policy = {
                 "Version": "2012-10-17",
                 "Statement": [
                     {
                         "Effect": "Allow",
-                        "Principal": {
-                            "AWS": f"arn:aws:iam::{self.accounts[account]['uid']}:root"
-                        },
+                        "Principal": principal,
                         "Action": "s3:PutObject",
                         "Resource": f"${{{lb_access_logs_s3_bucket_tf_resource.arn}}}/*",
                     }