qontract-reconcile 0.10.2.dev64__py3-none-any.whl → 0.10.2.dev66__py3-none-any.whl

{qontract_reconcile-0.10.2.dev64.dist-info → qontract_reconcile-0.10.2.dev66.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev64
+Version: 0.10.2.dev66
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev64.dist-info → qontract_reconcile-0.10.2.dev66.dist-info}/RECORD

@@ -637,7 +637,7 @@ reconcile/utils/state.py,sha256=az4tBmZ0EdbFcAGiBVUxs3cr2-BVWsuDQiNTvjjQq8s,1637
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=H8frsS370y8xfivKLNBD1dwlBLHvfuR6JSN_syBL5Qc,36033
-reconcile/utils/terrascript_aws_client.py,sha256=HtBl6Agm8b1rsFbanaatMg1EASQy44KaU5gu_lM_zQQ,284878
+reconcile/utils/terrascript_aws_client.py,sha256=hPfWduAsMpVUcYgw1cx7tiAyVmsJ1BdTCqPzyYPTThE,286260
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=aSA8l9cJlPUHpChFGl27nSY-Mpq9FMjBo7Dcgb1BVfM,15036
@@ -750,7 +750,7 @@ tools/app_sre_tekton_access_reporter.py,sha256=o9prLUgQpwO3msRWc2as1xT1y9OB3znkp
 tools/app_sre_tekton_access_revalidation.py,sha256=66nHEaY-bIqxIhpcmwN8AvQZu6ZXenfkg4Fut0pVZRM,2726
 tools/glitchtip_access_reporter.py,sha256=o01A6b88t3Wie6tj_tJWWVo2J01LxQ_a9giGm4UzEaU,2901
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=HAN-3m8udB8Ea1B4fIpmJoJjLWQERDhIF-9LU9XBCnQ,152477
+tools/qontract_cli.py,sha256=dmCg4SF286H9xgepCe36noYj3hvQPDNFpZNw6jG_AQ0,152870
 tools/sd_app_sre_alert_report.py,sha256=jQpJdXVID68bSNtJNOGDh0-ei1CfEUS4Itr4MAaBNFA,5062
 tools/template_validation.py,sha256=qpKYaTgk0GOPGa2Ct5_5sKdwIHtCAKIBGzsMPuJU5fw,3371
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -777,7 +777,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev64.dist-info/METADATA,sha256=w1DVvEyO9I2lEXPv9LlbxwxJxqO9tZkUhzrD_jC9KE0,24665
-qontract_reconcile-0.10.2.dev64.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev64.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev64.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev66.dist-info/METADATA,sha256=WNn27yZZJD-FxtNtcntxwfwNLSB84rYwJiNuv_YS-Aw,24665
+qontract_reconcile-0.10.2.dev66.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev66.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev66.dist-info/RECORD,,

reconcile/utils/terrascript_aws_client.py

@@ -270,6 +270,36 @@ DEFAULT_TAGS = {
     },
 }
 
+AWS_ELB_ACCOUNT_IDS = {
+    "us-east-1": "127311923021",
+    "us-east-2": "033677994240",
+    "us-west-1": "027434742980",
+    "us-west-2": "797873946194",
+    "af-south-1": "098369216593",
+    "ap-east-1": "754344448648",
+    "ap-southeast-3": "589379963580",
+    "ap-south-1": "718504428378",
+    "ap-northeast-3": "383597477331",
+    "ap-northeast-2": "600734575887",
+    "ap-southeast-1": "114774131450",
+    "ap-southeast-2": "783225319266",
+    "ap-northeast-1": "582318560864",
+    "ca-central-1": "985666609251",
+    "eu-central-1": "054676820928",
+    "eu-west-1": "156460612806",
+    "eu-west-2": "652711504416",
+    "eu-south-1": "635631232127",
+    "eu-west-3": "009996457667",
+    "eu-north-1": "897822967062",
+    "me-south-1": "076674570225",
+    "sa-east-1": "507241528517",
+}
+
+AWS_US_GOV_ELB_ACCOUNT_IDS = {
+    "us-gov-west-1": "048591011584",
+    "us-gov-east-1": "190560391635",
+}
+
 
 class OutputResourceNameNotUniqueException(Exception):
     def __init__(self, namespace, duplicates):
@@ -5148,6 +5178,16 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             raise KeyError(f"unknown alb rule condition type {condition_type}")
         return {condition_type_key: {"values": condition[condition_type_key]}}
 
+    @staticmethod
+    def _get_principal_for_s3_bucket_policy(
+        region: str, elb_account_id: str | None
+    ) -> Mapping[str, str]:
+        if region in AWS_ELB_ACCOUNT_IDS:
+            return {"AWS": f"arn:aws:iam::{elb_account_id}:root"}
+        if region in AWS_US_GOV_ELB_ACCOUNT_IDS:
+            return {"AWS": f"arn:aws-us-gov:iam::{elb_account_id}:root"}
+        return {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"}
+
     def populate_tf_resource_alb(self, spec, ocm_map=None):
         account = spec.provisioner_name
         identifier = spec.identifier
@@ -5262,15 +5302,18 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             tf_resources.append(lb_access_logs_s3_bucket_tf_resource)
 
             policy_identifier = f"{identifier}-s3-bucket-policy"
-            # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#access-log-create-bucket
+            region = str(
+                common_values.get("region") or self.default_regions.get(account)
+            )
+            elb_account_id = self._get_elb_account_id(region)
+            principal = self._get_principal_for_s3_bucket_policy(region, elb_account_id)
+
             policy = {
                 "Version": "2012-10-17",
                 "Statement": [
                     {
                         "Effect": "Allow",
-                        "Principal": {
-                            "AWS": f"arn:aws:iam::{self.accounts[account]['uid']}:root"
-                        },
+                        "Principal": principal,
                         "Action": "s3:PutObject",
                         "Resource": f"${{{lb_access_logs_s3_bucket_tf_resource.arn}}}/*",
                     }

tools/qontract_cli.py

@@ -4271,6 +4271,29 @@ def get_input(ctx: click.Context) -> None:
     print(erv2cli.input_data)
 
 
+def _get_external_resources_credentials(
+    secret_reader: SecretReader,
+    provisioner: str,
+) -> str:
+    return secret_reader.read_with_parameters(
+        path=f"app-sre/external-resources/{provisioner}",
+        field="credentials",
+        format=None,
+        version=None,
+    )
+
+
+@external_resources.command()
+@click.pass_context
+def get_credentials(ctx: click.Context) -> None:
+    """Gets credentials file used in external-resources as AWS_SHARED_CREDENTIALS_FILE"""
+    credentials = _get_external_resources_credentials(
+        secret_reader=ctx.obj["secret_reader"],
+        provisioner=ctx.obj["provisioner"],
+    )
+    print(credentials)
+
+
 @external_resources.command()
 @click.pass_context
 def request_reconciliation(ctx: click.Context) -> None:
@@ -4333,11 +4356,9 @@ def migrate(ctx: click.Context, dry_run: bool, skip_build: bool) -> None:
             # prepare AWS credentials for CDKTF and local terraform
             credentials_file = tempdir / "credentials"
             credentials_file.write_text(
-                ctx.obj["secret_reader"].read_with_parameters(
-                    path=f"app-sre/external-resources/{ctx.obj['provisioner']}",
-                    field="credentials",
-                    format=None,
-                    version=None,
+                _get_external_resources_credentials(
+                    secret_reader=ctx.obj["secret_reader"],
+                    provisioner=ctx.obj["provisioner"],
                 )
             )
         os.environ["AWS_SHARED_CREDENTIALS_FILE"] = str(credentials_file)
@@ -4415,11 +4436,9 @@ def debug_shell(ctx: click.Context) -> None:
             with task(progress, "Preparing environment ..."):
                 credentials_file = tempdir / "credentials"
                 credentials_file.write_text(
-                    ctx.obj["secret_reader"].read_with_parameters(
-                        path=f"app-sre/external-resources/{ctx.obj['provisioner']}",
-                        field="credentials",
-                        format=None,
-                        version=None,
+                    _get_external_resources_credentials(
+                        secret_reader=ctx.obj["secret_reader"],
+                        provisioner=ctx.obj["provisioner"],
                     )
                 )
             os.environ["AWS_SHARED_CREDENTIALS_FILE"] = str(credentials_file)
@@ -4456,11 +4475,9 @@ def force_unlock(ctx: click.Context, lock_id: str) -> None:
             with task(progress, "Preparing environment ..."):
                 credentials_file = tempdir / "credentials"
                 credentials_file.write_text(
-                    ctx.obj["secret_reader"].read_with_parameters(
-                        path=f"app-sre/external-resources/{ctx.obj['provisioner']}",
-                        field="credentials",
-                        format=None,
-                        version=None,
+                    _get_external_resources_credentials(
+                        secret_reader=ctx.obj["secret_reader"],
+                        provisioner=ctx.obj["provisioner"],
                     )
                 )
             os.environ["AWS_SHARED_CREDENTIALS_FILE"] = str(credentials_file)