qontract-reconcile 0.9.1rc298__py3-none-any.whl → 0.10.1.dev1203__py3-none-any.whl

reconcile/utils/terrascript/cloudflare_client.py

@@ -5,10 +5,6 @@ from abc import (
 )
 from collections.abc import Iterable
 from dataclasses import dataclass
-from typing import (
-    Optional,
-    Union,
-)
 
 from terrascript import (
     Backend,
@@ -21,6 +17,7 @@ from terrascript import (
     provider,
 )
 
+from reconcile.cli import TERRAFORM_VERSION
 from reconcile.utils.exceptions import SecretIncompleteError
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
@@ -103,14 +100,23 @@ def create_cloudflare_terrascript(
         }
     }
 
-    terrascript += Terraform(backend=backend, required_providers=required_providers)
-
-    terrascript += provider.cloudflare(
-        api_token=account_config.api_token,
-        account_id=account_config.account_id,  # needed for some resources, see note below
-        rps=provider_rps,
+    terrascript += Terraform(
+        backend=backend,
+        required_providers=required_providers,
+        required_version=TERRAFORM_VERSION[0],
     )
 
+    cloudflare_provider_values = {
+        "api_token": account_config.api_token,
+        "rps": provider_rps,
+    }
+    if provider_version.startswith("3"):
+        cloudflare_provider_values["account_id"] = (
+            account_config.account_id
+        )  # needed for some resources, see note below
+
+    terrascript += provider.cloudflare(**cloudflare_provider_values)
+
     cloudflare_account_values = {
         "name": account_config.name,
         "enforce_twofactor": account_config.enforce_twofactor,
@@ -165,13 +171,15 @@ class TerrascriptCloudflareClient(TerraformConfigClient):
             resources_to_add = create_cloudflare_terrascript_resource(spec)
             self._add_resources(resources_to_add)
 
-    def dump(self, existing_dir: Optional[str] = None) -> str:
+    def dump(self, existing_dir: str | None = None) -> str:
         """Write the Terraform JSON representation of the resources to disk"""
         if existing_dir is None:
             working_dir = tempfile.mkdtemp(prefix=TMP_DIR_PREFIX)
         else:
             working_dir = existing_dir
-        with open(working_dir + "/config.tf.json", "w") as terraform_config_file:
+        with open(
+            working_dir + "/config.tf.json", "w", encoding="locale"
+        ) as terraform_config_file:
             terraform_config_file.write(self.dumps())
 
         return working_dir
@@ -180,9 +188,7 @@ class TerrascriptCloudflareClient(TerraformConfigClient):
         """Return the Terraform JSON representation of the resources"""
         return str(self._terrascript)
 
-    def _add_resources(
-        self, tf_resources: Iterable[Union[Resource, Output, Data]]
-    ) -> None:
+    def _add_resources(self, tf_resources: Iterable[Resource | Output | Data]) -> None:
         for resource in tf_resources:
             self._terrascript.add(resource)
 
@@ -212,6 +218,19 @@ class AccountShardingStrategy(TerraformS3StateNamingStrategy):
         return f"{qr_integration.name}-{self.account.name}.tfstate"
 
 
+class DNSZoneShardingStrategy(TerraformS3StateNamingStrategy):
+    def __init__(self, account: CloudflareAccount, zone_identifier: str):
+        super().__init__()
+        self.account: CloudflareAccount = account
+        self.zone: str = zone_identifier
+
+    def get_object_key(self, qr_integration: Integration) -> str:
+        old_integration_key = qr_integration.name.replace(
+            "-", "_"
+        )  # This is because the state file was already created using this name before the refactoring
+        return f"{old_integration_key}-{self.account.name}-{self.zone}.tfstate"
+
+
 class TerrascriptCloudflareClientFactory:
     @staticmethod
     def _create_backend_config(
@@ -252,9 +271,10 @@ class TerrascriptCloudflareClientFactory:
         cls,
         tf_state_s3: TerraformStateS3,
         cf_acct: CloudflareAccount,
-        sharding_strategy: Optional[TerraformS3StateNamingStrategy],
+        sharding_strategy: TerraformS3StateNamingStrategy | None,
         secret_reader: SecretReaderBase,
         is_managed_account: bool,
+        provider_rps: int = DEFAULT_PROVIDER_RPS,
     ) -> TerrascriptCloudflareClient:
         key = _get_terraform_s3_state_key_name(
             tf_state_s3.integration, sharding_strategy
@@ -265,6 +285,7 @@ class TerrascriptCloudflareClientFactory:
             cf_acct_config,
             backend_config,
             cf_acct.provider_version,
+            provider_rps=provider_rps,
             is_managed_account=is_managed_account,
         )
         client = TerrascriptCloudflareClient(ts_config)
@@ -273,7 +294,7 @@ class TerrascriptCloudflareClientFactory:
 
 def _get_terraform_s3_state_key_name(
     integration: Integration,
-    sharding_strategy: Optional[TerraformS3StateNamingStrategy],
+    sharding_strategy: TerraformS3StateNamingStrategy | None,
 ) -> str:
     if sharding_strategy is None:
         sharding_strategy = Default()

reconcile/utils/terrascript/cloudflare_resources.py

@@ -2,10 +2,7 @@ from collections.abc import (
     Iterable,
     MutableMapping,
 )
-from typing import (
-    Any,
-    Union,
-)
+from typing import Any
 
 from terrascript import (
     Data,
@@ -16,6 +13,7 @@ from terrascript import (
 from terrascript.resource import (
     cloudflare_account_member,
     cloudflare_argo,
+    cloudflare_custom_ssl,
     cloudflare_logpull_retention,
     cloudflare_logpush_job,
     cloudflare_logpush_ownership_challenge,
@@ -89,7 +87,7 @@ class cloudflare_account_roles(Data):
 # TODO: rename to include object?
 def create_cloudflare_terrascript_resource(
     spec: ExternalResourceSpec,
-) -> list[Union[Resource, Output, Data]]:
+) -> list[Resource | Output | Data]:
     """
     Create the required Cloudflare Terrascript resources as defined by the external
     resources spec.
@@ -116,7 +114,7 @@ def create_cloudflare_terrascript_resource(
 class CloudflareWorkerScriptTerrascriptResource(TerrascriptResource):
     """Generate a cloudflare_worker_script resource"""
 
-    def populate(self) -> list[Union[Resource, Output]]:
+    def populate(self) -> list[Resource | Output]:
         values = ResourceValueResolver(self._spec).resolve()
 
         gh_repo = values["content_from_github"]["repo"]
@@ -150,6 +148,7 @@ class CloudflareWorkerScriptTerrascriptResource(TerrascriptResource):
             "name": name,
             "content": f"${{var.{identifier}_content}}",
             "plain_text_binding": values.pop("vars"),
+            "account_id": "${var.account_id}",
         }
         return [
             cloudflare_worker_script(identifier, **worker_script_values),
@@ -162,7 +161,7 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
 
     def _create_cloudflare_certificate_pack(
         self, zone: Resource, zone_certs: Iterable[MutableMapping[str, Any]]
-    ) -> list[Union[Resource, Output]]:
+    ) -> list[Resource | Output]:
         resources = []
         for cert_values in zone_certs:
             identifier = safe_resource_id(cert_values.pop("identifier"))
@@ -186,7 +185,40 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
 
         return resources
 
-    def populate(self) -> list[Union[Resource, Output]]:
+    def _create_cloudflare_custom_ssl_certificates(
+        self,
+        zone: Resource,
+        zone_custom_ssl: Iterable[MutableMapping[str, Any]],
+    ) -> list[Resource | Output]:
+        vault_settings = get_app_interface_vault_settings()
+        secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+
+        resources = []
+        for cert_values in zone_custom_ssl:
+            identifier = safe_resource_id(cert_values.pop("identifier"))
+            certificate_secret = cert_values.pop("certificate_secret")
+            certificate = secret_reader.read(certificate_secret.pop("certificate"))
+            key = secret_reader.read(certificate_secret.pop("key"))
+            bundle_method = cert_values.pop("bundle_method") or "ubiquitous"
+            custom_ssl_values: dict[Any, Any] = {
+                "zone_id": f"${{{zone.id}}}",
+                "depends_on": self._get_dependencies([zone]),
+                "custom_ssl_options": {
+                    "bundle_method": bundle_method,
+                    "type": cert_values.pop("type"),
+                    "certificate": certificate,
+                    "private_key": key,
+                },
+            }
+            if cert_values.get("geo_restrictions", None):
+                custom_ssl_values["custom_ssl_options"]["geo_restrictions"] = (
+                    cert_values.get("geo_resrtictions")
+                )
+            custom_ssl = cloudflare_custom_ssl(identifier, **custom_ssl_values)
+            resources.append(custom_ssl)
+        return resources
+
+    def populate(self) -> list[Resource | Output]:
         resources = []
 
         values = ResourceValueResolver(self._spec).resolve()
@@ -202,6 +234,7 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
         zone_records = values.pop("records", [])
         zone_workers = values.pop("workers", [])
         zone_certs = values.pop("certificates", [])
+        zone_custom_ssl = values.pop("custom_ssl_certificates", [])
 
         zone_values = {
             "account_id": "${var.account_id}",
@@ -268,11 +301,16 @@ class CloudflareZoneTerrascriptResource(TerrascriptResource):
 
         resources.extend(self._create_cloudflare_certificate_pack(zone, zone_certs))
 
+        if zone_custom_ssl:
+            resources.extend(
+                self._create_cloudflare_custom_ssl_certificates(zone, zone_custom_ssl)
+            )
+
         return resources
 
 
 class CloudflareAccountMemberTerrascriptResource(TerrascriptResource):
-    def populate(self) -> list[Union[Resource, Output]]:
+    def populate(self) -> list[Resource | Output]:
         resources = []
         values = ResourceValueResolver(self._spec).resolve()
         data_source_cloudflare_account_roles = values.pop("cloudflare_account_roles")
@@ -299,7 +337,7 @@ class CloudflareLogpushJob(TerrascriptResource):
         we are defining this as inner class.
         """
 
-    def populate(self) -> list[Union[Resource, Output, Data]]:
+    def populate(self) -> list[Resource | Output | Data]:
         resources = []
         values = ResourceValueResolver(self._spec).resolve()
         zone = values.pop("zone_name", None)
@@ -310,9 +348,11 @@ class CloudflareLogpushJob(TerrascriptResource):
 
         if zone:
             resources.append(
-                self.cloudflare_zone(zone, name=zone, account_id="${var.account_id}")
+                self.cloudflare_zone(
+                    safe_resource_id(zone), name=zone, account_id="${var.account_id}"
+                )
             )
-            values["zone_id"] = f"${{data.cloudflare_zone.{zone}.id}}"
+            values["zone_id"] = f"${{data.cloudflare_zone.{safe_resource_id(zone)}.id}}"
         else:
             values["account_id"] = "${var.account_id}"
 
@@ -330,19 +370,21 @@ class CloudflareLogpushOwnershipChallengeResource(TerrascriptResource):
         we are defining this as inner class.
         """
 
-    def populate(self) -> list[Union[Resource, Output, Data]]:
+    def populate(self) -> list[Resource | Output | Data]:
         resources = []
         values = ResourceValueResolver(self._spec).resolve()
         destination_conf = values.get("destination_conf")
         zone = values.get("zone_name")
         if zone:
             resources.append(
-                self.cloudflare_zone(zone, name=zone, account_id="${var.account_id}")
+                self.cloudflare_zone(
+                    safe_resource_id(zone), name=zone, account_id="${var.account_id}"
+                )
             )
             resources.append(
                 cloudflare_logpush_ownership_challenge(
                     self._spec.identifier,
-                    zone_id=f"${{data.cloudflare_zone.{zone}.id}}",
+                    zone_id=f"${{data.cloudflare_zone.{safe_resource_id(zone)}.id}}",
                     destination_conf=destination_conf,
                 )
             )
@@ -367,17 +409,24 @@ class CloudflareLogpullRetention(TerrascriptResource):
         we are defining this as inner class.
         """
 
-    def populate(self) -> list[Union[Resource, Output, Data]]:
+    def populate(self) -> list[Resource | Output | Data]:
         resources = []
         values = ResourceValueResolver(self._spec).resolve()
 
         zone = values.get("zone")
+
+        # this is to appease mypy
+        if not zone:
+            return []
+
         resources.append(
-            self.cloudflare_zone(zone, name=zone, account_id="${var.account_id}")
+            self.cloudflare_zone(
+                safe_resource_id(zone), name=zone, account_id="${var.account_id}"
+            )
         )
         cf_logpull_retention = cloudflare_logpull_retention(
             self._spec.identifier,
-            zone_id=f"${{data.cloudflare_zone.{zone}.id}}",
+            zone_id=f"${{data.cloudflare_zone.{safe_resource_id(zone)}.id}}",
             enabled=values.get("enabled_flag"),
         )
         resources.append(cf_logpull_retention)

reconcile/utils/terrascript/models.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from typing import Optional
 
 from reconcile.utils.secret_reader import HasSecret
 
@@ -22,6 +21,6 @@ class TerraformStateS3:
 class CloudflareAccount:
     name: str
     api_credentials: HasSecret
-    enforce_twofactor: Optional[bool]
-    type: Optional[str]
+    enforce_twofactor: bool | None
+    type: str | None
     provider_version: str

reconcile/utils/terrascript/resources.py

@@ -3,7 +3,6 @@ from abc import (
     abstractmethod,
 )
 from collections.abc import Iterable
-from typing import Union
 
 from terrascript import (
     Data,
@@ -40,5 +39,5 @@ class TerrascriptResource(ABC):
         ]
 
     @abstractmethod
-    def populate(self) -> list[Union[Resource, Output, Data]]:
+    def populate(self) -> list[Resource | Output | Data]:
         """Calling this method should return the Terrascript resources to be created."""