diff --git a/src/spaceone/identity/manager/secret_manager.py b/src/spaceone/identity/manager/secret_manager.py
index 56f0844b..8d5a17ea 100644
--- a/src/spaceone/identity/manager/secret_manager.py
+++ b/src/spaceone/identity/manager/secret_manager.py
@@ -42,7 +42,7 @@ def create_trusted_secret(self, params: dict) -> dict:
         return self.secret_conn.dispatch("TrustedSecret.create", params)
 
     def update_trusted_secret_data(
-        self, trusted_secret_id: str, schema_id: str, data: dict
+        self, trusted_secret_id: str, schema_id: str, data: dict
     ) -> None:
         self.secret_conn.dispatch(
             "TrustedSecret.update_data",
@@ -68,15 +68,22 @@ def list_trusted_secrets(self, params: dict) -> dict:
 
     def create_secret(self, params: dict, domain_id: str = None) -> dict:
         if self.token_type == "SYSTEM_TOKEN":
-            return self.secret_conn.dispatch("Secret.create", params, x_domain_id=domain_id)
+            return self.secret_conn.dispatch(
+                "Secret.create", params, x_domain_id=domain_id
+            )
         else:
             return self.secret_conn.dispatch("Secret.create", params)
 
     def update_secret(self, params: dict) -> dict:
         return self.secret_conn.dispatch("Secret.update", params)
 
-    def delete_secret(self, secret_id: str) -> None:
-        self.secret_conn.dispatch("Secret.delete", {"secret_id": secret_id})
+    def delete_secret(self, secret_id: str, domain_id: str = None) -> None:
+        if self.token_type == "SYSTEM_TOKEN":
+            self.secret_conn.dispatch(
+                "Secret.delete", {"secret_id": secret_id}, x_domain_id=domain_id
+            )
+        else:
+            self.secret_conn.dispatch("Secret.delete", {"secret_id": secret_id})
 
     def update_secret_data(self, secret_id: str, schema_id: str, data: dict) -> None:
         self.secret_conn.dispatch(
diff --git a/src/spaceone/identity/service/job_service.py b/src/spaceone/identity/service/job_service.py
index 1fdc4a18..8941ece3 100644
--- a/src/spaceone/identity/service/job_service.py
+++ b/src/spaceone/identity/service/job_service.py
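Review bot: In the new `delete_secret`, a SYSTEM_TOKEN caller that omits `domain_id` still dispatches `Secret.delete` with `x_domain_id=None`, so the domain header that scopes a system-token delete to one tenant is silently dropped instead of rejected. Fail fast before the dispatch: `if domain_id is None: raise ValueError("domain_id is required for SYSTEM_TOKEN")` (or the project's own required-parameter error, if one exists). The annotation should also state that the default is allowed, `domain_id: Optional[str] = None`, rather than `str = None`; the existing `create_secret` signature has the same issue and the same missing guard. The first hunk of this file (`update_trusted_secret_data`) is whitespace-only.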
@@ -229,8 +229,6 @@ def sync_service_accounts(self, params: dict) -> None:
             self.job_mgr.change_canceled_status(job_vo)
         else:
             self.job_mgr.change_in_progress_status(job_vo)
-        synced_projects = []
-        synced_service_accounts = []
 
         try:
             # Merge plugin options and trusted_account plugin options
@@ -287,8 +285,7 @@ def sync_service_accounts(self, params: dict) -> None:
                         project_group_id=parent_group_id,
                         sync_options=sync_options,
                     )
-                    synced_projects.append(project_vo)
-                    service_account_vo = self._create_service_account(
+                    self._create_service_account(
                         result,
                         project_vo,
                         trusted_account_id,
@@ -296,7 +293,6 @@ def sync_service_accounts(self, params: dict) -> None:
                         provider,
                         sync_options,
                     )
-                    synced_service_accounts.append(service_account_vo)
 
                     if self._is_job_failed(job_id, domain_id, job_vo.workspace_id):
                         self.job_mgr.change_canceled_status(job_vo)
@@ -313,7 +309,7 @@ def sync_service_accounts(self, params: dict) -> None:
                 self.job_mgr.change_success_status(job_vo)
 
             # todo : not yet implemented
-            self._delete_not_synced_resources()
+            self._delete_not_synced_resources(domain_id, provider)
 
         except Exception as e:
             self.job_mgr.change_error_status(job_vo, e)
@@ -607,16 +603,19 @@ def _create_service_account(
         service_account_vos = self.service_account_mgr.filter_service_accounts(**params)
 
         _LOGGER.debug(
-            f"[_create_service_account] service_account_vos: {service_account_vos}"
+            f"[_create_service_account] service_account_vos: {name} {params} count: {len(service_account_vos)}"
         )
 
         if service_account_vos:
             service_account_vo = service_account_vos[0]
+            update_params = {}
             if service_account_vo.name != result["name"]:
+                update_params.update({"name": name, "last_syned_at": datetime.utcnow()})
+
+            if update_params:
                 service_account_vo = (
                     self.service_account_mgr.update_service_account_by_vo(
-                        {"name": name, "last_syned_at": datetime.utcnow()},
-                        service_account_vo,
+                        update_params, service_account_vo
                     )
                 )
         else:
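Review bot: The `# todo : not yet implemented` comment directly above `self._delete_not_synced_resources(domain_id, provider)` is stale now that this commit implements the method; replace it with what the call does, e.g. `# Remove managed service accounts of this provider that were not seen in this or a recent sync`. The cleanup also runs inside the same `try` right after `change_success_status`, so a failure inside the cleanup flips a job that already succeeded to error status; consider catching and logging that failure on its own. Since `sync_service_accounts` continues outside the hunk, confirm the call sits under the same branch that marks the job successful and never runs on the cancelled path, where a partial sync would make every unreached account look stale.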
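Review bot: The moved update still writes the misspelled key `"last_syned_at"` while the new `_delete_not_synced_resources` filters on `last_synced_at`, and the update only fires when the name changed (`update_params` stays empty otherwise), so an unchanged managed service account never gets its sync timestamp refreshed. Combined with the new two-day cleanup, accounts that are still present at the provider would be deleted, secrets included, two days after they were first created — unless the model really declares both spellings, which seems unlikely. Always refresh the timestamp and fix the key: `update_params = {"last_synced_at": datetime.utcnow()}` before the name check, then `if service_account_vo.name != result["name"]: update_params["name"] = name`. The new debug line also prints the whole `params` dict; if it can carry anything beyond identifiers, log the identifiers only.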
@@ -634,6 +633,10 @@ def _create_service_account(
             service_account_vo = self.service_account_mgr.create_service_account(params)
 
         if secret_data:
+            secret_mgr: SecretManager = self.locator.get_manager("SecretManager")
+            if service_account_vo.secret_id:
+                secret_mgr.delete_secret(service_account_vo.secret_id, domain_id)
+
             # Check secret_data by schema
             schema_mgr = SchemaManager()
             schema_mgr.validate_secret_data_by_schema_id(
@@ -643,7 +646,6 @@ def _create_service_account(
                 "TRUSTING_SECRET",
             )
 
-            secret_mgr: SecretManager = self.locator.get_manager("SecretManager")
             create_secret_params = {
                 "name": f"{service_account_vo.service_account_id}-secret",
                 "data": secret_data,
@@ -661,8 +663,24 @@ def _create_service_account(
         )
         return service_account_vo
 
-    def _delete_not_synced_resources(self) -> None:
-        delete_date = datetime.utcnow() - timedelta(days=2)
+    def _delete_not_synced_resources(self, domain_id: str, provider: str) -> None:
+        delete_last_synced_time = datetime.utcnow() - timedelta(days=2)
+        query = {
+            "filter": [
+                {"k": "last_synced_at", "v": delete_last_synced_time, "o": "lt"},
+                {"k": "is_managed", "v": True, "o": "eq"},
+                {"k": "domain_id", "v": domain_id, "o": "eq"},
+                {"k": "provider", "v": provider, "o": "eq"},
+            ]
+        }
+        secret_mgr: SecretManager = self.locator.get_manager("SecretManager")
+
+        # Delete service accounts
+        service_account_vos, _ = self.service_account_mgr.list_service_accounts(query)
+        for service_account_vo in service_account_vos:
+            if service_account_vo.secret_id:
+                secret_mgr.delete_secret(service_account_vo.secret_id, domain_id)
+            self.service_account_mgr.delete_service_account_by_vo(service_account_vo)
 
     @staticmethod
     def _get_location(result: dict, resource_group: str, sync_options: dict) -> list:
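Review bot: The added block deletes the existing secret before `validate_secret_data_by_schema_id` runs and before the replacement is created, so a schema failure or a failed create leaves the service account with a dangling `secret_id` and no secret at all. Capture the old id first, `old_secret_id = service_account_vo.secret_id`, keep the `secret_mgr` lookup where it was, validate and create the new secret, and only then `if old_secret_id: secret_mgr.delete_secret(old_secret_id, domain_id)`. The function continues past this hunk; the write of the new `secret_id` onto the service account presumably happens there — confirm it does, since otherwise the old id keeps pointing at a deleted secret.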
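Review bot: `_delete_not_synced_resources` is a destructive cleanup that leaves no record of what it removed; log each deletion before it happens, e.g. `_LOGGER.info("[_delete_not_synced_resources] delete service_account_id: %s secret_id: %s", service_account_vo.service_account_id, service_account_vo.secret_id)`, so an over-eager purge can be traced and reconciled. The filter is keyed only on `domain_id` and `provider`, so if several trusted accounts of the same provider sync into one domain, a job for one of them would also delete managed accounts belonging to another whose sync has not run for two days; if the model stores the originating `trusted_account_id`, add it to the filter and pass it through from `sync_service_accounts`. The two-day window is a magic number — hoist it to a module constant. The comparison uses a naive `datetime.utcnow()`; confirm stored `last_synced_at` values are naive UTC as well, or the `lt` filter will be off by the local offset.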