From 67cf1769224d6d0041a9b187e76b04d4123f5d3b Mon Sep 17 00:00:00 2001
From: Nikita Melkozerov
Date: Fri, 29 Nov 2024 13:16:48 +0100
Subject: [PATCH 1/5] Set can_access_account flag to false when updating creds
---
 fixbackend/cloud_accounts/azure_subscription_repo.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fixbackend/cloud_accounts/azure_subscription_repo.py b/fixbackend/cloud_accounts/azure_subscription_repo.py
index 9a2f4c8e..8ef3a564 100644
--- a/fixbackend/cloud_accounts/azure_subscription_repo.py
+++ b/fixbackend/cloud_accounts/azure_subscription_repo.py
@@ -83,6 +83,8 @@ async def upsert(
 existing.client_id = client_id
 existing.client_secret = client_secret
 existing.created_at = utc() # update to trigger list_created_after
+ existing.updated_at = utc()
+ existing.can_access_azure_account = False
 model = existing.to_model()
 await session.commit()
 return model
@@ -93,6 +95,7 @@ async def upsert(
 azure_tenant_id=azure_tenant_id,
 client_id=client_id,
 client_secret=client_secret,
+ can_access_azure_account=False,
 )
 session.add(entity)
 await session.commit()
From 13da374a4e3fea3d9a0024e85d5a7443d8d4021b Mon Sep 17 00:00:00 2001
From: Nikita Melkozerov
Date: Fri, 29 Nov 2024 12:18:18 +0000
Subject: [PATCH 2/5] test update
---
 tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py b/tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py
index ee27f1cc..aa5b7f7c 100644
--- a/tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py
+++ b/tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py
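Review bot: The first hunk still overwrites `existing.created_at = utc()` on every credential update (the context line directly above the added `updated_at`), so the row now carries two timestamps set to the same instant and its real creation time is lost; if `list_created_after` can be driven by `updated_at` instead, that line and its comment could be retired. Resetting `can_access_azure_account` to `False` when a new `client_secret` is stored is the right default, since nothing in `upsert` has verified the new credential yet, and the second hunk applies the same default to freshly created rows. Binding `now = utc()` once and assigning it to both timestamp fields would also keep `created_at` and `updated_at` from differing by a tick. `upsert` starts before the hunk.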
@@ -34,7 +34,7 @@ async def test_store_azure_subscription(
 client_secret = "foo_bar"
 azure_credentials = await azure_repo.upsert(workspace.id, azure_tenant_id, client_id, client_secret)
- assert azure_credentials.can_access_azure_account is None
+ assert azure_credentials.can_access_azure_account is False
 assert azure_credentials.tenant_id == workspace.id
 assert azure_credentials.azure_tenant_id == azure_tenant_id
 assert azure_credentials.client_id == client_id
From bb402b2d7149ba3e456b1a964a03d11fb6bb19eb Mon Sep 17 00:00:00 2001
From: Nikita Melkozerov
Date: Fri, 29 Nov 2024 13:46:58 +0100
Subject: [PATCH 3/5] move account from deleted to configured when creating
---
 fixbackend/cloud_accounts/service.py | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/fixbackend/cloud_accounts/service.py b/fixbackend/cloud_accounts/service.py
index 3983637b..b44789b8 100644
--- a/fixbackend/cloud_accounts/service.py
+++ b/fixbackend/cloud_accounts/service.py
@@ -903,8 +903,9 @@ async def create_azure_account(
 raise ResourceNotFound("Organization does not exist")
 if existing := await self.cloud_account_repository.get_by_account_id(workspace_id, account_id):
- log.info("Azure account already exists")
- return existing
+ if not isinstance(existing.state, CloudAccountStates.Deleted):
+ log.info("Azure account already exists")
+ return existing
 should_be_enabled = await self._should_be_enabled(workspace)
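Review bot: The changed assertion only covers the create path of `upsert`; the update path changed in the previous patch (an existing row receives a new `client_secret`, `updated_at` is refreshed and `can_access_azure_account` is forced back to `False`) has no test in this hunk. A second call such as `rotated = await azure_repo.upsert(workspace.id, azure_tenant_id, client_id, "new_secret")` followed by `assert rotated.can_access_azure_account is False` would pin the rotation behaviour, and is most meaningful if the flag had been set to `True` beforehand by whatever path does that in production (not visible here). `test_store_azure_subscription` starts before the hunk.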
@@ -935,8 +936,26 @@ async def create_azure_account(
 last_degraded_scan_started_at=None,
 )
- result = await self.cloud_account_repository.create(account)
- log.info(f"Azure cloud Account {account_id} created")
+ if existing:
+
+ def set_state(acc: CloudAccount) -> CloudAccount:
+ return evolve(
+ acc,
+ state=CloudAccountStates.Configured(
+ access=AzureCloudAccess(subscription_credentials_id),
+ enabled=should_be_enabled,
+ scan=should_be_enabled,
+ ),
+ state_updated_at=utc(),
+ created_at=created_at,
+ updated_at=created_at,
+ )
+
+ result = await self.cloud_account_repository.update(existing.id, set_state)
+ log.info(f"Azure cloud Account {account_id} updated from deleted to configured")
+ else:
+ result = await self.cloud_account_repository.create(account)
+ log.info(f"Azure cloud Account {account_id} created")
 await self.domain_events.publish(
 CloudAccountConfigured(
From dbf8f02f10684b1f6c432d566a67d7bf174dfb48 Mon Sep 17 00:00:00 2001
From: Nikita Melkozerov
Date: Fri, 29 Nov 2024 13:54:20 +0100
Subject: [PATCH 4/5] early return only on configured
---
 fixbackend/cloud_accounts/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fixbackend/cloud_accounts/service.py b/fixbackend/cloud_accounts/service.py
index b44789b8..0f4473fe 100644
--- a/fixbackend/cloud_accounts/service.py
+++ b/fixbackend/cloud_accounts/service.py
@@ -903,7 +903,7 @@ async def create_azure_account(
 raise ResourceNotFound("Organization does not exist")
 if existing := await self.cloud_account_repository.get_by_account_id(workspace_id, account_id):
- if not isinstance(existing.state, CloudAccountStates.Deleted):
+ if isinstance(existing.state, CloudAccountStates.Configured):
 log.info("Azure account already exists")
 return existing
From 3c7deffc7f75971ff7daec253967b06b57233e73 Mon Sep 17 00:00:00 2001
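Review bot: The `if existing:` branch passes `created_at=created_at` and `updated_at=created_at` to `evolve`, so a revived account loses the time it was first onboarded and the two columns carry the same value; leaving `created_at` untouched and refreshing only `updated_at` and `state_updated_at` keeps the audit trail intact. The branch also never refreshes `account_name`, whereas the GCP counterpart in the last patch of this series passes `account_name=account_name`, so a revived Azure account keeps whatever name it had when it was deleted; if an `account_name` is in scope here (the `account` construction above the hunk is outside view) the two paths should agree. The `account` object built just above the hunk is constructed on the update path too, where it is unused; building it inside the `else` branch would make the two paths easier to follow. `create_azure_account` starts before and ends after the hunk.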
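Review bot: Narrowing the early return to `CloudAccountStates.Configured` means any other existing state, not only `CloudAccountStates.Deleted`, now falls through to the `if existing:` update branch added earlier in this file and has its `state`, access object and timestamps replaced by the new request; the log line `"updated from deleted to configured"` in that branch then misreports what happened, and the GCP hunks in the next patch share the same behaviour. If reconfiguring a non-deleted account is the intent, the message should say so; if not, the branch should check `isinstance(existing.state, CloudAccountStates.Deleted)` explicitly and refuse the rest. Either way, `set_state` receives the freshly loaded `acc` from `update`, so re-checking `acc.state` inside the callback rather than relying on the earlier `get_by_account_id` read would close the window between the read and the write, assuming `update` applies the callback atomically (not visible here). `create_azure_account` starts before and ends after the hunk.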
From: Nikita Melkozerov
Date: Fri, 29 Nov 2024 14:00:53 +0100
Subject: [PATCH 5/5] fix the gcp idempotency logic
---
 fixbackend/cloud_accounts/service.py | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/fixbackend/cloud_accounts/service.py b/fixbackend/cloud_accounts/service.py
index 0f4473fe..685d5cb8 100644
--- a/fixbackend/cloud_accounts/service.py
+++ b/fixbackend/cloud_accounts/service.py
@@ -838,8 +838,9 @@ async def create_gcp_account(
 raise ResourceNotFound("Organization does not exist")
 if existing := await self.cloud_account_repository.get_by_account_id(workspace_id, account_id):
- log.info("GCP account already exists")
- return existing
+ if isinstance(existing.state, CloudAccountStates.Configured):
+ log.info("GCP account already exists")
+ return existing
 should_be_enabled = await self._should_be_enabled(workspace)
@@ -870,8 +871,25 @@ async def create_gcp_account(
 last_degraded_scan_started_at=None,
 )
- result = await self.cloud_account_repository.create(account)
- log.info(f"GCP cloud Account {account_id} created")
+ if existing:
+
+ def set_state(acc: CloudAccount) -> CloudAccount:
+ return evolve(
+ acc,
+ state=CloudAccountStates.Configured(
+ access=GcpCloudAccess(key_id), enabled=should_be_enabled, scan=should_be_enabled
+ ),
+ account_name=account_name,
+ state_updated_at=utc(),
+ created_at=created_at,
+ updated_at=created_at,
+ )
+
+ result = await self.cloud_account_repository.update(existing.id, set_state)
+ log.info(f"GCP cloud Account {account_id} updated from deleted to configured")
+ else:
+ result = await self.cloud_account_repository.create(account)
+ log.info(f"GCP cloud Account {account_id} created")
 await self.domain_events.publish(
 CloudAccountConfigured(
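Review bot: The revive branch in the second hunk is a near-verbatim copy of the Azure one from the third patch, differing only in the access object and the extra `account_name=account_name`; the Azure copy already lacks that field, which is the kind of drift a shared private helper avoids. A coroutine along the lines of `_reconfigure_existing_account(existing, access, account_name, should_be_enabled, created_at)` that builds the `evolve` call and invokes `cloud_account_repository.update`, called from both `create_gcp_account` and `create_azure_account`, would keep the two paths identical. As in the Azure branch, `created_at=created_at` discards the original onboarding time of the revived account. `create_gcp_account` starts before and ends after the hunk.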