edit wizard, skip aws as default for other plugins

- move aws config init to aws plugin configuration
- create/update secrets locally without aws
- new method set_required_secure_text_values()
- upsert_secret method allow refactor operations
- exclude iambic_managed when it is undefined for okta, azure and google ws
- refactor:
    configuration_wizard_google_workspace_add,
    configuration_wizard_azure_ad_organization_add,
    configuration_wizard_okta_organization_add
    run()
- fix: not update okta user status when it is deleted (or it is going to be deleted)

iambic/plugins/v0_1_0/aws/cloud_formation/templates/IambicSpokeRole.yml

@@ -30,6 +30,13 @@ Resources:
           PolicyDocument:
             Version: '2012-10-17'
             Statement:
+              - Effect: Allow
+                Action:
+                  - sqs:DeleteMessage
+                  - sqs:ReceiveMessage
+                  - sqs:GetQueueAttributes
+                Resource:
+                  - 'arn:aws:sqs:us-east-1:*:IAMbicChangeDetectionQueue'
               - Effect: Allow
                 Action:
                   - ec2:Describe*

iambic/plugins/v0_1_0/azure_ad/models.py

@@ -17,7 +17,7 @@
 if TYPE_CHECKING:
     from iambic.plugins.v0_1_0.azure_ad.iambic_plugin import AzureADConfig
 
-    MappingIntStrAny = typing.Mapping[int | str, any]
+    MappingIntStrAny = typing.Mapping[int | str, Any]
     AbstractSetIntStr = typing.AbstractSet[int | str]
 
 
@@ -140,6 +140,8 @@ def dict(
             exclude = required_exclude
         elif isinstance(exclude, set):
             exclude.update(required_exclude)
+        # elif isinstance(exclude, dict):
+        #     exclude.update({i: ... for i in required_exclude})
 
         return super().dict(
             include=include,

iambic/plugins/v0_1_0/google_workspace/iambic_plugin.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
 
 import os
-from typing import Optional
+import typing
+from typing import TYPE_CHECKING, Any, Optional, Union
 
 import googleapiclient.discovery
 from google.oauth2 import service_account
@@ -20,6 +21,10 @@
     load,
 )
 
+if TYPE_CHECKING:
+    MappingIntStrAny = typing.Mapping[int | str, Any]
+    AbstractSetIntStr = typing.AbstractSet[int | str]
+
 
 class GoogleSubject(BaseModel):
     domain: str

iambic/plugins/v0_1_0/okta/iambic_plugin.py

@@ -2,6 +2,7 @@
 
 from typing import Any, Optional
 
+from okta.client import Client as OktaClient
 from pydantic import BaseModel, Extra, Field, SecretStr, validator
 
 from iambic.core.iambic_enum import IambicManaged
@@ -11,7 +12,6 @@
 from iambic.plugins.v0_1_0.okta.group.models import OktaGroupTemplate
 from iambic.plugins.v0_1_0.okta.handlers import import_okta_resources, load
 from iambic.plugins.v0_1_0.okta.user.models import OktaUserTemplate
-from okta.client import Client as OktaClient
 
 
 class OktaOrganization(BaseModel):
@@ -21,7 +21,7 @@ class OktaOrganization(BaseModel):
     request_timeout: int = 60
     client: Any = None  # OktaClient
     iambic_managed: Optional[IambicManaged] = Field(
-        IambicManaged.IMPORT_ONLY,
+        IambicManaged.UNDEFINED,
         description="Controls the directionality of iambic changes",
     )
 

iambic/plugins/v0_1_0/okta/user/models.py

@@ -240,14 +240,18 @@ async def _apply_to_account(
             )
             return change_details
 
-        tasks.extend(
-            [
+        if current_user and not self.deleted:
+            tasks.append(
                 update_user_status(
                     current_user,
                     self.properties.status.value,
                     okta_organization,
                     log_params,
                 ),
+            )
+
+        tasks.extend(
+            [
                 update_user_profile(
                     self,
                     current_user,

iambic/plugins/v0_1_0/okta/user/utils.py

@@ -254,6 +254,9 @@ async def update_user_status(
     current_status: str = user.status.value
     if current_status == new_status:
         return response
+    if user.deleted:
+        return response
+
     response.append(
         ProposedChange(
             change_type=ProposedChangeType.UPDATE,

test/plugins/v0_1_0/azure_ad/test_models.py

@@ -0,0 +1,25 @@
+from pydantic import SecretStr
+import pytest
+
+from iambic.core.iambic_enum import IambicManaged
+from iambic.plugins.v0_1_0.azure_ad.models import AzureADOrganization
+
+
+@pytest.mark.parametrize("exclude", [None, {"other"}])
+def test_organization_to_dict(exclude):
+    organization = AzureADOrganization(
+        idp_name="idp_name",
+        tenant_id="tenant_id",
+        client_id="client_id",
+        client_secret=SecretStr("client_secret"),
+    )  # type: ignore
+
+    assert organization.dict(exclude=exclude) == dict(
+        idp_name="idp_name",
+        tenant_id="tenant_id",
+        client_id="client_id",
+        client_secret=SecretStr("client_secret"),
+        request_timeout=60,
+        iambic_managed=IambicManaged.UNDEFINED,
+        require_user_mfa_on_create=False,
+    )  # type: ignore

test/plugins/v0_1_0/okta/user/test_utils.py

@@ -216,6 +216,44 @@ async def test_update_user_status(
             "proposed_status": transition[1].value,
         }
 
+    @pytest.mark.asyncio
+    async def test_update_user_status_when_deleted(
+        self,
+        mock_okta_organization: OktaOrganization,  # noqa: F811 # intentional for mocks
+        mock_ctx,
+    ):
+
+        username = "example_username"
+        idp_name = "example.org"
+        user_properties = UserProperties(
+            username=username,
+            profile={"login": username},
+            status=UserStatus.deprovisioned.value,
+        )  # type: ignore
+
+        template = OktaUserTemplate(
+            file_path="example",
+            idp_name=idp_name,
+            properties=user_properties,
+            deleted=True,
+        )  # type: ignore
+
+        okta_user = await create_user(
+            template,
+            mock_okta_organization,
+        )
+        okta_user.deleted = True
+
+        mock_ctx(eval_only=True)
+        proposed_changes = await update_user_status(
+            okta_user,
+            UserStatus.provisioned.value,
+            mock_okta_organization,
+            {},
+        )
+
+        assert proposed_changes == []
+
 
 @pytest.mark.asyncio
 async def test_maybe_deprovision_user(