From 5b6fc3fbf94aa0172f01c34d03572ebbdf60ea85 Mon Sep 17 00:00:00 2001
From: hunterkepley
Date: Wed, 4 Dec 2024 11:49:10 -0500
Subject: [PATCH] OCM-12871 | feat: Add manual mode for deleting hcp sharedvpc policies [oproles]
---
 cmd/dlt/accountroles/cmd.go | 41 +++++++++++++++++--------------
 cmd/dlt/operatorrole/cmd.go | 49 +++++++++++++++++++++++++++++++++++--
 2 files changed, 70 insertions(+), 20 deletions(-)
diff --git a/cmd/dlt/accountroles/cmd.go b/cmd/dlt/accountroles/cmd.go
index 369a8019c..6ae717a0d 100644
--- a/cmd/dlt/accountroles/cmd.go
+++ b/cmd/dlt/accountroles/cmd.go
@@ -240,7 +240,7 @@ func deleteAccountRoles(r *rosa.Runtime, env string, prefix string, clusters []*
 policies, err := r.AWSClient.GetPolicyDetailsFromRole(awssdk.String(role))
 policiesOutput = append(policiesOutput, policies...)
 if err != nil {
- r.Reporter.Infof("There was an error getting details of policies attached to role '%s': %v",
+ r.Reporter.Warnf("There was an error getting details of policies attached to role '%s': %v",
 role, err)
 }
 }
@@ -320,6 +320,8 @@ func buildCommand(roleNames []string, policyMap map[string][]aws.PolicyDetail,
 arbitraryPolicyMap map[string][]aws.PolicyDetail, managedPolicies bool,
 hcpSharedVpcPoliciesOutput []*iam.GetPolicyOutput) string {
 commands := []string{}
+ hcpSharedVpcPolicyCommands := make(map[string]string) // Ensures no duplicate delete policy cmds for hcp sharedvpc
+
 for _, roleName := range roleNames {
 policyDetails := policyMap[roleName]
 excludedPolicyDetails := arbitraryPolicyMap[roleName]
@@ -365,26 +367,29 @@ func buildCommand(roleNames []string, policyMap map[string][]aws.PolicyDetail,
 Build()
 commands = append(commands, deleteRole)
- if len(hcpSharedVpcPoliciesOutput) > 0 { // Delete HCP shared VPC policies
- for _, hcpSharedVpcPolicy := range hcpSharedVpcPoliciesOutput {
- hasRhManagedTag := false
- hasHcpSharedVpcTag := false
- for _, tag := range hcpSharedVpcPolicy.Policy.Tags {
- if *tag.Key == tags.RedHatManaged {
- hasRhManagedTag = true
- } else if *tag.Key == tags.HcpSharedVpc {
- hasHcpSharedVpcTag = true
- }
- }
- if hasHcpSharedVpcTag && hasRhManagedTag {
- deletePolicy := awscb.NewIAMCommandBuilder().
- SetCommand(awscb.DeletePolicy).
- AddParam(awscb.PolicyName, *hcpSharedVpcPolicy.Policy.PolicyName).
- Build()
- commands = append(commands, deletePolicy)
+ // Delete HCP shared VPC policies
+ for _, hcpSharedVpcPolicy := range hcpSharedVpcPoliciesOutput {
+ hasRhManagedTag := false
+ hasHcpSharedVpcTag := false
+ for _, tag := range hcpSharedVpcPolicy.Policy.Tags {
+ if *tag.Key == tags.RedHatManaged {
+ hasRhManagedTag = true
+ } else if *tag.Key == tags.HcpSharedVpc {
+ hasHcpSharedVpcTag = true
 }
 }
+ if hasHcpSharedVpcTag && hasRhManagedTag {
+ deletePolicy := awscb.NewIAMCommandBuilder().
+ SetCommand(awscb.DeletePolicy).
+ AddParam(awscb.PolicyArn, *hcpSharedVpcPolicy.Policy.Arn).
+ Build()
+ hcpSharedVpcPolicyCommands[*hcpSharedVpcPolicy.Policy.PolicyName] = deletePolicy
+ }
 }
 }
+
+ for _, command := range hcpSharedVpcPolicyCommands {
+ commands = append(commands, command)
+ }
 return awscb.JoinCommands(commands)
 }
diff --git a/cmd/dlt/operatorrole/cmd.go b/cmd/dlt/operatorrole/cmd.go
index 004c1a824..7eca1af96 100644
--- a/cmd/dlt/operatorrole/cmd.go
+++ b/cmd/dlt/operatorrole/cmd.go
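Review bot: `for _, command := range hcpSharedVpcPolicyCommands` emits the delete-policy commands in Go's randomized map iteration order, so the script shown to the user differs from run to run, and the map is keyed by `*hcpSharedVpcPolicy.Policy.PolicyName` while the command itself uses the ARN, so two distinct ARNs that happened to share a name would collapse into a single deletion. The whole tag-scan block also sits inside `for _, roleName := range roleNames`, so every policy is re-scanned once per role and the map is partly a workaround for that repetition. I would key the map by ARN, hoist the block out of the role loop, guard the pointer fields the SDK leaves nullable before dereferencing them, and append the commands in sorted-key order (`sort` would need importing); the same applies to the operatorrole buildCommand hunk. The map declaration at the top of buildCommand in the earlier hunk can then move down next to this loop.
```go
	// … unchanged: per-role delete commands …
	}

	// Delete HCP shared VPC policies once each, keyed by the ARN the command uses
	hcpSharedVpcPolicyCommands := make(map[string]string)
	for _, hcpSharedVpcPolicy := range hcpSharedVpcPoliciesOutput {
		if hcpSharedVpcPolicy == nil || hcpSharedVpcPolicy.Policy == nil ||
			hcpSharedVpcPolicy.Policy.Arn == nil {
			continue
		}
		hasRhManagedTag := false
		hasHcpSharedVpcTag := false
		for _, tag := range hcpSharedVpcPolicy.Policy.Tags {
			if tag.Key == nil {
				continue
			}
			// … unchanged: tag key comparison …
		}
		if hasHcpSharedVpcTag && hasRhManagedTag {
			arn := *hcpSharedVpcPolicy.Policy.Arn
			hcpSharedVpcPolicyCommands[arn] = awscb.NewIAMCommandBuilder().
				SetCommand(awscb.DeletePolicy).
				AddParam(awscb.PolicyArn, arn).
				Build()
		}
	}

	// Emit in a stable order so the printed script is reproducible
	arns := make([]string, 0, len(hcpSharedVpcPolicyCommands))
	for arn := range hcpSharedVpcPolicyCommands {
		arns = append(arns, arn)
	}
	sort.Strings(arns)
	for _, arn := range arns {
		commands = append(commands, hcpSharedVpcPolicyCommands[arn])
	}
	return awscb.JoinCommands(commands)
```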
@@ -22,12 +22,15 @@ import (
 "strings"
 "time"
+ awssdk "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/service/iam"
 "github.com/briandowns/spinner"
 "github.com/spf13/cobra"
 errors "github.com/zgalor/weberr"
 "github.com/openshift/rosa/pkg/aws"
 awscb "github.com/openshift/rosa/pkg/aws/commandbuilder"
+ "github.com/openshift/rosa/pkg/aws/tags"
 "github.com/openshift/rosa/pkg/interactive"
 "github.com/openshift/rosa/pkg/interactive/confirm"
 "github.com/openshift/rosa/pkg/ocm"
@@ -270,7 +273,22 @@ func run(cmd *cobra.Command, _ []string) {
 r.Reporter.Errorf("There was an error getting the policy: %v", err)
 os.Exit(1)
 }
- commands := buildCommand(r, foundOperatorRoles, policyMap, arbitraryPolicyMap, managedPolicies)
+
+ // Get HCP shared vpc policy details if the user is deleting roles related to HCP shared vpc
+ policiesOutput := make([]*iam.GetPolicyOutput, 0)
+ if roles.CheckIfRolesAreHcpSharedVpc(r, foundOperatorRoles) &&
+ confirm.Prompt(true, "Create commands to delete Hosted CP shared VPC policies?") {
+ for _, role := range foundOperatorRoles {
+ policies, err := r.AWSClient.GetPolicyDetailsFromRole(awssdk.String(role))
+ policiesOutput = append(policiesOutput, policies...)
+ if err != nil {
+ r.Reporter.Warnf("There was an error getting details of policies attached to role '%s': %v",
+ role, err)
+ }
+ }
+ }
+
+ commands := buildCommand(r, foundOperatorRoles, policyMap, arbitraryPolicyMap, managedPolicies, policiesOutput)
 if r.Reporter.IsTerminal() {
 r.Reporter.Infof("Run the following commands to delete the Operator roles and policies:\n")
 }
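Review bot: `policiesOutput = append(policiesOutput, policies...)` runs before the `err != nil` check, and a lookup failure only produces a Warnf before the loop moves on, so the generated script silently omits the shared VPC policies of any role whose details could not be read and those policies stay behind in the account once the roles are gone. The `GetPolicy` failure a few lines up exits with `os.Exit(1)`; this path should be at least as strict, or the warning should state that the command list is incomplete. I would check the error first and merge only on success: `if err != nil { r.Reporter.Warnf(...); continue }` followed by `policiesOutput = append(policiesOutput, policies...)`. The same append-before-check order appears in the accountroles context lines of the first hunk, though there it is pre-existing. run's body continues outside the hunk.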
@@ -282,8 +300,11 @@ func run(cmd *cobra.Command, _ []string) {
 }
 func buildCommand(r *rosa.Runtime, roleNames []string, policyMap map[string][]string,
- arbitraryPolicyMap map[string][]string, managedPolicies bool) string {
+ arbitraryPolicyMap map[string][]string, managedPolicies bool,
+ hcpSharedVpcPoliciesOutput []*iam.GetPolicyOutput) string {
 commands := []string{}
+ hcpSharedVpcPolicyCommands := make(map[string]string) // Ensures no duplicate delete policy cmds for hcp sharedvpc
+
 for _, roleName := range roleNames {
 policyARN := policyMap[roleName]
 arbitraryPolicyARN := arbitraryPolicyMap[roleName]
@@ -341,6 +362,30 @@ func buildCommand(r *rosa.Runtime, roleNames []string, policyMap map[string][]st
 AddParam(awscb.RoleName, roleName).
 Build()
 commands = append(commands, deleteRole)
+
+ // Delete HCP shared VPC policies
+ for _, hcpSharedVpcPolicy := range hcpSharedVpcPoliciesOutput {
+ hasRhManagedTag := false
+ hasHcpSharedVpcTag := false
+ for _, tag := range hcpSharedVpcPolicy.Policy.Tags {
+ if *tag.Key == tags.RedHatManaged {
+ hasRhManagedTag = true
+ } else if *tag.Key == tags.HcpSharedVpc {
+ hasHcpSharedVpcTag = true
+ }
+ }
+ if hasHcpSharedVpcTag && hasRhManagedTag {
+ deletePolicy := awscb.NewIAMCommandBuilder().
+ SetCommand(awscb.DeletePolicy).
+ AddParam(awscb.PolicyArn, *hcpSharedVpcPolicy.Policy.Arn).
+ Build()
+ hcpSharedVpcPolicyCommands[*hcpSharedVpcPolicy.Policy.PolicyName] = deletePolicy
+ }
+ }
+ }
+
+ for _, command := range hcpSharedVpcPolicyCommands {
+ commands = append(commands, command)
 }
 return strings.Join(commands, "\n")
 }
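Review bot: buildCommand gains `hcpSharedVpcPoliciesOutput` but still has no doc comment, and the parameter's contract is not obvious from the signature: the caller in run fills it by appending the policies of every role, so the same policy can appear several times, and only entries tagged as both Red Hat managed and HCP shared VPC yield a delete-policy command, emitted once each after all role commands. I would add above the signature `// buildCommand renders the aws CLI commands that delete the given operator roles and their policies. hcpSharedVpcPoliciesOutput may list the same policy once per role it is attached to; matching HCP shared VPC policies produce a single delete-policy command each, appended after the role commands.` The body of buildCommand continues in the following hunk.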