From 68b4066561af6abf3b3764484c107837ba28fdd1 Mon Sep 17 00:00:00 2001 From: aaraj Date: Tue, 25 Jun 2024 08:41:01 +0530 Subject: [PATCH] OCM-9152 | test: automate id:74556,74408,74433 create/edit cluster with additional allowed principals --- go.mod | 2 +- go.sum | 4 +- tests/ci/data/profiles/rosa-hcp.yaml | 5 ++ tests/e2e/hcp_cluster_test.go | 78 +++++++++++++++++++ tests/e2e/test_rosacli_cluster.go | 33 ++++++++ tests/e2e/test_rosacli_cluster_post.go | 23 ++++++ tests/utils/config/cluster.go | 1 + tests/utils/exec/rosacli/cluster_service.go | 1 + tests/utils/profilehandler/data_cleaner.go | 12 +++ .../utils/profilehandler/data_preparation.go | 27 +++++++ tests/utils/profilehandler/interface.go | 24 +++--- tests/utils/profilehandler/profile_handler.go | 46 +++++++++-- .../ocm-common/pkg/aws/aws_client/role.go | 19 +++++ vendor/modules.txt | 2 +- 14 files changed, 254 insertions(+), 23 deletions(-) diff --git a/go.mod b/go.mod index 43e4108271..d0377591e4 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( github.com/nathan-fiscaletti/consolesize-go v0.0.0-20210105204122-a87d9f614b9d github.com/onsi/ginkgo/v2 v2.17.1 github.com/onsi/gomega v1.30.0 - github.com/openshift-online/ocm-common v0.0.6 + github.com/openshift-online/ocm-common v0.0.7 github.com/openshift-online/ocm-sdk-go v0.1.428 github.com/pkg/errors v0.9.1 github.com/robfig/cron/v3 v3.0.1 diff --git a/go.sum b/go.sum index 535a53bba3..47febc3f6e 100644 --- a/go.sum +++ b/go.sum 
@@ -275,8 +275,8 @@ github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8 github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= -github.com/openshift-online/ocm-common v0.0.6 h1:Il9vZ58fHdPu79K8a04rrq0DFhpjWGNQZjNHID5DyMI= -github.com/openshift-online/ocm-common v0.0.6/go.mod h1:gsBWQYLZB0w0ZRR+NLASuTr29uFo5nekEODasFKxESc= +github.com/openshift-online/ocm-common v0.0.7 h1:2/3G7W4gIyAZ1RyqbC+IUOHlf52Rd1Sf+MqmbQ2FYGk= +github.com/openshift-online/ocm-common v0.0.7/go.mod h1:gsBWQYLZB0w0ZRR+NLASuTr29uFo5nekEODasFKxESc= github.com/openshift-online/ocm-sdk-go v0.1.428 h1:HIgQ9FkkgNEMyLsP75JU17nZjYV1Q9M9FrpO/Df2SSg= github.com/openshift-online/ocm-sdk-go v0.1.428/go.mod h1:CiAu2jwl3ITKOxkeV0Qnhzv4gs35AmpIzVABQLtcI2Y= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= diff --git a/tests/ci/data/profiles/rosa-hcp.yaml b/tests/ci/data/profiles/rosa-hcp.yaml index b60a6602c2..080390ee96 100644 --- a/tests/ci/data/profiles/rosa-hcp.yaml +++ b/tests/ci/data/profiles/rosa-hcp.yaml @@ -10,6 +10,7 @@ profiles: sts: true byo_vpc: true private_link: false + additional_principals: false private: false etcd_encryption: true autoscale: true @@ -41,6 +42,7 @@ profiles: sts: true byo_vpc: true private: true + additional_principals: true etcd_encryption: false autoscale: false kms_key: false @@ -64,6 +66,7 @@ profiles: sts: true byo_vpc: true private: false + additional_principals: false etcd_encryption: true autoscale: false kms_key: true @@ -97,6 +100,7 @@ profiles: sts: true byo_vpc: true private_link: false + additional_principals: false private: false etcd_encryption: true autoscale: false 
@@ -126,6 +130,7 @@ profiles: byo_vpc: true private_link: false private: false + additional_principals: false etcd_encryption: true autoscale: false kms_key: true diff --git a/tests/e2e/hcp_cluster_test.go b/tests/e2e/hcp_cluster_test.go index 87e8cfed7c..8de9a57693 100644 --- a/tests/e2e/hcp_cluster_test.go +++ b/tests/e2e/hcp_cluster_test.go @@ -1,12 +1,16 @@ package e2e import ( + "fmt" + . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + ciConfig "github.com/openshift/rosa/tests/ci/config" "github.com/openshift/rosa/tests/ci/labels" "github.com/openshift/rosa/tests/utils/config" "github.com/openshift/rosa/tests/utils/exec/rosacli" + "github.com/openshift/rosa/tests/utils/profilehandler" ) var _ = Describe("HCP cluster testing", @@ -19,6 +23,7 @@ var _ = Describe("HCP cluster testing", rosaClient *rosacli.Client clusterService rosacli.ClusterService clusterConfig *config.ClusterConfig + profile *profilehandler.Profile ) BeforeEach(func() { @@ -29,6 +34,7 @@ var _ = Describe("HCP cluster testing", By("Init the client") rosaClient = rosacli.NewClient() clusterService = rosaClient.Cluster + profile = profilehandler.LoadProfileYamlFileByENV() var err error clusterConfig, err = config.ParseClusterProfile() Expect(err).ToNot(HaveOccurred()) 
@@ -182,4 +188,76 @@ var _ = Describe("HCP cluster testing", Should(ContainSubstring( "ERR: Listing identity providers is not supported for clusters with external authentication configured")) }) + + It("can edit ROSA HCP cluster with additional allowed principals - [id:74556]", + labels.High, labels.Runtime.Day2, + func() { + By("Check the help message of 'rosa edit cluster -h'") + helpOutput, err := clusterService.EditCluster("", "-h") + Expect(err).To(BeNil()) + Expect(helpOutput.String()).To(ContainSubstring("--additional-allowed-principals")) + + By("Check if cluster profile is enabled with additional allowed principals") + if !profile.ClusterConfig.AdditionalPrincipals { + SkipTestOnFeature("additional allowed principals") + } + + output, err := clusterService.DescribeClusterAndReflect(clusterID) + Expect(err).ToNot(HaveOccurred()) + Expect(output.AdditionalPrincipals).To(ContainSubstring(clusterConfig.AdditionalPrincipals)) + + By("Get the installer role arn") + rosaClient.Runner.JsonFormat() + jsonOutput, err := clusterService.DescribeCluster(clusterID) + Expect(err).To(BeNil()) + rosaClient.Runner.UnsetFormat() + jsonData := rosaClient.Parser.JsonData.Input(jsonOutput).Parse() + installRoleArn := jsonData.DigString("aws", "sts", "role_arn") + + By("Get additional principal credentials") + awsSharedCredentialFile := ciConfig.Test.GlobalENV.SVPC_CREDENTIALS_FILE + + By("Create additional account roles") + accrolePrefix := "arPrefix74556" + + additionalPrincipalRoleName := fmt.Sprintf("%s-%s", accrolePrefix, "additional-principal-role") + additionalPrincipalRoleArn, err := profilehandler.PrepareAdditionalPrincipalsRole( + additionalPrincipalRoleName, + installRoleArn, + profile.Region, awsSharedCredentialFile) + Expect(err).To(BeNil()) + defer func() { + By("Delete the additional principal account-roles") + err = profilehandler.DeleteAdditionalPrincipalsRole(additionalPrincipalRoleName, + true, profile.Region, awsSharedCredentialFile) + Expect(err).To(BeNil()) 
+ }() + + additionalPrincipalsFlag := fmt.Sprintf( + "%s,%s", clusterConfig.AdditionalPrincipals, additionalPrincipalRoleArn) + + By("Edit the cluster with additional allowed principals") + out, err := clusterService.EditCluster(clusterID, + "--additional-allowed-principals", + additionalPrincipalsFlag) + Expect(err).ToNot(HaveOccurred()) + textData := rosaClient.Parser.TextData.Input(out).Parse().Tip() + Expect(textData).To(ContainSubstring("Updated cluster '%s'", clusterID)) + + By("Confirm additional principals is edited successfully") + output, err = clusterService.DescribeClusterAndReflect(clusterID) + Expect(err).To(BeNil()) + Expect(output.AdditionalPrincipals). + To( + ContainSubstring( + "%s,%s", clusterConfig.AdditionalPrincipals, additionalPrincipalRoleArn)) + + By("Edit the cluster with additional allowed principals") + out, err = clusterService.EditCluster(clusterID, + "--additional-allowed-principals", + clusterConfig.AdditionalPrincipals) + Expect(err).ToNot(HaveOccurred()) + textData = rosaClient.Parser.TextData.Input(out).Parse().Tip() + Expect(textData).To(ContainSubstring("Updated cluster '%s'", clusterID)) + }) }) diff --git a/tests/e2e/test_rosacli_cluster.go b/tests/e2e/test_rosacli_cluster.go index 88045b3be4..7410c2800d 100644 --- a/tests/e2e/test_rosacli_cluster.go +++ b/tests/e2e/test_rosacli_cluster.go 
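Review bot: The role name in this test is fully fixed (`accrolePrefix := "arPrefix74556"` → `arPrefix74556-additional-principal-role`), so two runs of [id:74556] against the same AWS account collide: the second `CreateRole` fails with an already-exists error, and whichever run finishes first tears the role out from under the other's cluster in its deferred `DeleteAdditionalPrincipalsRole`. Derive a per-run suffix, e.g. `accrolePrefix := fmt.Sprintf("arPrefix74556-%s", clusterID[:8])`, keeping the total under IAM's 64-character role-name limit. The deferred cleanup also deletes the IAM role unconditionally, while the restore of the original `--additional-allowed-principals` list only runs if every earlier `Expect` passed, so a mid-test failure leaves the cluster trusting an ARN whose role no longer exists; consider moving the restoring `EditCluster` call into the same `defer`, ahead of the role deletion. Minor: the closure assigns to the outer `err` (`err = profilehandler.Delete...`) rather than declaring its own, which would clobber the test's last error if Ginkgo ever read it after the defer.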
@@ -1190,6 +1190,39 @@ var _ = Describe("HCP cluster creation negative testing", ContainSubstring( "ERR: 'ec2-metadata-http-tokens' is not available for Hosted Control Plane clusters")) }) + + It("expose additional allowed principals for HCP negative - [id:74433]", + labels.Medium, labels.Runtime.Day1Negative, + func() { + By("Create hcp cluster using --additional-allowed-principals and invalid formatted arn") + clusterName := "ocp-74408" + replacingFlags := map[string]string{ + "-c": clusterName, + "--cluster-name": clusterName, + "--domain-prefix": clusterName, + } + + By("Create cluster with invalid additional allowed principals") + rosalCommand.ReplaceFlagValue(replacingFlags) + if rosalCommand.CheckFlagExist("--additional-allowed-principals") { + rosalCommand.DeleteFlag("--additional-allowed-principals", true) + } + rosalCommand.AddFlags("--dry-run", "--additional-allowed-principals", "zzzz", "-y") + out, err := rosaClient.Runner.RunCMD(strings.Split(rosalCommand.GetFullCommand(), " ")) + Expect(err).To(HaveOccurred()) + Expect(out.String()). + To( + ContainSubstring( + "ERR: Expected valid ARNs for additional allowed principals list: Invalid ARN: arn: invalid prefix")) + + By("Create classic cluster with additional allowed principals") + output, err := clusterService.CreateDryRun(clusterName, "--additional-allowed-principals", "zzzz", "-y") + Expect(err).To(HaveOccurred()) + Expect(rosaClient.Parser.TextData.Input(output).Parse().Tip()). + To( + ContainSubstring( + "ERR: Additional Allowed Principals is supported only for Hosted Control Planes")) + }) }) var _ = Describe("Create cluster with availability zones testing", diff --git a/tests/e2e/test_rosacli_cluster_post.go b/tests/e2e/test_rosacli_cluster_post.go index d526a5de2b..c69ee4425e 100644 --- a/tests/e2e/test_rosacli_cluster_post.go +++ b/tests/e2e/test_rosacli_cluster_post.go 
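Review bot: The cluster name in this case is `clusterName := "ocp-74408"`, which is the id of the Day1Post test, not of this negative case (74433); with dry-run both sub-cases only need a syntactically valid name, but logs and any leftover dry-run artefacts will be attributed to the wrong case, so use `clusterName := "ocp-74433"`. The second sub-case asserts `"ERR: Additional Allowed Principals is supported only for Hosted Control Planes"` via `CreateDryRun` without any HCP flag, which presumably relies on the dry-run defaulting to a classic cluster — a one-line `By` comment saying so would make that intent explicit.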
@@ -27,6 +27,7 @@ var _ = Describe("Healthy check", clusterService rosacli.ClusterService machinePoolService rosacli.MachinePoolService clusterConfig *config.ClusterConfig + profile *profilehandler.Profile ) BeforeEach(func() { @@ -40,6 +41,7 @@ var _ = Describe("Healthy check", machinePoolService = rosaClient.MachinePool var err error clusterConfig, err = config.ParseClusterProfile() + profile = profilehandler.LoadProfileYamlFileByENV() Expect(err).ToNot(HaveOccurred()) }) @@ -230,6 +232,27 @@ var _ = Describe("Healthy check", Expect(clusterConfig.Encryption.KmsKeyArn).To(Equal(kmsKey)) }) + It("additional allowed principals work on cluster creation - [id:74408]", + labels.Critical, labels.Runtime.Day1Post, + func() { + By("Confirm current cluster profile uses additional allowed principals") + if !profile.ClusterConfig.AdditionalPrincipals { + SkipTestOnFeature("additional allowed principals") + } + + By("Check the help message of 'rosa create cluster -h'") + output, err := clusterService.CreateDryRun(clusterID, "-h") + Expect(err).To(BeNil()) + Expect(output.String()). + To( + ContainSubstring("--additional-allowed-principals")) + + By("Confirm additional principals is present") + out, err := clusterService.DescribeClusterAndReflect(clusterID) + Expect(err).To(BeNil()) + Expect(out.AdditionalPrincipals).To(ContainSubstring(clusterConfig.AdditionalPrincipals)) + }) + It("etcd encryption works on cluster creation - [id:42188]", labels.Critical, labels.Runtime.Day1Post, func() { diff --git a/tests/utils/config/cluster.go b/tests/utils/config/cluster.go index d3f57b995c..9fed5571c2 100644 --- a/tests/utils/config/cluster.go +++ b/tests/utils/config/cluster.go 
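Review bot: In the `BeforeEach` hunk the new `profile = profilehandler.LoadProfileYamlFileByENV()` line is inserted between `clusterConfig, err = config.ParseClusterProfile()` and its `Expect(err).ToNot(HaveOccurred())`, separating a call from its error check; move the profile load above the `var err error` line so the check stays adjacent, as the same change already does in `hcp_cluster_test.go`. In the new [id:74408] case, `clusterService.CreateDryRun(clusterID, "-h")` passes a cluster ID where a cluster name is expected; it is harmless for a help invocation, but a short comment (`// only the help text is inspected; the name argument is ignored`) would save the next reader a double-take.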
@@ -119,6 +119,7 @@ type ClusterConfig struct { WorkerDiskSize string `json:"worker_disk_size,omitempty"` DomainPrefix string `json:"domain_prefix,omitempty"` BillingAccount string `json:"billing_account,omitempty"` + AdditionalPrincipals string `json:"additional_principals,omitempty"` AdditionalSecurityGroups *AdditionalSecurityGroups `json:"additional_sgs,omitempty"` Autoscaling *Autoscaling `json:"autoscaling,omitempty"` Aws *AWS `json:"aws,omitempty"` diff --git a/tests/utils/exec/rosacli/cluster_service.go b/tests/utils/exec/rosacli/cluster_service.go index db491801d9..76d2a979d7 100644 --- a/tests/utils/exec/rosacli/cluster_service.go +++ b/tests/utils/exec/rosacli/cluster_service.go @@ -58,6 +58,7 @@ type ClusterDescription struct { OpenshiftVersion string `yaml:"OpenShift Version,omitempty"` ChannelGroup string `yaml:"Channel Group,omitempty"` DNS string `yaml:"DNS,omitempty"` + AdditionalPrincipals string `yaml:"Additional Principals,omitempty"` AWSAccount string `yaml:"AWS Account,omitempty"` AWSBillingAccount string `yaml:"AWS Billing Account,omitempty"` APIURL string `yaml:"API URL,omitempty"` diff --git a/tests/utils/profilehandler/data_cleaner.go b/tests/utils/profilehandler/data_cleaner.go index d33bb74b00..09d84ffff4 100644 --- a/tests/utils/profilehandler/data_cleaner.go +++ b/tests/utils/profilehandler/data_cleaner.go 
@@ -45,6 +45,18 @@ func DeleteSharedVPCRole(sharedVPCRoleName string, managedPolicy bool, region st return err } +func DeleteAdditionalPrincipalsRole(additionalPrincipalRoleName string, + managedPolicy bool, region string, + awsSharedCredentialFile string) error { + awsClient, err := aws_client.CreateAWSClient("", region, awsSharedCredentialFile) + if err != nil { + return err + } + + err = awsClient.DeleteRoleAndPolicy(additionalPrincipalRoleName, managedPolicy) + return err +} + func DeleteSharedVPCChain(vpcID string, region string, awsSharedCredentialFile string) error { vpcClient, err := vpc_client.GenerateVPCByID(vpcID, region, awsSharedCredentialFile) if err != nil { diff --git a/tests/utils/profilehandler/data_preparation.go b/tests/utils/profilehandler/data_preparation.go index 5ebdb85fe2..74ab236aa0 100644 --- a/tests/utils/profilehandler/data_preparation.go +++ b/tests/utils/profilehandler/data_preparation.go 
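Review bot: `DeleteAdditionalPrincipalsRole` is exported without a doc comment; every caller in this patch passes `managedPolicy=true` while the role created in `PrepareAdditionalPrincipalsRole` only has the AWS-managed `ROSAControlPlaneOperatorPolicy` attached, so document what `true` means here — if `DeleteRoleAndPolicy` tries to *delete* rather than detach attached managed policies when the flag is set, that call will fail for an AWS-managed policy and the role will be left behind; confirm against ocm-common before relying on it. Suggested header: `// DeleteAdditionalPrincipalsRole removes the IAM role prepared for --additional-allowed-principals using the shared-VPC credential file; managedPolicy is forwarded to DeleteRoleAndPolicy.` The trailing `err = awsClient.DeleteRoleAndPolicy(...); return err` can be `return awsClient.DeleteRoleAndPolicy(additionalPrincipalRoleName, managedPolicy)`.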
@@ -468,6 +468,33 @@ func PrepareSharedVPCRole(sharedVPCRolePrefix string, installerRoleArn string, i return roleName, sharedVPCRoleArn, err } +func PrepareAdditionalPrincipalsRole(roleName string, installerRoleArn string, + region string, awsSharedCredentialFile string) (string, error) { + awsClient, err := aws_client.CreateAWSClient("", region, awsSharedCredentialFile) + if err != nil { + return "", err + } + policyArn := "arn:aws:iam::aws:policy/service-role/ROSAControlPlaneOperatorPolicy" + if installerRoleArn == "" { + log.Logger.Errorf("Can not create additional principal role due to no installer role.") + return "", err + } + roleArn, err := awsClient.CreateRoleForAdditionalPrincipals(roleName, installerRoleArn) + additionalPrincipalRoleArn := aws.ToString(roleArn.Arn) + if err != nil { + log.Logger.Errorf("Error happens when prepare additional principal role: %s", err.Error()) + return additionalPrincipalRoleArn, err + } + log.Logger.Infof("Create a new role for Additional Principal: %s", additionalPrincipalRoleArn) + err = awsClient.AttachIAMPolicy(roleName, policyArn) + if err != nil { + log.Logger.Errorf( + "Error happens when attach control plane operator policy %s to role %s: %s", policyArn, + additionalPrincipalRoleArn, err.Error()) + } + return additionalPrincipalRoleArn, err +} + func PrepareDNSDomain(client *rosacli.Client) (string, error) { var dnsDomain string var output bytes.Buffer diff --git a/tests/utils/profilehandler/interface.go b/tests/utils/profilehandler/interface.go index f9d584dc17..5280021651 100644 --- a/tests/utils/profilehandler/interface.go +++ b/tests/utils/profilehandler/interface.go 
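Review bot: The `installerRoleArn == ""` guard in `PrepareAdditionalPrincipalsRole` returns `"", err` where `err` is nil (the preceding `CreateAWSClient` succeeded), so the caller sees success and `GenerateClusterCreateFlags` goes on to append `--additional-allowed-principals ""`; return a real error, and do the check before creating the AWS client. `aws.ToString(roleArn.Arn)` is also read before `err` is checked; it happens to be safe because `types.Role` is a value and `aws.ToString(nil)` yields `""`, but checking first is clearer. When `AttachIAMPolicy` fails the role has already been created and the function returns its ARN with an error; the caller in this patch discards it, so either delete the role here on attach failure or make sure the caller records the name for cleanup. Rewritten lines (use whichever of `fmt`/`errors` the file already imports):
```go
func PrepareAdditionalPrincipalsRole(roleName string, installerRoleArn string,
	region string, awsSharedCredentialFile string) (string, error) {
	// Fail before touching AWS; err was nil at the original check, so it returned success with an empty ARN.
	if installerRoleArn == "" {
		return "", fmt.Errorf("cannot create additional principal role %q: installer role ARN is empty", roleName)
	}
	// … unchanged: CreateAWSClient and policyArn …
	roleArn, err := awsClient.CreateRoleForAdditionalPrincipals(roleName, installerRoleArn)
	if err != nil {
		log.Logger.Errorf("Error happens when prepare additional principal role: %s", err.Error())
		return "", err
	}
	additionalPrincipalRoleArn := aws.ToString(roleArn.Arn)
	// … unchanged: AttachIAMPolicy and logging …
```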
@@ -31,6 +31,7 @@ type ClusterConfig struct { NameLegnth int `default:"15" yaml:"name_length,omitempty" json:"name_length,omitempty"` VolumeSize int `yaml:"volume_size,omitempty" json:"volume_size,omitempty"` WorkerPoolReplicas int `yaml:"replicas,omitempty" json:"replicas,omitempty"` + AdditionalPrincipals bool `yaml:"additional_principals,omitempty" json:"additional_principals,omitempty"` AdminEnabled bool `yaml:"admin_enabled,omitempty" json:"admin_enabled,omitempty"` AuditLogForward bool `yaml:"auditlog_forward,omitempty" json:"auditlog_forward,omitempty"` Autoscale bool `yaml:"autoscale,omitempty" json:"autoscale,omitempty"` 
@@ -60,17 +61,18 @@ type ClusterConfig struct { // UserData will record the user data prepared for resource clean up type UserData struct { - AccountRolesPrefix string `json:"account_roles_prefix,omitempty"` - AuditLogArn string `json:"audit_log,omitempty"` - DNSDomain string `json:"dns_domain,omitempty"` - EtcdKMSKey string `json:"etcd_kms_key,omitempty"` - HostedZoneID string `json:"hosted_zone_id,omitempty"` - KMSKey string `json:"kms_key,omitempty"` - OperatorRolesPrefix string `json:"operator_roles_prefix,omitempty"` - OIDCConfigID string `json:"oidc_config_id,omitempty"` - ResourceShareArn string `json:"resource_share,omitempty"` - SharedVPCRole string `json:"shared_vpc_role,omitempty"` - VpcID string `json:"vpc_id,omitempty"` + AccountRolesPrefix string `json:"account_roles_prefix,omitempty"` + AdditionalPrincipals string `json:"additional_principals,omitempty"` + AuditLogArn string `json:"audit_log,omitempty"` + DNSDomain string `json:"dns_domain,omitempty"` + EtcdKMSKey string `json:"etcd_kms_key,omitempty"` + HostedZoneID string `json:"hosted_zone_id,omitempty"` + KMSKey string `json:"kms_key,omitempty"` + OperatorRolesPrefix string `json:"operator_roles_prefix,omitempty"` + OIDCConfigID string `json:"oidc_config_id,omitempty"` + ResourceShareArn string `json:"resource_share,omitempty"` + SharedVPCRole string `json:"shared_vpc_role,omitempty"` + VpcID string `json:"vpc_id,omitempty"` } // ClusterDetail will record basic cluster info to support other team's testing diff --git a/tests/utils/profilehandler/profile_handler.go b/tests/utils/profilehandler/profile_handler.go index 74adf14efd..5e87a7321e 100644 --- a/tests/utils/profilehandler/profile_handler.go +++ b/tests/utils/profilehandler/profile_handler.go 
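Review bot: `UserData.AdditionalPrincipals` is named as if it held the principal ARN list, but `GenerateClusterCreateFlags` stores the IAM role *name* in it (`userData.AdditionalPrincipals = additionalPrincipalRoleName`) and `DestroyPreparedUserData` passes it to `DeleteAdditionalPrincipalsRole`; a field comment would prevent someone later writing the ARN there and breaking cleanup, e.g. `AdditionalPrincipals string `json:"additional_principals,omitempty"` // IAM role name (not ARN) prepared for --additional-allowed-principals; removed by DestroyPreparedUserData`. Renaming to `AdditionalPrincipalRole` would be clearer still, with the JSON tag kept for compatibility with recorded user data.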
@@ -119,6 +119,7 @@ func GenerateClusterCreateFlags(profile *Profile, client *rosacli.Client) ([]str sharedVPCRoleArn := "" sharedVPCRolePrefix := "" awsSharedCredentialFile := "" + envVariableErrMsg := "'SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE' env is not set or empty, it is: %s" defer func() { // Record userdata @@ -218,10 +219,8 @@ func GenerateClusterCreateFlags(profile *Profile, client *rosacli.Client) ([]str if profile.ClusterConfig.SharedVPC { awsSharedCredentialFile = config.Test.GlobalENV.SVPC_CREDENTIALS_FILE if awsSharedCredentialFile == "" { - log.Logger.Errorf("SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE env is not set or empty, "+ - "it is: %s", awsSharedCredentialFile) - panic(fmt.Errorf("SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE env is not set or empty, "+ - "it is: %s", awsSharedCredentialFile)) + log.Logger.Errorf(envVariableErrMsg, awsSharedCredentialFile) + panic(fmt.Errorf(envVariableErrMsg, awsSharedCredentialFile)) } sharedVPCRolePrefix = accountRolePrefix 
@@ -285,7 +284,27 @@ func GenerateClusterCreateFlags(profile *Profile, client *rosacli.Client) ([]str flags = append(flags, "--audit-log-arn", auditRoleArn) } + + if profile.ClusterConfig.AdditionalPrincipals { + awsSharedCredentialFile = config.Test.GlobalENV.SVPC_CREDENTIALS_FILE + if awsSharedCredentialFile == "" { + log.Logger.Errorf(envVariableErrMsg, awsSharedCredentialFile) + panic(fmt.Errorf(envVariableErrMsg, awsSharedCredentialFile)) + } + installRoleArn := accRoles.InstallerRole + additionalPrincipalRolePrefix := accountRolePrefix + additionalPrincipalRoleName := fmt.Sprintf("%s-%s", additionalPrincipalRolePrefix, "additional-principal-role") + additionalPrincipalRoleArn, err := PrepareAdditionalPrincipalsRole(additionalPrincipalRoleName, installRoleArn, + profile.Region, awsSharedCredentialFile) + if err != nil { + return flags, err + } + flags = append(flags, "--additional-allowed-principals", additionalPrincipalRoleArn) + clusterConfiguration.AdditionalPrincipals = additionalPrincipalRoleArn + userData.AdditionalPrincipals = additionalPrincipalRoleName + } } + // Put this part before the BYOVPC preparation so the subnets is prepared based on PrivateLink if profile.ClusterConfig.Private { flags = append(flags, "--private") @@ -895,7 +914,7 @@ func DestroyCluster(client *rosacli.Client) (*ClusterDetail, []error) { } func DestroyPreparedUserData(client *rosacli.Client, clusterID string, region string, isSTS bool, - isSharedVPC bool) []error { + isSharedVPC bool, isAdditionalPrincipalAllowed bool) []error { var ( ud *UserData @@ -905,7 +924,7 @@ func DestroyPreparedUserData(client *rosacli.Client, clusterID string, region st ocmResourceService = client.OCMResource awsSharedCredentialFile := "" - if isSharedVPC { + if isSharedVPC || isAdditionalPrincipalAllowed { awsSharedCredentialFile = config.Test.GlobalENV.SVPC_CREDENTIALS_FILE } 
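Review bot: In the new `AdditionalPrincipals` branch, `userData.AdditionalPrincipals` is only set after `PrepareAdditionalPrincipalsRole` succeeds, yet that helper returns an error after the role has already been created when the policy attach fails, so the early `return flags, err` leaks an IAM role that the deferred "Record userdata" block never learns about; record the name before the call, `userData.AdditionalPrincipals = additionalPrincipalRoleName` ahead of `additionalPrincipalRoleArn, err := PrepareAdditionalPrincipalsRole(...)`, so `DestroyPreparedUserData` can remove it. The branch also reuses `SVPC_CREDENTIALS_FILE` and the `'SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE' env is not set` message for a feature that has nothing to do with shared VPC; if that credential file is deliberately the "second account" used for cross-account principals, a one-line comment saying so would stop the next reader treating it as a copy-paste slip.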
@@ -1009,6 +1028,15 @@ func DestroyPreparedUserData(client *rosacli.Client, clusterID string, region st ud.SharedVPCRole = "" } } + // delete additional principal role + if ud.AdditionalPrincipals != "" { + log.Logger.Infof("Find prepared additional principal role: %s", ud.AdditionalPrincipals) + err = DeleteAdditionalPrincipalsRole(ud.AdditionalPrincipals, true, region, awsSharedCredentialFile) + success := destroyLog(err, "additional principal role") + if success { + ud.AdditionalPrincipals = "" + } + } // delete operator roles if ud.OperatorRolesPrefix != "" { log.Logger.Infof("Find prepared operator roles with prefix: %s", ud.OperatorRolesPrefix) @@ -1044,7 +1072,7 @@ func DestroyPreparedUserData(client *rosacli.Client, clusterID string, region st } // delete account roles if ud.AccountRolesPrefix != "" { - log.Logger.Infof("Find prepared accout roles with prefix: %s", ud.AccountRolesPrefix) + log.Logger.Infof("Find prepared account roles with prefix: %s", ud.AccountRolesPrefix) _, err = ocmResourceService.DeleteAccountRole("--mode", "auto", "--prefix", ud.AccountRolesPrefix, "-y") success := destroyLog(err, "account roles") if success { @@ -1071,7 +1099,9 @@ func DestroyResourceByProfile(profile *Profile, client *rosacli.Client) (errors region := profile.Region isSTS := profile.ClusterConfig.STS isSharedVPC := profile.ClusterConfig.SharedVPC - errDestroyUserData := DestroyPreparedUserData(client, clusterId, region, isSTS, isSharedVPC) + isAdditionalPrincipalAllowed := profile.ClusterConfig.AdditionalPrincipals + errDestroyUserData := DestroyPreparedUserData(client, clusterId, region, isSTS, isSharedVPC, + isAdditionalPrincipalAllowed) if len(errDestroyUserData) > 0 { errors = append(errors, errDestroyUserData) } diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/aws/aws_client/role.go b/vendor/github.com/openshift-online/ocm-common/pkg/aws/aws_client/role.go index 3a10619cf3..6324115c2d 100644 
--- a/vendor/github.com/openshift-online/ocm-common/pkg/aws/aws_client/role.go +++ b/vendor/github.com/openshift-online/ocm-common/pkg/aws/aws_client/role.go @@ -440,3 +440,22 @@ func (client *AWSClient) CreatePolicyForSharedVPC(policyName string) (string, er } return client.CreatePolicy(policyName, statement) } + +func (client *AWSClient) CreateRoleForAdditionalPrincipals(roleName string, installerRoleArn string) (types.Role, error) { + statement := map[string]interface{}{ + "Sid": "Statement1", + "Effect": "Allow", + "Principal": map[string]interface{}{ + "AWS": []string{installerRoleArn}, + }, + "Action": "sts:AssumeRole", + } + + assumeRolePolicyDocument, err := completeRolePolicyDocument(statement) + if err != nil { + log.LogError("Failed to convert Role Policy Document into JSON: %s", err.Error()) + return types.Role{}, err + } + + return client.CreateRole(roleName, string(assumeRolePolicyDocument), "", make(map[string]string), "/") +} diff --git a/vendor/modules.txt b/vendor/modules.txt index ebe251042e..3deff9a3f0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -416,7 +416,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge github.com/onsi/gomega/matchers/support/goraph/node github.com/onsi/gomega/matchers/support/goraph/util github.com/onsi/gomega/types -# github.com/openshift-online/ocm-common v0.0.6 +# github.com/openshift-online/ocm-common v0.0.7 ## explicit; go 1.21 github.com/openshift-online/ocm-common/pkg/aws/aws_client github.com/openshift-online/ocm-common/pkg/aws/consts