Merge pull request #4371 from patrickdillon/bz-1888464-aws-tag-perms

Bug 1888464: add tag:UnTagResource perm for aws shared networks
openshift · Nov 17, 2020 · eb9c2ce · eb9c2ce
2 parents 8d9d7cb + dfd32e4
commit eb9c2ce
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
@@ -25,6 +25,9 @@ const (
 
 	// PermissionDeleteNetworking is a set of permissions required when the installer destroys networking resources.
 	PermissionDeleteNetworking PermissionGroup = "delete-networking"
+
+	// PermissionDeleteSharedNetworking is a set of permissions required when the installer destroys resources from a shared-network cluster.
+	PermissionDeleteSharedNetworking PermissionGroup = "delete-shared-networking"
 )
 
 var permissions = map[PermissionGroup][]string{
@@ -215,6 +218,10 @@ var permissions = map[PermissionGroup][]string{
 		"ec2:DisassociateRouteTable",
 		"ec2:ReplaceRouteTableAssociation",
 	},
+	// Permissions required for deleting a cluster with shared network resources
+	PermissionDeleteSharedNetworking: {
+		"tag:UnTagResources",
+	},
 }
 
 // ValidateCreds will try to create an AWS session, and also verify that the current credentials

diff --git a/pkg/asset/installconfig/platformpermscheck.go b/pkg/asset/installconfig/platformpermscheck.go
@@ -48,10 +48,21 @@ func (a *PlatformPermsCheck) Generate(dependencies asset.Parents) error {
 	platform := ic.Config.Platform.Name()
 	switch platform {
 	case aws.Name:
-		permissionGroups := []awsconfig.PermissionGroup{awsconfig.PermissionCreateBase, awsconfig.PermissionDeleteBase}
-		// If subnets are not provided in install-config.yaml, include network permissions
-		if len(ic.Config.AWS.Subnets) == 0 {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionCreateNetworking, awsconfig.PermissionDeleteNetworking)
+		permissionGroups := []awsconfig.PermissionGroup{awsconfig.PermissionCreateBase}
+		usingExistingVPC := len(ic.Config.AWS.Subnets) != 0
+
+		if !usingExistingVPC {
+			permissionGroups = append(permissionGroups, awsconfig.PermissionCreateNetworking)
+		}
+
+		// Add delete permissions for non-C2S installs.
+		if !aws.C2SRegions.Has(ic.Config.AWS.Region) {
+			permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteBase)
+			if usingExistingVPC {
+				permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteSharedNetworking)
+			} else {
+				permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteNetworking)
+			}
 		}
 
 		ssn, err := ic.AWS.Session(ctx)