remove the option to detach policies

Signed-off-by: marcolan018 <llan@redhat.com>
openshift · May 7, 2024 · e1b14b6 · e1b14b6
1 parent d3911a5
commit e1b14b6
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 160 deletions.
diff --git a/cmd/upgrade/roles/cmd.go b/cmd/upgrade/roles/cmd.go
@@ -265,7 +265,7 @@ func run(cmd *cobra.Command, argv []string) {
 		spin.Stop()
 	}
 
-	rolePolicyBindings, err := ocmClient.ListRolePolicyBindings(args.clusterID, true)
+	rolePolicyBindings, err := ocmClient.ListRolePolicyBindings(cluster.ID(), true)
 	if err != nil {
 		reporter.Errorf("Failed to get rolePolicyBinding: %s", err)
 		os.Exit(1)
@@ -476,7 +476,7 @@ func run(cmd *cobra.Command, argv []string) {
 	}
 
 	if isUpgradeNeedForAccountRolePolicies && mode == interactive.ModeAuto || isOperatorPolicyUpgradeNeeded {
-		newRolePolicyBindings, err := ocmClient.ListRolePolicyBindings(args.clusterID, true)
+		newRolePolicyBindings, err := ocmClient.ListRolePolicyBindings(cluster.ID(), true)
 		if err != nil {
 			reporter.Warnf("Failed to get rolePolicyBindings after upgrade," +
 				" please check the attached policies on upgraded roles")
@@ -516,65 +516,32 @@ func handleAccountRolePolicyARN(
 	mode string,
 	awsClient aws.Client,
 	roleName string,
+	prefix string,
 	rolePath string,
 	partition string,
 	accountID string,
 	policiesDetails []aws.PolicyDetail,
-) (string, []string, error) {
+) (string, error) {
 	attachedPoliciesDetail := aws.FindAllAttachedPolicyDetails(policiesDetails)
 
 	generatedPolicyARN := aws.GetPolicyARN(partition, accountID, roleName, rolePath)
 	if len(attachedPoliciesDetail) == 0 {
-		return generatedPolicyARN, nil, nil
+		return generatedPolicyARN, nil
 	}
 
 	if len(attachedPoliciesDetail) == 1 {
 		policyDetail := attachedPoliciesDetail[0]
-		return policyDetail.PolicyArn, nil, nil
+		return policyDetail.PolicyArn, nil
 	}
 
-	promptString := fmt.Sprintf("More than one policy attached to account role '%s'.\n"+
-		"\tWould you like to detach current policies and setup a new one ?", roleName)
-	if !confirm.Prompt(true, promptString) {
-
-		attachedPoliciesArns := make([]string, len(attachedPoliciesDetail))
-		for _, attachedPolicyDetail := range attachedPoliciesDetail {
-			attachedPoliciesArns = append(attachedPoliciesArns, attachedPolicyDetail.PolicyArn)
-		}
-		chosenPolicyARN, err := interactive.GetOption(interactive.Input{
-			Question: "Choose Policy ARN to upgrade",
-			Options:  attachedPoliciesArns,
-			Default:  attachedPoliciesArns[0],
-			Required: true,
-		})
-		if err != nil {
-			return "", nil, err
-		}
-		return chosenPolicyARN, nil, nil
+	policyArn, err := awsClient.GetAccountRoleDefaultPolicy(roleName, prefix)
+	if err != nil {
+		return "", err
 	}
-
-	switch mode {
-	case interactive.ModeAuto:
-		err := awsClient.DetachRolePolicies(roleName)
-		if err != nil {
-			return "", nil, err
-		}
-		return generatedPolicyARN, nil, nil
-	case interactive.ModeManual:
-		commands := make([]string, 0)
-		for _, policyDetail := range attachedPoliciesDetail {
-			detachManagedPoliciesCommand := awscbRoles.ManualCommandsForDetachRolePolicy(
-				awscbRoles.ManualCommandsForDetachRolePolicyInput{
-					RoleName:  roleName,
-					PolicyARN: policyDetail.PolicyArn,
-				},
-			)
-			commands = append(commands, detachManagedPoliciesCommand)
-		}
-		return generatedPolicyARN, commands, nil
-	default:
-		return "", nil, weberr.Errorf("Invalid mode. Allowed values are %s", interactive.Modes)
+	if policyArn == "" {
+		return generatedPolicyARN, nil
 	}
+	return policyArn, nil
 }
 
 func upgradeAccountRolePoliciesFromCluster(
@@ -618,7 +585,7 @@ func upgradeAccountRolePoliciesFromCluster(
 		}
 		filename := fmt.Sprintf("sts_%s_permission_policy", file)
 
-		policyARN, _, err := handleAccountRolePolicyARN(mode, awsClient, roleName, rolePath,
+		policyARN, err := handleAccountRolePolicyARN(mode, awsClient, roleName, prefix, rolePath,
 			partition, accountID, rolePolicyDetails[roleName])
 		if err != nil {
 			return err
@@ -645,11 +612,6 @@ func upgradeAccountRolePoliciesFromCluster(
 		if err != nil {
 			return err
 		}
-		//Delete if present else continue
-		err = awsClient.DeleteInlineRolePolicies(roleName)
-		if err != nil {
-			reporter.Debugf("Error deleting inline role policy %s : %s", policyARN, err)
-		}
 		reporterString := fmt.Sprintf("Upgraded policy with ARN '%s' to version '%s'", policyARN, policyVersion)
 		reporter.Infof(reporterString)
 		err = awsClient.UpdateTag(roleName, policyVersion)
@@ -686,10 +648,11 @@ func buildAccountRoleCommandsFromCluster(
 				return "", err
 			}
 
-			policyARN, detachPoliciesCommands, err := handleAccountRolePolicyARN(
+			policyARN, err := handleAccountRolePolicyARN(
 				mode,
 				awsClient,
 				accRoleName,
+				prefix,
 				rolePath,
 				partition,
 				accountID,
@@ -699,8 +662,6 @@ func buildAccountRoleCommandsFromCluster(
 				return "", err
 			}
 
-			commands = append(commands, detachPoliciesCommands...)
-
 			accountPolicyPath, err := aws.GetPathFromARN(policyARN)
 			if err != nil {
 				return "", err
@@ -710,22 +671,17 @@ func buildAccountRoleCommandsFromCluster(
 			policyName := aws.GetPolicyName(accRoleName)
 			_, err = awsClient.IsRolePolicyExists(accRoleName, policyName)
 			hasInlinePolicy := err == nil
-			hasDetachPolicyCommandsForExpectedPolicy := checkHasDetachPolicyCommandsForExpectedPolicy(
-				detachPoliciesCommands,
-				policyARN,
-			)
 			upgradeAccountPolicyCommands := awscbRoles.ManualCommandsForUpgradeAccountRolePolicy(
 				awscbRoles.ManualCommandsForUpgradeAccountRolePolicyInput{
-					DefaultPolicyVersion:                     defaultPolicyVersion,
-					RoleName:                                 accRoleName,
-					HasPolicy:                                hasPolicy,
-					Prefix:                                   prefix,
-					File:                                     file,
-					PolicyName:                               policyName,
-					AccountPolicyPath:                        accountPolicyPath,
-					PolicyARN:                                policyARN,
-					HasInlinePolicy:                          hasInlinePolicy,
-					HasDetachPolicyCommandsForExpectedPolicy: hasDetachPolicyCommandsForExpectedPolicy,
+					DefaultPolicyVersion: defaultPolicyVersion,
+					RoleName:             accRoleName,
+					HasPolicy:            hasPolicy,
+					Prefix:               prefix,
+					File:                 file,
+					PolicyName:           policyName,
+					AccountPolicyPath:    accountPolicyPath,
+					PolicyARN:            policyARN,
+					HasInlinePolicy:      hasInlinePolicy,
 				},
 			)
 			commands = append(commands, upgradeAccountPolicyCommands...)
@@ -862,7 +818,7 @@ func upgradeOperatorRolePoliciesFromCluster(
 			if err != nil {
 				return err
 			}
-			policyARN, _, err = handleOperatorRolePolicyARN(
+			policyARN, err = handleOperatorRolePolicyARN(
 				mode,
 				awsClient,
 				operatorRoleName,
@@ -936,7 +892,6 @@ func buildOperatorRoleCommandsFromCluster(
 	for credrequest, operator := range credRequests {
 		policyARN := ""
 		operatorPolicyPath := generalPath
-		hasDetachPolicyCommandsForExpectedPolicy := false
 		operatorRoleARN := aws.FindOperatorRoleBySTSOperator(operatorRoles, operator)
 		operatorRoleName := ""
 		if operatorRoleARN == "" {
@@ -953,7 +908,7 @@ func buildOperatorRoleCommandsFromCluster(
 			if err != nil {
 				return "", err
 			}
-			foundPolicyARN, detachPoliciesCommands, err := handleOperatorRolePolicyARN(
+			foundPolicyARN, err := handleOperatorRolePolicyARN(
 				mode,
 				awsClient,
 				operatorRoleName,
@@ -967,12 +922,7 @@ func buildOperatorRoleCommandsFromCluster(
 			if err != nil {
 				return "", err
 			}
-			hasDetachPolicyCommandsForExpectedPolicy = checkHasDetachPolicyCommandsForExpectedPolicy(
-				detachPoliciesCommands,
-				foundPolicyARN,
-			)
 
-			commands = append(commands, detachPoliciesCommands...)
 			operatorPolicyPath, err = aws.GetPathFromARN(foundPolicyARN)
 			if err != nil {
 				return "", err
@@ -993,17 +943,16 @@ func buildOperatorRoleCommandsFromCluster(
 
 		upgradePoliciesCommands := awscbRoles.ManualCommandsForUpgradeOperatorRolePolicy(
 			awscbRoles.ManualCommandsForUpgradeOperatorRolePolicyInput{
-				HasPolicy:                                hasPolicy,
-				OperatorRolePolicyPrefix:                 operatorRolePolicyPrefix,
-				Operator:                                 operator,
-				CredRequest:                              credrequest,
-				OperatorPolicyPath:                       operatorPolicyPath,
-				PolicyARN:                                policyARN,
-				DefaultPolicyVersion:                     defaultPolicyVersion,
-				PolicyName:                               policyName,
-				HasDetachPolicyCommandsForExpectedPolicy: hasDetachPolicyCommandsForExpectedPolicy,
-				OperatorRoleName:                         operatorRoleName,
-				FileName:                                 fileName,
+				HasPolicy:                hasPolicy,
+				OperatorRolePolicyPrefix: operatorRolePolicyPrefix,
+				Operator:                 operator,
+				CredRequest:              credrequest,
+				OperatorPolicyPath:       operatorPolicyPath,
+				PolicyARN:                policyARN,
+				DefaultPolicyVersion:     defaultPolicyVersion,
+				PolicyName:               policyName,
+				OperatorRoleName:         operatorRoleName,
+				FileName:                 fileName,
 			},
 		)
 		commands = append(commands, upgradePoliciesCommands...)
@@ -1021,7 +970,7 @@ func handleOperatorRolePolicyARN(
 	partition string,
 	accountID string,
 	policiesDetails []aws.PolicyDetail,
-) (string, []string, error) {
+) (string, error) {
 	generatedPolicyARN := aws.GetOperatorPolicyARN(
 		partition,
 		accountID,
@@ -1033,54 +982,22 @@ func handleOperatorRolePolicyARN(
 	attachedPoliciesDetails := aws.FindAllAttachedPolicyDetails(policiesDetails)
 
 	if len(attachedPoliciesDetails) == 0 {
-		return generatedPolicyARN, nil, nil
+		return generatedPolicyARN, nil
 	}
 
 	if len(attachedPoliciesDetails) == 1 {
 		policyDetail := attachedPoliciesDetails[0]
-		return policyDetail.PolicyArn, nil, nil
+		return policyDetail.PolicyArn, nil
 	}
 
-	promptString := fmt.Sprintf("More than one policy attached to operator role '%s'.\n"+
-		"\tWould you like to detach current policies and setup a new one ?", operatorRoleName)
-	if !confirm.Prompt(true, promptString) {
-		attachedPoliciesArns := make([]string, len(attachedPoliciesDetails))
-		for _, attachedPolicyDetail := range attachedPoliciesDetails {
-			attachedPoliciesArns = append(attachedPoliciesArns, attachedPolicyDetail.PolicyArn)
-		}
-		chosenPolicyARN, err := interactive.GetOption(interactive.Input{
-			Question: "Choose Policy ARN to upgrade",
-			Options:  attachedPoliciesArns,
-			Default:  attachedPoliciesArns[0],
-			Required: true,
-		})
-		if err != nil {
-			return "", nil, err
-		}
-		return chosenPolicyARN, nil, nil
+	policyArn, err := awsClient.GetOperatorRoleDefaultPolicy(operatorRoleName)
+	if err != nil {
+		return "", err
 	}
-	switch mode {
-	case interactive.ModeAuto:
-		err := awsClient.DetachRolePolicies(operatorRoleName)
-		if err != nil {
-			return "", nil, err
-		}
-		return generatedPolicyARN, nil, nil
-	case interactive.ModeManual:
-		commands := make([]string, 0)
-		for _, policyDetail := range policiesDetails {
-			detachManagedPoliciesCommand := awscbRoles.ManualCommandsForDetachRolePolicy(
-				awscbRoles.ManualCommandsForDetachRolePolicyInput{
-					RoleName:  operatorRoleName,
-					PolicyARN: policyDetail.PolicyArn,
-				},
-			)
-			commands = append(commands, detachManagedPoliciesCommand)
-		}
-		return generatedPolicyARN, commands, nil
-	default:
-		return "", nil, weberr.Errorf("Invalid mode. Allowed values are %s", interactive.Modes)
+	if policyArn == "" {
+		return generatedPolicyARN, nil
 	}
+	return policyArn, nil
 }
 
 func createOperatorRole(

diff --git a/pkg/aws/client.go b/pkg/aws/client.go
@@ -212,6 +212,8 @@ type Client interface {
 	GetSecurityGroupIds(vpcId string) ([]ec2types.SecurityGroup, error)
 	FetchPublicSubnetMap(subnets []ec2types.Subnet) (map[string]bool, error)
 	GetIAMServiceQuota(quotaCode string) (*servicequotas.GetServiceQuotaOutput, error)
+	GetAccountRoleDefaultPolicy(roleName string, prefix string) (string, error)
+	GetOperatorRoleDefaultPolicy(roleName string) (string, error)
 }
 
 type AccessKeyGetter interface {

diff --git a/pkg/aws/commandbuilder/helper/roles/roles.go b/pkg/aws/commandbuilder/helper/roles/roles.go
@@ -51,17 +51,16 @@ func ManualCommandsForMissingOperatorRole(input ManualCommandsForMissingOperator
 }
 
 type ManualCommandsForUpgradeOperatorRolePolicyInput struct {
-	HasPolicy                                bool
-	OperatorRolePolicyPrefix                 string
-	Operator                                 *cmv1.STSOperator
-	CredRequest                              string
-	OperatorPolicyPath                       string
-	PolicyARN                                string
-	DefaultPolicyVersion                     string
-	PolicyName                               string
-	HasDetachPolicyCommandsForExpectedPolicy bool
-	OperatorRoleName                         string
-	FileName                                 string
+	HasPolicy                bool
+	OperatorRolePolicyPrefix string
+	Operator                 *cmv1.STSOperator
+	CredRequest              string
+	OperatorPolicyPath       string
+	PolicyARN                string
+	DefaultPolicyVersion     string
+	PolicyName               string
+	OperatorRoleName         string
+	FileName                 string
 }
 
 func ManualCommandsForUpgradeOperatorRolePolicy(input ManualCommandsForUpgradeOperatorRolePolicyInput) []string {
@@ -83,14 +82,6 @@ func ManualCommandsForUpgradeOperatorRolePolicy(input ManualCommandsForUpgradeOp
 			Build()
 		commands = append(commands, createPolicy)
 	} else {
-		if input.HasDetachPolicyCommandsForExpectedPolicy {
-			attachRolePolicy := awscb.NewIAMCommandBuilder().
-				SetCommand(awscb.AttachRolePolicy).
-				AddParam(awscb.RoleName, input.OperatorRoleName).
-				AddParam(awscb.PolicyArn, input.PolicyARN).
-				Build()
-			commands = append(commands, attachRolePolicy)
-		}
 		policyTags := map[string]string{
 			common.OpenShiftVersion: input.DefaultPolicyVersion,
 		}
@@ -113,16 +104,15 @@ func ManualCommandsForUpgradeOperatorRolePolicy(input ManualCommandsForUpgradeOp
 }
 
 type ManualCommandsForUpgradeAccountRolePolicyInput struct {
-	DefaultPolicyVersion                     string
-	RoleName                                 string
-	HasPolicy                                bool
-	Prefix                                   string
-	File                                     string
-	PolicyName                               string
-	AccountPolicyPath                        string
-	PolicyARN                                string
-	HasInlinePolicy                          bool
-	HasDetachPolicyCommandsForExpectedPolicy bool
+	DefaultPolicyVersion string
+	RoleName             string
+	HasPolicy            bool
+	Prefix               string
+	File                 string
+	PolicyName           string
+	AccountPolicyPath    string
+	PolicyARN            string
+	HasInlinePolicy      bool
 }
 
 func ManualCommandsForUpgradeAccountRolePolicy(input ManualCommandsForUpgradeAccountRolePolicyInput) []string {
@@ -167,9 +157,6 @@ func ManualCommandsForUpgradeAccountRolePolicy(input ManualCommandsForUpgradeAcc
 		}
 		commands = append(commands, createPolicy, attachRolePolicy, tagRole)
 	} else {
-		if input.HasDetachPolicyCommandsForExpectedPolicy {
-			commands = append(commands, attachRolePolicy)
-		}
 		createPolicyVersion := awscb.NewIAMCommandBuilder().
 			SetCommand(awscb.CreatePolicyVersion).
 			AddParam(awscb.PolicyArn, input.PolicyARN).