OCM-23781 | fix: Adding better logic for setting rosa_region tag #3235

Draft: jerichokeyne wants to merge 1 commit into openshift:master from jerichokeyne:ocm-23781

jerichokeyne (Contributor) commented Apr 16, 2026

PR Summary

Updating the logic when creating the osdCcsAdmin user to always set the same value for the rosa_region tag regardless of whether or not the user already exists. Also, adding a bit of logic to change the value if running in FedRAMP and the value is set to a non-GovCloud region.

There are also some included changes that were necessary to fix linting issues since I'm updating files that haven't been touched in a while.

Detailed Description of the Issue

There's an issue where if the user was running in FedRAMP, and already had an osdCcsAdmin user created, but that user was missing the rosa_region tag, then when they ran rosa init it would set the rosa_region tag to us-east-1. That would then prevent the user from creating clusters as we default to running in that region if that user and tag exist.

Slack threads:

Related Issues and PRs

Type of Change

  • feat - adds a new user-facing capability.
  • fix - resolves an incorrect behavior or bug.
  • docs - updates documentation only.
  • style - formatting or naming changes with no logic impact.
  • refactor - code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

When the user ran rosa init and created the osdCcsAdmin user it was a bit of a toss-up as to what the rosa_region value would be set to. If the user already existed, but did not have that tag set, then it would always be set to us-east-1. If the user already existed, and the tag was set, then it doesn't update the tag. If the user did not already exist, then it would be set to whatever value the user passed as --region.

Behavior After This Change

Now things have been more unified. In either case of when the rosa_region tag needs to be updated, it will be set to the same value. The new way to determine the value is:

  • If the user provides a region with --region, then use that value
  • If the user doesn't provide a region, then check if they're in FedRAMP:
    • If they are, then set it to a default value of us-gov-east-1
    • Otherwise set it to the default value of us-east-1

I also added a check for if the user is in FedRAMP, and for some reason the tag is set to the old default of us-east-1, then it will update the tag to the new value as specified above.

If the user and tag already exist, then there is still no change (except for the previous exception).

How to Test (Step-by-Step)

Preconditions

Test Steps

  1. Make sure there's no osdCcsAdmin user in the AWS account
  2. Run rosa init, and check the created osdCcsAdmin and the rosa_region tag on the user. It should be set to us-east-1
  3. Run rosa init --region us-west-2, and check that the rosa_region tag hasn't been updated
  4. Delete the rosa_region tag
  5. Run rosa init --region us-west-2, and check that the rosa_region tag has been set to us-west-2
  6. In FedRAMP:
    1. Repeat the previous steps, but with us-gov-east-1 and us-gov-west-1
    2. Modify the rosa_region tag to be set to us-east-1
    3. Run rosa init --region us-gov-west-1, and check that the rosa_region tag has been set to us-gov-west-1

Proof of the Fix

  • Screenshots:
  • Videos:
  • Logs/CLI output:
  • Other artifacts:

Running the modified test cases locally

TEST_PROFILE="rosa-advanced" ginkgo run --timeout 2h --focus "id:38770" tests/e2e
Running Suite: ROSA CLI e2e tests suite - /home/jericho/work/repos/rosa/tests/e2e
=================================================================================
Random Seed: 1776286919

Will run 1 of 282 specs
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 282 Specs in 226.049 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 281 Skipped
PASS

Ginkgo ran 1 suite in 3m48.939664017s
Test Suite Passed

TEST_PROFILE="rosa-advanced" ginkgo run --timeout 2h --focus "id:72174" tests/e2e
Running Suite: ROSA CLI e2e tests suite - /home/jericho/work/repos/rosa/tests/e2e
=================================================================================
Random Seed: 1776287533

Will run 1 of 282 specs
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 282 Specs in 141.790 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 281 Skipped
PASS

Ginkgo ran 1 suite in 2m24.898423605s
Test Suite Passed

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

Developer Verification Checklist

  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • make install-hooks has been run in this clone.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make test passes.
  • make lint passes.
  • make rosa passes.
  • Documentation or repo-local agent guidance was added/updated where appropriate.
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

  • New Features
    • Added FedRAMP-aware region selection that automatically chooses between govcloud and standard AWS regions based on compliance configuration.
  • Improvements
    • Updated region validation and error messaging for consistency across the CLI.
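
The tag-selection rules from the PR description above, written out as a decision function. This is an added example, not code from the PR or the rosa repository; the function and constant names are assumptions, and the FedRAMP correction follows the description's narrower wording (tag equal to the old default us-east-1).

```go
package main

import "fmt"

// Region defaults quoted in the PR description; identifier names are assumed.
const (
	defaultRegion         = "us-east-1"
	defaultGovcloudRegion = "us-gov-east-1"
)

// desiredRegion: an explicit --region wins, otherwise the environment default.
func desiredRegion(flagRegion string, fedramp bool) string {
	if flagRegion != "" {
		return flagRegion
	}
	if fedramp {
		return defaultGovcloudRegion
	}
	return defaultRegion
}

// resolveRosaRegionTag returns the rosa_region value osdCcsAdmin should carry
// and whether a write is needed. currentTag is "" when the user or tag is absent.
func resolveRosaRegionTag(currentTag, flagRegion string, fedramp bool) (string, bool) {
	want := desiredRegion(flagRegion, fedramp)
	switch {
	case currentTag == "":
		return want, true // new user, or existing user without the tag
	case fedramp && currentTag == defaultRegion:
		return want, true // old default left on a FedRAMP account
	default:
		return currentTag, false // an existing tag is otherwise left alone
	}
}

func main() {
	// Constructed inputs that follow the PR's test steps.
	cases := []struct {
		current, flag string
		fedramp       bool
	}{
		{"", "", false}, {"us-east-1", "us-west-2", false}, {"", "us-west-2", false},
		{"", "", true}, {"us-east-1", "us-gov-west-1", true}, {"us-gov-east-1", "us-gov-west-1", true},
	}
	for _, c := range cases {
		v, write := resolveRosaRegionTag(c.current, c.flag, c.fedramp)
		fmt.Printf("current=%q --region=%q fedramp=%v => %q (write=%v)\n", c.current, c.flag, c.fedramp, v, write)
	}
}
```

The case the PR targets is the fourth row of the FedRAMP group: a tag of us-east-1 on a FedRAMP account is rewritten, while any other existing value is kept.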

openshift-ci Bot (Contributor) commented Apr 16, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Apr 16, 2026

openshift-ci Bot (Contributor) commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jerichokeyne

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented Apr 16, 2026

Walkthrough

This pull request introduces FedRAMP-aware region selection throughout the codebase. A new constant DefaultGovcloudRegion is added for the GovCloud region identifier. The CloudFormation stack operations now select between GovCloud and standard regions based on FedRAMP enablement status when the AWS region is unspecified. Region filtering in the regions list is updated to query database regions with a FedRAMP-aware search filter. Error message formatting is normalized to lowercase across multiple functions. Test expectations are updated to align with the new message formats and region selection behavior. No control flow or error handling logic is altered beyond the region selection and filtering additions.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding better logic for setting the rosa_region tag, and includes the Jira ticket reference. |
| Description check | ✅ Passed | The PR description covers all major required sections: summary, detailed issue description, related Jira ticket, type of change, previous/new behavior, testing steps, and verification checklist completion. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifications to test files only update test expectations and assertions within test bodies, not test titles. Ginkgo test declarations remain stable and deterministic without dynamic information. |
| Test Structure And Quality | ✅ Passed | Test changes are minimal and do not introduce violations of custom check requirements. Error message updates, lint directives, and variable type inference changes maintain existing test structure without worsening pre-existing issues. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e test blocks were added; only existing test assertions and error messages were updated. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added; modifications are limited to error message updates and linter directives on pre-existing tests. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only ROSA CLI AWS integration code with no Kubernetes manifests, operator code, or scheduling constraints. |
| Ote Binary Stdout Contract | ✅ Passed | No process-level stdout writes detected. Modified files contain only constant additions, function implementations, and test updates without entry-point functions. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR does not add new Ginkgo e2e tests; only modifies existing test assertions and error message validations. |

openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Apr 16, 2026

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/ocm/regions.go`:
- Around line 100-101: In pkg/ocm/regions.go replace fmt.Errorf calls that
format wrapped errors with %v or %s to use %w so callers can use errors.Is/As;
specifically update the error returns whose messages start with "error creating
AWS client", and the other fmt.Errorf occurrences in the same file (the ones
that currently interpolate err with %v/%s around the AWS client and related
error messages) to use %w and pass the original err as the last argument,
leaving the rest of the message intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: df62408d-e907-41c1-a4b7-206a9956c84d

📥 Commits

Reviewing files that changed from the base of the PR and between c6c95de and 97164d9.

📒 Files selected for processing (5)
  • pkg/aws/client.go
  • pkg/aws/cloudformation.go
  • pkg/ocm/regions.go
  • tests/e2e/test_rosacli_cluster.go
  • tests/e2e/test_rosacli_region.go

Comment thread pkg/ocm/regions.go
Comment on lines +100 to 101
return nil, fmt.Errorf("error creating AWS client: %v", err)
}

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify remaining non-wrapping fmt.Errorf(err) patterns in this file.
rg -nP --type=go 'fmt\.Errorf\(".*%(v|s)".*,\s*err\)' pkg/ocm/regions.go

Repository: openshift/rosa

Length of output: 375


Use %w for error formatting to enable errors.Is/As unwrapping.

Lines 100, 107, 117, and 155 use %v/%s with error values, preventing callers from using errors.Is/As to check the underlying error types. Change these to %w for proper error chain handling.

Suggested patch
-			return nil, fmt.Errorf("error creating AWS client: %v", err)
+			return nil, fmt.Errorf("error creating AWS client: %w", err)
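Review bot: On the "error creating AWS client" return, moving from %v to %w changes more than formatting: the wrapped error becomes reachable through errors.Is/As, so callers can start depending on whatever error type the client constructor returns. If that is intended, add a test that asserts errors.Is or errors.As on the returned error so a later edit back to %v is caught; if it is not, keep %v here and say so in a comment.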
@@
-			return nil, fmt.Errorf("failed to get local AWS credentials: %v", err)
+			return nil, fmt.Errorf("failed to get local AWS credentials: %w", err)
@@
-		return nil, fmt.Errorf("failed to build AWS credentials for user '%s': %v", aws.AdminUserName, err)
+		return nil, fmt.Errorf("failed to build AWS credentials for user '%s': %w", aws.AdminUserName, err)
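Review bot: In the "failed to build AWS credentials for user '%s'" message, the hand-written quotes around %s could be replaced with %q, which quotes the name and escapes any unusual characters in it. That switches the output from single to double quotes, so any test that matches this message text would need the same update; if the quoting style is meant to stay as is, leave '%s' and take only the %w change.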
@@
-		err = fmt.Errorf("failed to retrieve AWS regions: %s", err)
+		err = fmt.Errorf("failed to retrieve AWS regions: %w", err)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
return nil, fmt.Errorf("error creating AWS client: %v", err)
}
return nil, fmt.Errorf("error creating AWS client: %w", err)
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/ocm/regions.go` around lines 100 - 101, In pkg/ocm/regions.go replace
fmt.Errorf calls that format wrapped errors with %v or %s to use %w so callers
can use errors.Is/As; specifically update the error returns whose messages start
with "error creating AWS client", and the other fmt.Errorf occurrences in the
same file (the ones that currently interpolate err with %v/%s around the AWS
client and related error messages) to use %w and pass the original err as the
last argument, leaving the rest of the message intact.
