Merge pull request #2437 from yingzhanredhat/ying-auto

OCM-10674 | test: automated ids:59547,62161

tests/e2e/test_rosacli_cluster.go

@@ -2461,6 +2461,82 @@ var _ = Describe("HCP cluster creation negative testing",
  "ERR: Expected a valid value for audit log arn matching ^arn:aws"))
  })
 
+ It("to validate role's managed policy when creating hcp cluster - [id:59547]",
+ labels.Medium, labels.Runtime.Day1Negative,
+ func() {
+ By("Create managed account-roles and make sure some ones are not attached the managed policies.")
+ clusterService = rosaClient.Cluster
+ ocmResourceService := rosaClient.OCMResource
+ var arbitraryPolicyService rosacli.PolicyService
+ accountRolePrefix := "test-59547"
+ _, err := ocmResourceService.CreateAccountRole(
+ "--mode", "auto",
+ "--prefix", accountRolePrefix,
+ "--hosted-cp",
+ "-y")
+ Expect(err).To(BeNil())
+ defer func() {
+ if accountRolePrefix != "" {
+ By("Delete the account-roles")
+ rosaClient.Runner.UnsetArgs()
+ _, err := ocmResourceService.DeleteAccountRole("--mode", "auto",
+ "--hosted-cp",
+ "--prefix", accountRolePrefix,
+ "-y")
+ Expect(err).To(BeNil())
+ }
+ }()
+
+ arl, _, err := ocmResourceService.ListAccountRole()
+ Expect(err).To(BeNil())
+ ar := arl.DigAccountRoles(accountRolePrefix, true)
+
+ By("Create cluster with the account roles ")
+ clusterName := common.GenerateRandomName("ocp-59547", 2)
+ replacingFlags := map[string]string{
+ "-c": clusterName,
+ "--cluster-name": clusterName,
+ "--domain-prefix": clusterName,
+ "--role-arn": ar.InstallerRole,
+ "--support-role-arn": ar.SupportRole,
+ "--worker-iam-role": ar.WorkerRole,
+ }
+ var accountRoles = make(map[string]string)
+ arnPrefix := "arn:aws:iam::aws:policy/service-role"
+ for _, r := range arl.AccountRoles(accountRolePrefix) {
+ switch r.RoleType {
+ case "Installer":
+ accountRoles[r.RoleName] = fmt.Sprintf("%s/ROSAInstallerPolicy",
+ arnPrefix)
+ case "Support":
+ accountRoles[r.RoleName] = fmt.Sprintf("%s/ROSASRESupportPolicy",
+ arnPrefix)
+ case "Worker": // nolint:goconst
+ accountRoles[r.RoleName] = fmt.Sprintf("%s/ROSAWorkerInstancePolicy",
+ arnPrefix)
+ }
+ }
+
+ arbitraryPolicyService = rosaClient.Policy
+ for r, p := range accountRoles {
+ _, err := arbitraryPolicyService.DetachPolicy(r, []string{p}, "--mode", "auto")
+ Expect(err).To(BeNil())
+ By("Create cluster with the account roles")
+ rosalCommand.ReplaceFlagValue(replacingFlags)
+
+ out, err := rosaClient.Runner.RunCMD(strings.Split(rosalCommand.GetFullCommand(), " "))
+ Expect(err).To(HaveOccurred())
+ Expect(out.String()).
+ To(
+ ContainSubstring(
+ fmt.Sprintf("Failed while validating account roles: role"+
+ " '%s' is missing the attached managed policy '%s'", r, p)))
+
+ By("Attach the deleted managed policies")
+ _, err = arbitraryPolicyService.AttachPolicy(r, []string{p}, "--mode", "auto")
+ Expect(err).To(BeNil())
+ }
+ })
  })
 
 var _ = Describe("Create cluster with availability zones testing",

tests/e2e/test_rosacli_upgrade.go

@@ -891,6 +891,82 @@ var _ = Describe("ROSA HCP cluster upgrade",
  ContainSubstring("INFO: Successfully canceled scheduled upgrade on cluster '%s'",
  clusterID))
  })
+
+ It("to validate role's policy when upgrade hcp cluster - [id:62161]",
+ labels.Medium, labels.Runtime.Day2, labels.Runtime.Upgrade,
+ func() {
+ By("update operator-roles for hcp cluster")
+ ocmResourceService := rosaClient.OCMResource
+ output, err := ocmResourceService.UpgradeOperatorRoles(
+ "--cluster", clusterID,
+ "--mode", "auto",
+ "-y",
+ )
+ Expect(err).To(BeNil())
+ Expect(output.String()).To(ContainSubstring("operator roles have attached managed policies. " +
+ "An upgrade isn't needed"))
+
+ var arbitraryPolicyService rosacli.PolicyService
+ output, err = clusterService.DescribeCluster(clusterID)
+ Expect(err).To(BeNil())
+ CD, err := clusterService.ReflectClusterDescription(output)
+ Expect(err).To(BeNil())
+
+ awsClient, err := aws_client.CreateAWSClient("", "")
+ Expect(err).To(BeNil())
+ var rolePolicyMap = make(map[string]string)
+ roles := []string{CD.STSRoleArn, CD.SupportRoleARN, CD.InstanceIAMRoles[0]["Worker"]}
+ for _, policyArn := range roles {
+ _, accountRoleName, err := common.ParseRoleARN(policyArn)
+ Expect(err).To(BeNil())
+ attachedPolicy, err := awsClient.ListAttachedRolePolicies(accountRoleName)
+ Expect(err).To(BeNil())
+ rolePolicyMap[accountRoleName] = *attachedPolicy[0].PolicyArn
+ }
+
+ for _, policyArn := range CD.OperatorIAMRoles {
+ _, operatorRoleName, err := common.ParseRoleARN(policyArn)
+ Expect(err).To(BeNil())
+ attachedPolicy, err := awsClient.ListAttachedRolePolicies(operatorRoleName)
+ Expect(err).To(BeNil())
+ rolePolicyMap[operatorRoleName] = *attachedPolicy[0].PolicyArn
+ }
+
+ By("detach managed policies from account role and operator role and update cluster")
+ arbitraryPolicyService = rosaClient.Policy
+ upgradeVersion := zStreamVersion
+ if zStreamVersion == "" {
+ upgradeVersion = yStreamVersion
+ }
+ for r, p := range rolePolicyMap {
+ _, err := arbitraryPolicyService.DetachPolicy(r, []string{p}, "--mode", "auto")
+ Expect(err).To(BeNil())
+ defer arbitraryPolicyService.AttachPolicy(r, []string{p}, "--mode", "auto")
+
+ By("upgrade cluster with account roles which is detached managed policies")
+ scheduledDate := time.Now().Format("2006-01-02")
+ scheduledTime := time.Now().Add(10 * time.Minute).UTC().Format("15:04")
+ output, err = upgradeService.Upgrade(
+ "-c", clusterID,
+ "--version", upgradeVersion,
+ "--schedule-date", scheduledDate,
+ "--schedule-time", scheduledTime,
+ "--control-plane",
+ "--mode", "manual",
+ "-y",
+ )
+ Expect(err).To(HaveOccurred())
+ Expect(output.String()).
+ To(
+ ContainSubstring(
+ fmt.Sprintf("Failed while validating managed policies: role"+
+ " '%s' is missing the attached managed policy '%s'", r, p)))
+
+ By("Attach the deleted managed policies")
+ _, err = arbitraryPolicyService.AttachPolicy(r, []string{p}, "--mode", "auto")
+ Expect(err).To(BeNil())
+ }
+ })
  })
 
 func FindUpperYStreamVersion(v rosacli.VersionService, channelGroup string, clusterVersion string) (string, string,