SPLAT-2743: aws/ccm - remove inline iam policy patch#8835
Conversation
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@mtulio: This pull request references SPLAT-2743 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Skipping CI for Draft Pull Request. |
|
/test ? |
📝 WalkthroughWalkthrough
🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
/test e2e-conformance e2e-aws-ovn-conformance-techpreview |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mtulio The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
3f8f85d to
69b4008
Compare
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
cmd/infra/aws/iam.go (1)
938-987: 🎯 Functional Correctness | 🟠 MajorRemove the CCM inline policy entirely.
Action: []is not a valid IAM statement, soPutRolePolicywill reject this document; the shared-role path still writes the same invalid policy, so this patch needs to drop the CCM branch instead of emitting an empty statement.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/infra/aws/iam.go` around lines 938 - 987, The CCM inline policy in the role policy setup is invalid because it uses an empty Action list, so the current CCM branch in iam.go will be rejected by IAM. Remove the CCM policy creation path entirely from the shared-role and separate-role handling around the ccmPolicyStatement / ccmRoleName logic, and keep only the ingress role policy updates via PutRolePolicy. Make sure any references to the CCM policy document are deleted so no empty-statement policy is emitted.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@cmd/infra/aws/iam.go`:
- Around line 938-987: The CCM inline policy in the role policy setup is invalid
because it uses an empty Action list, so the current CCM branch in iam.go will
be rejected by IAM. Remove the CCM policy creation path entirely from the
shared-role and separate-role handling around the ccmPolicyStatement /
ccmRoleName logic, and keep only the ingress role policy updates via
PutRolePolicy. Make sure any references to the CCM policy document are deleted
so no empty-statement policy is emitted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 4a06ce93-7fc9-48bf-877c-eec094f9d472
📒 Files selected for processing (1)
cmd/infra/aws/iam.go
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8835 +/- ##
==========================================
- Coverage 43.01% 43.01% -0.01%
==========================================
Files 766 766
Lines 94769 94746 -23
==========================================
- Hits 40765 40751 -14
+ Misses 51185 51176 -9
Partials 2819 2819
... and 1 file with indirect coverage changes
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Removing patch on shared inline policy as managed policy ROSAKubeControllerPolicy has been updated to AWS with those permissions: Related: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy.html https://redhat.atlassian.net/browse/ROSAENG-21795 https://redhat.atlassian.net/browse/SPLAT-2743
69b4008 to
518ffaf
Compare
|
this PR is waiting for updates on #8401 /hold |
|
I now have the complete picture. Here is the analysis: Test Failure Analysis CompleteJob Information
Test Failure AnalysisErrorSummaryBoth Codecov check failures are caused by a single uncovered line in the PR diff. The PR modifies Root CauseThe root cause is lack of unit test coverage for the modified code path, not a product bug or test regression. The PR changes one executable line — the codecov/patch failure: The patch coverage target is 43.01% (matching project baseline). The diff achieves 0%, failing the threshold. codecov/project failure: The PR removes 10 lines (some covered) and adds 1 uncovered line. Net effect: 23 fewer lines, 14 fewer hits, 9 fewer misses → overall coverage drops by 0.01% from 43.02% to 43.01%. The project check fails because coverage decreased relative to the base commit This is a cosmetic/configuration-level failure. The change is a trivial policy string modification (emptying an Action array), and the function it lives in requires AWS API mocking to test — it has never been covered by unit tests. Recommendations
Evidence
|
What this PR does / why we need it:
This PR removes inline policies added when the managed policies were not updated, now AWS has published the policy we don't need those permissions anymore. References:
Which issue(s) this PR fixes:
Fixes
Special notes for your reviewer:
Checklist:
Summary by CodeRabbit