From c03b4f61ab749f90ab2d6fd4c14aa94d61b253ce Mon Sep 17 00:00:00 2001 From: Federico Maleh Date: Tue, 9 Sep 2025 23:29:12 -0300 Subject: [PATCH 1/5] Do not try to delete dns record if no domain --- k8s/scope/networking/dns/manage_dns | 6 ++++++ k8s/scope/networking/dns/route53/manage_route | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/k8s/scope/networking/dns/manage_dns b/k8s/scope/networking/dns/manage_dns index a2ab62e3..eed162f9 100755 --- a/k8s/scope/networking/dns/manage_dns +++ b/k8s/scope/networking/dns/manage_dns @@ -5,6 +5,12 @@ set -euo pipefail echo "Managing DNS records" echo "DNS Type: $DNS_TYPE" echo "Action: $ACTION" +echo "Scope Domain: $SCOPE_DOMAIN" + +if [[ "$ACTION" == "DELETE" ]] && [[ -z "${SCOPE_DOMAIN:-}" || "${SCOPE_DOMAIN:-}" == "To be defined" ]]; then + echo "Skipping route53 action as the scope has no domain" + return 0 +fi case "$DNS_TYPE" in route53) diff --git a/k8s/scope/networking/dns/route53/manage_route b/k8s/scope/networking/dns/route53/manage_route index c9ecd9e1..dcc51acf 100644 --- a/k8s/scope/networking/dns/route53/manage_route +++ b/k8s/scope/networking/dns/route53/manage_route @@ -74,12 +74,12 @@ for ZONE_ID in "${HOSTED_ZONES[@]}"; do } ] }" 2>&1) || { - echo "ERROR: Failed to create Route53 record" + echo "ERROR: Failed to $ACTION Route53 record" echo "Zone ID: $ZONE_ID" echo "AWS Error: $ROUTE53_OUTPUT" echo "This often happens when the agent lacks Route53 permissions" exit 1 } - echo "Successfully created Route53 record" + echo "Successfully $ACTION Route53 record" done From 002b73313e216a91c4edb76b5c60319e0f74a727 Mon Sep 17 00:00:00 2001 From: Federico Maleh Date: Tue, 9 Sep 2025 23:38:28 -0300 Subject: [PATCH 2/5] Do not fail if Route53 Record does not exist when deleting scope --- k8s/scope/networking/dns/route53/manage_route | 6 ++++++ 1 file changed, 6 insertions(+) 
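Review bot: The new guard `[[ -z "${SCOPE_DOMAIN:-}" || ... ]]` can never see the unset case, because the line added just above it, `echo "Scope Domain: $SCOPE_DOMAIN"`, expands the variable unguarded while the script runs under `set -euo pipefail` (shown in the hunk header), so an unset SCOPE_DOMAIN aborts with an unbound-variable error before the skip is reached. Change that line to `echo "Scope Domain: ${SCOPE_DOMAIN:-}"`. Separately, `return 0` at file scope only works when manage_dns is sourced; the file is mode 100755 per the diff header, so if it is ever executed directly the `return` fails and, under `set -e`, the intended skip becomes a non-zero exit — confirm it is always sourced, or use `exit 0`. The `case "$DNS_TYPE"` dispatch that follows continues outside the hunk.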
diff --git a/k8s/scope/networking/dns/route53/manage_route b/k8s/scope/networking/dns/route53/manage_route index dcc51acf..de92c25c 100644 --- a/k8s/scope/networking/dns/route53/manage_route +++ b/k8s/scope/networking/dns/route53/manage_route @@ -74,6 +74,12 @@ for ZONE_ID in "${HOSTED_ZONES[@]}"; do } ] }" 2>&1) || { + + if [[ "$ACTION" == "DELETE" ]] && [[ "$ROUTE53_OUTPUT" == *"InvalidChangeBatch"* ]] && [[ "$ROUTE53_OUTPUT" == *"but it was not found"* ]]; then + echo "Route53 record for $SCOPE_DOMAIN was already deleted or never created in zone $ZONE_ID" + continue + fi + echo "ERROR: Failed to $ACTION Route53 record" echo "Zone ID: $ZONE_ID" echo "AWS Error: $ROUTE53_OUTPUT" From e769d39e906d7ddd5be2c9d11a285daf63ccb8b6 Mon Sep 17 00:00:00 2001 From: Federico Maleh Date: Tue, 9 Sep 2025 23:40:24 -0300 Subject: [PATCH 3/5] Enable IAM for tests --- k8s/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/values.yaml b/k8s/values.yaml index 8acb9f34..64d4fe73 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -22,7 +22,7 @@ configuration: # VAULT_ADDR: "http://localhost:8200" # VAULT_TOKEN: "myroot" IAM: - ENABLED: false + ENABLED: true # PREFIX: nullplatform-scopes # ROLE: # POLICIES: From effc3b69ffb5ed0c22ec65d2b5f6ce0e0443a5bd Mon Sep 17 00:00:00 2001 From: Federico Maleh Date: Tue, 9 Sep 2025 23:50:50 -0300 Subject: [PATCH 4/5] Skip role deletion if it does not exist --- k8s/scope/iam/build_service_account | 5 +++++ k8s/scope/iam/delete_role | 12 ++++++++++++ k8s/scope/networking/dns/route53/manage_route | 2 +- k8s/scope/workflows/create.yaml | 2 ++ k8s/scope/workflows/delete.yaml | 2 ++ 5 files changed, 22 insertions(+), 1 deletion(-) diff --git a/k8s/scope/iam/build_service_account b/k8s/scope/iam/build_service_account index 15c820ed..b3f52676 100644 --- a/k8s/scope/iam/build_service_account +++ b/k8s/scope/iam/build_service_account 
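Review bot: The new skip branch keys on two substrings of the AWS CLI's human-readable error text (`InvalidChangeBatch` and `but it was not found`), so a wording change in a future CLI release would silently turn this idempotent delete back into a hard failure, and nothing in the code records why those two strings were chosen. At minimum add a comment above the `if`, e.g. `# A DELETE of a record that is already gone surfaces as InvalidChangeBatch with "... but it was not found"; treat it as already deleted rather than failing the scope deletion`, and preferably check the record's existence with `aws route53 list-resource-record-sets` before issuing the change batch so the decision does not depend on error prose. The `ROUTE53_OUTPUT=$(... 2>&1) || {` assignment that feeds this check and the enclosing `for ZONE_ID` loop both begin outside the hunk.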
@@ -23,6 +23,11 @@ SERVICE_ACCOUNT_NAME=$(echo "$IAM" | jq -r .PREFIX)-"$SCOPE_ID" echo "Looking for IAM role: $SERVICE_ACCOUNT_NAME" ROLE_ARN=$(aws iam get-role --role-name "$SERVICE_ACCOUNT_NAME" --query 'Role.Arn' --output text 2>&1) || { + if [[ "${ACTION:-}" == "delete" ]] && [[ "$ROLE_ARN" == *"NoSuchEntity"* ]] && [[ "$ROLE_ARN" == *"cannot be found"* ]]; then + echo "IAM role '$SERVICE_ACCOUNT_NAME' does not exist, skipping service account deletion" + return 0 + fi + echo "ERROR: Failed to find IAM role '$SERVICE_ACCOUNT_NAME'" echo "AWS Error: $ROLE_ARN" echo "Make sure the role exists and you have IAM permissions" diff --git a/k8s/scope/iam/delete_role b/k8s/scope/iam/delete_role index 08bfc678..3a9eb826 100755 --- a/k8s/scope/iam/delete_role +++ b/k8s/scope/iam/delete_role @@ -11,6 +11,18 @@ if [[ "$IAM_ENABLED" == "false" || "$IAM_ENABLED" == "null" ]]; then return fi +ROLE_ARN=$(aws iam get-role --role-name "$SERVICE_ACCOUNT_NAME" --query 'Role.Arn' --output text 2>&1) || { + if [[ "$ROLE_ARN" == *"NoSuchEntity"* ]] && [[ "$ROLE_ARN" == *"cannot be found"* ]]; then + echo "IAM role '$SERVICE_ACCOUNT_NAME' does not exist, skipping role deletion" + return 0 + fi + + echo "ERROR: Failed to find IAM role '$SERVICE_ACCOUNT_NAME'" + echo "AWS Error: $ROLE_ARN" + echo "Make sure the role exists and you have IAM permissions" + exit 1 +} + ROLE_NAME=$(echo "$IAM" | jq -r .PREFIX)-"$SCOPE_ID" echo "Detaching managed policies..." diff --git a/k8s/scope/networking/dns/route53/manage_route b/k8s/scope/networking/dns/route53/manage_route index de92c25c..5a415b65 100644 --- a/k8s/scope/networking/dns/route53/manage_route +++ b/k8s/scope/networking/dns/route53/manage_route 
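Review bot: The skip compares `"${ACTION:-}"` against lowercase `"delete"`, while manage_dns and manage_route in this same series compare `$ACTION` against uppercase `"DELETE"`; the create.yaml and delete.yaml hunks set `ACTION: create`/`ACTION: delete` for this step so it matches today, but the comparison is case-sensitive and if one workflow variable ever feeds both scripts one branch silently never fires — pick a single spelling across the scripts, or normalise with `[[ "${ACTION,,}" == "delete" ]]`. Also, `return 0` exits before the script produces the `SERVICE_ACCOUNT_TEMPLATE_PATH` file that delete.yaml declares as this step's output; confirm the workflow runner tolerates a missing output on the delete path. The `|| {` error group containing this check starts inside the hunk, but the rest of build_service_account is outside it.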
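Review bot: The added existence check queries `--role-name "$SERVICE_ACCOUNT_NAME"`, but nothing visible in delete_role sets that variable — the script computes its own `ROLE_NAME=$(echo "$IAM" | jq -r .PREFIX)-"$SCOPE_ID"` on the very next context line and presumably uses `$ROLE_NAME` for the detach and delete calls that follow outside the hunk. Unless SERVICE_ACCOUNT_NAME is exported by an earlier workflow step, the lookup runs against an empty or unset name (aborting outright if the script uses `set -u`), so the "does not exist, skipping" path never fires for the role actually being deleted. Move the check below the `ROLE_NAME=` line and use `--role-name "$ROLE_NAME"`, with `$ROLE_NAME` in the two messages as well.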
@@ -76,7 +76,7 @@ for ZONE_ID in "${HOSTED_ZONES[@]}"; do }" 2>&1) || { if [[ "$ACTION" == "DELETE" ]] && [[ "$ROUTE53_OUTPUT" == *"InvalidChangeBatch"* ]] && [[ "$ROUTE53_OUTPUT" == *"but it was not found"* ]]; then - echo "Route53 record for $SCOPE_DOMAIN was already deleted or never created in zone $ZONE_ID" + echo "Route53 record for $SCOPE_DOMAIN does not exist in zone $ZONE_ID, skipping deletion" continue fi diff --git a/k8s/scope/workflows/create.yaml b/k8s/scope/workflows/create.yaml index e8f19841..c57caa2a 100644 --- a/k8s/scope/workflows/create.yaml +++ b/k8s/scope/workflows/create.yaml @@ -22,6 +22,8 @@ steps: - name: build service account type: script file: "$SERVICE_PATH/scope/iam/build_service_account" + configuration: + ACTION: create output: - name: SERVICE_ACCOUNT_TEMPLATE_PATH type: file diff --git a/k8s/scope/workflows/delete.yaml b/k8s/scope/workflows/delete.yaml index 6022c44f..541f53ad 100644 --- a/k8s/scope/workflows/delete.yaml +++ b/k8s/scope/workflows/delete.yaml @@ -36,6 +36,8 @@ steps: - name: build service account type: script file: "$SERVICE_PATH/scope/iam/build_service_account" + configuration: + ACTION: delete output: - name: SERVICE_ACCOUNT_TEMPLATE_PATH type: file From 5d935ae59bb642cba5a556f4ae85ae4d657fdecf Mon Sep 17 00:00:00 2001 From: Federico Maleh Date: Tue, 9 Sep 2025 23:52:25 -0300 Subject: [PATCH 5/5] Disable IAM role --- k8s/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/values.yaml b/k8s/values.yaml index 64d4fe73..8acb9f34 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -22,7 +22,7 @@ configuration: # VAULT_ADDR: "http://localhost:8200" # VAULT_TOKEN: "myroot" IAM: - ENABLED: true + ENABLED: false # PREFIX: nullplatform-scopes # ROLE: # POLICIES: