Closed shivpathak closed 3 years ago
@shivpathak I'm not sure what we can do about that on the operator side? Of course we cannot delete a Policy before a PolicyAttachment. But the user has to be aware of that order. Right now the operator should give an error if you try to delete in the wrong order. Is this not the case?
I think the operator should throw an error if you're trying to delete in the wrong order, and once you delete the right object, it should finish deletion.
Here we check for existing Attachments: https://github.com/redradrat/aws-iam-operator/blob/54e6ee578c70905a8312aa20102a25b0fcb04358/controllers/policy_controller.go#L160-L175
Here we fail if there was a "cleanup" error: https://github.com/redradrat/aws-iam-operator/blob/54e6ee578c70905a8312aa20102a25b0fcb04358/controllers/policy_controller.go#L89-L114
So as soon as the PolicyAttachment is gone, the deletion should cascade.
Oh I see the issue: the reconcile filter filters out the actual re-runs after failing, due to the generation already being increased. Will move the generation increase to after the reconcile went OK.
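The following is an added example, not code from aws-iam-operator: a stand-alone Go simulation of the failure the maintainer describes above. A Policy is deleted before its PolicyAttachment, the controller returns a cleanup error while attachments remain, and a generation-based filter decides whether a requeued run is processed. The names (`Policy`, `PolicyAttachment`, `shouldReconcile`, `runDeletion`), the in-memory cluster state and the assumption that a delete request shows up as a new generation are all modelling assumptions for illustration; the point is the ordering of "record observed generation" relative to "work succeeded".

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal in-memory model of the two resources (illustration only, not the operator's types).
type Policy struct {
	Name               string
	Generation         int64 // bumped by the API server on spec changes
	ObservedGeneration int64 // last generation the controller recorded as handled
	Deleting           bool  // stands in for a set deletionTimestamp
	HasFinalizer       bool
}

type PolicyAttachment struct {
	PolicyRef string // name of the Policy it attaches
}

type Cluster struct {
	Policies    map[string]*Policy
	Attachments []PolicyAttachment
}

// ErrStillAttached is the "cleanup" error returned while attachments remain.
var ErrStillAttached = errors.New("policy still has PolicyAttachments; delete them first")

// newCluster builds constructed sample state: one Policy with one PolicyAttachment pointing at it.
func newCluster() *Cluster {
	return &Cluster{
		Policies:    map[string]*Policy{"p1": {Name: "p1", Generation: 1, ObservedGeneration: 1, HasFinalizer: true}},
		Attachments: []PolicyAttachment{{PolicyRef: "p1"}},
	}
}

// hasAttachments is the "check for existing attachments" step.
func (c *Cluster) hasAttachments(policy string) bool {
	for _, a := range c.Attachments {
		if a.PolicyRef == policy {
			return true
		}
	}
	return false
}

// shouldReconcile models a generation filter: skip an object whose current
// generation has already been recorded as observed.
func shouldReconcile(p *Policy) bool {
	return p.Generation != p.ObservedGeneration
}

// reconcile runs one pass. bumpBeforeWork reproduces the bug: ObservedGeneration is
// recorded before the work succeeded, so a failed pass still marks the generation handled.
func reconcile(c *Cluster, p *Policy, bumpBeforeWork bool) error {
	if bumpBeforeWork {
		p.ObservedGeneration = p.Generation
	}
	if p.Deleting {
		if c.hasAttachments(p.Name) {
			return ErrStillAttached // fail; the controller requeues
		}
		// Cleanup succeeded: drop the finalizer, and the object goes away.
		p.HasFinalizer = false
		delete(c.Policies, p.Name)
	}
	if !bumpBeforeWork {
		p.ObservedGeneration = p.Generation
	}
	return nil
}

// runDeletion deletes the Policy in the wrong order (before its attachment), removes the
// attachment after two passes, and reports whether the Policy disappeared and how many
// reconcile passes actually ran (filtered re-runs are not counted).
func runDeletion(bumpBeforeWork bool) (deleted bool, passes int) {
	c := newCluster()
	p := c.Policies["p1"]
	p.Deleting = true
	p.Generation++ // modelling assumption: the delete request yields a new generation
	for attempt := 0; attempt < 5; attempt++ {
		if attempt == 2 {
			c.Attachments = nil // the user now deletes the PolicyAttachment
		}
		if !shouldReconcile(p) {
			continue // the filter drops this re-run
		}
		passes++
		if err := reconcile(c, p, bumpBeforeWork); err != nil {
			continue // requeue and try again
		}
		if _, exists := c.Policies["p1"]; !exists {
			return true, passes
		}
	}
	return false, passes
}

func main() {
	for _, buggy := range []bool{true, false} {
		deleted, passes := runDeletion(buggy)
		fmt.Printf("bump-before-work=%v: deleted=%v after %d reconcile passes\n", buggy, deleted, passes)
	}
}
```

With the bump before the work, the first failed pass marks the generation as observed, every later re-run is filtered, and the Policy stays stuck behind its finalizer even after the attachment is gone. With the bump moved after a successful pass, the re-runs keep failing until the attachment is removed and the deletion then completes on its own.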
Currently, IAM objects should be deleted in the following order to get them cleaned up properly in the k8s cluster:
If we shuffle the above-mentioned object order during deletion, it gets stuck and we have to patch the finalizer and remove the IAM objects (e.g. role/user) manually in the AWS Console.