What happened?
Destroy a cluster in us-east-2, but destroyer also tries to search resources in us-east-1:
time="2021-06-08T04:15:11-04:00" level=debug msg="search for matching resources by tag in us-east-2 matching aws.Filter{\"kubernetes.io/cluster/yunjiang-us-m524b\":\"owned\"}"
time="2021-06-08T04:15:11-04:00" level=debug msg="search for matching resources by tag in us-east-2 matching aws.Filter{\"openshiftClusterID\":\"f6ddcdb1-b22d-46f4-b3de-38ea62c4dcf2\"}"
time="2021-06-08T04:15:11-04:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"kubernetes.io/cluster/yunjiang-us-m524b\":\"owned\"}"
time="2021-06-08T04:15:12-04:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"openshiftClusterID\":\"f6ddcdb1-b22d-46f4-b3de-38ea62c4dcf2\"}"
This issue also affects AWS China regions: destroy a cluster in cn-north-1, but it also searches resources in cn-northwest-1.
OCP version: 4.8.0-0.nightly-2021-06-08-005718
What did you expect to happen?
Destroyer should not search resources in other regions.
For the public AWS partition, this is the correct behavior. The us-east-1 region must be searched in order to find non-region resources. The resourcetaggingapi requires that the region be set to us-east-1 for those resources. For the China AWS partition, it is incorrect to search in cn-northwest-1 when the installed region is cn-north-1. Those two regions are really separate partitions rather than simply separate regions. There are no resources that span those regions.
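
The following Go example is added here and is not code from the installer or from any commenter. It applies the rule stated in the comment above to destroyer debug logs and reports tag searches in regions that the rule does not allow. The function names, the `cn-` prefix test for China regions and the sample log lines are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// searchRe matches the destroyer's tag-search debug message in both log
// layouts quoted in this thread and captures the region name.
var searchRe = regexp.MustCompile(`search for matching resources by tag in (\S+) matching`)

// Constructed sample log for a cluster installed in cn-north-1 (not real output).
const sampleLog = `level=debug msg=search for matching resources by tag in cn-north-1 matching aws.Filter{"openshiftClusterID":"constructed-id"}
level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"openshiftClusterID":"constructed-id"}
level=debug msg=search for matching resources by tag in us-east-1 matching aws.Filter{"openshiftClusterID":"constructed-id"}`

// expectedRegions returns the regions a tag search may touch for a cluster
// installed in the given region, following the rule stated in the thread.
// Assumption: a "cn-" prefix identifies a China region. Partitions the thread
// does not discuss (for example GovCloud) are not modelled here.
func expectedRegions(installed string) map[string]bool {
	allowed := map[string]bool{installed: true}
	if !strings.HasPrefix(installed, "cn-") {
		allowed["us-east-1"] = true // non-region resources in the public partition
	}
	return allowed
}

// unexpectedSearchRegions returns, in first-seen order, each region searched
// in the log that is outside the expected set for the installed region.
func unexpectedSearchRegions(installed, log string) []string {
	allowed := expectedRegions(installed)
	seen := map[string]bool{}
	var out []string
	for _, line := range strings.Split(log, "\n") {
		m := searchRe.FindStringSubmatch(line)
		if m == nil || allowed[m[1]] || seen[m[1]] {
			continue
		}
		seen[m[1]] = true
		out = append(out, m[1])
	}
	return out
}

func main() {
	fmt.Println(unexpectedSearchRegions("cn-north-1", sampleLog))
}
```
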
Needs prioritized.
verify failed.
OCP version: 4.9.0-0.nightly-2021-08-25-231643
destroyer was trying to search resources on us-east-1 while destroying a cluster on cn-northwest-1, is it correct?
08-26 13:57:46.943 level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"kubernetes.io/cluster/yunjiang-bzcn4-kwjpr":"owned"}
08-26 13:57:49.567 level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"openshiftClusterID":"86c849bb-4ecb-4d55-9e79-57cf4642ec50"}
08-26 13:57:49.842 level=debug msg=search for matching resources by tag in us-east-1 matching aws.Filter{"kubernetes.io/cluster/yunjiang-bzcn4-kwjpr":"owned"}
verified. PASS. OCP version: 4.9.0-0.nightly-2021-08-29-010334
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
Hi Team,
Sorry to re-open this BZ, but we have a customer who is facing the same issue with the 4.9.18 installer. The cluster is installed in the ap-southeast-1 region, but the installer failed to destroy the cluster as it tries to access some resources from us-east-1:
~~~
time="2022-02-19T14:26:32+08:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"kubernetes.io/cluster/<customerclusterid-abc123>\":\"owned\"}"
time="2022-02-19T14:26:33+08:00" level=info msg="get tagged resources: AccessDeniedException: User: arn:aws:iam::<IAM_ID>:user/ocp_user is not authorized to perform: tag:GetResources with an explicit deny in a service control policy\n\tstatus code: 400, request id: <id>"
~~~
The customer doesn't have any permission in us-east-1.
@vlours
1. Do not re-open a BZ that has already been closed and added to errata. If you feel that the issue addressed by the BZ still exists, open a new BZ.
2. The issue that your customer is facing is not the same issue as this BZ. Moreover, the issue that your customer is facing is the expected behavior and not a bug.