| 1965 | } |
| 1966 | |
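// ListIAMRoles returns the IAM roles owned by the cluster clusterName as
// resource trackers whose Deleter is DeleteIAMRole.
//
// ListRoles does not return tags, so every role in the account is fetched
// with GetRole and its tags are inspected; a role counts as owned when it
// carries the tag "kubernetes.io/cluster/<clusterName>" with the value
// "owned". vpcID is part of the lister signature and is not used here.
//
// Roles that disappear between ListRoles and GetRole, or whose ownership
// cannot be determined because GetRole is refused, are logged and skipped
// rather than failing the whole listing. Any other API error is returned
// wrapped, so callers can inspect it with errors.As / errors.Is.
func ListIAMRoles(cloud fi.Cloud, vpcID, clusterName string) ([]*resources.Resource, error) {
	ctx := context.TODO()
	// Callers are expected to pass an AWS cloud; any other implementation
	// panics on this assertion.
	c := cloud.(awsup.AWSCloud)
	iamClient := c.IAM()

	ownershipTag := "kubernetes.io/cluster/" + clusterName

	var resourceTrackers []*resources.Resource
	paginator := iam.NewListRolesPaginator(iamClient, &iam.ListRolesInput{})
	for paginator.HasMorePages() {
		page, err := paginator.NextPage(ctx)
		if err != nil {
			// %w keeps the SDK error in the chain, consistent with the GetRole error below.
			return nil, fmt.Errorf("error listing IAM roles: %w", err)
		}
		for _, r := range page.Roles {
			name := aws.ToString(r.RoleName)

			roleOutput, err := iamClient.GetRole(ctx, &iam.GetRoleInput{RoleName: r.RoleName})
			if err != nil {
				if awsup.IsIAMNoSuchEntityException(err) {
					klog.Warningf("could not find role %q. Resource may already have been deleted: %v", name, err)
					continue
				}
				// NOTE(review): this compares against the literal code "403"; confirm that
				// AWSErrorCode yields the HTTP status for a refused GetRole, because a
				// code such as AccessDenied would not match here and would fail the listing.
				if awsup.AWSErrorCode(err) == "403" {
					klog.Warningf("failed to determine ownership of %q: %v", name, err)
					continue
				}
				return nil, fmt.Errorf("calling IAM GetRole on %s: %w", name, err)
			}

			for _, tag := range roleOutput.Role.Tags {
				if fi.ValueOf(tag.Key) != ownershipTag || fi.ValueOf(tag.Value) != "owned" {
					continue
				}
				resourceTrackers = append(resourceTrackers, &resources.Resource{
					Name:    name,
					ID:      name,
					Type:    "iam-role",
					Deleter: DeleteIAMRole,
				})
				// One tracker per role is enough; the ownership key cannot repeat on a role.
				break
			}
		}
	}

	return resourceTrackers, nil
}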
| 2014 | |
| 2015 | func DeleteIAMInstanceProfile(cloud fi.Cloud, r *resources.Resource) error { |
| 2016 | ctx := context.TODO() |