aws-load-balancer: pre-install-rosa - create unique WAF ACLs (openshi…

…ft#59728)
yingzhanredhat · Dec 24, 2024 · 848cb24 · 848cb24
1 parent b1eb783
commit 848cb24
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/...istry/aws-load-balancer/post-install-rosa/aws-load-balancer-post-install-rosa-commands.sh b/...istry/aws-load-balancer/post-install-rosa/aws-load-balancer-post-install-rosa-commands.sh
@@ -1,13 +1,11 @@
 #!/bin/bash
 
 set -o nounset
-set -o errexit
-set -o pipefail
 
 AWSCRED="${CLUSTER_PROFILE_DIR}/.awscred"
 REGION="${LEASED_RESOURCE}"
 E2E_INPUT_DIR="${SHARED_DIR}"
-E2E_WAFV2_WEB_ACL_NAME="echoserver-acl"
+E2E_WAFV2_WEB_ACL_NAME="echoserver-acl-${UNIQUE_HASH}"
 
 echo "=> configuring aws"
 if [ -f "${AWSCRED}" ]; then
@@ -20,9 +18,12 @@ fi
 if [ -f "${E2E_INPUT_DIR}/wafv2-webacl" ]; then
     E2E_WAFV2_WEB_ACL_ARN="$(cat ${E2E_INPUT_DIR}/wafv2-webacl)"
     E2E_WAFV2_WEB_ACL_ID="${E2E_WAFV2_WEB_ACL_ARN##*/}"
-    echo "=> deleting e2e wafv2 web acl: ${E2E_WAFV2_WEB_ACL_ARN}"
+    echo "=> getting lock token for e2e wafv2 web acl named ${E2E_WAFV2_WEB_ACL_NAME} with id ${E2E_WAFV2_WEB_ACL_ID}"
     LOCK_TOKEN=$(aws wafv2 get-web-acl --name "${E2E_WAFV2_WEB_ACL_NAME}" --id "${E2E_WAFV2_WEB_ACL_ID}" --scope=REGIONAL --output json | jq -r .LockToken)
-    aws wafv2 delete-web-acl --name "${E2E_WAFV2_WEB_ACL_NAME}" --id "${E2E_WAFV2_WEB_ACL_ID}" --scope=REGIONAL --lock-token "${LOCK_TOKEN}"
+    if [ -n "${LOCK_TOKEN}" ]; then
+        echo "=> deleting e2e wafv2 web acl named ${E2E_WAFV2_WEB_ACL_NAME} with id ${E2E_WAFV2_WEB_ACL_ID}"
+        aws wafv2 delete-web-acl --name "${E2E_WAFV2_WEB_ACL_NAME}" --id "${E2E_WAFV2_WEB_ACL_ID}" --scope=REGIONAL --lock-token "${LOCK_TOKEN}"
+    fi
 else
     echo "=> nothing to do for e2e wafv2 web acl"
 fi
@@ -31,9 +32,12 @@ if [ -f "${E2E_INPUT_DIR}/waf-webacl" ]; then
     # it's possible to create webacls with duplicate name using wafregional,
     # we have to take this case into account
     for id in $(cat "${E2E_INPUT_DIR}/waf-webacl"); do
-        echo "=> deleting e2e wafregional web acl: ${id}"
+        echo "=> getting change token for e2e wafregional web acl: ${id}"
         CHANGE_TOKEN=$(aws waf-regional get-change-token --output json | jq -r .ChangeToken)
-        aws waf-regional delete-web-acl --web-acl-id "${id}" --change-token "${CHANGE_TOKEN}"
+        if [ -n "${CHANGE_TOKEN}" ]; then
+            echo "=> deleting e2e wafregional web acl: ${id}"
+            aws waf-regional delete-web-acl --web-acl-id "${id}" --change-token "${CHANGE_TOKEN}" || true
+        fi
     done
 else
     echo "=> nothing to do for e2e wafregional web acl"

diff --git a/...egistry/aws-load-balancer/pre-install-rosa/aws-load-balancer-pre-install-rosa-commands.sh b/...egistry/aws-load-balancer/pre-install-rosa/aws-load-balancer-pre-install-rosa-commands.sh
@@ -22,8 +22,8 @@ E2E_INPUT_WAFV2_WEBACL="wafv2-webacl"
 E2E_INPUT_WAF_WEBACL="waf-webacl"
 E2E_INPUT_OPERATOR_ROLE_ARN="operator-role-arn"
 E2E_INPUT_CONTROLLER_ROLE_ARN="controller-role-arn"
-E2E_WAFV2_WEB_ACL_NAME="echoserver-acl"
-E2E_WAF_WEB_ACL_NAME="echoserverclassicacl"
+E2E_WAFV2_WEB_ACL_NAME="echoserver-acl-${UNIQUE_HASH}"
+E2E_WAF_WEB_ACL_NAME="echoserverclassicacl${UNIQUE_HASH}"
 
 if [ -f "${AWSCRED}" ]; then
     echo "=> configuring aws"