OCM-4667 | feat: added new warnings to account-role checks and validation for the red-hat-managed tag

olucasfreitas · hunterkepley · commit 16ccc522c783 · 2025-04-22T14:45:09.000-04:00
diff --git a/cmd/create/cluster/cmd.go b/cmd/create/cluster/cmd.go
@@ -1448,6 +1448,8 @@ func run(cmd *cobra.Command, _ []string) {
 			os.Exit(1)
 		}
 
+		r.Reporter.Warnf("Account roles not created by ROSA CLI cannot be listed, updated, or upgraded.")
+
 		if len(roleARNs) > 1 {
 			defaultRoleARN := roleARNs[0]
 			// Prioritize roles with the default prefix
@@ -1497,13 +1499,18 @@ func run(cmd *cobra.Command, _ []string) {
 			if isHostedCP {
 				createAccountRolesCommand = createAccountRolesCommand + " " + hostedCPFlag
 			}
-			r.Reporter.Warnf(fmt.Sprintf("No compatible account roles with version '%s' found. "+
-				"You will need to manually set them in the next steps or run '%s' to create them first.",
-				minor, createAccountRolesCommand))
+			r.Reporter.Warnf("No suitable account with ROSA CLI-created account roles were found. "+
+				"You can manually set them in the next steps or run '%s' to create them first.", createAccountRolesCommand)
 			interactive.Enable()
 		}
 
 		if roleARN != "" {
+			// Check if role has red-hat-managed tag
+			hasTag := roles.CheckHasRedHatManagedTag(roleARN, awsClient)
+			if !hasTag {
+				r.Reporter.Warnf("The role '%s' is not a Red Hat managed role", roleARN)
+			}
+
 			// check if role has hosted cp policy via AWS tag value
 			hostedCPPolicies, err := awsClient.HasHostedCPPolicies(roleARN)
 			if err != nil {
@@ -1559,13 +1566,18 @@ func run(cmd *cobra.Command, _ []string) {
 					if isHostedCP {
 						createAccountRolesCommand = createAccountRolesCommand + " " + hostedCPFlag
 					}
-					r.Reporter.Warnf(fmt.Sprintf("No compatible '%s' account roles with version '%s' found. "+
-						"You will need to manually set them in the next steps or run '%s' to create them first.",
-						role.Name, minor, createAccountRolesCommand))
+					r.Reporter.Warnf("No suitable accounts with ROSA CLI-created account roles were found. "+
+						"You can manually set them in the next steps or run '%s' to create them first.", createAccountRolesCommand)
 					interactive.Enable()
 					hasRoles = false
 					break
 				}
+
+				// Check if role has red-hat-managed tag
+				hasTag := roles.CheckHasRedHatManagedTag(selectedARN, awsClient)
+				if !hasTag {
+					r.Reporter.Warnf("The role '%s' is not a Red Hat managed role", selectedARN)
+				}
 				if !output.HasFlag() || r.Reporter.IsTerminal() {
 					r.Reporter.Infof("Using %s for the %s role", selectedARN, role.Name)
 				}
diff --git a/pkg/helper/roles/helpers.go b/pkg/helper/roles/helpers.go
@@ -43,6 +43,22 @@ func GetOperatorRoleName(cluster *cmv1.Cluster, missingOperator *cmv1.STSOperato
 	return awsCommonUtils.TruncateRoleName(role)
 }
 
+func CheckHasRedHatManagedTag(arn string, awsClient aws.Client) bool {
+	roleName, err := awsClient.GetRoleByARN(arn)
+	if err != nil {
+		return false
+	}
+
+	roleTags := roleName.Tags
+	for _, tag := range roleTags {
+		if *tag.Key == tags.RedHatManaged {
+			return true
+		}
+	}
+
+	return false
+}
+
 func BuildMissingOperatorRoleCommand(
 	missingRoles map[string]*cmv1.STSOperator,
 	cluster *cmv1.Cluster,
