Merge pull request #74557 from jneczypor/OSDOCS-10187

OSDOCS-10187: Add how to delete a ROSA HCP cluster

Author: michaelryanpeter

_topic_maps/_topic_map_rosa.yml

@@ -229,6 +229,8 @@ Topics:
   File: rosa-hcp-aws-private-creating-cluster
 - Name: Using the Node Tuning Operator on ROSA with HCP
   File: rosa-tuning-config
+- Name: Deleting a ROSA with HCP cluster
+  File: rosa-hcp-deleting-cluster
 ---
 Name: Install ROSA Classic clusters
 Dir: rosa_install_access_delete_clusters

modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc

@@ -1,6 +1,11 @@
 // Module included in the following assemblies:
 //
 // * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
+// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
+
+ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
+:hcp:
+endif::[]
 
 ifeval::["{context}" == "rosa-sts-deleting-cluster"]
 :sts:
@@ -10,16 +15,37 @@ endif::[]
 [id="rosa-deleting-account-wide-iam-roles-and-policies_{context}"]
 = Deleting the account-wide IAM roles and policies
 
-This section provides steps to delete the account-wide IAM roles and policies that you created for ROSA with STS deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the {product-title} (ROSA) with AWS Security Token Services (STS) clusters that depend on them.
+This section provides steps to delete the account-wide IAM roles and policies that you created for 
+ifdef::sts[]
+ROSA with STS 
+endif::sts[]
+ifdef::hcp[]
+{hcp-title} 
+endif::hcp[] 
+deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the 
+ifdef::sts[]
+{product-title} (ROSA) with AWS Security Token Services (STS) 
+endif::sts[]
+ifdef::hcp[]
+{hcp-title} 
+endif::hcp[]
+clusters that depend on them.
 
 [IMPORTANT]
 ====
-The account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the roles if they are not required by other clusters.
+The account-wide IAM roles and policies might be used by other 
+ifdef::sts[]
+ROSA clusters 
+endif::sts[]
+ifdef::hcp[]
+{product-title} 
+endif::hcp[]
+in the same AWS account. Only remove the roles if they are not required by other clusters.
 ====
 
 .Prerequisites
 
-* You have installed a ROSA cluster.
+* You have account-wide IAM roles that you want to delete.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
 
 .Procedure
@@ -33,6 +59,7 @@ $ rosa list account-roles
 ----
 +
 .Example output
+ifdef::sts[]
 [source,terminal]
 ----
 I: Fetching account roles
@@ -42,6 +69,17 @@ ManagedOpenShift-Installer-Role     Installer      arn:aws:iam::<aws_account_id>
 ManagedOpenShift-Support-Role       Support        arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role       4.10
 ManagedOpenShift-Worker-Role        Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role        4.10
 ----
+endif::sts[]
+ifdef::hcp[]
+[source,terminal]
+----
+I: Fetching account roles
+ROLE NAME                                 ROLE TYPE      ROLE ARN                                                                 OPENSHIFT VERSION  AWS Managed
+ManagedOpenShift-HCP-ROSA-Installer-Role  Installer      arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Installer-Role  4.15               Yes
+ManagedOpenShift-HCP-ROSA-Support-Role    Support        arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Support-Role    4.15               Yes
+ManagedOpenShift-HCP-ROSA-Worker-Role     Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role     4.15               Yes
+----
+endif::hcp[]
 .. Delete the account-wide roles:
 +
 [source,terminal]
@@ -52,9 +90,25 @@ $ rosa delete account-roles --prefix <prefix> --mode auto <1>
 +
 [IMPORTANT]
 ====
-The account-wide IAM roles might be used by other ROSA clusters in the same AWS account. You must only remove the roles if they are not required by other clusters.
+The account-wide IAM roles might be used by other ROSA clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
 ====
-
++
+ifdef::hcp[]
+.Example output
+[source,terminal]
+----
+W: There are no classic account roles to be deleted
+I: Deleting hosted CP account roles
+? Delete the account role 'delete-rosa-HCP-ROSA-Installer-Role'? Yes
+I: Deleting account role 'delete-rosa-HCP-ROSA-Installer-Role'
+? Delete the account role 'delete-rosa-HCP-ROSA-Support-Role'? Yes
+I: Deleting account role 'delete-rosa-HCP-ROSA-Support-Role'
+? Delete the account role 'delete-rosa-HCP-ROSA-Worker-Role'? Yes
+I: Deleting account role 'delete-rosa-HCP-ROSA-Worker-Role'
+I: Successfully deleted the hosted CP account roles
+----
+endif::hcp[]
++
 . Delete the account-wide in-line and Operator policies:
 .. Under the *Policies* page in the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console], filter the list of policies by the prefix that you specified when you created the account-wide roles and policies.
 +
@@ -67,5 +121,12 @@ If you did not specify a custom prefix when you created the account-wide roles,
 +
 [IMPORTANT]
 ====
-The account-wide in-line and Operator IAM policies might be used by other ROSA clusters in the same AWS account. You must only remove the roles if they are not required by other clusters.
+The account-wide in-line and Operator IAM policies might be used by other 
+ifdef::sts[]
+ROSA clusters 
+endif::sts[]
+ifdef::hcp[]
+{hcp-title} 
+endif::hcp[]
+in the same AWS account. Only remove the roles if they are not required by other clusters.
 ====

modules/rosa-deleting-sts-iam-resources-account-wide.adoc

@@ -1,18 +1,58 @@
 // Module included in the following assemblies:
 //
 // * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
+// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
+
+ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
+:hcp:
+endif::[]
 
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-deleting-sts-resources-account-wide_{context}"]
 = Deleting the account-wide IAM resources
 
-After you have deleted all {product-title} (ROSA) with AWS Security Token Services (STS) clusters that depend on the account-wide AWS Identity and Access Management (IAM) resources, you can delete the account-wide resources.
+After you have deleted all 
+ifndef::hcp[]
+{product-title} (ROSA) with AWS Security Token Services (STS) 
+endif::hcp[]
+ifdef::hcp[]
+{hcp-title-first} 
+endif::hcp[]
+clusters that depend on the account-wide AWS Identity and Access Management (IAM) resources, you can delete the account-wide resources.
 
-If you no longer need to install a ROSA with STS cluster by using {cluster-manager-first}, you can also delete the {cluster-manager} and user IAM roles.
+If you no longer need to install a 
+ifndef::hcp[]
+ROSA with STS 
+endif::hcp[]
+ifdef::hcp[]
+{hcp-title} 
+endif::hcp[]
+cluster by using {cluster-manager-first}, you can also delete the {cluster-manager} and user IAM roles.
 
 [IMPORTANT]
 ====
-The account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+The account-wide IAM roles and policies might be used by other 
+ifndef::hcp[]
+ROSA 
+endif::hcp[]
+ifdef::hcp[]
+{hcp-title} 
+endif::hcp[]
+clusters in the same AWS account. Only remove the resources if they are not required by other clusters.
 
-The {cluster-manager} and user IAM roles are required if you want to install, manage, and delete other ROSA clusters in the same AWS account by using {cluster-manager}. You must only remove the roles if you no longer need to install ROSA clusters in your account by using {cluster-manager}. See the "Additional resources" section for information on repairing your cluster if these roles are removed prior to deletion.
-====
+The {cluster-manager} and user IAM roles are required if you want to install, manage, and delete other 
+ifndef::hcp[]
+ROSA 
+endif::hcp[]
+ifdef::hcp[]
+{product-title} 
+endif::hcp[]
+clusters in the same AWS account by using {cluster-manager}. Only remove the roles if you no longer need to install 
+ifndef::hcp[]
+ROSA 
+endif::hcp[]
+ifdef::hcp[]
+{product-title} 
+endif::hcp[]
+clusters in your account by using {cluster-manager}. For more information about repairing your cluster if these roles are removed before deletion, see "Repairing a cluster that cannot be deleted" in _Troubleshooting cluster deployments_.
+====

modules/rosa-hcp-deleting-cluster.adoc

@@ -0,0 +1,130 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-deleting-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-deleting-cluster_{context}"]
+= Deleting a {hcp-title} cluster and the cluster-specific IAM resources
+
+You can delete a {hcp-title} cluster by using the ROSA command line interface (CLI) (`rosa`) or {cluster-manager-first}.
+
+After deleting the cluster, you can clean up the cluster-specific Identity and Access Management (IAM) resources in your AWS account by using the ROSA CLI. The cluster-specific resources include the Operator roles and the OpenID Connect (OIDC) provider.
+
+[NOTE]
+====
+The cluster deletion must complete before you remove the IAM resources, because the resources are used in the cluster deletion and clean up processes.
+====
+
+If add-ons are installed, the cluster deletion takes longer because add-ons are uninstalled before the cluster is deleted. The amount of time depends on the number and size of the add-ons.
+
+.Prerequisites
+
+* You have installed a {hcp-title} cluster.
+* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
+
+.Procedure
+
+. Get the cluster ID, the Amazon Resource Names (ARNs) for the cluster-specific Operator roles, and the endpoint URL for the OIDC provider by running the following command:
++
+[source,terminal]
+----
+$ rosa describe cluster --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+Name:                       test_cluster
+Domain Prefix:              test_cluster
+Display Name:               test_cluster
+ID:                         <cluster_id> <1>
+External ID:                <external_id>
+Control Plane:              ROSA Service Hosted
+OpenShift Version:          4.15.0
+Channel Group:              stable
+DNS:                        test_cluster.l3cn.p3.openshiftapps.com
+AWS Account:                <AWS_id>
+AWS Billing Account:        <AWS_id>
+API URL:                    https://api.test_cluster.l3cn.p3.openshiftapps.com:443
+Console URL:                
+Region:                     us-east-1
+Availability:
+ - Control Plane:           MultiAZ
+ - Data Plane:              SingleAZ
+
+Nodes:
+ - Compute (desired):       2
+ - Compute (current):       0
+Network:
+ - Type:                    OVNKubernetes
+ - Service CIDR:            172.30.0.0/16
+ - Machine CIDR:            10.0.0.0/16
+ - Pod CIDR:                10.128.0.0/14
+ - Host Prefix:             /23
+ - Subnets:                 <subnet_ids>
+EC2 Metadata Http Tokens:   optional
+Role (STS) ARN:             arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Installer-Role
+Support Role ARN:           arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Support-Role
+Instance IAM Roles:
+ - Worker:                  arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Worker-Role
+Operator IAM Roles: <2>
+ - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-cloud-network-config-controller-cloud-crede
+ - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-image-registry-installer-cloud-credentials
+ - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-ingress-operator-cloud-credentials
+ - arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-kube-controller-manager
+ - arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-capa-controller-manager
+ - arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-control-plane-operator
+ - arn:aws:iam::<AWS_id>:role/hcpcluster-kube-system-kms-provider
+ - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
+Managed Policies:           Yes
+State:                      ready 
+Private:                    No
+Created:                    Apr 16 2024 20:32:06 UTC
+User Workload Monitoring:   Enabled
+Details Page:               https://console.redhat.com/openshift/details/s/<cluster_id>
+OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/<cluster_id> (Managed) <3>
+Audit Log Forwarding:       Disabled
+External Authentication:    Disabled
+----
+<1> Lists the cluster ID.
+<2> Specifies the ARNs for the cluster-specific Operator roles. For example, in the sample output the ARN for the role required by the Machine Config Operator is `arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-machine-api-aws-cloud-credentials`.
+<3> Displays the endpoint URL for the cluster-specific OIDC provider.
++
+[IMPORTANT]
+====
+After the cluster is deleted, you need the cluster ID to delete the cluster-specific STS resources using the ROSA CLI.
+====
+
+. Delete the cluster by using either the {cluster-manager} or the ROSA CLI (`rosa`):
+** To delete the cluster by using the {cluster-manager}:
+.. Navigate to the {cluster-manager-url}.
+.. Click the Options menu {kebab} next to your cluster and select *Delete cluster*.
+.. Type the name of your cluster into the prompt and click *Delete*.
+** To delete the cluster using the ROSA CLI:
+.. Run the following command, replacing `<cluster_name>` with the name or ID of your cluster:
++
+[source,terminal]
+----
+$ rosa delete cluster --cluster=<cluster_name> --watch
+----
++
+[IMPORTANT]
+====
+You must wait for cluster deletion to complete before you remove the Operator roles and the OIDC provider.
+====
+
+. Delete the cluster-specific Operator IAM roles by running the following command:
++
+[source,terminal]
+----
+$ rosa delete operator-roles --prefix <operator_role_prefix>
+----
+
+.  Delete the OIDC provider by running the following command:
++
+[source,terminal]
+----
+$ rosa delete oidc-provider --oidc-config-id <oidc_config_id>
+----
+
+//If reusing, porting, or separating this content, make sure to grab the "Troubleshooting" section from the assembly. It could not be included in the module because of xrefs.