updated cleanup steps

Taniya Mathur · Taniya Mathur · commit 9d38018255f9 · 2025-09-24T23:00:11.000Z
diff --git a/scripts/sdlc/cfn/codepipeline-s3.yml b/scripts/sdlc/cfn/codepipeline-s3.yml
@@ -155,7 +155,10 @@ Resources:
                 - export IDP_CFN_PREFIX=$(make cfn-prefix) || { echo "CFN prefix generation failed"; exit 1; }
                 - make install -e IDP_CFN_PREFIX=$IDP_CFN_PREFIX
                 - make smoketest -e IDP_CFN_PREFIX=$IDP_CFN_PREFIX
-                - make uninstall -e IDP_CFN_PREFIX=$IDP_CFN_PREFIX
+            post_build:
+              commands:
+                - echo "Running cleanup regardless of build result..."
+                - make uninstall -e IDP_CFN_PREFIX=$IDP_CFN_PREFIX || echo "Cleanup failed but continuing"
 
   DeploymentPipeline:
     Type: 'AWS::CodePipeline::Pipeline'
diff --git a/scripts/sdlc/idp-cli/src/idp_cli/service/install_service.py b/scripts/sdlc/idp-cli/src/idp_cli/service/install_service.py
@@ -196,46 +196,6 @@ def cleanup_failed_stack(self, stack_name):
             logger.error(f"Failed to cleanup stack {stack_name}: {e}")
             return False
 
-    def get_service_role_arn(self):
-        """
-        Check if CloudFormation service role stack exists and return its ARN.
-        
-        Returns:
-            str: The ARN of the existing service role, or None if not found
-        """
-        service_role_stack_name = f"{self.cfn_prefix}-cloudformation-service-role"
-        
-        try:
-            describe_cmd = [
-                'aws', 'cloudformation', 'describe-stacks',
-                '--region', self.region,
-                '--stack-name', service_role_stack_name,
-                '--query', 'Stacks[0].Outputs[?OutputKey==`ServiceRoleArn`].OutputValue',
-                '--output', 'text'
-            ]
-
-            process = subprocess.run(
-                describe_cmd,
-                check=True,
-                text=True,
-                stdout=subprocess.PIPE,
-                stderr=subprocess.PIPE
-            )
-
-            service_role_arn = process.stdout.strip()
-            if service_role_arn and service_role_arn != "None":
-                logger.info(f"Found existing service role: {service_role_arn}")
-                return service_role_arn
-            else:
-                return None
-
-        except subprocess.CalledProcessError:
-            logger.debug(f"Service role stack {service_role_stack_name} not found")
-            return None
-        except Exception as e:
-            logger.error(f"Error checking for existing service role: {e}")
-            return None
-
     def deploy_service_role(self):
         """
         Deploy the CloudFormation service role stack.
@@ -247,12 +207,6 @@ def deploy_service_role(self):
         service_role_template = 'iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml'
         
         try:
-            # Check if the service role is managed by a different stack
-            existing_stack_name = self._find_managing_stack()
-            if existing_stack_name and existing_stack_name != service_role_stack_name:
-                logger.info(f"Service role managed by different stack: {existing_stack_name}. Using existing stack for deployment.")
-                service_role_stack_name = existing_stack_name
-            
             # Verify template file exists
             template_path = os.path.join(self.abs_cwd, service_role_template)
             if not os.path.exists(template_path):
@@ -284,7 +238,7 @@ def deploy_service_role(self):
             if process.stderr:
                 logger.debug(f"Service role deploy stderr: {process.stderr}")
 
-            # Get the service role ARN - use the actual deployed stack name
+            # Get the service role ARN from the deployed stack
             service_role_arn = self._get_service_role_arn_from_stack(service_role_stack_name)
             if service_role_arn:
                 logger.info(f"Successfully deployed service role: {service_role_arn}")
@@ -309,50 +263,6 @@ def deploy_service_role(self):
             logger.error(f"Unexpected error during service role deployment: {e}")
             return None
 
-    def _find_managing_stack(self):
-        """
-        Find which CloudFormation stack manages the IDPAcceleratorCloudFormationServiceRole.
-        
-        Returns:
-            str: Stack name that manages the service role, or None if not found
-        """
-        try:
-            # List all stacks that might contain the service role
-            list_stacks_cmd = [
-                'aws', 'cloudformation', 'list-stacks',
-                '--region', self.region,
-                '--stack-status-filter', 'CREATE_COMPLETE', 'UPDATE_COMPLETE',
-                '--query', 'StackSummaries[?contains(StackName, `cloudformation-service-role`)].StackName',
-                '--output', 'text'
-            ]
-            
-            process = subprocess.run(
-                list_stacks_cmd,
-                check=True,
-                text=True,
-                stdout=subprocess.PIPE,
-                stderr=subprocess.PIPE
-            )
-            
-            stack_names = process.stdout.strip().split() if process.stdout.strip() else []
-            
-            # Check each stack to see if it has the ServiceRoleArn output
-            for stack_name in stack_names:
-                try:
-                    service_role_arn = self._get_service_role_arn_from_stack(stack_name)
-                    if service_role_arn:
-                        logger.debug(f"Found service role managed by stack: {stack_name}")
-                        return stack_name
-                        
-                except Exception:
-                    continue
-                    
-            return None
-            
-        except Exception as e:
-            logger.error(f"Error finding managing stack: {e}")
-            return None
-
     def _get_service_role_arn_from_stack(self, stack_name):
         """
         Get service role ARN from a specific stack.
@@ -390,52 +300,36 @@ def _get_service_role_arn_from_stack(self, stack_name):
             return None
 
     def create_permission_boundary_policy(self):
-        """Create an 'allow everything' permission boundary policy if it doesn't exist"""
+        """Create an 'allow everything' permission boundary policy"""
         
         policy_name = "IDPPermissionBoundary"
         iam = boto3.client('iam')
         
         try:
-            # First, check if the policy already exists
-            account_id = boto3.client('sts').get_caller_identity()['Account']
-            policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
+            policy_document = {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Action": "*",
+                        "Resource": "*"
+                    }
+                ]
+            }
+            
+            response = iam.create_policy(
+                PolicyName=policy_name,
+                PolicyDocument=json.dumps(policy_document),
+                Description="Permission boundary for IDP deployment - allows all actions"
+            )
             
-            # Try to get the existing policy
-            iam.get_policy(PolicyArn=policy_arn)
-            logger.info(f"Permission boundary policy already exists: {policy_arn}")
+            policy_arn = response['Policy']['Arn']
+            logger.info(f"Created permission boundary policy: {policy_arn}")
             return policy_arn
             
-        except ClientError as e:
-            if e.response['Error']['Code'] == 'NoSuchEntity':
-                # Policy doesn't exist, create it
-                policy_document = {
-                    "Version": "2012-10-17",
-                    "Statement": [
-                        {
-                            "Effect": "Allow",
-                            "Action": "*",
-                            "Resource": "*"
-                        }
-                    ]
-                }
-                
-                try:
-                    response = iam.create_policy(
-                        PolicyName=policy_name,
-                        PolicyDocument=json.dumps(policy_document),
-                        Description="Permission boundary for IDP deployment - allows all actions"
-                    )
-                    
-                    policy_arn = response['Policy']['Arn']
-                    logger.info(f"Created permission boundary policy: {policy_arn}")
-                    return policy_arn
-                    
-                except ClientError as create_error:
-                    logger.error(f"Error creating permission boundary policy: {create_error}")
-                    return None
-            else:
-                logger.error(f"Error checking for existing permission boundary policy: {e}")
-                return None
+        except ClientError as create_error:
+            logger.error(f"Error creating permission boundary policy: {create_error}")
+            return None
 
     def validate_permission_boundary(self, stack_name, boundary_arn):
         """Validate that all IAM roles in the stack and nested stacks have the permission boundary"""
diff --git a/scripts/sdlc/idp-cli/src/idp_cli/service/uninstall_service.py b/scripts/sdlc/idp-cli/src/idp_cli/service/uninstall_service.py
@@ -2,7 +2,9 @@
 # SPDX-License-Identifier: MIT-0
 
 import os
+import boto3
 from typing import Any, Dict, Optional
+from botocore.exceptions import ClientError
 from idp_cli.util.cfn_util import CfnUtil
 from idp_cli.util.s3_util import S3Util
 from loguru import logger
@@ -54,8 +56,48 @@ def delete_stack(self, wait=True):
         response = CfnUtil.delete_stack(stack_name=self.stack_name, wait=wait)
         logger.debug(response)
 
+    def delete_service_role_stack(self):
+        """Delete the CloudFormation service role stack if it exists"""
+        service_role_stack_name = f"{self.cfn_prefix}-cloudformation-service-role"
+        
+        try:
+            logger.info(f"Attempting to delete service role stack: {service_role_stack_name}")
+            response = CfnUtil.delete_stack(stack_name=service_role_stack_name, wait=True)
+            logger.info(f"Successfully deleted service role stack: {service_role_stack_name}")
+            logger.debug(response)
+        except Exception as e:
+            if "does not exist" in str(e):
+                logger.debug(f"Service role stack {service_role_stack_name} does not exist, skipping")
+            else:
+                logger.error(f"Failed to delete service role stack {service_role_stack_name}: {e}")
+
+    def delete_permission_boundary_policy(self):
+        """Delete the permission boundary policy if it exists"""
+        policy_name = "IDPPermissionBoundary"
+        
+        try:
+            iam = boto3.client('iam')
+            account_id = boto3.client('sts').get_caller_identity()['Account']
+            policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
+            
+            logger.info(f"Attempting to delete permission boundary policy: {policy_arn}")
+            iam.delete_policy(PolicyArn=policy_arn)
+            logger.info(f"Successfully deleted permission boundary policy: {policy_arn}")
+            
+        except ClientError as e:
+            if e.response['Error']['Code'] == 'NoSuchEntity':
+                logger.debug(f"Permission boundary policy {policy_name} does not exist, skipping")
+            elif e.response['Error']['Code'] == 'DeleteConflict':
+                logger.warning(f"Permission boundary policy {policy_name} is still attached to resources, skipping deletion")
+            else:
+                logger.error(f"Failed to delete permission boundary policy {policy_name}: {e}")
+        except Exception as e:
+            logger.error(f"Unexpected error deleting permission boundary policy {policy_name}: {e}")
+
     def uninstall(self):
         self.get_outputs()
         self.delete_stack(wait=True)
         self.get_buckets()
-        self.delete_buckets()
+        self.delete_buckets()
+        self.delete_service_role_stack()
+        self.delete_permission_boundary_policy()
