no-jira: Hardening the GCP destroy code to attempt to delete dependent resources

The destroy process sporadically runs into ResourceInUseByAnotherResource error, but sometimes
the dependent resource is not found by the cluster uninstaller. Now these resources will be
removed when the error is found.

Author: barbacbd

pkg/destroy/gcp/address.go

@@ -15,21 +15,43 @@ const (
 	regionalAddressResource = "regionaddress"
 )
 
+func (o *ClusterUninstaller) deleteAddressByName(ctx context.Context, resourceName, location string) error {
+	typeName := globalAddressResource
+	if location != string(global) {
+		typeName = regionalAddressResource
+	}
+	items, err := o.listAddressesWithFilter(ctx, typeName, "items(name,labels),nextPageToken", func(item *compute.Address) bool {
+		// Address should have labels, but none observed
+		return item.Name == resourceName
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list address by name : %w", err)
+	}
+	for _, item := range items {
+		if err := o.deleteAddress(ctx, item); err != nil {
+			return fmt.Errorf("failed to delete address by name: %w", err)
+		}
+	}
+	return nil
+}
+
 func (o *ClusterUninstaller) listAddresses(ctx context.Context, typeName string) ([]cloudResource, error) {
-	return o.listAddressesWithFilter(ctx, typeName, "items(name,region,addressType),nextPageToken", o.isClusterResource)
+	return o.listAddressesWithFilter(ctx, typeName, "items(name,region,addressType,labels),nextPageToken", func(item *compute.Address) bool {
+		return o.isClusterResource(item.Name) && !o.isSharedResource(item.Labels)
+	})
 }
 
 // listAddressesWithFilter lists addresses in the project that satisfy the filter criteria.
 // The fields parameter specifies which fields should be returned in the result, the filter string contains
 // a filter string passed to the API to filter results.
-func (o *ClusterUninstaller) listAddressesWithFilter(ctx context.Context, typeName, fields string, filterFunc resourceFilterFunc) ([]cloudResource, error) {
+func (o *ClusterUninstaller) listAddressesWithFilter(ctx context.Context, typeName, fields string, filterFunc func(item *compute.Address) bool) ([]cloudResource, error) {
 	o.Logger.Debugf("Listing addresses")
 	result := []cloudResource{}
 
 	pagesFunc := func(list *compute.AddressList) error {
 		for _, item := range list.Items {
 			o.Logger.Debugf("Found address (%s): %s", typeName, item.Name)
-			if filterFunc(item.Name) {
+			if filterFunc(item) {
 				var quota []gcp.QuotaUsage
 				if item.AddressType == "INTERNAL" {
 					quota = []gcp.QuotaUsage{{

pkg/destroy/gcp/backendservice.go

@@ -15,6 +15,25 @@ const (
 	regionBackendServiceResource = "regionbackendservice"
 )
 
+func (o *ClusterUninstaller) deleteBackendServiceByName(ctx context.Context, resourceName, location string) error {
+	typeName := globalBackendServiceResource
+	if location != string(global) {
+		typeName = regionBackendServiceResource
+	}
+	items, err := o.listBackendServicesWithFilter(ctx, typeName, "items(name),nextPageToken", func(item *compute.BackendService) bool {
+		return item.Name == resourceName
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list backend services by name : %w", err)
+	}
+	for _, item := range items {
+		if err := o.deleteBackendService(ctx, item); err != nil {
+			return fmt.Errorf("failed to delete backend service by name: %w", err)
+		}
+	}
+	return nil
+}
+
 func (o *ClusterUninstaller) listBackendServices(ctx context.Context, typeName string) ([]cloudResource, error) {
 	return o.listBackendServicesWithFilter(ctx, typeName, "items(name),nextPageToken",
 		func(item *compute.BackendService) bool {

pkg/destroy/gcp/cloudcontroller.go

@@ -50,7 +50,6 @@ func (o *ClusterUninstaller) listCloudControllerBackendServices(ctx context.Cont
 
 			fwList, err := o.computeSvc.Firewalls.List(o.ProjectID).Fields(googleapi.Field("items(name,targetTags),nextPageToken")).Context(ctx).Do()
 			if err != nil {
-				o.Logger.Debugf("failed to list firewall rules associated with backend service %s: %v", item.Name, err)
 				return false
 			}
 			for _, fw := range fwList.Items {
@@ -103,9 +102,7 @@ func (o *ClusterUninstaller) listCloudControllerTargetPools(ctx context.Context,
 						break
 					}
 				}
-
 				if !foundClusterResource {
-					o.Logger.Debugf("Skipping target pool instance %s because it is not a cluster resource", item.Name)
 					return false
 				}
 			}
@@ -121,7 +118,10 @@ func (o *ClusterUninstaller) discoverCloudControllerLoadBalancerResources(ctx co
 	loadBalancerFilterFunc := o.createLoadBalancerFilterFunc(loadBalancerName)
 
 	// Discover associated addresses: loadBalancerName
-	found, err := o.listAddressesWithFilter(ctx, regionalAddressResource, "items(name),nextPageToken", loadBalancerFilterFunc)
+	found, err := o.listAddressesWithFilter(ctx, regionalAddressResource, "items(name),nextPageToken", func(item *compute.Address) bool {
+		// address should have labels but none observed
+		return strings.HasPrefix(item.Name, loadBalancerName)
+	})
 	if err != nil {
 		return err
 	}
@@ -160,7 +160,12 @@ func (o *ClusterUninstaller) discoverCloudControllerLoadBalancerResources(ctx co
 	o.insertPendingItems(firewallResourceName, found)
 
 	// Discover associated forwarding rules: loadBalancerName
-	found, err = o.listForwardingRulesWithFilter(ctx, regionForwardingRuleResource, "items(name),nextPageToken", loadBalancerFilterFunc)
+	found, err = o.listForwardingRulesWithFilter(ctx, regionForwardingRuleResource, "items(name,labels),nextPageToken", func(item *compute.ForwardingRule) bool {
+		// The forwarding rule should be checked for labels to ensure that
+		// it is owned and not shared. However, the forwarding rules associated with
+		// load balancers do not have these labels.
+		return strings.HasPrefix(item.Name, loadBalancerName)
+	})
 	if err != nil {
 		return err
 	}
@@ -203,7 +208,6 @@ func (o *ClusterUninstaller) discoverCloudControllerLoadBalancerResources(ctx co
 // For each of those backend services, resources like forwarding rules, firewalls, health checks and
 // backend services are added to pendingItems
 func (o *ClusterUninstaller) discoverCloudControllerResources(ctx context.Context) error {
-	o.Logger.Debugf("Discovering cloud controller resources")
 	errs := []error{}
 
 	// Instance group related items
@@ -222,7 +226,6 @@ func (o *ClusterUninstaller) discoverCloudControllerResources(ctx context.Contex
 			return err
 		}
 		for _, backend := range backends {
-			o.Logger.Debugf("Discovering cloud controller resources for %s", backend.name)
 			err := o.discoverCloudControllerLoadBalancerResources(ctx, backend.name)
 			if err != nil {
 				errs = append(errs, err)
@@ -244,7 +247,6 @@ func (o *ClusterUninstaller) discoverCloudControllerResources(ctx context.Contex
 		return err
 	}
 	for _, pool := range pools {
-		o.Logger.Debugf("Discovering cloud controller resources for %s", pool.name)
 		err := o.discoverCloudControllerLoadBalancerResources(ctx, pool.name)
 		if err != nil {
 			errs = append(errs, err)

pkg/destroy/gcp/firewall.go

@@ -2,6 +2,7 @@ package gcp
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -15,6 +16,19 @@ const (
 	firewallResourceName = "firewall"
 )
 
+func (o *ClusterUninstaller) deleteFirewallByName(ctx context.Context, resourceName string) error {
+	items, err := o.listFirewallsWithFilter(ctx, "items(name),nextPageToken", func(item string) bool { return strings.Contains(item, resourceName) })
+	if err != nil {
+		return fmt.Errorf("failed to list firewall by name: %w", err)
+	}
+	for _, item := range items {
+		if err := o.deleteFirewall(ctx, item); err != nil {
+			return fmt.Errorf("failed to delete firewall by name: %w", err)
+		}
+	}
+	return nil
+}
+
 func (o *ClusterUninstaller) listFirewalls(ctx context.Context) ([]cloudResource, error) {
 	// The firewall rules that the destroyer is searching for here include a
 	// pattern before and after the cluster ID. Use a regular expression that allows

pkg/destroy/gcp/forwardingrule.go

@@ -16,15 +16,36 @@ const (
 	regionForwardingRuleResource = "regionalforwardingrule"
 )
 
+func (o *ClusterUninstaller) deleteForwardingRuleByName(ctx context.Context, resourceName, location string) error {
+	typeName := regionForwardingRuleResource
+	if location == string(global) {
+		typeName = globalForwardingRuleResource
+	}
+	items, err := o.listForwardingRulesWithFilter(ctx, typeName, "items(name,labels),nextPageToken", func(item *compute.ForwardingRule) bool {
+		return item.Name == resourceName && o.isOwnedResource(item.Labels)
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list forwarding rules by name: %w", err)
+	}
+	for _, item := range items {
+		if err := o.deleteForwardingRule(ctx, item); err != nil {
+			return fmt.Errorf("failed to delete forwarding rule by name: %w", err)
+		}
+	}
+	return nil
+}
+
 func (o *ClusterUninstaller) listForwardingRules(ctx context.Context, typeName string) ([]cloudResource, error) {
-	return o.listForwardingRulesWithFilter(ctx, typeName, "items(name,region,loadBalancingScheme),nextPageToken", o.isClusterResource)
+	return o.listForwardingRulesWithFilter(ctx, typeName, "items(name,region,loadBalancingScheme,labels),nextPageToken", func(item *compute.ForwardingRule) bool {
+		return o.isClusterResource(item.Name) && o.isOwnedResource(item.Labels)
+	})
 }
 
 // listForwardingRulesWithFilter lists forwarding rules in the project that satisfy the filter criteria.
 // The fields parameter specifies which fields should be returned in the result, the filter string contains
 // a filter string passed to the API to filter results. The filterFunc is a client-side filtering function
 // that determines whether a particular result should be returned or not.
-func (o *ClusterUninstaller) listForwardingRulesWithFilter(ctx context.Context, typeName, fields string, filterFunc resourceFilterFunc) ([]cloudResource, error) {
+func (o *ClusterUninstaller) listForwardingRulesWithFilter(ctx context.Context, typeName, fields string, filterFunc func(item *compute.ForwardingRule) bool) ([]cloudResource, error) {
 	o.Logger.Debugf("Listing forwarding rules")
 	ctx, cancel := context.WithTimeout(ctx, defaultTimeout)
 	defer cancel()
@@ -33,7 +54,7 @@ func (o *ClusterUninstaller) listForwardingRulesWithFilter(ctx context.Context,
 
 	pagesFunc := func(list *compute.ForwardingRuleList) error {
 		for _, item := range list.Items {
-			if filterFunc(item.Name) {
+			if filterFunc(item) {
 				logrus.Debugf("Found forwarding rule: %s", item.Name)
 				var quota []gcp.QuotaUsage
 				if item.LoadBalancingScheme == "EXTERNAL" {

pkg/destroy/gcp/gcp.go

@@ -45,6 +45,8 @@ const (
 
 	// DONE represents the done status for a compute service operation.
 	DONE = "DONE"
+
+	alreadyInUseStr = "is already being used by "
 )
 
 // ClusterUninstaller holds the various options for the cluster we want to delete
@@ -441,6 +443,72 @@ func operationErrorMessage(op *compute.Operation) string {
 	return strings.Join(errs, ", ")
 }
 
+func (o *ClusterUninstaller) handleDependentResourceError(ctx context.Context, op *compute.Operation, err error) error {
+	errorCode := 0
+	errMsg := ""
+	switch {
+	case op != nil:
+		errorCode = int(op.HttpErrorStatusCode)
+		errMsg = operationErrorMessage(op)
+	case err != nil:
+		var apiErr *googleapi.Error
+		if errors.As(err, &apiErr) {
+			errorCode = apiErr.Code
+			errMsg = apiErr.Message
+		} else {
+			errMsg = err.Error()
+		}
+	default:
+		return fmt.Errorf("failed to extract information from operation or error")
+	}
+
+	if errorCode == 400 && strings.Contains(errMsg, alreadyInUseStr) {
+		splitDetails := strings.Split(errMsg, alreadyInUseStr)
+		resource := strings.ReplaceAll(
+			strings.ReplaceAll(
+				strings.ReplaceAll(splitDetails[len(splitDetails)-1], "\"", ""),
+				"'", "",
+			), ", resourceInUseByAnotherResource", "",
+		)
+		splitResource := strings.Split(resource, "/")
+
+		if len(splitResource) > 6 || len(splitResource) < 5 {
+			return fmt.Errorf("dependent resource information unable to be parsed: %s", resource)
+		}
+		// global -> ex: projects/xxxxxxxxxxxxxxxx/global/resource-type/resource-name
+		// regional -> ex: projects/xxxxxxxxxxxxxx/region/region-name/resource-type/resource-name
+		location, resourceType, resourceName := splitResource[len(splitResource)-3], splitResource[len(splitResource)-2], splitResource[len(splitResource)-1]
+		o.Logger.Debugf("found dependent resource information: %s, %s, %s", location, resourceType, resourceName)
+
+		var deleteErr error
+		switch resourceType {
+		case "backendServices":
+			deleteErr = o.deleteBackendServiceByName(ctx, resourceName, location)
+		case "firewalls":
+			deleteErr = o.deleteFirewallByName(ctx, resourceName)
+		case "forwardingRules":
+			deleteErr = o.deleteForwardingRuleByName(ctx, resourceName, location)
+		case "subnetworks":
+			deleteErr = o.deleteSubnetworkByName(ctx, resourceName)
+		case "routers":
+			deleteErr = o.deleteRouterByName(ctx, resourceName)
+		case "addresses":
+			deleteErr = o.deleteAddressByName(ctx, resourceName, location)
+		case "targetPools":
+			deleteErr = o.deleteTargetPoolByName(ctx, resourceName)
+		case "targetTcpProxies":
+			deleteErr = o.deleteTargetTCPProxyByName(ctx, resourceName)
+		default:
+			deleteErr = fmt.Errorf("failed to find resource type: %s for %s", resourceType, resourceName)
+		}
+
+		if deleteErr != nil {
+			return fmt.Errorf("failed to delete dependent resource: %w", deleteErr)
+		}
+	}
+	return nil
+}
+
 func (o *ClusterUninstaller) handleOperation(ctx context.Context, op *compute.Operation, err error, item cloudResource, resourceType string) error {
 	identifier := []string{item.typeName, item.name}
 	if item.zone != "" {
@@ -452,14 +520,22 @@ func (o *ClusterUninstaller) handleOperation(ctx context.Context, op *compute.Op
 			o.Logger.Debugf("No operation found for %s %s", resourceType, item.name)
 			return nil
 		}
+
+		err = o.handleDependentResourceError(ctx, op, err)
+		if err != nil {
+			o.Logger.Debugf("failed to handle dependent resource error: %v", err)
+		}
 		o.resetRequestID(identifier...)
 		return fmt.Errorf("failed to delete %s %s: %w", resourceType, item.name, err)
 	}
 
 	// wait for operation to complete before checking any further
 	op, err = o.waitFor(ctx, op, item)
-
 	if op != nil && op.Status == DONE && isErrorStatus(op.HttpErrorStatusCode) {
+		err = o.handleDependentResourceError(ctx, op, err)
+		if err != nil {
+			o.Logger.Debugf("failed to handle dependent resource error: %v", err)
+		}
 		o.resetRequestID(identifier...)
 		return fmt.Errorf("failed to delete %s %s with error: %s", resourceType, item.name, operationErrorMessage(op))
 	}

pkg/destroy/gcp/image.go

@@ -15,22 +15,24 @@ const (
 )
 
 func (o *ClusterUninstaller) listImages(ctx context.Context) ([]cloudResource, error) {
-	return o.listImagesWithFilter(ctx, "items(name),nextPageToken", o.isClusterResource)
+	return o.listImagesWithFilter(ctx, "items(name,labels),nextPageToken", func(item *compute.Image) bool {
+		return o.isClusterResource(item.Name) && !o.isSharedResource(item.Labels)
+	})
 }
 
 // listImagesWithFilter lists addresses in the project that satisfy the filter criteria.
 // The fields parameter specifies which fields should be returned in the result, the filter string contains
 // a filter string passed to the API to filter results. The filterFunc is a client-side filtering function
 // that determines whether a particular result should be returned or not.
-func (o *ClusterUninstaller) listImagesWithFilter(ctx context.Context, fields string, filterFunc resourceFilterFunc) ([]cloudResource, error) {
+func (o *ClusterUninstaller) listImagesWithFilter(ctx context.Context, fields string, filterFunc func(item *compute.Image) bool) ([]cloudResource, error) {
 	o.Logger.Debugf("Listing images")
 	ctx, cancel := context.WithTimeout(ctx, defaultTimeout)
 	defer cancel()
 	result := []cloudResource{}
 	req := o.computeSvc.Images.List(o.ProjectID).Fields(googleapi.Field(fields))
 	err := req.Pages(ctx, func(list *compute.ImageList) error {
 		for _, item := range list.Items {
-			if filterFunc(item.Name) {
+			if filterFunc(item) {
 				o.Logger.Debugf("Found image: %s\n", item.Name)
 				result = append(result, cloudResource{
 					key:      item.Name,

pkg/destroy/gcp/router.go

@@ -2,6 +2,7 @@ package gcp
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/pkg/errors"
 	"google.golang.org/api/compute/v1"
@@ -14,6 +15,19 @@ const (
 	routerResourceName = "router"
 )
 
+func (o *ClusterUninstaller) deleteRouterByName(ctx context.Context, resourceName string) error {
+	items, err := o.listRoutersWithFilter(ctx, "items(name),nextPageToken", func(item string) bool { return item == resourceName })
+	if err != nil {
+		return fmt.Errorf("failed to list router by name: %w", err)
+	}
+	for _, item := range items {
+		if err := o.deleteRouter(ctx, item); err != nil {
+			return fmt.Errorf("failed to delete router by name: %w", err)
+		}
+	}
+	return nil
+}
+
 func (o *ClusterUninstaller) listRouters(ctx context.Context) ([]cloudResource, error) {
 	return o.listRoutersWithFilter(ctx, "items(name),nextPageToken", o.isClusterResource)
 }