OCM-7957 | ci: Support rosa-shared-vpc profile creation in new day1

vivekgupta87 · Jul 9, 2024 · bdde65a · bdde65a
1 parent 2142bf7
commit bdde65a
Show file tree

Hide file tree

Showing 90 changed files with 27,179 additions and 304 deletions.
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/AlecAivazis/survey/v2 v2.2.15
 	github.com/Masterminds/semver v1.5.0
 	github.com/PuerkitoBio/goquery v1.8.1
-	github.com/aws/aws-sdk-go-v2 v1.26.1
+	github.com/aws/aws-sdk-go-v2 v1.30.0
 	github.com/aws/aws-sdk-go-v2/config v1.27.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
 	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.50.0
@@ -32,7 +32,7 @@ require (
 	github.com/nathan-fiscaletti/consolesize-go v0.0.0-20210105204122-a87d9f614b9d
 	github.com/onsi/ginkgo/v2 v2.17.1
 	github.com/onsi/gomega v1.30.0
-	github.com/openshift-online/ocm-common v0.0.4
+	github.com/openshift-online/ocm-common v0.0.5
 	github.com/openshift-online/ocm-sdk-go v0.1.428
 	github.com/pkg/errors v0.9.1
 	github.com/robfig/cron/v3 v3.0.1
@@ -47,7 +47,10 @@ require (
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 )
 
-require github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+require (
+	github.com/aws/aws-sdk-go-v2/service/ram v1.26.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+)
 
 require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
@@ -57,8 +60,8 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.1 // indirect

diff --git a/go.sum b/go.sum
@@ -20,8 +20,8 @@ github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsVi
 github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
 github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU=
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
-github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
-github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
+github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
 github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
@@ -30,10 +30,10 @@ github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHH
 github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU=
@@ -60,6 +60,8 @@ github.com/aws/aws-sdk-go-v2/service/kms v1.31.0 h1:yl7wcqbisxPzknJVfWTLnK83McUv
 github.com/aws/aws-sdk-go-v2/service/kms v1.31.0/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ=
 github.com/aws/aws-sdk-go-v2/service/organizations v1.27.3 h1:CnPWlONzFX9/yO6IGuKg9sWUE8WhKztYRFbhmOHXjJI=
 github.com/aws/aws-sdk-go-v2/service/organizations v1.27.3/go.mod h1:hUHSXe9HFEmLfHrXndAX5e69rv0nBsg22VuNQYl0JLM=
+github.com/aws/aws-sdk-go-v2/service/ram v1.26.1 h1:1UcUsMsHB7ZnpcUYNwBTX90hFjIZrhf8Xu00R9Vo+Kg=
+github.com/aws/aws-sdk-go-v2/service/ram v1.26.1/go.mod h1:e/3wE+afnOAeolpqyg8fKAQK/kKya+ycDW62/X4vjK8=
 github.com/aws/aws-sdk-go-v2/service/route53 v1.40.4 h1:ZZKiHm4cN8IDDZ2kh8DTk+YnYBjVsiFdwf5FwVs//IQ=
 github.com/aws/aws-sdk-go-v2/service/route53 v1.40.4/go.mod h1:RTfjFUctf+Zyq8e4rgLXmz43+0kIoIXbENvrFtilumI=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc=
@@ -273,8 +275,8 @@ github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8
 github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
-github.com/openshift-online/ocm-common v0.0.4 h1:omkT+OoInkIY5H6mXs5UlkLyonajWaYsUaUMr9FG0d0=
-github.com/openshift-online/ocm-common v0.0.4/go.mod h1:jN6cL4H/fni6faK+Z8S4Lo0lkZphx4VkylGObfYHW7Y=
+github.com/openshift-online/ocm-common v0.0.5 h1:ISZzSZhsHPUdzkYMLTkDCMVUHX9JxwTcDbjlzBxL8hw=
+github.com/openshift-online/ocm-common v0.0.5/go.mod h1:gsBWQYLZB0w0ZRR+NLASuTr29uFo5nekEODasFKxESc=
 github.com/openshift-online/ocm-sdk-go v0.1.428 h1:HIgQ9FkkgNEMyLsP75JU17nZjYV1Q9M9FrpO/Df2SSg=
 github.com/openshift-online/ocm-sdk-go v0.1.428/go.mod h1:CiAu2jwl3ITKOxkeV0Qnhzv4gs35AmpIzVABQLtcI2Y=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/tests/ci/config/config.go b/tests/ci/config/config.go
@@ -50,6 +50,7 @@ type GlobalENVVariables struct {
 	NamePrefix            string `env:"NAME_PREFIX"`
 	ClusterWaitingTime    int    `env:"CLUSTER_TIMEOUT" default:"60"`
 	WaitSetupClusterReady bool   `env:"WAIT_SETUP_CLUSTER_READY" default:"true"`
+	SVPC_CREDENTIALS_FILE string `env:"SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE" default:""`
 }
 
 func init() {
@@ -101,6 +102,7 @@ func init() {
 		Region:                os.Getenv("REGION"),
 		ProvisionShard:        os.Getenv("PROVISION_SHARD"),
 		NamePrefix:            os.Getenv("NAME_PREFIX"),
+		SVPC_CREDENTIALS_FILE: os.Getenv("SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE"),
 		ClusterWaitingTime:    waitingTime,
 		WaitSetupClusterReady: waitSetupClusterReady,
 	}

diff --git a/tests/ci/data/profiles/rosa-classic.yaml b/tests/ci/data/profiles/rosa-classic.yaml
@@ -69,7 +69,7 @@ profiles:
   account-role:
     path: "/test/"
     permission_boundary: "arn:aws:iam::aws:policy/AdministratorAccess"
-- as: rosa-shared-vpc # TODO it is not supported right now.
+- as: rosa-shared-vpc
   version: latest
   channel_group: candidate
   region: "us-east-1"
@@ -83,22 +83,22 @@ profiles:
     private: false
     etcd_encryption: true
     fips: true
-    autoscale: false
+    autoscale: true
     kms_key: true
     networking: false
-    proxy_enabled: true
-    label_enabled: true
-    tag_enabled: true
+    proxy_enabled: false
+    label_enabled: false
+    tag_enabled: false
     zones: ""
     imdsv2: "required"
     shared_vpc: true
     oidc_config: managed
     admin_enabled: false
     volume_size: 512
-    autoscaler_enabled: true
+    autoscaler_enabled: false
     disable_uwm: true
-    additional_sg_number: 1
-    long_name: true
+    additional_sg_number: 0
+    long_name: false
   account-role:
     path: ""
     permission_boundary: ""  

diff --git a/tests/e2e/dummy_test.go b/tests/e2e/dummy_test.go
@@ -50,7 +50,7 @@ var _ = Describe("ROSA CLI Test", func() {
 	})
 	Describe("ocm-common test", func() {
 		It("VPCClientTesting", func() {
-			vpcClient, err := profilehandler.PrepareVPC("us-east-1", "xueli-test", "10.0.0.0/16")
+			vpcClient, err := profilehandler.PrepareVPC("us-east-1", "xueli-test", "10.0.0.0/16", "")
 			Expect(err).ToNot(HaveOccurred())
 			defer vpcClient.DeleteVPCChain(true)
 			subnets, err := profilehandler.PrepareSubnets(vpcClient, "us-east-1", []string{}, true)

diff --git a/tests/e2e/test_rosacli_policy.go b/tests/e2e/test_rosacli_policy.go
@@ -350,6 +350,12 @@ var _ = Describe("Validation testing",
 			By("Delete the testing role")
 			if len(testingRolesToClean) > 0 {
 				for _, roleName := range testingRolesToClean {
+					attachedPolicy, err := awsClient.ListRoleAttachedPolicies(roleName)
+					Expect(err).To(BeNil())
+					if len(attachedPolicy) > 0 {
+						err = awsClient.DetachRolePolicies(roleName)
+						Expect(err).To(BeNil())
+					}
 					err = awsClient.DeleteRole(roleName)
 					Expect(err).To(BeNil())
 				}
@@ -364,133 +370,123 @@ var _ = Describe("Validation testing",
 				}
 				By("Prepare a role wihtout red-hat-managed=true label for testing")
 				notRHManagedRoleName := fmt.Sprintf("ocmqe-role-%s", common.GenerateRandomString(3))
-				_, err := awsClient.CreateRegularRole(notRHManagedRoleName)
-				Expect(err).To(BeNil())
-				testingRolesToClean = append(testingRolesToClean, notRHManagedRoleName)
 
-				By("Prepare 10 arbitrary policies for testing")
-				awsClient, err = aws_client.CreateAWSClient("", "")
-				Expect(err).To(BeNil())
 				statement := map[string]interface{}{
 					"Effect":   "Allow",
 					"Action":   "*",
 					"Resource": "*",
 				}
+				notRHManagedRolePolicy, err := awsClient.CreatePolicy(
+					fmt.Sprintf("%s-policy", notRHManagedRoleName),
+					statement,
+				)
+				Expect(err).To(BeNil())
+				_, err = awsClient.CreateRegularRole(notRHManagedRoleName, notRHManagedRolePolicy)
+				Expect(err).To(BeNil())
+				testingRolesToClean = append(testingRolesToClean, notRHManagedRoleName)
+
+				By("Prepare 10 arbitrary policies for testing")
+				awsClient, err = aws_client.CreateAWSClient("", "")
+				Expect(err).To(BeNil())
+
 				for i := 0; i < 10; i++ {
 					arn, err := awsClient.CreatePolicy(
 						fmt.Sprintf("ocmqe-arpolicy-%s-%d", common.GenerateRandomString(3), i),
 						statement,
 					)
 					Expect(err).To(BeNil())
 					arbitraryPoliciesToClean = append(arbitraryPoliciesToClean, arn)
+				}
 
-					By("Prepare 10 arbitrary policies for testing")
-					awsClient, err = aws_client.CreateAWSClient("", "")
-					Expect(err).To(BeNil())
-					statement := map[string]interface{}{
-						"Effect":   "Allow",
-						"Action":   "*",
-						"Resource": "*",
-					}
-					for i := 0; i < 10; i++ {
-						arn, err := awsClient.CreatePolicy(
-							fmt.Sprintf("ocmqe-arpolicy-%s-%d", common.GenerateRandomString(3), i),
-							statement,
-						)
-						Expect(err).To(BeNil())
-						arbitraryPoliciesToClean = append(arbitraryPoliciesToClean, arn)
-					}
+				By("Get one managed role for testing,using support role in this case")
+				output, err := clusterService.DescribeCluster(clusterID)
+				Expect(err).To(BeNil())
+				CD, err := clusterService.ReflectClusterDescription(output)
+				Expect(err).To(BeNil())
+				supportRoleARN := CD.SupportRoleARN
+				_, supportRoleName, err := common.ParseRoleARN(supportRoleARN)
+				Expect(err).To(BeNil())
 
-					By("Get one managed role for testing,using support role in this case")
-					output, err := clusterService.DescribeCluster(clusterID)
-					Expect(err).To(BeNil())
-					CD, err := clusterService.ReflectClusterDescription(output)
-					Expect(err).To(BeNil())
-					supportRoleARN := CD.SupportRoleARN
-					_, supportRoleName, err := common.ParseRoleARN(supportRoleARN)
-					Expect(err).To(BeNil())
+				By("policy arn with invalid format when attach")
+				policyArnsWithOneInValidFormat := []string{
+					"arn:aws:polict:invalidformat",
+					arbitraryPoliciesToClean[0],
+					arbitraryPoliciesToClean[1],
+				}
+				out, err := arbitraryPolicyService.AttachPolicy(
+					supportRoleName,
+					policyArnsWithOneInValidFormat,
+					"--mode", "auto",
+				)
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("Invalid policy arn"))
 
-					By("policy arn with invalid format when attach")
-					policyArnsWithOneInValidFormat := []string{
-						"arn:aws:polict:invalidformat",
-						arbitraryPoliciesToClean[0],
-						arbitraryPoliciesToClean[1],
-					}
-					out, err := arbitraryPolicyService.AttachPolicy(
-						supportRoleName,
-						policyArnsWithOneInValidFormat,
-						"--mode", "auto",
-					)
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("Invalid policy arn"))
-
-					By("not-existed policies arn when attach")
-					policyArnsWithNotExistedOne := []string{
-						"arn:aws:iam::123456789012:policy/ocmqe-arpolicy-rta-0",
-						arbitraryPoliciesToClean[0],
-						arbitraryPoliciesToClean[1],
-					}
-					out, err = arbitraryPolicyService.AttachPolicy(
-						supportRoleName,
-						policyArnsWithNotExistedOne,
-						"--mode", "auto",
-					)
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("not found"))
-
-					By("not-existed role name when attach")
-					notExistedRoleName := "notExistedRoleName"
-					policyArns := []string{
-						arbitraryPoliciesToClean[0],
-						arbitraryPoliciesToClean[1],
-					}
-					out, err = arbitraryPolicyService.AttachPolicy(notExistedRoleName, policyArns, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("role with name %s cannot be found", notExistedRoleName))
-
-					By("number of the attaching policies exceed the quote (L-0DA4ABF3) when attach")
-					policyArnsWithTen := arbitraryPoliciesToClean[0:10]
-					out, err = arbitraryPolicyService.AttachPolicy(supportRoleName, policyArnsWithTen, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("Failed to attach policies due to quota limitations (total limit: 10"))
-
-					By("role has no red-hat-managed=true tag when attach")
-					out, err = arbitraryPolicyService.AttachPolicy(notRHManagedRoleName, policyArns, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("Cannot attach/detach policies to non-ROSA roles"))
-
-					By("empry string in the policy-arn when attach")
-					policyArnsWithEmptyString := []string{""}
-					out, err = arbitraryPolicyService.AttachPolicy(supportRoleName, policyArnsWithEmptyString, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("expected a valid policy"))
-
-					By("policy arn with invalid format when detach")
-
-					out, err = arbitraryPolicyService.DetachPolicy(supportRoleName, policyArnsWithOneInValidFormat, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("Invalid policy arn"))
-
-					By("not-existed policies arn when detach")
-					out, err = arbitraryPolicyService.DetachPolicy(supportRoleName, policyArnsWithNotExistedOne, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("not found"))
-
-					By("not-existed role name when detach")
-					out, err = arbitraryPolicyService.DetachPolicy(notExistedRoleName, policyArns, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("role with name %s cannot be found", notExistedRoleName))
-
-					By("role has no red-hat-managed=true tag when detach")
-					out, err = arbitraryPolicyService.DetachPolicy(notRHManagedRoleName, policyArns, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("Cannot attach/detach policies to non-ROSA roles"))
-
-					By("empry string in the policy-arn when detach")
-					out, err = arbitraryPolicyService.DetachPolicy(supportRoleName, policyArnsWithEmptyString, "--mode", "auto")
-					Expect(err).NotTo(BeNil())
-					Expect(out.String()).To(ContainSubstring("expected a valid policy"))
+				By("not-existed policies arn when attach")
+				policyArnsWithNotExistedOne := []string{
+					"arn:aws:iam::123456789012:policy/ocmqe-arpolicy-rta-0",
+					arbitraryPoliciesToClean[0],
+					arbitraryPoliciesToClean[1],
+				}
+				out, err = arbitraryPolicyService.AttachPolicy(
+					supportRoleName,
+					policyArnsWithNotExistedOne,
+					"--mode", "auto",
+				)
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("not found"))
+
+				By("not-existed role name when attach")
+				notExistedRoleName := "notExistedRoleName"
+				policyArns := []string{
+					arbitraryPoliciesToClean[0],
+					arbitraryPoliciesToClean[1],
 				}
+				out, err = arbitraryPolicyService.AttachPolicy(notExistedRoleName, policyArns, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("role with name %s cannot be found", notExistedRoleName))
+
+				By("number of the attaching policies exceed the quote (L-0DA4ABF3) when attach")
+				policyArnsWithTen := arbitraryPoliciesToClean[0:10]
+				out, err = arbitraryPolicyService.AttachPolicy(supportRoleName, policyArnsWithTen, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("Failed to attach policies due to quota limitations (total limit: 10"))
+
+				By("role has no red-hat-managed=true tag when attach")
+				out, err = arbitraryPolicyService.AttachPolicy(notRHManagedRoleName, policyArns, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("Cannot attach/detach policies to non-ROSA roles"))
+
+				By("empry string in the policy-arn when attach")
+				policyArnsWithEmptyString := []string{""}
+				out, err = arbitraryPolicyService.AttachPolicy(supportRoleName, policyArnsWithEmptyString, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("expected a valid policy"))
+
+				By("policy arn with invalid format when detach")
+
+				out, err = arbitraryPolicyService.DetachPolicy(supportRoleName, policyArnsWithOneInValidFormat, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("Invalid policy arn"))
+
+				By("not-existed policies arn when detach")
+				out, err = arbitraryPolicyService.DetachPolicy(supportRoleName, policyArnsWithNotExistedOne, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("not found"))
+
+				By("not-existed role name when detach")
+				out, err = arbitraryPolicyService.DetachPolicy(notExistedRoleName, policyArns, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("role with name %s cannot be found", notExistedRoleName))
+
+				By("role has no red-hat-managed=true tag when detach")
+				out, err = arbitraryPolicyService.DetachPolicy(notRHManagedRoleName, policyArns, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("Cannot attach/detach policies to non-ROSA roles"))
+
+				By("empry string in the policy-arn when detach")
+				out, err = arbitraryPolicyService.DetachPolicy(supportRoleName, policyArnsWithEmptyString, "--mode", "auto")
+				Expect(err).NotTo(BeNil())
+				Expect(out.String()).To(ContainSubstring("expected a valid policy"))
 			})
 	})