OCPBUGS-77355: fix wavelength zone name regex

[tthvo]

The correct regex should check for segment -wlz, which is common for all "known" wavelength zones.

One example where the old regex wl\d\-.*$ would fail is us-east-1-foe-wlz-1a. See failed job.

References

https://docs.aws.amazon.com/wavelength/latest/developerguide/available-wavelength-zones.html

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-77355, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The correct regex should check for segment -wlz, which is common for all "known" wavelength zones.

One example where the old regex wl\d\-.*$ would fail is us-east-1-foe-wlz-1a. See failed job.

References

https://docs.aws.amazon.com/wavelength/latest/developerguide/available-wavelength-zones.html

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/cc @yunjiang29

[tthvo]

/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-77355, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @liweinan

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liweinan]

Relative test: altinfra-e2e-aws-ovn-wavelengthzones

[liweinan]

@tthvo I suggest to add unit test for this PR, wdyt? https://github.com/openshift/installer/compare/main...liweinan:installer:OCPBUGS-77355-add-tests?expand=1

[liweinan]

btw I'm testing with this install-config and report my test result later:

additionalTrustBundlePolicy: Proxyonly
apiVersion: v1
baseDomain: qe.devcluster.openshift.com
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform:
    aws:
      zones:
      - us-east-1a
      - us-east-1b
      - us-east-1c
  replicas: 3
# Edge pool with NEW FORMAT Wavelength Zone (OCPBUGS-77355 fix target)
- architecture: amd64
  hyperthreading: Enabled
  name: edge
  platform:
    aws:
      zones:
      - us-east-1-foe-wlz-1a
  replicas: 0
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform:
    aws:
      zones:
      - us-east-1a
      - us-east-1b
      - us-east-1c
  replicas: 3
metadata:
  name: weli-test-new-wlz
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: us-east-1
publish: External
...

[liweinan]

It seems my own account has the CarrierGateway permissions, so it can't be used for testing:

weli@192 ~/works/oc-swarm/installer/bin (OCPBUGS-77355-add-tests)
❯ aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::301721915996:user/weli --action-names ec2:DeleteCarrierGateway --resource-arns 'arn:aws:ec2:us-east-1:*:carrier-gateway/*' --query 'EvaluationResults[0].EvalDecision' --output text
allowed
weli@192 ~/works/oc-swarm/installer/bin (OCPBUGS-77355-add-tests)
❯ aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::301721915996:user/weli --action-names ec2:CreateCarrierGateway --resource-arns 'arn:aws:ec2:us-east-1:*:carrier-gateway/*' --query 'EvaluationResults[0].EvalDecision' --output text
allowed

Even if I use the older version of the installer, the installation with the above configuration can still pass. I need to create a test account first, without the CarrierGateway permissions, and then do the verification:

    {
      "Sid": "DenyCarrierGatewayPermissions",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateCarrierGateway",
        "ec2:DeleteCarrierGateway",
        "ec2:DescribeCarrierGateways"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }

@tthvo wdyt?

[liweinan]

I created an IAM user without the CarrierGateway permissions as shown above and used it for testing:

export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_DEFAULT_REGION=us-east-1

And did an installation using the config as shown above, and here is the result:

bash-5.3$ ./openshift-install create cluster
INFO ipFamily is not specified in install-config; defaulting to "IPv4"
WARNING Release Image Architecture not detected. Release Image Architecture is unknown
INFO Credentials loaded from the AWS config using "EnvConfigCredentials" provider
INFO Credentials loaded from default AWS environment variables
INFO Successfully populated MCS CA cert information: root-ca 2036-02-24T16:15:26Z 2026-02-26T16:15:26Z
INFO Successfully populated MCS TLS cert information: root-ca 2036-02-24T16:15:26Z 2026-02-26T16:15:26Z
INFO Consuming Install Config from target directory
WARNING Action not allowed with tested creds          action=ec2:AllocateAddress
WARNING Action not allowed with tested creds          action=ec2:AssociateAddress
WARNING Action not allowed with tested creds          action=ec2:AssociateDhcpOptions
WARNING Action not allowed with tested creds          action=ec2:AssociateRouteTable
WARNING Action not allowed with tested creds          action=ec2:AttachInternetGateway
WARNING Action not allowed with tested creds          action=ec2:AttachNetworkInterface
WARNING Action not allowed with tested creds          action=ec2:AuthorizeSecurityGroupEgress
WARNING Action not allowed with tested creds          action=ec2:AuthorizeSecurityGroupIngress
WARNING Action not allowed with tested creds          action=ec2:CopyImage
WARNING Action not allowed with tested creds          action=ec2:CreateCarrierGateway
WARNING Action not allowed with tested creds          action=ec2:CreateDhcpOptions
WARNING Action not allowed with tested creds          action=ec2:CreateInternetGateway
WARNING Action not allowed with tested creds          action=ec2:CreateNatGateway
WARNING Action not allowed with tested creds          action=ec2:CreateNetworkInterface
WARNING Action not allowed with tested creds          action=ec2:CreateRoute
WARNING Action not allowed with tested creds          action=ec2:CreateRouteTable
WARNING Action not allowed with tested creds          action=ec2:CreateSecurityGroup
WARNING Action not allowed with tested creds          action=ec2:CreateSubnet
WARNING Action not allowed with tested creds          action=ec2:CreateTags
WARNING Action not allowed with tested creds          action=ec2:CreateVolume
WARNING Action not allowed with tested creds          action=ec2:CreateVpc
WARNING Action not allowed with tested creds          action=ec2:CreateVpcEndpoint
WARNING Action not allowed with tested creds          action=ec2:DeleteCarrierGateway
WARNING Action not allowed with tested creds          action=ec2:DeleteDhcpOptions
WARNING Action not allowed with tested creds          action=ec2:DeleteInternetGateway
WARNING Action not allowed with tested creds          action=ec2:DeleteNatGateway
WARNING Action not allowed with tested creds          action=ec2:DeleteNetworkInterface
WARNING Action not allowed with tested creds          action=ec2:DeletePlacementGroup
WARNING Action not allowed with tested creds          action=ec2:DeleteRoute
WARNING Action not allowed with tested creds          action=ec2:DeleteRouteTable
WARNING Action not allowed with tested creds          action=ec2:DeleteSecurityGroup
WARNING Action not allowed with tested creds          action=ec2:DeleteSnapshot
WARNING Action not allowed with tested creds          action=ec2:DeleteSubnet
WARNING Action not allowed with tested creds          action=ec2:DeleteTags
WARNING Action not allowed with tested creds          action=ec2:DeleteVolume
WARNING Action not allowed with tested creds          action=ec2:DeleteVpc
WARNING Action not allowed with tested creds          action=ec2:DeleteVpcEndpoints
WARNING Action not allowed with tested creds          action=ec2:DeregisterImage
WARNING Action not allowed with tested creds          action=ec2:DescribeCarrierGateways
WARNING Action not allowed with tested creds          action=ec2:DescribeDhcpOptions
WARNING Action not allowed with tested creds          action=ec2:DescribeInstanceAttribute
WARNING Action not allowed with tested creds          action=ec2:DescribeInstanceCreditSpecifications
WARNING Action not allowed with tested creds          action=ec2:DescribeKeyPairs
WARNING Action not allowed with tested creds          action=ec2:DescribeNetworkAcls
WARNING Action not allowed with tested creds          action=ec2:DescribePrefixLists
WARNING Action not allowed with tested creds          action=ec2:DescribeVpcAttribute
WARNING Action not allowed with tested creds          action=ec2:DescribeVpcClassicLink
WARNING Action not allowed with tested creds          action=ec2:DescribeVpcClassicLinkDnsSupport
WARNING Action not allowed with tested creds          action=ec2:DescribeVpcEndpoints
WARNING Action not allowed with tested creds          action=ec2:DetachInternetGateway
WARNING Action not allowed with tested creds          action=ec2:DisassociateRouteTable
WARNING Action not allowed with tested creds          action=ec2:GetConsoleOutput
WARNING Action not allowed with tested creds          action=ec2:GetEbsDefaultKmsKeyId
WARNING Action not allowed with tested creds          action=ec2:ModifyInstanceAttribute
WARNING Action not allowed with tested creds          action=ec2:ModifyNetworkInterfaceAttribute
WARNING Action not allowed with tested creds          action=ec2:ModifySubnetAttribute
WARNING Action not allowed with tested creds          action=ec2:ModifyVpcAttribute
WARNING Action not allowed with tested creds          action=ec2:ReleaseAddress
WARNING Action not allowed with tested creds          action=ec2:ReplaceRoute
WARNING Action not allowed with tested creds          action=ec2:ReplaceRouteTableAssociation
WARNING Action not allowed with tested creds          action=ec2:RevokeSecurityGroupEgress
WARNING Action not allowed with tested creds          action=ec2:RevokeSecurityGroupIngress
WARNING Action not allowed with tested creds          action=ec2:RunInstances
WARNING Action not allowed with tested creds          action=ec2:TerminateInstances
WARNING Action not allowed with tested creds          action=elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
WARNING Action not allowed with tested creds          action=elasticloadbalancing:AttachLoadBalancerToSubnets
WARNING Action not allowed with tested creds          action=elasticloadbalancing:ConfigureHealthCheck
WARNING Action not allowed with tested creds          action=elasticloadbalancing:CreateLoadBalancerListeners
WARNING Action not allowed with tested creds          action=elasticloadbalancing:DeregisterInstancesFromLoadBalancer
WARNING Action not allowed with tested creds          action=elasticloadbalancing:DescribeInstanceHealth
WARNING Action not allowed with tested creds          action=elasticloadbalancing:DescribeLoadBalancerAttributes
WARNING Action not allowed with tested creds          action=elasticloadbalancing:DescribeTags
WARNING Action not allowed with tested creds          action=elasticloadbalancing:DescribeTargetGroupAttributes
WARNING Action not allowed with tested creds          action=elasticloadbalancing:DescribeTargetHealth
WARNING Action not allowed with tested creds          action=elasticloadbalancing:ModifyTargetGroupAttributes
WARNING Action not allowed with tested creds          action=elasticloadbalancing:RegisterInstancesWithLoadBalancer
WARNING Action not allowed with tested creds          action=elasticloadbalancing:SetLoadBalancerPoliciesOfListener
WARNING Action not allowed with tested creds          action=iam:AddRoleToInstanceProfile
WARNING Action not allowed with tested creds          action=iam:CreateInstanceProfile
WARNING Action not allowed with tested creds          action=iam:CreateRole
WARNING Action not allowed with tested creds          action=iam:DeleteAccessKey
WARNING Action not allowed with tested creds          action=iam:DeleteInstanceProfile
WARNING Action not allowed with tested creds          action=iam:DeleteRole
WARNING Action not allowed with tested creds          action=iam:DeleteRolePolicy
WARNING Action not allowed with tested creds          action=iam:DeleteUser
WARNING Action not allowed with tested creds          action=iam:GetInstanceProfile
WARNING Action not allowed with tested creds          action=iam:GetRolePolicy
WARNING Action not allowed with tested creds          action=iam:ListAttachedRolePolicies
WARNING Action not allowed with tested creds          action=iam:ListInstanceProfiles
WARNING Action not allowed with tested creds          action=iam:ListInstanceProfilesForRole
WARNING Action not allowed with tested creds          action=iam:ListRolePolicies
WARNING Action not allowed with tested creds          action=iam:ListUserPolicies
WARNING Action not allowed with tested creds          action=iam:ListUsers
WARNING Action not allowed with tested creds          action=iam:PassRole
WARNING Action not allowed with tested creds          action=iam:PutRolePolicy
WARNING Action not allowed with tested creds          action=iam:RemoveRoleFromInstanceProfile
WARNING Action not allowed with tested creds          action=iam:TagInstanceProfile
WARNING Action not allowed with tested creds          action=iam:TagRole
WARNING Action not allowed with tested creds          action=route53:ListHostedZonesByName
WARNING Action not allowed with tested creds          action=route53:UpdateHostedZoneComment
WARNING Action not allowed with tested creds          action=s3:CreateBucket
WARNING Action not allowed with tested creds          action=s3:DeleteBucket
WARNING Action not allowed with tested creds          action=s3:DeleteObject
WARNING Action not allowed with tested creds          action=s3:GetAccelerateConfiguration
WARNING Action not allowed with tested creds          action=s3:GetBucketAcl
WARNING Action not allowed with tested creds          action=s3:GetBucketCors
WARNING Action not allowed with tested creds          action=s3:GetBucketLogging
WARNING Action not allowed with tested creds          action=s3:GetBucketObjectLockConfiguration
WARNING Action not allowed with tested creds          action=s3:GetBucketPolicy
WARNING Action not allowed with tested creds          action=s3:GetBucketRequestPayment
WARNING Action not allowed with tested creds          action=s3:GetBucketTagging
WARNING Action not allowed with tested creds          action=s3:GetBucketVersioning
WARNING Action not allowed with tested creds          action=s3:GetBucketWebsite
WARNING Action not allowed with tested creds          action=s3:GetEncryptionConfiguration
WARNING Action not allowed with tested creds          action=s3:GetLifecycleConfiguration
WARNING Action not allowed with tested creds          action=s3:GetObject
WARNING Action not allowed with tested creds          action=s3:GetObjectAcl
WARNING Action not allowed with tested creds          action=s3:GetObjectTagging
WARNING Action not allowed with tested creds          action=s3:GetObjectVersion
WARNING Action not allowed with tested creds          action=s3:GetReplicationConfiguration
WARNING Action not allowed with tested creds          action=s3:ListBucketVersions
WARNING Action not allowed with tested creds          action=s3:PutBucketAcl
WARNING Action not allowed with tested creds          action=s3:PutBucketPolicy
WARNING Action not allowed with tested creds          action=s3:PutBucketTagging
WARNING Action not allowed with tested creds          action=s3:PutEncryptionConfiguration
WARNING Action not allowed with tested creds          action=s3:PutObject
WARNING Action not allowed with tested creds          action=s3:PutObjectAcl
WARNING Action not allowed with tested creds          action=s3:PutObjectTagging
WARNING Action not allowed with tested creds          action=tag:GetResources
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation

From the above log output, I can see the permissions are checked:

WARNING Action not allowed with tested creds          action=ec2:CreateCarrierGateway
WARNING Action not allowed with tested creds          action=ec2:DeleteCarrierGateway
WARNING Action not allowed with tested creds          action=ec2:DescribeCarrierGateways

So I'll mark this PR as verified.

(test user and relative policy + key deleted after testing.)

[liweinan]

/verified by liweinan

[openshift-ci-robot]

@liweinan: This PR has been marked as verified by liweinan.

Details

In response to this:

/verified by liweinan

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

@tthvo I suggest to add unit test for this PR, wdyt? https://github.com/openshift/installer/compare/main...liweinan:installer:OCPBUGS-77355-add-tests?expand=1

Yes @liweinan, this is a great idea. Let me put in your commit here.

It seems my own account has the CarrierGateway permissions, so it can't be used for testing:
I created an IAM user without the CarrierGateway permissions as shown above and used it for testing:

Thanks for the testing! Though, I think the goal is that the minimal permission policy created by the installer should allows CarrierGateway management. I believe the flow would be:

1. Use us-east-1-foe-wlz-1a as edge zone
2. Generate the permission policy.

   $ openshift-install create permissions-policy --dir=<dir>
   

3. Check the generated policy document if it has:

   // Needed by CAPA to create Carrier Gateways
   "ec2:DescribeCarrierGateways"
   "ec2:CreateCarrierGateway"
   // Needed to delete Carrier Gateways
   "ec2:DeleteCarrierGateway"
   

That's all. I can add the unit tests you suggested, and it should also serve as a verification evidence :D

[tthvo]

/test golint

[tthvo]

/test e2e-aws-ovn-edge-zones

[liweinan]

@tthvo Thanks for providing the simplified testing method and adding the unit test! I'll verify it again soon today :D

[liweinan]

OCPBUGS-77355 Verification Report: Permissions Policy Generation

Executive Summary

Test Date: 2026-02-27
Test Method: Permissions Policy Generation Comparison
Test Focus: Verify that new Wavelength Zone format (us-east-1-foe-wlz-1a) triggers Carrier Gateway permission inclusion in generated IAM policies
Result: ✅ PASSED - PR #10338 successfully fixes the regex pattern and generates correct permissions

---

Key Findings

Actual Test Results

New Version (commit df25352) - With PR #10338 Fix:

$ jq '.Statement[] | select(.Sid == "PermissionCreateCarrierGateway")' \
    /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json
{
  "Sid": "PermissionCreateCarrierGateway",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeCarrierGateways",
    "ec2:CreateCarrierGateway",
    "ec2:DeleteCarrierGateway"
  ],
  "Resource": ["*"]
}

$ jq '.Statement | length' /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json
12

✅ Result: Carrier Gateway permissions present in generated policy

---

Old Version (4.21.0-ec.1) - Without Fix:

$ jq '.Statement[] | select(.Sid == "PermissionCreateCarrierGateway")' \
    /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json
(no output - statement does not exist)

$ jq '.Statement | length' /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json
11

❌ Result: Carrier Gateway permissions missing from generated policy (see Test Procedure for full Sid list)

Impact

Version	Policy Statements	Has CAGW Permissions?	Cluster Install Would...
New (with fix)	12	✅ Yes	Succeed (with proper AWS perms)
Old (without fix)	11	❌ No	Fail after 5-7 minutes

Difference: New version adds 1 additional permission statement (PermissionCreateCarrierGateway)

---

Test Objective

Verify that the OpenShift installer correctly:

1. Recognizes the new Wavelength Zone naming format (-wlz suffix)
2. Includes Carrier Gateway permissions in the generated IAM policy
3. Maintains backward compatibility with traditional WLZ format

Bug: OCPBUGS-77355
Fix PR: openshift/installer#10338

---

Test Environment

Installer Versions

New Version (with fix):

./openshift-install v1.4.21-pre-209-gdf253528567ecb0249b9820dcf91db1bca0b9eb1
built from commit df253528567ecb0249b9820dcf91db1bca0b9eb1
release image registry.ci.openshift.org/origin/release:4.21

Old Version (without fix):

openshift-install 4.21.0-ec.1
built from commit ba3e1a916114c1bca58d786109979cf93f1e2733

Test Configuration

Install Config: install-config-new-wlz-format.yaml

Key configuration excerpt:

compute:
- name: edge
  platform:
    aws:
      zones:
      - us-east-1-foe-wlz-1a  # New WLZ format
  replicas: 0
platform:
  aws:
    region: us-east-1

Zone Format: us-east-1-foe-wlz-1a (new Wavelength Zone naming convention with -wlz suffix)

---

Test Procedure

Step 1: Test New Version (With Fix)

1.1 Prepare Test Directory

mkdir -p /tmp/test-new-permissions-policy
cp install-config-new-wlz-format.yaml /tmp/test-new-permissions-policy/install-config.yaml

Output:

✅ Created test directory for new version

1.2 Generate Permissions Policy

./openshift-install create permissions-policy --dir /tmp/test-new-permissions-policy

Output:

level=info msg=ipFamily is not specified in install-config; defaulting to "IPv4"
level=warning msg=Release Image Architecture not detected. Release Image Architecture is unknown
level=info msg=Credentials loaded from the AWS config using "SharedConfigCredentials: /Users/weli/.aws/credentials" provider
level=info msg=Consuming Install Config from target directory
level=info msg=Permissions-Policy created in: /tmp/test-new-permissions-policy

Execution Time: ~5 seconds

1.3 Verify Generated Files

ls -la /tmp/test-new-permissions-policy/

Output:

total 72
drwxr-xr-x@  5 weli  wheel    160 Feb 27 11:13 .
drwxrwxrwt  21 root  wheel    672 Feb 27 11:13 ..
-rw-r-----@  1 weli  wheel  22430 Feb 27 11:13 .openshift_install_state.json
-rw-r--r--@  1 weli  wheel   2157 Feb 27 11:13 .openshift_install.log
-rw-r-----@  1 weli  wheel   6114 Feb 27 11:13 aws-permissions-policy-creds.json

Key File: aws-permissions-policy-creds.json - Contains the generated IAM policy

1.4 Check for Carrier Gateway Permissions

Note: grep -q is quiet mode - no output means success ✅ (see Appendix for details)

Verification commands:

grep -q "ec2:CreateCarrierGateway" /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json && \
  echo "✅ CreateCarrierGateway permission found" || \
  echo "❌ CreateCarrierGateway permission missing"

grep -q "ec2:DeleteCarrierGateway" /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json && \
  echo "✅ DeleteCarrierGateway permission found" || \
  echo "❌ DeleteCarrierGateway permission missing"

grep -q "ec2:DescribeCarrierGateways" /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json && \
  echo "✅ DescribeCarrierGateways permission found" || \
  echo "❌ DescribeCarrierGateways permission missing"

Output:

✅ CreateCarrierGateway permission found
✅ DeleteCarrierGateway permission found
✅ DescribeCarrierGateways permission found

1.5 Extract Carrier Gateway Permission Group (Recommended)

Using jq for clear, formatted output:

jq '.Statement[] | select(.Sid == "PermissionCreateCarrierGateway")' \
  /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json

Output:

{
  "Sid": "PermissionCreateCarrierGateway",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeCarrierGateways",
    "ec2:CreateCarrierGateway",
    "ec2:DeleteCarrierGateway"
  ],
  "Resource": [
    "*"
  ]
}

✅ Result: New version successfully includes Carrier Gateway permissions

---

Step 2: Test Old Version (Without Fix)

2.1 Prepare Test Directory

mkdir -p /tmp/test-old-permissions-policy
cp install-config-new-wlz-format.yaml /tmp/test-old-permissions-policy/install-config.yaml

Output:

✅ Created test directory for old version

2.2 Generate Permissions Policy

~/works/oc-swarm/openshift-versions/4.21.0-ec.1/openshift-install create permissions-policy \
  --dir /tmp/test-old-permissions-policy

Output:

level=info msg=Credentials loaded from the "default" profile in file "/Users/weli/.aws/credentials"
level=info msg=Consuming Install Config from target directory
level=info msg=Permissions-Policy created in: /tmp/test-old-permissions-policy

Execution Time: ~5 seconds

2.3 Check for Carrier Gateway Permissions

Using grep with echo (shows clear result):

grep -q "ec2:CreateCarrierGateway" /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json && \
  echo "✅ CreateCarrierGateway permission found" || \
  echo "❌ CreateCarrierGateway permission missing"

grep -q "ec2:DeleteCarrierGateway" /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json && \
  echo "✅ DeleteCarrierGateway permission found" || \
  echo "❌ DeleteCarrierGateway permission missing"

grep -q "ec2:DescribeCarrierGateways" /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json && \
  echo "✅ DescribeCarrierGateways permission found" || \
  echo "❌ DescribeCarrierGateways permission missing"

Output:

❌ CreateCarrierGateway permission missing
❌ DeleteCarrierGateway permission missing
❌ DescribeCarrierGateways permission missing

2.4 Attempt to Extract Carrier Gateway Permission Group

Using jq to search for the permission group:

jq '.Statement[] | select(.Sid == "PermissionCreateCarrierGateway")' \
  /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json

Output:

(empty - no output, statement does not exist)

Analyze policy structure:

# Count total permission statements
jq '.Statement | length' /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json

# List all statement Sids
jq '.Statement[].Sid' /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json

Output:

11

"CreateBase"
"CreateNetworking"
"CreateHostedZone"
"DeleteBase"
"DeleteNetworking"
"DeleteHostedZone"
"DeleteIgnitionObjects"
"CreateInstanceRole"
"CreateInstanceProfile"
"PermissionEdgeDefaultInstance"
"PermissionMintCreds"

Note: "PermissionCreateCarrierGateway" is missing from the old version ❌

❌ Result: Old version does NOT include Carrier Gateway permissions

---

Step 3: Compare Policy Statement Counts

echo "NEW version total statements: $(jq '.Statement | length' /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json)"
echo "OLD version total statements: $(jq '.Statement | length' /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json)"

Output:

NEW version total statements: 12
OLD version total statements: 11

Difference: The new version has 1 additional permission statement (Carrier Gateway)

---

Verification Logic

Regex Pattern Analysis

Old Regex Pattern (before PR #10338):

isWLZoneRegex := regexp.Compile(`wl\d\-.*`)

Test Against: us-east-1-foe-wlz-1a

• Pattern expects: wl + digit + - + anything
• Actual zone: foe-wlz-1a (ends with -wlz, not starts with wl\d-)
• Match Result: ❌ Does NOT match
• Consequence: Zone not recognized as Wavelength Zone → No CAGW permissions added

---

New Regex Pattern (with PR #10338):

isWLZoneRegex := regexp.Compile(`wl\d\-.*|-wlz`)

Test Against: us-east-1-foe-wlz-1a

• Pattern expects: (wl + digit + - + anything) OR (ends with -wlz)
• Actual zone: foe-wlz-1a (matches the |-wlz alternative)
• Match Result: ✅ Matches
• Consequence: Zone recognized as Wavelength Zone → CAGW permissions added

---

Permission Generation Flow

Install Config with WLZ zone
  ↓
installer analyzes compute pools
  ↓
calls includesWavelengthZones()
  ↓
applies regex: wl\d\-.*|-wlz
  ↓
us-east-1-foe-wlz-1a matches |-wlz pattern
  ↓
returns TRUE
  ↓
adds PermissionCarrierGateway to policy
  ↓
generates aws-permissions-policy-creds.json with CAGW permissions

Expected Permissions for Wavelength Zones

When Wavelength Zones are detected, the installer must include:

1. ec2:CreateCarrierGateway - Create Carrier Gateway for Wavelength Zone public subnets
2. ec2:DeleteCarrierGateway - Clean up Carrier Gateway during cluster destruction
3. ec2:DescribeCarrierGateways - Query existing Carrier Gateways

Why these are needed: Wavelength Zones require Carrier Gateways (not Internet Gateways) for public internet connectivity. Without these permissions, cluster installation will fail when ClusterAPI attempts to create networking infrastructure.

---

What This Test Validates

✅ Core Fix Validation

1. Regex Pattern Fixed

   • New pattern wl\d\-.*|-wlz correctly matches both traditional and new WLZ formats
   • Traditional format: us-west-2-wl1-sea-wlz-1 (matches wl\d\-.*)
   • New format: us-east-1-foe-wlz-1a (matches |-wlz)

2. Permission Generation Logic

   • When WLZ detected → Carrier Gateway permissions included
   • When WLZ not detected → Carrier Gateway permissions omitted

3. Policy Document Correctness

   • Generated policy contains all three required CAGW actions
   • Sid naming convention followed: PermissionCreateCarrierGateway
   • Resource scope appropriate: * (Carrier Gateways are regional resources)

✅ Backward Compatibility

The fix maintains compatibility with:

• Traditional WLZ format zones (e.g., us-west-2-wl1-sea-wlz-1)
• Non-WLZ zones (regular availability zones)
• Existing install-config patterns

✅ User Experience Impact

Scenario	Old Version	New Version
Policy Generation	Missing CAGW permissions	✅ Includes CAGW permissions
Installation Failure	After 5-7 minutes (during CAGW creation)	❌→✅ Early (or succeeds)
Error Message	Generic 403 UnauthorizedOperation	Clear permission requirement
User Confusion	"But I used installer-generated policy!"	Policy is correct from start

---

Test Scope

This test validates: Policy generation correctness (regex pattern → CAGW permissions included)

For additional validation, see complementary test methods:

• Runtime permission checking: SAFE-TESTING-GUIDE.md (negative permission test)
• Full cluster deployment: End-to-end installation test with actual Wavelength Zones

---

Test Evidence Files

All test artifacts are preserved for review:

Generated Policy Files

New Version:

Location: /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json
Size: 6114 bytes
Statements: 12
Contains CAGW: ✅ Yes

Old Version:

Location: /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json
Size: ~5.8KB (smaller)
Statements: 11
Contains CAGW: ❌ No

Test Configuration

Install Config:

Source: /Users/weli/works/oc-swarm/installer/bin/install-config-new-wlz-format.yaml
Test Copy (new): /tmp/test-new-permissions-policy/install-config.yaml
Test Copy (old): /tmp/test-old-permissions-policy/install-config.yaml

Verification Commands

To reproduce or verify the results:

# Verify new version includes CAGW permissions
jq '.Statement[] | select(.Action[]? | contains("CreateCarrierGateway"))' \
  /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json

# Verify old version lacks CAGW permissions (should output nothing)
jq '.Statement[] | select(.Action[]? | contains("CreateCarrierGateway"))' \
  /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json

# Compare statement counts
echo "New: $(jq '.Statement | length' /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json)"
echo "Old: $(jq '.Statement | length' /tmp/test-old-permissions-policy/aws-permissions-policy-creds.json)"

---

Conclusion

Test Result: ✅ PASSED

PR #10338 successfully fixes OCPBUGS-77355 by:

1. Updating the regex pattern from wl\d\-.* to wl\d\-.*|-wlz

   • Now correctly matches new WLZ naming format (us-east-1-foe-wlz-1a)
   • Maintains backward compatibility with traditional format

2. Generating correct IAM policies

   • Includes all three required Carrier Gateway permissions
   • Policy document structure follows installer conventions

3. Improving user experience

   • Users can now generate correct IAM policies for new WLZ zones
   • Prevents silent permission gaps that cause late installation failures

Verification Evidence

• ✅ New version generates policy with CAGW permissions (12 statements)
• ✅ Old version does not include CAGW permissions (11 statements)
• ✅ Regex pattern change validated through policy generation behavior
• ✅ Test reproducible with preserved artifacts

Recommendation

This PR is ready for merge based on:

• ✅ Unit tests cover regex pattern changes
• ✅ Permissions policy test validates policy generation correctness
• ✅ No backward compatibility issues identified
• ✅ Fix directly addresses root cause in OCPBUGS-77355

Related Documentation

• Test Plan: TEST-PLAN-PERMISSIONS-POLICY.md
• Alternative Test Method: SAFE-TESTING-GUIDE.md (negative permission testing)
• Complete Analysis: ../release/docs/OCPBUGS-77355-wavelength-zone-complete-analysis.md
• Behavior Comparison: BEHAVIOR-COMPARISON-OLD-VS-NEW.md
• Test Results Summary: permissions-policy-test-results.txt

---

Verification Date: 2026-02-27
Verified By: OpenShift Installer QE
Verification Method: Permissions Policy Generation Comparison
Test Status: ✅ PASSED
PR Status: Ready for Merge

---

Appendix: Technical Details

Code Changes in PR #10338

File: pkg/asset/installconfig/aws/permissions.go

Before:

isWLZoneRegex := regexp.Compile(`wl\d\-.*`)

After:

isWLZoneRegex := regexp.Compile(`wl\d\-.*|-wlz`)

Impact: This single-line change enables the installer to recognize both traditional (wl1-sea-wlz-1) and new (foe-wlz-1a) Wavelength Zone formats. See Verification Logic section for detailed regex pattern analysis.

---

Appendix: Understanding grep -q Behavior

Why "No Output" Means Success

When running the test manually, users may be confused by grep -q producing no output:

$ grep -q "ec2:CreateCarrierGateway" /tmp/test-new-permissions-policy/aws-permissions-policy-creds.json
$
(returns to prompt with no output)

This is CORRECT behavior! ✅

How grep -q Works

The -q flag means "quiet" or "silent" mode:

Condition	Exit Code	Output	Meaning
Match found	0	(none)	✅ Success
No match	1	(none)	❌ Failure
File error	2	Error message	⚠️ Problem

Checking the Result

Method 1: Use && and || operators

grep -q "ec2:CreateCarrierGateway" file.json && \
  echo "✅ Found" || \
  echo "❌ Not found"

Method 2: Check exit code

grep -q "ec2:CreateCarrierGateway" file.json
echo $?  # 0 = found, 1 = not found

Method 3: Use jq (recommended - most clear)

jq '.Statement[] | select(.Sid == "PermissionCreateCarrierGateway")' file.json
# If permission exists, shows formatted JSON
# If permission missing, shows nothing

Common Mistake

❌ Assuming no output means failure

$ grep -q "something" file.json
$
# User thinks: "No output, must have failed!"
# Reality: No output with exit code 0 = SUCCESS

✅ Correct interpretation

$ grep -q "something" file.json
$ echo $?
0
# Exit code 0 = match found ✅

---

Reproducibility

This test can be reproduced on any system with:

Requirements:

• OpenShift installer binaries (both old and new versions)
• Valid AWS credentials (any credentials - no special permissions needed)
• jq tool for JSON parsing
• Install-config with new WLZ format zone

Time Required: ~2 minutes

AWS Resources Created: None

Cost: $0

This makes it ideal for CI automation and repeated verification.

---

For the CI test job to be created later, I plan to use the restricted IAM user approach combined with the actual cluster installation, which can validate real-world installation scenarios.

[liweinan]

/verified by liweinan

[openshift-ci-robot]

@liweinan: This PR has been marked as verified by liweinan.

Details

In response to this:

/verified by liweinan

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

For the CI test job to be created later, I plan to use the restricted IAM user approach combined with the actual cluster installation, which can validate real-world installation scenarios.

@liweinan The job ci/prow/e2e-aws-ovn-edge-zones should already do that. That's why it failed in the first place :D We should be good in this front.

[liweinan]

@tthvo Cool!

[patrickdillon]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/asset/installconfig/aws/OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/cherry-pick release-4.21

[openshift-cherrypick-robot]

@tthvo: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tthvo]

/retest-required

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups	df25352	link	false	/test e2e-aws-ovn-shared-vpc-custom-security-groups
ci/prow/e2e-aws-ovn-imdsv2	df25352	link	false	/test e2e-aws-ovn-imdsv2
ci/prow/e2e-aws-ovn-heterogeneous	df25352	link	false	/test e2e-aws-ovn-heterogeneous
ci/prow/e2e-aws-ovn-edge-zones	df25352	link	false	/test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tthvo]

/retest-required

[openshift-ci-robot]

@tthvo: Jira Issue Verification Checks: Jira Issue OCPBUGS-77355
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-77355 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

The correct regex should check for segment -wlz, which is common for all "known" wavelength zones.

One example where the old regex wl\d\-.*$ would fail is us-east-1-foe-wlz-1a. See failed job.

References

https://docs.aws.amazon.com/wavelength/latest/developerguide/available-wavelength-zones.html

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@tthvo: new pull request created: #10343

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.