OSDOCS-2847 - Updating the ROSA STS cluster delete section

modules/rosa-deleting-aws-resources-cli.adoc

@@ -1,100 +0,0 @@
-// Module included in the following assemblies:
-//
-// * rosa_getting_started_sts/rosa-sts-deleting-cluster.adoc
-
-[id="rosa-deleting-aws-resources-cli_{context}"]
-= Deleting the AWS resources by using the CLI
-
-After deleting a {product-title} (ROSA) cluster, you can delete the AWS Security Token Service (STS) resources by using the CLI.
-
-[IMPORTANT]
-====
-Account-wide Identity Access Management (IAM) roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
-====
-
-.Prerequisites
-
-* You have installed and configured the latest AWS CLI on your installation host.
-* You have deleted your ROSA cluster. For more information, see the _Deleting a cluster_ section.
-+
-[IMPORTANT]
-====
-You must delete the cluster before you remove the IAM roles and policies. The account-wide roles and policies are required to delete the resources created by the installer. The Operator roles and policies are required to clean-up the resources created by the OpenShift Operators.
-====
-
-.Procedure
-
-. Delete the OpenID Connect (OIDC) provider that you created for Operator authentication in your cluster:
-+
-[source,terminal]
-----
-$ aws iam delete-open-id-connect-provider --open-id-connect-provider-arn <oidc_provider_arn> <1>
-----
-<1> Replace `<oidc_provider_arn>` with the Amazon Resource Name (ARN) of the OpenID Connect (OIDC) resource that you created to authenticate the cluster Operators. You can run `$ aws iam list-open-id-connect-providers` to list the OIDC providers in your account.
-
-. Delete the cluster-specific Operator IAM roles:
-.. List the account-wide Operator policy that is attached to one of the cluster-specific IAM roles:
-+
-[source,terminal]
-----
-$ aws iam list-attached-role-policies --role-name <operator_role_name> <1>
-----
-<1> Replace `<operator_role_name>` with the name of a cluster-specific Operator role that you created for the cluster. Specify the role name and not the full ARN. You can run `$ aws iam list-roles` to list the roles in your account.
-+
-[TIP]
-====
-The IAM role and policy names include the role prefix that is specified when the STS resources are created. The default prefix is `ManagedOpenShift`.
-====
-+
-.. Detach the policy from role:
-+
-[source,terminal]
-----
-$ aws iam detach-role-policy --role-name <operator_role_name> --policy-arn <operator_policy_arn> <1>
-----
-<1> Replace `<operator_policy_arn>` with the ARN of the attached Operator policy.
-+
-.. Delete the role:
-+
-[source,terminal]
-----
-$ aws iam delete-role --role-name <operator_role_name>
-----
-+
-.. Repeat the steps to delete each of the cluster-specific Operator roles for the cluster.
-
-. Delete the account-wide Operator policies that you created for ROSA deployments that use STS. The following command deletes a single policy:
-+
-[source,terminal]
-----
-$ aws iam delete-policy --policy-arn <operator_policy_arn>  <1>
-----
-<1> Replace `<operator_policy_arn>` with the ARN of one of the Operator policies. You can list the policies in your account by running `$ aws iam list-policies`.
-+
-Repeat this step to delete each of the Operator policies.
-
-. Delete the account-wide IAM roles and inline policies that you created for ROSA deployments that use STS:
-.. List the inline policy for one of the account-wide IAM roles:
-+
-[source,terminal]
-----
-$ aws iam list-role-policies --role-name <account_wide_role_name> <1>
-----
-<1> Replace `<account_wide_role_name>` with the name of one of the account-wide IAM roles. Specify the role name and not the full ARN. You can run `$ aws iam list-roles` to list the roles in your account.
-+
-.. Delete the inline policy:
-+
-[source,terminal]
-----
-$ aws iam delete-role-policy --role-name <account_wide_role_name> --policy-name <inline_role_policy_name><1>
-----
-<1> Replace `<inline_role_policy_name>` with the policy name that is included in the output of the preceding command.
-+
-.. Delete the role:
-+
-[source,terminal]
-----
-$ aws iam delete-role --role-name <account_wide_role_name>
-----
-+
-.. Repeat the steps to delete each of the account-wide roles.

modules/rosa-deleting-cluster.adoc

@@ -10,10 +10,19 @@ endif::[]
 [id="rosa-deleting-cluster_{context}"]
 = Deleting a cluster
 
-You can delete an {product-title} cluster using the `rosa` CLI.
+You can delete an {product-title} cluster using the `rosa` CLI. 
+
+ifdef::sts[]
+You can also use the `rosa` CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. The cluster deletion must complete before you remove the IAM resources, because the resources are used in the cluster deletion and clean-up processes.
 
 If add-ons are installed, the deletion takes longer because add-ons are uninstalled before the cluster is deleted. The amount of time depends on the number and size of the add-ons.
 
+[IMPORTANT]
+====
+Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+====
+endif::sts[]
+
 .Procedure
 
 . Enter the following command to delete a cluster and watch the logs, replacing `<cluster_name>` with the name or ID of your cluster:
@@ -22,6 +31,13 @@ If add-ons are installed, the deletion takes longer because add-ons are uninstal
 ----
 $ rosa delete cluster --cluster=<cluster_name> --watch
 ----
+ifdef::sts[]
++
+[IMPORTANT]
+====
+You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate.
+====
+endif::sts[]
 
 ifndef::sts[]
 . To clean up your CloudFormation stack, enter the following command:
@@ -32,6 +48,44 @@ $ rosa init --delete-stack
 ----
 endif::sts[]
 
+ifdef::sts[]
+.  Delete the OIDC provider that the cluster Operators use to authenticate:
++
+[source,terminal]
+----
+$ rosa delete oidc-provider -c <cluster_id> --mode auto <1>
+----
+<1> Replace `<cluster_id>` with the ID of the cluster.
++
+[NOTE]
+====
+You can use the `-y` option to automatically answer yes to the prompts.
+====
+
+. Delete the cluster-specific Operator IAM roles:
++
+[source,terminal]
+----
+$ rosa delete operator-roles -c <cluster_id> --mode auto <1>
+----
+<1> Replace `<cluster_id>` with the ID of the cluster.
+
+. Delete the account-wide roles:
++
+[source,terminal]
+----
+$ rosa delete account-roles --prefix <prefix> --mode auto <1>
+----
+<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
++
+[IMPORTANT]
+====
+Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+====
+
+. Use the AWS IAM Console to delete the account-wide inline and Operator policies. For detailed steps, see the _Deleting the AWS resources by using the AWS IAM Console_ section.
+endif::sts[]
+
 ifeval::["{context}" == "rosa-sts-deleting-cluster"]
 :!sts:
 endif::[]

rosa_getting_started_sts/rosa-sts-deleting-cluster.adoc

@@ -8,5 +8,4 @@ toc::[]
 Delete a {product-title} (ROSA) cluster using the `rosa` command-line.
 
 include::modules/rosa-deleting-cluster.adoc[leveloffset=+1]
-include::modules/rosa-deleting-aws-resources-cli.adoc[leveloffset=+1]
 include::modules/rosa-deleting-aws-resources-aws-console.adoc[leveloffset=+1]