OCPBUGS-85352: aws: fix Route 53 resource leak during cluster destroy in China regions

[tthvo]

When destroying a cluster in cn-north-1, the installer was not searching cn-northwest-1 for tagged resources. Since Route 53 is a global service within the aws-cn partition, hosted zones need to be discovered via the cn-northwest-1 region regardless of which China region was used for installation. See AWS docs.

This adds cross-region tag client search for China regions (mirroring the existing GovCloud pattern) and also adds the aws-cn partition case to the shared hosted zone tag region resolution.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced resource tagging consistency during cluster destruction in AWS China regions. The system now ensures comprehensive tag discovery across both cn-north-1 and cn-northwest-1 regions, improving the reliability and completeness of resource cleanup operations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c23ab497-b3a3-4833-ba56-26f872fe9523

📥 Commits

Reviewing files that changed from the base of the PR and between e71ff06 and bc69601.

📒 Files selected for processing (1)

• pkg/destroy/aws/aws.go

---

Walkthrough

Updated AWS-China region handling in the cluster destroy workflow. When creating the cross-account Resource Groups Tagging API client, the code now maps AwsCnPartitionID to cn-northwest-1 and conditionally adds an additional tagging client to ensure consistent tag discovery across China regions.

Changes

Cohort / File(s)	Summary
AWS China Region Handling pkg/destroy/aws/aws.go	Updated region-specific logic for Resource Groups Tagging API client initialization to support AWS-China partitions. Maps AwsCnPartitionID to cn-northwest-1 and conditionally adds a secondary tagging client when operating in cn-north-1 or cn-northwest-1 regions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the main fix: Route 53 resource leak during cluster destroy in China regions, which is the core issue addressed in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only production code (pkg/destroy/aws/aws.go) and does not add or modify any Ginkgo test files. The custom check for stable test names is not applicable to this PR.
Test Structure And Quality	✅ Passed	The check requires reviewing Ginkgo test code. This PR contains only production code changes to aws.go for China region Route 53 handling, with no test files. The check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. It only modifies pkg/destroy/aws/aws.go for Route 53 resource handling in China regions. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add any Ginkgo e2e tests. Changes are only to pkg/destroy/aws/aws.go infrastructure code with no test declarations or test framework imports.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only AWS cleanup code (pkg/destroy/aws/aws.go). No manifests, operators, or scheduling constraints introduced. Check not applicable.
Ote Binary Stdout Contract	✅ Passed	Changes are in pkg/destroy/aws/aws.go, a business logic library for cluster destruction. No test setup code, no stdout writes detected (only fmt.Sprintf and fmt.Errorf for internal use).
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. Changes are to pkg/destroy/aws/aws.go (AWS cluster destroy logic), not e2e test code. The IPv6/disconnected network check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tthvo]

/tide refresh
/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-85352, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/tide refresh
/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/test verify-deps verify-codegen okd-scos-images images artifacts-images

[tthvo]

/cc @patrickdillon @barbacbd

[tthvo]

/test e2e-aws-ovn e2e-aws-eusc-techpreview

[tthvo]

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-5.0-aws-ipi-shared-phz-f14

[openshift-ci]

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-verification-tests-main-installation-nightly-5.0-aws-ipi-shared-phz-f14

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/fc526cb0-4d62-11f1-81ac-0ba587b1f030-0

[tthvo]

/verified by @tthvo in aws-cn and CI (for other partitions)

[openshift-ci-robot]

@tthvo: This PR has been marked as verified by @tthvo in aws-cn and CI (for other partitions).

Details

In response to this:

/verified by @tthvo in aws-cn and CI (for other partitions)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@tthvo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-eusc-techpreview	bc69601	link	false	/test e2e-aws-eusc-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tthvo]

/test e2e-aws-eusc-techpreview