From 823459d83416f6d3b063ac9496be4879141ed66d Mon Sep 17 00:00:00 2001
From: David Mather
Date: Fri, 8 Apr 2022 14:11:06 -0700
Subject: [PATCH 1/2] Only attempt to delete bootstrap data secret if InsecureSkipSecretsManager isn't set

---
 controllers/awsmachine_controller.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/controllers/awsmachine_controller.go b/controllers/awsmachine_controller.go
index 7178c7d4d6..7c57be3f2a 100644
--- a/controllers/awsmachine_controller.go
+++ b/controllers/awsmachine_controller.go
@@ -733,8 +733,10 @@ func (r *AWSMachineReconciler) ignitionUserData(scope *scope.MachineScope, objec
 }
 
 func (r *AWSMachineReconciler) deleteBootstrapData(machineScope *scope.MachineScope, clusterScope cloud.ClusterScoper, objectStoreScope scope.S3Scope) error {
-	if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
-		return err
+	if !machineScope.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager {
+		if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
+			return err
+		}
 	}
 
 	if objectStoreScope != nil {

From d15f9bcf27caa1f7157b0f7d17127a49b8dea261 Mon Sep 17 00:00:00 2001
From: David Mather
Date: Fri, 8 Apr 2022 14:36:05 -0700
Subject: [PATCH 2/2] add unit test

---
 controllers/awsmachine_controller_unit_test.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/controllers/awsmachine_controller_unit_test.go b/controllers/awsmachine_controller_unit_test.go
index 3ebea82996..0cf6729841 100644
--- a/controllers/awsmachine_controller_unit_test.go
+++ b/controllers/awsmachine_controller_unit_test.go
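Review bot: In deleteBootstrapData (controllers/awsmachine_controller.go hunk), the new guard keys off the current `Spec.CloudInit.InsecureSkipSecretsManager` value rather than off whether a secret was actually stored, so a machine whose encrypted bootstrap data was written while the flag was false and whose spec later reads true would skip cleanup and leave that secret behind in the secrets backend. If deleteEncryptedBootstrapDataSecret already returns early when the scope records no secret prefix (its body is outside this hunk), gating on that recorded state instead of, or in addition to, the spec flag would make the cleanup decision follow what was created rather than what is currently configured. Either way the intent deserves a why-comment above the new `if`, e.g. `// No encrypted bootstrap secret is created when InsecureSkipSecretsManager is set, so there is nothing to remove from the secrets backend.` The body of deleteBootstrapData continues past the end of the hunk.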
@@ -1079,6 +1079,20 @@ func TestAWSMachineReconciler(t *testing.T) {
 				ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
 				_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
 			})
+			t.Run("should not attempt to delete the secret if InsecureSkipSecretsManager is set on CloudInit", func(t *testing.T) {
+				g := NewWithT(t)
+				awsMachine := getAWSMachine()
+				setup(t, g, awsMachine)
+				defer teardown(t, g)
+				setNodeRef(t, g)
+
+				ms.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager = true
+
+				secretSvc.EXPECT().Delete(gomock.Any()).Return(nil).Times(0)
+				ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
+
+				_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
+			})
 		})
 
 		t.Run("Secrets management lifecycle when there's only a secret ARN and no node ref", func(t *testing.T) {
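Review bot: The new subtest discards the result of `reconciler.reconcileDelete(ms, cs, cs, cs, cs)`, so an error returned earlier in reconcileDelete, before deleteBootstrapData is reached, would also satisfy the `Times(0)` expectation on `secretSvc.EXPECT().Delete(...)` and the test would pass without exercising the new guard at all. Replace the last line with `_, err := reconciler.reconcileDelete(ms, cs, cs, cs, cs)` followed by `g.Expect(err).ToNot(HaveOccurred())` so the zero-call expectation is only satisfied by a reconcile that ran to completion. The preceding subtest uses the same `_, _ =` form, so this is consistent with existing style, but a negative expectation is exactly where a vacuous pass hides a regression. Whether getAWSMachine() records a secret prefix such that the un-gated path would actually call Delete is not visible here; if it does not, the test cannot distinguish the new guard from an existing early return, and a short comment stating which setup field makes Delete reachable would make that explicit.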