Deleted default egress rule upon SG creation (#135)

LikithaVemulapalli · web-flow · commit c3e4352a6cf5 · 2023-04-25T17:04:23.000+02:00
Issue #, if available: aws-controllers-k8s/community#1766 Description of changes: As per the current functionality, default Egress Rule is attached automatically upon creation of Security Group. Modified code to delete the default egress rule that's created even if user doesn't specify any egress rule. Modified the e2e tests to match this requirement. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2023-02-09T23:51:42Z"
+  build_date: "2023-04-25T13:24:38Z"
   build_hash: d0f3d78cbea8061f822cbceac3786128f091efe6
-  go_version: go1.19
+  go_version: go1.19.6
   version: v0.24.2
 api_directory_checksum: 6e86aa4f26729ce014485b1096286db654459af7
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93
 generator_config_info:
-  file_checksum: d9d0156fc1156be66ef8542caa31686764629ad7
+  file_checksum: cc2c6590c6e77a6125d5eec82ff5f693109d4f99
   original_file_name: generator.yaml
 last_modification:
   reason: API generation
diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml
@@ -419,7 +419,6 @@ resources:
         custom_field:
           list_of: IpPermission
       EgressRules:
-        late_initialize: {}
         custom_field:
           list_of: IpPermission
       Rules:
diff --git a/generator.yaml b/generator.yaml
@@ -419,7 +419,6 @@ resources:
         custom_field:
           list_of: IpPermission
       EgressRules:
-        late_initialize: {}
         custom_field:
           list_of: IpPermission
       Rules:
diff --git a/helm/crds/services.k8s.aws_adoptedresources.yaml b/helm/crds/services.k8s.aws_adoptedresources.yaml
@@ -145,7 +145,10 @@ spec:
                             blockOwnerDeletion:
                               description: If true, AND if the owner has the "foregroundDeletion"
                                 finalizer, then the owner cannot be deleted from the
-                                key-value store until this reference is removed. Defaults
+                                key-value store until this reference is removed. See
+                                https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+                                for how the garbage collector interacts with this
+                                field and enforces the foreground deletion. Defaults
                                 to false. To set this field, a user needs "delete"
                                 permission of the owner, otherwise 422 (Unprocessable
                                 Entity) will be returned.
diff --git a/pkg/resource/security_group/manager.go b/pkg/resource/security_group/manager.go
diff --git a/pkg/resource/security_group/sdk.go b/pkg/resource/security_group/sdk.go
diff --git a/templates/hooks/security_group/sdk_create_post_set_output.go.tpl b/templates/hooks/security_group/sdk_create_post_set_output.go.tpl
@@ -3,11 +3,9 @@
 		return nil, ackerr.NotFound
 	}
 
-	// if user defines any egress rule, then remove the default egress rule
-	if len(desired.ko.Spec.EgressRules) > 0 {
-		if err = rm.deleteDefaultSecurityGroupRule(ctx, &resource{ko}); err != nil {
-			return nil, err
-		}
+	// Delete the default egress rule
+	if err = rm.deleteDefaultSecurityGroupRule(ctx, &resource{ko}); err != nil {
+		return nil, err
 	}
 
 	if err = rm.syncSGRules(ctx, &resource{ko}, nil); err != nil {
diff --git a/test/e2e/tests/test_security_group.py b/test/e2e/tests/test_security_group.py
@@ -159,33 +159,18 @@ def test_create_delete(self, ec2_client, simple_security_group):
         # Check Security Group no longer exists in AWS
         ec2_validator.assert_security_group(resource_id, exists=False)
 
-    def test_create_with_vpc_egress_dups_default_delete(self, ec2_client, security_group_with_vpc):
+    def test_create_with_vpc_add_egress_rule(self, ec2_client, security_group_with_vpc):
         (ref, cr) = security_group_with_vpc
         resource_id = cr["status"]["id"]
 
-        # Check resource is late initialized successfully (sets default egress rule)
+        # Check resource is synced successfully
         assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=5)
 
         # Check Security Group exists in AWS
         ec2_validator = EC2Validator(ec2_client)
         ec2_validator.assert_security_group(resource_id)
 
-        # Hook code should update Spec rules using data from ReadOne resp
-        assert len(cr["spec"]["egressRules"]) == 1
-
-        # Check default egress rule present
-        # default egress rule will be present iff user has NOT specified their own egress rules
-        assert len(cr["status"]["rules"]) == 1
-        sg_group = ec2_validator.get_security_group(resource_id)
-        egress_rules = sg_group["IpPermissionsEgress"]
-        assert len(egress_rules) == 1
-        logging.debug(f"Default Egress rule: {str(egress_rules[0])}")
-
-        # Check default egress rule data
-        assert egress_rules[0]["IpProtocol"] == "-1"
-        assert egress_rules[0]["IpRanges"][0]["CidrIp"] == "0.0.0.0/0"
-
-        # Add a new Egress rule that "duplicates" the default via patch
+        # Add a new Egress rule via patch
         new_egress_rule = {
                         "ipProtocol": "-1",
                         "ipRanges": [{
@@ -210,7 +195,7 @@ def test_create_with_vpc_egress_dups_default_delete(self, ec2_client, security_g
         assert len(sg_group["IpPermissions"]) == 0
         assert len(sg_group["IpPermissionsEgress"]) == 1
 
-        # Check egress rule data (i.e. ensure default egress rule removed)
+        # Check egress rule data
         assert sg_group["IpPermissionsEgress"][0]["IpProtocol"] == "-1"
         assert len(sg_group["IpPermissionsEgress"][0]["IpRanges"]) == 1
         ip_range = sg_group["IpPermissionsEgress"][0]["IpRanges"][0]
@@ -239,7 +224,7 @@ def test_rules_create_update_delete(self, ec2_client, simple_security_group):
         (ref, cr) = simple_security_group
         resource_id = cr["status"]["id"]
     
-        # Check resource is late initialized successfully (sets default egress rule)
+        # Check resource is synced successfully
         assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=5)
 
         # Check Security Group exists in AWS
@@ -248,18 +233,11 @@ def test_rules_create_update_delete(self, ec2_client, simple_security_group):
 
         # Hook code should update Spec rules using data from ReadOne resp
         assert len(cr["spec"]["ingressRules"]) == 1
-        assert len(cr["spec"]["egressRules"]) == 1
 
-        # Check ingress rule added and default egress rule present
-        # default egress rule will be present iff user has NOT specified their own egress rules
-        assert len(cr["status"]["rules"]) == 2
+        # Check ingress rule added
+        assert len(cr["status"]["rules"]) == 1
         sg_group = ec2_validator.get_security_group(resource_id)
         assert len(sg_group["IpPermissions"]) == 1
-        assert len(sg_group["IpPermissionsEgress"]) == 1
-
-        # Check default egress rule data
-        assert sg_group["IpPermissionsEgress"][0]["IpProtocol"] == "-1"
-        assert sg_group["IpPermissionsEgress"][0]["IpRanges"][0]["CidrIp"] == "0.0.0.0/0"
 
         # Add Egress rule via patch
         new_egress_rule = {
@@ -269,7 +247,7 @@ def test_rules_create_update_delete(self, ec2_client, simple_security_group):
                         "ipRanges": [
                             {
                                 "cidrIP": "172.31.0.0/16",
-                                "description": "test egress update"
+                                "description": "test egress"
                             }
                         ]
         }
@@ -282,16 +260,15 @@ def test_rules_create_update_delete(self, ec2_client, simple_security_group):
         assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=5)
 
         # Check ingress and egress rules exist
-        assert len(cr["status"]["rules"]) == 2
         sg_group = ec2_validator.get_security_group(resource_id)
         assert len(sg_group["IpPermissions"]) == 1
         assert len(sg_group["IpPermissionsEgress"]) == 1
         
-        # Check egress rule data (i.e. ensure default egress rule removed)
+        # Check egress rule data
         assert sg_group["IpPermissionsEgress"][0]["IpProtocol"] == "tcp"
         assert sg_group["IpPermissionsEgress"][0]["FromPort"] == 25
         assert sg_group["IpPermissionsEgress"][0]["ToPort"] == 25
-        assert sg_group["IpPermissionsEgress"][0]["IpRanges"][0]["Description"] == "test egress update"
+        assert sg_group["IpPermissionsEgress"][0]["IpRanges"][0]["Description"] == "test egress"
 
         # Remove Ingress rule
         patch = {"spec": {"ingressRules":[]}}

Original file line number	Diff line number	Diff line change
`@@ -3,11 +3,9 @@`
`3`	`3`	`return nil, ackerr.NotFound`
`4`	`4`	`}`
`5`	`5`
`6`		`- // if user defines any egress rule, then remove the default egress rule`
`7`		`- if len(desired.ko.Spec.EgressRules) > 0 {`
`8`		`- if err = rm.deleteDefaultSecurityGroupRule(ctx, &resource{ko}); err != nil {`
`9`		`- return nil, err`
`10`		`- }`
	`6`	`+ // Delete the default egress rule`
	`7`	`+ if err = rm.deleteDefaultSecurityGroupRule(ctx, &resource{ko}); err != nil {`
	`8`	`+ return nil, err`
`11`	`9`	`}`
`12`	`10`
`13`	`11`	`if err = rm.syncSGRules(ctx, &resource{ko}, nil); err != nil {`