fixing dropping of secondary cidr blocks on first apply of VPC (#139)

Issue aws-controllers-k8s/community#1816


Description of changes:
Added the fix for a bug where Secondary VPC CIDR blocks are getting dropped in the first apply of VPC resource.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: nishant221

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,9 +1,9 @@
 ack_generate_info:
-  build_date: "2023-06-14T17:05:27Z"
-  build_hash: e04fca8e1fa32e988ff4dd9425d758ecc8a2a178
-  go_version: go1.20.3
-  version: v0.26.1-6-ge04fca8
-api_directory_checksum: a930caa16911411d04c5e7c14b27e077993d93a1
+  build_date: "2023-06-17T15:45:55Z"
+  build_hash: e9b68590da73ce9143ba1e4361cebdc1d876c81e
+  go_version: go1.19
+  version: v0.26.1-7-ge9b6859
+api_directory_checksum: 9452be5c34acba71fcd740b2acf4d053f2eb221b
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93
 generator_config_info:

helm/values.yaml

@@ -110,7 +110,7 @@ deletionPolicy: delete
 # controller reconciliation configurations
 reconcile:
   # The default duration, in seconds, to wait before resyncing desired state of custom resources.
-  defaultResyncPeriod: 0
+  defaultResyncPeriod: 36000 # 10 Hours
   # An object representing the reconcile resync configuration for each specific resource.
   resourceResyncPeriods: {}
 

pkg/resource/vpc/hooks.go

@@ -148,7 +148,7 @@ func computeStringPDifference(a, b []*string) (aNotB, bNotA []*string) {
 		}
 	}
 	for _, elemB := range b {
-		if _, found := mapOfB[*elemB]; !found {
+		if _, found := mapOfA[*elemB]; !found {
 			bNotA = append(bNotA, elemB)
 		}
 	}
@@ -172,9 +172,11 @@ func (rm *resourceManager) syncCIDRBlocks(
 	latestCIDRs := latest.ko.Spec.CIDRBlocks
 	latestCIDRStates := latest.ko.Status.CIDRBlockAssociationSet
 	toAddCIDRs, toDeleteCIDRs := computeStringPDifference(desiredCIDRs, latestCIDRs)
+	cidrblockassociationset := []*svcapitypes.VPCCIDRBlockAssociation{}
 
 	// extract associationID for the DisassociateVpcCidr request
 	for _, cidr := range toDeleteCIDRs {
+
 		input := &svcsdk.DisassociateVpcCidrBlockInput{}
 		for _, cidrAssociation := range latestCIDRStates {
 			if *cidr == *cidrAssociation.CIDRBlock {
@@ -184,6 +186,8 @@ func (rm *resourceManager) syncCIDRBlocks(
 				if err != nil {
 					return err
 				}
+			} else {
+				cidrblockassociationset = append(cidrblockassociationset, cidrAssociation)
 			}
 		}
 	}
@@ -193,11 +197,39 @@ func (rm *resourceManager) syncCIDRBlocks(
 			VpcId:     latest.ko.Status.VPCID,
 			CidrBlock: cidr,
 		}
-		_, err = rm.sdkapi.AssociateVpcCidrBlockWithContext(ctx, input)
+		var res *svcsdk.AssociateVpcCidrBlockOutput
+		cidrblockassociation := &svcapitypes.VPCCIDRBlockAssociation{}
+		res, err = rm.sdkapi.AssociateVpcCidrBlockWithContext(ctx, input)
 		rm.metrics.RecordAPICall("UPDATE", "AssociateVpcCidrBlock", err)
 		if err != nil {
 			return err
 		}
+		if res.CidrBlockAssociation != nil {
+			if res.CidrBlockAssociation.AssociationId != nil {
+				cidrblockassociation.AssociationID = res.CidrBlockAssociation.AssociationId
+			}
+			if res.CidrBlockAssociation.CidrBlock != nil {
+				cidrblockassociation.CIDRBlock = res.CidrBlockAssociation.CidrBlock
+			}
+			if res.CidrBlockAssociation.CidrBlockState != nil {
+				cidrblockstate := &svcapitypes.VPCCIDRBlockState{}
+				if res.CidrBlockAssociation.CidrBlockState.State != nil {
+					cidrblockstate.State = res.CidrBlockAssociation.CidrBlockState.State
+				}
+				if res.CidrBlockAssociation.CidrBlockState.StatusMessage != nil {
+					cidrblockstate.StatusMessage = res.CidrBlockAssociation.CidrBlockState.StatusMessage
+				}
+			}
+			cidrblockassociationset = append(cidrblockassociationset, cidrblockassociation)
+		}
+	}
+	if cidrblockassociationset != nil {
+		if toDeleteCIDRs != nil {
+			latest.ko.Status.CIDRBlockAssociationSet = cidrblockassociationset
+		} else {
+			latest.ko.Status.CIDRBlockAssociationSet = append(latest.ko.Status.CIDRBlockAssociationSet, cidrblockassociationset...)
+		}
+
 	}
 
 	return nil
@@ -257,6 +289,7 @@ func (rm *resourceManager) customUpdateVPC(
 			return nil, err
 		}
 	}
+	updated.ko.Status.CIDRBlockAssociationSet = latest.ko.Status.CIDRBlockAssociationSet
 
 	if delta.DifferentAt("Spec.EnableDNSSupport") {
 		if err := rm.syncDNSSupportAttribute(ctx, desired); err != nil {

pkg/resource/vpc/sdk.go

@@ -1,3 +1,9 @@
+    if resp.Vpc.CidrBlock != nil {
+    ko.Spec.CIDRBlocks = make([]*string, 1)
+    ko.Spec.CIDRBlocks[0] = resp.Vpc.CidrBlock
+    }
+    rm.syncCIDRBlocks(ctx, desired, &resource{ko})
+
     rm.setSpecCIDRs(ko)
     err = rm.createAttributes(ctx, &resource{ko})
     if err != nil {

templates/hooks/vpc/sdk_create_post_set_output.go.tpl

@@ -0,0 +1,13 @@
+apiVersion: ec2.services.k8s.aws/v1alpha1
+kind: VPC
+metadata:
+  name: $VPC_NAME
+spec:
+  cidrBlocks: 
+  - $PRIMARY_CIDR_BLOCK
+  - $SECONDARY_CIDR_BLOCK
+  enableDNSSupport: $ENABLE_DNS_SUPPORT
+  enableDNSHostnames: $ENABLE_DNS_HOSTNAMES
+  tags:
+    - key: $TAG_KEY
+      value: $TAG_VALUE

test/e2e/resources/vpc_multicidr.yaml

@@ -264,4 +264,114 @@ def test_terminal_condition_invalid_parameter_value(self):
         # An error occurred (InvalidParameterValue) when calling the CreateVpc operation:
         # Value (dsfre) for parameter cidrBlock is invalid.
         # This is not a valid CIDR block.
-        assert expected_msg in terminal_condition['message']
+        assert expected_msg in terminal_condition['message']
+    
+    def test_vpc_creation_multiple_cidr(self,ec2_client):
+        resource_name = random_suffix_name("vpc-ack-multicidr", 24)
+        replacements = REPLACEMENT_VALUES.copy()
+        replacements["VPC_NAME"] = resource_name
+        replacements["PRIMARY_CIDR_BLOCK"] = PRIMARY_CIDR_DEFAULT
+        replacements["SECONDARY_CIDR_BLOCK"] = "10.2.0.0/16"
+        replacements["ENABLE_DNS_SUPPORT"] = "False"
+        replacements["ENABLE_DNS_HOSTNAMES"] = "False"
+
+        # Load VPC CR
+        resource_data = load_ec2_resource(
+            "vpc_multicidr",
+            additional_replacements=replacements,
+        )
+        logging.debug(resource_data)
+
+        # Create k8s resource
+        ref = k8s.CustomResourceReference(
+            CRD_GROUP, CRD_VERSION, RESOURCE_PLURAL,
+            resource_name, namespace="default",
+        )
+        k8s.create_custom_resource(ref, resource_data)
+        time.sleep(CREATE_WAIT_AFTER_SECONDS)
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+
+        assert cr is not None
+
+        resource_id = cr["status"]["vpcID"]
+
+        # Check VPC exists in AWS
+        ec2_validator = EC2Validator(ec2_client)
+        ec2_validator.assert_vpc(resource_id)
+
+        # Validate CIDR Block
+        vpc = ec2_validator.get_vpc(resource_id)
+        assert len(vpc['CidrBlockAssociationSet']) == 2
+        assert vpc['CidrBlockAssociationSet'][0]['CidrBlock'] == PRIMARY_CIDR_DEFAULT
+        assert vpc['CidrBlockAssociationSet'][1]['CidrBlock'] == "10.2.0.0/16"
+
+        # Delete k8s resource
+        _, deleted = k8s.delete_custom_resource(ref, 3, 10)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check VPC no longer exists in AWS
+        ec2_validator.assert_vpc(resource_id, exists=False)
+
+    def test_vpc_updation_multiple_cidr(self,ec2_client):
+        resource_name = random_suffix_name("vpc-ack-multicidr", 24)
+        replacements = REPLACEMENT_VALUES.copy()
+        replacements["VPC_NAME"] = resource_name
+        replacements["PRIMARY_CIDR_BLOCK"] = PRIMARY_CIDR_DEFAULT
+        replacements["SECONDARY_CIDR_BLOCK"] = "10.2.0.0/16"
+        replacements["ENABLE_DNS_SUPPORT"] = "False"
+        replacements["ENABLE_DNS_HOSTNAMES"] = "False"
+
+        # Load VPC CR
+        resource_data = load_ec2_resource(
+            "vpc_multicidr",
+            additional_replacements=replacements,
+        )
+        logging.debug(resource_data)
+
+        # Create k8s resource
+        ref = k8s.CustomResourceReference(
+            CRD_GROUP, CRD_VERSION, RESOURCE_PLURAL,
+            resource_name, namespace="default",
+        )
+        k8s.create_custom_resource(ref, resource_data)
+        time.sleep(CREATE_WAIT_AFTER_SECONDS)
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+
+        assert cr is not None
+
+        resource_id = cr["status"]["vpcID"]
+
+        # Check VPC exists in AWS
+        ec2_validator = EC2Validator(ec2_client)
+        ec2_validator.assert_vpc(resource_id)
+
+        # Validate CIDR Block
+        vpc = ec2_validator.get_vpc(resource_id)
+        assert len(vpc['CidrBlockAssociationSet']) == 2
+        assert vpc['CidrBlockAssociationSet'][0]['CidrBlock'] == PRIMARY_CIDR_DEFAULT
+        assert vpc['CidrBlockAssociationSet'][1]['CidrBlock'] == "10.2.0.0/16"
+
+
+        # Remove SECONDARY_CIDR_BLOCK
+        updates = {
+            "spec": {"cidrBlocks": [PRIMARY_CIDR_DEFAULT]}
+        }
+        k8s.patch_custom_resource(ref, updates)
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+
+        # Re-Validate CIDR Blocks State
+        vpc = ec2_validator.get_vpc(resource_id)
+        assert vpc['CidrBlockAssociationSet'][0]['CidrBlockState']['State'] == "associated"
+        assert vpc['CidrBlockAssociationSet'][1]['CidrBlockState']['State'] == "disassociated"
+
+
+        # Delete k8s resource
+        _, deleted = k8s.delete_custom_resource(ref, 3, 10)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check VPC no longer exists in AWS
+        ec2_validator.assert_vpc(resource_id, exists=False)