🐛: securitygroup: fix comparison of ingress rules sets.

r4f4 · r4f4 · commit 7a083173b42b · 2024-06-13T21:37:43.000+02:00
We are comparing sets that are not compatible, so rules will always be
revoked and authorized during reconciliation. We need to expand the
rules from the spec so there is one rule for each item in
cidrBlock/sourceSecurityGroupIds.
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -160,10 +160,12 @@ func (s *Service) ReconcileSecurityGroups() error {
 		}
 		current := sg.IngressRules
 
-		want, err := s.getSecurityGroupIngressRules(role)
+		specRules, err := s.getSecurityGroupIngressRules(role)
 		if err != nil {
 			return err
 		}
+		// Duplicate rules with multiple cidr blocks/source security groups so that we are comparing similar sets.
+		want := expandIngressRules(specRules)
 
 		toRevoke := current.Difference(want)
 		if len(toRevoke) > 0 {
@@ -197,6 +199,47 @@ func (s *Service) ReconcileSecurityGroups() error {
 	return nil
 }
 
+// expandIngressRules expand the given ingress rules so that it's compatible with the list generated by
+// ingressRulesFromSDKType.
+// We assume that processIngressRulesSGs has been already called on the input, so the SourceSecurityGroupRoles have
+// been translated into Security Group IDs.
+func expandIngressRules(rules infrav1.IngressRules) infrav1.IngressRules {
+	res := make(infrav1.IngressRules, 0, len(rules))
+	for _, rule := range rules {
+		base := infrav1.IngressRule{
+			Description: rule.Description,
+			Protocol:    rule.Protocol,
+			FromPort:    rule.FromPort,
+			ToPort:      rule.ToPort,
+		}
+
+		// Nothing to expand
+		if len(rule.CidrBlocks) == 0 && len(rule.IPv6CidrBlocks) == 0 && len(rule.SourceSecurityGroupIDs) == 0 {
+			res = append(res, base)
+			continue
+		}
+
+		for _, src := range rule.CidrBlocks {
+			rcopy := base
+			rcopy.CidrBlocks = []string{src}
+			res = append(res, rcopy)
+		}
+
+		for _, src := range rule.IPv6CidrBlocks {
+			rcopy := base
+			rcopy.IPv6CidrBlocks = []string{src}
+			res = append(res, rcopy)
+		}
+
+		for _, src := range rule.SourceSecurityGroupIDs {
+			rcopy := base
+			rcopy.SourceSecurityGroupIDs = []string{src}
+			res = append(res, rcopy)
+		}
+	}
+	return res
+}
+
 func (s *Service) securityGroupIsAnOverride(securityGroupID string) bool {
 	for _, overrideID := range s.scope.SecurityGroupOverrides() {
 		if overrideID == securityGroupID {
