@@ -595,10 +595,11 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
595595 return fmt .Errorf ("failed to associate control plane VMs with external load balancer: %w" , err )
596596 }
597597
598+ sshRuleName := fmt .Sprintf ("%s_ssh_in" , in .InfraID )
598599 if err = addSecurityGroupRule (ctx , & securityGroupInput {
599600 resourceGroupName : p .ResourceGroupName ,
600601 securityGroupName : fmt .Sprintf ("%s-nsg" , in .InfraID ),
601- securityRuleName : "ssh_in" ,
602+ securityRuleName : sshRuleName ,
602603 securityRulePort : "22" ,
603604 securityRulePriority : 220 ,
604605 networkClientFactory : p .NetworkClientFactory ,
@@ -626,7 +627,7 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
626627 resourceGroupName : p .ResourceGroupName ,
627628 loadBalancerName : loadBalancerName ,
628629 frontendIPConfigID : frontendIPConfigID ,
629- inboundNatRuleName : "ssh_in" ,
630+ inboundNatRuleName : sshRuleName ,
630631 inboundNatRulePort : 22 ,
631632 networkClientFactory : p .NetworkClientFactory ,
632633 })
@@ -639,7 +640,7 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
639640 bootstrapNicName : fmt .Sprintf ("%s-bootstrap-nic" , in .InfraID ),
640641 frontendIPConfigID : frontendIPConfigID ,
641642 inboundNatRuleID : * inboundNatRule .ID ,
642- inboundNatRuleName : "ssh_in" ,
643+ inboundNatRuleName : sshRuleName ,
643644 inboundNatRulePort : 22 ,
644645 networkClientFactory : p .NetworkClientFactory ,
645646 })
@@ -673,26 +674,41 @@ func (p *Provider) PostDestroy(ctx context.Context, in clusterapi.PostDestroyerI
673674 return fmt .Errorf ("error creating network client factory: %w" , err )
674675 }
675676
676- // XXX: why is in.Metadata.Azure.ResourceGroupName empty?
677- err = deleteSecurityGroupRule (ctx , & securityGroupInput {
678- resourceGroupName : fmt .Sprintf ("%s-rg" , in .Metadata .InfraID ),
679- securityGroupName : fmt .Sprintf ("%s-nsg" , in .Metadata .InfraID ),
680- securityRuleName : "ssh_in" ,
681- securityRulePort : "22" ,
682- networkClientFactory : networkClientFactory ,
683- })
684- if err != nil {
685- return fmt .Errorf ("failed to delete security rule: %w" , err )
686- }
677+ resourceGroupName := fmt .Sprintf ("%s-rg" , in .Metadata .InfraID )
678+ securityGroupName := fmt .Sprintf ("%s-nsg" , in .Metadata .InfraID )
679+ sshRuleName := fmt .Sprintf ("%s_ssh_in" , in .Metadata .InfraID )
687680
688- err = deleteInboundNatRule (ctx , & inboundNatRuleInput {
689- resourceGroupName : fmt .Sprintf ("%s-rg" , in .Metadata .InfraID ),
690- loadBalancerName : in .Metadata .InfraID ,
691- inboundNatRuleName : "ssh_in" ,
692- networkClientFactory : networkClientFactory ,
693- })
694- if err != nil {
695- return fmt .Errorf ("failed to delete inbound nat rule: %w" , err )
681+ // See if a security group rule exists with the name ${InfraID}_ssh_in.
682+ // If it does, this is a private cluster. If it does not, this is a
683+ // public cluster and we need to delete the SSH forward rule and
684+ // security group rule.
685+ _ , err = networkClientFactory .NewSecurityRulesClient ().Get (ctx ,
686+ resourceGroupName ,
687+ securityGroupName ,
688+ sshRuleName ,
689+ nil ,
690+ )
691+ if err == nil {
692+ err = deleteSecurityGroupRule (ctx , & securityGroupInput {
693+ resourceGroupName : resourceGroupName ,
694+ securityGroupName : securityGroupName ,
695+ securityRuleName : sshRuleName ,
696+ securityRulePort : "22" ,
697+ networkClientFactory : networkClientFactory ,
698+ })
699+ if err != nil {
700+ return fmt .Errorf ("failed to delete security rule: %w" , err )
701+ }
702+
703+ err = deleteInboundNatRule (ctx , & inboundNatRuleInput {
704+ resourceGroupName : resourceGroupName ,
705+ loadBalancerName : in .Metadata .InfraID ,
706+ inboundNatRuleName : sshRuleName ,
707+ networkClientFactory : networkClientFactory ,
708+ })
709+ if err != nil {
710+ return fmt .Errorf ("failed to delete inbound nat rule: %w" , err )
711+ }
696712 }
697713
698714 return nil
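Review bot: The `if err == nil` branch after the `Get` call treats every error as "rule absent", so an auth failure, throttling or a transient network error silently skips deletion of the `${InfraID}_ssh_in` security rule and NAT rule and PostDestroy still returns nil, leaving an inbound port-22 rule behind. Only a 404 should be read as "nothing to clean up"; any other lookup error should be returned, for example via `errors.As` against the SDK's `*azcore.ResponseError` and `http.StatusNotFound` (assuming those packages are importable in this file). The comment above the call also reads inverted relative to the code — it says the rule's absence means a public cluster whose rules must be deleted, while the branch deletes when the rule exists; suggest `// The ${InfraID}_ssh_in rule and its NAT rule only exist for clusters provisioned with SSH access through the load balancer; delete them when the rule is found, otherwise there is nothing to clean up.` (confirm which publish strategy creates the rule, since PostProvision is only partly visible). Note too that the resource group is still derived as `<InfraID>-rg` here while PostProvision uses `p.ResourceGroupName`, so a cluster installed into a custom resource group would 404 on this lookup and skip cleanup. PostDestroy's body starts outside the hunk.
```go
	_, err = networkClientFactory.NewSecurityRulesClient().Get(ctx, resourceGroupName, securityGroupName, sshRuleName, nil)
	var respErr *azcore.ResponseError
	if errors.As(err, &respErr) && respErr.StatusCode == http.StatusNotFound {
		// Rule is absent: nothing to clean up for this cluster.
		return nil
	}
	if err != nil {
		return fmt.Errorf("failed to look up security rule %s: %w", sshRuleName, err)
	}
	// … unchanged: deleteSecurityGroupRule and deleteInboundNatRule calls, now unconditional …
```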