Drop unwanted SGs when calling attachSecurityGroupsToNetworkInterface

Before this, attachSecurityGroupsToNetworkInterface was re-applying existing SGs not specified in user intent. It's up to the caller to choose the right list of SG ids as in https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/3ebf018bbfc5345fbd9d9598ea9392b2a349ed6c/controllers/awsmachine_security_groups.go#L57-L64 so then attachSecurityGroupsToNetworkInterface just applies what is given.
kubernetes-sigs · Jun 30, 2023 · c7062cb · c7062cb
1 parent eaa3eca
commit c7062cb
Showing 1 changed file with 3 additions and 32 deletions.
diff --git a/pkg/cloud/services/ec2/instances.go b/pkg/cloud/services/ec2/instances.go
@@ -912,34 +912,15 @@ func (s *Service) getNetworkInterfaceSecurityGroups(interfaceID string) ([]strin
 }
 
 func (s *Service) attachSecurityGroupsToNetworkInterface(groups []string, interfaceID string) error {
-	existingGroups, err := s.getNetworkInterfaceSecurityGroups(interfaceID)
-	if err != nil {
-		return errors.Wrapf(err, "failed to look up network interface security groups: %+v", err)
-	}
-
-	totalGroups := make([]string, len(existingGroups))
-	copy(totalGroups, existingGroups)
-
-	for _, group := range groups {
-		if !containsGroup(existingGroups, group) {
-			totalGroups = append(totalGroups, group)
-		}
-	}
-
-	// no new groups to attach
-	if len(existingGroups) == len(totalGroups) {
-		return nil
-	}
-
-	s.scope.Info("Updating security groups", "groups", totalGroups)
+	s.scope.Info("Updating security groups", "groups", groups)
 
 	input := &ec2.ModifyNetworkInterfaceAttributeInput{
 		NetworkInterfaceId: aws.String(interfaceID),
-		Groups:             aws.StringSlice(totalGroups),
+		Groups:             aws.StringSlice(groups),
 	}
 
 	if _, err := s.EC2Client.ModifyNetworkInterfaceAttribute(input); err != nil {
-		return errors.Wrapf(err, "failed to modify interface %q to have security groups %v", interfaceID, totalGroups)
+		return errors.Wrapf(err, "failed to modify interface %q to have security groups %v", interfaceID, groups)
 	}
 	return nil
 }
@@ -1016,16 +997,6 @@ func filterGroups(list []string, strToFilter string) (newList []string) {
 	return
 }
 
-// containsGroup returns true if a list contains a string.
-func containsGroup(list []string, strToSearch string) bool {
-	for _, item := range list {
-		if item == strToSearch {
-			return true
-		}
-	}
-	return false
-}
-
 func getInstanceMarketOptionsRequest(spotMarketOptions *infrav1.SpotMarketOptions) *ec2.InstanceMarketOptionsRequest {
 	if spotMarketOptions == nil {
 		// Instance is not a Spot instance