@@ -77,23 +77,24 @@ func (r *defaultSecurityGroupReconciler) ReconcileIngress(ctx context.Context, s
77
77
return err
78
78
}
79
79
sgInfo := sgInfoByID [sgID ]
80
- if err := r .reconcileIngressWithSGInfo (ctx , sgInfo , desiredPermissions , reconcileOpts ); err != nil {
80
+
81
+ if err := r .reconcileIngressWithSGInfo (ctx , sgInfo , desiredPermissions , false , reconcileOpts ); err != nil {
81
82
if ! r .shouldRetryWithoutCache (err ) {
82
83
return err
83
84
}
85
+ revokeFirst := r .shouldRemoveSGRulesFirst (err )
86
+ r .logger .Info ("Retrying ReconcileIngress without using cache" , "revokeFirst" , revokeFirst )
84
87
sgInfoByID , err := r .sgManager .FetchSGInfosByID (ctx , []string {sgID }, WithReloadIgnoringCache ())
85
88
if err != nil {
86
89
return err
87
90
}
88
91
sgInfo := sgInfoByID [sgID ]
89
- if err := r .reconcileIngressWithSGInfo (ctx , sgInfo , desiredPermissions , reconcileOpts ); err != nil {
90
- return err
91
- }
92
+ return r .reconcileIngressWithSGInfo (ctx , sgInfo , desiredPermissions , revokeFirst , reconcileOpts )
92
93
}
93
94
return nil
94
95
}
95
96
96
- func (r * defaultSecurityGroupReconciler ) reconcileIngressWithSGInfo (ctx context.Context , sgInfo SecurityGroupInfo , desiredPermissions []IPPermissionInfo , reconcileOpts SecurityGroupReconcileOptions ) error {
97
+ func (r * defaultSecurityGroupReconciler ) reconcileIngressWithSGInfo (ctx context.Context , sgInfo SecurityGroupInfo , desiredPermissions []IPPermissionInfo , revokeFirst bool , reconcileOpts SecurityGroupReconcileOptions ) error {
97
98
extraPermissions := diffIPPermissionInfos (sgInfo .Ingress , desiredPermissions )
98
99
permissionsToRevoke := make ([]IPPermissionInfo , 0 , len (extraPermissions ))
99
100
for _ , permission := range extraPermissions {
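Review bot: `revokeFirst` on new line 85 is derived from the error code alone, so when `reconcileOpts.AuthorizeOnly` is set the retry logs `revokeFirst=true` even though reconcileIngressWithSGInfo skips every revoke under that option, and it then re-issues the same AuthorizeSGIngress that just returned RulesPerSecurityGroupLimitExceeded. Computing the flag as `revokeFirst := r.shouldRemoveSGRulesFirst(err) && !reconcileOpts.AuthorizeOnly` makes the log line truthful, and it is worth a comment on line 85 saying that the uncached retry can only help in authorize-only mode if the cache was stale (the grant set shrinks), since no rule quota can be freed. The retry is a single attempt: a different retryable code on the uncached pass is returned as-is, which looks intentional but deserves a one-line comment. ReconcileIngress starts before this hunk.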
@@ -102,24 +103,46 @@ func (r *defaultSecurityGroupReconciler) reconcileIngressWithSGInfo(ctx context.
102
103
}
103
104
}
104
105
permissionsToGrant := diffIPPermissionInfos (desiredPermissions , sgInfo .Ingress )
105
- if len (permissionsToRevoke ) > 0 && ! reconcileOpts .AuthorizeOnly {
106
- if err := r .sgManager .RevokeSGIngress (ctx , sgInfo .SecurityGroupID , permissionsToRevoke ); err != nil {
107
- return err
106
+
107
+ if revokeFirst {
108
+ if len (permissionsToRevoke ) > 0 && ! reconcileOpts .AuthorizeOnly {
109
+ if err := r .sgManager .RevokeSGIngress (ctx , sgInfo .SecurityGroupID , permissionsToRevoke ); err != nil {
110
+ return err
111
+ }
108
112
}
109
113
}
114
+
110
115
if len (permissionsToGrant ) > 0 {
111
116
if err := r .sgManager .AuthorizeSGIngress (ctx , sgInfo .SecurityGroupID , permissionsToGrant ); err != nil {
112
117
return err
113
118
}
114
119
}
120
+
121
+ if ! revokeFirst {
122
+ if len (permissionsToRevoke ) > 0 && ! reconcileOpts .AuthorizeOnly {
123
+ if err := r .sgManager .RevokeSGIngress (ctx , sgInfo .SecurityGroupID , permissionsToRevoke ); err != nil {
124
+ return err
125
+ }
126
+ }
127
+ }
128
+
115
129
return nil
116
130
}
117
131
118
132
// shouldRetryWithoutCache tests whether we should retry SecurityGroup rules reconcile without cache.
119
133
func (r * defaultSecurityGroupReconciler ) shouldRetryWithoutCache (err error ) bool {
120
134
var apiErr smithy.APIError
121
135
if errors .As (err , & apiErr ) {
122
- return apiErr .ErrorCode () == "InvalidPermission.Duplicate" || apiErr .ErrorCode () == "InvalidPermission.NotFound"
136
+ return apiErr .ErrorCode () == "InvalidPermission.Duplicate" || apiErr .ErrorCode () == "InvalidPermission.NotFound" || apiErr .ErrorCode () == "RulesPerSecurityGroupLimitExceeded"
137
+ }
138
+ return false
139
+ }
140
+
141
+ // shouldRemoveSGRulesFirst tests whether we should retry SecurityGroup rules reconcile but revoking rules prior to adding new rules.
142
+ func (r * defaultSecurityGroupReconciler ) shouldRemoveSGRulesFirst (err error ) bool {
143
+ var apiErr smithy.APIError
144
+ if errors .As (err , & apiErr ) {
145
+ return apiErr .ErrorCode () == "RulesPerSecurityGroupLimitExceeded"
123
146
}
124
147
return false
125
148
}
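Review bot: reconcileIngressWithSGInfo gained a `revokeFirst` parameter on new line 97 but no doc comment, and the ordering is the part of this change that matters for the group's exposure; a comment above the signature should say that the default order authorizes new rules before revoking stale ones so desired traffic sees no gap, that revokeFirst inverts this only to free rule quota after RulesPerSecurityGroupLimitExceeded, and that in the inverted order a failed AuthorizeSGIngress leaves the group with fewer rules than desired until the next reconcile (a fail-closed outcome, but a silent one). Neither order adds rules outside desiredPermissions, since permissionsToGrant is the diff against desiredPermissions; whether permissionsToRevoke is restricted to rules this controller owns depends on the filter loop above new line 105, which is outside this hunk. The revoke block is now duplicated verbatim at new lines 108-113 and 121-127 with the same `len(permissionsToRevoke) > 0 && !reconcileOpts.AuthorizeOnly` guard; a local `revoke := func() error { ... }` closure called from both branches keeps the guards from drifting apart, and `return nil` after the final `if !revokeFirst` block could become `return revoke()` style early returns.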