
Commit c8acc55

authored
Ec2: Network ACL CR should support deletion when subnet association is present (#154)
Issue #, if available: Description of changes: Currently, when a Network ACL CR has a subnet association configured, the CR cannot be deleted: the subnet association has to be removed first, and only then can the CR be deleted. This PR addresses that issue. When a Network ACL CR is being deleted, the new change first deletes the subnet association from AWS and then deletes the Network ACL from AWS, so the CR deletion completes without any problem. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
1 parent 94ec5c8 commit c8acc55


8 files changed

+78
-6
lines changed

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
ack_generate_info:
2-
build_date: "2024-09-17T17:53:28Z"
2+
build_date: "2024-09-17T19:14:20Z"
33
build_hash: f8f98563404066ac3340db0a049d2e530e5c51cc
44
go_version: go1.22.6
55
version: v0.38.1
66
api_directory_checksum: 585098fc7c99c27ca523f83e860107d22aaa5a10
77
api_version: v1alpha1
88
aws_sdk_go_version: v1.44.93
99
generator_config_info:
10-
file_checksum: 976d1b5c435aeb198caa71b29c1449eb3c378c6f
10+
file_checksum: e2492ec6f4965b990edb66e08a625d990b8f8f30
1111
original_file_name: generator.yaml
1212
last_modification:
1313
reason: API generation

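--- a/apis/v1alpha1/generator.yaml
+++ b/apis/v1alpha1/generator.yaml
@@ -609,6 +609,8 @@ resources:
         template_path: hooks/network_acl/sdk_file_end.go.tpl
       sdk_create_post_set_output:
         template_path: hooks/network_acl/sdk_create_post_set_output.go.tpl
+      sdk_delete_pre_build_request:
+        template_path: hooks/network_acl/sdk_delete_pre_build_request.go.tpl
     update_operation:
       custom_method_name: customUpdateNetworkAcl
   Subnet: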

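--- a/generator.yaml
+++ b/generator.yaml
@@ -609,6 +609,8 @@ resources:
         template_path: hooks/network_acl/sdk_file_end.go.tpl
       sdk_create_post_set_output:
         template_path: hooks/network_acl/sdk_create_post_set_output.go.tpl
+      sdk_delete_pre_build_request:
+        template_path: hooks/network_acl/sdk_delete_pre_build_request.go.tpl
     update_operation:
       custom_method_name: customUpdateNetworkAcl
   Subnet: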

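--- a/pkg/resource/network_acl/hooks.go
+++ b/pkg/resource/network_acl/hooks.go
@@ -167,6 +167,15 @@ func (rm *resourceManager) deleteOldAssociations(
 	latest *resource,
 	toDelete map[string]string,
 ) (err error) {
+	var vpcID *string
+	var aclID *string
+	if desired != nil {
+		vpcID = desired.ko.Spec.VPCID
+		aclID = desired.ko.Status.ID
+	} else {
+		vpcID = latest.ko.Spec.VPCID
+		aclID = latest.ko.Status.ID
+	}
 	naclList := &svcsdk.DescribeNetworkAclsInput{
 		Filters: []*svcsdk.Filter{
 			{
@@ -175,7 +184,7 @@ func (rm *resourceManager) deleteOldAssociations(
 			},
 			{
 				Name: lo.ToPtr("vpc-id"),
-				Values: []*string{desired.ko.Spec.VPCID},
+				Values: []*string{vpcID},
 			},
 		},
 	}
@@ -204,7 +213,7 @@ func (rm *resourceManager) deleteOldAssociations(
 		Filters: []*svcsdk.Filter{
 			{
 				Name: lo.ToPtr("network-acl-id"),
-				Values: []*string{desired.ko.Status.ID},
+				Values: []*string{aclID},
 			},
 			{
 				Name: lo.ToPtr("association.subnet-id"),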
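Review bot: The new `else` branch at the top of deleteOldAssociations dereferences `latest` with no nil check, so a call with both `desired` and `latest` nil panics instead of returning an error; the parameter list begins above the hunk, so only `latest` and `toDelete` are visible here. A guard before the branch, `if desired == nil && latest == nil { return nil }` (or an error, whichever the callers expect), keeps the delete path — where the new sdk_delete_pre_build_request hook passes a nil desired into syncAssociation — from crashing the reconciler. The convention deserves a comment as well, e.g. `// desired is nil on delete: fall back to the last observed spec/status.`. If `latest.ko.Status.ID` can still be nil for a CR that never reached a ready state, the `network-acl-id` filter in the last hunk would be sent with a nil value; confirm that the SDK rejects that call rather than returning a wider set of associations than intended.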

pkg/resource/network_acl/sdk.go

Lines changed: 7 additions & 0 deletions
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
2+
if r.ko.Spec.Associations != nil {
3+
if err := rm.syncAssociation(ctx, nil, r); err != nil {
4+
return nil, err
5+
}
6+
}
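Review bot: The hook carries no comment on why associations are torn down before the delete request is built, and the reason is not obvious from these six lines; suggest opening the template with `// A network ACL that still has subnet associations cannot be deleted: syncAssociation with a nil desired (presumably via deleteOldAssociations) removes them before the DeleteNetworkAcl request is built.`. The condition `r.ko.Spec.Associations != nil` also fires on an empty, non-nil slice, where `len(r.ko.Spec.Associations) > 0` states the intent more directly. Since `r` is the only resource available here, an association that exists in AWS but is absent from `spec.associations` is left in place; whether that is acceptable depends on how sdkFind populates Spec.Associations, which this hunk does not show. The enclosing sdkDelete function lives in the generated sdk.go, outside this template.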
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
apiVersion: ec2.services.k8s.aws/v1alpha1
2+
kind: NetworkACL
3+
metadata:
4+
name: $NETWORK_ACL_NAME
5+
spec:
6+
associations:
7+
- subnetID: $SUBNET_ID
8+
entries:
9+
- cidrBlock: $CIDR_BLOCK
10+
egress: true
11+
portRange:
12+
from: 80
13+
to: 443
14+
protocol: "6"
15+
ruleAction: allow
16+
ruleNumber: 100
17+
vpcID: $VPC_ID
18+
tags:
19+
- key: $TAG_KEY
20+
value: $TAG_VALUE

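--- a/test/e2e/tests/test_network_acl.py
+++ b/test/e2e/tests/test_network_acl.py
@@ -40,6 +40,7 @@ def network_acl_exists(ec2_client, network_acl_id: str) -> bool:
 @pytest.fixture
 def simple_network_acl(request):
     resource_name = random_suffix_name("network-acl-test", 24)
+    resource_file = "network_acl"
     resources = get_bootstrap_resources()
 
     replacements = REPLACEMENT_VALUES.copy()
@@ -48,6 +49,7 @@ def simple_network_acl(request):
     replacements["CIDR_BLOCK"] = "192.168.1.0/24"
     replacements["TAG_KEY"] = "initialtagkey"
     replacements["TAG_VALUE"] = "initialtagvalue"
+    replacements["SUBNET_ID"] = resources.SharedTestVPC.public_subnets.subnet_ids[0]
 
     marker = request.node.get_closest_marker("resource_data")
     if marker is not None:
@@ -60,10 +62,12 @@ def simple_network_acl(request):
             replacements["TAG_KEY"] = data['tag_key']
         if 'tag_value' in data:
             replacements["TAG_VALUE"] = data['tag_value']
+        if 'resource_file' in data:
+            resource_file = data['resource_file']
 
     # Load NetworkACL CR
     resource_data = load_ec2_resource(
-        "network_acl",
+        resource_file,
         additional_replacements=replacements,
     )
     logging.debug(resource_data)
@@ -188,7 +192,6 @@ def test_crud_entry(self, ec2_client, simple_network_acl):
         # Check Association exist in AWS
         ec2_validator.assert_association(network_acl_id, subnet_id)
 
-
         # Removing association so that nacl can be deleted
         updates = {
             "spec": {"associations": []},
@@ -208,6 +211,29 @@ def test_crud_entry(self, ec2_client, simple_network_acl):
         # Check Network ACL no longer exists in AWS
         ec2_validator.assert_network_acl(network_acl_id, exists=False)
 
+    @pytest.mark.resource_data({'resource_file': 'network_acl_with_subnet_assoc'})
+    def test_create_delete_with_subnet_assoc(self, ec2_client, simple_network_acl):
+        (ref, cr) = simple_network_acl
+        network_acl_id = cr["status"]["id"]
+
+        # Check Route Table exists in AWS
+        ec2_validator = EC2Validator(ec2_client)
+        ec2_validator.assert_network_acl(network_acl_id)
+
+        assocs = cr["spec"]["associations"]
+        subnet_id = assocs[0]["subnetID"]
+        # Check Association exist in AWS
+        ec2_validator.assert_association(network_acl_id, subnet_id)
+
+        # Delete Network ACL
+        _, deleted = k8s.delete_custom_resource(ref)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check Network ACL no longer exists in AWS
+        ec2_validator.assert_network_acl(network_acl_id, exists=False)
+
     def test_crud_tags(self, ec2_client, simple_network_acl):
         (ref, cr) = simple_network_acl
 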
