Ec2: Network ACL CR should support deletion when subnet association is present (#154)

nnbu · web-flow · commit c8acc556ed3c · 2024-09-17T21:17:10.000Z
Issue #, if available:

Description of changes:
Currently, when network acl cr has subnet association configured, we can not delete the cr. subnet association needs to be removed first and then cr can be deleted. This PR addresses this issue. When network acl CR is being deleted, the new change deletes subnet association from aws first and then deletes network acl from aws. This allows CR deletion to happen without any problem.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2024-09-17T17:53:28Z"
+  build_date: "2024-09-17T19:14:20Z"
   build_hash: f8f98563404066ac3340db0a049d2e530e5c51cc
   go_version: go1.22.6
   version: v0.38.1
 api_directory_checksum: 585098fc7c99c27ca523f83e860107d22aaa5a10
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93
 generator_config_info:
-  file_checksum: 976d1b5c435aeb198caa71b29c1449eb3c378c6f
+  file_checksum: e2492ec6f4965b990edb66e08a625d990b8f8f30
   original_file_name: generator.yaml
 last_modification:
   reason: API generation
diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml
@@ -609,6 +609,8 @@ resources:
         template_path: hooks/network_acl/sdk_file_end.go.tpl
       sdk_create_post_set_output:
         template_path: hooks/network_acl/sdk_create_post_set_output.go.tpl
+      sdk_delete_pre_build_request:
+        template_path: hooks/network_acl/sdk_delete_pre_build_request.go.tpl
     update_operation:
       custom_method_name: customUpdateNetworkAcl
   Subnet:
diff --git a/generator.yaml b/generator.yaml
@@ -609,6 +609,8 @@ resources:
         template_path: hooks/network_acl/sdk_file_end.go.tpl
       sdk_create_post_set_output:
         template_path: hooks/network_acl/sdk_create_post_set_output.go.tpl
+      sdk_delete_pre_build_request:
+        template_path: hooks/network_acl/sdk_delete_pre_build_request.go.tpl
     update_operation:
       custom_method_name: customUpdateNetworkAcl
   Subnet:
diff --git a/pkg/resource/network_acl/hooks.go b/pkg/resource/network_acl/hooks.go
@@ -167,6 +167,15 @@ func (rm *resourceManager) deleteOldAssociations(
 	latest *resource,
 	toDelete map[string]string,
 ) (err error) {
+	var vpcID *string
+	var aclID *string
+	if desired != nil {
+		vpcID = desired.ko.Spec.VPCID
+		aclID = desired.ko.Status.ID
+	} else {
+		vpcID = latest.ko.Spec.VPCID
+		aclID = latest.ko.Status.ID
+	}
 	naclList := &svcsdk.DescribeNetworkAclsInput{
 		Filters: []*svcsdk.Filter{
 			{
@@ -175,7 +184,7 @@ func (rm *resourceManager) deleteOldAssociations(
 			},
 			{
 				Name:   lo.ToPtr("vpc-id"),
-				Values: []*string{desired.ko.Spec.VPCID},
+				Values: []*string{vpcID},
 			},
 		},
 	}
@@ -204,7 +213,7 @@ func (rm *resourceManager) deleteOldAssociations(
 				Filters: []*svcsdk.Filter{
 					{
 						Name:   lo.ToPtr("network-acl-id"),
-						Values: []*string{desired.ko.Status.ID},
+						Values: []*string{aclID},
 					},
 					{
 						Name:   lo.ToPtr("association.subnet-id"),
diff --git a/pkg/resource/network_acl/sdk.go b/pkg/resource/network_acl/sdk.go
diff --git a/templates/hooks/network_acl/sdk_delete_pre_build_request.go.tpl b/templates/hooks/network_acl/sdk_delete_pre_build_request.go.tpl
@@ -0,0 +1,6 @@
+
+	if r.ko.Spec.Associations != nil {
+		if err := rm.syncAssociation(ctx, nil, r); err != nil {
+			return nil, err
+		}
+	}
diff --git a/test/e2e/resources/network_acl_with_subnet_assoc.yaml b/test/e2e/resources/network_acl_with_subnet_assoc.yaml
@@ -0,0 +1,20 @@
+apiVersion: ec2.services.k8s.aws/v1alpha1
+kind: NetworkACL
+metadata:
+  name: $NETWORK_ACL_NAME
+spec:
+  associations:
+  - subnetID: $SUBNET_ID
+  entries:
+  - cidrBlock: $CIDR_BLOCK
+    egress: true
+    portRange:
+      from: 80
+      to: 443
+    protocol: "6"
+    ruleAction: allow
+    ruleNumber: 100
+  vpcID: $VPC_ID
+  tags:
+    - key: $TAG_KEY
+      value: $TAG_VALUE
diff --git a/test/e2e/tests/test_network_acl.py b/test/e2e/tests/test_network_acl.py
@@ -40,6 +40,7 @@ def network_acl_exists(ec2_client, network_acl_id: str) -> bool:
 @pytest.fixture
 def simple_network_acl(request):
     resource_name = random_suffix_name("network-acl-test", 24)
+    resource_file = "network_acl"
     resources = get_bootstrap_resources()
 
     replacements = REPLACEMENT_VALUES.copy()
@@ -48,6 +49,7 @@ def simple_network_acl(request):
     replacements["CIDR_BLOCK"] = "192.168.1.0/24"
     replacements["TAG_KEY"] = "initialtagkey"
     replacements["TAG_VALUE"] = "initialtagvalue"
+    replacements["SUBNET_ID"] = resources.SharedTestVPC.public_subnets.subnet_ids[0]
 
     marker = request.node.get_closest_marker("resource_data")
     if marker is not None:
@@ -60,10 +62,12 @@ def simple_network_acl(request):
             replacements["TAG_KEY"] = data['tag_key']
         if 'tag_value' in data:
             replacements["TAG_VALUE"] = data['tag_value']
+        if 'resource_file' in data:
+            resource_file = data['resource_file']
 
     # Load NetworkACL CR
     resource_data = load_ec2_resource(
-        "network_acl",
+        resource_file,
         additional_replacements=replacements,
     )
     logging.debug(resource_data)
@@ -188,7 +192,6 @@ def test_crud_entry(self, ec2_client, simple_network_acl):
         # Check Association exist in AWS
         ec2_validator.assert_association(network_acl_id, subnet_id)
 
-
         # Removing association so that nacl can be deleted
         updates = {
             "spec": {"associations": []},
@@ -208,6 +211,29 @@ def test_crud_entry(self, ec2_client, simple_network_acl):
         # Check Network ACL no longer exists in AWS
         ec2_validator.assert_network_acl(network_acl_id, exists=False)
 
+    @pytest.mark.resource_data({'resource_file': 'network_acl_with_subnet_assoc'})
+    def test_create_delete_with_subnet_assoc(self, ec2_client, simple_network_acl):
+        (ref, cr) = simple_network_acl
+        network_acl_id = cr["status"]["id"]
+
+        # Check Route Table exists in AWS
+        ec2_validator = EC2Validator(ec2_client)
+        ec2_validator.assert_network_acl(network_acl_id)
+
+        assocs = cr["spec"]["associations"]
+        subnet_id = assocs[0]["subnetID"]
+        # Check Association exist in AWS
+        ec2_validator.assert_association(network_acl_id, subnet_id)
+
+        # Delete Network ACL
+        _, deleted = k8s.delete_custom_resource(ref)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check Network ACL no longer exists in AWS
+        ec2_validator.assert_network_acl(network_acl_id, exists=False)
+
     def test_crud_tags(self, ec2_client, simple_network_acl):
         (ref, cr) = simple_network_acl
 
