Provide better explanation of failure to find a security group

johngmyers · johngmyers · commit a806430bb0c2 · 2023-08-22T19:46:25.000-07:00
diff --git a/pkg/ingress/model_build_load_balancer_test.go b/pkg/ingress/model_build_load_balancer_test.go
@@ -817,6 +817,10 @@ var (
 				Key:   awssdk.String("tagtest"),
 				Value: awssdk.String("1"),
 			},
+			{
+				Key:   awssdk.String("tagother"),
+				Value: awssdk.String("1"),
+			},
 			{
 				Key:   awssdk.String("kubernetes.io/cluster/other-cluster"),
 				Value: awssdk.String("shared"),
@@ -1540,6 +1544,36 @@ func Test_defaultModelBuildTask_buildLoadBalancerSecurityGroups(t *testing.T) {
 			},
 			want: []string{"sg-15"},
 		},
+		{
+			name: "classparams all tagged other cluster",
+			fields: fields{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "awesome-ns", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							Ing: &networking.Ingress{
+								ObjectMeta: metav1.ObjectMeta{
+									Namespace: "awesome-ns",
+									Name:      "ing-1",
+								},
+							},
+							IngClassConfig: ClassConfiguration{
+								IngClassParams: &v1beta1.IngressClassParams{
+									Spec: v1beta1.IngressClassParamsSpec{
+										SecurityGroups: &v1beta1.SecurityGroupSelector{
+											Tags: map[string][]string{
+												"tagother": {"1"},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: "unable to resolve at least one security group (1 match VPC and tags, 1 tagged for other cluster)",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/networking/security_group_resolver.go b/pkg/networking/security_group_resolver.go
@@ -113,6 +113,7 @@ func (r *defaultSecurityGroupResolver) splitIntoSgNameAndIDs(sgNameOrIDs []strin
 func (r *defaultSecurityGroupResolver) ResolveViaSelector(ctx context.Context, selector *v1beta1.SecurityGroupSelector) ([]string, error) {
 	var chosenSGs []*ec2sdk.SecurityGroup
 	var err error
+	var explanation string
 	if selector.IDs != nil {
 		req := &ec2sdk.DescribeSecurityGroupsInput{
 			GroupIds: make([]*string, 0, len(selector.IDs)),
@@ -148,12 +149,19 @@ func (r *defaultSecurityGroupResolver) ResolveViaSelector(ctx context.Context, s
 		if err != nil {
 			return nil, err
 		}
+		explanation = fmt.Sprintf("%d match VPC and tags", len(allSGs))
 		var filteredSGs []*ec2sdk.SecurityGroup
+		taggedOtherCluster := 0
 		for _, sg := range allSGs {
 			if r.checkSecurityGroupIsNotTaggedForOtherClusters(sg) {
 				filteredSGs = append(filteredSGs, sg)
+			} else {
+				taggedOtherCluster += 1
 			}
 		}
+		if taggedOtherCluster > 0 {
+			explanation += fmt.Sprintf(", %d tagged for other cluster", taggedOtherCluster)
+		}
 		for _, sg := range filteredSGs {
 			if r.checkSecurityGroupHasClusterTag(sg) {
 				chosenSGs = append(chosenSGs, sg)
@@ -164,7 +172,7 @@ func (r *defaultSecurityGroupResolver) ResolveViaSelector(ctx context.Context, s
 		}
 	}
 	if len(chosenSGs) == 0 {
-		return nil, errors.New("unable to resolve at least one security group")
+		return nil, fmt.Errorf("unable to resolve at least one security group (%s)", explanation)
 	}
 	resolvedSGIDs := make([]string, 0, len(chosenSGs))
 	for _, sg := range chosenSGs {
