SecurityGroup groupName setting from UserIdGroupPair spec not working as expected #2058

Closed
@adriananeci

Description

Describe the bug

We are creating/grouping multiple SecurityGroup ACK objects into a single helm chart, along with other ACK objects (VPC, Subnets, etc). Some of these SGs need to be referenced in other SGs that are part of the same chart. Based on https://aws-controllers-k8s.github.io/community/reference/ec2/v1alpha1/securitygroup/ there are a few options via userIDGroupPairs when a SG needs to be referenced in another SG: groupID or groupName. Given that the SG ID is not known beforehand, the only option left in this case is groupName. During our testing we found out that this option doesn't work as expected, and we started getting errors like:

- lastTransitionTime: "2024-04-19T20:41:14Z"
  status: "True"
  type: ACK.ReferencesResolved
- message: "InvalidParameterCombination: An IP permission for a VPC security group may only include a group ID, not a group name.\n\tstatus code: 400, request id: de0f7840-4f3d-4b8d-8e38-d7107e9a318f"
  status: "True"
  type: ACK.Recoverable
- lastTransitionTime: "2024-04-19T20:41:15Z"
  message: Unable to determine if desired resource state matches latest observed state
  reason: "InvalidParameterCombination: An IP permission for a VPC security group may only include a group ID, not a group name.\n\tstatus code: 400, request id: de0f7840-4f3d-4b8d-8e38-d7107e9a318f"
  status: Unknown
  type: ACK.ResourceSynced

or

- lastTransitionTime: "2024-04-19T20:41:15Z"
  status: "True"
  type: ACK.ReferencesResolved
- message: "VPCIdNotSpecified: No default VPC for this user\n\tstatus code: 400, request id: 1ae9d2e2-a5dc-439f-b323-909a12bfea29"
  status: "True"
  type: ACK.Recoverable
- lastTransitionTime: "2024-04-19T20:41:16Z"
  message: Unable to determine if desired resource state matches latest observed state
  reason: "VPCIdNotSpecified: No default VPC for this user\n\tstatus code: 400, request id: 1ae9d2e2-a5dc-439f-b323-909a12bfea29"
  status: Unknown
  type: ACK.ResourceSynced

Steps to reproduce

Create a security group object like:

❯ k get securitygroup ci-sbx -oyaml | k neat
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  annotations:
    services.k8s.aws/region: us-west-2
  name: ci-sbx
spec:
  description: Applied to all instances
  egressRules:
  - fromPort: 1
    ipProtocol: tcp
    toPort: 65535
    userIDGroupPairs:
    - description: Allow all nodes to communicate
      groupName: ci-sbx-2
      userID: "<accountID>"
  ingressRules:
  - fromPort: -1
    ipProtocol: icmp
    toPort: -1
    userIDGroupPairs:
    - description: Allow all nodes to communicate ICMP
      groupName: ci-sbx-2
      userID: "<accountID>"
  name: ci-sbx
  tags:
  - key: Name
    value: ci-sbx-k8s
  - key: AckName
    value: ci-sbx
  vpcRef:
    from:
      name: ci-sbx

Check the status of the newly created object:

❯ kubectl describe securitygroup ci-sbx

Expected outcome

Security group should be created without issues.

If VPC ID is not specified inside the userIDGroupPairs, use the one referenced via the vpcRef setting.

Other options might include adding support for securitygroupref or vpcRef settings inside the userIDGroupPairs.

Environment

  • Kubernetes version: 1.28
  • Using EKS (yes/no), if so version?: yes, 1.28
  • AWS service targeted (S3, RDS, etc.): security groups
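The error quoted in the report ("An IP permission for a VPC security group may only include a group ID, not a group name") can be caught before the manifest ever reaches the controller. The following is an added example, not code from the issue or from the ACK project: a small pre-apply lint that walks the ingressRules/egressRules of an ec2.services.k8s.aws SecurityGroup manifest and flags every userIDGroupPairs entry that names its peer by groupName without a groupID while the group is VPC-scoped (vpcID or vpcRef set). A second helper rewrites such entries once the peer's ID is known. The manifest dict is transcribed from the issue's YAML; the resolved group ID is a constructed placeholder, and reading the peer's ID from its `status.id` field is an assumption about the ACK resource, not something the issue states.

```python
"""Added example (not part of the original issue or the ACK project): a
pre-apply lint for ACK ec2 SecurityGroup manifests that flags userIDGroupPairs
entries referencing a peer by groupName instead of groupID, which is what the
EC2 InvalidParameterCombination error in the issue rejects for VPC groups."""

import copy
from typing import Any

# Constructed from the issue's manifest; the accountID placeholder is kept as-is.
ISSUE_MANIFEST: dict[str, Any] = {
    "apiVersion": "ec2.services.k8s.aws/v1alpha1",
    "kind": "SecurityGroup",
    "metadata": {"name": "ci-sbx"},
    "spec": {
        "description": "Applied to all instances",
        "egressRules": [
            {
                "fromPort": 1,
                "ipProtocol": "tcp",
                "toPort": 65535,
                "userIDGroupPairs": [
                    {
                        "description": "Allow all nodes to communicate",
                        "groupName": "ci-sbx-2",
                        "userID": "<accountID>",
                    }
                ],
            }
        ],
        "ingressRules": [
            {
                "fromPort": -1,
                "ipProtocol": "icmp",
                "toPort": -1,
                "userIDGroupPairs": [
                    {
                        "description": "Allow all nodes to communicate ICMP",
                        "groupName": "ci-sbx-2",
                        "userID": "<accountID>",
                    }
                ],
            }
        ],
        "name": "ci-sbx",
        "vpcRef": {"from": {"name": "ci-sbx"}},
    },
}


def is_vpc_scoped(spec: dict[str, Any]) -> bool:
    """A SecurityGroup that names a VPC, by ID or by ACK reference, is a VPC
    security group; that is the case in which EC2 refuses groupName peers."""
    return bool(spec.get("vpcID") or spec.get("vpcRef"))


def lint_security_group(manifest: dict[str, Any]) -> list[str]:
    """Return one finding per userIDGroupPairs entry that would trigger the
    InvalidParameterCombination error quoted in the issue. Ingress rules are
    reported before egress rules."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    if not is_vpc_scoped(spec):
        return findings
    for direction in ("ingressRules", "egressRules"):
        for idx, rule in enumerate(spec.get(direction) or []):
            for pair in rule.get("userIDGroupPairs") or []:
                if pair.get("groupName") and not pair.get("groupID"):
                    findings.append(
                        f"{direction}[{idx}]: peer '{pair['groupName']}' is given by "
                        "groupName; a VPC security group rule needs groupID"
                    )
    return findings


def with_group_ids(manifest: dict[str, Any], resolved: dict[str, str]) -> dict[str, Any]:
    """Return a copy in which every groupName peer is replaced by its groupID.
    `resolved` maps groupName -> groupID and is supplied by the caller, for
    example from the peer SecurityGroup's status.id once it has been created
    (assumed field name). The input manifest is left unchanged."""
    fixed = copy.deepcopy(manifest)
    for direction in ("ingressRules", "egressRules"):
        for rule in fixed["spec"].get(direction) or []:
            for pair in rule.get("userIDGroupPairs") or []:
                name = pair.pop("groupName", None)
                if name is not None:
                    pair["groupID"] = resolved[name]
    return fixed


if __name__ == "__main__":
    for line in lint_security_group(ISSUE_MANIFEST):
        print("FINDING:", line)
    # Constructed placeholder ID; a real value would come from the peer SG.
    repaired = with_group_ids(ISSUE_MANIFEST, {"ci-sbx-2": "sg-0123456789abcdef0"})
    print("findings after rewrite:", lint_security_group(repaired))
```

Run against the issue's manifest the lint reports both rules (the ICMP ingress rule and the TCP egress rule); after the peer name is swapped for an ID it reports nothing. The check deliberately stays silent for a group with neither vpcID nor vpcRef, since the quoted error is specific to VPC security groups.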

Labels: service/ec2 (indicates issues or PRs that are related to ec2-controller)