raise an error when multiple backendSGs with same vpc-id and tags exist

Author: visit1985

pkg/networking/backend_sg_provider.go

@@ -298,11 +298,15 @@ func (p *defaultBackendSGProvider) getBackendSGFromEC2(ctx context.Context, sgNa
 			},
 		},
 	}
-	p.logger.V(1).Info("Queriying existing SG", "vpc-id", vpcID, "name", sgName)
+	tags := fmt.Sprintf("%v=%v, %v=%v", tagKeyK8sCluster, p.clusterName, tagKeyResource, tagValueBackend)
+	p.logger.V(1).Info("Querying existing SG", "vpc-id", vpcID, "tags", tags)
 	sgs, err := p.ec2Client.DescribeSecurityGroupsAsList(ctx, req)
 	if err != nil && !isEC2SecurityGroupNotFoundError(err) {
 		return "", err
 	}
+	if len(sgs) > 1 {
+		return "", errors.Errorf("Found multiple SGs with vpc-id %v and tags %v", vpcID, tags)
+	}
 	if len(sgs) > 0 {
 		return awssdk.ToString(sgs[0].GroupId), nil
 	}

pkg/networking/backend_sg_provider_test.go

@@ -114,6 +114,28 @@ func Test_defaultBackendSGProvider_Get(t *testing.T) {
 			},
 			want: "sg-autogen",
 		},
+		{
+			name: "backend sg enabled, auto-gen, multiple SGs exist",
+			fields: fields{
+				describeSGCalls: []describeSecurityGroupsAsListCall{
+					{
+						req: &ec2sdk.DescribeSecurityGroupsInput{
+							Filters: defaultEC2Filters,
+						},
+						resp: []ec2types.SecurityGroup{
+							{
+								GroupId: awssdk.String("sg-autogen"),
+							},
+							{
+								GroupId: awssdk.String("sg-other"),
+							},
+						},
+					},
+				},
+				ingResources: []*networking.Ingress{ing, ing1},
+			},
+			wantErr: errors.New("Found multiple SGs with vpc-id vpc-xxxyyy and tags elbv2.k8s.aws/cluster=testCluster, elbv2.k8s.aws/resource=backend-sg"),
+		},
 		{
 			name: "backend sg enabled, auto-gen new SG",
 			fields: fields{