Update rule management to avoid sporadic 503 errors (#4039)

* Update rule management to avoid sporadic 503 errors

* Update rule management to avoid sporadic 503 errors

* Update rule management to avoid sporadic 503 errors

* Update rule management to avoid sporadic 503 errors

* Update rule management to avoid sporadic 503 errors

* Update rule management to avoid sporadic 503 errors

* Update rule management to avoid sporadic 503 errors

Author: shraddhabang

docs/install/iam_policy.json

@@ -239,7 +239,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

docs/install/iam_policy_cn.json

@@ -239,7 +239,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

docs/install/iam_policy_iso.json

@@ -234,7 +234,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

docs/install/iam_policy_isob.json

@@ -234,7 +234,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

docs/install/iam_policy_isoe.json

@@ -234,7 +234,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

docs/install/iam_policy_isof.json

@@ -234,7 +234,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

docs/install/iam_policy_us-gov.json

@@ -239,7 +239,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }

pkg/aws/services/elbv2.go

@@ -50,7 +50,8 @@ type ELBV2 interface {
 	DescribeRulesWithContext(ctx context.Context, input *elasticloadbalancingv2.DescribeRulesInput) (*elasticloadbalancingv2.DescribeRulesOutput, error)
 	CreateRuleWithContext(ctx context.Context, input *elasticloadbalancingv2.CreateRuleInput) (*elasticloadbalancingv2.CreateRuleOutput, error)
 	DeleteRuleWithContext(ctx context.Context, input *elasticloadbalancingv2.DeleteRuleInput) (*elasticloadbalancingv2.DeleteRuleOutput, error)
-	ModifyRuleWithContext(ctx context.Context, inout *elasticloadbalancingv2.ModifyRuleInput) (*elasticloadbalancingv2.ModifyRuleOutput, error)
+	ModifyRuleWithContext(ctx context.Context, input *elasticloadbalancingv2.ModifyRuleInput) (*elasticloadbalancingv2.ModifyRuleOutput, error)
+	SetRulePrioritiesWithContext(ctx context.Context, input *elasticloadbalancingv2.SetRulePrioritiesInput) (*elasticloadbalancingv2.SetRulePrioritiesOutput, error)
 	RegisterTargetsWithContext(ctx context.Context, input *elasticloadbalancingv2.RegisterTargetsInput) (*elasticloadbalancingv2.RegisterTargetsOutput, error)
 	DeregisterTargetsWithContext(ctx context.Context, input *elasticloadbalancingv2.DeregisterTargetsInput) (*elasticloadbalancingv2.DeregisterTargetsOutput, error)
 	DescribeTrustStoresWithContext(ctx context.Context, input *elasticloadbalancingv2.DescribeTrustStoresInput) (*elasticloadbalancingv2.DescribeTrustStoresOutput, error)
@@ -163,6 +164,14 @@ func (c *elbv2Client) DeleteRuleWithContext(ctx context.Context, input *elasticl
 	return client.DeleteRule(ctx, input)
 }
 
+func (c *elbv2Client) SetRulePrioritiesWithContext(ctx context.Context, input *elasticloadbalancingv2.SetRulePrioritiesInput) (*elasticloadbalancingv2.SetRulePrioritiesOutput, error) {
+	client, err := c.awsClientsProvider.GetELBv2Client(ctx, "SetRulePriorities")
+	if err != nil {
+		return nil, err
+	}
+	return client.SetRulePriorities(ctx, input)
+}
+
 func (c *elbv2Client) CreateRuleWithContext(ctx context.Context, input *elasticloadbalancingv2.CreateRuleInput) (*elasticloadbalancingv2.CreateRuleOutput, error) {
 	client, err := c.getClient(ctx, "CreateRule")
 	if err != nil {

pkg/aws/services/elbv2_mocks.go

@@ -6,24 +6,29 @@ import (
 	elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"github.com/go-logr/logr"
-	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/errors"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/deploy/tracking"
-	elbv2equality "sigs.k8s.io/aws-load-balancer-controller/pkg/equality/elbv2"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/runtime"
+	"slices"
+	"sort"
+	"strconv"
 	"time"
 )
 
 // ListenerRuleManager is responsible for create/update/delete ListenerRule resources.
 type ListenerRuleManager interface {
-	Create(ctx context.Context, resLR *elbv2model.ListenerRule) (elbv2model.ListenerRuleStatus, error)
+	Create(ctx context.Context, resLR *elbv2model.ListenerRule, desiredActionsAndConditions *resLRDesiredActionsAndConditionsPair) (elbv2model.ListenerRuleStatus, error)
 
-	Update(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) (elbv2model.ListenerRuleStatus, error)
+	UpdateRules(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags, desiredActionsAndConditions *resLRDesiredActionsAndConditionsPair) (elbv2model.ListenerRuleStatus, error)
+
+	UpdateRulesTags(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) (elbv2model.ListenerRuleStatus, error)
 
 	Delete(ctx context.Context, sdkLR ListenerRuleWithTags) error
+
+	SetRulePriorities(ctx context.Context, matchedResAndSDKLRsBySettings []resAndSDKListenerRulePair, unmatchedSDKLRs []ListenerRuleWithTags) error
 }
 
 // NewDefaultListenerRuleManager constructs new defaultListenerRuleManager.
@@ -54,8 +59,8 @@ type defaultListenerRuleManager struct {
 	waitLSExistenceTimeout      time.Duration
 }
 
-func (m *defaultListenerRuleManager) Create(ctx context.Context, resLR *elbv2model.ListenerRule) (elbv2model.ListenerRuleStatus, error) {
-	req, err := buildSDKCreateListenerRuleInput(resLR.Spec, m.featureGates)
+func (m *defaultListenerRuleManager) Create(ctx context.Context, resLR *elbv2model.ListenerRule, desiredActionsAndConditions *resLRDesiredActionsAndConditionsPair) (elbv2model.ListenerRuleStatus, error) {
+	req, err := buildSDKCreateListenerRuleInput(resLR.Spec, desiredActionsAndConditions, m.featureGates)
 	if err != nil {
 		return elbv2model.ListenerRuleStatus{}, err
 	}
@@ -90,13 +95,17 @@ func (m *defaultListenerRuleManager) Create(ctx context.Context, resLR *elbv2mod
 	return buildResListenerRuleStatus(sdkLR), nil
 }
 
-func (m *defaultListenerRuleManager) Update(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) (elbv2model.ListenerRuleStatus, error) {
+func (m *defaultListenerRuleManager) UpdateRulesTags(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) (elbv2model.ListenerRuleStatus, error) {
 	if m.featureGates.Enabled(config.ListenerRulesTagging) {
 		if err := m.updateSDKListenerRuleWithTags(ctx, resLR, sdkLR); err != nil {
 			return elbv2model.ListenerRuleStatus{}, err
 		}
 	}
-	if err := m.updateSDKListenerRuleWithSettings(ctx, resLR, sdkLR); err != nil {
+	return buildResListenerRuleStatus(sdkLR), nil
+}
+
+func (m *defaultListenerRuleManager) UpdateRules(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags, desiredActionsAndConditions *resLRDesiredActionsAndConditionsPair) (elbv2model.ListenerRuleStatus, error) {
+	if err := m.updateSDKListenerRuleWithSettings(ctx, resLR, sdkLR, desiredActionsAndConditions); err != nil {
 		return elbv2model.ListenerRuleStatus{}, err
 	}
 	return buildResListenerRuleStatus(sdkLR), nil
@@ -116,15 +125,28 @@ func (m *defaultListenerRuleManager) Delete(ctx context.Context, sdkLR ListenerR
 	return nil
 }
 
-func (m *defaultListenerRuleManager) updateSDKListenerRuleWithSettings(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) error {
-	desiredActions, err := buildSDKActions(resLR.Spec.Actions, m.featureGates)
-	if err != nil {
+func (m *defaultListenerRuleManager) SetRulePriorities(ctx context.Context, matchedResAndSDKLRsBySettings []resAndSDKListenerRulePair, unmatchedSDKLRs []ListenerRuleWithTags) error {
+	req := buildSDKSetRulePrioritiesInput(matchedResAndSDKLRsBySettings, unmatchedSDKLRs)
+	m.logger.Info("setting listener rule priorities",
+		"rule priority pairs", req.RulePriorities)
+	if _, err := m.elbv2Client.SetRulePrioritiesWithContext(ctx, req); err != nil {
 		return err
 	}
-	desiredConditions := buildSDKRuleConditions(resLR.Spec.Conditions)
-	if !isSDKListenerRuleSettingsDrifted(resLR.Spec, sdkLR, desiredActions, desiredConditions) {
-		return nil
-	}
+	m.logger.Info("setting listener rule priorities complete",
+		"rule priority pairs", req.RulePriorities)
+	return nil
+}
+
+func (m *defaultListenerRuleManager) updateSDKListenerRuleWithTags(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) error {
+	desiredTags := m.trackingProvider.ResourceTags(resLR.Stack(), resLR, resLR.Spec.Tags)
+	return m.taggingManager.ReconcileTags(ctx, awssdk.ToString(sdkLR.ListenerRule.RuleArn), desiredTags,
+		WithCurrentTags(sdkLR.Tags),
+		WithIgnoredTagKeys(m.externalManagedTags))
+}
+
+func (m *defaultListenerRuleManager) updateSDKListenerRuleWithSettings(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags, desiredActionsAndConditions *resLRDesiredActionsAndConditionsPair) error {
+	desiredActions := desiredActionsAndConditions.desiredActions
+	desiredConditions := desiredActionsAndConditions.desiredConditions
 
 	req := buildSDKModifyListenerRuleInput(resLR.Spec, desiredActions, desiredConditions)
 	req.RuleArn = sdkLR.ListenerRule.RuleArn
@@ -142,27 +164,7 @@ func (m *defaultListenerRuleManager) updateSDKListenerRuleWithSettings(ctx conte
 	return nil
 }
 
-func (m *defaultListenerRuleManager) updateSDKListenerRuleWithTags(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) error {
-	desiredTags := m.trackingProvider.ResourceTags(resLR.Stack(), resLR, resLR.Spec.Tags)
-	return m.taggingManager.ReconcileTags(ctx, awssdk.ToString(sdkLR.ListenerRule.RuleArn), desiredTags,
-		WithCurrentTags(sdkLR.Tags),
-		WithIgnoredTagKeys(m.externalManagedTags))
-}
-
-func isSDKListenerRuleSettingsDrifted(lrSpec elbv2model.ListenerRuleSpec, sdkLR ListenerRuleWithTags,
-	desiredActions []elbv2types.Action, desiredConditions []elbv2types.RuleCondition) bool {
-
-	if !cmp.Equal(desiredActions, sdkLR.ListenerRule.Actions, elbv2equality.CompareOptionForActions()) {
-		return true
-	}
-	if !cmp.Equal(desiredConditions, sdkLR.ListenerRule.Conditions, elbv2equality.CompareOptionForRuleConditions()) {
-		return true
-	}
-
-	return false
-}
-
-func buildSDKCreateListenerRuleInput(lrSpec elbv2model.ListenerRuleSpec, featureGates config.FeatureGates) (*elbv2sdk.CreateRuleInput, error) {
+func buildSDKCreateListenerRuleInput(lrSpec elbv2model.ListenerRuleSpec, desiredActionsAndConditions *resLRDesiredActionsAndConditionsPair, featureGates config.FeatureGates) (*elbv2sdk.CreateRuleInput, error) {
 	ctx := context.Background()
 	lsARN, err := lrSpec.ListenerARN.Resolve(ctx)
 	if err != nil {
@@ -171,12 +173,20 @@ func buildSDKCreateListenerRuleInput(lrSpec elbv2model.ListenerRuleSpec, feature
 	sdkObj := &elbv2sdk.CreateRuleInput{}
 	sdkObj.ListenerArn = awssdk.String(lsARN)
 	sdkObj.Priority = awssdk.Int32(lrSpec.Priority)
-	actions, err := buildSDKActions(lrSpec.Actions, featureGates)
-	if err != nil {
-		return nil, err
+	if desiredActionsAndConditions != nil && desiredActionsAndConditions.desiredActions != nil {
+		sdkObj.Actions = desiredActionsAndConditions.desiredActions
+	} else {
+		actions, err := buildSDKActions(lrSpec.Actions, featureGates)
+		if err != nil {
+			return nil, err
+		}
+		sdkObj.Actions = actions
+	}
+	if desiredActionsAndConditions != nil && desiredActionsAndConditions.desiredConditions != nil {
+		sdkObj.Conditions = desiredActionsAndConditions.desiredConditions
+	} else {
+		sdkObj.Conditions = buildSDKRuleConditions(lrSpec.Conditions)
 	}
-	sdkObj.Actions = actions
-	sdkObj.Conditions = buildSDKRuleConditions(lrSpec.Conditions)
 	return sdkObj, nil
 }
 
@@ -187,6 +197,41 @@ func buildSDKModifyListenerRuleInput(_ elbv2model.ListenerRuleSpec, desiredActio
 	return sdkObj
 }
 
+func buildSDKSetRulePrioritiesInput(matchedResAndSDKLRsBySettings []resAndSDKListenerRulePair, unmatchedSDKLRs []ListenerRuleWithTags) *elbv2sdk.SetRulePrioritiesInput {
+	var rulePriorities []elbv2types.RulePriorityPair
+	var lastAvailablePriority int32 = 50000
+	var sdkLRs []ListenerRuleWithTags
+
+	// Sort the unmatched existing SDK rules based on their priority to be pushed down in same order
+	sort.Slice(unmatchedSDKLRs, func(i, j int) bool {
+		priorityI, _ := strconv.Atoi(awssdk.ToString(unmatchedSDKLRs[i].ListenerRule.Priority))
+		priorityJ, _ := strconv.Atoi(awssdk.ToString(unmatchedSDKLRs[j].ListenerRule.Priority))
+		return priorityI < priorityJ
+	})
+	// Push down all the unmatched existing SDK rules on load balancer so that updated rules can take their place
+	for _, sdkLR := range slices.Backward(unmatchedSDKLRs) {
+		sdkLR.ListenerRule.Priority = awssdk.String(strconv.Itoa(int(lastAvailablePriority)))
+		sdkLRs = append(sdkLRs, sdkLR)
+		lastAvailablePriority--
+	}
+	//Re-Prioritize matched rules by settings
+	for _, resAndSDKLR := range matchedResAndSDKLRsBySettings {
+		resAndSDKLR.sdkLR.ListenerRule.Priority = awssdk.String(strconv.Itoa(int(resAndSDKLR.resLR.Spec.Priority)))
+		sdkLRs = append(sdkLRs, resAndSDKLR.sdkLR)
+	}
+	for _, sdkLR := range sdkLRs {
+		p, _ := strconv.ParseInt(awssdk.ToString(sdkLR.ListenerRule.Priority), 10, 32)
+		rulePriorityPair := elbv2types.RulePriorityPair{
+			RuleArn:  sdkLR.ListenerRule.RuleArn,
+			Priority: awssdk.Int32(int32(p)),
+		}
+		rulePriorities = append(rulePriorities, rulePriorityPair)
+	}
+	sdkObj := &elbv2sdk.SetRulePrioritiesInput{
+		RulePriorities: rulePriorities,
+	}
+	return sdkObj
+}
 func buildResListenerRuleStatus(sdkLR ListenerRuleWithTags) elbv2model.ListenerRuleStatus {
 	return elbv2model.ListenerRuleStatus{
 		RuleARN: awssdk.ToString(sdkLR.ListenerRule.RuleArn),

pkg/deploy/elbv2/listener_rule_manager.go

@@ -3,21 +3,26 @@ package elbv2
 import (
 	"context"
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"github.com/go-logr/logr"
+	"github.com/google/go-cmp/cmp"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
+	elbv2equality "sigs.k8s.io/aws-load-balancer-controller/pkg/equality/elbv2"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	"strconv"
 )
 
 // NewListenerRuleSynthesizer constructs new listenerRuleSynthesizer.
 func NewListenerRuleSynthesizer(elbv2Client services.ELBV2, taggingManager TaggingManager,
-	lrManager ListenerRuleManager, logger logr.Logger, stack core.Stack) *listenerRuleSynthesizer {
+	lrManager ListenerRuleManager, logger logr.Logger, featureGates config.FeatureGates, stack core.Stack) *listenerRuleSynthesizer {
 	return &listenerRuleSynthesizer{
 		elbv2Client:    elbv2Client,
 		lrManager:      lrManager,
 		logger:         logger,
+		featureGates:   featureGates,
 		taggingManager: taggingManager,
 		stack:          stack,
 	}
@@ -26,6 +31,7 @@ func NewListenerRuleSynthesizer(elbv2Client services.ELBV2, taggingManager Taggi
 type listenerRuleSynthesizer struct {
 	elbv2Client    services.ELBV2
 	lrManager      ListenerRuleManager
+	featureGates   config.FeatureGates
 	logger         logr.Logger
 	taggingManager TaggingManager
 
@@ -61,26 +67,60 @@ func (s *listenerRuleSynthesizer) PostSynthesize(ctx context.Context) error {
 }
 
 func (s *listenerRuleSynthesizer) synthesizeListenerRulesOnListener(ctx context.Context, lsARN string, resLRs []*elbv2model.ListenerRule) error {
+	// Find existing listener rules on the load balancer
 	sdkLRs, err := s.findSDKListenersRulesOnLS(ctx, lsARN)
 	if err != nil {
 		return err
 	}
-
-	matchedResAndSDKLRs, unmatchedResLRs, unmatchedSDKLRs := matchResAndSDKListenerRules(resLRs, sdkLRs)
-	for _, sdkLR := range unmatchedSDKLRs {
-		if err := s.lrManager.Delete(ctx, sdkLR); err != nil {
+	// Build desired actions and conditions pairs for resource listener rules.
+	resLRDesiredActionsAndConditionsPairs := make(map[*elbv2model.ListenerRule]*resLRDesiredActionsAndConditionsPair, len(resLRs))
+	for _, resLR := range resLRs {
+		resLRDesiredActionsAndConditionsPair, err := buildResLRDesiredActionsAndConditionsPair(resLR, s.featureGates)
+		if err != nil {
+			return err
+		}
+		resLRDesiredActionsAndConditionsPairs[resLR] = resLRDesiredActionsAndConditionsPair
+	}
+	// matchedResAndSDKLRsBySettings : A slice of matched resLR and SDKLR rule pairs that have matching settings like actions and conditions. These needs to be only reprioratized to their corresponding priorities
+	// matchedResAndSDKLRsByPriority :  A slice of matched resLR and SDKLR rule pairs that have matching priorities but not settings like actions and conditions. These needs to be modified in place to avoid any 503 errors
+	// unmatchedResLRs : A slice of resLR that do not have a corresponding match in the sdkLRs. These rules need to be created on the load balancer.
+	// unmatchedSDKLRs : A slice of sdkLRs that do not have a corresponding match in the resLRs. These rules need to be first pushed down in the priority so that the new rules are created/modified at higher priority first and then deleted from the load balancer to avoid any 503 errors.
+	matchedResAndSDKLRsBySettings, matchedResAndSDKLRsByPriority, unmatchedResLRs, unmatchedSDKLRs, err := s.matchResAndSDKListenerRules(resLRs, sdkLRs, resLRDesiredActionsAndConditionsPairs)
+	if err != nil {
+		return err
+	}
+	// Re-prioritize matched listener rules.
+	if len(matchedResAndSDKLRsBySettings) > 0 {
+		err := s.lrManager.SetRulePriorities(ctx, matchedResAndSDKLRsBySettings, unmatchedSDKLRs)
+		if err != nil {
+			return err
+		}
+	}
+	// Modify rules in place which are matching priorities
+	for _, resAndSDKLR := range matchedResAndSDKLRsByPriority {
+		lsStatus, err := s.lrManager.UpdateRules(ctx, resAndSDKLR.resLR, resAndSDKLR.sdkLR, resLRDesiredActionsAndConditionsPairs[resAndSDKLR.resLR])
+		if err != nil {
 			return err
 		}
+		resAndSDKLR.resLR.SetStatus(lsStatus)
 	}
+	// Create all the new rules on the LB
 	for _, resLR := range unmatchedResLRs {
-		lrStatus, err := s.lrManager.Create(ctx, resLR)
+		lrStatus, err := s.lrManager.Create(ctx, resLR, resLRDesiredActionsAndConditionsPairs[resLR])
 		if err != nil {
 			return err
 		}
 		resLR.SetStatus(lrStatus)
 	}
-	for _, resAndSDKLR := range matchedResAndSDKLRs {
-		lsStatus, err := s.lrManager.Update(ctx, resAndSDKLR.resLR, resAndSDKLR.sdkLR)
+	// Delete all unmatched sdk LRs which were pushed down as new rules are either modified or created at higher priority
+	for _, sdkLR := range unmatchedSDKLRs {
+		if err := s.lrManager.Delete(ctx, sdkLR); err != nil {
+			return err
+		}
+	}
+	// Update existing listener rules on the load balancer for their tags
+	for _, resAndSDKLR := range matchedResAndSDKLRsBySettings {
+		lsStatus, err := s.lrManager.UpdateRulesTags(ctx, resAndSDKLR.resLR, resAndSDKLR.sdkLR)
 		if err != nil {
 			return err
 		}
@@ -110,31 +150,62 @@ type resAndSDKListenerRulePair struct {
 	sdkLR ListenerRuleWithTags
 }
 
-func matchResAndSDKListenerRules(resLRs []*elbv2model.ListenerRule, sdkLRs []ListenerRuleWithTags) ([]resAndSDKListenerRulePair, []*elbv2model.ListenerRule, []ListenerRuleWithTags) {
-	var matchedResAndSDKLRs []resAndSDKListenerRulePair
+type resLRDesiredActionsAndConditionsPair struct {
+	desiredActions    []types.Action
+	desiredConditions []types.RuleCondition
+}
+
+func (s *listenerRuleSynthesizer) matchResAndSDKListenerRules(resLRs []*elbv2model.ListenerRule, unmatchedSDKLRs []ListenerRuleWithTags, resLRDesiredActionsAndConditionsPairs map[*elbv2model.ListenerRule]*resLRDesiredActionsAndConditionsPair) ([]resAndSDKListenerRulePair, []resAndSDKListenerRulePair, []*elbv2model.ListenerRule, []ListenerRuleWithTags, error) {
+	var matchedResAndSDKLRsBySettings []resAndSDKListenerRulePair
+	var matchedResAndSDKLRsByPriority []resAndSDKListenerRulePair
 	var unmatchedResLRs []*elbv2model.ListenerRule
-	var unmatchedSDKLRs []ListenerRuleWithTags
+	var resLRsToCreate []*elbv2model.ListenerRule
+	var sdkLRsToDelete []ListenerRuleWithTags
 
-	resLRByPriority := mapResListenerRuleByPriority(resLRs)
-	sdkLRByPriority := mapSDKListenerRuleByPriority(sdkLRs)
+	for _, resLR := range resLRs {
+		resLRDesiredActionsAndConditionsPair := resLRDesiredActionsAndConditionsPairs[resLR]
+		found := false
+		for i := 0; i < len(unmatchedSDKLRs); i++ {
+			sdkLR := unmatchedSDKLRs[i]
+			if cmp.Equal(resLRDesiredActionsAndConditionsPair.desiredActions, sdkLR.ListenerRule.Actions, elbv2equality.CompareOptionForActions()) &&
+				cmp.Equal(resLRDesiredActionsAndConditionsPair.desiredConditions, sdkLR.ListenerRule.Conditions, elbv2equality.CompareOptionForRuleConditions()) {
+				sdkLRPriority, _ := strconv.ParseInt(awssdk.ToString(sdkLR.ListenerRule.Priority), 10, 64)
+				if resLR.Spec.Priority != int32(sdkLRPriority) {
+					matchedResAndSDKLRsBySettings = append(matchedResAndSDKLRsBySettings, resAndSDKListenerRulePair{
+						resLR: resLR,
+						sdkLR: sdkLR,
+					})
+				}
+				unmatchedSDKLRs = append(unmatchedSDKLRs[:i], unmatchedSDKLRs[i+1:]...)
+				i--
+				found = true
+				break
+			}
+		}
+		if !found {
+			unmatchedResLRs = append(unmatchedResLRs, resLR)
+		}
+	}
+
+	resLRByPriority := mapResListenerRuleByPriority(unmatchedResLRs)
+	sdkLRByPriority := mapSDKListenerRuleByPriority(unmatchedSDKLRs)
 	resLRPriorities := sets.Int32KeySet(resLRByPriority)
 	sdkLRPriorities := sets.Int32KeySet(sdkLRByPriority)
 	for _, priority := range resLRPriorities.Intersection(sdkLRPriorities).List() {
 		resLR := resLRByPriority[priority]
 		sdkLR := sdkLRByPriority[priority]
-		matchedResAndSDKLRs = append(matchedResAndSDKLRs, resAndSDKListenerRulePair{
+		matchedResAndSDKLRsByPriority = append(matchedResAndSDKLRsByPriority, resAndSDKListenerRulePair{
 			resLR: resLR,
 			sdkLR: sdkLR,
 		})
 	}
 	for _, priority := range resLRPriorities.Difference(sdkLRPriorities).List() {
-		unmatchedResLRs = append(unmatchedResLRs, resLRByPriority[priority])
+		resLRsToCreate = append(resLRsToCreate, resLRByPriority[priority])
 	}
 	for _, priority := range sdkLRPriorities.Difference(resLRPriorities).List() {
-		unmatchedSDKLRs = append(unmatchedSDKLRs, sdkLRByPriority[priority])
+		sdkLRsToDelete = append(sdkLRsToDelete, sdkLRByPriority[priority])
 	}
-
-	return matchedResAndSDKLRs, unmatchedResLRs, unmatchedSDKLRs
+	return matchedResAndSDKLRsBySettings, matchedResAndSDKLRsByPriority, resLRsToCreate, sdkLRsToDelete, nil
 }
 
 func mapResListenerRuleByPriority(resLRs []*elbv2model.ListenerRule) map[int32]*elbv2model.ListenerRule {

pkg/deploy/elbv2/listener_rule_manager_test.go

@@ -16,6 +16,18 @@ const (
 	defaultWaitLSExistenceTimeout      = 20 * time.Second
 )
 
+func buildResLRDesiredActionsAndConditionsPair(resLR *elbv2model.ListenerRule, featureGates config.FeatureGates) (*resLRDesiredActionsAndConditionsPair, error) {
+	desiredActions, err := buildSDKActions(resLR.Spec.Actions, featureGates)
+	if err != nil {
+		return nil, err
+	}
+	desiredConditions := buildSDKRuleConditions(resLR.Spec.Conditions)
+	return &resLRDesiredActionsAndConditionsPair{
+		desiredActions:    desiredActions,
+		desiredConditions: desiredConditions,
+	}, err
+}
+
 func buildSDKActions(modelActions []elbv2model.Action, featureGates config.FeatureGates) ([]elbv2types.Action, error) {
 	var sdkActions []elbv2types.Action
 	if len(modelActions) != 0 {

pkg/deploy/elbv2/listener_rule_synthesizer.go

@@ -93,7 +93,7 @@ func (d *defaultStackDeployer) Deploy(ctx context.Context, stack core.Stack) err
 		elbv2.NewTargetGroupSynthesizer(d.cloud.ELBV2(), d.trackingProvider, d.elbv2TaggingManager, d.elbv2TGManager, d.logger, d.featureGates, stack),
 		elbv2.NewLoadBalancerSynthesizer(d.cloud.ELBV2(), d.trackingProvider, d.elbv2TaggingManager, d.elbv2LBManager, d.logger, d.featureGates, d.controllerConfig, stack),
 		elbv2.NewListenerSynthesizer(d.cloud.ELBV2(), d.elbv2TaggingManager, d.elbv2LSManager, d.logger, stack),
-		elbv2.NewListenerRuleSynthesizer(d.cloud.ELBV2(), d.elbv2TaggingManager, d.elbv2LRManager, d.logger, stack),
+		elbv2.NewListenerRuleSynthesizer(d.cloud.ELBV2(), d.elbv2TaggingManager, d.elbv2LRManager, d.logger, d.featureGates, stack),
 		elbv2.NewTargetGroupBindingSynthesizer(d.k8sClient, d.trackingProvider, d.elbv2TGBManager, d.logger, stack),
 	}