From 7f42248d9ac90b12478333a2ebbaf8c5f81c3487 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20G=C3=B6hler?=
Date: Sun, 16 Mar 2025 20:53:45 +0100
Subject: [PATCH] raise an error when multiple backendSGs with same vpc-id and tags exist
---
pkg/networking/backend_sg_provider.go | 6 +++++-
pkg/networking/backend_sg_provider_test.go | 22 ++++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/pkg/networking/backend_sg_provider.go b/pkg/networking/backend_sg_provider.go
index 8b3900e52..f0fd1412a 100644
--- a/pkg/networking/backend_sg_provider.go
+++ b/pkg/networking/backend_sg_provider.go
@@ -298,11 +298,15 @@ func (p *defaultBackendSGProvider) getBackendSGFromEC2(ctx context.Context, sgNa
 },
 },
 }
- p.logger.V(1).Info("Queriying existing SG", "vpc-id", vpcID, "name", sgName)
+ tags := fmt.Sprintf("%v=%v, %v=%v", tagKeyK8sCluster, p.clusterName, tagKeyResource, tagValueBackend)
+ p.logger.V(1).Info("Querying existing SG", "vpc-id", vpcID, "tags", tags)
 sgs, err := p.ec2Client.DescribeSecurityGroupsAsList(ctx, req)
 if err != nil && !isEC2SecurityGroupNotFoundError(err) {
 return "", err
 }
+ if len(sgs) > 1 {
+ return "", errors.Errorf("Found multiple SGs with vpc-id %v and tags %v", vpcID, tags)
+ }
 if len(sgs) > 0 {
 return awssdk.ToString(sgs[0].GroupId), nil
 }
diff --git a/pkg/networking/backend_sg_provider_test.go b/pkg/networking/backend_sg_provider_test.go
index 4850d7d30..a40225051 100644
--- a/pkg/networking/backend_sg_provider_test.go
+++ b/pkg/networking/backend_sg_provider_test.go
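Review bot: In pkg/networking/backend_sg_provider.go, the new `if len(sgs) > 1` error in getBackendSGFromEC2 names the VPC and the tag filter but not the security groups that matched, so whoever hits it has to repeat the query to learn which groups are duplicated. Since this branch now fails closed instead of returning `sgs[0]`, a single extra group carrying the cluster and resource tags is enough to stop the lookup, and the group IDs are the detail needed to find and audit it; collecting them into the message as below would do. Go error strings conventionally start lowercase, and the new case in backend_sg_provider_test.go compares against the exact message, so its `wantErr` would need the same update. The function's body starts and ends outside the hunk.

```go
if len(sgs) > 1 {
	// Report every matching group so the duplicate can be located and audited.
	ids := make([]string, 0, len(sgs))
	for _, sg := range sgs {
		ids = append(ids, awssdk.ToString(sg.GroupId))
	}
	return "", errors.Errorf("found %d security groups with vpc-id %v and tags %v: %v", len(sgs), vpcID, tags, ids)
}
// … unchanged: single-match return of sgs[0].GroupId …
```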
@@ -114,6 +114,28 @@ func Test_defaultBackendSGProvider_Get(t *testing.T) {
 },
 want: "sg-autogen",
 },
+ {
+ name: "backend sg enabled, auto-gen, multiple SGs exist",
+ fields: fields{
+ describeSGCalls: []describeSecurityGroupsAsListCall{
+ {
+ req: &ec2sdk.DescribeSecurityGroupsInput{
+ Filters: defaultEC2Filters,
+ },
+ resp: []ec2types.SecurityGroup{
+ {
+ GroupId: awssdk.String("sg-autogen"),
+ },
+ {
+ GroupId: awssdk.String("sg-other"),
+ },
+ },
+ },
+ },
+ ingResources: []*networking.Ingress{ing, ing1},
+ },
+ wantErr: errors.New("Found multiple SGs with vpc-id vpc-xxxyyy and tags elbv2.k8s.aws/cluster=testCluster, elbv2.k8s.aws/resource=backend-sg"),
+ },
 {
 name: "backend sg enabled, auto-gen new SG",
 fields: fields{