e2e test: verify num autogenerated security groups for basic service …

test/e2e/service/nlb_instance_target_test.go

@@ -3,10 +3,11 @@ package service
 import (
 	"context"
 	"fmt"
+	"strings"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/aws-load-balancer-controller/test/framework/verifier"
-	"strings"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -81,10 +82,11 @@ var _ = Describe("test k8s service using instance target reconciled by the aws l
 				}
 
 				err = verifier.VerifyAWSLoadBalancerResources(ctx, tf, lbARN, verifier.LoadBalancerExpectation{
-					Type:         "network",
-					Scheme:       "internet-facing",
-					Listeners:    stack.resourceStack.getListenersPortMap(),
-					TargetGroups: expectedTargetGroups,
+					Type:              "network",
+					Scheme:            "internet-facing",
+					NumSecurityGroups: 2, // One shared backend security group, one managed security group
+					Listeners:         stack.resourceStack.getListenersPortMap(),
+					TargetGroups:      expectedTargetGroups,
 				})
 				Expect(err).NotTo(HaveOccurred())
 			})

test/e2e/service/nlb_ip_target_test.go

@@ -3,11 +3,12 @@ package service
 import (
 	"context"
 	"fmt"
-	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
-	"sigs.k8s.io/aws-load-balancer-controller/test/framework/verifier"
 	"strings"
 	"time"
 
+	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
+	"sigs.k8s.io/aws-load-balancer-controller/test/framework/verifier"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -143,8 +144,9 @@ var _ = Describe("k8s service using ip target reconciled by the aws load balance
 				}
 
 				err := verifier.VerifyAWSLoadBalancerResources(ctx, tf, lbARN, verifier.LoadBalancerExpectation{
-					Type:   "network",
-					Scheme: "internet-facing",
+					Type:              "network",
+					Scheme:            "internet-facing",
+					NumSecurityGroups: 2,
 					Listeners: map[string]string{
 						"80": "TCP",
 					},

test/framework/verifier/aws_resource_verifier.go

@@ -38,11 +38,12 @@ type ExpectedTargetGroup struct {
 }
 
 type LoadBalancerExpectation struct {
-	Name         string
-	Type         string
-	Scheme       string
-	Listeners    map[string]string // listener port, protocol
-	TargetGroups []ExpectedTargetGroup
+	Name              string
+	Type              string
+	Scheme            string
+	NumSecurityGroups int
+	Listeners         map[string]string // listener port, protocol
+	TargetGroups      []ExpectedTargetGroup
 }
 
 // ListenerExpectation contains the expected configuration for an ALB/NLB listener
@@ -79,6 +80,8 @@ func VerifyAWSLoadBalancerResources(ctx context.Context, f *framework.Framework,
 	Expect(err).NotTo(HaveOccurred())
 	err = VerifyLoadBalancerType(ctx, f, lb, expected.Type, expected.Scheme)
 	Expect(err).NotTo(HaveOccurred())
+	err = VerifyLoadBalancerSecurityGroups(lb, expected.NumSecurityGroups)
+	Expect(err).NotTo(HaveOccurred())
 	err = VerifyLoadBalancerListeners(ctx, f, lbARN, expected.Listeners)
 	Expect(err).NotTo(HaveOccurred())
 	err = VerifyLoadBalancerTargetGroups(ctx, f, lbARN, expected)
@@ -99,6 +102,13 @@ func VerifyLoadBalancerType(_ context.Context, f *framework.Framework, lb *elbv2
 	return nil
 }
 
+func VerifyLoadBalancerSecurityGroups(lb *elbv2types.LoadBalancer, numExpectedSgs int) error {
+	if numExpectedSgs > 0 {
+		Expect(lb.SecurityGroups).To(HaveLen(numExpectedSgs))
+	}
+	return nil
+}
+
 func VerifyLoadBalancerAttributes(ctx context.Context, f *framework.Framework, lbARN string, expectedAttrs map[string]string) error {
 	lbAttrs, err := f.LBManager.GetLoadBalancerAttributes(ctx, lbARN)
 	Expect(err).NotTo(HaveOccurred())