Quota fixes

cli/cmd/cluster.go

@@ -335,9 +335,8 @@ var _clusterConfigureCmd = &cobra.Command{
 			exit.Error(err)
 		}
 
-		clusterConfig := refreshCachedClusterConfig(awsClient, accessConfig, true)
-
-		clusterState, err := clusterstate.GetClusterState(awsClient, &clusterConfig)
+		oldClusterConfig := refreshCachedClusterConfig(awsClient, accessConfig, true)
+		clusterState, err := clusterstate.GetClusterState(awsClient, &oldClusterConfig)
 		if err != nil {
 			exit.Error(err)
 		}
@@ -348,7 +347,6 @@ var _clusterConfigureCmd = &cobra.Command{
 		}
 
 		staleNodeGroups := clusterState.GetStaleNodeGroupNames()
-		oldClusterConfig := refreshCachedClusterConfig(awsClient, accessConfig, true)
 		newClusterConfig, newNgs, removedNgs, scaledNgs, err := getConfigureClusterConfig(awsClient, oldClusterConfig, clusterConfigFile, staleNodeGroups, _flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)

cli/cmd/lib_cluster_config.go

@@ -305,7 +305,7 @@ func confirmInstallClusterConfig(clusterConfig *clusterconfig.Config, awsClient
 }
 
 func confirmConfigureClusterConfig(newNgs, removedNgs, scaledNgs []string, oldCc, newCc clusterconfig.Config, disallowPrompt bool) {
-	fmt.Printf("your %s cluster in region %s will receive the following changes\n", newCc.ClusterName, newCc.Region)
+	fmt.Printf("your %s cluster in region %s will receive the following changes\n\n", newCc.ClusterName, newCc.Region)
 	if len(newNgs) > 0 {
 		fmt.Printf("￮ %d %s (%s) will be added\n", len(newNgs), s.PluralS("nodegroup", len(newNgs)), s.StrsAnd(newNgs))
 	}

pkg/lib/aws/errors.go

@@ -247,7 +247,7 @@ func ErrorSecurityGroupRulesExceeded(currentLimit, additionalQuotaRequired int,
 	url := "https://console.aws.amazon.com/servicequotas/home?#!/services/vpc/quotas"
 	return errors.WithStack(&errors.Error{
 		Kind:    ErrSecurityGroupRulesExceeded,
-		Message: fmt.Sprintf("security group rules limit of %d exceeded in region %s; use fewer availability zones, remove some node groups, reduce the number of CIDR white lists (if you have any), or increase your quota for inbound/outbound rules per security group by at least %d here: %s (if your request was recently approved, please allow ~30 minutes for AWS to reflect this change)", currentLimit, region, additionalQuotaRequired, url),
+		Message: fmt.Sprintf("security group rules limit of %d exceeded in region %s; remove some node groups, use fewer availability zones (on a new cluster), reduce the number of CIDR white lists (if you have any on a new cluster), or increase your quota for inbound/outbound rules per security group by at least %d here: %s (if your request was recently approved, please allow ~30 minutes for AWS to reflect this change)", currentLimit, region, additionalQuotaRequired, url),
 	})
 }
 

pkg/lib/aws/servicequotas.go

@@ -314,20 +314,23 @@ func (c *Client) VerifyNetworkQuotas(
 
 	// check rules quota for nodegroup SGs
 	requiredRulesForSG := requiredRulesForNodeGroupSecurityGroup(len(availabilityZones), longestCIDRWhiteList)
+	// fmt.Println("requiredRulesForSG", requiredRulesForSG, "quota", quotaCodeToValueMap[_securityGroupRulesQuotaCode])
 	if requiredRulesForSG > quotaCodeToValueMap[_securityGroupRulesQuotaCode] {
 		additionalQuotaRequired := requiredRulesForSG - quotaCodeToValueMap[_securityGroupRulesQuotaCode]
 		return ErrorSecurityGroupRulesExceeded(quotaCodeToValueMap[_securityGroupRulesQuotaCode], additionalQuotaRequired, c.Region)
 	}
 
 	// check rules quota for control plane SG
-	requiredRulesForCPSG := requiredRulesForControlPlaneSecurityGroup(numNodeGroups, clusterAlreadyExists)
+	requiredRulesForCPSG := requiredRulesForControlPlaneSecurityGroup(numNodeGroups)
+	// fmt.Println("requiredRulesForCPSG", requiredRulesForCPSG, "quota", quotaCodeToValueMap[_securityGroupRulesQuotaCode])
 	if requiredRulesForCPSG > quotaCodeToValueMap[_securityGroupRulesQuotaCode] {
 		additionalQuotaRequired := requiredRulesForCPSG - quotaCodeToValueMap[_securityGroupRulesQuotaCode]
 		return ErrorSecurityGroupRulesExceeded(quotaCodeToValueMap[_securityGroupRulesQuotaCode], additionalQuotaRequired, c.Region)
 	}
 
 	// check security groups quota
-	requiredSecurityGroups := requiredSecurityGroups(numNodeGroups, clusterAlreadyExists)
+	requiredSecurityGroups := requiredSecurityGroups(numNodeGroups)
+	// fmt.Println("requiredSecurityGroups", requiredSecurityGroups)
 	sgs, err := c.DescribeSecurityGroups()
 	if err != nil {
 		return err
@@ -359,21 +362,13 @@ func requiredRulesForNodeGroupSecurityGroup(numAZs, whitelistLength int) int {
 	return _baseInboundRulesForNodeGroup + numAZs*_inboundRulesPerAZ + whitelistRuleCount
 }
 
-func requiredRulesForControlPlaneSecurityGroup(numNodeGroups int, clusterAlreadyExists bool) int {
-	if clusterAlreadyExists {
-		return 2 * numNodeGroups
-	}
-
+func requiredRulesForControlPlaneSecurityGroup(numNodeGroups int) int {
 	// +1 for the operator node group
 	// this is the number of outbound rules (there are half as many inbound rules, so that is not the limiting factor)
 	return 2 * (numNodeGroups + 1)
 }
 
-func requiredSecurityGroups(numNodeGroups int, clusterAlreadyExists bool) int {
-	if clusterAlreadyExists {
-		return numNodeGroups
-	}
-
+func requiredSecurityGroups(numNodeGroups int) int {
 	// each node group requires a security group
 	return _baseNumberOfSecurityGroups + numNodeGroups
 }

pkg/types/clusterconfig/cluster_config.go

@@ -1152,15 +1152,12 @@ func (cc *Config) ValidateOnConfigure(awsClient *aws.Client, oldConfig Config) (
 	newNgs := cc.getNewNodeGroups(oldConfig)
 	removedNgs := cc.getRemovedNodeGroups(oldConfig)
 
-	netAdditionOfNgs := len(newNgs) - len(removedNgs)
-	if netAdditionOfNgs > 0 {
-		longestCIDRWhiteList := libmath.MaxInt(len(cc.APILoadBalancerCIDRWhiteList), len(cc.OperatorLoadBalancerCIDRWhiteList))
-		if err := awsClient.VerifyNetworkQuotasOnNodeGroupsAddition(strset.FromSlice(cc.AvailabilityZones), netAdditionOfNgs, longestCIDRWhiteList); err != nil {
-			// Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API
-			if !aws.IsAWSError(err) {
-				errReturned = errors.Wrap(err, NodeGroupsKey)
-				return
-			}
+	longestCIDRWhiteList := libmath.MaxInt(len(cc.APILoadBalancerCIDRWhiteList), len(cc.OperatorLoadBalancerCIDRWhiteList))
+	if err := awsClient.VerifyNetworkQuotasOnNodeGroupsAddition(strset.FromSlice(cc.AvailabilityZones), len(cc.NodeGroups), longestCIDRWhiteList); err != nil {
+		// Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API
+		if !aws.IsAWSError(err) {
+			errReturned = errors.Wrap(err, NodeGroupsKey)
+			return
 		}
 	}