updating wif logic for determining role updates

The prior check was lead to custom roles being updated during every wif creation call if the permission set provided was not in the exact order that is returned by GCP- emperically found to be alphabetical. With this change, this assumption is no longer necassary.
openshift-online · Sep 17, 2024 · 17958de · 17958de
1 parent 46bb9dc
commit 17958de
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/cmd/ocm/gcp/gcp-client-shim.go b/cmd/ocm/gcp/gcp-client-shim.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"reflect"
 	"strings"
 
 	"cloud.google.com/go/iam/admin/apiv1/adminpb"
@@ -250,7 +249,7 @@ func (c *shim) createOrUpdateRoles(
 		}
 
 		// Update role if permissions have changed
-		if !reflect.DeepEqual(existingRole.IncludedPermissions, permissions) {
+		if c.roleRequiresUpdate(permissions, existingRole.IncludedPermissions) {
 			existingRole.IncludedPermissions = permissions
 			_, err := c.updateRole(ctx, existingRole, c.fmtRoleResourceId(role))
 			if err != nil {
@@ -262,6 +261,25 @@ func (c *shim) createOrUpdateRoles(
 	return nil
 }
 
+func (c *shim) roleRequiresUpdate(
+	newPermissions []string,
+	existingPermissions []string,
+) bool {
+	permissionMap := map[string]bool{}
+	for _, permission := range existingPermissions {
+		permissionMap[permission] = true
+	}
+	if len(permissionMap) != len(newPermissions) {
+		return true
+	}
+	for _, permission := range newPermissions {
+		if !permissionMap[permission] {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *shim) bindRolesToServiceAccount(
 	ctx context.Context,
 	serviceAccount *cmv1.WifServiceAccount,