updating wif logic for determining role updates

The prior check was lead to custom roles being updated during every wif creation call if the permission set provided was not in the exact order that is returned by GCP- emperically found to be alphabetical. With this change, this assumption is no longer necassary.
openshift-online · Sep 16, 2024 · 82efbbb · 82efbbb
1 parent 5217d70
commit 82efbbb
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/cmd/ocm/gcp/gcp-client-shim.go b/cmd/ocm/gcp/gcp-client-shim.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"reflect"
 	"strings"
 	"time"
 
@@ -252,7 +251,7 @@ func (c *shim) createOrUpdateRoles(
 		}
 
 		// Update role if permissions have changed
-		if !reflect.DeepEqual(existingRole.IncludedPermissions, permissions) {
+		if c.roleRequiresUpdate(permissions, existingRole.IncludedPermissions) {
 			existingRole.IncludedPermissions = permissions
 			_, err := c.updateRole(ctx, existingRole, c.fmtRoleResourceId(role))
 			if err != nil {
@@ -264,6 +263,25 @@ func (c *shim) createOrUpdateRoles(
 	return nil
 }
 
+func (c *shim) roleRequiresUpdate(
+	newPermissions []string,
+	existingPermissions []string,
+) bool {
+	permissionMap := map[string]bool{}
+	for _, permission := range existingPermissions {
+		permissionMap[permission] = true
+	}
+	if len(permissionMap) != len(newPermissions) {
+		return true
+	}
+	for _, permission := range newPermissions {
+		if !permissionMap[permission] {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *shim) bindRolesToServiceAccount(
 	ctx context.Context,
 	serviceAccount *cmv1.WifServiceAccount,