openshift · openshift-merge-bot · Mar 2, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/tests/aws-cloud-controller-manager-tests-ext/e2e/helper.go b/tests/aws-cloud-controller-manager-tests-ext/e2e/helper.go
@@ -3,9 +3,12 @@ package e2e
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	ec2 "github.com/aws/aws-sdk-go-v2/service/ec2"
+	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	elbv2 "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
@@ -116,3 +119,78 @@ func isFeatureEnabled(ctx context.Context, featureName string) (bool, error) {
 	framework.Logf("Feature %s not found in FeatureGate status", featureName)
 	return false, nil
 }
+
+// getAWSClientEC2 creates an AWS EC2 client using default credentials configured in the environment.
+func getAWSClientEC2(ctx context.Context) (*ec2.Client, error) {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to load AWS config: %v", err)
+	}
+	return ec2.NewFromConfig(cfg), nil
+}
+
+// getAWSSecurityGroup retrieves a security group by ID using the AWS EC2 client.
+func getAWSSecurityGroup(ctx context.Context, ec2Client *ec2.Client, sgID string) (*ec2types.SecurityGroup, error) {
+	framework.Logf("describing security group %s", sgID)
+	input := &ec2.DescribeSecurityGroupsInput{
+		GroupIds: []string{sgID},
+	}
+
+	result, err := ec2Client.DescribeSecurityGroups(ctx, input)
+	if err != nil {
+		return nil, fmt.Errorf("failed to describe security group %s: %v", sgID, err)
+	}
+
+	if len(result.SecurityGroups) == 0 {
+		return nil, fmt.Errorf("security group %s not found", sgID)
+	}
+
+	return &result.SecurityGroups[0], nil
+}
+
+// getAWSSecurityGroupRules gets the security group rules for the given security group IDs.
+func getAWSSecurityGroupRules(ctx context.Context, ec2Client *ec2.Client, groups []string) ([]ec2types.IpPermission, error) {
+	rules := []ec2types.IpPermission{}
+	for _, group := range groups {
+		sg, err := getAWSSecurityGroup(ctx, ec2Client, group)
+		if err != nil {
+			return nil, err
+		}
+		rules = append(rules, sg.IpPermissions...)
+	}
+	return rules, nil
+}
+
+// securityGroupExists checks if a security group exists by ID.
+// Returns true if it exists, false if it doesn't exist or was deleted.
+func securityGroupExists(ctx context.Context, ec2Client *ec2.Client, sgID string) (bool, error) {
+	framework.Logf("checking if security group %s exists", sgID)
+	input := &ec2.DescribeSecurityGroupsInput{
+		GroupIds: []string{sgID},
+	}
+
+	_, err := ec2Client.DescribeSecurityGroups(ctx, input)
+	if err != nil {
+		// Check if it's a "not found" error
+		if ec2IsNotFoundError(err) {
+			framework.Logf("security group %s does not exist", sgID)
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to check security group %s: %v", sgID, err)
+	}
+
+	framework.Logf("security group %s exists", sgID)
+	return true, nil
+}
+
+// ec2IsNotFoundError checks if an error is an EC2 "not found" error.
+func ec2IsNotFoundError(err error) bool {
+	if err == nil {
+		return false
+	}
+	// Check for common EC2 not found error messages
+	errMsg := err.Error()
+	return strings.Contains(errMsg, "InvalidGroup.NotFound") ||
+		strings.Contains(errMsg, "InvalidGroupId.NotFound") ||
+		strings.Contains(errMsg, "InvalidGroup.Malformed")
+}