Skip to content

ESD-1615-fix(nat-gateway): validate speed/session matrix on update path#515

Open
Phil-Browne wants to merge 4 commits into
mainfrom
worktree-ESD-1615-nat-gateway-update-matrix
Open

ESD-1615-fix(nat-gateway): validate speed/session matrix on update path#515
Phil-Browne wants to merge 4 commits into
mainfrom
worktree-ESD-1615-nat-gateway-update-matrix

Conversation

@Phil-Browne

Copy link
Copy Markdown
Contributor

Follow-up to #507. That PR added client-side speed/session-count matrix validation, but only on the create path. nat-gateway update --speed X --session-count Y still let an unsupported pair through to the API.

  • Refactor validateNATGatewaySpeedSessionMatrix to take speed/session-count directly instead of the create request.
  • Call it from UpdateNATGateway after the partial-update merge, so it validates the effective (merged) values.
  • Tests for the update path: rejects unsupported speed, rejects unsupported session count, allows a supported pair, and falls open on matrix-fetch failure.

Copilot AI review requested due to automatic review settings July 10, 2026 00:32
@Phil-Browne Phil-Browne requested review from a team and penzeliz-megaport as code owners July 10, 2026 00:32
@Phil-Browne Phil-Browne requested a review from mola-dev July 10, 2026 00:32
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.29%. Comparing base (dee5b8d) to head (60ca995).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #515   +/-   ##
=======================================
  Coverage   79.29%   79.29%           
=======================================
  Files         193      193           
  Lines       18683    18688    +5     
=======================================
+ Hits        14814    14819    +5     
  Misses       2820     2820           
  Partials     1049     1049           
Files with missing lines Coverage Δ
...ternal/commands/nat_gateway/nat_gateway_actions.go 82.03% <100.00%> (+0.23%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR closes a validation gap in the NAT gateway update workflow by applying the same speed/session-count matrix validation that already existed on the create path, ensuring unsupported combinations are rejected client-side before hitting the API.

Changes:

  • Refactors validateNATGatewaySpeedSessionMatrix to accept speed and sessionCount directly (instead of a create request).
  • Adds matrix validation to UpdateNATGateway after the partial-update merge so the effective (merged) values are validated.
  • Adds update-path test coverage for unsupported speed/session-count combinations and for “fail open” behavior when the matrix cannot be fetched.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
internal/commands/nat_gateway/nat_gateway_actions.go Refactors the matrix validation helper and applies it to the update path after defaults are merged.
internal/commands/nat_gateway/nat_gateway_test.go Adds focused tests ensuring update rejects invalid matrix pairs and fails open when the matrix fetch fails.

The speed/session-count availability matrix check ran only on create.
Update accepts --speed/--session-count too, so an unsupported pair on
update sailed past client-side checks straight to the API.

Refactor the validator to take speed/session-count directly and call it
from UpdateNATGateway after the partial-update merge, so it checks the
effective values.
@Phil-Browne Phil-Browne force-pushed the worktree-ESD-1615-nat-gateway-update-matrix branch from cfe783a to a29aec3 Compare July 10, 2026 00:35
@penzeliz-megaport

Copy link
Copy Markdown
Collaborator

The matrix check is correct on the create path, but on update it over-rejects. UpdateNATGateway calls validateNATGatewaySpeedSessionMatrix(..., req.Speed, req.Config.SessionCount, ...) (nat_gateway_actions.go ~L319) after mergeUpdateDefaults, so req.Speed / SessionCount hold the original gateway's values when the user didn't touch them. A name/term/auto-renew-only update on a grandfathered gateway whose speed/session pair was later removed from the matrix (matrix non-empty, so fail-open doesn't trigger) is rejected client-side with "speed not supported", even though speed and session weren't changed. Gate the call on speed or session-count actually changing, e.g. cmd.Flags().Changed("speed") || explicit.SessionCount.

UpdateNATGateway ran the speed/session matrix check unconditionally after
merging defaults, so a grandfathered gateway whose speed/session pair was
later dropped from the matrix would fail a name/term/auto-renew-only update
even though speed and session count weren't touched. Only validate when the
post-merge speed or session count actually differs from the original.
@Phil-Browne

Copy link
Copy Markdown
Contributor Author

Fixed in 9df9901. Rather than gating on cmd.Flags().Changed("speed") || explicit.SessionCount (which only covers the flag input path), the update now compares the post-merge req.Speed / req.Config.SessionCount against the original gateway's values and only calls validateNATGatewaySpeedSessionMatrix when one of them actually differs. This covers all three input modes (flags, JSON, interactive) uniformly, since mergeUpdateDefaults always resolves both fields to either the new value or the original one.

Added a regression test (TestUpdateNATGateway_MatrixSkippedWhenSpeedAndSessionUnchanged) that reproduces the grandfathered-gateway scenario: original speed/session pair excluded from the matrix, name-only update, expects success.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants