fix sg rule generation for TCP_QUIC and legacy SG path

Author: zac-nixon

pkg/service/model_build_target_group.go

@@ -593,7 +593,14 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworkingLegacy(ctx cont
 	trafficSource := loadBalancerSubnetCIDRs
 	defaultRangeUsed := false
 	var trafficPorts []elbv2api.NetworkingPort
-	if tgProtocol == elbv2model.ProtocolUDP || t.preserveClientIP {
+
+	/*
+		https://docs.aws.amazon.com/elasticloadbalancing/latest/network/edit-target-group-attributes.html#client-ip-preservation
+		By default, client IP preservation is enabled (and can't be disabled) for instance and IP type target groups with UDP and TCP_UDP protocols.
+		However, you can enable or disable client IP preservation for TCP and TLS target groups using the preserve_client_ip.enabled target group attribute.
+	*/
+
+	if tgProtocol == elbv2model.ProtocolUDP || tgProtocol == elbv2model.ProtocolTCP_UDP || t.preserveClientIP {
 		trafficSource = t.getLoadBalancerSourceRanges(ctx)
 		if len(trafficSource) == 0 {
 			trafficSource, err = t.getDefaultIPSourceRanges(ctx, targetGroupIPAddressType, tgProtocol, scheme)

pkg/service/model_build_target_group_test.go

@@ -1289,7 +1289,7 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworkingLegacy(t *tes
 						From: []elbv2modelk8s.NetworkingPeer{
 							{
 								IPBlock: &elbv2api.IPBlock{
-									CIDR: "172.16.0.0/19",
+									CIDR: "0.0.0.0/0",
 								},
 							},
 						},
@@ -1322,6 +1322,44 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworkingLegacy(t *tes
 				},
 			},
 		},
+		{
+			name:   "tcpudp-service with no source ranges configuration with same hc",
+			svc:    &corev1.Service{},
+			tgPort: port80,
+			hcPort: port80,
+			scheme: elbv2.LoadBalancerSchemeInternetFacing,
+			subnets: []ec2types.Subnet{
+				{
+					CidrBlock: aws.String("172.16.0.0/19"),
+					SubnetId:  aws.String("az-1"),
+				},
+			},
+			tgProtocol:    elbv2.ProtocolTCP_UDP,
+			ipAddressType: elbv2.TargetGroupIPAddressTypeIPv4,
+			want: &elbv2modelk8s.TargetGroupBindingNetworking{
+				Ingress: []elbv2modelk8s.NetworkingIngressRule{
+					{
+						From: []elbv2modelk8s.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "0.0.0.0/0",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolTCP,
+								Port:     &port80,
+							},
+							{
+								Protocol: &networkingProtocolUDP,
+								Port:     &port80,
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {