🐛: elbv2: skip adding security groups to NLB in secret regions

Secret regions don't yet support security groups for NLBs.

pkg/cloud/services/elb/loadbalancer.go

@@ -64,6 +64,9 @@ const apiServerTargetGroupPrefix = "apiserver-target-"
 // listeners.
 const additionalTargetGroupPrefix = "additional-listener-"
 
+// cantAttachSGToNLBRegions is a set of regions that do not support Security Groups in NLBs.
+var cantAttachSGToNLBRegions = sets.New("us-iso-east-1", "us-iso-west-1", "us-isob-east-1")
+
 // ReconcileLoadbalancers reconciles the load balancers for the given cluster.
 func (s *Service) ReconcileLoadbalancers() error {
 	s.scope.Debug("Reconciling load balancers")
@@ -395,6 +398,11 @@ func (s *Service) createLB(spec *infrav1.LoadBalancer, lbSpec *infrav1.AWSLoadBa
 		input.IpAddressType = aws.String("dualstack")
 	}
 
+	// TODO: remove when security groups on NLBs is supported in all regions.
+	if cantAttachSGToNLBRegions.Has(s.scope.Region()) {
+		input.SecurityGroups = nil
+	}
+
 	// Allocate custom addresses (Elastic IP) to internet-facing Load Balancers, when defined.
 	// Custom, or BYO, Public IPv4 Pool need to be created prior install, and the Pool ID must be
 	// set in the VpcSpec.ElasticIPPool.PublicIPv4Pool to allow Elastic IP be consumed from