Default egress enabled when mode is set

sjmiller609 · sjmiller609 · commit f9188485cb30 · 2026-03-23T15:27:41.000-04:00
diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go
@@ -250,20 +250,11 @@ func handleRun(ctx context.Context, cmd *cli.Command) error {
 			params.Network.BandwidthUpload = hypeman.Opt(bandwidthUp)
 		}
 		if egressEnabledSet || egressMode != "" {
-			params.Network.Egress = hypeman.InstanceNewParamsNetworkEgress{}
-			if egressEnabledSet {
-				params.Network.Egress.Enabled = hypeman.Opt(cmd.Bool("network-egress-enabled"))
-			}
-			if egressMode != "" {
-				switch egressMode {
-				case "all", "http_https_only":
-					params.Network.Egress.Enforcement = hypeman.InstanceNewParamsNetworkEgressEnforcement{
-						Mode: egressMode,
-					}
-				default:
-					return fmt.Errorf("invalid network-egress-mode: %s (must be 'all' or 'http_https_only')", egressMode)
-				}
+			egress, err := buildNetworkEgress(cmd.Bool("network-egress-enabled"), egressEnabledSet, egressMode)
+			if err != nil {
+				return err
 			}
+			params.Network.Egress = egress
 		}
 	}
 
@@ -391,6 +382,28 @@ func handleRun(ctx context.Context, cmd *cli.Command) error {
 	return nil
 }
 
+func buildNetworkEgress(enabled bool, enabledSet bool, mode string) (hypeman.InstanceNewParamsNetworkEgress, error) {
+	egress := hypeman.InstanceNewParamsNetworkEgress{}
+	if enabledSet {
+		egress.Enabled = hypeman.Opt(enabled)
+	} else if mode != "" {
+		egress.Enabled = hypeman.Opt(true)
+	}
+
+	if mode != "" {
+		switch mode {
+		case "all", "http_https_only":
+			egress.Enforcement = hypeman.InstanceNewParamsNetworkEgressEnforcement{
+				Mode: mode,
+			}
+		default:
+			return hypeman.InstanceNewParamsNetworkEgress{}, fmt.Errorf("invalid network-egress-mode: %s (must be 'all' or 'http_https_only')", mode)
+		}
+	}
+
+	return egress, nil
+}
+
 // isNotFoundError checks if err is a 404 not found error
 func isNotFoundError(err error, target **hypeman.Error) bool {
 	if apiErr, ok := err.(*hypeman.Error); ok {
diff --git a/pkg/cmd/run_test.go b/pkg/cmd/run_test.go
@@ -0,0 +1,31 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildNetworkEgress(t *testing.T) {
+	t.Run("defaults enabled to true when mode is set", func(t *testing.T) {
+		egress, err := buildNetworkEgress(false, false, "all")
+		require.NoError(t, err)
+		require.True(t, egress.Enabled.Valid())
+		assert.True(t, egress.Enabled.Value)
+		assert.Equal(t, "all", egress.Enforcement.Mode)
+	})
+
+	t.Run("honors explicit disabled flag when mode is set", func(t *testing.T) {
+		egress, err := buildNetworkEgress(false, true, "http_https_only")
+		require.NoError(t, err)
+		require.True(t, egress.Enabled.Valid())
+		assert.False(t, egress.Enabled.Value)
+		assert.Equal(t, "http_https_only", egress.Enforcement.Mode)
+	})
+
+	t.Run("rejects unsupported modes", func(t *testing.T) {
+		_, err := buildNetworkEgress(false, false, "smtp_only")
+		require.EqualError(t, err, "invalid network-egress-mode: smtp_only (must be 'all' or 'http_https_only')")
+	})
+}
