unbind-security-group is not working as intended
Please fill out the issue checklist below and provide ALL the requested information.
- [x] I reviewed open and closed github issues that may be related to my problem.
- [x] I tried updating to the latest version of the CF CLI to see if it fixed my problem.
- [x] I attempted to run the command with `CF_TRACE=1` to help debug the issue.
- [x] I am reporting a bug that others will be able to reproduce.
Describe the bug and the command you saw an issue with
Provide details on what you were trying to do (and why).
What happened
When I run `cf unbind-security-group MY-ASG MY-ORG My-SPACE --lifecycle running`, it's not removing the security group and I can still access the ASG rules.
Expected behavior
Running the above command should behave the same as `cf unbind-running-security-group`, but only for that org/space.
Exact Steps To Reproduce
Steps to reproduce the behavior; include the exact CLI commands and verbose output:
- Run `cf push MY-APP` in MY-ORG and MY-SPACE
- Run `cf unbind-security-group public_networks MY-ORG MY-SPACE --lifecycle running`
- Run `cf restart MY-APP`
- The App is still able to reach internet.
Provide more context
Notes regarding V6 and V7 CLI support:
CLI Version V8: 8.7.2+501652f.2023-08-30
I don't think this is a bug per se. The error you get is
```
Unbinding running security group public_networks from org system / space test as admin...
Security group public_networks not bound to space test for lifecycle phase 'running'.
OK
```
This is because the public_networks group ISN'T bound to the space. It's a global rule. It seems like perhaps there are ways to improve the ux here, but I don't think deleting an entire global rule, and creating one that is bound to every org and space except the space you're in is the right solution.
Closing this issue since the root cause is related to bad UX instead, and the behavior is expected.
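
The distinction discussed in this thread, as an added example that is not part of the original issue or of the CF CLI: a check of whether an ASG reaches a space through a space binding or through the global running set, which decides whether a space-level unbind changes egress. It assumes the CF API v3 security group shape (`globally_enabled`, `relationships.running_spaces`) as returned by `cf curl /v3/security_groups`; the sample data, the `internal_db` group and the space GUID are constructed.

```python
import json

# Constructed sample shaped like `cf curl /v3/security_groups` output (assumed v3 shape).
SAMPLE = json.loads("""
{"resources": [
  {"name": "public_networks",
   "globally_enabled": {"running": true, "staging": true},
   "relationships": {"running_spaces": {"data": []},
                     "staging_spaces": {"data": []}}},
  {"name": "internal_db",
   "globally_enabled": {"running": false, "staging": false},
   "relationships": {"running_spaces": {"data": [{"guid": "space-guid-test"}]},
                     "staging_spaces": {"data": []}}}
]}
""")


def asg_sources(groups, space_guid, lifecycle="running"):
    """Map each ASG that applies to the space to how it applies: 'global' and/or 'space'."""
    result = {}
    for group in groups["resources"]:
        sources = []
        if group.get("globally_enabled", {}).get(lifecycle):
            sources.append("global")
        rel = group.get("relationships", {}).get(f"{lifecycle}_spaces", {})
        if any(s["guid"] == space_guid for s in rel.get("data", [])):
            sources.append("space")
        if sources:
            result[group["name"]] = sources
    return result


def unbind_removes_rules(groups, name, space_guid, lifecycle="running"):
    """True only when a space-level unbind would stop the ASG's rules applying to the space."""
    # A globally enabled group keeps applying even after any space binding is removed.
    return asg_sources(groups, space_guid, lifecycle).get(name) == ["space"]


if __name__ == "__main__":
    for name, sources in asg_sources(SAMPLE, "space-guid-test").items():
        effect = unbind_removes_rules(SAMPLE, name, "space-guid-test")
        print(f"{name}: applies via {sources}; space unbind changes egress: {effect}")
```
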