feat(tags): filter AWS tags and ACK tags during reconciliation (#170)

michaelhtm · web-flow · commit 5b918f9b4674 · 2025-02-17T10:09:45.000-08:00
* feat(tags): add SyncAWSTags for AWS-managed tag preservation

Add utility to automatically preserve immutable AWS-managed tags (aws:*)
when modifying resources. Prevents tag operation errors with
CloudFormation and Service Catalog managed resources.

* Add FilterAWSTags as a method in AWSResourceManager interface.

This funtion will filter out tags injected by AWS and ACK.
diff --git a/mocks/pkg/types/aws_resource_manager.go b/mocks/pkg/types/aws_resource_manager.go
diff --git a/pkg/runtime/reconciler.go b/pkg/runtime/reconciler.go
@@ -330,14 +330,10 @@ func (r *resourceReconciler) handleAdoption(
 		return nil, err
 	}
 
-	rlog.Enter("rm.EnsureTags")
-	err = rm.EnsureTags(ctx, resolved, r.sc.GetMetadata())
-	rlog.Exit("rm.EnsureTags", err)
-	if err != nil {
-		return resolved, err
-	}
 	rlog.Enter("rm.ReadOne")
 	latest, err := rm.ReadOne(ctx, resolved)
+	rlog.Exit("rm.ReadOne", err)
+	rm.FilterSystemTags(latest)
 	if err != nil {
 		return latest, err
 	}
@@ -346,16 +342,6 @@ func (r *resourceReconciler) handleAdoption(
 		return latest, err
 	}
 
-	// Ensure tags again after adding the finalizer and patching the
-	// resource. Patching desired resource omits the controller tags
-	// because they are not persisted in etcd. So we again ensure
-	// that tags are present before performing the create operation.
-	rlog.Enter("rm.EnsureTags")
-	err = rm.EnsureTags(ctx, latest, r.sc.GetMetadata())
-	rlog.Exit("rm.EnsureTags", err)
-	if err != nil {
-		return latest, err
-	}
 	r.rd.MarkAdopted(latest)
 	rlog.WithValues("is_adopted", "true")
 	latest, err = r.patchResourceMetadataAndSpec(ctx, rm, desired, latest)
diff --git a/pkg/types/aws_resource_manager.go b/pkg/types/aws_resource_manager.go
@@ -85,6 +85,12 @@ type AWSResourceManager interface {
 	// If the AWSResource does not support tags, only then the controller tags
 	// will not be added to the AWSResource.
 	EnsureTags(context.Context, AWSResource, ServiceControllerMetadata) error
+	// FilterSystemTags ignores tags that are either injected by the controller
+	// or by AWS. These tags have keys that start with "aws:" or "services.k8s.aws/"
+	// and this function will remove them before adoption.
+	// Eg. resources created with cloudformation have tags that cannot be
+	//removed by an ACK controller
+	FilterSystemTags(AWSResource)
 }
 
 // AWSResourceManagerFactory returns an AWSResourceManager that can be used to
