feat(tags): filter AWS tags and ACK tags during reconciliation (#170)

* feat(tags): add SyncAWSTags for AWS-managed tag preservation Add utility to automatically preserve immutable AWS-managed tags (aws:*) when modifying resources. Prevents tag operation errors with CloudFormation and Service Catalog managed resources. * Add FilterAWSTags as a method in AWSResourceManager interface. This funtion will filter out tags injected by AWS and ACK.
aws-controllers-k8s · Feb 17, 2025 · 5b918f9 · 5b918f9
1 parent e48dd7b
commit 5b918f9
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 16 deletions.
diff --git a/mocks/pkg/types/aws_resource_manager.go b/mocks/pkg/types/aws_resource_manager.go
diff --git a/pkg/runtime/reconciler.go b/pkg/runtime/reconciler.go
@@ -330,14 +330,10 @@ func (r *resourceReconciler) handleAdoption(
 		return nil, err
 	}
 
-	rlog.Enter("rm.EnsureTags")
-	err = rm.EnsureTags(ctx, resolved, r.sc.GetMetadata())
-	rlog.Exit("rm.EnsureTags", err)
-	if err != nil {
-		return resolved, err
-	}
 	rlog.Enter("rm.ReadOne")
 	latest, err := rm.ReadOne(ctx, resolved)
+	rlog.Exit("rm.ReadOne", err)
+	rm.FilterSystemTags(latest)
 	if err != nil {
 		return latest, err
 	}
@@ -346,16 +342,6 @@ func (r *resourceReconciler) handleAdoption(
 		return latest, err
 	}
 
-	// Ensure tags again after adding the finalizer and patching the
-	// resource. Patching desired resource omits the controller tags
-	// because they are not persisted in etcd. So we again ensure
-	// that tags are present before performing the create operation.
-	rlog.Enter("rm.EnsureTags")
-	err = rm.EnsureTags(ctx, latest, r.sc.GetMetadata())
-	rlog.Exit("rm.EnsureTags", err)
-	if err != nil {
-		return latest, err
-	}
 	r.rd.MarkAdopted(latest)
 	rlog.WithValues("is_adopted", "true")
 	latest, err = r.patchResourceMetadataAndSpec(ctx, rm, desired, latest)

diff --git a/pkg/types/aws_resource_manager.go b/pkg/types/aws_resource_manager.go
@@ -85,6 +85,12 @@ type AWSResourceManager interface {
 	// If the AWSResource does not support tags, only then the controller tags
 	// will not be added to the AWSResource.
 	EnsureTags(context.Context, AWSResource, ServiceControllerMetadata) error
+	// FilterSystemTags ignores tags that are either injected by the controller
+	// or by AWS. These tags have keys that start with "aws:" or "services.k8s.aws/"
+	// and this function will remove them before adoption.
+	// Eg. resources created with cloudformation have tags that cannot be
+	//removed by an ACK controller
+	FilterSystemTags(AWSResource)
 }
 
 // AWSResourceManagerFactory returns an AWSResourceManager that can be used to