add

Author: a-hilaly

pkg/runtime/reconciler.go

@@ -262,6 +262,39 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	region := r.getRegion(desired)
 	endpointURL := r.getEndpointURL(desired)
 	gvk := r.rd.GroupVersionKind()
+
+	// If the user has specified a region that is different from the
+	// region the resource currently exists in, we need to fail the
+	// reconciliation with a terminal error.
+	if regionDrifted(desired, region) {
+		msg := fmt.Sprintf(
+			"Resource already exists in region %s, but the desired state specifies region %s. ",
+			*desired.Identifiers().Region(), region,
+		)
+		rlog.Info(
+			msg,
+			"current_region", region,
+			"desired_region", desired.Identifiers().Region(),
+		)
+		return ctrlrt.Result{}, ackerr.NewTerminalError(errors.New(msg))
+	}
+
+	// Similarly, if the user has specified an account ID that is different
+	// from the account ID the resource currently exists in, we need to
+	// fail the reconciliation with a terminal error.
+	if accountDrifted(desired, acctID) {
+		msg := fmt.Sprintf(
+			"Resource already exists in account %s, but the role used for reconciliation is in account %s. ",
+			*desired.Identifiers().OwnerAccountID(), acctID,
+		)
+		rlog.Info(
+			msg,
+			"current_account", acctID,
+			"desired_account", desired.Identifiers().OwnerAccountID(),
+		)
+		return ctrlrt.Result{}, ackerr.NewTerminalError(errors.New(msg))
+	}
+
 	// The config pivot to the roleARN will happen if it is not empty.
 	// in the NewResourceManager
 	clientConfig, err := r.sc.NewAWSConfig(ctx, region, &endpointURL, roleARN, gvk)
@@ -285,6 +318,20 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	return r.HandleReconcileError(ctx, desired, latest, err)
 }
 
+func regionDrifted(desired acktypes.AWSResource, targetRegion ackv1alpha1.AWSRegion) bool {
+	if desired.Identifiers().Region() == nil {
+		return false
+	}
+	return *desired.Identifiers().Region() != targetRegion
+}
+
+func accountDrifted(desired acktypes.AWSResource, targetAccountID ackv1alpha1.AWSAccountID) bool {
+	if desired.Identifiers().OwnerAccountID() == nil {
+		return false
+	}
+	return *desired.Identifiers().OwnerAccountID() != targetAccountID
+}
+
 func (r *resourceReconciler) handleCacheError(
 	ctx context.Context,
 	err error,

pkg/runtime/reconciler_test.go

@@ -30,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8sobj "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8srtschema "k8s.io/apimachinery/pkg/runtime/schema"
+	ctrlrt "sigs.k8s.io/controller-runtime"
 	ctrlrtzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1"
@@ -503,7 +504,7 @@ func TestReconcilerAdoptOrCreateResource_Adopt(t *testing.T) {
 	latest, latestRTObj, latestMetaObj := resourceMocks()
 	latest.On("Identifiers").Return(ids)
 	latest.On("Conditions").Return([]*ackv1alpha1.Condition{})
-		latest.On(
+	latest.On(
 		"ReplaceConditions",
 		mock.AnythingOfType("[]*v1alpha1.Condition"),
 	).Return().Run(func(args mock.Arguments) {
@@ -1746,3 +1747,71 @@ func TestReconcilerUpdate_EnsureControllerTagsError(t *testing.T) {
 	rm.AssertNotCalled(t, "LateInitialize", ctx, latest)
 	rm.AssertCalled(t, "EnsureTags", ctx, desired, scmd)
 }
+
+func TestReconciler_RegionDrifted_Annotation(t *testing.T) {
+	require := require.New(t)
+	ctx := context.TODO()
+
+	// Resource has region "us-east-1" in Identifiers, but annotation says "us-west-2"
+	desired, _, metaObj := resourceMocks()
+	ids := &ackmocks.AWSResourceIdentifiers{}
+	region := ackv1alpha1.AWSRegion("us-east-1")
+	ids.On("Region").Return(&region)
+	desired.On("Identifiers").Return(ids)
+	metaObj.SetNamespace("default")
+	metaObj.SetAnnotations(map[string]string{
+		ackv1alpha1.AnnotationRegion: "us-west-2",
+	})
+
+	rmf, rd := managedResourceManagerFactoryMocks(desired, desired)
+	r, _, _ := reconcilerMocks(rmf)
+	rd.On("GroupVersionKind").Return(schema.GroupVersionKind{
+		Group:   "bookstore.services.k8s.aws",
+		Kind:    "Book",
+		Version: "v1alpha1",
+	})
+	rd.On("EmptyRuntimeObject").Return(&fakeBook{})
+	rd.On("IsManaged", desired).Return(true)
+
+	// This will trigger regionDrifted via getRegion logic
+	result, err := r.Reconcile(ctx, ctrlrt.Request{Namespace: "default", Name: "mybook"})
+	require.Error(err)
+	require.Contains(err.Error(), "region")
+	_ = result
+}
+
+func TestReconciler_AccountDrifted_NamespaceCache(t *testing.T) {
+	require := require.New(t)
+	ctx := context.TODO()
+
+	// Resource has account "111111111111" in Identifiers, but namespace cache says "222222222222"
+	desired, _, metaObj := resourceMocks()
+	ids := &ackmocks.AWSResourceIdentifiers{}
+	accountID := ackv1alpha1.AWSAccountID("111111111111")
+	ids.On("OwnerAccountID").Return(&accountID)
+	desired.On("Identifiers").Return(ids)
+	metaObj.SetNamespace("test-ns")
+
+	rmf, rd := managedResourceManagerFactoryMocks(desired, desired)
+	r, _, _ := reconcilerMocks(rmf)
+	rd.On("GroupVersionKind").Return(schema.GroupVersionKind{
+		Group:   "bookstore.services.k8s.aws",
+		Kind:    "Book",
+		Version: "v1alpha1",
+	})
+	rd.On("EmptyRuntimeObject").Return(&fakeBook{})
+	rd.On("IsManaged", desired).Return(true)
+
+	// Inject fake account ID into the reconciler's cache for the namespace
+	if r2, ok := r.(*ackrt.ResourceReconciler); ok {
+		if r2.Cache.Namespaces == nil {
+			r2.Cache.Namespaces = &ackrtcache.NamespacesCache{}
+		}
+		r2.Cache.Namespaces.SetOwnerAccountID("test-ns", "222222222222")
+	}
+
+	result, err := r.Reconcile(ctx, ctrlrt.Request{Namespace: "test-ns", Name: "mybook"})
+	require.Error(err)
+	require.Contains(err.Error(), "account")
+	_ = result
+}