From b303d4329fc151dae7ef02dbebdea99cea134274 Mon Sep 17 00:00:00 2001
From: ci-robot <ci-robot@k8s.io>
Date: Tue, 18 Feb 2025 00:16:24 +0000
Subject: [PATCH] Update to ACK runtime `v0.43.0`, code-generator `v0.43.0`

---
 apis/v1alpha1/ack-generate-metadata.yaml |  8 ++--
 config/controller/kustomization.yaml     |  2 +-
 go.mod                                   |  2 +-
 go.sum                                   |  4 +-
 helm/Chart.yaml                          |  4 +-
 helm/templates/NOTES.txt                 |  2 +-
 helm/values.yaml                         |  2 +-
 pkg/resource/broker/manager.go           | 44 ++++++++++++++++++++++
 pkg/resource/broker/tags.go              | 48 +++++++++++++++++++++++-
 9 files changed, 102 insertions(+), 14 deletions(-)

diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
index 9be83ed..00c6ae3 100755
--- a/apis/v1alpha1/ack-generate-metadata.yaml
+++ b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2025-02-06T03:31:35Z"
-  build_hash: 8762917215d9902b2011a2b0b1b0c776855a683e
-  go_version: go1.23.5
-  version: v0.42.0
+  build_date: "2025-02-18T00:15:49Z"
+  build_hash: 66c0f840b0bcf6f552be46cf5ee0fb95ad57053e
+  go_version: go1.23.6
+  version: v0.43.0
 api_directory_checksum: 613faabc7535609beb25a8f426679700a4c17bd6
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
index cb365bb..50802f3 100644
--- a/config/controller/kustomization.yaml
+++ b/config/controller/kustomization.yaml
@@ -6,4 +6,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: public.ecr.aws/aws-controllers-k8s/mq-controller
-  newTag: 1.0.3
+  newTag: 1.0.4
diff --git a/go.mod b/go.mod
index f8f552c..b4e6f89 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ toolchain go1.22.5
 
 require (
 	github.com/aws-controllers-k8s/ec2-controller v0.0.21
-	github.com/aws-controllers-k8s/runtime v0.42.0
+	github.com/aws-controllers-k8s/runtime v0.43.0
 	github.com/aws/aws-sdk-go v1.49.0
 	github.com/aws/aws-sdk-go-v2 v1.34.0
 	github.com/aws/aws-sdk-go-v2/service/mq v1.27.13
diff --git a/go.sum b/go.sum
index e8ee456..037782c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 github.com/aws-controllers-k8s/ec2-controller v0.0.21 h1:5O7/9aED2Tl9OT0TL2rWrc1Ix5V1UxYEgDKAhvFhPJQ=
 github.com/aws-controllers-k8s/ec2-controller v0.0.21/go.mod h1:OMsmJeJ3iQZ1sJgs3hqnjBRnJ3hmTzJUO38W5rxnB5M=
-github.com/aws-controllers-k8s/runtime v0.42.0 h1:fVb3cOwUtn0ZwTSedapES+Rspb97S8BTxMqXJt6R5uM=
-github.com/aws-controllers-k8s/runtime v0.42.0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c=
+github.com/aws-controllers-k8s/runtime v0.43.0 h1:mCtMHO0rew84VbqotquvBirnKysbao+y2G3QI8bKZxM=
+github.com/aws-controllers-k8s/runtime v0.43.0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c=
 github.com/aws/aws-sdk-go v1.49.0 h1:g9BkW1fo9GqKfwg2+zCD+TW/D36Ux+vtfJ8guF4AYmY=
 github.com/aws/aws-sdk-go v1.49.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.34.0 h1:9iyL+cjifckRGEVpRKZP3eIxVlL06Qk1Tk13vreaVQU=
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index ccde6ea..4536815 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: mq-chart
 description: A Helm chart for the ACK service controller for Amazon MQ (MQ)
-version: 1.0.3
-appVersion: 1.0.3
+version: 1.0.4
+appVersion: 1.0.4
 home: https://github.com/aws-controllers-k8s/mq-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index a14c1cf..be3afa6 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -1,5 +1,5 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/mq-controller:1.0.3".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/mq-controller:1.0.4".
 
 Check its status by running:
   kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/helm/values.yaml b/helm/values.yaml
index 7dde58a..de1099e 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -4,7 +4,7 @@
 
 image:
   repository: public.ecr.aws/aws-controllers-k8s/mq-controller
-  tag: 1.0.3
+  tag: 1.0.4
   pullPolicy: IfNotPresent
   pullSecrets: []
 
diff --git a/pkg/resource/broker/manager.go b/pkg/resource/broker/manager.go
index dd85884..29e3292 100644
--- a/pkg/resource/broker/manager.go
+++ b/pkg/resource/broker/manager.go
@@ -102,6 +102,7 @@ func (rm *resourceManager) ReadOne(
 		panic("resource manager's ReadOne() method received resource with nil CR object")
 	}
 	observed, err := rm.sdkFind(ctx, r)
+	mirrorAWSTags(r, observed)
 	if err != nil {
 		if observed != nil {
 			return rm.onError(observed, err)
@@ -296,6 +297,49 @@ func (rm *resourceManager) EnsureTags(
 	return nil
 }
 
+// FilterAWSTags ignores tags that have keys that start with "aws:"
+// is needed to ensure the controller does not attempt to remove
+// tags set by AWS. This function needs to be called after each Read
+// operation.
+// Eg. resources created with cloudformation have tags that cannot be
+// removed by an ACK controller
+func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource) {
+	r := rm.concreteResource(res)
+	if r == nil || r.ko == nil {
+		return
+	}
+	var existingTags map[string]*string
+	existingTags = r.ko.Spec.Tags
+	resourceTags := ToACKTags(existingTags)
+	ignoreSystemTags(resourceTags)
+	r.ko.Spec.Tags = FromACKTags(resourceTags)
+}
+
+// mirrorAWSTags ensures that AWS tags are included in the desired resource
+// if they are present in the latest resource. This will ensure that the
+// aws tags are not present in a diff. The logic of the controller will
+// ensure these tags aren't patched to the resource in the cluster, and
+// will only be present to make sure we don't try to remove these tags.
+//
+// Although there are a lot of similarities between this function and
+// EnsureTags, they are very much different.
+// While EnsureTags tries to make sure the resource contains the controller
+// tags, mirrowAWSTags tries to make sure tags injected by AWS are mirrored
+// from the latest resoruce to the desired resource.
+func mirrorAWSTags(a *resource, b *resource) {
+	if a == nil || a.ko == nil || b == nil || b.ko == nil {
+		return
+	}
+	var existingLatestTags map[string]*string
+	var existingDesiredTags map[string]*string
+	existingDesiredTags = a.ko.Spec.Tags
+	existingLatestTags = b.ko.Spec.Tags
+	desiredTags := ToACKTags(existingDesiredTags)
+	latestTags := ToACKTags(existingLatestTags)
+	syncAWSTags(desiredTags, latestTags)
+	a.ko.Spec.Tags = FromACKTags(desiredTags)
+}
+
 // newResourceManager returns a new struct implementing
 // acktypes.AWSResourceManager
 // This is for AWS-SDK-GO-V2 - Created newResourceManager With AWS sdk-Go-ClientV2
diff --git a/pkg/resource/broker/tags.go b/pkg/resource/broker/tags.go
index 32ec094..e781342 100644
--- a/pkg/resource/broker/tags.go
+++ b/pkg/resource/broker/tags.go
@@ -16,14 +16,18 @@
 package broker
 
 import (
+	"slices"
+	"strings"
+
 	acktags "github.com/aws-controllers-k8s/runtime/pkg/tags"
 
 	svcapitypes "github.com/aws-controllers-k8s/mq-controller/apis/v1alpha1"
 )
 
 var (
-	_ = svcapitypes.Broker{}
-	_ = acktags.NewTags()
+	_             = svcapitypes.Broker{}
+	_             = acktags.NewTags()
+	ACKSystemTags = []string{"services.k8s.aws/namespace", "services.k8s.aws/controller-version"}
 )
 
 // ToACKTags converts the tags parameter into 'acktags.Tags' shape.
@@ -57,3 +61,43 @@ func FromACKTags(tags acktags.Tags) map[string]*string {
 	}
 	return result
 }
+
+// ignoreSystemTags ignores tags that have keys that start with "aws:"
+// and ACKSystemTags, to avoid patching them to the resourceSpec.
+// Eg. resources created with cloudformation have tags that cannot be
+// removed by an ACK controller
+func ignoreSystemTags(tags acktags.Tags) {
+	for k := range tags {
+		if strings.HasPrefix(k, "aws:") ||
+			slices.Contains(ACKSystemTags, k) {
+			delete(tags, k)
+		}
+	}
+}
+
+// syncAWSTags ensures AWS-managed tags (prefixed with "aws:") from the latest resource state
+// are preserved in the desired state. This prevents the controller from attempting to
+// modify AWS-managed tags, which would result in an error.
+//
+// AWS-managed tags are automatically added by AWS services (e.g., CloudFormation, Service Catalog)
+// and cannot be modified or deleted through normal tag operations. Common examples include:
+// - aws:cloudformation:stack-name
+// - aws:servicecatalog:productArn
+//
+// Parameters:
+//   - a: The target Tags map to be updated (typically desired state)
+//   - b: The source Tags map containing AWS-managed tags (typically latest state)
+//
+// Example:
+//
+//	latest := Tags{"aws:cloudformation:stack-name": "my-stack", "environment": "prod"}
+//	desired := Tags{"environment": "dev"}
+//	SyncAWSTags(desired, latest)
+//	desired now contains {"aws:cloudformation:stack-name": "my-stack", "environment": "dev"}
+func syncAWSTags(a acktags.Tags, b acktags.Tags) {
+	for k := range b {
+		if strings.HasPrefix(k, "aws:") {
+			a[k] = b[k]
+		}
+	}
+}