svc/sg/tags: introduce owner check for delete SG flow on BYO SG

mtulio · mtulio · commit 12af74b330b3 · 2025-07-15T13:49:06.000-03:00
diff --git a/pkg/providers/v1/tags.go b/pkg/providers/v1/tags.go
@@ -154,6 +154,31 @@ func (t *awsTagging) hasClusterTag(tags []ec2types.Tag) bool {
 	return false
 }
 
+// hasClusterTagOwned checks if the resource has the cluster tag with the value "owned"
+// This is used to determine if the resource is owned by the controller.
+// It checks both legacy and new tags.
+func (t *awsTagging) hasClusterTagOwned(tags []ec2types.Tag) bool {
+	if len(t.ClusterID) == 0 {
+		return false
+	}
+	clusterTagKey := t.clusterTagKey()
+	for _, tag := range tags {
+		tagKey := aws.ToString(tag.Key)
+		tagValue := aws.ToString(tag.Value)
+
+		// For legacy tags, the cluster ID is the value, not "owned"
+		if (tagKey == TagNameKubernetesClusterLegacy) && (tagValue == t.ClusterID) {
+			return true
+		}
+
+		// For new tags, check if it's the cluster tag with "owned" value
+		if tagKey == clusterTagKey && tagValue == string(ResourceLifecycleOwned) {
+			return true
+		}
+	}
+	return false
+}
+
 func (t *awsTagging) hasNoClusterPrefixTag(tags []ec2types.Tag) bool {
 	for _, tag := range tags {
 		if strings.HasPrefix(aws.ToString(tag.Key), TagNameKubernetesClusterPrefix) {
diff --git a/pkg/providers/v1/tags_test.go b/pkg/providers/v1/tags_test.go
@@ -343,3 +343,267 @@ func TestUntagResource(t *testing.T) {
 		})
 	}
 }
+
+func TestHasClusterTagOwned(t *testing.T) {
+	tests := []struct {
+		name      string
+		clusterID string
+		tags      []ec2types.Tag
+		expected  bool
+	}{
+		{
+			name:      "empty cluster ID returns false",
+			clusterID: "",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("owned"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "legacy tag with matching cluster ID returns true",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String("test-cluster"),
+				},
+			},
+			expected: true,
+		},
+		{
+			name:      "legacy tag with non-matching cluster ID returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String("other-cluster"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "new tag with owned value returns true",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("owned"),
+				},
+			},
+			expected: true,
+		},
+		{
+			name:      "new tag with shared value returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("shared"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "new tag with wrong cluster ID returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetes.io/cluster/other-cluster"),
+					Value: aws.String("owned"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "no matching tags returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("some-other-tag"),
+					Value: aws.String("some-value"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "empty tags list returns false",
+			clusterID: "test-cluster",
+			tags:      []ec2types.Tag{},
+			expected:  false,
+		},
+		{
+			name:      "both legacy and new tags present - legacy matches",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String("test-cluster"),
+				},
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("shared"),
+				},
+			},
+			expected: true,
+		},
+		{
+			name:      "both legacy and new tags present - new matches",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String("other-cluster"),
+				},
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("owned"),
+				},
+			},
+			expected: true,
+		},
+		{
+			name:      "both legacy and new tags present - neither matches",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String("other-cluster"),
+				},
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("shared"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "tags with nil key returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   nil,
+					Value: aws.String("test-cluster"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "tags with nil value returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: nil,
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "legacy tag with empty value returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String(""),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "new tag with empty value returns false",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String(""),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "multiple tags with one legacy match",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("some-tag"),
+					Value: aws.String("some-value"),
+				},
+				{
+					Key:   aws.String("KubernetesCluster"),
+					Value: aws.String("test-cluster"),
+				},
+				{
+					Key:   aws.String("other-tag"),
+					Value: aws.String("other-value"),
+				},
+			},
+			expected: true,
+		},
+		{
+			name:      "multiple tags with one new match",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("some-tag"),
+					Value: aws.String("some-value"),
+				},
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("owned"),
+				},
+				{
+					Key:   aws.String("other-tag"),
+					Value: aws.String("other-value"),
+				},
+			},
+			expected: true,
+		},
+		{
+			name:      "case sensitivity - legacy tag key case mismatch",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetescluster"),
+					Value: aws.String("test-cluster"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "case sensitivity - new tag key case mismatch",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("Kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("owned"),
+				},
+			},
+			expected: false,
+		},
+		{
+			name:      "case sensitivity - new tag value case mismatch",
+			clusterID: "test-cluster",
+			tags: []ec2types.Tag{
+				{
+					Key:   aws.String("kubernetes.io/cluster/test-cluster"),
+					Value: aws.String("Owned"),
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tagging := awsTagging{
+				ClusterID: tt.clusterID,
+			}
+
+			result := tagging.hasClusterTagOwned(tt.tags)
+			assert.Equal(t, tt.expected, result, "hasClusterTagOwned returned unexpected result")
+		})
+	}
+}
