UpdateTags support for SecurityGroup resource (#95)

Description of changes:

- Implemented update tags support for **Security Group** resource.
- Added e2e tests for the same.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: LikithaVemulapalli

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,5 +1,5 @@
 ack_generate_info:
-  build_date: "2022-09-13T21:29:16Z"
+  build_date: "2022-09-13T23:09:05Z"
   build_hash: 585f06bbd6d4cc1b738acb85901e7a009bf452c7
   go_version: go1.18.3
   version: v0.20.0

pkg/resource/security_group/hook.go

@@ -160,6 +160,105 @@ func (rm *resourceManager) syncSGRules(
 	return nil
 }
 
+// syncTags used to keep tags in sync by calling Create and Delete Tags API's
+func (rm *resourceManager) syncTags(
+	ctx context.Context,
+	desired *resource,
+	latest *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.syncTags")
+	defer func(err error) {
+		exit(err)
+	}(err)
+
+	resourceId := []*string{latest.ko.Status.ID}
+
+	toAdd, toDelete := computeTagsDelta(
+		desired.ko.Spec.Tags, latest.ko.Spec.Tags,
+	)
+
+	if len(toDelete) > 0 {
+		rlog.Debug("removing tags from security group resource", "tags", toDelete)
+		_, err = rm.sdkapi.DeleteTagsWithContext(
+			ctx,
+			&svcsdk.DeleteTagsInput{
+				Resources: resourceId,
+				Tags:      rm.sdkTags(toDelete),
+			},
+		)
+		rm.metrics.RecordAPICall("UPDATE", "DeleteTags", err)
+		if err != nil {
+			return err
+		}
+
+	}
+
+	if len(toAdd) > 0 {
+		rlog.Debug("adding tags to security group resource", "tags", toAdd)
+		_, err = rm.sdkapi.CreateTagsWithContext(
+			ctx,
+			&svcsdk.CreateTagsInput{
+				Resources: resourceId,
+				Tags:      rm.sdkTags(toAdd),
+			},
+		)
+		rm.metrics.RecordAPICall("UPDATE", "CreateTags", err)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// sdkTags converts *svcapitypes.Tag array to a *svcsdk.Tag array
+func (rm *resourceManager) sdkTags(
+	tags []*svcapitypes.Tag,
+) (sdktags []*svcsdk.Tag) {
+
+	for _, i := range tags {
+		sdktag := rm.newTag(*i)
+		sdktags = append(sdktags, sdktag)
+	}
+
+	return sdktags
+}
+
+// computeTagsDelta returns tags to be added and removed from the resource
+func computeTagsDelta(
+	desired []*svcapitypes.Tag,
+	latest []*svcapitypes.Tag,
+) (toAdd []*svcapitypes.Tag, toDelete []*svcapitypes.Tag) {
+
+	desiredTags := map[string]string{}
+	for _, tag := range desired {
+		desiredTags[*tag.Key] = *tag.Value
+	}
+
+	latestTags := map[string]string{}
+	for _, tag := range latest {
+		latestTags[*tag.Key] = *tag.Value
+	}
+
+	for _, tag := range desired {
+		val, ok := latestTags[*tag.Key]
+		if !ok || val != *tag.Value {
+			toAdd = append(toAdd, tag)
+		}
+	}
+
+	for _, tag := range latest {
+		_, ok := desiredTags[*tag.Key]
+		if !ok {
+			toDelete = append(toDelete, tag)
+		}
+	}
+
+	return toAdd, toDelete
+
+}
+
 // updateTagSpecificationsInCreateRequest adds
 // Tags defined in the Spec to CreateSecurityGroupInput.TagSpecification
 // and ensures the ResourceType is always set to 'security-group'
@@ -328,6 +427,12 @@ func (rm *resourceManager) customUpdateSecurityGroup(
 		}
 	}
 
+	if delta.DifferentAt("Spec.Tags") {
+		if err := rm.syncTags(ctx, desired, latest); err != nil {
+			return nil, err
+		}
+	}
+
 	return desired, nil
 }
 

pkg/resource/security_group/sdk.go

@@ -28,8 +28,30 @@ func (rm *resourceManager) new{{ $sgRuleRefName }}(
 	return res
 }
 
+{{/* Helper method for tag support */}}
+{{- range $specFieldName, $specField := $CRD.Config.Resources.SecurityGroup.Fields }}
+{{- if $specField.From }}
+{{- $operationName := $specField.From.Operation }}
+{{- $operation := (index $SDKAPI.API.Operations $operationName) -}}
+{{- range $securityGroupRefName, $securityGroupMemberRefs := $operation.InputRef.Shape.MemberRefs -}}
+{{- if eq $securityGroupRefName "Tags" }}
+{{- $securityGroupRef := $securityGroupMemberRefs.Shape.MemberRef }}
+{{- $securityGroupRefName = "Tag" }}
+
+func (rm *resourceManager) new{{ $securityGroupRefName }}(
+	    c svcapitypes.{{ $securityGroupRefName }},
+) *svcsdk.{{ $securityGroupRefName }} {
+	res := &svcsdk.{{ $securityGroupRefName }}{}
+{{ GoCodeSetSDKForStruct $CRD "" "res" $securityGroupRef "" "c" 1 }}
+	return res
+}
+
 {{- end }}
 
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

templates/hooks/security_group/sdk_file_end.go.tpl

@@ -5,4 +5,7 @@ metadata:
 spec:
   description: $SECURITY_GROUP_DESCRIPTION
   name: $SECURITY_GROUP_NAME
-  vpcID: $VPC_ID
+  vpcID: $VPC_ID
+  tags:
+    - key: $TAG_KEY
+      value: $TAG_VALUE

test/e2e/resources/security_group.yaml

@@ -14,6 +14,7 @@
 """Integration tests for the SecurityGroup API.
 """
 
+import resource
 import pytest
 import time
 import logging
@@ -29,6 +30,7 @@
 
 CREATE_WAIT_AFTER_SECONDS = 10
 DELETE_WAIT_AFTER_SECONDS = 10
+MODIFY_WAIT_AFTER_SECONDS = 5
 
 @pytest.fixture
 def simple_security_group(request):
@@ -47,6 +49,10 @@ def simple_security_group(request):
         if 'resource_file' in data:
             resource_file = data['resource_file']
             replacements.update(data)
+        if 'tag_key' in data:
+            replacements["TAG_KEY"] = data["tag_key"]
+        if 'tag_value' in data:
+            replacements["TAG_VALUE"] = data["tag_value"]
 
     # Load Security Group CR
     resource_data = load_ec2_resource(
@@ -186,4 +192,71 @@ def test_rules_create_update_delete(self, ec2_client, simple_security_group):
 
         # Check Security Group no longer exists in AWS
         # Deleting Security Group will also delete rules
+        ec2_validator.assert_security_group(resource_id, exists=False)
+    
+
+    @pytest.mark.resource_data({'tag_key': 'initialtagkey', 'tag_value': 'initialtagvalue'})
+    def test_crud_tags(self, ec2_client, simple_security_group):
+        (ref, cr) = simple_security_group
+        
+        resource = k8s.get_resource(ref)
+        resource_id = cr["status"]["id"]
+
+        time.sleep(CREATE_WAIT_AFTER_SECONDS)
+
+        # Check SecurityGroup exists in AWS
+        ec2_validator = EC2Validator(ec2_client)
+        ec2_validator.assert_security_group(resource_id)
+        
+        # Check tags exist for SecurityGroup resource
+        assert resource["spec"]["tags"][0]["key"] == "initialtagkey"
+        assert resource["spec"]["tags"][0]["value"] == "initialtagvalue"
+
+        # New pair of tags
+        new_tags = [
+                {
+                    "key": "updatedtagkey",
+                    "value": "updatedtagvalue",
+                }
+               
+            ]
+
+        # Patch the SecurityGroup, updating the tags with new pair
+        updates = {
+            "spec": {"tags": new_tags},
+        }
+
+        k8s.patch_custom_resource(ref, updates)
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+
+        # Check resource synced successfully
+        assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=5)
+        
+        # Assert tags are updated for SecurityGroup resource
+        resource = k8s.get_resource(ref)
+        assert resource["spec"]["tags"][0]["key"] == "updatedtagkey"
+        assert resource["spec"]["tags"][0]["value"] == "updatedtagvalue"
+
+        # Patch the SecurityGroup resource, deleting the tags
+        updates = {
+                "spec": {"tags": []},
+        }
+
+        k8s.patch_custom_resource(ref, updates)
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+
+        # Check resource synced successfully
+        assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=5)
+        
+        # Assert tags are deleted
+        resource = k8s.get_resource(ref)
+        assert len(resource['spec']['tags']) == 0
+
+        # Delete k8s resource
+        _, deleted = k8s.delete_custom_resource(ref)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check SecurityGroup no longer exists in AWS
         ec2_validator.assert_security_group(resource_id, exists=False)