fix(secretsmanager-secret): filter aws managed secrets

Author: ekristen

resources/secretsmanager-secret.go

@@ -2,6 +2,8 @@ package resources
 
 import (
 	"context"
+	"errors"
+	"regexp"
 	"strings"
 
 	"github.com/gotidy/ptr"
@@ -19,6 +21,9 @@ import (
 
 const SecretsManagerSecretResource = "SecretsManagerSecret"
 
+var managedRegex = regexp.MustCompile("^([a-z-]+)!.*$")
+var errAWSManaged = errors.New("cannot delete AWS managed secret")
+
 func init() {
 	registry.Register(&registry.Registration{
 		Name:   SecretsManagerSecretResource,
@@ -128,6 +133,20 @@ func (r *SecretsManagerSecret) Remove(_ context.Context) error {
 	return err
 }
 
+func (r *SecretsManagerSecret) Filter() error {
+	if managedRegex.MatchString(*r.Name) {
+		return errAWSManaged
+	}
+
+	for _, tag := range r.tags {
+		if *tag.Key == "aws:secretsmanager:owningService" {
+			return errAWSManaged
+		}
+	}
+
+	return nil
+}
+
 func (r *SecretsManagerSecret) Properties() types.Properties {
 	properties := types.NewProperties()
 	properties.Set("PrimaryRegion", r.PrimaryRegion)