Don't delete resources unless field managers match

[blampe]

This fixes the delete-after-create problem by reviving #2999 using field managers (as Eron suggested) instead of annotations to confirm ownership before deleting a resource.

If the resource was created with SSA, and we don't find the expected field manager, then we no-op instead of deleting the resource. The intended effect is to remove it from our state so the "upserted" manager can continue owning it.

This is technically a breaking change in behavior for some edge cases, but I think it is justified by the potential severity of our delete-after-create bug.

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[codecov]

Codecov Report

Attention: Patch coverage is 88.23529% with 2 lines in your changes missing coverage. Please review.

Project coverage is 41.12%. Comparing base (b0ab343) to head (c0839d3).

Files with missing lines	Patch %	Lines
provider/pkg/await/await.go	88.23%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3407      +/-   ##
==========================================
+ Coverage   41.08%   41.12%   +0.03%     
==========================================
  Files          87       87              
  Lines       12900    12917      +17     
==========================================
+ Hits         5300     5312      +12     
- Misses       7205     7208       +3     
- Partials      395      397       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[blampe]

As written this would also no-op in cases where the object was updated with CSA.

We can narrow this by also checking actualSSAManagers is non-empty, so we know the live object was at least touched by pulumi.

[EronWright]

Note that Helm uses labels to track ownership and to drive adoption.
helm/helm#7649

[EronWright]

What makes me uncomfortable is the idea that Pulumi being a field manager is evidence of ownership. Imagine that some other manager has taken over all but one field, say foo which Pulumi still manages. Should we still proceed to delete the resource?

Skipping deletion when there's other field managers would not work either, because the autoscaler that is controlling the replicas has no intention of owning the object.

I would advocate for adopting a Helm-like strategy of using ownership labels. The use of the standard managed-by label is quite interesting, because Pulumi and Helm would helpfully detect each other.

• https://micarlise.dev/adopt-existing-helm-resources/
• Adopt resources into release with correct instance and managed-by labels helm/helm#7649

Note that Helm recently added a flag called --take-ownership to skip the conflict check. I filed #3595 to track adding support to Release/v4.

• Add --take-ownership flag for install and upgrade commands helm/helm#13439

Interesting to note that Helm has special treatment of CRDs, e.g. they're never deleted. Consider doing the same:

• v5: consider orphaning CRDs on delete #3153

See also: #3000

@blampe are you alright with closing this PR?