feat(rds): add tag ignore prefix support

ridik-il · ridik-il · commit 978056a9549b · 2026-01-05T10:16:29.000+01:00
- Adds TagIgnorePrefixes to DBInstance spec
- Filters out tags with ignored prefixes from diff logic
- Adds unit test coverage
- Builds on top of read replica support

Signed-off-by: Riyad Ilyasov &lt;ilyasov.2003@gmail.com&gt;
Signed-off-by: Riyad Ilyasov &lt;riyad.ilyasov@swisscom.com&gt;
diff --git a/apis/rds/v1alpha1/custom_types.go b/apis/rds/v1alpha1/custom_types.go
@@ -807,6 +807,14 @@ type CustomDBInstanceParameters struct {
 	// deleted.
 	// +optional
 	DeleteAutomatedBackups *bool `json:"deleteAutomatedBackups,omitempty"`
+
+	// TagsIgnore contains rules that tell the reconciler to pretend matching
+	// tags don't exist during diff/updates. A rule key supports either exact
+	// match (e.g. "c7n:policy") or a simple prefix glob using a trailing *
+	// (e.g. "c7n:*" or "prefix*"). In all cases tags starting with the
+	// prefix "aws:" are always ignored (implicit rule "aws:*").
+	// +optional
+	TagsIgnore []TagIgnoreRule `json:"tagsIgnore,omitempty"`
 }
 
 // CustomDBInstanceObservation includes the custom status fields of DBInstance.
@@ -816,6 +824,19 @@ type CustomDBInstanceObservation struct {
 
 	// The database role may be Standalone, Primary or Replica.
 	DatabaseRole *string `json:"databaseRole,omitempty"`
+
+	// ObservedTags exposes the full, unfiltered set of external tags returned
+	// by AWS for observability. These are never used for diffing directly.
+	// +optional
+	ObservedTags []*Tag `json:"observedTags,omitempty"`
+}
+
+// TagIgnoreRule defines a single rule for ignoring a tag during diffing.
+// The Key may be an exact tag key or a prefix pattern that ends with *.
+type TagIgnoreRule struct {
+	// Key of the ignore rule. Supports exact key match or prefix* glob.
+	// +kubebuilder:validation:Required
+	Key string `json:"key"`
 }
 
 // CustomDBInstanceRoleAssociationParameters are custom parameters for the DBInstanceRoleAssociation
diff --git a/apis/rds/v1alpha1/zz_generated.deepcopy.go b/apis/rds/v1alpha1/zz_generated.deepcopy.go
diff --git a/package/crds/rds.aws.crossplane.io_dbinstances.yaml b/package/crds/rds.aws.crossplane.io_dbinstances.yaml
@@ -1980,6 +1980,26 @@ spec:
                           type: string
                       type: object
                     type: array
+                  tagsIgnore:
+                    description: |-
+                      TagsIgnore contains rules that tell the reconciler to pretend matching
+                      tags don't exist during diff/updates. A rule key supports either exact
+                      match (e.g. "c7n:policy") or a simple prefix glob using a trailing *
+                      (e.g. "c7n:*" or "prefix*"). In all cases tags starting with the
+                      prefix "aws:" are always ignored (implicit rule "aws:*").
+                    items:
+                      description: |-
+                        TagIgnoreRule defines a single rule for ignoring a tag during diffing.
+                        The Key may be an exact tag key or a prefix pattern that ends with *.
+                      properties:
+                        key:
+                          description: Key of the ignore rule. Supports exact key
+                            match or prefix* glob.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
                   tdeCredentialARN:
                     description: |-
                       The ARN from the key store with which to associate the instance for TDE encryption.
@@ -2595,6 +2615,18 @@ spec:
                       secretStatus:
                         type: string
                     type: object
+                  observedTags:
+                    description: |-
+                      ObservedTags exposes the full, unfiltered set of external tags returned
+                      by AWS for observability. These are never used for diffing directly.
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        value:
+                          type: string
+                      type: object
+                    type: array
                   optionGroupMemberships:
                     description: The list of option group memberships for this DB
                       instance.
diff --git a/pkg/controller/rds/dbinstance/setup.go b/pkg/controller/rds/dbinstance/setup.go
@@ -614,9 +614,29 @@ func (s *shared) isUpToDate(ctx context.Context, cr *svcapitypes.DBInstance, out
 		cmpopts.IgnoreFields(svcapitypes.CustomDBInstanceParameters{},
 			"SourceDBClusterID", "SourceDBClusterIDRef", "SourceDBClusterIDSelector",
 			"SourceDBInstanceID", "SourceDBInstanceIDRef", "SourceDBInstanceIDSelector"),
+		cmpopts.IgnoreFields(svcapitypes.CustomDBInstanceParameters{}, "TagsIgnore"),
 	)
 
-	s.cache.addTags, s.cache.removeTags = utils.DiffTags(cr.Spec.ForProvider.Tags, db.TagList)
+	// Build ignore rules: implicit aws:* + user supplied rules
+	ignore := []string{"aws:*"}
+	for _, r := range cr.Spec.ForProvider.TagsIgnore {
+		ignore = append(ignore, r.Key)
+	}
+	// Reset observed tags slice to avoid accumulation across reconciles
+	cr.Status.AtProvider.ObservedTags = nil
+	var observedTags []*svcsdk.Tag
+	if db.TagList != nil {
+		for _, tag := range db.TagList { // index discarded with _
+			// Capture all tags for observability
+			cr.Status.AtProvider.ObservedTags = append(cr.Status.AtProvider.ObservedTags, &svcapitypes.Tag{Key: tag.Key, Value: tag.Value})
+			// Filter only for diff purposes
+			if utils.ShouldIgnore(pointer.StringValue(tag.Key), ignore) {
+				continue
+			}
+			observedTags = append(observedTags, &svcsdk.Tag{Key: tag.Key, Value: tag.Value})
+		}
+	}
+	s.cache.addTags, s.cache.removeTags = utils.DiffTags(cr.Spec.ForProvider.Tags, observedTags)
 	tagsChanged := len(s.cache.addTags) != 0 || len(s.cache.removeTags) != 0
 
 	if diff == "" && !maintenanceWindowChanged && !backupWindowChanged && !iopsChanged && !storageThroughputChanged && !versionChanged && !vpcSGsChanged && !dbParameterGroupChanged && !optionGroupChanged && !tagsChanged {
diff --git a/pkg/controller/rds/dbinstance/setup_test.go b/pkg/controller/rds/dbinstance/setup_test.go
@@ -209,6 +209,116 @@ func TestIsUpToDate(t *testing.T) {
 				},
 			},
 		},
+		"Ignores Tags with TagsIgnore prefix*": {
+			args: args{
+				cr: &svcapitypes.DBInstance{
+					Spec: svcapitypes.DBInstanceSpec{
+						ForProvider: svcapitypes.DBInstanceParameters{
+							CustomDBInstanceParameters: svcapitypes.CustomDBInstanceParameters{
+								TagsIgnore: []svcapitypes.TagIgnoreRule{{Key: "aws:*"}, {Key: "c7n:*"}},
+							},
+							Tags: []*svcapitypes.Tag{
+								{Key: aws.String("env"), Value: aws.String("prod")},
+							},
+							DeletionProtection: aws.Bool(true),
+						},
+					},
+				},
+				out: &svcsdk.DescribeDBInstancesOutput{
+					DBInstances: []*svcsdk.DBInstance{
+						{
+							DeletionProtection: aws.Bool(true),
+							TagList: []*svcsdk.Tag{
+								{Key: aws.String("aws:createdBy"), Value: aws.String("terraform")},
+								{Key: aws.String("c7n:policy"), Value: aws.String("auto")},
+								{Key: aws.String("env"), Value: aws.String("prod")},
+							},
+						},
+					},
+				},
+				kube: test.NewMockClient(),
+			},
+			want: want{
+				upToDate: true,
+				err:      nil,
+				statusAtProvider: &svcapitypes.CustomDBInstanceObservation{
+					DatabaseRole: aws.String(databaseRoleStandalone),
+				},
+			},
+		},
+		"Ignores Tags with TagsIgnore exact": {
+			args: args{
+				cr: &svcapitypes.DBInstance{
+					Spec: svcapitypes.DBInstanceSpec{
+						ForProvider: svcapitypes.DBInstanceParameters{
+							CustomDBInstanceParameters: svcapitypes.CustomDBInstanceParameters{
+								TagsIgnore: []svcapitypes.TagIgnoreRule{{Key: "aws:*"}, {Key: "c7n:policy"}},
+							},
+							Tags: []*svcapitypes.Tag{
+								{Key: aws.String("env"), Value: aws.String("prod")},
+							},
+							DeletionProtection: aws.Bool(true),
+						},
+					},
+				},
+				out: &svcsdk.DescribeDBInstancesOutput{
+					DBInstances: []*svcsdk.DBInstance{
+						{
+							DeletionProtection: aws.Bool(true),
+							TagList: []*svcsdk.Tag{
+								{Key: aws.String("aws:createdBy"), Value: aws.String("terraform")},
+								{Key: aws.String("c7n:policy"), Value: aws.String("auto")},
+								{Key: aws.String("c7n:other"), Value: aws.String("x")},
+								{Key: aws.String("env"), Value: aws.String("prod")},
+							},
+						},
+					},
+				},
+				kube: test.NewMockClient(),
+			},
+			want: want{
+				upToDate: false, // c7n:other should be removed since not ignored and not in spec
+				err:      nil,
+				statusAtProvider: &svcapitypes.CustomDBInstanceObservation{
+					DatabaseRole: aws.String(databaseRoleStandalone),
+				},
+			},
+		},
+		"DoesNotIgnoreAllWithStarOnlyRule": {
+			args: args{
+				cr: &svcapitypes.DBInstance{
+					Spec: svcapitypes.DBInstanceSpec{
+						ForProvider: svcapitypes.DBInstanceParameters{
+							CustomDBInstanceParameters: svcapitypes.CustomDBInstanceParameters{
+								// User attempts to ignore all tags with a single "*" rule; guard should prevent this.
+								TagsIgnore: []svcapitypes.TagIgnoreRule{{Key: "*"}},
+							},
+							// Desired spec has no tags.
+							Tags:               []*svcapitypes.Tag{},
+							DeletionProtection: aws.Bool(true),
+						},
+					},
+				},
+				out: &svcsdk.DescribeDBInstancesOutput{
+					DBInstances: []*svcsdk.DBInstance{
+						{
+							DeletionProtection: aws.Bool(true),
+							TagList: []*svcsdk.Tag{
+								{Key: aws.String("env"), Value: aws.String("prod")}, // Should not be ignored; will cause diff
+							},
+						},
+					},
+				},
+				kube: test.NewMockClient(),
+			},
+			want: want{
+				upToDate: false, // env tag should be scheduled for removal
+				err:      nil,
+				statusAtProvider: &svcapitypes.CustomDBInstanceObservation{
+					DatabaseRole: aws.String(databaseRoleStandalone),
+				},
+			},
+		},
 	}
 
 	for name, tc := range cases {
diff --git a/pkg/controller/rds/utils/tags.go b/pkg/controller/rds/utils/tags.go
@@ -19,6 +19,7 @@ package utils
 import (
 	"context"
 	"sort"
+	"strings"
 
 	svcsdk "github.com/aws/aws-sdk-go/service/rds"
 	"github.com/aws/aws-sdk-go/service/rds/rdsiface"
@@ -35,6 +36,33 @@ const (
 	errCreateTags          = "cannot create tags"
 )
 
+// ShouldIgnore returns true if key matches any supplied rule. A rule may be:
+//   - exact key match (e.g. "c7n:policy")
+//   - prefix* glob where * is only allowed as the last character (e.g. "c7n:*" or "prefix*")
+//
+// No other wildcard forms are supported.
+func ShouldIgnore(key string, rules []string) bool { // intentionally simple, no regex
+	for _, r := range rules {
+		if r == "" { // skip empty
+			continue
+		}
+		if strings.HasSuffix(r, "*") {
+			prefix := strings.TrimSuffix(r, "*")
+			if prefix == "" { // guard against blanket "*" wildcard
+				continue
+			}
+			if strings.HasPrefix(key, prefix) {
+				return true
+			}
+			continue
+		}
+		if key == r { // exact
+			return true
+		}
+	}
+	return false
+}
+
 // AreTagsUpToDate for spec and resourceName
 func AreTagsUpToDate(ctx context.Context, client rdsiface.RDSAPI, spec []*svcapitypes.Tag, resourceName *string) (bool, []*svcsdk.Tag, []*string, error) {
 	current, err := ListTagsForResource(ctx, client, resourceName)
