Apply user defined tags in AWS - CCO - minted users

See CCO-77 and OCPPLAN-6006

Only need to apply for new IAM users.

Needs to be applied at create time, and not separately afterwards. Check if can be done at create time on roles and users.

However because we already have code that reconciles, we may as well keep it.

After further discussions (hat tip dhellman@redhat.com ), we're going to go the route of constant reconciliation of tags. But it will be implemented in a way that allows users to add their own tags outside of the cluster without CCO stomping over those externally set tags.

To be clear, this means if tagA=valueA was applied, then the user externally set tagA=valueB, CCO will revert back to tagA=valueA. But the user is free to set tagZ=valueZ, and CCO will leave tagZ alone.

For posterity, the proposed flow will look something like this:

Extend the CredentialsRequest status to hold desiredTags and lastAppliedTags.

if desiredTags != lastAppliedTags {

    applyErr := applyTags()

    if applyErr != nil {

        updateErr := updateLastAppliedTags()

        if updateErr != nil {

                        return updateErr

                   }

    return applyErr // always return here so we can re-reconcile after a successful lastApplliedTags update

}

 

if clusterWideTags != desiredTags {

     err := updateDesiredTags()

     return err

}

This flow should allow CCO to not leak tags in the even that tags are applied, but CCO fails to save the lastApplliedTags status. Then on re-reconcile (because of the failed status update), the clusterWideTag list changes, and CCO potentially leaks a tag.

It is possible that the cluster will not allow changes to the clusterwideTagList, but by implementing things this way, if the clusterwideTagList becomes/is editable, CCO can accommodate that change in behavior w/o any code changes.