fix: remove global var for System tags, pass systemTags from runtime

michaelhtm · michaelhtm · commit 5452297d9493 · 2025-11-22T21:43:10.000-08:00
This change ensures the system tags ignored are passed by runtime,
instead of hardcoding a specific value.
diff --git a/templates/pkg/resource/manager.go.tpl b/templates/pkg/resource/manager.go.tpl
@@ -312,13 +312,26 @@ func (rm *resourceManager) EnsureTags(
 {{- end }}
 }
 
-// FilterAWSTags ignores tags that have keys that start with "aws:"
-// is needed to ensure the controller does not attempt to remove
-// tags set by AWS. This function needs to be called after each Read
-// operation.
-// Eg. resources created with cloudformation have tags that cannot be
-//removed by an ACK controller
-func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource) {
+// FilterSystemTags removes system-managed tags from the resource's tag collection
+// to prevent the controller from attempting to manage them. This includes:
+//   - Tags with keys starting with "aws:" (AWS-managed system tags)
+//   - Tags specified via the --resource-tags startup flag (controller-level tags)
+//   - Tags injected by AWS services (e.g., CloudFormation, EKS, etc.)
+//
+// This filtering is essential because:
+//   1. AWS services automatically add system tags that cannot be modified by users
+//   2. Attempting to remove these tags would result in API errors
+//   3. The controller should only manage user-defined tags, not system tags
+//
+// Must be called after each Read operation to ensure the resource state
+// reflects only manageable tags. This prevents unnecessary update attempts
+// and maintains consistency between desired and actual resource state.
+//
+// Example system tags that are filtered:
+//   - aws:cloudformation:stack-name (CloudFormation)
+//   - aws:eks:cluster-name (EKS)
+//   - services.k8s.aws/* (Kubernetes-managed)
+func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource, systemTags []string) {
 {{- if $hookCode := Hook .CRD "filter_tags" }}
 {{ $hookCode }}
 {{ else }}
@@ -342,7 +355,7 @@ func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource) {
 {{ end -}}
     existingTags = r.ko.Spec.{{ $tagField.Path }}
 	resourceTags, tagKeyOrder := convertToOrderedACKTags(existingTags)
-	ignoreSystemTags(resourceTags)
+	ignoreSystemTags(resourceTags, systemTags)
 {{ GoCodeInitializeNestedStructField .CRD "r.ko" $tagField "svcapitypes" 1 -}}
 	r.ko.Spec.{{ $tagField.Path }} = fromACKTags(resourceTags, tagKeyOrder)
 {{- end }}
diff --git a/templates/pkg/resource/tags.go.tpl b/templates/pkg/resource/tags.go.tpl
@@ -11,7 +11,6 @@ import(
 var (
 	_ = svcapitypes.{{ .CRD.Kind }}{}
 	_ = acktags.NewTags()
-    ACKSystemTags = []string{"services.k8s.aws/namespace", "services.k8s.aws/controller-version"}
 )
 
 {{- if $hookCode := Hook .CRD "convert_tags" }}
@@ -59,13 +58,14 @@ func fromACKTags(tags acktags.Tags, keyOrder []string) {{ $tagFieldGoType }} {
 {{ end }}
 
 // ignoreSystemTags ignores tags that have keys that start with "aws:"
-// and ACKSystemTags, to avoid patching them to the resourceSpec.
+// and systemTags defined on startup via the --resource-tags flag,
+// to avoid patching them to the resourceSpec.
 // Eg. resources created with cloudformation have tags that cannot be
 // removed by an ACK controller
-func ignoreSystemTags(tags acktags.Tags) {
+func ignoreSystemTags(tags acktags.Tags, systemTags []string) {
 	for k := range tags {
 		if strings.HasPrefix(k, "aws:") ||
-			slices.Contains(ACKSystemTags, k) {
+			slices.Contains(systemTags, k) {
 			delete(tags, k)
 		}
 	}
