aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0
2.42k stars 255 forks

Implement a validating admission webhook to deny deletion that would be refused by AWS API #2003

Open vflaux opened 9 months ago

vflaux commented 9 months ago

Is your feature request related to a problem?

Some AWS resources cannot be deleted when they are linked to others (security groups) or when they are protected against deletion (RDS DB instances). When such a resource is managed by ACK and the k8s resource is deleted, deletion is delayed because the AWS API refuses deletion.

It is impossible to undo the deletion of the k8s resource, and at this point no changes can be made to the resource. When the dependency or deletion protection is removed, the resource is then deleted at the next reconcile, as expected. But if you need to edit the resource or cancel the deletion, you have to manually remove the finalizer and re-adopt the resource.

For resources with deletion protection, if you really want to delete the resource but you simply forgot to disable the protection, you can still disable it with the API or the console, or re-adopt the resource. But that's not very practical.

Describe the solution you'd like

Implement a validating admission webhook that denies the k8s resource deletion when the AWS resource cannot be deleted. Maybe using dry-run calls to the AWS API, or simply by checking the status of the resource?
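A sketch of the "check the resource" variant of the deny path described above, as an added example that is not ACK code. It assumes the ACK RDS DBInstance spec carries a `deletionProtection` field mirroring the RDS flag, decodes only a hand-written subset of the AdmissionReview v1 schema, and inspects the stored object rather than making a dry-run AWS call.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Hand-written subset of the admission.k8s.io/v1 AdmissionReview request (no k8s.io/api needed).
type admissionReview struct {
	Request *struct {
		UID       string          `json:"uid"`
		Operation string          `json:"operation"`
		OldObject json.RawMessage `json:"oldObject"` // the object being deleted, as stored
	} `json:"request"`
}
// Decide denies only a DELETE of a DBInstance that still has spec.deletionProtection=true,
// the case RDS would refuse anyway; every other operation is admitted unchanged.
func Decide(op string, oldObject []byte) (allowed bool, reason string) {
	if op != "DELETE" {
		return true, ""
	}
	// Only the slice of an ACK DBInstance we need; the field name is assumed to mirror RDS.
	var db struct {
		Spec struct{ DeletionProtection *bool `json:"deletionProtection"` } `json:"spec"`
	}
	if err := json.Unmarshal(oldObject, &db); err != nil {
		return false, "cannot decode object under deletion: " + err.Error()
	}
	if db.Spec.DeletionProtection != nil && *db.Spec.DeletionProtection {
		return false, "spec.deletionProtection is true: RDS would refuse the delete, clear the flag first"
	}
	return true, ""
}
// Review builds the v1 reply the API server expects: request uid echoed, allowed=false plus a
// 403 status carrying the reason when the deletion is denied (kubectl shows that message).
func Review(body []byte) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (%v)", err)
	}
	allowed, reason := Decide(ar.Request.Operation, ar.Request.OldObject)
	resp := map[string]any{"uid": ar.Request.UID, "allowed": allowed}
	if !allowed {
		resp["status"] = map[string]any{"code": 403, "message": reason}
	}
	return json.Marshal(map[string]any{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}
func main() { // constructed sample: a DELETE of a DBInstance that still has deletionProtection set
	out, err := Review([]byte(`{"request":{"uid":"u1","operation":"DELETE","oldObject":{"spec":{"deletionProtection":true}}}}`))
	fmt.Println(string(out), err)
}
```

A real deployment would serve `Review` over TLS behind a ValidatingWebhookConfiguration scoped to the DELETE operation of the DBInstance resource; a dry-run call to the AWS API would replace the spec check for resources whose blockers are not visible in the stored object.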

a-hilaly commented 9 months ago

@vflaux I've been thinking about this for a bit.. and it sounds quite complex, not from an implementation point of view but we will have to express the dependency order between every single possible combination of resources, manually (probably write Go). And AWS doesn't provide any sort of schema that we can parse and generate ValidatingWebhooks for controllers...

However on the other hand, we're thinking about bringing CEL to ACK runtime and allowing developers to write CEL expressions against specific controllers and resources. We slowly but surely can add more and more validation for specific kinds of events/resources.. just by tweaking the code-generator.

ack-bot commented 3 months ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale