CLOUDP-175080: Deletion protection for project resources (final) (#1100)

Author: helderjs

pkg/controller/atlasproject/atlasproject_controller.go

@@ -309,32 +309,32 @@ func (r *AtlasProjectReconciler) ensureProjectResources(ctx context.Context, wor
 	}
 	results = append(results, result)
 
-	if result = ensureMaintenanceWindow(workflowCtx, project.ID(), project); result.IsOk() {
+	if result = ensureMaintenanceWindow(ctx, workflowCtx, project, r.SubObjectDeletionProtection); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.MaintenanceWindowReadyType), "")
 	}
 	results = append(results, result)
 
-	if result = r.ensureEncryptionAtRest(workflowCtx, project.ID(), project); result.IsOk() {
+	if result = r.ensureEncryptionAtRest(ctx, workflowCtx, project, r.SubObjectDeletionProtection); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.EncryptionAtRestReadyType), "")
 	}
 	results = append(results, result)
 
-	if result = ensureAuditing(workflowCtx, project.ID(), project); result.IsOk() {
+	if result = ensureAuditing(ctx, workflowCtx, project, r.SubObjectDeletionProtection); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.AuditingReadyType), "")
 	}
 	results = append(results, result)
 
-	if result = ensureProjectSettings(workflowCtx, project.ID(), project); result.IsOk() {
+	if result = ensureProjectSettings(ctx, workflowCtx, project, r.SubObjectDeletionProtection); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.ProjectSettingsReadyType), "")
 	}
 	results = append(results, result)
 
-	if result = ensureCustomRoles(workflowCtx, project.ID(), project); result.IsOk() {
+	if result = ensureCustomRoles(ctx, workflowCtx, project, r.SubObjectDeletionProtection); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.ProjectCustomRolesReadyType), "")
 	}
 	results = append(results, result)
 
-	if result = r.ensureAssignedTeams(workflowCtx, project.ID(), project); result.IsOk() {
+	if result = r.ensureAssignedTeams(ctx, workflowCtx, project, r.SubObjectDeletionProtection); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.ProjectTeamsReadyType), "")
 	}
 	results = append(results, result)

pkg/controller/atlasproject/auditing.go

@@ -2,8 +2,12 @@ package atlasproject
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
 	"reflect"
 
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/customresource"
+
 	"go.mongodb.org/atlas/mongodbatlas"
 
 	v1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
@@ -12,19 +16,37 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/toptr"
 )
 
-func ensureAuditing(ctx *workflow.Context, projectID string, project *v1.AtlasProject) workflow.Result {
-	result := createOrDeleteAuditing(ctx, projectID, project)
+func ensureAuditing(ctx context.Context, workflowCtx *workflow.Context, project *v1.AtlasProject, protected bool) workflow.Result {
+	canReconcile, err := canAuditingReconcile(ctx, workflowCtx.Client, protected, project)
+	if err != nil {
+		result := workflow.Terminate(workflow.Internal, fmt.Sprintf("unable to resolve ownership for deletion protection: %s", err))
+		workflowCtx.SetConditionFromResult(status.AuditingReadyType, result)
+
+		return result
+	}
+
+	if !canReconcile {
+		result := workflow.Terminate(
+			workflow.AtlasDeletionProtection,
+			"unable to reconcile Auditing due to deletion protection being enabled. see https://dochub.mongodb.org/core/ako-deletion-protection for further information",
+		)
+		workflowCtx.SetConditionFromResult(status.AuditingReadyType, result)
+
+		return result
+	}
+
+	result := createOrDeleteAuditing(workflowCtx, project.ID(), project)
 	if !result.IsOk() {
-		ctx.SetConditionFromResult(status.AuditingReadyType, result)
+		workflowCtx.SetConditionFromResult(status.AuditingReadyType, result)
 		return result
 	}
 
 	if isAuditingEmpty(project.Spec.Auditing) {
-		ctx.UnsetCondition(status.AuditingReadyType)
+		workflowCtx.UnsetCondition(status.AuditingReadyType)
 		return workflow.OK()
 	}
 
-	ctx.SetConditionTrue(status.AuditingReadyType)
+	workflowCtx.SetConditionTrue(status.AuditingReadyType)
 	return workflow.OK()
 }
 
@@ -59,12 +81,24 @@ func auditingInSync(atlas *mongodbatlas.Auditing, spec *v1.Auditing) bool {
 		return true
 	}
 
-	if isAuditingEmpty(atlas) || isAuditingEmpty(spec) {
-		return false
+	specAsAtlas := &mongodbatlas.Auditing{
+		AuditAuthorizationSuccess: toptr.MakePtr(false),
+		Enabled:                   toptr.MakePtr(false),
+	}
+
+	if !isAuditingEmpty(spec) {
+		specAsAtlas = spec.ToAtlas()
+	}
+
+	if isAuditingEmpty(atlas) {
+		atlas = &mongodbatlas.Auditing{
+			AuditAuthorizationSuccess: toptr.MakePtr(false),
+			Enabled:                   toptr.MakePtr(false),
+		}
 	}
 
-	specAsAtlas := spec.ToAtlas()
 	removeConfigurationType(atlas)
+
 	return reflect.DeepEqual(atlas, specAsAtlas)
 }
 
@@ -85,3 +119,29 @@ func patchAuditing(ctx *workflow.Context, projectID string, auditing *mongodbatl
 	_, _, err := ctx.Client.Auditing.Configure(context.Background(), projectID, auditing)
 	return err
 }
+
+func canAuditingReconcile(ctx context.Context, atlasClient mongodbatlas.Client, protected bool, akoProject *v1.AtlasProject) (bool, error) {
+	if !protected {
+		return true, nil
+	}
+
+	latestConfig := &v1.AtlasProjectSpec{}
+	latestConfigString, ok := akoProject.Annotations[customresource.AnnotationLastAppliedConfiguration]
+	if ok {
+		if err := json.Unmarshal([]byte(latestConfigString), latestConfig); err != nil {
+			return false, err
+		}
+	}
+
+	auditing, _, err := atlasClient.Auditing.Get(ctx, akoProject.ID())
+	if err != nil {
+		return false, err
+	}
+
+	if isAuditingEmpty(auditing) {
+		return true, nil
+	}
+
+	return auditingInSync(auditing, latestConfig.Auditing) ||
+		auditingInSync(auditing, akoProject.Spec.Auditing), nil
+}