feat(runtime): add drift detection for cross-region and cross-account resources

Adds protection against attempting to manage AWS resources that exist in a
different region or account than the controller is configured to use. This
prevents accidental resource hijacking and provides clear error messages.

- Add `regionDrifted()` and `accountDrifted()` helper functions
- Check for drift before creating resource manager in Reconcile
- Return terminal errors when drift is detected
- Add comprehensive tests for both region and account drift scenarios

Author: a-hilaly

pkg/runtime/reconciler.go

@@ -236,29 +236,6 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	// helpful message to the user.
 	acctID, needCARMLookup := r.getOwnerAccountID(desired)
 
-	var roleARN ackv1alpha1.AWSResourceName
-	if teamID := r.getTeamID(desired); teamID != "" && r.cfg.FeatureGates.IsEnabled(featuregate.TeamLevelCARM) {
-		// The user is specifying a namespace that is annotated with a team ID.
-		// Requeue if the corresponding roleARN is not available in the Teams configmap.
-		// Additionally, set the account ID to the role's account ID.
-		roleARN, err = r.getRoleARN(string(teamID), ackrtcache.ACKRoleTeamMap)
-		if err != nil {
-			return r.handleCacheError(ctx, err, desired)
-		}
-		parsedARN, err := arn.Parse(string(roleARN))
-		if err != nil {
-			return ctrlrt.Result{}, fmt.Errorf("parsing role ARN %q from %q configmap: %v", roleARN, ackrtcache.ACKRoleTeamMap, err)
-		}
-		acctID = ackv1alpha1.AWSAccountID(parsedARN.AccountID)
-	} else if needCARMLookup {
-		// The user is specifying a namespace that is annotated with an owner account ID.
-		// Requeue if the corresponding roleARN is not available in the Accounts configmap.
-		roleARN, err = r.getRoleARN(string(acctID), ackrtcache.ACKRoleAccountMap)
-		if err != nil {
-			return r.handleCacheError(ctx, err, desired)
-		}
-	}
-
 	region := r.getRegion(desired)
 	endpointURL := r.getEndpointURL(desired)
 	gvk := r.rd.GroupVersionKind()
@@ -269,7 +246,7 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	if regionDrifted(desired, region) {
 		msg := fmt.Sprintf(
 			"Resource already exists in region %s, but the desired state specifies region %s. ",
-			*desired.Identifiers().Region(), region,
+			region, desired.MetaObject().GetAnnotations()[ackv1alpha1.AnnotationRegion],
 		)
 		rlog.Info(
 			msg,
@@ -295,6 +272,30 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 		return ctrlrt.Result{}, ackerr.NewTerminalError(errors.New(msg))
 	}
 
+	var roleARN ackv1alpha1.AWSResourceName
+	if teamID := r.getTeamID(desired); teamID != "" && r.cfg.FeatureGates.IsEnabled(featuregate.TeamLevelCARM) {
+		// The user is specifying a namespace that is annotated with a team ID.
+		// Requeue if the corresponding roleARN is not available in the Teams configmap.
+		// Additionally, set the account ID to the role's account ID.
+		roleARN, err = r.getRoleARN(string(teamID), ackrtcache.ACKRoleTeamMap)
+		if err != nil {
+			return r.handleCacheError(ctx, err, desired)
+		}
+		parsedARN, err := arn.Parse(string(roleARN))
+		if err != nil {
+			return ctrlrt.Result{}, fmt.Errorf("parsing role ARN %q from %q configmap: %v", roleARN, ackrtcache.ACKRoleTeamMap, err)
+		}
+		acctID = ackv1alpha1.AWSAccountID(parsedARN.AccountID)
+	} else if needCARMLookup {
+		// The user is specifying a namespace that is annotated with an owner account ID.
+		// Requeue if the corresponding roleARN is not available in the Accounts configmap.
+		roleARN, err = r.getRoleARN(string(acctID), ackrtcache.ACKRoleAccountMap)
+		if err != nil {
+			fmt.Println("test", roleARN, err)
+			return r.handleCacheError(ctx, err, desired)
+		}
+	}
+
 	// The config pivot to the roleARN will happen if it is not empty.
 	// in the NewResourceManager
 	clientConfig, err := r.sc.NewAWSConfig(ctx, region, &endpointURL, roleARN, gvk)
@@ -319,10 +320,7 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 }
 
 func regionDrifted(desired acktypes.AWSResource, targetRegion ackv1alpha1.AWSRegion) bool {
-	if desired.Identifiers().Region() == nil {
-		return false
-	}
-	return *desired.Identifiers().Region() != targetRegion
+	return desired.MetaObject().GetAnnotations()[ackv1alpha1.AnnotationRegion] != string(targetRegion)
 }
 
 func accountDrifted(desired acktypes.AWSResource, targetAccountID ackv1alpha1.AWSAccountID) bool {
@@ -1458,6 +1456,11 @@ func getResyncPeriod(rmf acktypes.AWSResourceManagerFactory, cfg ackcfg.Config)
 	return defaultResyncPeriod
 }
 
+// GetCaches returns the extra caches maintained by the ACK runtime
+func (r *resourceReconciler) GetCaches() ackrtcache.Caches {
+	return r.cache
+}
+
 // NewReconciler returns a new reconciler object
 func NewReconciler(
 	sc acktypes.ServiceController,