@RedbackThomson
Contributor

Fixes aws-controllers-k8s/community#1124

Description of changes:
Adds custom hook code to support the TagPolicy and UntagPolicy SDK methods for adding, updating and deleting tags on the Policy custom resource.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Contributor

@vijtrip2 vijtrip2 left a comment

Looks great! 🚀


nit: For the modify tags test, can you also add another new key and also delete an existing key? : )

@RedbackThomson
Contributor Author

RedbackThomson commented Feb 2, 2022

nit: For the modify tags test, can you also add another new key and also delete an existing key? : )

The first patch deletes the tag1 key and adds the tag2 key. I can add a test to further update the existing tag2 key.

Collaborator

@jaypipes jaypipes left a comment

appreciate you picking up my slack, @RedbackThomson. thank you sir!

@jaypipes
Collaborator

jaypipes commented Feb 2, 2022

/test iam-kind-e2e

@jaypipes
Collaborator

jaypipes commented Feb 2, 2022

@RedbackThomson looks like the test failure is legit:

        updates = {
            "spec": {"tags": new_tags},
        }
        k8s.patch_custom_resource(ref, updates)
        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
    
        latest_tags = policy.get_tags(policy_arn)
>       assert latest_tags == new_tags
E       AssertionError: assert [] == [{'key': 'tag...lue': 'val3'}]
E         Right contains one more item: {'key': 'tag2', 'value': 'val3'}
E         Full diff:
E         - [{'key': 'tag2', 'value': 'val3'}]
E         + []

tests/test_policy.py:111: AssertionError

sdk_update_post_set_output:
template_path: hooks/policy/sdk_update_post_set_output.go.tpl
update_operation:
custom_method_name: customUpdatePolicy
Collaborator

@jaypipes jaypipes Feb 2, 2022

I just noticed something... I see you've added a custom_method_name configuration option to the generator.yaml file for the Policy resource (unlike the Role resource, which uses the sdk_update_post_set_output generic hook point).

I prefer to use the generic hook points instead of creating a custom update method. Can you change that?

LATER...

Never mind, @RedbackThomson, I realized now that you had to use a custom update method because there isn't an actual UpdatePolicy API call...

Contributor Author

Never mind, @RedbackThomson, I realized now that you had to use a custom update method because there isn't an actual UpdatePolicy API call...

Yeah this is a non-obvious configuration problem you have when trying to use hooks. I'll remove the hook point, though. Good call.

Comment on lines 79 to 95
if len(toAdd) > 0 {
for _, t := range toAdd {
rlog.Debug("adding tag to policy", "key", *t.Key, "value", *t.Value)
}
if err = rm.addTags(ctx, r, toAdd); err != nil {
return err
}
}

if len(toDelete) > 0 {
for _, t := range toDelete {
rlog.Debug("removing tag from policy", "key", *t.Key, "value", *t.Value)
}
if err = rm.removeTags(ctx, r, toDelete); err != nil {
return err
}
}
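
Review bot: both debug loops dereference *t.Key and *t.Value without a nil check, so a tag in toAdd or toDelete that has a nil Key or Value would panic here, before addTags or removeTags is reached. Consider rejecting or skipping such entries first, or logging the fields through a nil-safe accessor instead of dereferencing them directly.
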
Collaborator

@RedbackThomson so I'm wondering if the fact that we are doing the deletes AFTER the adds here is the cause of the test failure. When a Tag's value only is changed, the Tag will be in both the toAdd (the updated Tag k/v) and toDelete (the original Tag k/v) collections. I'm wondering if the RemoveTags API call only looks at the Tag key? If that is the case, the call to RemoveTag will end up removing the Tag erroneously. An easy way of checking if my hypothesis is correct would be to simply change the order above and do the removeTags call before the addTags call.

Contributor Author

I think you're right, yeah. You should be able to use TagPolicy to update any tag, just by giving it an existing key with a new value. But for the sake of staying consistent with your hooks on Role, I'll just switch the order for now and make it do a delete then add.

I did test updating values in my manual testing and didn't see an issue, but I think combining an update with a delete might be the condition that is causing this problem here.
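
The ordering hypothesis from the review comment above, as an added example that is not part of the pull request or the controller's code: an in-memory map stands in for the policy's tags, on the assumption that tagging upserts by key and untagging removes by key only. The names Tag, missing and applyTags and the starting value val2 are constructed for illustration.

```go
package main

import "fmt"

// Tag is a constructed stand-in for the controller's tag type.
type Tag struct{ Key, Value string }

// missing returns the tags in a with no identical key/value pair in b, so a
// value-only change lands in both toAdd and toDelete, as the thread describes.
func missing(a, b []Tag) (out []Tag) {
	in := map[Tag]bool{}
	for _, t := range b {
		in[t] = true
	}
	for _, t := range a {
		if !in[t] {
			out = append(out, t)
		}
	}
	return out
}

// applyTags replays the delta on an in-memory tag set (assumption: tagging
// upserts by key, untagging removes by key only and ignores the value).
func applyTags(latest, desired []Tag, deleteFirst bool) map[string]string {
	tags := map[string]string{}
	for _, t := range latest {
		tags[t.Key] = t.Value
	}
	toAdd, toDelete := missing(desired, latest), missing(latest, desired)
	if deleteFirst {
		for _, t := range toDelete {
			delete(tags, t.Key)
		}
	}
	for _, t := range toAdd {
		tags[t.Key] = t.Value
	}
	if !deleteFirst {
		for _, t := range toDelete {
			delete(tags, t.Key)
		}
	}
	return tags
}

func main() {
	latest, desired := []Tag{{"tag2", "val2"}}, []Tag{{"tag2", "val3"}} // constructed
	fmt.Println(applyTags(latest, desired, false), applyTags(latest, desired, true))
}
```

With add-then-delete the updated tag2 is removed and the tag set ends up empty, which matches the `[]` in the failing assertion; with delete-then-add it ends up as tag2=val3.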

@RedbackThomson
Contributor Author

Tests failing due to:

botocore.exceptions.ClientError: An error occurred (Throttling) when calling the ListPolicyTags operation (reached max retries: 4): Rate exceeded

I guess I'll wait a little while to retry? This throttling seems to take a while to lift.

@vijtrip2
Contributor

vijtrip2 commented Feb 2, 2022

/lgtm

@ack-bot ack-bot added the lgtm label Feb 2, 2022
@ack-bot
Collaborator

ack-bot commented Feb 2, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RedbackThomson, vijtrip2

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [RedbackThomson,vijtrip2]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ack-bot ack-bot merged commit 871897e into aws-controllers-k8s:main Feb 2, 2022
@RedbackThomson RedbackThomson deleted the policy-tag branch February 2, 2022 21:19
Comment on lines +38 to +40
if err := rm.syncTags(ctx, &resource{ko}); err != nil {
return nil, err
}
Member

I believe this statement should go inside an if statement similar to:

if delta.DifferentAt("Spec.Tags") { ... }

In the future we should also deal with cases when a user modifies other fields like: Description, PolicyDocument etc...

Collaborator

Technically, there won't be any calls to any update APIs if there aren't any changes (there will be an additional List operation, however, so we should be able to remove that call by guarding this with a delta.DifferentAt() conditional). 👍

Successfully merging this pull request may close these issues.

support updating Policy resources in IAM controller
