Update Tags Support for Namespace (#62)

Author: vramanet

aws-redshiftserverless-namespace/aws-redshiftserverless-namespace.json

@@ -225,7 +225,16 @@
         }
     },
     "tagging": {
-        "taggable": false
+        "taggable": true,
+        "tagOnCreate": true,
+        "tagUpdatable": true,
+        "cloudFormationSystemTags": false,
+        "tagProperty": "/properties/Tags",
+        "permissions": [
+            "redshift-serverless:ListTagsForResource",
+            "redshift-serverless:TagResource",
+            "redshift-serverless:UntagResource"
+        ]
     },
     "required": [
         "NamespaceName"
@@ -248,9 +257,6 @@
         "/properties/AdminUserPassword",
         "/properties/FinalSnapshotName",
         "/properties/FinalSnapshotRetentionPeriod",
-        "/properties/Tags",
-        "/properties/Tags/*/Key",
-        "/properties/Tags/*/Value",
         "/properties/ManageAdminPassword",
         "/properties/RedshiftIdcApplicationArn"
     ],
@@ -264,6 +270,7 @@
     "handlers": {
         "create": {
             "permissions": [
+                "iam:CreateServiceLinkedRole",
                 "iam:PassRole",
                 "kms:TagResource",
                 "kms:UntagResource",
@@ -282,6 +289,8 @@
                 "redshift-serverless:GetNamespace",
                 "redshift-serverless:ListSnapshotCopyConfigurations",
                 "redshift-serverless:CreateSnapshotCopyConfiguration",
+                "redshift-serverless:ListTagsForResource",
+                "redshift-serverless:TagResource",
                 "redshift:GetResourcePolicy",
                 "redshift:PutResourcePolicy",
                 "secretsmanager:CreateSecret",
@@ -294,6 +303,7 @@
             "permissions": [
                 "iam:PassRole",
                 "redshift-serverless:GetNamespace",
+                "redshift-serverless:ListTagsForResource",
                 "redshift:GetResourcePolicy",
                 "redshift-serverless:ListSnapshotCopyConfigurations"
             ]
@@ -320,6 +330,9 @@
                 "redshift-serverless:CreateSnapshotCopyConfiguration",
                 "redshift-serverless:UpdateSnapshotCopyConfiguration",
                 "redshift-serverless:DeleteSnapshotCopyConfiguration",
+                "redshift-serverless:ListTagsForResource",
+                "redshift-serverless:TagResource",
+                "redshift-serverless:UntagResource",
                 "redshift:GetResourcePolicy",
                 "redshift:PutResourcePolicy",
                 "redshift:DeleteResourcePolicy",
@@ -336,6 +349,8 @@
                 "iam:PassRole",
                 "redshift-serverless:DeleteNamespace",
                 "redshift-serverless:GetNamespace",
+                "redshift-serverless:ListTagsForResource",
+                "redshift-serverless:UntagResource",
                 "kms:RetireGrant",
                 "secretsmanager:DescribeSecret",
                 "secretsmanager:DeleteSecret",
@@ -345,7 +360,8 @@
         "list": {
             "permissions": [
                 "iam:PassRole",
-                "redshift-serverless:ListNamespaces"
+                "redshift-serverless:ListNamespaces",
+                "redshift-serverless:ListTagsForResource"
             ]
         }
     },

aws-redshiftserverless-namespace/resource-role.yaml

@@ -30,6 +30,7 @@ Resources:
             Statement:
               - Effect: Allow
                 Action:
+                - "iam:CreateServiceLinkedRole"
                 - "iam:PassRole"
                 - "kms:CancelKeyDeletion"
                 - "kms:CreateGrant"
@@ -51,6 +52,9 @@ Resources:
                 - "redshift-serverless:GetNamespace"
                 - "redshift-serverless:ListNamespaces"
                 - "redshift-serverless:ListSnapshotCopyConfigurations"
+                - "redshift-serverless:ListTagsForResource"
+                - "redshift-serverless:TagResource"
+                - "redshift-serverless:UntagResource"
                 - "redshift-serverless:UpdateNamespace"
                 - "redshift-serverless:UpdateSnapshotCopyConfiguration"
                 - "redshift:DeleteResourcePolicy"

aws-redshiftserverless-namespace/src/main/java/software/amazon/redshiftserverless/namespace/BaseHandlerStd.java

@@ -10,9 +10,12 @@
 import software.amazon.awssdk.services.redshiftserverless.model.InternalServerException;
 import software.amazon.awssdk.services.redshiftserverless.model.ListSnapshotCopyConfigurationsRequest;
 import software.amazon.awssdk.services.redshiftserverless.model.ListSnapshotCopyConfigurationsResponse;
+import software.amazon.awssdk.services.redshiftserverless.model.ListTagsForResourceRequest;
+import software.amazon.awssdk.services.redshiftserverless.model.ListTagsForResourceResponse;
 import software.amazon.awssdk.services.redshiftserverless.model.ServiceQuotaExceededException;
 import software.amazon.awssdk.services.redshiftserverless.model.Namespace;
 import software.amazon.awssdk.services.redshiftserverless.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.redshiftserverless.model.RedshiftServerlessResponse;
 import software.amazon.awssdk.services.redshiftserverless.model.TooManyTagsException;
 import software.amazon.awssdk.services.redshiftserverless.model.ValidationException;
 import software.amazon.awssdk.services.redshift.RedshiftClient;
@@ -35,6 +38,10 @@ public abstract class BaseHandlerStd extends BaseHandler<CallbackContext> {
   protected final String NAMESPACE_STATUS_AVAILABLE = "available";
   protected static final Constant BACKOFF_STRATEGY = Constant.of().
           timeout(Duration.ofMinutes(30L)).delay(Duration.ofSeconds(10L)).build();
+  protected static final Constant PREOPERATION_BACKOFF_STRATEGY = Constant.of()
+          .timeout(Duration.ofMinutes(5L))
+          .delay(Duration.ofSeconds(5L))
+          .build();
 
   @Override
   public final ProgressEvent<ResourceModel, CallbackContext> handleRequest(
@@ -62,7 +69,11 @@ protected abstract ProgressEvent<ResourceModel, CallbackContext> handleRequest(
     final ProxyClient<SecretsManagerClient> secretsManagerProxyClient,
     final Logger logger);
 
-  protected boolean isNamespaceActive (final ProxyClient<RedshiftServerlessClient> proxyClient, ResourceModel resourceModel, CallbackContext context) {
+  protected boolean isNamespaceActive (final Object awsRequest,
+                                       final RedshiftServerlessResponse awsResponse,
+                                       final ProxyClient<RedshiftServerlessClient> proxyClient,
+                                       final ResourceModel resourceModel,
+                                       final CallbackContext context) {
     GetNamespaceRequest getNamespaceRequest = GetNamespaceRequest.builder().namespaceName(resourceModel.getNamespaceName()).build();
     GetNamespaceResponse getNamespaceResponse = proxyClient.injectCredentialsAndInvokeV2(getNamespaceRequest, proxyClient.client()::getNamespace);
     Namespace namespace = getNamespaceResponse.namespace();
@@ -73,6 +84,15 @@ protected boolean isNamespaceActive (final ProxyClient<RedshiftServerlessClient>
     return NAMESPACE_STATUS_AVAILABLE.equalsIgnoreCase(getNamespaceResponse.namespace().statusAsString());
   }
 
+  protected ListTagsForResourceResponse readTags(final ListTagsForResourceRequest awsRequest,
+                                                 final ProxyClient<RedshiftServerlessClient> proxyClient) {
+
+    ListTagsForResourceResponse awsResponse = proxyClient.injectCredentialsAndInvokeV2(awsRequest, proxyClient.client()::listTagsForResource);
+
+    logger.log(String.format("%s's tags have successfully been read.", ResourceModel.TYPE_NAME));
+    return awsResponse;
+  }
+
   protected boolean isNamespaceActiveAfterDelete (final ProxyClient<RedshiftServerlessClient> proxyClient, ResourceModel resourceModel, CallbackContext context) {
     GetNamespaceRequest getNamespaceRequest = GetNamespaceRequest.builder().namespaceName(resourceModel.getNamespaceName()).build();
     try {

aws-redshiftserverless-namespace/src/main/java/software/amazon/redshiftserverless/namespace/CreateHandler.java

@@ -43,7 +43,7 @@ protected ProgressEvent<ResourceModel, CallbackContext> handleRequest(
                 return proxy.initiate("AWS-RedshiftServerless-Namespace::Create", proxyClient, progress.getResourceModel(), callbackContext)
                     .translateToServiceRequest(Translator::translateToCreateRequest)
                     .makeServiceCall(this::createNamespace)
-                    .stabilize((_awsRequest, _awsResponse, _client, _model, _context) -> isNamespaceActive(_client, _model, _context))
+                    .stabilize(this::isNamespaceActive)
                     .handleError(this::defaultErrorHandler)
                     .done((_request, _response, _client, _model, _context) -> {
                         callbackContext.setNamespaceArn(_response.namespace().namespaceArn());

aws-redshiftserverless-namespace/src/main/java/software/amazon/redshiftserverless/namespace/ReadHandler.java

@@ -59,6 +59,16 @@ protected ProgressEvent<ResourceModel, CallbackContext> handleRequest(
                         });
                     return progress;
                 })
+                .then(progress -> {
+                    progress = proxy.initiate("AWS-RedshiftServerless-Namespace::Read::ReadTags", proxyClient, progress.getResourceModel(), progress.getCallbackContext())
+                        .translateToServiceRequest(Translator::translateToReadTagsRequest)
+                        .makeServiceCall(this::readTags)
+                        .handleError(this::defaultErrorHandler)
+                        .done((_request, _response, _client, _model, _context) -> {
+                            return ProgressEvent.progress(Translator.translateFromReadTagsResponse(_response, _model), _context);
+                        });
+                    return progress;
+                })
                 .then(progress -> {
                     return proxy.initiate("AWS-Redshift-ResourcePolicy::Get", redshiftProxyClient, progress.getResourceModel(), callbackContext)
                         .translateToServiceRequest(resourceModelRequest -> Translator.translateToGetResourcePolicy(resourceModelRequest, callbackContext.getNamespaceArn()))

aws-redshiftserverless-namespace/src/main/java/software/amazon/redshiftserverless/namespace/Translator.java

@@ -4,6 +4,8 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
 import software.amazon.awssdk.awscore.AwsRequest;
 import software.amazon.awssdk.services.redshift.model.DeleteResourcePolicyRequest;
 import software.amazon.awssdk.services.redshift.model.GetResourcePolicyRequest;
@@ -19,6 +21,10 @@
 import software.amazon.awssdk.services.redshiftserverless.model.CreateSnapshotCopyConfigurationRequest;
 import software.amazon.awssdk.services.redshiftserverless.model.UpdateSnapshotCopyConfigurationRequest;
 import software.amazon.awssdk.services.redshiftserverless.model.DeleteSnapshotCopyConfigurationRequest;
+import software.amazon.awssdk.services.redshiftserverless.model.ListTagsForResourceRequest;
+import software.amazon.awssdk.services.redshiftserverless.model.ListTagsForResourceResponse;
+import software.amazon.awssdk.services.redshiftserverless.model.TagResourceRequest;
+import software.amazon.awssdk.services.redshiftserverless.model.UntagResourceRequest;
 import software.amazon.cloudformation.proxy.Logger;
 
 import java.io.IOException;
@@ -38,6 +44,7 @@
  */
 
 public class Translator {
+  private static final Gson GSON = new GsonBuilder().create();
 
   /**
    * Request to create a resource
@@ -54,22 +61,13 @@ static CreateNamespaceRequest translateToCreateRequest(final ResourceModel model
             .defaultIamRoleArn(model.getDefaultIamRoleArn())
             .iamRoles(model.getIamRoles())
             .logExportsWithStrings(model.getLogExports())
-            .tags(translateTagsToSdk(model.getTags()))
+            .tags(translateToSdkTags(model.getTags()))
             .manageAdminPassword(model.getManageAdminPassword())
             .adminPasswordSecretKmsKeyId(model.getAdminPasswordSecretKmsKeyId())
             .redshiftIdcApplicationArn(model.getRedshiftIdcApplicationArn())
             .build();
   }
 
-  static List<software.amazon.awssdk.services.redshiftserverless.model.Tag> translateTagsToSdk(final List<software.amazon.redshiftserverless.namespace.Tag> tags) {
-    return Optional.ofNullable(tags).orElse(Collections.emptyList())
-            .stream()
-            .map(tag -> software.amazon.awssdk.services.redshiftserverless.model.Tag.builder()
-            .key(tag.getKey())
-            .value(tag.getValue()).build())
-            .collect(Collectors.toList());
-  }
-
   /*
     This function is to return the iam role in the same format as input iam roles.
     Instead of modifying the schema for backward compatibitlity we use regex to extract the iam role.
@@ -264,6 +262,90 @@ static AwsRequest untagResourceRequest(final ResourceModel model, final Set<Stri
     return awsRequest;
   }
 
+  /**
+   * Request to read tags for a resource
+   *
+   * @param model resource model
+   * @return awsRequest the aws service request to update tags of a resource
+   */
+  static ListTagsForResourceRequest translateToReadTagsRequest(final ResourceModel model) {
+    return ListTagsForResourceRequest.builder()
+            .resourceArn(model.getNamespace().getNamespaceArn())
+            .build();
+  }
+
+  /**
+   * Translates resource object from sdk into a resource model
+   *
+   * @param awsResponse the aws service describe resource response
+   * @param model       the resource model contained the current resource info
+   * @return awsRequest the aws service request to update tags of a resource
+   */
+  static ResourceModel translateFromReadTagsResponse(final ListTagsForResourceResponse awsResponse,
+                                                     final ResourceModel model) {
+    return model.toBuilder()
+            .tags(translateToModelTags(awsResponse.tags()))
+            .build();
+  }
+
+  /**
+   * Request to update tags for a resource
+   *
+   * @param desiredResourceState the resource model request to update tags
+   * @param currentResourceState the resource model request to delete tags
+   * @return awsRequest the aws service request to update tags of a resource
+   */
+  static UpdateTagsRequest translateToUpdateTagsRequest(final ResourceModel desiredResourceState,
+                                                        final ResourceModel currentResourceState) {
+    String resourceArn = currentResourceState.getNamespace().getNamespaceArn();
+
+    List<Tag> toBeCreatedTags = desiredResourceState.getTags() == null ? Collections.emptyList() : desiredResourceState.getTags()
+            .stream()
+            .filter(tag -> currentResourceState.getTags() == null || !currentResourceState.getTags().contains(tag))
+            .collect(Collectors.toList());
+
+    List<Tag> toBeDeletedTags = currentResourceState.getTags() == null ? Collections.emptyList() : currentResourceState.getTags()
+            .stream()
+            .filter(tag -> desiredResourceState.getTags() == null || !desiredResourceState.getTags().contains(tag))
+            .collect(Collectors.toList());
+
+    return UpdateTagsRequest.builder()
+            .createNewTagsRequest(TagResourceRequest.builder()
+                    .tags(translateToSdkTags(toBeCreatedTags))
+                    .resourceArn(resourceArn)
+                    .build())
+            .deleteOldTagsRequest(UntagResourceRequest.builder()
+                    .tagKeys(toBeDeletedTags
+                            .stream()
+                            .map(Tag::getKey)
+                            .collect(Collectors.toList()))
+                    .resourceArn(resourceArn)
+                    .build())
+            .build();
+  }
+
+  private static software.amazon.awssdk.services.redshiftserverless.model.Tag translateToSdkTag(Tag tag) {
+    return GSON.fromJson(GSON.toJson(tag), software.amazon.awssdk.services.redshiftserverless.model.Tag.class);
+  }
+
+  private static List<software.amazon.awssdk.services.redshiftserverless.model.Tag> translateToSdkTags(final List<Tag> tags) {
+    return tags == null ? null : tags
+            .stream()
+            .map(Translator::translateToSdkTag)
+            .collect(Collectors.toList());
+  }
+
+  private static Tag translateToModelTag(software.amazon.awssdk.services.redshiftserverless.model.Tag tag) {
+    return GSON.fromJson(GSON.toJson(tag), Tag.class);
+  }
+
+  private static List<Tag> translateToModelTags(Collection<software.amazon.awssdk.services.redshiftserverless.model.Tag> tags) {
+    return tags == null ? null : tags
+            .stream()
+            .map(Translator::translateToModelTag)
+            .collect(Collectors.toList());
+  }
+
   private static Namespace translateToModelNamespace(
           software.amazon.awssdk.services.redshiftserverless.model.Namespace namespace) {