Controller deleting existing/unmanaged resource #2102

Open
neilharris123 opened this issue Jun 27, 2024 · 2 comments
Labels
area/runtime Issues or PRs as related to controller runtime, common reconciliation logic, etc kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. triage/needs-information Indicates an issue needs more information in order to work on it.

neilharris123 commented Jun 27, 2024

Describe the bug

I recently used the IAM controller to create an IAM role. I found that if a role exists already (created outside of ACK) with the same name as the new role, not only does ACK throw an error initially (this is expected, obviously), but if I then modify the name of the new ACK-managed role, the controller will proceed to delete the existing role (i.e., the role created outside of ACK).

Steps to reproduce

  1. Create the config for a new IAM role, with the same name as an existing role created by some other method (e.g. Terraform, manually in the UI, etc.).
  2. Deploy the ACK config for the new ACK-managed role, and view the error regarding "resource already exists".
  3. Modify the ACK config for the new role so that it no longer matches the existing resource, and push this change.
  4. The existing/old role, which apparently ACK should not be managing, is deleted by the controller, and the new ACK-configured role is created.

Expected outcome

I would not expect ACK to be able to do this. The original role was not created by ACK. No config was put in place for it to adopt the existing role. I don't believe it should be able to take control of such a resource and delete it. This is dangerous behaviour.

Environment

  • Kubernetes version
  • Using EKS yes- 1.29
  • AWS service targeted (IAM.)
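
Added example, not part of the issue thread and not ACK code: one way to check from CloudTrail records whether the controller's principal deleted a role it never created, which is the behaviour reported above. The ARNs, role names and events are constructed sample data, and the check assumes the supplied records cover the whole period of interest (a role the controller created before the first record would be flagged too).

```python
# Added example: flag IAM DeleteRole calls by a principal that never created the role.
# All ARNs, role names and events below are constructed sample data.
CONTROLLER = "arn:aws:sts::111122223333:assumed-role/ack-iam-controller/ack"
TERRAFORM = "arn:aws:sts::111122223333:assumed-role/terraform/ci"


def ev(time, actor, name, role, error=None):
    """Build a minimal CloudTrail-style record (only the fields used here)."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": actor}, "requestParameters": {"roleName": role}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    ev("2024-06-20T09:00:00Z", TERRAFORM, "CreateRole", "app-role"),
    ev("2024-06-27T10:00:00Z", CONTROLLER, "CreateRole", "app-role",
       error="EntityAlreadyExistsException"),  # name collision, call failed
    ev("2024-06-27T10:07:00Z", CONTROLLER, "DeleteRole", "app-role"),
    ev("2024-06-27T10:07:05Z", CONTROLLER, "CreateRole", "app-role-v2"),
    ev("2024-06-28T08:00:00Z", CONTROLLER, "DeleteRole", "app-role-v2"),
]


def unowned_deletes(events, principal_arn):
    """Return (eventTime, roleName) for successful DeleteRole calls made by
    principal_arn on roles it did not successfully create in these records."""
    owned, findings = set(), []
    for rec in sorted(events, key=lambda r: r["eventTime"]):  # ISO-8601 UTC sorts as text
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("errorCode"):
            continue  # other services, or failed calls that changed nothing
        role = (rec.get("requestParameters") or {}).get("roleName")
        actor = (rec.get("userIdentity") or {}).get("arn")
        if role is None:
            continue
        if rec["eventName"] == "CreateRole":
            # Ownership follows whoever last created a role under this name.
            if actor == principal_arn:
                owned.add(role)
            else:
                owned.discard(role)
        elif rec["eventName"] == "DeleteRole":
            if actor == principal_arn and role not in owned:
                findings.append((rec["eventTime"], role))
            owned.discard(role)
    return findings
```
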
@a-hilaly a-hilaly added kind/bug Categorizes issue or PR as related to a bug. area/runtime Issues or PRs as related to controller runtime, common reconciliation logic, etc priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. triage/needs-information Indicates an issue needs more information in order to work on it. labels Jun 27, 2024
@a-hilaly
Member

Thanks for reporting this @neilharris123 - this is a weird behaviour. I'm a bit surprised since the controller doesn't make any delete calls unless metadata.deletionTimestamp is set (to a non-zero value).

Author

neilharris123 commented Jun 28, 2024

Could it be possible that the controller somehow took control of the existing resource, and changed the name, rather than deleted it? Or does this amount to the same thing i.e. delete and re-create?
