feat(runtime): add drift detection for cross-region and cross-account resources

Adds protection against attempting to manage AWS resources that exist in a
different region or account than the controller is configured to use. This
prevents accidental resource hijacking and provides clear error messages.

- Add `regionDrifted()` and `accountDrifted()` helper functions
- Check for drift before creating resource manager in Reconcile
- Return terminal errors when drift is detected
- Add comprehensive tests for both region and account drift scenarios

Author: a-hilaly

pkg/runtime/reconciler.go

@@ -236,6 +236,42 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	// helpful message to the user.
 	acctID, needCARMLookup := r.getOwnerAccountID(desired)
 
+	region := r.getRegion(desired)
+	endpointURL := r.getEndpointURL(desired)
+	gvk := r.rd.GroupVersionKind()
+
+	// If the user has specified a region that is different from the
+	// region the resource currently exists in, we need to fail the
+	// reconciliation with a terminal error.
+	if regionDrifted(desired, region) {
+		msg := fmt.Sprintf(
+			"Resource already exists in region %s, but the desired state specifies region %s. ",
+			region, desired.MetaObject().GetAnnotations()[ackv1alpha1.AnnotationRegion],
+		)
+		rlog.Info(
+			msg,
+			"current_region", region,
+			"desired_region", desired.Identifiers().Region(),
+		)
+		return ctrlrt.Result{}, ackerr.NewTerminalError(errors.New(msg))
+	}
+
+	// Similarly, if the user has specified an account ID that is different
+	// from the account ID the resource currently exists in, we need to
+	// fail the reconciliation with a terminal error.
+	if accountDrifted(desired, acctID) {
+		msg := fmt.Sprintf(
+			"Resource already exists in account %s, but the role used for reconciliation is in account %s. ",
+			*desired.Identifiers().OwnerAccountID(), acctID,
+		)
+		rlog.Info(
+			msg,
+			"current_account", acctID,
+			"desired_account", desired.Identifiers().OwnerAccountID(),
+		)
+		return ctrlrt.Result{}, ackerr.NewTerminalError(errors.New(msg))
+	}
+
 	var roleARN ackv1alpha1.AWSResourceName
 	if teamID := r.getTeamID(desired); teamID != "" && r.cfg.FeatureGates.IsEnabled(featuregate.TeamLevelCARM) {
 		// The user is specifying a namespace that is annotated with a team ID.
@@ -255,13 +291,11 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 		// Requeue if the corresponding roleARN is not available in the Accounts configmap.
 		roleARN, err = r.getRoleARN(string(acctID), ackrtcache.ACKRoleAccountMap)
 		if err != nil {
+			fmt.Println("test", roleARN, err)
 			return r.handleCacheError(ctx, err, desired)
 		}
 	}
 
-	region := r.getRegion(desired)
-	endpointURL := r.getEndpointURL(desired)
-	gvk := r.rd.GroupVersionKind()
 	// The config pivot to the roleARN will happen if it is not empty.
 	// in the NewResourceManager
 	clientConfig, err := r.sc.NewAWSConfig(ctx, region, &endpointURL, roleARN, gvk)
@@ -285,6 +319,17 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	return r.HandleReconcileError(ctx, desired, latest, err)
 }
 
+func regionDrifted(desired acktypes.AWSResource, targetRegion ackv1alpha1.AWSRegion) bool {
+	return desired.MetaObject().GetAnnotations()[ackv1alpha1.AnnotationRegion] != string(targetRegion)
+}
+
+func accountDrifted(desired acktypes.AWSResource, targetAccountID ackv1alpha1.AWSAccountID) bool {
+	if desired.Identifiers().OwnerAccountID() == nil {
+		return false
+	}
+	return *desired.Identifiers().OwnerAccountID() != targetAccountID
+}
+
 func (r *resourceReconciler) handleCacheError(
 	ctx context.Context,
 	err error,
@@ -1411,6 +1456,11 @@ func getResyncPeriod(rmf acktypes.AWSResourceManagerFactory, cfg ackcfg.Config)
 	return defaultResyncPeriod
 }
 
+// GetCaches returns the extra caches maintained by the ACK runtime
+func (r *resourceReconciler) GetCaches() ackrtcache.Caches {
+	return r.cache
+}
+
 // NewReconciler returns a new reconciler object
 func NewReconciler(
 	sc acktypes.ServiceController,