Ensure RabbitMQ Broker reaches synced status when using non-default security group (#104)

Issue #, if available:

Description of changes:
- Add .vscode to .gitignore
- Omit unchanged field from update payload
- Only set spec fields included in delta in sdkUpdate
- late initialize fields to load default values after broker creation
- Add delta pre-compare hook to match EngineVersion by prefix instead of exact match
- Add e2e test validating creation of RabbitMQ broker with non-default security group becomes synced
- Add tests for delta comparison of EngineVersion
- Update create/delete e2e test to validate update behavior

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: knottnt

.gitignore

@@ -2,6 +2,7 @@
 *.swp
 *~
 .idea
+.vscode
 /docs/site
 bin
 build

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2025-09-19T17:08:59Z"
-  build_hash: 6b4211163dcc34776b01da9a18217bac0f4103fd
-  go_version: go1.24.6
-  version: v0.52.0
+  build_date: "2025-09-29T19:41:37Z"
+  build_hash: ef6e2f362a0f93d4a063b0a2b416f7ab0a156843
+  go_version: go1.25.0
+  version: v0.52.0-4-gef6e2f3
 api_directory_checksum: 524e0af3e7ceea86a3153c12c06091ea924d3410
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
-  file_checksum: 7d89869149ba948467065fc8d5947d9eff039b8b
+  file_checksum: 72d5fe6ac88d647ed6c67869928f3bc12ea6a566
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -17,18 +17,27 @@ resources:
         template_path: hooks/sdk_read_one_post_set_output.go.tpl
       sdk_update_pre_set_output:
         template_path: hooks/sdk_update_pre_set_output.go.tpl
+      delta_pre_compare:
+        template_path: hooks/delta_pre_compare.go.tpl
     renames:
       operations:
         CreateBroker:
           input_fields:
             BrokerName: Name
+
+    update_operation:
+      omit_unchanged_fields: true
+      # UpdateBroker API returns nil for values not set in the request.
+      only_set_unchanged_fields: true
     fields:
-      securityGroups:
+      SecurityGroups:
+        late_initialize: {}
         references:
           service_name: ec2
           resource: SecurityGroup
           path: Status.ID
       SubnetIDs:
+        late_initialize: {}
         references:
           service_name: ec2
           resource: Subnet
@@ -54,3 +63,27 @@ resources:
           is_ignored: true
       Users.Password:
         is_secret: true
+      AuthenticationStrategy:
+        late_initialize: {}
+      AutoMinorVersionUpgrade:
+        late_initialize: {}
+      EngineVersion:
+        late_initialize: {}
+        set:
+          - method: Update
+            ignore: true
+      MaintenanceWindowStartTime:
+        late_initialize: {}
+      EncryptionOptions:
+        late_initialize: {}
+      StorageType:
+        late_initialize: {}
+      PubliclyAccessible:
+        late_initialize: {}
+      Logs:
+        late_initialize: {}
+      LDAPServerMetadata:
+        late_initialize: {
+          # LDAP Server Metadata is only available for ActiveMQ brokers
+          skip_incomplete_check: {}
+        }

config/crd/bases/mq.services.k8s.aws_brokers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: brokers.mq.services.k8s.aws
 spec:
   group: mq.services.k8s.aws

generator.yaml

@@ -17,18 +17,27 @@ resources:
         template_path: hooks/sdk_read_one_post_set_output.go.tpl
       sdk_update_pre_set_output:
         template_path: hooks/sdk_update_pre_set_output.go.tpl
+      delta_pre_compare:
+        template_path: hooks/delta_pre_compare.go.tpl
     renames:
       operations:
         CreateBroker:
           input_fields:
             BrokerName: Name
+
+    update_operation:
+      omit_unchanged_fields: true
+      # UpdateBroker API returns nil for values not set in the request.
+      only_set_unchanged_fields: true
     fields:
-      securityGroups:
+      SecurityGroups:
+        late_initialize: {}
         references:
           service_name: ec2
           resource: SecurityGroup
           path: Status.ID
       SubnetIDs:
+        late_initialize: {}
         references:
           service_name: ec2
           resource: Subnet
@@ -54,3 +63,27 @@ resources:
           is_ignored: true
       Users.Password:
         is_secret: true
+      AuthenticationStrategy:
+        late_initialize: {}
+      AutoMinorVersionUpgrade:
+        late_initialize: {}
+      EngineVersion:
+        late_initialize: {}
+        set:
+          - method: Update
+            ignore: true
+      MaintenanceWindowStartTime:
+        late_initialize: {}
+      EncryptionOptions:
+        late_initialize: {}
+      StorageType:
+        late_initialize: {}
+      PubliclyAccessible:
+        late_initialize: {}
+      Logs:
+        late_initialize: {}
+      LDAPServerMetadata:
+        late_initialize: {
+          # LDAP Server Metadata is only available for ActiveMQ brokers
+          skip_incomplete_check: {}
+        }

helm/crds/mq.services.k8s.aws_brokers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: brokers.mq.services.k8s.aws
 spec:
   group: mq.services.k8s.aws

helm/crds/services.k8s.aws_adoptedresources.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: adoptedresources.services.k8s.aws
 spec:
   group: services.k8s.aws

helm/crds/services.k8s.aws_fieldexports.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: fieldexports.services.k8s.aws
 spec:
   group: services.k8s.aws

pkg/resource/broker/delta.go

@@ -0,0 +1,114 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package broker
+
+import (
+	"testing"
+
+	svcapitypes "github.com/aws-controllers-k8s/mq-controller/apis/v1alpha1"
+	"github.com/aws/aws-sdk-go-v2/aws"
+)
+
+func TestNewResourceDelta_EngineVersionPrefix(t *testing.T) {
+	tests := []struct {
+		name           string
+		aEngineVersion *string
+		bEngineVersion *string
+		expectDelta    bool
+	}{
+		{
+			name:           "a is prefix of b - no delta expected",
+			aEngineVersion: aws.String("3.13"),
+			bEngineVersion: aws.String("3.13.1"),
+			expectDelta:    false,
+		},
+		{
+			name:           "a is prefix of b with patch version - no delta expected",
+			aEngineVersion: aws.String("5.18"),
+			bEngineVersion: aws.String("5.18.4"),
+			expectDelta:    false,
+		},
+		{
+			name:           "exact match - no delta expected",
+			aEngineVersion: aws.String("3.13.1"),
+			bEngineVersion: aws.String("3.13.1"),
+			expectDelta:    false,
+		},
+		{
+			name:           "different patch versions - no delta expected",
+			aEngineVersion: aws.String("3.13.2"),
+			bEngineVersion: aws.String("3.13.1"),
+			expectDelta:    true,
+		},
+		{
+			name:           "different minor versions - delta expected",
+			aEngineVersion: aws.String("3.13"),
+			bEngineVersion: aws.String("3.14.1"),
+			expectDelta:    true,
+		},
+		{
+			name:           "a is longer than b - delta expected",
+			aEngineVersion: aws.String("3.13.1"),
+			bEngineVersion: aws.String("3.13"),
+			expectDelta:    true,
+		},
+		{
+			name:           "nil versions - no delta expected",
+			aEngineVersion: nil,
+			bEngineVersion: nil,
+			expectDelta:    false,
+		},
+		{
+			name:           "a nil, b not nil - delta expected",
+			aEngineVersion: nil,
+			bEngineVersion: aws.String("3.13.1"),
+			expectDelta:    true,
+		},
+		{
+			name:           "a not nil, b nil - delta expected",
+			aEngineVersion: aws.String("3.13"),
+			bEngineVersion: nil,
+			expectDelta:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := &resource{
+				ko: &svcapitypes.Broker{
+					Spec: svcapitypes.BrokerSpec{
+						EngineVersion: tt.aEngineVersion,
+					},
+				},
+			}
+			b := &resource{
+				ko: &svcapitypes.Broker{
+					Spec: svcapitypes.BrokerSpec{
+						EngineVersion: tt.bEngineVersion,
+					},
+				},
+			}
+
+			delta := newResourceDelta(a, b)
+			hasDelta := delta.DifferentAt("Spec.EngineVersion")
+
+			if tt.expectDelta && !hasDelta {
+				t.Errorf("Expected delta for EngineVersion but none found")
+			}
+			if !tt.expectDelta && hasDelta {
+				t.Errorf("Expected no delta for EngineVersion but found one")
+			}
+		})
+	}
+}