
Add tagging logic

Signed-off-by: William Young <will.young@engineerbetter.com>
Co-authored-by: Marcus Dantas <marcus.dantas@engineerbetter.com>
William Young hai 3 anos
3309e02183

+ 12 - 0
pkg/provider/aws/secretsmanager/fake/fake.go

@@ -30,11 +30,13 @@ type Client struct {
 	CreateSecretWithContextFn   CreateSecretWithContextFn
 	GetSecretValueWithContextFn GetSecretValueWithContextFn
 	PutSecretValueWithContextFn PutSecretValueWithContextFn
+	DescribeSecretWithContextFn DescribeSecretWithContextFn
 }
 
 type CreateSecretWithContextFn func(aws.Context, *awssm.CreateSecretInput, ...request.Option) (*awssm.CreateSecretOutput, error)
 type GetSecretValueWithContextFn func(aws.Context, *awssm.GetSecretValueInput, ...request.Option) (*awssm.GetSecretValueOutput, error)
 type PutSecretValueWithContextFn func(aws.Context, *awssm.PutSecretValueInput, ...request.Option) (*awssm.PutSecretValueOutput, error)
+type DescribeSecretWithContextFn func(aws.Context, *awssm.DescribeSecretInput, ...request.Option) (*awssm.DescribeSecretOutput, error)
 
 func (sm Client) CreateSecretWithContext(ctx aws.Context, input *awssm.CreateSecretInput, options ...request.Option) (*awssm.CreateSecretOutput, error) {
 	return sm.CreateSecretWithContextFn(ctx, input, options...)
@@ -66,6 +68,16 @@ func NewPutSecretValueWithContextFn(output *awssm.PutSecretValueOutput, err erro
 	}
 }
 
+func (sm Client) DescribeSecretWithContext(ctx aws.Context, input *awssm.DescribeSecretInput, options ...request.Option) (*awssm.DescribeSecretOutput, error) {
+	return sm.DescribeSecretWithContextFn(ctx, input, options...)
+}
+
+func NewDescribeSecretWithContextFn(output *awssm.DescribeSecretOutput, err error) DescribeSecretWithContextFn {
+	return func(aws.Context, *awssm.DescribeSecretInput, ...request.Option) (*awssm.DescribeSecretOutput, error) {
+		return output, err
+	}
+}
+
 // NewClient init a new fake client.
 func NewClient() *Client {
 	return &Client{
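Review bot: `DescribeSecretWithContext` at L33 invokes `sm.DescribeSecretWithContextFn` with no nil guard, so any existing SetSecret test fixture that builds a `Client` without the new field will now panic with a nil function call, because the provider's SetSecret (see the secretsmanager.go section) calls DescribeSecretWithContext whenever GetSecretValue succeeds. The sibling methods share this shape, but this is the field existing fixtures will not have set. If `NewClient` (its body is outside the hunk) does not already supply a default, consider having it set `DescribeSecretWithContextFn: NewDescribeSecretWithContextFn(&awssm.DescribeSecretOutput{}, nil)` so untouched tests keep their previous behaviour. The new exported type and constructor also lack doc comments; e.g. `// NewDescribeSecretWithContextFn returns a DescribeSecretWithContextFn that always returns output and err.`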

+ 30 - 0
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -54,6 +54,7 @@ type SMInterface interface {
 	CreateSecretWithContext(aws.Context, *awssm.CreateSecretInput, ...request.Option) (*awssm.CreateSecretOutput, error)
 	GetSecretValueWithContext(aws.Context, *awssm.GetSecretValueInput, ...request.Option) (*awssm.GetSecretValueOutput, error)
 	PutSecretValueWithContext(aws.Context, *awssm.PutSecretValueInput, ...request.Option) (*awssm.PutSecretValueOutput, error)
+	DescribeSecretWithContext(aws.Context, *awssm.DescribeSecretInput, ...request.Option) (*awssm.DescribeSecretOutput, error)
 }
 
 const (
@@ -112,17 +113,46 @@ func (sm *SecretsManager) fetch(_ context.Context, ref esv1beta1.ExternalSecretD
 
 func (sm *SecretsManager) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	secretName := remoteRef.GetRemoteKey()
+	managedBy := "managed-by"
+	externalSecrets := "external-secrets"
+	externalSecretsTag := []*awssm.Tag{
+		&awssm.Tag{
+			Key:   &managedBy,
+			Value: &externalSecrets,
+		},
+	}
 	secretRequest := awssm.CreateSecretInput{
 		Name:         &secretName,
 		SecretBinary: value,
+		Tags:         externalSecretsTag,
 	}
 
 	secretValue := awssm.GetSecretValueInput{
 		SecretId: &secretName,
 	}
 
+	secretInput := awssm.DescribeSecretInput{
+		SecretId: &secretName,
+	}
+
 	awsSecret, err := sm.client.GetSecretValueWithContext(ctx, &secretValue)
 
+	if err == nil {
+		data, err := sm.client.DescribeSecretWithContext(ctx, &secretInput)
+		if err != nil {
+			return err
+		}
+
+		for _, tag := range data.Tags {
+			if tag.Key == &managedBy && tag.Value == &externalSecrets {
+				goto TAGGED
+			} else {
+				return fmt.Errorf("secret not managed by external-secrets")
+			}
+		}
+
+	}
+TAGGED:
 	if awsSecret != nil && reflect.DeepEqual(awsSecret.SecretBinary, secretRequest.SecretBinary) {
 		return nil
 	} else if awsSecret.ARN != nil {
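Review bot: The ownership check at L93 compares pointers rather than strings: `tag.Key == &managedBy` asks whether the pointer the SDK returned is the address of the local variable, which it never is, so every tagged secret falls into the `else` on its first tag and is rejected, while a secret with no tags at all skips the loop entirely and gets overwritten — the opposite of what the managed-by tag is meant to enforce. Compare values with `aws.StringValue(tag.Key) == managedBy` (the file already imports `aws`), scan all tags before deciding, and only then reject when no matching tag was found; that also removes the `goto TAGGED` and the `else` inside the loop in favour of a found flag, as below. The `&awssm.Tag{` inside the `[]*awssm.Tag` literal is redundant under `gofmt -s` and `aws.String(...)` would avoid the two named locals. SetSecret continues past the hunk; the unchanged `awsSecret.ARN` dereference on the last context line still runs without checking the error returned on L84, which predates this change.
```go
	if err == nil {
		data, err := sm.client.DescribeSecretWithContext(ctx, &secretInput)
		if err != nil {
			return err
		}

		// Only overwrite secrets that carry the external-secrets ownership tag.
		managed := false
		for _, tag := range data.Tags {
			if tag != nil && aws.StringValue(tag.Key) == managedBy && aws.StringValue(tag.Value) == externalSecrets {
				managed = true
				break
			}
		}
		if !managed {
			return fmt.Errorf("secret not managed by external-secrets")
		}
	}
	// … unchanged: DeepEqual / ARN branch …
```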