fix: remove Source=user filter from parameter group reconciliation (#271)

`getParameters()` filtered DescribeDB(Cluster)Parameters by
Source="user", but RDS classifies some user-set parameters as
"engine-default" or "system" (e.g shared_preload_libraries,
ssl). This caused a perpetual diff between desired and latest,
preventing ACK.ResourceSynced from reaching True. The fix
removes the Source filter and uses a predicate: include if key
is in desiredParams (handles misclassification and params set
to default values), otherwise include only if modifiable with
a non-nil cached default that differs from the current value
(detects removed params needing reset). ParamMeta now caches
DefaultValue from DescribeEngineDefault(Cluster)Parameters.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: shabbskagalwala

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2026-02-08T20:56:03Z"
-  build_hash: e743d683160cf0f58a4864e052cdcb0927335ca7
-  go_version: go1.25.5
-  version: v0.57.0
+  build_date: "2026-02-09T04:13:29Z"
+  build_hash: a297e8e69efb57539e353961c1b33a93e31307bf
+  go_version: go1.25.6
+  version: v0.57.0-2-ga297e8e
 api_directory_checksum: a35626c9dd4783afbee4b0991d2ed63ab37f7444
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6

pkg/resource/db_cluster_parameter_group/hooks.go

@@ -258,11 +258,14 @@ func (rm *resourceManager) syncParameters(
 	return nil
 }
 
-// getParameters retrieves the cluster parameter group's user-defined parameters
-// (overrides) and the "statuses" of those parameter overrides.
+// getParameters retrieves parameters that are either in the desired spec or
+// differ from engine defaults. We don't filter by Source="user" because RDS
+// may classify user-set parameters as "engine-default" or "system".
 func (rm *resourceManager) getParameters(
 	ctx context.Context,
 	groupName *string,
+	family *string,
+	desiredParams util.Parameters,
 ) (
 	params map[string]*string,
 	paramStatuses []*svcapitypes.Parameter,
@@ -275,7 +278,6 @@ func (rm *resourceManager) getParameters(
 			ctx,
 			&svcsdk.DescribeDBClusterParametersInput{
 				DBClusterParameterGroupName: groupName,
-				Source:                      aws.String(sourceUser),
 				Marker:                      marker,
 			},
 		)
@@ -284,7 +286,22 @@ func (rm *resourceManager) getParameters(
 			return nil, nil, err
 		}
 		for _, param := range resp.Parameters {
-			params[*param.ParameterName] = param.ParameterValue
+			pName := *param.ParameterName
+
+			_, inDesired := desiredParams[pName]
+			if !inDesired {
+				if family == nil {
+					continue
+				}
+				if param.IsModifiable == nil || !*param.IsModifiable {
+					continue
+				}
+				if !rm.paramDiffersFromDefault(ctx, *family, pName, param.ParameterValue) {
+					continue
+				}
+			}
+
+			params[pName] = param.ParameterValue
 			p := svcapitypes.Parameter{
 				ParameterName:  param.ParameterName,
 				ParameterValue: param.ParameterValue,
@@ -301,6 +318,29 @@ func (rm *resourceManager) getParameters(
 	return params, paramStatuses, nil
 }
 
+func (rm *resourceManager) paramDiffersFromDefault(
+	ctx context.Context,
+	family string,
+	paramName string,
+	currentValue *string,
+) bool {
+	pMeta, err := rm.getParameterMeta(ctx, family, paramName)
+	if err != nil || pMeta.DefaultValue == nil {
+		return false
+	}
+	return !stringPtrEqual(currentValue, pMeta.DefaultValue)
+}
+
+func stringPtrEqual(a, b *string) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	if a == nil || b == nil {
+		return false
+	}
+	return *a == *b
+}
+
 // resetParameters calls the RDS ResetDBClusterParameterGroup API call
 func (rm *resourceManager) resetParameters(
 	ctx context.Context,
@@ -431,6 +471,7 @@ func (rm *resourceManager) getFamilyParameters(
 			familyMeta[pName] = util.ParamMeta{
 				IsModifiable: *param.IsModifiable,
 				IsDynamic:    *param.ApplyType != applyTypeStatic,
+				DefaultValue: param.ParameterValue,
 			}
 		}
 		marker = resp.EngineDefaults.Marker
@@ -469,6 +510,7 @@ func (rm *resourceManager) getInstanceFamilyParameters(
 			familyMeta[pName] = util.ParamMeta{
 				IsModifiable: *param.IsModifiable,
 				IsDynamic:    *param.ApplyType != applyTypeStatic,
+				DefaultValue: param.ParameterValue,
 			}
 		}
 		marker = resp.EngineDefaults.Marker

pkg/resource/db_cluster_parameter_group/sdk.go

@@ -256,11 +256,14 @@ func (rm *resourceManager) syncParameters(
 	return nil
 }
 
-// getParameters retrieves the parameter group's user-defined parameters
-// (overrides) and the "statuses" of those parameter overrides.
+// getParameters retrieves parameters that are either in the desired spec or
+// differ from engine defaults. We don't filter by Source="user" because RDS
+// may classify user-set parameters as "engine-default" or "system".
 func (rm *resourceManager) getParameters(
 	ctx context.Context,
 	groupName *string,
+	family *string,
+	desiredParams util.Parameters,
 ) (
 	params map[string]*string,
 	paramStatuses []*svcapitypes.Parameter,
@@ -273,7 +276,6 @@ func (rm *resourceManager) getParameters(
 			ctx,
 			&svcsdk.DescribeDBParametersInput{
 				DBParameterGroupName: groupName,
-				Source:               aws.String(sourceUser),
 				Marker:               marker,
 			},
 		)
@@ -282,7 +284,22 @@ func (rm *resourceManager) getParameters(
 			return nil, nil, err
 		}
 		for _, param := range resp.Parameters {
-			params[*param.ParameterName] = param.ParameterValue
+			pName := *param.ParameterName
+
+			_, inDesired := desiredParams[pName]
+			if !inDesired {
+				if family == nil {
+					continue
+				}
+				if param.IsModifiable == nil || !*param.IsModifiable {
+					continue
+				}
+				if !rm.paramDiffersFromDefault(ctx, *family, pName, param.ParameterValue) {
+					continue
+				}
+			}
+
+			params[pName] = param.ParameterValue
 			p := svcapitypes.Parameter{
 				ParameterName:  param.ParameterName,
 				ParameterValue: param.ParameterValue,
@@ -299,6 +316,31 @@ func (rm *resourceManager) getParameters(
 	return params, paramStatuses, nil
 }
 
+func (rm *resourceManager) paramDiffersFromDefault(
+	ctx context.Context,
+	family string,
+	paramName string,
+	currentValue *string,
+) bool {
+	pMeta, err := cachedParamMeta.Get(
+		ctx, family, paramName, rm.getFamilyParameters,
+	)
+	if err != nil || pMeta.DefaultValue == nil {
+		return false
+	}
+	return !stringPtrEqual(currentValue, pMeta.DefaultValue)
+}
+
+func stringPtrEqual(a, b *string) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	if a == nil || b == nil {
+		return false
+	}
+	return *a == *b
+}
+
 // resetParameters calls the RDS ResetDBParameterGroup API call with a set of
 // no more than 20 parameters to reset.
 func (rm *resourceManager) resetParameters(
@@ -436,6 +478,7 @@ func (rm *resourceManager) getFamilyParameters(
 			familyMeta[pName] = util.ParamMeta{
 				IsModifiable: *param.IsModifiable,
 				IsDynamic:    *param.ApplyType != applyTypeStatic,
+				DefaultValue: param.ParameterValue,
 			}
 		}
 		marker = resp.EngineDefaults.Marker

pkg/resource/db_parameter_group/hooks.go

@@ -22,6 +22,7 @@ import (
 type ParamMeta struct {
 	IsModifiable bool
 	IsDynamic    bool
+	DefaultValue *string
 }
 
 // MetaFetcher is the functor we pass to the paramMetaCache that allows it to

pkg/resource/db_parameter_group/sdk.go

@@ -1,17 +1,21 @@
-    if ko.Status.ACKResourceMetadata != nil && ko.Status.ACKResourceMetadata.ARN != nil {
-        resourceARN := (*string)(ko.Status.ACKResourceMetadata.ARN)
-        tags, err := rm.getTags(ctx, *resourceARN)
-        if err != nil {
-            return nil, err
-        }
-        ko.Spec.Tags = tags
-    }
-    if ko.Spec.Name != nil {
-        groupName := ko.Spec.Name
-        params, paramStatuses, err := rm.getParameters(ctx, groupName)
-        if err != nil {
-            return nil, err
-        }
-        ko.Spec.ParameterOverrides = params
-        ko.Status.ParameterOverrideStatuses = paramStatuses
-    }
+	if ko.Status.ACKResourceMetadata != nil && ko.Status.ACKResourceMetadata.ARN != nil {
+		resourceARN := (*string)(ko.Status.ACKResourceMetadata.ARN)
+		tags, err := rm.getTags(ctx, *resourceARN)
+		if err != nil {
+			return nil, err
+		}
+		ko.Spec.Tags = tags
+	}
+	if ko.Spec.Name != nil {
+		groupName := ko.Spec.Name
+		family := ko.Spec.Family
+		desiredParams := ko.Spec.ParameterOverrides
+		params, paramStatuses, err := rm.getParameters(
+			ctx, groupName, family, desiredParams,
+		)
+		if err != nil {
+			return nil, err
+		}
+		ko.Spec.ParameterOverrides = params
+		ko.Status.ParameterOverrideStatuses = paramStatuses
+	}

pkg/util/parameter_cache.go

@@ -8,7 +8,11 @@
 	}
 	if ko.Spec.Name != nil {
 		groupName := ko.Spec.Name
-		params, paramStatuses, err := rm.getParameters(ctx, groupName)
+		family := ko.Spec.Family
+		desiredParams := ko.Spec.ParameterOverrides
+		params, paramStatuses, err := rm.getParameters(
+			ctx, groupName, family, desiredParams,
+		)
 		if err != nil {
 			return nil, err
 		}

templates/hooks/db_cluster_parameter_group/sdk_read_many_post_set_output.go.tpl

@@ -80,10 +80,21 @@ def get_parameters(db_cluster_parameter_group_name):
     """
     c = boto3.client('rds')
     try:
-        resp = c.describe_db_cluster_parameters(
-            DBClusterParameterGroupName=db_cluster_parameter_group_name,
-        )
-        return resp['Parameters']
+        all_parameters = []
+        marker = None
+        while True:
+            params = {
+                'DBClusterParameterGroupName': db_cluster_parameter_group_name,
+            }
+            if marker:
+                params['Marker'] = marker
+            resp = c.describe_db_cluster_parameters(**params)
+            all_parameters.extend(resp['Parameters'])
+            if 'Marker' in resp:
+                marker = resp['Marker']
+            else:
+                break
+        return all_parameters
     except c.exceptions.DBParameterGroupNotFoundFault:
         return []
 

templates/hooks/db_parameter_group/sdk_read_many_post_set_output.go.tpl

@@ -0,0 +1,16 @@
+apiVersion: rds.services.k8s.aws/v1alpha1
+kind: DBClusterParameterGroup
+metadata:
+  name: $DB_CLUSTER_PARAMETER_GROUP_NAME
+spec:
+  name: $DB_CLUSTER_PARAMETER_GROUP_NAME
+  description: $DB_CLUSTER_PARAMETER_GROUP_DESC
+  family: aurora-postgresql14
+  parameterOverrides:
+    log_min_duration_statement: "1000"
+    pgaudit.log: "none"
+    rds.force_ssl: "1"
+    rds.log_retention_period: "10080"
+    shared_preload_libraries: "pg_stat_statements"
+    ssl: "1"
+    ssl_min_protocol_version: "TLSv1.2"