[codegen] adding best practice to update tags

[ammokhov]

Issue #, if available:

Description of changes:

adding best practice to the codegen on how to handle tag update:

• Stack level tags might be undesired tags, hence it's a best practice to catch permission issues.
• Resource level tags is just another resource property, so if user wants to attach resource tags then we should enforce correct permission set

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[sungkkim]

I can see the why we'd want to do this for backwards compatibility of existing resources, but do we really want to enforce this on newly introduced resources? Also, Create handler will have the same issue and if we go the same route, there could be issues with tag based access control. I'd like to hear some others' opinions as well.

[nina-ctrlv]

I can see the why we'd want to do this for backwards compatibility of existing resources, but do we really want to enforce this on newly introduced resources? Also, Create handler will have the same issue and if we go the same route, there could be issues with tag based access control. I'd like to hear some others' opinions as well.

Yea, I don't think this will be solving the problem of existing resources adding tagging in a backwards incompatible manner. This code will have already been deleted for resources that are adding tagging later. We would also need to do it for create as well to cover replacement update operations

[wbingli]

I agree this additional step is confusing to understand and I don't think it's a best practice for resource especially for any new resource and we don't want to encourage to ignore the stack level tag update.

Adding a new comments to mention to handler stack level tag properly would be better than this. We should leverage other tools to prevent this happen instead of here.