Don't delete resources unless field managers match

[blampe]

This fixes the delete-after-create problem by reviving #2999 using field managers (as Eron suggested) instead of annotations to confirm ownership before deleting a resource.

If the resource was created with SSA, and we don't find the expected field manager, then we no-op instead of deleting the resource. The intended effect is to remove it from our state so the "upserted" manager can continue owning it.

This is technically a breaking change in behavior for some edge cases, but I think it is justified by the potential severity of our delete-after-create bug.

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[codecov]

Codecov Report

Attention: Patch coverage is 88.23529% with 2 lines in your changes missing coverage. Please review.

Project coverage is 41.12%. Comparing base (b0ab343) to head (c0839d3).

Files with missing lines	Patch %	Lines
provider/pkg/await/await.go	88.23%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3407      +/-   ##
==========================================
+ Coverage   41.08%   41.12%   +0.03%     
==========================================
  Files          87       87              
  Lines       12900    12917      +17     
==========================================
+ Hits         5300     5312      +12     
- Misses       7205     7208       +3     
- Partials      395      397       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[blampe]

As written this would also no-op in cases where the object was updated with CSA.

We can narrow this by also checking actualSSAManagers is non-empty, so we know the live object was at least touched by pulumi.

[EronWright]

Note that Helm uses labels to track ownership and to drive adoption.
helm/helm#7649