From 06d2524e6dd9496b3b2ae00705ca6ec02abad010 Mon Sep 17 00:00:00 2001 From: smcavallo Date: Tue, 12 Dec 2023 15:01:07 -0500 Subject: [PATCH] Support inline policies as part of iam role Signed-off-by: smcavallo --- apis/iam/v1beta1/register.go | 9 + apis/iam/v1beta1/rolepolicy_types.go | 85 +++ apis/iam/v1beta1/zz_generated.deepcopy.go | 134 +++++ apis/iam/v1beta1/zz_generated.managed.go | 60 ++ apis/iam/v1beta1/zz_generated.managedlist.go | 9 + apis/iam/v1beta1/zz_generated.resolvers.go | 26 + examples/iam/rolepolicy.yaml | 22 + go.mod | 2 +- .../iam.aws.crossplane.io_rolepolicies.yaml | 366 ++++++++++++ pkg/clients/iam/fake/rolepolicy.go | 50 ++ pkg/clients/iam/policy.go | 16 +- pkg/clients/iam/rolepolicy.go | 25 + pkg/controller/iam/rolepolicy/controller.go | 202 +++++++ .../iam/rolepolicy/controller_test.go | 565 ++++++++++++++++++ pkg/controller/iam/setup.go | 2 + 15 files changed, 1570 insertions(+), 3 deletions(-) create mode 100644 apis/iam/v1beta1/rolepolicy_types.go create mode 100644 examples/iam/rolepolicy.yaml create mode 100644 package/crds/iam.aws.crossplane.io_rolepolicies.yaml create mode 100644 pkg/clients/iam/fake/rolepolicy.go create mode 100644 pkg/clients/iam/rolepolicy.go create mode 100644 pkg/controller/iam/rolepolicy/controller.go create mode 100644 pkg/controller/iam/rolepolicy/controller_test.go diff --git a/apis/iam/v1beta1/register.go b/apis/iam/v1beta1/register.go index 4d3c6c7864..1f4a978059 100644 --- a/apis/iam/v1beta1/register.go +++ b/apis/iam/v1beta1/register.go @@ -120,8 +120,17 @@ var ( OpenIDConnectProviderGroupVersionKind = SchemeGroupVersion.WithKind(OpenIDConnectProviderKind) ) +// RolePolicy type metadata. +var ( + RolePolicyKind = reflect.TypeOf(RolePolicy{}).Name() + RolePolicyGroupKind = schema.GroupKind{Group: CRDGroup, Kind: RolePolicyKind}.String() + RolePolicyKindAPIVersion = RolePolicyKind + "." + SchemeGroupVersion.String() + RolePolicyGroupVersionKind = SchemeGroupVersion.WithKind(RolePolicyKind) +) + func init() { SchemeBuilder.Register(&Role{}, &RoleList{}) + SchemeBuilder.Register(&RolePolicy{}, &RolePolicyList{}) SchemeBuilder.Register(&RolePolicyAttachment{}, &RolePolicyAttachmentList{}) SchemeBuilder.Register(&User{}, &UserList{}) SchemeBuilder.Register(&Policy{}, &PolicyList{}) diff --git a/apis/iam/v1beta1/rolepolicy_types.go b/apis/iam/v1beta1/rolepolicy_types.go new file mode 100644 index 0000000000..b76315c5a5 --- /dev/null +++ b/apis/iam/v1beta1/rolepolicy_types.go @@ -0,0 +1,85 @@ +/* +Copyright 2023 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// RolePolicyParameters define the desired state of an AWS IAM Role Inline Policy. +type RolePolicyParameters struct { + + // The JSON policy document that is the content for the policy. + Document extv1.JSON `json:"document"` + + // RoleName presents the name of the IAM role. + // +immutable + // +crossplane:generate:reference:type=Role + RoleName string `json:"roleName,omitempty"` + + // RoleNameRef references a Role to retrieve its Name + // +optional + RoleNameRef *xpv1.Reference `json:"roleNameRef,omitempty"` + + // RoleNameSelector selects a reference to a Role to retrieve its Name + // +optional + RoleNameSelector *xpv1.Selector `json:"roleNameSelector,omitempty"` +} + +// An RolePolicySpec defines the desired state of an RolePolicy. +type RolePolicySpec struct { + xpv1.ResourceSpec `json:",inline"` + ForProvider RolePolicyParameters `json:"forProvider"` +} + +// RolePolicyObservation keeps the state for the external resource +type RolePolicyObservation struct { +} + +// An RolePolicyStatus represents the observed state of an RolePolicy. +type RolePolicyStatus struct { + xpv1.ResourceStatus `json:",inline"` + AtProvider RolePolicyObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true + +// An RolePolicy is a managed resource that represents an AWS IAM RolePolicy. +// +kubebuilder:printcolumn:name="ROLENAME",type="string",JSONPath=".spec.forProvider.roleName" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,aws} +type RolePolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec RolePolicySpec `json:"spec"` + Status RolePolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// RolePolicyList contains a list of Policies +type RolePolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []RolePolicy `json:"items"` +} diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go index 1091f5bfb7..dd6da4c36a 100644 --- a/apis/iam/v1beta1/zz_generated.deepcopy.go +++ b/apis/iam/v1beta1/zz_generated.deepcopy.go @@ -983,6 +983,33 @@ func (in *RoleParameters) DeepCopy() *RoleParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RolePolicy) DeepCopyInto(out *RolePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicy. +func (in *RolePolicy) DeepCopy() *RolePolicy { + if in == nil { + return nil + } + out := new(RolePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RolePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RolePolicyAttachment) DeepCopyInto(out *RolePolicyAttachment) { *out = *in @@ -1126,6 +1153,113 @@ func (in *RolePolicyAttachmentStatus) DeepCopy() *RolePolicyAttachmentStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RolePolicyList) DeepCopyInto(out *RolePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]RolePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyList. +func (in *RolePolicyList) DeepCopy() *RolePolicyList { + if in == nil { + return nil + } + out := new(RolePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RolePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RolePolicyObservation) DeepCopyInto(out *RolePolicyObservation) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyObservation. +func (in *RolePolicyObservation) DeepCopy() *RolePolicyObservation { + if in == nil { + return nil + } + out := new(RolePolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RolePolicyParameters) DeepCopyInto(out *RolePolicyParameters) { + *out = *in + in.Document.DeepCopyInto(&out.Document) + if in.RoleNameRef != nil { + in, out := &in.RoleNameRef, &out.RoleNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleNameSelector != nil { + in, out := &in.RoleNameSelector, &out.RoleNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyParameters. +func (in *RolePolicyParameters) DeepCopy() *RolePolicyParameters { + if in == nil { + return nil + } + out := new(RolePolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RolePolicySpec) DeepCopyInto(out *RolePolicySpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicySpec. +func (in *RolePolicySpec) DeepCopy() *RolePolicySpec { + if in == nil { + return nil + } + out := new(RolePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RolePolicyStatus) DeepCopyInto(out *RolePolicyStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + out.AtProvider = in.AtProvider +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyStatus. +func (in *RolePolicyStatus) DeepCopy() *RolePolicyStatus { + if in == nil { + return nil + } + out := new(RolePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RoleSpec) DeepCopyInto(out *RoleSpec) { *out = *in diff --git a/apis/iam/v1beta1/zz_generated.managed.go b/apis/iam/v1beta1/zz_generated.managed.go index 8ffbaccadd..91a14907ab 100644 --- a/apis/iam/v1beta1/zz_generated.managed.go +++ b/apis/iam/v1beta1/zz_generated.managed.go @@ -440,6 +440,66 @@ func (mg *Role) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { mg.Spec.WriteConnectionSecretToReference = r } +// GetCondition of this RolePolicy. +func (mg *RolePolicy) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this RolePolicy. +func (mg *RolePolicy) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this RolePolicy. +func (mg *RolePolicy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this RolePolicy. +func (mg *RolePolicy) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this RolePolicy. +func (mg *RolePolicy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this RolePolicy. +func (mg *RolePolicy) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this RolePolicy. +func (mg *RolePolicy) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this RolePolicy. +func (mg *RolePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this RolePolicy. +func (mg *RolePolicy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this RolePolicy. +func (mg *RolePolicy) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this RolePolicy. +func (mg *RolePolicy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this RolePolicy. +func (mg *RolePolicy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} + // GetCondition of this RolePolicyAttachment. func (mg *RolePolicyAttachment) GetCondition(ct xpv1.ConditionType) xpv1.Condition { return mg.Status.GetCondition(ct) diff --git a/apis/iam/v1beta1/zz_generated.managedlist.go b/apis/iam/v1beta1/zz_generated.managedlist.go index 216283ffda..3827faecfc 100644 --- a/apis/iam/v1beta1/zz_generated.managedlist.go +++ b/apis/iam/v1beta1/zz_generated.managedlist.go @@ -92,6 +92,15 @@ func (l *RolePolicyAttachmentList) GetItems() []resource.Managed { return items } +// GetItems of this RolePolicyList. +func (l *RolePolicyList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} + // GetItems of this UserList. func (l *UserList) GetItems() []resource.Managed { items := make([]resource.Managed, len(l.Items)) diff --git a/apis/iam/v1beta1/zz_generated.resolvers.go b/apis/iam/v1beta1/zz_generated.resolvers.go index 82336da934..378e043480 100644 --- a/apis/iam/v1beta1/zz_generated.resolvers.go +++ b/apis/iam/v1beta1/zz_generated.resolvers.go @@ -135,6 +135,32 @@ func (mg *GroupUserMembership) ResolveReferences(ctx context.Context, c client.R return nil } +// ResolveReferences of this RolePolicy. +func (mg *RolePolicy) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: mg.Spec.ForProvider.RoleName, + Extract: reference.ExternalName(), + Reference: mg.Spec.ForProvider.RoleNameRef, + Selector: mg.Spec.ForProvider.RoleNameSelector, + To: reference.To{ + List: &RoleList{}, + Managed: &Role{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.RoleName") + } + mg.Spec.ForProvider.RoleName = rsp.ResolvedValue + mg.Spec.ForProvider.RoleNameRef = rsp.ResolvedReference + + return nil +} + // ResolveReferences of this RolePolicyAttachment. func (mg *RolePolicyAttachment) ResolveReferences(ctx context.Context, c client.Reader) error { r := reference.NewAPIResolver(c, mg) diff --git a/examples/iam/rolepolicy.yaml b/examples/iam/rolepolicy.yaml new file mode 100644 index 0000000000..d33c06a0c5 --- /dev/null +++ b/examples/iam/rolepolicy.yaml @@ -0,0 +1,22 @@ +--- +kind: RolePolicy +apiVersion: iam.aws.crossplane.io/v1beta1 +metadata: + name: somerolepolicy +spec: + forProvider: + roleName: somerole + document: + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": "elastic-inference:Connect", + "Resource": "*" + } + ] + } + providerConfigRef: + name: example diff --git a/go.mod b/go.mod index b5b9dfa6f9..fa734bbb8c 100644 --- a/go.mod +++ b/go.mod @@ -44,6 +44,7 @@ require ( go.uber.org/zap v1.26.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 k8s.io/api v0.28.3 + k8s.io/apiextensions-apiserver v0.28.3 k8s.io/apimachinery v0.28.3 k8s.io/client-go v0.28.3 k8s.io/utils v0.0.0-20230726121419-3b25d923346b @@ -140,7 +141,6 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.28.3 // indirect k8s.io/component-base v0.28.3 // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect diff --git a/package/crds/iam.aws.crossplane.io_rolepolicies.yaml b/package/crds/iam.aws.crossplane.io_rolepolicies.yaml new file mode 100644 index 0000000000..6c62286425 --- /dev/null +++ b/package/crds/iam.aws.crossplane.io_rolepolicies.yaml @@ -0,0 +1,366 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: rolepolicies.iam.aws.crossplane.io +spec: + group: iam.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: RolePolicy + listKind: RolePolicyList + plural: rolepolicies + singular: rolepolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.forProvider.roleName + name: ROLENAME + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: An RolePolicy is a managed resource that represents an AWS IAM + RolePolicy. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An RolePolicySpec defines the desired state of an RolePolicy. + properties: + deletionPolicy: + default: Delete + description: 'DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. This field is planned to be deprecated + in favor of the ManagementPolicies field in a future release. Currently, + both could be set independently and non-default values would be + honored if the feature flag is enabled. See the design doc for more + information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + enum: + - Orphan + - Delete + type: string + forProvider: + description: RolePolicyParameters define the desired state of an AWS + IAM Role Inline Policy. + properties: + document: + description: The JSON policy document that is the content for + the policy. + x-kubernetes-preserve-unknown-fields: true + roleName: + description: RoleName presents the name of the IAM role. + type: string + roleNameRef: + description: RoleNameRef references a Role to retrieve its Name + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleNameSelector: + description: RoleNameSelector selects a reference to a Role to + retrieve its Name + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + required: + - document + type: object + managementPolicies: + default: + - '*' + description: 'THIS IS A BETA FIELD. It is on by default but can be + opted out through a Crossplane feature flag. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An RolePolicyStatus represents the observed state of an RolePolicy. + properties: + atProvider: + description: RolePolicyObservation keeps the state for the external + resource + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/clients/iam/fake/rolepolicy.go b/pkg/clients/iam/fake/rolepolicy.go new file mode 100644 index 0000000000..be5229298e --- /dev/null +++ b/pkg/clients/iam/fake/rolepolicy.go @@ -0,0 +1,50 @@ +/* +Copyright 2019 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + "context" + + "github.com/aws/aws-sdk-go-v2/service/iam" + + clientset "github.com/crossplane-contrib/provider-aws/pkg/clients/iam" +) + +// this ensures that the mock implements the client interface +var _ clientset.RolePolicyClient = (*MockRolePolicyClient)(nil) + +// MockRolePolicyClient is a type that implements all the methods for RolePolicyClient interface +type MockRolePolicyClient struct { + MockGetRolePolicy func(ctx context.Context, input *iam.GetRolePolicyInput, opts []func(*iam.Options)) (*iam.GetRolePolicyOutput, error) + MockPutRolePolicy func(ctx context.Context, input *iam.PutRolePolicyInput, opts []func(*iam.Options)) (*iam.PutRolePolicyOutput, error) + MockDeleteRolePolicy func(ctx context.Context, input *iam.DeleteRolePolicyInput, opts []func(*iam.Options)) (*iam.DeleteRolePolicyOutput, error) +} + +// GetRolePolicy mocks GetRolePolicy method +func (m *MockRolePolicyClient) GetRolePolicy(ctx context.Context, input *iam.GetRolePolicyInput, opts ...func(*iam.Options)) (*iam.GetRolePolicyOutput, error) { + return m.MockGetRolePolicy(ctx, input, opts) +} + +// PutRolePolicy mocks PutRolePolicy method +func (m *MockRolePolicyClient) PutRolePolicy(ctx context.Context, input *iam.PutRolePolicyInput, opts ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) { + return m.MockPutRolePolicy(ctx, input, opts) +} + +// DeleteRolePolicy mocks DeleteRolePolicy method +func (m *MockRolePolicyClient) DeleteRolePolicy(ctx context.Context, input *iam.DeleteRolePolicyInput, opts ...func(*iam.Options)) (*iam.DeleteRolePolicyOutput, error) { + return m.MockDeleteRolePolicy(ctx, input, opts) +} diff --git a/pkg/clients/iam/policy.go b/pkg/clients/iam/policy.go index 2b862b4b4d..d381e4d555 100644 --- a/pkg/clients/iam/policy.go +++ b/pkg/clients/iam/policy.go @@ -49,7 +49,13 @@ func IsPolicyUpToDate(in v1beta1.PolicyParameters, policy iamtypes.PolicyVersion return false, "", nil } - unescapedPolicy, err := url.QueryUnescape(aws.ToString(policy.Document)) + return IsPolicyDocumentUpToDate(in.Document, policy.Document) +} + +// IsPolicyDocumentUpToDate checks whether there is a change in any of the modifiable fields in policy. +func IsPolicyDocumentUpToDate(in string, policy *string) (bool, string, error) { + + unescapedPolicy, err := url.QueryUnescape(aws.ToString(policy)) if err != nil { return false, "", err } @@ -57,7 +63,7 @@ func IsPolicyUpToDate(in v1beta1.PolicyParameters, policy iamtypes.PolicyVersion if err != nil { return false, "", err } - specPolicy, err := policyutils.ParsePolicyString(in.Document) + specPolicy, err := policyutils.ParsePolicyString(in) if err != nil { return false, "", err } @@ -65,3 +71,9 @@ func IsPolicyUpToDate(in v1beta1.PolicyParameters, policy iamtypes.PolicyVersion areEqual, diff := policyutils.ArePoliciesEqal(&specPolicy, &externpolicy) return areEqual, diff, nil } + +// ValidatePolicyObject tries to parse the raw policy into a Policy object. +func ValidatePolicyObject(policy string) error { + _, err := policyutils.ParsePolicyString(policy) + return err +} diff --git a/pkg/clients/iam/rolepolicy.go b/pkg/clients/iam/rolepolicy.go new file mode 100644 index 0000000000..c5b46e26c9 --- /dev/null +++ b/pkg/clients/iam/rolepolicy.go @@ -0,0 +1,25 @@ +package iam + +import ( + "context" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/iam" +) + +const ( + // ErrRolePolicyNotFound is the aws exception when the policy cannot be found on the role + ErrRolePolicyNotFound = "NoSuchEntity" +) + +// RolePolicyClient is the external client used for RolePolicy Custom Resource +type RolePolicyClient interface { + GetRolePolicy(ctx context.Context, input *iam.GetRolePolicyInput, opts ...func(*iam.Options)) (*iam.GetRolePolicyOutput, error) + PutRolePolicy(ctx context.Context, input *iam.PutRolePolicyInput, opts ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) + DeleteRolePolicy(ctx context.Context, input *iam.DeleteRolePolicyInput, opts ...func(*iam.Options)) (*iam.DeleteRolePolicyOutput, error) +} + +// NewRolePolicyClient returns a new client using AWS credentials as JSON encoded data. +func NewRolePolicyClient(conf aws.Config) RolePolicyClient { + return iam.NewFromConfig(conf) +} diff --git a/pkg/controller/iam/rolepolicy/controller.go b/pkg/controller/iam/rolepolicy/controller.go new file mode 100644 index 0000000000..b67952e2c4 --- /dev/null +++ b/pkg/controller/iam/rolepolicy/controller.go @@ -0,0 +1,202 @@ +/* +Copyright 2023 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rolepolicy + +import ( + "context" + + "github.com/aws/aws-sdk-go-v2/aws" + awsiam "github.com/aws/aws-sdk-go-v2/service/iam" + "github.com/aws/smithy-go" + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/controller" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/meta" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/crossplane-contrib/provider-aws/apis/iam/v1beta1" + "github.com/crossplane-contrib/provider-aws/apis/v1alpha1" + "github.com/crossplane-contrib/provider-aws/pkg/clients/iam" + "github.com/crossplane-contrib/provider-aws/pkg/features" + connectaws "github.com/crossplane-contrib/provider-aws/pkg/utils/connect/aws" + errorutils "github.com/crossplane-contrib/provider-aws/pkg/utils/errors" + custommanaged "github.com/crossplane-contrib/provider-aws/pkg/utils/reconciler/managed" +) + +const ( + errUnexpectedObject = "The managed resource is not a RolePolicy resource" + errGet = "failed to get RolePolicy for role with name" + errPutRolePolicy = "cannot put role policy" + errInvalidPolicyDocument = "invalid policy document" +) + +// SetupRolePolicy adds a controller that reconciles RolePolicy. +func SetupRolePolicy(mgr ctrl.Manager, o controller.Options) error { + name := managed.ControllerName(v1beta1.RoleGroupKind) + + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.Features.Enabled(features.EnableAlphaExternalSecretStores) { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), v1alpha1.StoreConfigGroupVersionKind)) + } + + reconcilerOpts := []managed.ReconcilerOption{ + managed.WithCriticalAnnotationUpdater(custommanaged.NewRetryingCriticalAnnotationUpdater(mgr.GetClient())), + managed.WithExternalConnecter(&connector{kube: mgr.GetClient(), newClientFn: iam.NewRolePolicyClient, newSTSClientFn: iam.NewSTSClient}), + managed.WithReferenceResolver(managed.NewAPISimpleReferenceResolver(mgr.GetClient())), + managed.WithConnectionPublishers(), + managed.WithPollInterval(o.PollInterval), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithInitializers(managed.NewNameAsExternalName(mgr.GetClient())), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithConnectionPublishers(cps...), + } + + if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + reconcilerOpts = append(reconcilerOpts, managed.WithManagementPolicies()) + } + + r := managed.NewReconciler(mgr, + resource.ManagedKind(v1beta1.RolePolicyGroupVersionKind), + reconcilerOpts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + WithEventFilter(resource.DesiredStateChanged()). + For(&v1beta1.RolePolicy{}). + Complete(r) +} + +type connector struct { + kube client.Client + newClientFn func(config aws.Config) iam.RolePolicyClient + newSTSClientFn func(config aws.Config) iam.STSClient +} + +func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) { + cfg, err := connectaws.GetConfig(ctx, c.kube, mg, connectaws.GlobalRegion) + if err != nil { + return nil, err + } + return &external{client: c.newClientFn(*cfg), sts: c.newSTSClientFn(*cfg), kube: c.kube}, nil +} + +type external struct { + client iam.RolePolicyClient + sts iam.STSClient + kube client.Client +} + +func (e *external) Observe(ctx context.Context, mgd resource.Managed) (managed.ExternalObservation, error) { + cr, ok := mgd.(*v1beta1.RolePolicy) + if !ok { + return managed.ExternalObservation{}, errors.New(errUnexpectedObject) + } + + if meta.GetExternalName(cr) == "" { + return managed.ExternalObservation{}, nil + } + + observed, err := e.client.GetRolePolicy(ctx, &awsiam.GetRolePolicyInput{ + PolicyName: aws.String(meta.GetExternalName(cr)), + RoleName: aws.String(cr.Spec.ForProvider.RoleName), + }) + + if err != nil { + return managed.ExternalObservation{}, errorutils.Wrap(resource.Ignore(iam.IsErrorNotFound, err), errGet) + } + + cr.SetConditions(xpv1.Available()) + + upToDate, diff, err := IsInlinePolicyUpToDate(string(cr.Spec.ForProvider.Document.Raw), observed.PolicyDocument) + if err != nil { + return managed.ExternalObservation{}, err + } + + return managed.ExternalObservation{ + ResourceExists: true, + ResourceUpToDate: upToDate, + Diff: diff, + }, nil +} + +func (e *external) Create(ctx context.Context, mgd resource.Managed) (managed.ExternalCreation, error) { + cr, ok := mgd.(*v1beta1.RolePolicy) + if !ok { + return managed.ExternalCreation{}, errors.New(errUnexpectedObject) + } + + return managed.ExternalCreation{}, e.putRolePolicy(ctx, cr) +} + +func (e *external) Update(ctx context.Context, mgd resource.Managed) (managed.ExternalUpdate, error) { + cr, ok := mgd.(*v1beta1.RolePolicy) + if !ok { + return managed.ExternalUpdate{}, errors.New(errUnexpectedObject) + } + return managed.ExternalUpdate{}, e.putRolePolicy(ctx, cr) +} + +func (e *external) Delete(ctx context.Context, mgd resource.Managed) error { + cr, ok := mgd.(*v1beta1.RolePolicy) + if !ok { + return errors.New(errUnexpectedObject) + } + + cr.Status.SetConditions(xpv1.Deleting()) + + _, err := e.client.DeleteRolePolicy(ctx, &awsiam.DeleteRolePolicyInput{ + PolicyName: aws.String(meta.GetExternalName(cr)), + RoleName: aws.String(cr.Spec.ForProvider.RoleName), + }) + + return err +} + +func (e *external) putRolePolicy(ctx context.Context, cr *v1beta1.RolePolicy) error { + if err := iam.ValidatePolicyObject(string(cr.Spec.ForProvider.Document.Raw)); err != nil { + return errors.Wrap(err, errInvalidPolicyDocument) + } + _, err := e.client.PutRolePolicy(ctx, &awsiam.PutRolePolicyInput{ + PolicyName: aws.String(meta.GetExternalName(cr)), + RoleName: aws.String(cr.Spec.ForProvider.RoleName), + PolicyDocument: aws.String(string(cr.Spec.ForProvider.Document.Raw)), + }) + return errors.Wrap(err, errPutRolePolicy) +} + +// IsRolePolicyNotFoundErr returns true if the aws exception indicates the role policy was not found +func IsRolePolicyNotFoundErr(err error) bool { + var awsErr smithy.APIError + return errors.As(err, &awsErr) && awsErr.ErrorCode() == iam.ErrRolePolicyNotFound +} + +// IsInlinePolicyUpToDate checks whether there is a change in any of the modifiable fields in policy. +func IsInlinePolicyUpToDate(cr string, external *string) (bool, string, error) { + // The AWS API returns Policy Document as an escaped string. + // Due to differences in the methods to escape a string, the comparison result between + // the spec.Document and policy.Document can sometimes be false negative (due to spaces, line feeds). + // Escaping with a common method and then comparing is a safe way. + + // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html + return iam.IsPolicyDocumentUpToDate(cr, external) +} diff --git a/pkg/controller/iam/rolepolicy/controller_test.go b/pkg/controller/iam/rolepolicy/controller_test.go new file mode 100644 index 0000000000..5d3b0633ea --- /dev/null +++ b/pkg/controller/iam/rolepolicy/controller_test.go @@ -0,0 +1,565 @@ +/* +Copyright 2023 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rolepolicy + +import ( + "context" + "testing" + + extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + + "github.com/aws/aws-sdk-go-v2/aws" + awsiam "github.com/aws/aws-sdk-go-v2/service/iam" + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/meta" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/test" + "github.com/google/go-cmp/cmp" + "github.com/pkg/errors" + "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/crossplane-contrib/provider-aws/apis/iam/v1beta1" + "github.com/crossplane-contrib/provider-aws/pkg/clients/iam" + "github.com/crossplane-contrib/provider-aws/pkg/clients/iam/fake" + errorutils "github.com/crossplane-contrib/provider-aws/pkg/utils/errors" +) + +var ( + unexpectedItem resource.Managed + arn = "arn:aws:iam::aws:policy/aws-service-role/AccessAnalyzerServiceRolePolicy" + documentRaw = `{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": "elastic-inference:Connect", + "Resource": "*" + } + ] + }` + document = makeDocument(documentRaw) + roleName = "my-role" + policyName = "my-policy" + + errBoom = errors.New("boom") +) + +func makeDocument(raw string) extv1.JSON { + return extv1.JSON{ + Raw: []byte(raw), + } +} + +type args struct { + kube client.Client + iam iam.RolePolicyClient + cr resource.Managed +} + +type rolePolicyModifier func(*v1beta1.RolePolicy) + +func withExternalName(s string) rolePolicyModifier { + return func(r *v1beta1.RolePolicy) { meta.SetExternalName(r, s) } +} + +func withConditions(c ...xpv1.Condition) rolePolicyModifier { + return func(r *v1beta1.RolePolicy) { r.Status.ConditionedStatus.Conditions = c } +} + +func withSpec(spec v1beta1.RolePolicyParameters) rolePolicyModifier { + return func(r *v1beta1.RolePolicy) { + r.Spec.ForProvider = spec + } +} + +func rolePolicy(m ...rolePolicyModifier) *v1beta1.RolePolicy { + cr := &v1beta1.RolePolicy{} + for _, f := range m { + f(cr) + } + return cr +} + +func TestObserve(t *testing.T) { + + type want struct { + cr resource.Managed + result managed.ExternalObservation + err error + } + + cases := map[string]struct { + args + want + }{ + "Successful": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockGetRolePolicy: func(ctx context.Context, input *awsiam.GetRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.GetRolePolicyOutput, error) { + return &awsiam.GetRolePolicyOutput{ + PolicyName: aws.String(policyName), + RoleName: aws.String(roleName), + PolicyDocument: &documentRaw, + }, nil + }, + }, + cr: rolePolicy(withSpec(v1beta1.RolePolicyParameters{ + Document: document, + RoleName: roleName, + }), withExternalName(arn)), + }, + want: want{ + cr: rolePolicy(withSpec(v1beta1.RolePolicyParameters{ + Document: document, + RoleName: roleName, + }), withExternalName(arn), + withConditions(xpv1.Available())), + result: managed.ExternalObservation{ + ResourceExists: true, + ResourceUpToDate: true, + }, + }, + }, + "InvalidInput": { + args: args{ + cr: unexpectedItem, + }, + want: want{ + cr: unexpectedItem, + err: errors.New(errUnexpectedObject), + }, + }, + "GetRolePolicyError": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockGetRolePolicy: func(ctx context.Context, input *awsiam.GetRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.GetRolePolicyOutput, error) { + return nil, errBoom + }, + }, + cr: rolePolicy(withExternalName(arn)), + }, + want: want{ + cr: rolePolicy(withExternalName(arn)), + err: errorutils.Wrap(errBoom, errGet), + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := &external{client: tc.iam} + o, err := e.Observe(context.Background(), tc.args.cr) + + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.cr, tc.args.cr, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.result, o); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestCreate(t *testing.T) { + + type want struct { + cr resource.Managed + result managed.ExternalCreation + err error + } + + cases := map[string]struct { + args + want + }{ + "Successful": { + args: args{ + kube: &test.MockClient{ + MockStatusUpdate: test.NewMockClient().MockStatusUpdate, + }, + iam: &fake.MockRolePolicyClient{ + MockPutRolePolicy: func(ctx context.Context, input *awsiam.PutRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.PutRolePolicyOutput, error) { + return &awsiam.PutRolePolicyOutput{}, nil + }, + }, + cr: rolePolicy(withSpec(v1beta1.RolePolicyParameters{ + Document: document, + RoleName: roleName, + }), + withExternalName(arn)), + }, + want: want{ + cr: rolePolicy( + withSpec(v1beta1.RolePolicyParameters{ + Document: document, + RoleName: roleName, + }), + withExternalName(arn)), + result: managed.ExternalCreation{}, + }, + }, + "InvalidInput": { + args: args{ + cr: unexpectedItem, + }, + want: want{ + cr: unexpectedItem, + err: errors.New(errUnexpectedObject), + }, + }, + "EnsurePutRolePolicyThrowsWithCorrectException": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockPutRolePolicy: func(ctx context.Context, input *awsiam.PutRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.PutRolePolicyOutput, error) { + return nil, errBoom + }, + }, + cr: rolePolicy(withSpec(v1beta1.RolePolicyParameters{ + Document: makeDocument("{}"), + })), + }, + want: want{ + cr: rolePolicy(withSpec(v1beta1.RolePolicyParameters{ + Document: makeDocument("{}"), + })), + err: errors.Wrap(errBoom, errPutRolePolicy), + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := &external{kube: test.NewMockClient(), client: tc.iam} + o, err := e.Create(context.Background(), tc.args.cr) + + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.cr, tc.args.cr, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.result, o); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestUpdate(t *testing.T) { + + type want struct { + cr resource.Managed + result managed.ExternalUpdate + err error + } + + cases := map[string]struct { + args + want + }{ + "Successful": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockPutRolePolicy: func(ctx context.Context, input *awsiam.PutRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.PutRolePolicyOutput, error) { + return &awsiam.PutRolePolicyOutput{}, nil + }, + }, + cr: rolePolicy(withSpec(v1beta1.RolePolicyParameters{ + Document: document, + RoleName: roleName, + }), withExternalName(arn)), + }, + want: want{ + cr: rolePolicy( + withSpec(v1beta1.RolePolicyParameters{ + Document: document, + RoleName: roleName, + }), + withExternalName(arn)), + result: managed.ExternalUpdate{}, + }, + }, + "InvalidInput": { + args: args{ + cr: unexpectedItem, + }, + want: want{ + cr: unexpectedItem, + err: errors.New(errUnexpectedObject), + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := &external{client: tc.iam} + o, err := e.Update(context.Background(), tc.args.cr) + + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.cr, tc.args.cr, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.result, o); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestDelete(t *testing.T) { + + type want struct { + cr resource.Managed + err error + } + + cases := map[string]struct { + args + want + }{ + "Successful": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockDeleteRolePolicy: func(ctx context.Context, input *awsiam.DeleteRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.DeleteRolePolicyOutput, error) { + return &awsiam.DeleteRolePolicyOutput{}, nil + }, + }, + cr: rolePolicy(withExternalName(arn)), + }, + want: want{ + cr: rolePolicy(withExternalName(arn), + withConditions(xpv1.Deleting())), + }, + }, + "InvalidInput": { + args: args{ + cr: unexpectedItem, + }, + want: want{ + cr: unexpectedItem, + err: errors.New(errUnexpectedObject), + }, + }, + "DeleteRolePolicyError": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockDeleteRolePolicy: func(ctx context.Context, input *awsiam.DeleteRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.DeleteRolePolicyOutput, error) { + return nil, errBoom + }, + }, + cr: rolePolicy(withExternalName(arn)), + }, + want: want{ + cr: rolePolicy(withExternalName(arn), + withConditions(xpv1.Deleting())), + err: errBoom, + }, + }, + "DeleteRolePolicyErrorNoSuchEntityException": { + args: args{ + iam: &fake.MockRolePolicyClient{ + MockDeleteRolePolicy: func(ctx context.Context, input *awsiam.DeleteRolePolicyInput, opts []func(*awsiam.Options)) (*awsiam.DeleteRolePolicyOutput, error) { + return nil, errors.New(iam.ErrRolePolicyNotFound) + }, + }, + cr: rolePolicy(withExternalName(arn)), + }, + want: want{ + cr: rolePolicy(withExternalName(arn), + withConditions(xpv1.Deleting())), + err: errors.New(iam.ErrRolePolicyNotFound), + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + e := &external{client: tc.iam} + err := e.Delete(context.Background(), tc.args.cr) + + if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + if diff := cmp.Diff(tc.want.cr, tc.args.cr, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestIsInlinePolicyUpToDate(t *testing.T) { + type args struct { + cr extv1.JSON + external *string + } + + cases := map[string]struct { + args args + want bool + }{ + "SameFields": { + args: args{ + cr: makeDocument(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }`), + external: aws.String(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }`), + }, + want: true, + }, + "SameFieldsEscaped": { + args: args{ + cr: makeDocument(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }`), + external: aws.String(`%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22eks.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D`), + }, + want: true, + }, + "DifferentFields": { + args: args{ + cr: makeDocument(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:*" + } + ] + }`), + external: aws.String(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }`), + }, + want: false, + }, + "SameActionArray": { + args: args{ + cr: makeDocument(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": ["sts:AssumeRole"] + } + ] + }`), + external: aws.String(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }`), + }, + want: true, + }, + "DifferentActionArray": { + args: args{ + cr: makeDocument(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": ["sts:AssumeRole", "sts:GetFederationToken"] + } + ] + }`), + external: aws.String(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }`), + }, + want: false, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + got, _, _ := IsInlinePolicyUpToDate(string(tc.args.cr.Raw), tc.args.external) + if diff := cmp.Diff(tc.want, got); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} diff --git a/pkg/controller/iam/setup.go b/pkg/controller/iam/setup.go index d215d435a8..ec173fd053 100644 --- a/pkg/controller/iam/setup.go +++ b/pkg/controller/iam/setup.go @@ -28,6 +28,7 @@ import ( "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/openidconnectprovider" "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/policy" "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/role" + "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/rolepolicy" "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/rolepolicyattachment" "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/servicelinkedrole" "github.com/crossplane-contrib/provider-aws/pkg/controller/iam/user" @@ -47,6 +48,7 @@ func Setup(mgr ctrl.Manager, o controller.Options) error { openidconnectprovider.SetupOpenIDConnectProvider, policy.SetupPolicy, role.SetupRole, + rolepolicy.SetupRolePolicy, rolepolicyattachment.SetupRolePolicyAttachment, servicelinkedrole.SetupServiceLinkedRole, user.SetupUser,