From c5e2154f78e86c41ad465b261a11f5ec9b217dfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fatih=20T=C3=BCrken?=
Date: Mon, 28 Aug 2023 17:43:09 +0300
Subject: [PATCH 1/2] Remove inline_policy from Movetostatus and add example role with inline_policy
---
 apis/iam/v1beta1/zz_generated.deepcopy.go | 34 ++++++++++++++++++++
 apis/iam/v1beta1/zz_role_types.go | 21 +++++++++++++
 config/iam/config.go | 2 +-
 examples/iam/role-with-inline-policy.yaml | 36 ++++++++++++++++++++
 package/crds/iam.aws.upbound.io_roles.yaml | 30 ++++++++++++++++++
 5 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 examples/iam/role-with-inline-policy.yaml
diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go
index 52580faad4..2bd59c1998 100644
--- a/apis/iam/v1beta1/zz_generated.deepcopy.go
+++ b/apis/iam/v1beta1/zz_generated.deepcopy.go
@@ -1225,6 +1225,16 @@ func (in *GroupStatus) DeepCopy() *GroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InlinePolicyInitParameters) DeepCopyInto(out *InlinePolicyInitParameters) {
 *out = *in
+ if in.Name != nil {
+ in, out := &in.Name, &out.Name
+ *out = new(string)
+ **out = **in
+ }
+ if in.Policy != nil {
+ in, out := &in.Policy, &out.Policy
+ *out = new(string)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InlinePolicyInitParameters.
@@ -1265,6 +1275,16 @@ func (in *InlinePolicyObservation) DeepCopy() *InlinePolicyObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InlinePolicyParameters) DeepCopyInto(out *InlinePolicyParameters) {
 *out = *in
+ if in.Name != nil {
+ in, out := &in.Name, &out.Name
+ *out = new(string)
+ **out = **in
+ }
+ if in.Policy != nil {
+ in, out := &in.Policy, &out.Policy
+ *out = new(string)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InlinePolicyParameters.
@@ -2125,6 +2145,13 @@ func (in *RoleInitParameters) DeepCopyInto(out *RoleInitParameters) {
 *out = new(bool)
 **out = **in
 }
+ if in.InlinePolicy != nil {
+ in, out := &in.InlinePolicy, &out.InlinePolicy
+ *out = make([]InlinePolicyInitParameters, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 if in.MaxSessionDuration != nil {
 in, out := &in.MaxSessionDuration, &out.MaxSessionDuration
 *out = new(float64)
@@ -2392,6 +2419,13 @@ func (in *RoleParameters) DeepCopyInto(out *RoleParameters) {
 *out = new(bool)
 **out = **in
 }
+ if in.InlinePolicy != nil {
+ in, out := &in.InlinePolicy, &out.InlinePolicy
+ *out = make([]InlinePolicyParameters, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 if in.MaxSessionDuration != nil {
 in, out := &in.MaxSessionDuration, &out.MaxSessionDuration
 *out = new(float64)
diff --git a/apis/iam/v1beta1/zz_role_types.go b/apis/iam/v1beta1/zz_role_types.go
index d616699f81..1f41165bbe 100755
--- a/apis/iam/v1beta1/zz_role_types.go
+++ b/apis/iam/v1beta1/zz_role_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type InlinePolicyInitParameters struct {
+
+ // Friendly name of the role. See IAM Identifiers for more information.
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // Policy document as a JSON formatted string.
+ Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type InlinePolicyObservation struct {
@@ -26,6 +32,14 @@ type InlinePolicyObservation struct {
 }
 
 type InlinePolicyParameters struct {
+
+ // Friendly name of the role. See IAM Identifiers for more information.
+ // +kubebuilder:validation:Optional
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // Policy document as a JSON formatted string.
+ // +kubebuilder:validation:Optional
+ Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type RoleInitParameters struct {
@@ -39,6 +53,9 @@ type RoleInitParameters struct {
 // Whether to force detaching any policies the role has before destroying it. Defaults to false.
 ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"`
 
+ // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. Configuring one empty block (i.e.
+ InlinePolicy []InlinePolicyInitParameters `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
+
 // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
 MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"`
@@ -127,6 +144,10 @@ type RoleParameters struct {
 // +kubebuilder:validation:Optional
 ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"`
 
+ // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. Configuring one empty block (i.e.
+ // +kubebuilder:validation:Optional
+ InlinePolicy []InlinePolicyParameters `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
+
 // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
 // +kubebuilder:validation:Optional
 MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"`
diff --git a/config/iam/config.go b/config/iam/config.go
index 2af8610790..7e4a957d64 100644
--- a/config/iam/config.go
+++ b/config/iam/config.go
@@ -35,7 +35,7 @@ func Configure(p *config.Provider) {
 // aws_iam_policy_attachment
 // aws_iam_role_policy_attachment
 // aws_iam_role_policy
- config.MoveToStatus(r.TerraformResource, "inline_policy", "managed_policy_arns")
+ config.MoveToStatus(r.TerraformResource, "managed_policy_arns")
 })
 
 p.AddResourceConfigurator("aws_iam_instance_profile", func(r *config.Resource) {
diff --git a/examples/iam/role-with-inline-policy.yaml b/examples/iam/role-with-inline-policy.yaml
new file mode 100644
index 0000000000..d488b0c597
--- /dev/null
+++ b/examples/iam/role-with-inline-policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+ annotations:
+ meta.upbound.io/example-id: iam/v1beta1/role
+ labels:
+ testing.upbound.io/example-name: role
+ name: role-with-inline-policy
+spec:
+ forProvider:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "eks.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ inlinePolicy:
+ - name: "my_inline_policy"
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": "ec2:Describe*"
+ }
+ ]
+ }
diff --git a/package/crds/iam.aws.upbound.io_roles.yaml b/package/crds/iam.aws.upbound.io_roles.yaml
index 856e1996a6..46239fd420 100644
--- a/package/crds/iam.aws.upbound.io_roles.yaml
+++ b/package/crds/iam.aws.upbound.io_roles.yaml
@@ -77,6 +77,21 @@ spec:
 description: Whether to force detaching any policies the role has before destroying it. Defaults to false.
 type: boolean
+ inlinePolicy:
+ description: Configuration block defining an exclusive set of
+ IAM inline policies associated with the IAM role. See below.
+ Configuring one empty block (i.e.
+ items:
+ properties:
+ name:
+ description: Friendly name of the role. See IAM Identifiers
+ for more information.
+ type: string
+ policy:
+ description: Policy document as a JSON formatted string.
+ type: string
+ type: object
+ type: array
 maxSessionDuration:
 description: Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value
@@ -120,6 +135,21 @@ spec:
 description: Whether to force detaching any policies the role has before destroying it. Defaults to false.
 type: boolean
+ inlinePolicy:
+ description: Configuration block defining an exclusive set of
+ IAM inline policies associated with the IAM role. See below.
+ Configuring one empty block (i.e.
+ items:
+ properties:
+ name:
+ description: Friendly name of the role. See IAM Identifiers
+ for more information.
+ type: string
+ policy:
+ description: Policy document as a JSON formatted string.
+ type: string
+ type: object
+ type: array
 maxSessionDuration:
 description: Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value
From d472fe67a2d87d67a9b5e765d5674670ddef79cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fatih=20T=C3=BCrken?=
Date: Tue, 29 Aug 2023 13:50:16 +0300
Subject: [PATCH 2/2] Remove managed_policy_arns from Movetostatus
---
 apis/iam/v1beta1/zz_generated.deepcopy.go | 22 +++++++++++
 apis/iam/v1beta1/zz_role_types.go | 15 ++++++--
 config/iam/config.go | 7 +---
 package/crds/iam.aws.upbound.io_roles.yaml | 44 ++++++++++++++++++++--
 4 files changed, 75 insertions(+), 13 deletions(-)
diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go
index 2bd59c1998..164f13edd3 100644
--- a/apis/iam/v1beta1/zz_generated.deepcopy.go
+++ b/apis/iam/v1beta1/zz_generated.deepcopy.go
@@ -2152,6 +2152,17 @@ func (in *RoleInitParameters) DeepCopyInto(out *RoleInitParameters) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.ManagedPolicyArns != nil {
+ in, out := &in.ManagedPolicyArns, &out.ManagedPolicyArns
+ *out = make([]*string, len(*in))
+ for i := range *in {
+ if (*in)[i] != nil {
+ in, out := &(*in)[i], &(*out)[i]
+ *out = new(string)
+ **out = **in
+ }
+ }
+ }
 if in.MaxSessionDuration != nil {
 in, out := &in.MaxSessionDuration, &out.MaxSessionDuration
 *out = new(float64)
@@ -2426,6 +2437,17 @@ func (in *RoleParameters) DeepCopyInto(out *RoleParameters) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.ManagedPolicyArns != nil {
+ in, out := &in.ManagedPolicyArns, &out.ManagedPolicyArns
+ *out = make([]*string, len(*in))
+ for i := range *in {
+ if (*in)[i] != nil {
+ in, out := &(*in)[i], &(*out)[i]
+ *out = new(string)
+ **out = **in
+ }
+ }
+ }
 if in.MaxSessionDuration != nil {
 in, out := &in.MaxSessionDuration, &out.MaxSessionDuration
 *out = new(float64)
diff --git a/apis/iam/v1beta1/zz_role_types.go b/apis/iam/v1beta1/zz_role_types.go
index 1f41165bbe..44ce956a46 100755
--- a/apis/iam/v1beta1/zz_role_types.go
+++ b/apis/iam/v1beta1/zz_role_types.go
@@ -53,9 +53,12 @@ type RoleInitParameters struct {
 // Whether to force detaching any policies the role has before destroying it. Defaults to false.
 ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"`
 
- // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. Configuring one empty block (i.e.
+ // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply.
 InlinePolicy []InlinePolicyInitParameters `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
 
+ // Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments.
+ ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"`
+
 // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
 MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"`
@@ -102,10 +105,10 @@ type RoleObservation struct {
 // Name of the role.
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
- // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. Configuring one empty block (i.e.
+ // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply.
 InlinePolicy []InlinePolicyObservation `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
 
- // Set of exclusive IAM managed policy ARNs to attach to the IAM role. Configuring an empty set (i.e.
+ // Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments.
 ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"`
 
 // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
@@ -144,10 +147,14 @@ type RoleParameters struct {
 // +kubebuilder:validation:Optional
 ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"`
 
- // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. Configuring one empty block (i.e.
+ // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply.
 // +kubebuilder:validation:Optional
 InlinePolicy []InlinePolicyParameters `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
 
+ // Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments.
+ // +kubebuilder:validation:Optional
+ ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"`
+
 // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
 // +kubebuilder:validation:Optional
 MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"`
diff --git a/config/iam/config.go b/config/iam/config.go
index 7e4a957d64..e9a7b09d90 100644
--- a/config/iam/config.go
+++ b/config/iam/config.go
@@ -31,11 +31,8 @@ func Configure(p *config.Provider) {
 })
 
 p.AddResourceConfigurator("aws_iam_role", func(r *config.Resource) {
- // Mutually exclusive with:
- // aws_iam_policy_attachment
- // aws_iam_role_policy_attachment
- // aws_iam_role_policy
- config.MoveToStatus(r.TerraformResource, "managed_policy_arns")
+ r.MetaResource.ArgumentDocs["inline_policy"] = `Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply.`
+ r.MetaResource.ArgumentDocs["managed_policy_arns"] = `Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments.`
 })
 
 p.AddResourceConfigurator("aws_iam_instance_profile", func(r *config.Resource) {
diff --git a/package/crds/iam.aws.upbound.io_roles.yaml b/package/crds/iam.aws.upbound.io_roles.yaml
index 46239fd420..26ebcc7b17 100644
--- a/package/crds/iam.aws.upbound.io_roles.yaml
+++ b/package/crds/iam.aws.upbound.io_roles.yaml
@@ -80,7 +80,10 @@ spec:
 inlinePolicy:
 description: Configuration block defining an exclusive set of
 IAM inline policies associated with the IAM role. See below.
- Configuring one empty block (i.e.
+ If no blocks are configured, Crossplane will not manage any
+ inline policies in this resource. Configuring one empty block
+ (i.e., inline_policy {}) will cause Crossplane to remove all
+ inline policies added out of band on apply.
 items:
 properties:
 name:
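Review bot: Deleting the `// Mutually exclusive with: aws_iam_policy_attachment / aws_iam_role_policy_attachment / aws_iam_role_policy` comment removes the only record in this file of why these two arguments were kept out of spec, and nothing in the new ArgumentDocs strings carries that warning forward. With both fields now in spec, a Role that sets `inlinePolicy` or `managedPolicyArns` is authoritative and, per the new doc text itself, strips policies attached out of band on every reconcile — which includes attachments managed by a separate RolePolicy or RolePolicyAttachment object for the same role, so the two controllers will undo each other; I would append a sentence such as `Do not combine with RolePolicy / RolePolicyAttachment resources that target the same role.` to both ArgumentDocs strings so it reaches the CRD descriptions. Separately, the nested `inline_policy` `name` argument still inherits the upstream text `Friendly name of the role. See IAM Identifiers for more information.` (visible in the zz_role_types.go and CRD hunks of the first patch), which is wrong for what is the inline policy's name; an ArgumentDocs override for that nested argument here (the key format for nested arguments should be checked against upjet's registry) would fix the generated field comment and the CRD description in one place.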
@@ -92,6 +95,17 @@ spec:
 type: string
 type: object
 type: array
+ managedPolicyArns:
+ description: Set of exclusive IAM managed policy ARNs to attach
+ to the IAM role. If this attribute is not configured, Crossplane
+ will ignore policy attachments to this resource. When configured,
+ Crossplane will align the role's managed policy attachments
+ with this set by attaching or detaching managed policies. Configuring
+ an empty set (i.e., managed_policy_arns = []) will cause Crossplane
+ to remove all managed policy attachments.
+ items:
+ type: string
+ type: array
 maxSessionDuration:
 description: Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value
@@ -138,7 +152,10 @@ spec:
 inlinePolicy:
 description: Configuration block defining an exclusive set of
 IAM inline policies associated with the IAM role. See below.
- Configuring one empty block (i.e.
+ If no blocks are configured, Crossplane will not manage any
+ inline policies in this resource. Configuring one empty block
+ (i.e., inline_policy {}) will cause Crossplane to remove all
+ inline policies added out of band on apply.
 items:
 properties:
 name:
@@ -150,6 +167,17 @@ spec:
 type: string
 type: object
 type: array
+ managedPolicyArns:
+ description: Set of exclusive IAM managed policy ARNs to attach
+ to the IAM role. If this attribute is not configured, Crossplane
+ will ignore policy attachments to this resource. When configured,
+ Crossplane will align the role's managed policy attachments
+ with this set by attaching or detaching managed policies. Configuring
+ an empty set (i.e., managed_policy_arns = []) will cause Crossplane
+ to remove all managed policy attachments.
+ items:
+ type: string
+ type: array
 maxSessionDuration:
 description: Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value
@@ -399,7 +427,10 @@ spec:
 inlinePolicy:
 description: Configuration block defining an exclusive set of
 IAM inline policies associated with the IAM role. See below.
- Configuring one empty block (i.e.
+ If no blocks are configured, Crossplane will not manage any
+ inline policies in this resource. Configuring one empty block
+ (i.e., inline_policy {}) will cause Crossplane to remove all
+ inline policies added out of band on apply.
 items:
 properties:
 name:
@@ -413,7 +444,12 @@ spec:
 type: array
 managedPolicyArns:
 description: Set of exclusive IAM managed policy ARNs to attach
- to the IAM role. Configuring an empty set (i.e.
+ to the IAM role. If this attribute is not configured, Crossplane
+ will ignore policy attachments to this resource. When configured,
+ Crossplane will align the role's managed policy attachments
+ with this set by attaching or detaching managed policies. Configuring
+ an empty set (i.e., managed_policy_arns = []) will cause Crossplane
+ to remove all managed policy attachments.
 items:
 type: string
 type: array