fix: add policies on create

michaelhtm · michaelhtm · commit 1107caae0261 · 2025-05-08T13:02:49.000-07:00
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2025-05-02T16:46:04Z"
-  build_hash: f8dc5330705b3752ce07dce0ac831161fd4cb14f
-  go_version: go1.24.2
-  version: v0.45.0
+  build_date: "2025-05-08T19:50:19Z"
+  build_hash: a82538df1333319f8ec1d603f6cf293aefc46e1b
+  go_version: go1.24.1
+  version: v0.45.0-3-ga82538d
 api_directory_checksum: 7e1c19231d3275a1147157f6943a7391953f7001
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -59,6 +59,8 @@ spec:
         - "$(ACK_WATCH_NAMESPACE)"
         - --watch-selectors
         - "$(ACK_WATCH_SELECTORS)"
+        - --reconcile-resources
+        - "$(RECONCILE_RESOURCES)"
         - --deletion-policy
         - "$(DELETION_POLICY)"
 {{- if .Values.leaderElection.enabled }}
@@ -107,6 +109,8 @@ spec:
           value: {{ include "ack-iam-controller.watch-namespace" . }}
         - name: ACK_WATCH_SELECTORS
           value: {{ .Values.watchSelectors }}
+        - name: RECONCILE_RESOURCES
+          value: {{ join "," .Values.reconcile.resources | quote }}
         - name: DELETION_POLICY
           value: {{ .Values.deletionPolicy }}
         - name: LEADER_ELECTION_NAMESPACE
diff --git a/helm/values.schema.json b/helm/values.schema.json
@@ -239,6 +239,14 @@
         },
         "resourceMaxConcurrentSyncs": {
           "type": "object"
+        },
+        "resources": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "List of resource kinds to reconcile. If empty, all resources will be reconciled.",
+          "default": []
         }
       },
       "type": "object"
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -137,6 +137,17 @@ reconcile:
   # An object representing the reconcile max concurrent syncs configuration for each specific
   # resource.
   resourceMaxConcurrentSyncs: {}
+  
+  # Set the value of resources to specify which resource kinds to reconcile.
+  # If empty, all resources will be reconciled.
+  # If specified, only the listed resource kinds will be reconciled.
+  resources:
+    - Groups
+    - Instanceprofiles
+    - Openidconnectproviders
+    - Policies
+    - Roles
+    - Users
 
 serviceAccount:
   # Specifies whether a service account should be created
diff --git a/pkg/resource/role/sdk.go b/pkg/resource/role/sdk.go
diff --git a/templates/hooks/role/sdk_create_post_set_output.go.tpl b/templates/hooks/role/sdk_create_post_set_output.go.tpl
@@ -5,4 +5,16 @@
             ko.Spec.AssumeRolePolicyDocument = &doc
         }
     }
+	for _, p := range desired.ko.Spec.Policies {
+		err := rm.addManagedPolicy(ctx, &resource{ko}, p)
+		if err != nil {
+			return &resource{ko}, err
+		}
+	}
+	for n, p := range desired.ko.Spec.InlinePolicies {
+		err := rm.addInlinePolicy(ctx, &resource{ko}, n, p)
+		if err != nil {
+			return &resource{ko}, err
+		}
+	}
     ackcondition.SetSynced(&resource{ko}, corev1.ConditionFalse, nil, nil)
