support Group.inlinePolicies (#66)

Adds support for inline policies for Group resources.

The new Group.Spec.inlinePolicies field is a map[string]*string, keyed by the inline policy name and valued with the inline policy document (serialized JSON string).

Inline policies are actually added and removed from a Group using different IAM API calls than their managed policy counterparts. Whereas managed policies (contained in the Group.Spec.Policies field) are attached and detached from the Group using the AttachPolicyGroup and DetachGroupPolicy API calls, the inline policies are attached and detached from the Group using the AddGroupPolicy and DeleteGroupPolicy API calls. Yes, this is confusing and why I hadn't actually included inline policies from the very beginning (I did not realize these were separate things and separate API calls).

Similar to managed policies, all inline policies are removed from the Group prior to group deletion.

Issue aws-controllers-k8s/community#1644

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: jaypipes

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2023-03-01T17:11:46Z"
+  build_date: "2023-03-02T15:55:10Z"
   build_hash: d0f3d78cbea8061f822cbceac3786128f091efe6
   go_version: go1.19.4
   version: v0.24.2
-api_directory_checksum: a80aaa82b401436fd8d17f6b1fe931e484c62fb8
+api_directory_checksum: 26341f700d12dfcd4033cf4203492fa381daa7b0
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93
 generator_config_info:
-  file_checksum: a20dca352b45b74c1ea3bd4350ce3ab9d2d5c23e
+  file_checksum: 0a343bca2be29176e9388a2cc3d54461162c5984
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -62,6 +62,14 @@ resources:
         references:
           resource: Policy
           path: Status.ACKResourceMetadata.ARN
+      # These are policy documents that are added to the Group using the
+      # Put/DeleteGroupPolicy APIs, as compared to the Attach/DetachGroupPolicy
+      # APIs that are for non-inline managed policies.
+      #
+      # The map key is the PolicyDocumentName and the map value is the JSON
+      # policy document.
+      InlinePolicies:
+        type: map[string]*string
     tags:
       ignore: true
   Policy:

apis/v1alpha1/group.go

@@ -38,6 +38,10 @@ spec:
               a response element in the following operations: \n * CreateGroup \n
               * GetGroup \n * ListGroups"
             properties:
+              inlinePolicies:
+                additionalProperties:
+                  type: string
+                type: object
               name:
                 description: "The name of the group to create. Do not include the
                   path in this value. \n IAM user, group, role, and policy names must

apis/v1alpha1/zz_generated.deepcopy.go

@@ -62,6 +62,14 @@ resources:
         references:
           resource: Policy
           path: Status.ACKResourceMetadata.ARN
+      # These are policy documents that are added to the Group using the
+      # Put/DeleteGroupPolicy APIs, as compared to the Attach/DetachGroupPolicy
+      # APIs that are for non-inline managed policies.
+      #
+      # The map key is the PolicyDocumentName and the map value is the JSON
+      # policy document.
+      InlinePolicies:
+        type: map[string]*string
     tags:
       ignore: true
   Policy:

config/crd/bases/iam.services.k8s.aws_groups.yaml

@@ -38,6 +38,10 @@ spec:
               a response element in the following operations: \n - CreateGroup \n
               - GetGroup \n - ListGroups"
             properties:
+              inlinePolicies:
+                additionalProperties:
+                  type: string
+                type: object
               name:
                 description: "The name of the group to create. Do not include the
                   path in this value. \n IAM user, group, role, and policy names must

generator.yaml

@@ -15,23 +15,26 @@ package group
 
 import (
 	"context"
+	"net/url"
 
 	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
 	ackutil "github.com/aws-controllers-k8s/runtime/pkg/util"
 	svcsdk "github.com/aws/aws-sdk-go/service/iam"
+	"github.com/samber/lo"
 )
 
-// syncPolicies examines the PolicyARNs in the supplied Group and calls the
-// ListGroupPolicies, AttachGroupPolicy and DetachGroupPolicy APIs to ensure
-// that the set of attached policies stays in sync with the Group.Spec.Policies
-// field, which is a list of strings containing Policy ARNs.
-func (rm *resourceManager) syncPolicies(
+// syncManagedPolicies examines the managed PolicyARNs in the supplied Group
+// and calls the ListAttachedGroupPolicies, AttachGroupPolicy and
+// DetachGroupPolicy APIs to ensure that the set of attached policies stays in
+// sync with the Group.Spec.Policies field, which is a list of strings
+// containing Policy ARNs.
+func (rm *resourceManager) syncManagedPolicies(
 	ctx context.Context,
 	desired *resource,
 	latest *resource,
 ) (err error) {
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.syncPolicies")
+	exit := rlog.Trace("rm.syncManagedPolicies")
 	defer func() { exit(err) }()
 	toAdd := []*string{}
 	toDelete := []*string{}
@@ -51,29 +54,30 @@ func (rm *resourceManager) syncPolicies(
 	}
 
 	for _, p := range toAdd {
-		rlog.Debug("adding policy to group", "policy_arn", *p)
-		if err = rm.addPolicy(ctx, desired, p); err != nil {
+		rlog.Debug("adding managed policy to group", "policy_arn", *p)
+		if err = rm.addManagedPolicy(ctx, desired, p); err != nil {
 			return err
 		}
 	}
 	for _, p := range toDelete {
-		rlog.Debug("removing policy from group", "policy_arn", *p)
-		if err = rm.removePolicy(ctx, desired, p); err != nil {
+		rlog.Debug("removing managed policy from group", "policy_arn", *p)
+		if err = rm.removeManagedPolicy(ctx, desired, p); err != nil {
 			return err
 		}
 	}
 
 	return nil
 }
 
-// getPolicies returns the list of Policy ARNs currently attached to the Group
-func (rm *resourceManager) getPolicies(
+// getManagedPolicies returns the list of managed Policy ARNs currently
+// attached to the Group
+func (rm *resourceManager) getManagedPolicies(
 	ctx context.Context,
 	r *resource,
 ) ([]*string, error) {
 	var err error
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.getPolicies")
+	exit := rlog.Trace("rm.getManagedPolicies")
 	defer func() { exit(err) }()
 
 	input := &svcsdk.ListAttachedGroupPoliciesInput{}
@@ -95,14 +99,15 @@ func (rm *resourceManager) getPolicies(
 	return res, err
 }
 
-// addPolicy adds the supplied Policy to the supplied Group resource
-func (rm *resourceManager) addPolicy(
+// addManagedPolicy adds the supplied managed Policy to the supplied Group
+// resource
+func (rm *resourceManager) addManagedPolicy(
 	ctx context.Context,
 	r *resource,
 	policyARN *string,
 ) (err error) {
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.addPolicy")
+	exit := rlog.Trace("rm.addManagedPolicy")
 	defer func() { exit(err) }()
 
 	input := &svcsdk.AttachGroupPolicyInput{}
@@ -113,14 +118,15 @@ func (rm *resourceManager) addPolicy(
 	return err
 }
 
-// removePolicy removes the supplied Policy from the supplied Group resource
-func (rm *resourceManager) removePolicy(
+// removeManagedPolicy removes the supplied managed Policy from the supplied
+// Group resource
+func (rm *resourceManager) removeManagedPolicy(
 	ctx context.Context,
 	r *resource,
 	policyARN *string,
 ) (err error) {
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.removePolicy")
+	exit := rlog.Trace("rm.removeManagedPolicy")
 	defer func() { exit(err) }()
 
 	input := &svcsdk.DetachGroupPolicyInput{}
@@ -130,3 +136,156 @@ func (rm *resourceManager) removePolicy(
 	rm.metrics.RecordAPICall("UPDATE", "DetachGroupPolicy", err)
 	return err
 }
+
+// syncInlinePolicies examines the InlinePolicies in the supplied Group and
+// calls the ListGroupPolicies, PutGroupPolicy and DeleteGroupPolicy APIs to
+// ensure that the set of attached policies stays in sync with the
+// Group.Spec.InlinePolicies field, which is a map of policy names to policy
+// documents.
+func (rm *resourceManager) syncInlinePolicies(
+	ctx context.Context,
+	desired *resource,
+	latest *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.syncInlinePolicies")
+	defer func() { exit(err) }()
+
+	existingPolicies := latest.ko.Spec.InlinePolicies
+
+	existingPairs := lo.ToPairs(existingPolicies)
+	desiredPairs := lo.ToPairs(desired.ko.Spec.InlinePolicies)
+
+	toDelete, toAdd := lo.Difference(existingPairs, desiredPairs)
+
+	for _, pair := range toAdd {
+		polName := pair.Key
+		polDoc := pair.Value
+		rlog.Debug(
+			"adding inline policy to group",
+			"policy_name", polName,
+		)
+		err = rm.addInlinePolicy(ctx, desired, polName, polDoc)
+		if err != nil {
+			return err
+		}
+	}
+	for _, pair := range toDelete {
+		polName := pair.Key
+		rlog.Debug(
+			"removing inline policy from group",
+			"policy_name", polName,
+		)
+		if err = rm.removeInlinePolicy(ctx, desired, polName); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// getInlinePolicies returns a map of inline policy name and policy docs
+// currently attached to the Group.
+//
+// NOTE(jaypipes): There's no way around the inefficiencies of this method
+// without caching stuff, and I don't think it's useful to have an unbounded
+// cache for these inline policy documents :( IAM's ListGroupPolicies API call
+// only returns the *policy names* of inline policies. You need to call
+// GetGroupPolicy API call for each inline policy name in order to get the
+// policy document. Yes, they force an O(N) time complexity for this
+// operation...
+func (rm *resourceManager) getInlinePolicies(
+	ctx context.Context,
+	r *resource,
+) (map[string]*string, error) {
+	var err error
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.getInlinePolicies")
+	defer func() { exit(err) }()
+
+	groupName := r.ko.Spec.Name
+
+	input := &svcsdk.ListGroupPoliciesInput{}
+	input.GroupName = groupName
+	res := map[string]*string{}
+
+	err = rm.sdkapi.ListGroupPoliciesPagesWithContext(
+		ctx, input, func(page *svcsdk.ListGroupPoliciesOutput, _ bool) bool {
+			if page == nil {
+				return true
+			}
+			for _, p := range page.PolicyNames {
+				res[*p] = nil
+			}
+			return page.IsTruncated != nil && *page.IsTruncated
+		},
+	)
+	rm.metrics.RecordAPICall("READ_MANY", "ListGroupPolicies", err)
+
+	// Now we need to grab the policy documents for each policy name
+	for polName, _ := range res {
+		input := &svcsdk.GetGroupPolicyInput{}
+		input.GroupName = groupName
+		input.PolicyName = &polName
+		resp, err := rm.sdkapi.GetGroupPolicyWithContext(ctx, input)
+		rm.metrics.RecordAPICall("READ_ONE", "GetGroupPolicy", err)
+		if err != nil {
+			return nil, err
+		}
+		cleanedDoc, err := decodeDocument(*resp.PolicyDocument)
+		if err != nil {
+			return nil, err
+		}
+		res[polName] = &cleanedDoc
+
+	}
+	return res, nil
+}
+
+// addInlinePolicy adds the supplied inline Policy to the supplied Group
+// resource
+func (rm *resourceManager) addInlinePolicy(
+	ctx context.Context,
+	r *resource,
+	policyName string,
+	policyDoc *string,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.addInlinePolicy")
+	defer func() { exit(err) }()
+
+	input := &svcsdk.PutGroupPolicyInput{}
+	input.GroupName = r.ko.Spec.Name
+	input.PolicyName = &policyName
+	cleanedDoc, err := decodeDocument(*policyDoc)
+	if err != nil {
+		return err
+	}
+	input.PolicyDocument = &cleanedDoc
+	_, err = rm.sdkapi.PutGroupPolicyWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "PutGroupPolicy", err)
+	return err
+}
+
+// removeInlinePolicy removes the supplied inline Policy from the supplied
+// Group resource
+func (rm *resourceManager) removeInlinePolicy(
+	ctx context.Context,
+	r *resource,
+	policyName string,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.removeInlinePolicy")
+	defer func() { exit(err) }()
+
+	input := &svcsdk.DeleteGroupPolicyInput{}
+	input.GroupName = r.ko.Spec.Name
+	input.PolicyName = &policyName
+	_, err = rm.sdkapi.DeleteGroupPolicyWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "DeleteGroupPolicy", err)
+	return err
+}
+
+func decodeDocument(encoded string) (string, error) {
+	return url.QueryUnescape(encoded)
+}