support User.inlinePolicies (#65)

Adds support for inline policies for User resources.

The new User.Spec.inlinePolicies field is a map[string]*string, keyed by the inline policy name and valued with the inline policy document (serialized JSON string).

Inline policies are actually added and removed from a User using different IAM API calls than their managed policy counterparts. Whereas managed policies (contained in the User.Spec.Policies field) are attached and detached from the User using the AttachPolicyUser and DetachUserPolicy API calls, the inline policies are attached and detached from the User using the AddUserPolicy and DeleteUserPolicy API calls. Yes, this is confusing and why I hadn't actually included inline policies from the very beginning (I did not realize these were separate things and separate API calls).

Similar to managed policies, all inline policies are removed from the User prior to user deletion.

Issue aws-controllers-k8s/community#1644

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: jaypipes

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2023-02-28T16:33:37Z"
+  build_date: "2023-03-01T17:11:46Z"
   build_hash: d0f3d78cbea8061f822cbceac3786128f091efe6
   go_version: go1.19.4
   version: v0.24.2
-api_directory_checksum: 68b20a583916eac0fb007442dfd1220a9fb9722d
+api_directory_checksum: a80aaa82b401436fd8d17f6b1fe931e484c62fb8
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93
 generator_config_info:
-  file_checksum: 52f2fa89ae0904d8c6d22fafaa472d1943b23211
+  file_checksum: a20dca352b45b74c1ea3bd4350ce3ab9d2d5c23e
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -177,7 +177,6 @@ resources:
       # policy document.
       InlinePolicies:
         type: map[string]*string
-        late_initialize: {}
       Tags:
         compare:
           is_ignored: true
@@ -260,6 +259,14 @@ resources:
         references:
           resource: Policy
           path: Status.ACKResourceMetadata.ARN
+      # These are policy documents that are added to the User using the
+      # Put/DeleteUserPolicy APIs, as compared to the Attach/DetachUserPolicy
+      # APIs that are for non-inline managed policies.
+      #
+      # The map key is the PolicyDocumentName and the map value is the JSON
+      # policy document.
+      InlinePolicies:
+        type: map[string]*string
       Tags:
         compare:
           is_ignored: true

apis/v1alpha1/user.go

@@ -38,6 +38,10 @@ spec:
               response element in the following operations: \n * CreateUser \n * GetUser
               \n * ListUsers"
             properties:
+              inlinePolicies:
+                additionalProperties:
+                  type: string
+                type: object
               name:
                 description: "The name of the user to create. \n IAM user, group,
                   role, and policy names must be unique within the account. Names

apis/v1alpha1/zz_generated.deepcopy.go

@@ -28,14 +28,25 @@
                 "iam:ListPolicyVersions",
                 "iam:ListPolicyTags",
                 "iam:ListAttachedGroupPolicies",
+                "iam:GetGroupPolicy",
+                "iam:PutGroupPolicy",
                 "iam:AttachGroupPolicy",
                 "iam:DetachGroupPolicy",
+                "iam:DeleteGroupPolicy",
                 "iam:ListAttachedRolePolicies",
+                "iam:ListRolePolicies",
+                "iam:GetRolePolicy",
+                "iam:PutRolePolicy",
                 "iam:AttachRolePolicy",
                 "iam:DetachRolePolicy",
+                "iam:DeleteRolePolicy",
                 "iam:ListAttachedUserPolicies",
+                "iam:ListUserPolicies",
+                "iam:GetUserPolicy",
+                "iam:PutUserPolicy",
                 "iam:AttachUserPolicy",
                 "iam:DetachUserPolicy",
+                "iam:DeleteUserPolicy",
                 "iam:ListRoleTags",
                 "iam:ListUserTags",
                 "iam:TagPolicy",

config/crd/bases/iam.services.k8s.aws_users.yaml

@@ -259,6 +259,14 @@ resources:
         references:
           resource: Policy
           path: Status.ACKResourceMetadata.ARN
+      # These are policy documents that are added to the User using the
+      # Put/DeleteUserPolicy APIs, as compared to the Attach/DetachUserPolicy
+      # APIs that are for non-inline managed policies.
+      #
+      # The map key is the PolicyDocumentName and the map value is the JSON
+      # policy document.
+      InlinePolicies:
+        type: map[string]*string
       Tags:
         compare:
           is_ignored: true

config/iam/recommended-inline-policy

@@ -38,6 +38,10 @@ spec:
               response element in the following operations: \n - CreateUser \n - GetUser
               \n - ListUsers"
             properties:
+              inlinePolicies:
+                additionalProperties:
+                  type: string
+                type: object
               name:
                 description: "The name of the user to create. \n IAM user, group,
                   role, and policy names must be unique within the account. Names