support updating Tags on Role resources (#10)

Adds support for updating (adding/removing) Tags from a Role resource in
the IAM controller.

Unfortunately, the "standard" Tagris
ListTagsForResource/TagResource/UntagResource AWS Resource Group Tagging
API calls aren't supported for IAM. You need to use the IAM-specific
TagRole/UntagRole/ListRoleTags IAM API calls to work with tags on Role
resources.

Following patches will add support for the same tags on Policy
resources.

Issue: aws-controllers-k8s/community#1119

Signed-off-by: Jay Pipes <[email protected]>

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: jaypipes

config/iam/recommended-inline-policy

@@ -14,7 +14,10 @@
                 "iam:DeletePolicy",
                 "iam:ListAttachedRolePolicies",
                 "iam:AttachRolePolicy",
-                "iam:DetachRolePolicy"
+                "iam:DetachRolePolicy",
+                "iam:ListRoleTags",
+                "iam:TagRole",
+                "iam:UntagRole"
             ],
             "Resource": "*"
         }

pkg/resource/role/hooks.go

@@ -19,6 +19,8 @@ import (
 	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
 	ackutil "github.com/aws-controllers-k8s/runtime/pkg/util"
 	svcsdk "github.com/aws/aws-sdk-go/service/iam"
+
+	svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1"
 )
 
 // syncPolicies examines the PolicyARNs in the supplied Role and calls the
@@ -53,14 +55,14 @@ func (rm *resourceManager) syncPolicies(
 	}
 
 	for _, p := range toAdd {
-		rlog.Debug("attaching policy to role", "policy_arn", *p)
-		if err = rm.attachPolicy(ctx, r, p); err != nil {
+		rlog.Debug("adding policy to role", "policy_arn", *p)
+		if err = rm.addPolicy(ctx, r, p); err != nil {
 			return err
 		}
 	}
 	for _, p := range toDelete {
-		rlog.Debug("detaching policy from role", "policy_arn", *p)
-		if err = rm.detachPolicy(ctx, r, p); err != nil {
+		rlog.Debug("removing policy from role", "policy_arn", *p)
+		if err = rm.removePolicy(ctx, r, p); err != nil {
 			return err
 		}
 	}
@@ -97,14 +99,14 @@ func (rm *resourceManager) getPolicies(
 	return res, err
 }
 
-// attachPolicy attaches the supplied Policy to the supplied Role resource
-func (rm *resourceManager) attachPolicy(
+// addPolicy adds the supplied Policy to the supplied Role resource
+func (rm *resourceManager) addPolicy(
 	ctx context.Context,
 	r *resource,
 	policyARN *string,
 ) (err error) {
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.attachPolicy")
+	exit := rlog.Trace("rm.addPolicy")
 	defer exit(err)
 
 	input := &svcsdk.AttachRolePolicyInput{}
@@ -115,14 +117,14 @@ func (rm *resourceManager) attachPolicy(
 	return err
 }
 
-// detachPolicy detaches the supplied Policy from the supplied Role resource
-func (rm *resourceManager) detachPolicy(
+// removePolicy removes the supplied Policy from the supplied Role resource
+func (rm *resourceManager) removePolicy(
 	ctx context.Context,
 	r *resource,
 	policyARN *string,
 ) (err error) {
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.detachPolicy")
+	exit := rlog.Trace("rm.removePolicy")
 	defer exit(err)
 
 	input := &svcsdk.DetachRolePolicyInput{}
@@ -132,3 +134,144 @@ func (rm *resourceManager) detachPolicy(
 	rm.metrics.RecordAPICall("DELETE", "DetachRolePolicy", err)
 	return err
 }
+
+// syncTags examines the Tags in the supplied Role and calls the ListRoleTags,
+// TagRole and UntagRole APIs to ensure that the set of associated Tags  stays
+// in sync with the Role.Spec.Tags
+func (rm *resourceManager) syncTags(
+	ctx context.Context,
+	r *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.syncTags")
+	defer exit(err)
+	toAdd := []*svcapitypes.Tag{}
+	toDelete := []*svcapitypes.Tag{}
+
+	existingTags, err := rm.getTags(ctx, r)
+	if err != nil {
+		return err
+	}
+
+	for _, t := range r.ko.Spec.Tags {
+		if !inTags(*t.Key, *t.Value, existingTags) {
+			toAdd = append(toAdd, t)
+		}
+	}
+
+	for _, t := range existingTags {
+		if !inTags(*t.Key, *t.Value, r.ko.Spec.Tags) {
+			toDelete = append(toDelete, t)
+		}
+	}
+
+	for _, t := range toAdd {
+		rlog.Debug("adding tag to role", "key", *t.Key, "value", *t.Value)
+	}
+	if err = rm.addTags(ctx, r, toAdd); err != nil {
+		return err
+	}
+	for _, t := range toDelete {
+		rlog.Debug("removing tag from role", "key", *t.Key, "value", *t.Value)
+	}
+	if err = rm.removeTags(ctx, r, toDelete); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// inTags returns true if the supplied key and value can be found in the
+// supplied list of Tag structs.
+//
+// TODO(jaypipes): When we finally standardize Tag handling in ACK, move this
+// to the ACK common runtime/ or pkg/ repos
+func inTags(
+	key string,
+	value string,
+	tags []*svcapitypes.Tag,
+) bool {
+	for _, t := range tags {
+		if *t.Key == key && *t.Value == value {
+			return true
+		}
+	}
+	return false
+}
+
+// getTags returns the list of Policy ARNs currently attached to the Role
+func (rm *resourceManager) getTags(
+	ctx context.Context,
+	r *resource,
+) ([]*svcapitypes.Tag, error) {
+	var err error
+	var resp *svcsdk.ListRoleTagsOutput
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.getTags")
+	defer exit(err)
+
+	input := &svcsdk.ListRoleTagsInput{}
+	input.RoleName = r.ko.Spec.Name
+	res := []*svcapitypes.Tag{}
+
+	for {
+		resp, err = rm.sdkapi.ListRoleTagsWithContext(ctx, input)
+		if err != nil || resp == nil {
+			break
+		}
+		for _, t := range resp.Tags {
+			res = append(res, &svcapitypes.Tag{Key: t.Key, Value: t.Value})
+		}
+		if resp.IsTruncated != nil && !*resp.IsTruncated {
+			break
+		}
+	}
+	rm.metrics.RecordAPICall("GET", "ListRoleTags", err)
+	return res, err
+}
+
+// addTags adds the supplied Tags to the supplied Role resource
+func (rm *resourceManager) addTags(
+	ctx context.Context,
+	r *resource,
+	tags []*svcapitypes.Tag,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.addTag")
+	defer exit(err)
+
+	input := &svcsdk.TagRoleInput{}
+	input.RoleName = r.ko.Spec.Name
+	inTags := []*svcsdk.Tag{}
+	for _, t := range tags {
+		inTags = append(inTags, &svcsdk.Tag{Key: t.Key, Value: t.Value})
+	}
+	input.Tags = inTags
+
+	_, err = rm.sdkapi.TagRoleWithContext(ctx, input)
+	rm.metrics.RecordAPICall("CREATE", "TagRole", err)
+	return err
+}
+
+// removeTags removes the supplied Tags from the supplied Role resource
+func (rm *resourceManager) removeTags(
+	ctx context.Context,
+	r *resource,
+	tags []*svcapitypes.Tag,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.removeTag")
+	defer exit(err)
+
+	input := &svcsdk.UntagRoleInput{}
+	input.RoleName = r.ko.Spec.Name
+	inTagKeys := []*string{}
+	for _, t := range tags {
+		inTagKeys = append(inTagKeys, t.Key)
+	}
+	input.TagKeys = inTagKeys
+
+	_, err = rm.sdkapi.UntagRoleWithContext(ctx, input)
+	rm.metrics.RecordAPICall("DELETE", "UntagRole", err)
+	return err
+}

pkg/resource/role/sdk.go

@@ -3,3 +3,8 @@
 	} else {
 		ko.Spec.Policies = policies
 	}
+	if tags, err := rm.getTags(ctx, &resource{ko}); err != nil {
+		return nil, err
+	} else {
+		ko.Spec.Tags = tags
+	}

templates/hooks/role/sdk_read_one_post_set_output.go.tpl

@@ -1,6 +1,9 @@
     if err := rm.syncPolicies(ctx, &resource{ko}); err != nil {
         return nil, err
     }
+    if err := rm.syncTags(ctx, &resource{ko}); err != nil {
+        return nil, err
+    }
     // There really isn't a status of a role... it either exists or doesn't. If
     // we get here, that means the update was successful and the desired state
     // of the role matches what we provided...

templates/hooks/role/sdk_update_post_set_output.go.tpl

@@ -7,3 +7,6 @@ spec:
   description: $ROLE_DESCRIPTION
   maxSessionDuration: $MAX_SESSION_DURATION
   assumeRolePolicyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}'
+  tags:
+    - key: tag1
+      value: val1

test/e2e/resources/role_simple.yaml

@@ -114,3 +114,17 @@ def get_attached_policy_arns(role_name):
         return [p['PolicyArn'] for p in resp['AttachedPolicies']]
     except c.exceptions.NoSuchEntityException:
         return None
+
+
+def get_tags(role_name):
+    """Returns a list containing the tags that have been associated to the
+    supplied Role.
+
+    If no such Role exists, returns None.
+    """
+    c = boto3.client('iam')
+    try:
+        resp = c.list_role_tags(RoleName=role_name)
+        return resp['Tags']
+    except c.exceptions.NoSuchEntityException:
+        return None

test/e2e/role.py

@@ -103,6 +103,36 @@ def test_crud(self):
         latest_policy_arns = role.get_attached_policy_arns(role_name)
         assert latest_policy_arns == policy_arns
 
+        # Same update code path check for tags...
+        latest_tags = role.get_tags(role_name)
+        before_update_expected_tags = [
+            {
+                "Key": "tag1",
+                "Value": "val1"
+            }
+        ]
+        assert latest_tags == before_update_expected_tags
+        new_tags = [
+            {
+                "key": "tag2",
+                "value": "val2",
+            }
+        ]
+        updates = {
+            "spec": {"tags": new_tags},
+        }
+        k8s.patch_custom_resource(ref, updates)
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+
+        after_update_expected_tags = [
+            {
+                "Key": "tag2",
+                "Value": "val2",
+            }
+        ]
+        latest_tags = role.get_tags(role_name)
+        assert latest_tags == after_update_expected_tags
+
         k8s.delete_custom_resource(ref)
 
         time.sleep(DELETE_WAIT_AFTER_SECONDS)