add support for updating policy (#21)

The IAM Policy resource does not support direct updates. If you want to
modify the policy's Document, you need to call the `CreatePolicyVersion`
API call and set the new policy version as the policy's
DefaultVersionID. Fairly straightforward, as far as non-updateable
resources go.

The trick with IAM Policies is that you cannot have more than 5 policy
versions associated with a user-managed Policy. This means that if you
attempt to make more than 4 calls to `CreatePolicyVersion`, you will get
errors back from IAM. So, instead, you must call `DeletePolicyVersion`
and delete one of the previous policy versions (not the one set as the
default, though).

Similarly, when attempting to delete a Policy, if there is more than a
single PolicyVersion associated with the Policy, you must first delete
all policy versions *except* the one that is the policy's DefaultVersion
before calling `DeletePolicy`, which is the only way to delete the
policy version that is the default for a policy.

This patch adds support for the above update and delete code paths,
combining all of the various calls to `ListPolicyVersions`,
`GetPolicyVersion` (to get the policy's Document),
`CreatePolicyVersion`, and `DeletePolicyVersion` APIs to make an IAM
Policy resource behave in a "normal Kubernetes way" -- in other words,
the Kubernetes user simply changes the desired state of the Policy
(including the Policy's `Spec.PolicyDocument` field) and the controller
takes care of actuating those changes.

Closes Issue: aws-controllers-k8s/community#1124

Signed-off-by: Jay Pipes <[email protected]>

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: jaypipes

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2022-03-02T19:05:38Z"
-  build_hash: ade2429bb444ab635916395ea5773d141ba135e1
-  go_version: go1.17.5
+  build_date: "2022-03-21T17:58:09Z"
+  build_hash: 0b5dc38297ec74d54da4dd326a3988dc3de68b78
+  go_version: go1.17
   version: v0.17.2
 api_directory_checksum: 7d8d584cdaec82ab61d867fc030cb9bb45ac706f
 api_version: v1alpha1
 aws_sdk_go_version: v1.42.0
 generator_config_info:
-  file_checksum: 72469db1ef2738db804a8c42687c20305eadc2c1
+  file_checksum: adee4dfc3bba2124bb0b30542295e33fa5387f20
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -30,8 +30,8 @@ resources:
     hooks:
       sdk_read_one_post_set_output:
         template_path: hooks/policy/sdk_read_one_post_set_output.go.tpl
-      sdk_create_post_set_output:
-        template_path: hooks/policy/sdk_create_post_set_output.go.tpl
+      sdk_delete_pre_build_request:
+        template_path: hooks/policy/sdk_delete_pre_build_request.go.tpl
     update_operation:
       # There is no `UpdatePolicy` API operation. The only way to update a 
       # policy is to update the properties individually (only a few properties

config/controller/deployment.yaml

@@ -28,6 +28,8 @@ spec:
         args:
         - --aws-region
         - "$(AWS_REGION)"
+        - --aws-endpoint-url
+        - "$(AWS_ENDPOINT_URL)"
         - --enable-development-logging
         - "$(ACK_ENABLE_DEVELOPMENT_LOGGING)"
         - --log-level
@@ -53,6 +55,18 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: AWS_REGION
+          value: ""
+        - name: AWS_ENDPOINT_URL
+          value: ""
+        - name: ACK_WATCH_NAMESPACE
+          value: ""
+        - name: ACK_ENABLE_DEVELOPMENT_LOGGING
+          value: "false"
+        - name: ACK_LOG_LEVEL
+          value: "info"
+        - name: ACK_RESOURCE_TAGS
+          value: "services.k8s.aws/managed=true,services.k8s.aws/created=%UTCNOW%,services.k8s.aws/namespace=%KUBERNETES_NAMESPACE%"
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false

config/iam/recommended-inline-policy

@@ -12,10 +12,16 @@
                 "iam:GetPolicy",
                 "iam:CreatePolicy",
                 "iam:DeletePolicy",
+                "iam:GetPolicyVersion",
+                "iam:CreatePolicyVersion",
+                "iam:DeletePolicyVersion",
+                "iam:ListPolicyVersions",
                 "iam:ListAttachedRolePolicies",
                 "iam:AttachRolePolicy",
                 "iam:DetachRolePolicy",
                 "iam:ListRoleTags",
+                "iam:TagPolicy",
+                "iam:UntagPolicy",
                 "iam:TagRole",
                 "iam:UntagRole"
             ],

generator.yaml

@@ -30,8 +30,8 @@ resources:
     hooks:
       sdk_read_one_post_set_output:
         template_path: hooks/policy/sdk_read_one_post_set_output.go.tpl
-      sdk_create_post_set_output:
-        template_path: hooks/policy/sdk_create_post_set_output.go.tpl
+      sdk_delete_pre_build_request:
+        template_path: hooks/policy/sdk_delete_pre_build_request.go.tpl
     update_operation:
       # There is no `UpdatePolicy` API operation. The only way to update a 
       # policy is to update the properties individually (only a few properties