feat: sync assume role policy document (#74)

Issue #, if available: aws-controllers-k8s/community#1448, but this also includes `AssumeRolePolicyDocument` in general as these are not updated regardless of whether the document change is valid or not.

Description of changes:

Adds a call to sync the `spec.assumeRolePolicyDocument` object, alongside the corresponding AWS API calls.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: jdockerty

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2023-03-22T22:04:22Z"
-  build_hash: fa24753ea8b657d8815ae3eac7accd0958f5f9fb
-  go_version: go1.19
-  version: v0.25.0
+  build_date: "2023-04-03T14:40:28Z"
+  build_hash: a6ae2078e57187b2daf47978bc07bd67072d2cba
+  go_version: go1.19.6
+  version: v0.25.0-1-ga6ae207
 api_directory_checksum: 26341f700d12dfcd4033cf4203492fa381daa7b0
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93

pkg/resource/role/hooks.go

@@ -342,6 +342,25 @@ func (rm *resourceManager) removeInlinePolicy(
 	return err
 }
 
+// putAssumeRolePolicies calls the IAM API to set a given role's
+// assume role policy document.
+func (rm *resourceManager) putAssumeRolePolicy(
+	ctx context.Context,
+	r *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.putAssumeRolePolicy")
+	defer func() { exit(err) }()
+
+	input := &svcsdk.UpdateAssumeRolePolicyInput{
+		RoleName:       r.ko.Spec.Name,
+		PolicyDocument: r.ko.Spec.AssumeRolePolicyDocument,
+	}
+	_, err = rm.sdkapi.UpdateAssumeRolePolicyWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "UpdateAssumeRolePolicy", err)
+	return err
+}
+
 // compareTags is a custom comparison function for comparing lists of Tag
 // structs where the order of the structs in the list is not important.
 func compareTags(

pkg/resource/role/sdk.go

@@ -22,6 +22,12 @@
 			return nil, err
 		}
 	}
-	if !delta.DifferentExcept("Spec.Tags", "Spec.Policies", "Spec.InlinePolicies", "Spec.PermissionsBoundary") {
+	if delta.DifferentAt("Spec.AssumeRolePolicyDocument") {
+		err = rm.putAssumeRolePolicy(ctx, desired)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if !delta.DifferentExcept("Spec.Tags", "Spec.Policies", "Spec.InlinePolicies", "Spec.PermissionsBoundary", "Spec.AssumeRolePolicyDocument") {
 		return desired, nil
 	}

templates/hooks/role/sdk_update_pre_build_request.go.tpl

@@ -149,3 +149,16 @@ def get_inline_policies(role_name):
         return policies
     except c.exceptions.NoSuchEntityException:
         return None
+
+def get_assume_role_policy(role_name):
+    """Returns a dict representing the assume role policy document for the supplied Role.
+
+    If no such Role exists, returns None.
+    """
+    c = boto3.client('iam')
+    try:
+        resp = get(role_name)
+        return resp['AssumeRolePolicyDocument']
+    except c.exceptions.NoSuchEntityException:
+        return None
+

test/e2e/role.py

@@ -14,6 +14,7 @@
 """Integration tests for the IAM Role resource"""
 
 import logging
+import json
 import time
 
 import pytest
@@ -212,8 +213,68 @@ def test_crud(self, simple_role):
 
         cr = k8s.get_resource(ref)
         assert cr is not None
-        assert 'spec' in cr
-        assert 'inlinePolicies' not in cr['spec']
+        assert "spec" in cr
+        assert "inlinePolicies" not in cr["spec"]
 
         latest_inline_policies = role.get_inline_policies(role_name)
         assert len(latest_inline_policies) == 0
+
+        # AssumeRolePolicyDocument tests
+
+        assume_role_policy_doc = '''{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": ["ec2.amazonaws.com"]
+            },
+            "Action": ["sts:AssumeRole"]
+        }
+    ]}'''
+
+        cr = k8s.get_resource(ref)
+        assert cr is not None
+        assert 'spec' in cr
+        assert 'assumeRolePolicyDocument' in cr['spec']
+
+        assume_role_policy_as_obj = json.loads(assume_role_policy_doc)
+        k8s_assume_role_policy = json.loads(cr['spec']['assumeRolePolicyDocument'])
+        assert assume_role_policy_as_obj == k8s_assume_role_policy
+
+        assume_role_policy_to_deny_doc = '''{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Deny",
+            "Principal": {
+                "Service": ["ec2.amazonaws.com"]
+            },
+            "Action": ["sts:AssumeRole"]
+        }
+    ]}'''
+
+        updates = {
+            'spec': {
+                'assumeRolePolicyDocument': assume_role_policy_to_deny_doc,
+            }
+        }
+
+        k8s.patch_custom_resource(ref, updates)
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+
+        cr = k8s.get_resource(ref)
+        assert cr is not None
+        assert 'spec' in cr
+        assert 'assumeRolePolicyDocument' in cr['spec']
+
+        assume_role_policy_deny_obj = json.loads(assume_role_policy_to_deny_doc)
+        k8s_assume_role_policy_deny = json.loads(cr['spec']['assumeRolePolicyDocument'])
+        assert assume_role_policy_deny_obj == k8s_assume_role_policy_deny
+
+        # AWS slightly modifies the JSON structure underneath us here, so the documents
+        # are not identical. Instead, we can ensure that the change we made is reflected.
+        latest_assume_role_policy_doc = role.get_assume_role_policy(role_name)
+        assert latest_assume_role_policy_doc['Statement'][0]['Effect'] == k8s_assume_role_policy_deny['Statement'][0]['Effect']
+
+        # Assume role policies cannot be entirely deleted, so CRU is tested here.