Allow Policies to be attached to a Role (#8)

jaypipes · web-flow · commit b55fa2170422 · 2021-12-14T08:32:07.000-08:00
Adds a new `Role.Spec.Policies` field, of type `[]*string` that contains zero or more Policy ARNs that should be attached to the Role. The controller uses custom code in a new `pkg/resource/role/hooks.go` file that evaluates which Policy ARNs to add or remove from a Policy and calls the IAM ListAttachedRolePolicies, AttachRolePolicy and DetachRolePolicy API calls. Signed-off-by: Jay Pipes <jaypipes@gmail.com> Issue aws-controllers-k8s/community#222 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2021-12-12T13:43:21Z"
+  build_date: "2021-12-13T15:45:31Z"
   build_hash: 285d87b66b62fbfb859986ddf74c9f9b6ae743fb
   go_version: go1.17
   version: v0.15.2
-api_directory_checksum: 2cb2270674b7b11376f9dd8bb8e421f381e929e2
+api_directory_checksum: 686100a0137cba404a403f0184c1870ca2cbac47
 api_version: v1alpha1
 aws_sdk_go_version: v1.40.2
 generator_config_info:
-  file_checksum: 6ada881f79941709582e58538bf5ac4ef6144787
+  file_checksum: 0a2481b5bcfedf9ae4233187571a15231f48b8aa
   original_file_name: generator.yaml
 last_modification:
   reason: API generation
diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml
@@ -88,3 +88,9 @@ resources:
           - from: PermissionsBoundary.PermissionsBoundaryArn
       Path:
         late_initialize: {}
+      # In order to support attaching zero or more policies to a role, we use
+      # custom update code path code that uses the Attach/DetachRolePolicy API
+      # calls to manage the set of PolicyARNs attached to this Role.
+      Policies:
+        custom_field:
+          list_of: AttachRolePolicyInput.PolicyArn
diff --git a/apis/v1alpha1/role.go b/apis/v1alpha1/role.go
diff --git a/apis/v1alpha1/types.go b/apis/v1alpha1/types.go
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/iam.services.k8s.aws_roles.yaml b/config/crd/bases/iam.services.k8s.aws_roles.yaml
@@ -97,6 +97,10 @@ spec:
                 description: The ARN of the policy that is used to set the permissions
                   boundary for the role.
                 type: string
+              policies:
+                items:
+                  type: string
+                type: array
               tags:
                 description: "A list of tags that you want to attach to the new role.
                   Each tag consists of a key name and an associated value. For more
diff --git a/config/iam/recommended-inline-policy b/config/iam/recommended-inline-policy
@@ -11,7 +11,10 @@
                 "iam:UpdateRole".
                 "iam:GetPolicy",
                 "iam:CreatePolicy",
-                "iam:DeletePolicy"
+                "iam:DeletePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:AttachRolePolicy",
+                "iam:DetachRolePolicy"
             ],
             "Resource": "*"
         }
diff --git a/generator.yaml b/generator.yaml
@@ -57,6 +57,8 @@ resources:
         late_initialize: {}
   Role:
     hooks:
+      sdk_read_one_post_set_output:
+        template_path: hooks/role/sdk_read_one_post_set_output.go.tpl
       sdk_create_post_set_output:
         template_path: hooks/role/sdk_create_post_set_output.go.tpl
       sdk_update_post_set_output:
@@ -88,3 +90,9 @@ resources:
           - from: PermissionsBoundary.PermissionsBoundaryArn
       Path:
         late_initialize: {}
+      # In order to support attaching zero or more policies to a role, we use
+      # custom update code path code that uses the Attach/DetachRolePolicy API
+      # calls to manage the set of PolicyARNs attached to this Role.
+      Policies:
+        custom_field:
+          list_of: AttachRolePolicyInput.PolicyArn
diff --git a/helm/crds/iam.services.k8s.aws_roles.yaml b/helm/crds/iam.services.k8s.aws_roles.yaml
@@ -97,6 +97,20 @@ spec:
                 description: The ARN of the policy that is used to set the permissions
                   boundary for the role.
                 type: string
+              policies:
+                items:
+                  properties:
+                    policyARN:
+                      description: "The Amazon Resource Name (ARN). ARNs are unique
+                        identifiers for Amazon Web Services resources. \n For more
+                        information about ARNs, go to Amazon Resource Names (ARNs)
+                        (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+                        in the Amazon Web Services General Reference."
+                      type: string
+                    roleName:
+                      type: string
+                  type: object
+                type: array
               tags:
                 description: "A list of tags that you want to attach to the new role.
                   Each tag consists of a key name and an associated value. For more
diff --git a/pkg/resource/role/delta.go b/pkg/resource/role/delta.go
diff --git a/pkg/resource/role/hooks.go b/pkg/resource/role/hooks.go
@@ -0,0 +1,134 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package role
+
+import (
+	"context"
+
+	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
+	ackutil "github.com/aws-controllers-k8s/runtime/pkg/util"
+	svcsdk "github.com/aws/aws-sdk-go/service/iam"
+)
+
+// syncPolicies examines the PolicyARNs in the supplied Role and calls the
+// ListRolePolicies, AttachRolePolicy and DetachRolePolicy APIs to ensure that
+// the set of attached policies stays in sync with the Role.Spec.Policies
+// field, which is a list of strings containing Policy ARNs.
+func (rm *resourceManager) syncPolicies(
+	ctx context.Context,
+	r *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.syncPolicies")
+	defer exit(err)
+	toAdd := []*string{}
+	toDelete := []*string{}
+
+	existingPolicies, err := rm.getPolicies(ctx, r)
+	if err != nil {
+		return err
+	}
+
+	for _, p := range r.ko.Spec.Policies {
+		if !ackutil.InStringPs(*p, existingPolicies) {
+			toAdd = append(toAdd, p)
+		}
+	}
+
+	for _, p := range existingPolicies {
+		if !ackutil.InStringPs(*p, r.ko.Spec.Policies) {
+			toDelete = append(toDelete, p)
+		}
+	}
+
+	for _, p := range toAdd {
+		rlog.Debug("attaching policy to role", "policy_arn", *p)
+		if err = rm.attachPolicy(ctx, r, p); err != nil {
+			return err
+		}
+	}
+	for _, p := range toDelete {
+		rlog.Debug("detaching policy from role", "policy_arn", *p)
+		if err = rm.detachPolicy(ctx, r, p); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// getPolicies returns the list of Policy ARNs currently attached to the Role
+func (rm *resourceManager) getPolicies(
+	ctx context.Context,
+	r *resource,
+) ([]*string, error) {
+	var err error
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.getPolicies")
+	defer exit(err)
+
+	input := &svcsdk.ListAttachedRolePoliciesInput{}
+	input.RoleName = r.ko.Spec.Name
+	res := []*string{}
+
+	err = rm.sdkapi.ListAttachedRolePoliciesPagesWithContext(
+		ctx, input, func(page *svcsdk.ListAttachedRolePoliciesOutput, _ bool) bool {
+			if page == nil {
+				return true
+			}
+			for _, p := range page.AttachedPolicies {
+				res = append(res, p.PolicyArn)
+			}
+			return page.IsTruncated != nil && *page.IsTruncated
+		},
+	)
+	rm.metrics.RecordAPICall("GET", "ListAttachedRolePolicies", err)
+	return res, err
+}
+
+// attachPolicy attaches the supplied Policy to the supplied Role resource
+func (rm *resourceManager) attachPolicy(
+	ctx context.Context,
+	r *resource,
+	policyARN *string,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.attachPolicy")
+	defer exit(err)
+
+	input := &svcsdk.AttachRolePolicyInput{}
+	input.RoleName = r.ko.Spec.Name
+	input.PolicyArn = policyARN
+	_, err = rm.sdkapi.AttachRolePolicyWithContext(ctx, input)
+	rm.metrics.RecordAPICall("CREATE", "AttachRolePolicy", err)
+	return err
+}
+
+// detachPolicy detaches the supplied Policy from the supplied Role resource
+func (rm *resourceManager) detachPolicy(
+	ctx context.Context,
+	r *resource,
+	policyARN *string,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.detachPolicy")
+	defer exit(err)
+
+	input := &svcsdk.DetachRolePolicyInput{}
+	input.RoleName = r.ko.Spec.Name
+	input.PolicyArn = policyARN
+	_, err = rm.sdkapi.DetachRolePolicyWithContext(ctx, input)
+	rm.metrics.RecordAPICall("DELETE", "DetachRolePolicy", err)
+	return err
+}
diff --git a/pkg/resource/role/sdk.go b/pkg/resource/role/sdk.go
diff --git a/templates/hooks/role/sdk_create_post_set_output.go.tpl b/templates/hooks/role/sdk_create_post_set_output.go.tpl
@@ -1,3 +1,6 @@
+    if err := rm.syncPolicies(ctx, &resource{ko}); err != nil {
+        return nil, err
+    }
     // There really isn't a status of a role... it either exists or doesn't. If
     // we get here, that means the creation was successful and the desired
     // state of the role matches what we provided...
diff --git a/templates/hooks/role/sdk_delete_pre_build_request.go.tpl b/templates/hooks/role/sdk_delete_pre_build_request.go.tpl
@@ -0,0 +1,5 @@
+	// This causes syncPolicies to delete all associated policies from the role
+	r.ko.Spec.Policies = []*string{}
+	if err := rm.syncPolicies(ctx, r); err != nil {
+		return nil, err
+	}
diff --git a/templates/hooks/role/sdk_read_one_post_set_output.go.tpl b/templates/hooks/role/sdk_read_one_post_set_output.go.tpl
@@ -0,0 +1,5 @@
+	if policies, err := rm.getPolicies(ctx, &resource{ko}); err != nil {
+		return nil, err
+	} else {
+		ko.Spec.Policies = policies
+	}
diff --git a/templates/hooks/role/sdk_update_post_set_output.go.tpl b/templates/hooks/role/sdk_update_post_set_output.go.tpl
@@ -1,3 +1,6 @@
+    if err := rm.syncPolicies(ctx, &resource{ko}); err != nil {
+        return nil, err
+    }
     // There really isn't a status of a role... it either exists or doesn't. If
     // we get here, that means the update was successful and the desired state
     // of the role matches what we provided...
diff --git a/test/e2e/role.py b/test/e2e/role.py
@@ -100,3 +100,17 @@ def get(role_name):
         return resp['Role']
     except c.exceptions.NoSuchEntityException:
         return None
+
+
+def get_attached_policy_arns(role_name):
+    """Returns a list containing the policy ARNs that have been attached to the
+    supplied Role.
+
+    If no such Role exists, returns None.
+    """
+    c = boto3.client('iam')
+    try:
+        resp = c.list_attached_role_policies(RoleName=role_name)
+        return [p['PolicyArn'] for p in resp['AttachedPolicies']]
+    except c.exceptions.NoSuchEntityException:
+        return None
diff --git a/test/e2e/tests/test_role.py b/test/e2e/tests/test_role.py
@@ -90,6 +90,19 @@ def test_crud(self):
         assert latest is not None
         assert latest['MaxSessionDuration'] == new_max_sess_duration
 
+        # Test the code paths that synchronize the attached policies for a role
+        policy_arns = [
+            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
+        ]
+        updates = {
+            "spec": {"policies": policy_arns},
+        }
+        k8s.patch_custom_resource(ref, updates)
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+
+        latest_policy_arns = role.get_attached_policy_arns(role_name)
+        assert latest_policy_arns == policy_arns
+
         k8s.delete_custom_resource(ref)
 
         time.sleep(DELETE_WAIT_AFTER_SECONDS)
