diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index 92540f8..d5cc216 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,13 +1,13 @@ ack_generate_info: - build_date: "2025-07-22T22:04:27Z" - build_hash: b2dc0f44e0b08f041de14c3944a5cc005ba97c8f + build_date: "2025-08-13T20:33:51Z" + build_hash: dd7115d68c972714778e2bdd55a6f8b792494b97 go_version: go1.24.5 - version: v0.50.0 -api_directory_checksum: fcb205ac280ed1b0f107a291e5ea43d93c0991e9 + version: v0.50.0-4-gdd7115d +api_directory_checksum: 6542a06695f8efcbc850caadb0383cc73ca9d712 api_version: v1alpha1 aws_sdk_go_version: v1.32.6 generator_config_info: - file_checksum: 9e30795ffa094ac7b68fe2bcb6913b0a2d7bccba + file_checksum: 9b330e4994e00d43b1672ac1dc7773e35e9fc432 original_file_name: generator.yaml last_modification: reason: API generation diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml index 27f288c..71a6fb5 100644 --- a/apis/v1alpha1/generator.yaml +++ b/apis/v1alpha1/generator.yaml @@ -9,7 +9,7 @@ ignore: #- Policy - PolicyVersion #- Role - - SAMLProvider + #- SAMLProvider #- ServiceLinkedRole - ServiceSpecificCredential #- User 
@@ -148,31 +148,7 @@ resources: - InvalidInput - MalformedPolicyDocument fields: - # Left for historical purposes. It looks like late_initialize is was - # causing the controller to infinitely requeue (every 5 seconds) when the - # description was set to nil. Not it looks like this is not needed - # anymore. - # Note(a-hilaly): Very likely the API behavior has changed and the - # late_initialize is no longer needed. - # Description: - # You might be wondering why description is late-initialized, since - # there isn't a default server-side value for description. - # - # The CreatePolicy API call accepts a Description field in the input - # and the documentation (and API model) say that a Description field is - # included in the returned response from CreatePolicy, however the - # Description returned from the CreatePolicy API call is always - # missing/nil which means the SetResource code sets the - # Spec.Description to nil. When the next time the GetPolicy API call is - # made in the next reconciliation loop, GetPolicy returns the - # description that was originally set in the CreatePolicy API call and - # a Delta difference is discovered erroneously (because the SetResource - # call after CreatePolicy incorrectly set the description to nil). So, - # we set the late initialize property of the Description field here to - # override the Spec.Description to the original value we set in the - # CreatePolicy *input* shape. - #late_initialize: {} set: - ignore: true method: Create @@ -221,13 +197,10 @@ resources: set: # The input and output shapes are different... - from: PermissionsBoundary.PermissionsBoundaryArn - # Left for historical purposes. Description: set: - ignore: true method: Create - # See above in Policy resource about why this is here. - # late_initialize: {} Path: late_initialize: {} # In order to support attaching zero or more policies to a role, we use 
@@ -282,6 +255,31 @@ resources: is_ignored: true update_operation: custom_method_name: customUpdateOpenIDConnectProvider + SAMLProvider: + hooks: + sdk_create_post_set_output: + template_path: hooks/saml_provider/sdk_create_post_set_output.go.tpl + sdk_update_pre_build_request: + template_path: hooks/saml_provider/sdk_update_pre_build_request.go.tpl + sdk_read_one_post_set_output: + template_path: hooks/saml_provider/sdk_read_one_post_set_output.go.tpl + exceptions: + errors: + 404: + code: NoSuchEntityException + terminal_codes: + - InvalidInputException + - EntityAlreadyExistsException + fields: + SAMLProviderArn: + is_arn_primary_key: true + Name: + is_immutable: true + is_primary_key: true + CreateDate: + is_read_only: true + ValidUntil: + is_read_only: true User: hooks: delta_pre_compare: @@ -361,4 +359,4 @@ resources: custom_method_name: customUpdateServiceLinkedRole exceptions: terminal_codes: - - InvalidInput + - InvalidInput \ No newline at end of file diff --git a/apis/v1alpha1/saml_provider.go b/apis/v1alpha1/saml_provider.go new file mode 100644 index 0000000..2070f44 --- /dev/null +++ b/apis/v1alpha1/saml_provider.go 
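Review bot: The new `SAMLProvider` block in `apis/v1alpha1/generator.yaml` spells its error codes with an `Exception` suffix (`NoSuchEntityException` for the 404 mapping, `InvalidInputException` and `EntityAlreadyExistsException` as terminal codes), while the other resources visible in this file use the bare form, e.g. `- InvalidInput`. If IAM reports the bare codes, as the existing entries suggest, the 404 mapping would not recognise a missing provider and the terminal codes would never match, so a rejected spec would presumably keep being retried. I would write `code: NoSuchEntity`, `- InvalidInput` and `- EntityAlreadyExists`, or confirm against the SDK which string the controller compares. The same block is repeated in the root `generator.yaml` hunk further down and should change with it.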
@@ -0,0 +1,91 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package v1alpha1 + +import ( + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// SAMLProviderSpec defines the desired state of SAMLProvider. +type SAMLProviderSpec struct { + + // The name of the provider to create. + // + // This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + // a string of characters consisting of upper and lowercase alphanumeric characters + // with no spaces. You can also include any of the following characters: _+=,.@- + // + // Regex Pattern: `^[\w._-]+$` + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + // +kubebuilder:validation:Required + Name *string `json:"name"` + // An XML document generated by an identity provider (IdP) that supports SAML + // 2.0. The document includes the issuer's name, expiration information, and + // keys that can be used to validate the SAML authentication response (assertions) + // that are received from the IdP. You must generate the metadata document using + // the identity management software that is used as your organization's IdP. 
+ // + // For more information, see About SAML 2.0-based federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) + // in the IAM User Guide + // +kubebuilder:validation:Required + SAMLMetadataDocument *string `json:"sAMLMetadataDocument"` + // A list of tags that you want to attach to the new IAM SAML provider. Each + // tag consists of a key name and an associated value. For more information + // about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + // in the IAM User Guide. + // + // If any one of the tags is invalid or if you exceed the allowed maximum number + // of tags, then the entire request fails and the resource is not created. + Tags []*Tag `json:"tags,omitempty"` +} + +// SAMLProviderStatus defines the observed state of SAMLProvider +type SAMLProviderStatus struct { + // All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + // that is used to contain resource sync state, account ownership, + // constructed ARN for the resource + // +kubebuilder:validation:Optional + ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"` + // All CRs managed by ACK have a common `Status.Conditions` member that + // contains a collection of `ackv1alpha1.Condition` objects that describe + // the various terminal states of the CR and its backend AWS service API + // resource + // +kubebuilder:validation:Optional + Conditions []*ackv1alpha1.Condition `json:"conditions"` +} + +// SAMLProvider is the Schema for the SAMLProviders API +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +type SAMLProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec SAMLProviderSpec `json:"spec,omitempty"` + Status SAMLProviderStatus `json:"status,omitempty"` +} + +// SAMLProviderList contains a list of SAMLProvider +// +kubebuilder:object:root=true +type SAMLProviderList struct { + 
metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []SAMLProvider `json:"items"` +} + +func init() { + SchemeBuilder.Register(&SAMLProvider{}, &SAMLProviderList{}) +} diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go index 1c68e4b..d28df44 100644 --- a/apis/v1alpha1/zz_generated.deepcopy.go +++ b/apis/v1alpha1/zz_generated.deepcopy.go 
@@ -1843,6 +1843,65 @@ func (in *Role_SDK) DeepCopy() *Role_SDK { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SAMLProvider) DeepCopyInto(out *SAMLProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SAMLProvider. +func (in *SAMLProvider) DeepCopy() *SAMLProvider { + if in == nil { + return nil + } + out := new(SAMLProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SAMLProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SAMLProviderList) DeepCopyInto(out *SAMLProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SAMLProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SAMLProviderList. +func (in *SAMLProviderList) DeepCopy() *SAMLProviderList { + if in == nil { + return nil + } + out := new(SAMLProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SAMLProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SAMLProviderListEntry) DeepCopyInto(out *SAMLProviderListEntry) { *out = *in 
@@ -1871,6 +1930,73 @@ func (in *SAMLProviderListEntry) DeepCopy() *SAMLProviderListEntry { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SAMLProviderSpec) DeepCopyInto(out *SAMLProviderSpec) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.SAMLMetadataDocument != nil { + in, out := &in.SAMLMetadataDocument, &out.SAMLMetadataDocument + *out = new(string) + **out = **in + } + if in.Tags != nil { + in, out := &in.Tags, &out.Tags + *out = make([]*Tag, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(Tag) + (*in).DeepCopyInto(*out) + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SAMLProviderSpec. +func (in *SAMLProviderSpec) DeepCopy() *SAMLProviderSpec { + if in == nil { + return nil + } + out := new(SAMLProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SAMLProviderStatus) DeepCopyInto(out *SAMLProviderStatus) { + *out = *in + if in.ACKResourceMetadata != nil { + in, out := &in.ACKResourceMetadata, &out.ACKResourceMetadata + *out = new(corev1alpha1.ResourceMetadata) + (*in).DeepCopyInto(*out) + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]*corev1alpha1.Condition, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(corev1alpha1.Condition) + (*in).DeepCopyInto(*out) + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SAMLProviderStatus. 
+func (in *SAMLProviderStatus) DeepCopy() *SAMLProviderStatus { + if in == nil { + return nil + } + out := new(SAMLProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SSHPublicKey) DeepCopyInto(out *SSHPublicKey) { *out = *in diff --git a/cmd/controller/main.go b/cmd/controller/main.go index 90b7f12..e8b91fe 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -44,6 +44,7 @@ import ( _ "github.com/aws-controllers-k8s/iam-controller/pkg/resource/open_id_connect_provider" _ "github.com/aws-controllers-k8s/iam-controller/pkg/resource/policy" _ "github.com/aws-controllers-k8s/iam-controller/pkg/resource/role" + _ "github.com/aws-controllers-k8s/iam-controller/pkg/resource/saml_provider" _ "github.com/aws-controllers-k8s/iam-controller/pkg/resource/service_linked_role" _ "github.com/aws-controllers-k8s/iam-controller/pkg/resource/user" diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 3f03760..0143bbb 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/iam-controller - newTag: 1.4.4 + newTag: 0.0.0-non-release-version diff --git a/config/crd/bases/iam.services.k8s.aws_samlproviders.yaml b/config/crd/bases/iam.services.k8s.aws_samlproviders.yaml new file mode 100644 index 0000000..6f5421a --- /dev/null +++ b/config/crd/bases/iam.services.k8s.aws_samlproviders.yaml 
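Review bot: `newTag` in `config/controller/kustomization.yaml` goes from the released `1.4.4` to `0.0.0-non-release-version`, which reads like the output of a local, untagged generator run rather than an intended change; the metadata file's `version: v0.50.0-4-gdd7115d` points the same way. The same placeholder lands in `helm/Chart.yaml` (`version`, `appVersion`), `helm/templates/NOTES.txt` and `helm/values.yaml` (`tag`). Unless an image is actually published under that tag, a deployment built from this commit would reference an image that cannot be pulled, and the manifests no longer say which reviewed release they correspond to. I would restore `newTag: 1.4.4` and the matching Helm values, or regenerate with the release version set.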
@@ -0,0 +1,164 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + name: samlproviders.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: SAMLProvider + listKind: SAMLProviderList + plural: samlproviders + singular: samlprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SAMLProvider is the Schema for the SAMLProviders API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SAMLProviderSpec defines the desired state of SAMLProvider. + properties: + name: + description: |- + The name of the provider to create. + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of upper and lowercase alphanumeric characters + with no spaces. You can also include any of the following characters: _+=,.@- + + Regex Pattern: `^[\w._-]+$` + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + sAMLMetadataDocument: + description: |- + An XML document generated by an identity provider (IdP) that supports SAML + 2.0. 
The document includes the issuer's name, expiration information, and + keys that can be used to validate the SAML authentication response (assertions) + that are received from the IdP. You must generate the metadata document using + the identity management software that is used as your organization's IdP. + + For more information, see About SAML 2.0-based federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) + in the IAM User Guide + type: string + tags: + description: |- + A list of tags that you want to attach to the new IAM SAML provider. Each + tag consists of a key name and an associated value. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + - sAMLMetadataDocument + type: object + status: + description: SAMLProviderStatus defines the observed state of SAMLProvider + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. 
This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRs managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 8804161..147135d 100644 
--- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -7,5 +7,6 @@ resources: - bases/iam.services.k8s.aws_openidconnectproviders.yaml - bases/iam.services.k8s.aws_policies.yaml - bases/iam.services.k8s.aws_roles.yaml + - bases/iam.services.k8s.aws_samlproviders.yaml - bases/iam.services.k8s.aws_servicelinkedroles.yaml - bases/iam.services.k8s.aws_users.yaml diff --git a/config/rbac/cluster-role-controller.yaml b/config/rbac/cluster-role-controller.yaml index 8344b9b..14a3ea2 100644 --- a/config/rbac/cluster-role-controller.yaml +++ b/config/rbac/cluster-role-controller.yaml @@ -30,6 +30,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: @@ -48,6 +49,7 @@ rules: - openidconnectproviders/status - policies/status - roles/status + - samlproviders/status - servicelinkedroles/status - users/status verbs: diff --git a/config/rbac/role-reader.yaml b/config/rbac/role-reader.yaml index d68acf3..0fe774a 100644 --- a/config/rbac/role-reader.yaml +++ b/config/rbac/role-reader.yaml @@ -14,6 +14,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: diff --git a/config/rbac/role-writer.yaml b/config/rbac/role-writer.yaml index 463fae0..965cf93 100644 --- a/config/rbac/role-writer.yaml +++ b/config/rbac/role-writer.yaml @@ -14,6 +14,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: @@ -32,6 +33,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: diff --git a/generator.yaml b/generator.yaml index 27f288c..71a6fb5 100644 --- a/generator.yaml +++ b/generator.yaml @@ -9,7 +9,7 @@ ignore: #- Policy - PolicyVersion #- Role - - SAMLProvider + #- SAMLProvider #- ServiceLinkedRole - ServiceSpecificCredential #- User 
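Review bot: Adding `samlproviders` to both rule lists of `config/rbac/role-writer.yaml` widens what an existing binding to that role can do, and nothing in the diff documents it. Per the field description in this commit, `sAMLMetadataDocument` carries the keys used to validate SAML assertions, so write access to this kind lets the holder register or replace an identity provider in the AWS account through the controller's credentials. I would call that out where operators will see it, for example `# samlproviders: write access controls which IdP signing keys the AWS account trusts` above the entry, or in the release notes if this file is regenerated. The same applies to `helm/templates/role-writer.yaml`.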
@@ -148,31 +148,7 @@ resources: - InvalidInput - MalformedPolicyDocument fields: - # Left for historical purposes. It looks like late_initialize is was - # causing the controller to infinitely requeue (every 5 seconds) when the - # description was set to nil. Not it looks like this is not needed - # anymore. - # Note(a-hilaly): Very likely the API behavior has changed and the - # late_initialize is no longer needed. - # Description: - # You might be wondering why description is late-initialized, since - # there isn't a default server-side value for description. - # - # The CreatePolicy API call accepts a Description field in the input - # and the documentation (and API model) say that a Description field is - # included in the returned response from CreatePolicy, however the - # Description returned from the CreatePolicy API call is always - # missing/nil which means the SetResource code sets the - # Spec.Description to nil. When the next time the GetPolicy API call is - # made in the next reconciliation loop, GetPolicy returns the - # description that was originally set in the CreatePolicy API call and - # a Delta difference is discovered erroneously (because the SetResource - # call after CreatePolicy incorrectly set the description to nil). So, - # we set the late initialize property of the Description field here to - # override the Spec.Description to the original value we set in the - # CreatePolicy *input* shape. - #late_initialize: {} set: - ignore: true method: Create @@ -221,13 +197,10 @@ resources: set: # The input and output shapes are different... - from: PermissionsBoundary.PermissionsBoundaryArn - # Left for historical purposes. Description: set: - ignore: true method: Create - # See above in Policy resource about why this is here. - # late_initialize: {} Path: late_initialize: {} # In order to support attaching zero or more policies to a role, we use 
@@ -282,6 +255,31 @@ resources: is_ignored: true update_operation: custom_method_name: customUpdateOpenIDConnectProvider + SAMLProvider: + hooks: + sdk_create_post_set_output: + template_path: hooks/saml_provider/sdk_create_post_set_output.go.tpl + sdk_update_pre_build_request: + template_path: hooks/saml_provider/sdk_update_pre_build_request.go.tpl + sdk_read_one_post_set_output: + template_path: hooks/saml_provider/sdk_read_one_post_set_output.go.tpl + exceptions: + errors: + 404: + code: NoSuchEntityException + terminal_codes: + - InvalidInputException + - EntityAlreadyExistsException + fields: + SAMLProviderArn: + is_arn_primary_key: true + Name: + is_immutable: true + is_primary_key: true + CreateDate: + is_read_only: true + ValidUntil: + is_read_only: true User: hooks: delta_pre_compare: @@ -361,4 +359,4 @@ resources: custom_method_name: customUpdateServiceLinkedRole exceptions: terminal_codes: - - InvalidInput + - InvalidInput \ No newline at end of file diff --git a/go.mod b/go.mod index b84aa4a..2abd1bc 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/micahhausler/aws-iam-policy v0.4.2 github.com/samber/lo v1.37.0 github.com/spf13/pflag v1.0.5 + github.com/stretchr/testify v1.9.0 k8s.io/api v0.32.1 k8s.io/apimachinery v0.32.1 k8s.io/client-go v0.32.1 @@ -66,6 +67,7 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.55.0 // indirect diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 0f320e7..ddba43e 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v1 name: iam-chart description: A Helm chart for the ACK service controller for AWS Identity & Access Management (IAM) -version: 1.4.4 -appVersion: 1.4.4 +version: 0.0.0-non-release-version +appVersion: 0.0.0-non-release-version home: https://github.com/aws-controllers-k8s/iam-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/crds/iam.services.k8s.aws_samlproviders.yaml b/helm/crds/iam.services.k8s.aws_samlproviders.yaml new file mode 100644 index 0000000..6f5421a --- /dev/null +++ b/helm/crds/iam.services.k8s.aws_samlproviders.yaml 
@@ -0,0 +1,164 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + name: samlproviders.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: SAMLProvider + listKind: SAMLProviderList + plural: samlproviders + singular: samlprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SAMLProvider is the Schema for the SAMLProviders API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SAMLProviderSpec defines the desired state of SAMLProvider. + properties: + name: + description: |- + The name of the provider to create. + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of upper and lowercase alphanumeric characters + with no spaces. You can also include any of the following characters: _+=,.@- + + Regex Pattern: `^[\w._-]+$` + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + sAMLMetadataDocument: + description: |- + An XML document generated by an identity provider (IdP) that supports SAML + 2.0. 
The document includes the issuer's name, expiration information, and + keys that can be used to validate the SAML authentication response (assertions) + that are received from the IdP. You must generate the metadata document using + the identity management software that is used as your organization's IdP. + + For more information, see About SAML 2.0-based federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) + in the IAM User Guide + type: string + tags: + description: |- + A list of tags that you want to attach to the new IAM SAML provider. Each + tag consists of a key name and an associated value. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + - sAMLMetadataDocument + type: object + status: + description: SAMLProviderStatus defines the observed state of SAMLProvider + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. 
This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRs managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 11c6040..0a9df91 100644 --- a/helm/templates/NOTES.txt 
+++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:1.4.4". +This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:0.0.0-non-release-version". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index a9f7d06..2322bba 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -77,6 +77,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: @@ -95,6 +96,7 @@ rules: - openidconnectproviders/status - policies/status - roles/status + - samlproviders/status - servicelinkedroles/status - users/status verbs: diff --git a/helm/templates/caches-role-binding.yaml b/helm/templates/caches-role-binding.yaml index d06dfa2..d0e889a 100644 --- a/helm/templates/caches-role-binding.yaml +++ b/helm/templates/caches-role-binding.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "ack-iam-controller.app.fullname" . }}-namespace-caches + name: {{ include "ack-iam-controller.app.fullname" . }}-namespaces-cache labels: app.kubernetes.io/name: {{ include "ack-iam-controller.app.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -12,7 +12,7 @@ metadata: roleRef: kind: ClusterRole apiGroup: rbac.authorization.k8s.io - name: {{ include "ack-iam-controller.app.fullname" . }}-namespace-caches + name: {{ include "ack-iam-controller.app.fullname" . }}-namespaces-cache subjects: - kind: ServiceAccount name: {{ include "ack-iam-controller.service-account.name" . }} diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index cae922a..e1101c4 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml 
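Review bot: The ClusterRoleBinding in `helm/templates/caches-role-binding.yaml` now sets `roleRef.name` to a name ending in `-namespaces-cache`, but no change to the ClusterRole it refers to appears in this diff. If that role is still defined with the old `-namespace-caches` suffix, the binding would reference a role that does not exist and the service account would lose whatever that role grants. Please confirm the role template already uses the new name, or rename it in the same commit.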
@@ -205,7 +205,7 @@ spec: secretName: {{ .Values.aws.credentials.secretName }} {{- end }} {{- if .Values.deployment.extraVolumes }} - {{ toYaml .Values.deployment.extraVolumes | indent 8 }} + {{- toYaml .Values.deployment.extraVolumes | nindent 8 }} {{- end }} {{- end }} {{- with .Values.deployment.strategy }} diff --git a/helm/templates/role-reader.yaml b/helm/templates/role-reader.yaml index 1826e01..4cc2b0e 100644 --- a/helm/templates/role-reader.yaml +++ b/helm/templates/role-reader.yaml @@ -21,6 +21,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: diff --git a/helm/templates/role-writer.yaml b/helm/templates/role-writer.yaml index 16c815c..aa4eaa3 100644 --- a/helm/templates/role-writer.yaml +++ b/helm/templates/role-writer.yaml @@ -21,6 +21,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: @@ -39,6 +40,7 @@ rules: - openidconnectproviders - policies - roles + - samlproviders - servicelinkedroles - users verbs: diff --git a/helm/values.yaml b/helm/values.yaml index 4fc48e4..0be1fb8 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/iam-controller - tag: 1.4.4 + tag: 0.0.0-non-release-version pullPolicy: IfNotPresent pullSecrets: [] @@ -150,6 +150,7 @@ reconcile: - OpenIDConnectProvider - Policy - Role + - SAMLProvider - ServiceLinkedRole - User @@ -182,6 +183,6 @@ featureGates: # Enables the Team level granularity for CARM. See https://github.com/aws-controllers-k8s/community/issues/2031 TeamLevelCARM: false # Enable ReadOnlyResources feature/annotation. - ReadOnlyResources: false + ReadOnlyResources: true # Enable ResourceAdoption feature/annotation. - ResourceAdoption: false \ No newline at end of file + ResourceAdoption: true \ No newline at end of file diff --git a/main b/main new file mode 100755 index 0000000..668919a Binary files /dev/null and b/main differ 
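Review bot: The chart default `tag: 0.0.0-non-release-version` in helm/values.yaml replaces the pinned release `1.4.4`, so a default install would reference an image tag that reads like a local-build placeholder rather than a published release. The NOTES.txt hunk earlier in the diff carries the same string. The `main` file added with mode 100755 directly after the values.yaml hunks is an opaque binary that cannot be reviewed and also looks like stray build output. I would restore `tag: 1.4.4` (or leave the tag to the release automation) and drop `main` from the commit, adding it to `.gitignore` if it is a local build product.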
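Review bot: The last helm/values.yaml hunk flips the defaults `ReadOnlyResources: false` and `ResourceAdoption: false` to `true`, which is unrelated to adding SAMLProvider and changes what every default install enables. With adoption on by default, anyone allowed to create these CRs can presumably bring existing IAM resources, now including SAML identity providers, under controller management. That deserves an explicit decision rather than riding along with a regeneration. If the change is intended, state it in the commit description and chart changelog; otherwise keep `ResourceAdoption: false` and `ReadOnlyResources: false` here.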
diff --git a/pkg/resource/saml_provider/delta.go b/pkg/resource/saml_provider/delta.go new file mode 100644 index 0000000..ffae448 --- /dev/null +++ b/pkg/resource/saml_provider/delta.go 
@@ -0,0 +1,67 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "bytes" + "reflect" + + ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare" + acktags "github.com/aws-controllers-k8s/runtime/pkg/tags" +) + +// Hack to avoid import errors during build... +var ( + _ = &bytes.Buffer{} + _ = &reflect.Method{} + _ = &acktags.Tags{} +) + +// newResourceDelta returns a new `ackcompare.Delta` used to compare two +// resources +func newResourceDelta( + a *resource, + b *resource, +) *ackcompare.Delta { + delta := ackcompare.NewDelta() + if (a == nil && b != nil) || + (a != nil && b == nil) { + delta.Add("", a, b) + return delta + } + + if ackcompare.HasNilDifference(a.ko.Spec.Name, b.ko.Spec.Name) { + delta.Add("Spec.Name", a.ko.Spec.Name, b.ko.Spec.Name) + } else if a.ko.Spec.Name != nil && b.ko.Spec.Name != nil { + if *a.ko.Spec.Name != *b.ko.Spec.Name { + delta.Add("Spec.Name", a.ko.Spec.Name, b.ko.Spec.Name) + } + } + if ackcompare.HasNilDifference(a.ko.Spec.SAMLMetadataDocument, b.ko.Spec.SAMLMetadataDocument) { + delta.Add("Spec.SAMLMetadataDocument", a.ko.Spec.SAMLMetadataDocument, b.ko.Spec.SAMLMetadataDocument) + } else if a.ko.Spec.SAMLMetadataDocument != nil && b.ko.Spec.SAMLMetadataDocument != nil { + if *a.ko.Spec.SAMLMetadataDocument != *b.ko.Spec.SAMLMetadataDocument { + delta.Add("Spec.SAMLMetadataDocument", 
a.ko.Spec.SAMLMetadataDocument, b.ko.Spec.SAMLMetadataDocument) + } + } + desiredACKTags, _ := convertToOrderedACKTags(a.ko.Spec.Tags) + latestACKTags, _ := convertToOrderedACKTags(b.ko.Spec.Tags) + if !ackcompare.MapStringStringEqual(desiredACKTags, latestACKTags) { + delta.Add("Spec.Tags", a.ko.Spec.Tags, b.ko.Spec.Tags) + } + + return delta +} diff --git a/pkg/resource/saml_provider/descriptor.go b/pkg/resource/saml_provider/descriptor.go new file mode 100644 index 0000000..67ec870 --- /dev/null +++ b/pkg/resource/saml_provider/descriptor.go 
@@ -0,0 +1,155 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" + ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare" + acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + rtclient "sigs.k8s.io/controller-runtime/pkg/client" + k8sctrlutil "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + + svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1" +) + +const ( + FinalizerString = "finalizers.iam.services.k8s.aws/SAMLProvider" +) + +var ( + GroupVersionResource = svcapitypes.GroupVersion.WithResource("samlproviders") + GroupKind = metav1.GroupKind{ + Group: "iam.services.k8s.aws", + Kind: "SAMLProvider", + } +) + +// resourceDescriptor implements the +// `aws-service-operator-k8s/pkg/types.AWSResourceDescriptor` interface +type resourceDescriptor struct { +} + +// GroupVersionKind returns a Kubernetes schema.GroupVersionKind struct that +// describes the API Group, Version and Kind of CRs described by the descriptor +func (d *resourceDescriptor) GroupVersionKind() schema.GroupVersionKind { + return svcapitypes.GroupVersion.WithKind(GroupKind.Kind) +} + +// EmptyRuntimeObject returns an empty object prototype that may be used in +// 
apimachinery and k8s client operations +func (d *resourceDescriptor) EmptyRuntimeObject() rtclient.Object { + return &svcapitypes.SAMLProvider{} +} + +// ResourceFromRuntimeObject returns an AWSResource that has been initialized +// with the supplied runtime.Object +func (d *resourceDescriptor) ResourceFromRuntimeObject( + obj rtclient.Object, +) acktypes.AWSResource { + return &resource{ + ko: obj.(*svcapitypes.SAMLProvider), + } +} + +// Delta returns an `ackcompare.Delta` object containing the difference between +// one `AWSResource` and another. +func (d *resourceDescriptor) Delta(a, b acktypes.AWSResource) *ackcompare.Delta { + return newResourceDelta(a.(*resource), b.(*resource)) +} + +// IsManaged returns true if the supplied AWSResource is under the management +// of an ACK service controller. What this means in practice is that the +// underlying custom resource (CR) in the AWSResource has had a +// resource-specific finalizer associated with it. +func (d *resourceDescriptor) IsManaged( + res acktypes.AWSResource, +) bool { + obj := res.RuntimeObject() + if obj == nil { + // Should not happen. If it does, there is a bug in the code + panic("nil RuntimeMetaObject in AWSResource") + } + // Remove use of custom code once + // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is + // fixed. This should be able to be: + // + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) +} + +// Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 +// is fixed. +func containsFinalizer(obj rtclient.Object, finalizer string) bool { + f := obj.GetFinalizers() + for _, e := range f { + if e == finalizer { + return true + } + } + return false +} + +// MarkManaged places the supplied resource under the management of ACK. 
What +// this typically means is that the resource manager will decorate the +// underlying custom resource (CR) with a finalizer that indicates ACK is +// managing the resource and the underlying CR may not be deleted until ACK is +// finished cleaning up any backend AWS service resources associated with the +// CR. +func (d *resourceDescriptor) MarkManaged( + res acktypes.AWSResource, +) { + obj := res.RuntimeObject() + if obj == nil { + // Should not happen. If it does, there is a bug in the code + panic("nil RuntimeMetaObject in AWSResource") + } + k8sctrlutil.AddFinalizer(obj, FinalizerString) +} + +// MarkUnmanaged removes the supplied resource from management by ACK. What +// this typically means is that the resource manager will remove a finalizer +// underlying custom resource (CR) that indicates ACK is managing the resource. +// This will allow the Kubernetes API server to delete the underlying CR. +func (d *resourceDescriptor) MarkUnmanaged( + res acktypes.AWSResource, +) { + obj := res.RuntimeObject() + if obj == nil { + // Should not happen. If it does, there is a bug in the code + panic("nil RuntimeMetaObject in AWSResource") + } + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) +} + +// MarkAdopted places descriptors on the custom resource that indicate the +// resource was not created from within ACK. +func (d *resourceDescriptor) MarkAdopted( + res acktypes.AWSResource, +) { + obj := res.RuntimeObject() + if obj == nil { + // Should not happen. If it does, there is a bug in the code + panic("nil RuntimeObject in AWSResource") + } + curr := obj.GetAnnotations() + if curr == nil { + curr = make(map[string]string) + } + curr[ackv1alpha1.AnnotationAdopted] = "true" + obj.SetAnnotations(curr) +} diff --git a/pkg/resource/saml_provider/hooks.go b/pkg/resource/saml_provider/hooks.go new file mode 100644 index 0000000..18cb274 --- /dev/null +++ b/pkg/resource/saml_provider/hooks.go 
@@ -0,0 +1,128 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package saml_provider
+
+import (
+ "context"
+
+ ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ svcsdk "github.com/aws/aws-sdk-go-v2/service/iam"
+ svcsdktypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
+
+ svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1"
+)
+
+// getTags retrieves the tags for a given SAMLProvider
+func (rm *resourceManager) getTags(
+ ctx context.Context,
+ arn string,
+) []*svcapitypes.Tag {
+ rlog := ackrtlog.FromContext(ctx)
+ resp, err := rm.sdkapi.ListSAMLProviderTags(ctx, &svcsdk.ListSAMLProviderTagsInput{
+ SAMLProviderArn: aws.String(arn),
+ })
+ if err != nil {
+ rlog.Debug("error getting tags for SAMLProvider", "error", err)
+ return nil
+ }
+
+ // Convert SDK tags to API tags
+ apiTags := make([]*svcapitypes.Tag, len(resp.Tags))
+ for i, tag := range resp.Tags {
+ apiTags[i] = &svcapitypes.Tag{
+ Key: aws.String(*tag.Key),
+ Value: aws.String(*tag.Value),
+ }
+ }
+
+ return apiTags
+}
+
+// syncTags synchronizes tags between the desired and latest resource
+func (rm *resourceManager) syncTags(
+ ctx context.Context,
+ latest *resource,
+ desired *resource,
+) error {
+ rlog := ackrtlog.FromContext(ctx)
+ latestTags := latest.ko.Spec.Tags
+ desiredTags := desired.ko.Spec.Tags
+
+ // If no tags are desired and there are no existing tags, we're done
+ if len(desiredTags) == 0 && len(latestTags) == 0 {
+ return nil
+ }
+
+ // Create maps for the latest and desired tags
+ latestTagMap := make(map[string]string)
+ for _, tag := range latestTags {
+ latestTagMap[*tag.Key] = *tag.Value
+ }
+
+ desiredTagMap := make(map[string]string)
+ for _, tag := range desiredTags {
+ desiredTagMap[*tag.Key] = *tag.Value
+ }
+
+ // Find tags to remove (in latest but not in desired)
+ var tagsToRemove []string
+ for k := range latestTagMap {
+ _, exists := desiredTagMap[k]
+ if !exists {
+ tagsToRemove = append(tagsToRemove, k)
+ }
+ }
+
+ // Find tags to add or update (in desired but not in latest or with different values)
+ tagsToAdd := make([]svcsdktypes.Tag, 0)
+ for k, v := range desiredTagMap {
+ latestVal, exists := latestTagMap[k]
+ if !exists || latestVal != v {
+ tagsToAdd = append(tagsToAdd, svcsdktypes.Tag{
+ Key: aws.String(k),
+ Value: aws.String(v),
+ })
+ }
+ }
+
+ // Get the ARN from the resource
+ arn := string(*latest.ko.Status.ACKResourceMetadata.ARN)
+
+ // Remove tags if needed
+ if len(tagsToRemove) > 0 {
+ rlog.Debug("removing tags from SAMLProvider", "arn", arn, "tags", tagsToRemove)
+ _, err := rm.sdkapi.UntagSAMLProvider(ctx, &svcsdk.UntagSAMLProviderInput{
+ SAMLProviderArn: aws.String(arn),
+ TagKeys: tagsToRemove,
+ })
+ if err != nil {
+ return err
+ }
+ }
+
+ // Add tags if needed
+ if len(tagsToAdd) > 0 {
+ rlog.Debug("adding tags to SAMLProvider", "arn", arn, "tags", tagsToAdd)
+ _, err := rm.sdkapi.TagSAMLProvider(ctx, &svcsdk.TagSAMLProviderInput{
+ SAMLProviderArn: aws.String(arn),
+ Tags: tagsToAdd,
+ })
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/pkg/resource/saml_provider/identifiers.go b/pkg/resource/saml_provider/identifiers.go
new file mode 100644
index 0000000..dd61f8c
--- /dev/null
+++ b/pkg/resource/saml_provider/identifiers.go
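Review bot: In hooks.go, `syncTags` dereferences `*tag.Key` and `*tag.Value` for every entry of `desired.ko.Spec.Tags` without a nil check, so a SAMLProvider CR whose tag omits a value (or contains a nil entry) would panic the reconciler unless the CRD schema marks both fields required. `getTags` has the same unguarded dereference on the SDK response, and `*latest.ko.Status.ACKResourceMetadata.ARN` is read without checking that the metadata and ARN are set. `getTags` also logs a failed `ListSAMLProviderTags` at debug level and returns nil, which a caller cannot tell apart from "no tags". Consider returning the error, or at least logging it above debug. The guarded map-building loops are sketched below; both functions lie fully inside this hunk.

```go
// … unchanged: early return when both tag lists are empty …
latestTagMap := make(map[string]string, len(latestTags))
for _, tag := range latestTags {
	if tag == nil || tag.Key == nil {
		continue
	}
	latestTagMap[*tag.Key] = aws.ToString(tag.Value)
}

desiredTagMap := make(map[string]string, len(desiredTags))
for _, tag := range desiredTags {
	if tag == nil || tag.Key == nil {
		continue
	}
	desiredTagMap[*tag.Key] = aws.ToString(tag.Value)
}
// … unchanged: tagsToRemove / tagsToAdd computation and the Untag/Tag calls …
```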
@@ -0,0 +1,55 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" +) + +// resourceIdentifiers implements the +// `aws-service-operator-k8s/pkg/types.AWSResourceIdentifiers` interface +type resourceIdentifiers struct { + meta *ackv1alpha1.ResourceMetadata +} + +// ARN returns the AWS Resource Name for the backend AWS resource. If nil, +// this means the resource has not yet been created in the backend AWS +// service. +func (ri *resourceIdentifiers) ARN() *ackv1alpha1.AWSResourceName { + if ri.meta != nil { + return ri.meta.ARN + } + return nil +} + +// OwnerAccountID returns the AWS account identifier in which the +// backend AWS resource resides, or nil if this information is not known +// for the resource +func (ri *resourceIdentifiers) OwnerAccountID() *ackv1alpha1.AWSAccountID { + if ri.meta != nil { + return ri.meta.OwnerAccountID + } + return nil +} + +// Region returns the AWS region in which the resource exists, or +// nil if this information is not known. +func (ri *resourceIdentifiers) Region() *ackv1alpha1.AWSRegion { + if ri.meta != nil { + return ri.meta.Region + } + return nil +} diff --git a/pkg/resource/saml_provider/manager.go b/pkg/resource/saml_provider/manager.go new file mode 100644 index 0000000..c813dc0 --- /dev/null +++ b/pkg/resource/saml_provider/manager.go 
@@ -0,0 +1,404 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "context" + "fmt" + "time" + + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" + ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare" + ackcondition "github.com/aws-controllers-k8s/runtime/pkg/condition" + ackcfg "github.com/aws-controllers-k8s/runtime/pkg/config" + ackerr "github.com/aws-controllers-k8s/runtime/pkg/errors" + ackmetrics "github.com/aws-controllers-k8s/runtime/pkg/metrics" + ackrequeue "github.com/aws-controllers-k8s/runtime/pkg/requeue" + ackrt "github.com/aws-controllers-k8s/runtime/pkg/runtime" + ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log" + acktags "github.com/aws-controllers-k8s/runtime/pkg/tags" + acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" + ackutil "github.com/aws-controllers-k8s/runtime/pkg/util" + "github.com/aws/aws-sdk-go-v2/aws" + svcsdk "github.com/aws/aws-sdk-go-v2/service/iam" + "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" + + svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1" +) + +var ( + _ = ackutil.InStrings + _ = acktags.NewTags() + _ = ackrt.MissingImageTagValue + _ = svcapitypes.SAMLProvider{} +) + +// +kubebuilder:rbac:groups=iam.services.k8s.aws,resources=samlproviders,verbs=get;list;watch;create;update;patch;delete +// 
+kubebuilder:rbac:groups=iam.services.k8s.aws,resources=samlproviders/status,verbs=get;update;patch + +var lateInitializeFieldNames = []string{} + +// resourceManager is responsible for providing a consistent way to perform +// CRUD operations in a backend AWS service API for Book custom resources. +type resourceManager struct { + // cfg is a copy of the ackcfg.Config object passed on start of the service + // controller + cfg ackcfg.Config + // clientcfg is a copy of the client configuration passed on start of the + // service controller + clientcfg aws.Config + // log refers to the logr.Logger object handling logging for the service + // controller + log logr.Logger + // metrics contains a collection of Prometheus metric objects that the + // service controller and its reconcilers track + metrics *ackmetrics.Metrics + // rr is the Reconciler which can be used for various utility + // functions such as querying for Secret values given a SecretReference + rr acktypes.Reconciler + // awsAccountID is the AWS account identifier that contains the resources + // managed by this resource manager + awsAccountID ackv1alpha1.AWSAccountID + // The AWS Region that this resource manager targets + awsRegion ackv1alpha1.AWSRegion + // sdk is a pointer to the AWS service API client exposed by the + // aws-sdk-go-v2/services/{alias} package. + sdkapi *svcsdk.Client +} + +// concreteResource returns a pointer to a resource from the supplied +// generic AWSResource interface +func (rm *resourceManager) concreteResource( + res acktypes.AWSResource, +) *resource { + // cast the generic interface into a pointer type specific to the concrete + // implementing resource type managed by this resource manager + return res.(*resource) +} + +// ReadOne returns the currently-observed state of the supplied AWSResource in +// the backend AWS service API. 
+func (rm *resourceManager) ReadOne( + ctx context.Context, + res acktypes.AWSResource, +) (acktypes.AWSResource, error) { + r := rm.concreteResource(res) + if r.ko == nil { + // Should never happen... if it does, it's buggy code. + panic("resource manager's ReadOne() method received resource with nil CR object") + } + observed, err := rm.sdkFind(ctx, r) + mirrorAWSTags(r, observed) + if err != nil { + if observed != nil { + return rm.onError(observed, err) + } + return rm.onError(r, err) + } + return rm.onSuccess(observed) +} + +// Create attempts to create the supplied AWSResource in the backend AWS +// service API, returning an AWSResource representing the newly-created +// resource +func (rm *resourceManager) Create( + ctx context.Context, + res acktypes.AWSResource, +) (acktypes.AWSResource, error) { + r := rm.concreteResource(res) + if r.ko == nil { + // Should never happen... if it does, it's buggy code. + panic("resource manager's Create() method received resource with nil CR object") + } + created, err := rm.sdkCreate(ctx, r) + if err != nil { + if created != nil { + return rm.onError(created, err) + } + return rm.onError(r, err) + } + return rm.onSuccess(created) +} + +// Update attempts to mutate the supplied desired AWSResource in the backend AWS +// service API, returning an AWSResource representing the newly-mutated +// resource. +// Note for specialized logic implementers can check to see how the latest +// observed resource differs from the supplied desired state. 
The +// higher-level reonciler determines whether or not the desired differs +// from the latest observed and decides whether to call the resource +// manager's Update method +func (rm *resourceManager) Update( + ctx context.Context, + resDesired acktypes.AWSResource, + resLatest acktypes.AWSResource, + delta *ackcompare.Delta, +) (acktypes.AWSResource, error) { + desired := rm.concreteResource(resDesired) + latest := rm.concreteResource(resLatest) + if desired.ko == nil || latest.ko == nil { + // Should never happen... if it does, it's buggy code. + panic("resource manager's Update() method received resource with nil CR object") + } + updated, err := rm.sdkUpdate(ctx, desired, latest, delta) + if err != nil { + if updated != nil { + return rm.onError(updated, err) + } + return rm.onError(latest, err) + } + return rm.onSuccess(updated) +} + +// Delete attempts to destroy the supplied AWSResource in the backend AWS +// service API, returning an AWSResource representing the +// resource being deleted (if delete is asynchronous and takes time) +func (rm *resourceManager) Delete( + ctx context.Context, + res acktypes.AWSResource, +) (acktypes.AWSResource, error) { + r := rm.concreteResource(res) + if r.ko == nil { + // Should never happen... if it does, it's buggy code. + panic("resource manager's Update() method received resource with nil CR object") + } + observed, err := rm.sdkDelete(ctx, r) + if err != nil { + if observed != nil { + return rm.onError(observed, err) + } + return rm.onError(r, err) + } + + return rm.onSuccess(observed) +} + +// ARNFromName returns an AWS Resource Name from a given string name. 
This +// is useful for constructing ARNs for APIs that require ARNs in their +// GetAttributes operations but all we have (for new CRs at least) is a +// name for the resource +func (rm *resourceManager) ARNFromName(name string) string { + return fmt.Sprintf( + "arn:aws:iam:%s:%s:%s", + rm.awsRegion, + rm.awsAccountID, + name, + ) +} + +// LateInitialize returns an acktypes.AWSResource after setting the late initialized +// fields from the readOne call. This method will initialize the optional fields +// which were not provided by the k8s user but were defaulted by the AWS service. +// If there are no such fields to be initialized, the returned object is similar to +// object passed in the parameter. +func (rm *resourceManager) LateInitialize( + ctx context.Context, + latest acktypes.AWSResource, +) (acktypes.AWSResource, error) { + rlog := ackrtlog.FromContext(ctx) + // If there are no fields to late initialize, do nothing + if len(lateInitializeFieldNames) == 0 { + rlog.Debug("no late initialization required.") + return latest, nil + } + latestCopy := latest.DeepCopy() + lateInitConditionReason := "" + lateInitConditionMessage := "" + observed, err := rm.ReadOne(ctx, latestCopy) + if err != nil { + lateInitConditionMessage = "Unable to complete Read operation required for late initialization" + lateInitConditionReason = "Late Initialization Failure" + ackcondition.SetLateInitialized(latestCopy, corev1.ConditionFalse, &lateInitConditionMessage, &lateInitConditionReason) + ackcondition.SetSynced(latestCopy, corev1.ConditionFalse, nil, nil) + return latestCopy, err + } + lateInitializedRes := rm.lateInitializeFromReadOneOutput(observed, latestCopy) + incompleteInitialization := rm.incompleteLateInitialization(lateInitializedRes) + if incompleteInitialization { + // Add the condition with LateInitialized=False + lateInitConditionMessage = "Late initialization did not complete, requeuing with delay of 5 seconds" + lateInitConditionReason = "Delayed Late 
Initialization" + ackcondition.SetLateInitialized(lateInitializedRes, corev1.ConditionFalse, &lateInitConditionMessage, &lateInitConditionReason) + ackcondition.SetSynced(lateInitializedRes, corev1.ConditionFalse, nil, nil) + return lateInitializedRes, ackrequeue.NeededAfter(nil, time.Duration(5)*time.Second) + } + // Set LateInitialized condition to True + lateInitConditionMessage = "Late initialization successful" + lateInitConditionReason = "Late initialization successful" + ackcondition.SetLateInitialized(lateInitializedRes, corev1.ConditionTrue, &lateInitConditionMessage, &lateInitConditionReason) + return lateInitializedRes, nil +} + +// incompleteLateInitialization return true if there are fields which were supposed to be +// late initialized but are not. If all the fields are late initialized, false is returned +func (rm *resourceManager) incompleteLateInitialization( + res acktypes.AWSResource, +) bool { + return false +} + +// lateInitializeFromReadOneOutput late initializes the 'latest' resource from the 'observed' +// resource and returns 'latest' resource +func (rm *resourceManager) lateInitializeFromReadOneOutput( + observed acktypes.AWSResource, + latest acktypes.AWSResource, +) acktypes.AWSResource { + return latest +} + +// IsSynced returns true if the resource is synced. +func (rm *resourceManager) IsSynced(ctx context.Context, res acktypes.AWSResource) (bool, error) { + r := rm.concreteResource(res) + if r.ko == nil { + // Should never happen... if it does, it's buggy code. + panic("resource manager's IsSynced() method received resource with nil CR object") + } + + return true, nil +} + +// EnsureTags ensures that tags are present inside the AWSResource. +// If the AWSResource does not have any existing resource tags, the 'tags' +// field is initialized and the controller tags are added. +// If the AWSResource has existing resource tags, then controller tags are +// added to the existing resource tags without overriding them. 
+// If the AWSResource does not support tags, only then the controller tags +// will not be added to the AWSResource. +func (rm *resourceManager) EnsureTags( + ctx context.Context, + res acktypes.AWSResource, + md acktypes.ServiceControllerMetadata, +) error { + r := rm.concreteResource(res) + if r.ko == nil { + // Should never happen... if it does, it's buggy code. + panic("resource manager's EnsureTags method received resource with nil CR object") + } + defaultTags := ackrt.GetDefaultTags(&rm.cfg, r.ko, md) + var existingTags []*svcapitypes.Tag + existingTags = r.ko.Spec.Tags + resourceTags, keyOrder := convertToOrderedACKTags(existingTags) + tags := acktags.Merge(resourceTags, defaultTags) + r.ko.Spec.Tags = fromACKTags(tags, keyOrder) + return nil +} + +// FilterAWSTags ignores tags that have keys that start with "aws:" +// is needed to ensure the controller does not attempt to remove +// tags set by AWS. This function needs to be called after each Read +// operation. +// Eg. resources created with cloudformation have tags that cannot be +// removed by an ACK controller +func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource) { + r := rm.concreteResource(res) + if r == nil || r.ko == nil { + return + } + var existingTags []*svcapitypes.Tag + existingTags = r.ko.Spec.Tags + resourceTags, tagKeyOrder := convertToOrderedACKTags(existingTags) + ignoreSystemTags(resourceTags) + r.ko.Spec.Tags = fromACKTags(resourceTags, tagKeyOrder) +} + +// mirrorAWSTags ensures that AWS tags are included in the desired resource +// if they are present in the latest resource. This will ensure that the +// aws tags are not present in a diff. The logic of the controller will +// ensure these tags aren't patched to the resource in the cluster, and +// will only be present to make sure we don't try to remove these tags. +// +// Although there are a lot of similarities between this function and +// EnsureTags, they are very much different. 
+// While EnsureTags tries to make sure the resource contains the controller +// tags, mirrowAWSTags tries to make sure tags injected by AWS are mirrored +// from the latest resoruce to the desired resource. +func mirrorAWSTags(a *resource, b *resource) { + if a == nil || a.ko == nil || b == nil || b.ko == nil { + return + } + var existingLatestTags []*svcapitypes.Tag + var existingDesiredTags []*svcapitypes.Tag + existingDesiredTags = a.ko.Spec.Tags + existingLatestTags = b.ko.Spec.Tags + desiredTags, desiredTagKeyOrder := convertToOrderedACKTags(existingDesiredTags) + latestTags, _ := convertToOrderedACKTags(existingLatestTags) + syncAWSTags(desiredTags, latestTags) + a.ko.Spec.Tags = fromACKTags(desiredTags, desiredTagKeyOrder) +} + +// newResourceManager returns a new struct implementing +// acktypes.AWSResourceManager +// This is for AWS-SDK-GO-V2 - Created newResourceManager With AWS sdk-Go-ClientV2 +func newResourceManager( + cfg ackcfg.Config, + clientcfg aws.Config, + log logr.Logger, + metrics *ackmetrics.Metrics, + rr acktypes.Reconciler, + id ackv1alpha1.AWSAccountID, + region ackv1alpha1.AWSRegion, +) (*resourceManager, error) { + return &resourceManager{ + cfg: cfg, + clientcfg: clientcfg, + log: log, + metrics: metrics, + rr: rr, + awsAccountID: id, + awsRegion: region, + sdkapi: svcsdk.NewFromConfig(clientcfg), + }, nil +} + +// onError updates resource conditions and returns updated resource +// it returns nil if no condition is updated. 
+func (rm *resourceManager) onError( + r *resource, + err error, +) (acktypes.AWSResource, error) { + if r == nil { + return nil, err + } + r1, updated := rm.updateConditions(r, false, err) + if !updated { + return r, err + } + for _, condition := range r1.Conditions() { + if condition.Type == ackv1alpha1.ConditionTypeTerminal && + condition.Status == corev1.ConditionTrue { + // resource is in Terminal condition + // return Terminal error + return r1, ackerr.Terminal + } + } + return r1, err +} + +// onSuccess updates resource conditions and returns updated resource +// it returns the supplied resource if no condition is updated. +func (rm *resourceManager) onSuccess( + r *resource, +) (acktypes.AWSResource, error) { + if r == nil { + return nil, nil + } + r1, updated := rm.updateConditions(r, true, nil) + if !updated { + return r, nil + } + return r1, nil +} diff --git a/pkg/resource/saml_provider/manager_factory.go b/pkg/resource/saml_provider/manager_factory.go new file mode 100644 index 0000000..c9bda6d --- /dev/null +++ b/pkg/resource/saml_provider/manager_factory.go 
@@ -0,0 +1,100 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "fmt" + "sync" + + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" + ackcfg "github.com/aws-controllers-k8s/runtime/pkg/config" + ackmetrics "github.com/aws-controllers-k8s/runtime/pkg/metrics" + acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/go-logr/logr" + + svcresource "github.com/aws-controllers-k8s/iam-controller/pkg/resource" +) + +// resourceManagerFactory produces resourceManager objects. It implements the +// `types.AWSResourceManagerFactory` interface. 
+type resourceManagerFactory struct { + sync.RWMutex + // rmCache contains resource managers for a particular AWS account ID + rmCache map[string]*resourceManager +} + +// ResourcePrototype returns an AWSResource that resource managers produced by +// this factory will handle +func (f *resourceManagerFactory) ResourceDescriptor() acktypes.AWSResourceDescriptor { + return &resourceDescriptor{} +} + +// ManagerFor returns a resource manager object that can manage resources for a +// supplied AWS account +func (f *resourceManagerFactory) ManagerFor( + cfg ackcfg.Config, + clientcfg aws.Config, + log logr.Logger, + metrics *ackmetrics.Metrics, + rr acktypes.Reconciler, + id ackv1alpha1.AWSAccountID, + region ackv1alpha1.AWSRegion, + roleARN ackv1alpha1.AWSResourceName, +) (acktypes.AWSResourceManager, error) { + // We use the account ID, region, and role ARN to uniquely identify a + // resource manager. This helps us to avoid creating multiple resource + // managers for the same account/region/roleARN combination. + rmId := fmt.Sprintf("%s/%s/%s", id, region, roleARN) + f.RLock() + rm, found := f.rmCache[rmId] + f.RUnlock() + + if found { + return rm, nil + } + + f.Lock() + defer f.Unlock() + + rm, err := newResourceManager(cfg, clientcfg, log, metrics, rr, id, region) + if err != nil { + return nil, err + } + f.rmCache[rmId] = rm + return rm, nil +} + +// IsAdoptable returns true if the resource is able to be adopted +func (f *resourceManagerFactory) IsAdoptable() bool { + return true +} + +// RequeueOnSuccessSeconds returns true if the resource should be requeued after specified seconds +// Default is false which means resource will not be requeued after success. 
+func (f *resourceManagerFactory) RequeueOnSuccessSeconds() int { + return 0 +} + +func newResourceManagerFactory() *resourceManagerFactory { + return &resourceManagerFactory{ + rmCache: map[string]*resourceManager{}, + } +} + +func init() { + svcresource.RegisterManagerFactory(newResourceManagerFactory()) +} diff --git a/pkg/resource/saml_provider/references.go b/pkg/resource/saml_provider/references.go new file mode 100644 index 0000000..b451e39 --- /dev/null +++ b/pkg/resource/saml_provider/references.go 
@@ -0,0 +1,57 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "context" + + "sigs.k8s.io/controller-runtime/pkg/client" + + acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" + + svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1" +) + +// ClearResolvedReferences removes any reference values that were made +// concrete in the spec. It returns a copy of the input AWSResource which +// contains the original *Ref values, but none of their respective concrete +// values. +func (rm *resourceManager) ClearResolvedReferences(res acktypes.AWSResource) acktypes.AWSResource { + ko := rm.concreteResource(res).ko.DeepCopy() + + return &resource{ko} +} + +// ResolveReferences finds if there are any Reference field(s) present +// inside AWSResource passed in the parameter and attempts to resolve those +// reference field(s) into their respective target field(s). It returns a +// copy of the input AWSResource with resolved reference(s), a boolean which +// is set to true if the resource contains any references (regardless of if +// they are resolved successfully) and an error if the passed AWSResource's +// reference field(s) could not be resolved. 
+func (rm *resourceManager) ResolveReferences( + ctx context.Context, + apiReader client.Reader, + res acktypes.AWSResource, +) (acktypes.AWSResource, bool, error) { + return res, false, nil +} + +// validateReferenceFields validates the reference field and corresponding +// identifier field. +func validateReferenceFields(ko *svcapitypes.SAMLProvider) error { + return nil +} diff --git a/pkg/resource/saml_provider/resource.go b/pkg/resource/saml_provider/resource.go new file mode 100644 index 0000000..0e282d6 --- /dev/null +++ b/pkg/resource/saml_provider/resource.go 
@@ -0,0 +1,113 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "fmt" + + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" + ackerrors "github.com/aws-controllers-k8s/runtime/pkg/errors" + acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rtclient "sigs.k8s.io/controller-runtime/pkg/client" + + svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1" +) + +// Hack to avoid import errors during build... 
+var ( + _ = &ackerrors.MissingNameIdentifier +) + +// resource implements the `aws-controller-k8s/runtime/pkg/types.AWSResource` +// interface +type resource struct { + // The Kubernetes-native CR representing the resource + ko *svcapitypes.SAMLProvider +} + +// Identifiers returns an AWSResourceIdentifiers object containing various +// identifying information, including the AWS account ID that owns the +// resource, the resource's AWS Resource Name (ARN) +func (r *resource) Identifiers() acktypes.AWSResourceIdentifiers { + return &resourceIdentifiers{r.ko.Status.ACKResourceMetadata} +} + +// IsBeingDeleted returns true if the Kubernetes resource has a non-zero +// deletion timestamp +func (r *resource) IsBeingDeleted() bool { + return !r.ko.DeletionTimestamp.IsZero() +} + +// RuntimeObject returns the Kubernetes apimachinery/runtime representation of +// the AWSResource +func (r *resource) RuntimeObject() rtclient.Object { + return r.ko +} + +// MetaObject returns the Kubernetes apimachinery/apis/meta/v1.Object +// representation of the AWSResource +func (r *resource) MetaObject() metav1.Object { + return r.ko.GetObjectMeta() +} + +// Conditions returns the ACK Conditions collection for the AWSResource +func (r *resource) Conditions() []*ackv1alpha1.Condition { + return r.ko.Status.Conditions +} + +// ReplaceConditions sets the Conditions status field for the resource +func (r *resource) ReplaceConditions(conditions []*ackv1alpha1.Condition) { + r.ko.Status.Conditions = conditions +} + +// SetObjectMeta sets the ObjectMeta field for the resource +func (r *resource) SetObjectMeta(meta metav1.ObjectMeta) { + r.ko.ObjectMeta = meta +} + +// SetStatus will set the Status field for the resource +func (r *resource) SetStatus(desired acktypes.AWSResource) { + r.ko.Status = desired.(*resource).ko.Status +} + +// SetIdentifiers sets the Spec or Status field that is referenced as the unique +// resource identifier +func (r *resource) SetIdentifiers(identifier 
*ackv1alpha1.AWSIdentifiers) error { + if identifier.NameOrID == "" { + return ackerrors.MissingNameIdentifier + } + r.ko.Spec.Name = &identifier.NameOrID + + return nil +} + +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["name"] + if !ok { + return ackerrors.NewTerminalError(fmt.Errorf("required field missing: name")) + } + r.ko.Spec.Name = &tmp + + return nil +} + +// DeepCopy will return a copy of the resource +func (r *resource) DeepCopy() acktypes.AWSResource { + koCopy := r.ko.DeepCopy() + return &resource{koCopy} +} diff --git a/pkg/resource/saml_provider/sdk.go b/pkg/resource/saml_provider/sdk.go new file mode 100644 index 0000000..6855026 --- /dev/null +++ b/pkg/resource/saml_provider/sdk.go 
@@ -0,0 +1,468 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "context" + "errors" + "fmt" + "reflect" + "strings" + + ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" + ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare" + ackcondition "github.com/aws-controllers-k8s/runtime/pkg/condition" + ackerr "github.com/aws-controllers-k8s/runtime/pkg/errors" + ackrequeue "github.com/aws-controllers-k8s/runtime/pkg/requeue" + ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log" + "github.com/aws/aws-sdk-go-v2/aws" + svcsdk "github.com/aws/aws-sdk-go-v2/service/iam" + svcsdktypes "github.com/aws/aws-sdk-go-v2/service/iam/types" + smithy "github.com/aws/smithy-go" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1" +) + +// Hack to avoid import errors during build... 
+var ( + _ = &metav1.Time{} + _ = strings.ToLower("") + _ = &svcsdk.Client{} + _ = &svcapitypes.SAMLProvider{} + _ = ackv1alpha1.AWSAccountID("") + _ = &ackerr.NotFound + _ = &ackcondition.NotManagedMessage + _ = &reflect.Value{} + _ = fmt.Sprintf("") + _ = &ackrequeue.NoRequeue{} + _ = &aws.Config{} +) + +// sdkFind returns SDK-specific information about a supplied resource +func (rm *resourceManager) sdkFind( + ctx context.Context, + r *resource, +) (latest *resource, err error) { + rlog := ackrtlog.FromContext(ctx) + exit := rlog.Trace("rm.sdkFind") + defer func() { + exit(err) + }() + // If any required fields in the input shape are missing, AWS resource is + // not created yet. Return NotFound here to indicate to callers that the + // resource isn't yet created. + if rm.requiredFieldsMissingFromReadOneInput(r) { + return nil, ackerr.NotFound + } + + input, err := rm.newDescribeRequestPayload(r) + if err != nil { + return nil, err + } + + var resp *svcsdk.GetSAMLProviderOutput + resp, err = rm.sdkapi.GetSAMLProvider(ctx, input) + rm.metrics.RecordAPICall("READ_ONE", "GetSAMLProvider", err) + if err != nil { + var awsErr smithy.APIError + if errors.As(err, &awsErr) && awsErr.ErrorCode() == "NoSuchEntityException" { + return nil, ackerr.NotFound + } + return nil, err + } + + // Merge in the information we read from the API call above to the copy of + // the original Kubernetes object we passed to the function + ko := r.ko.DeepCopy() + + if resp.SAMLMetadataDocument != nil { + ko.Spec.SAMLMetadataDocument = resp.SAMLMetadataDocument + } else { + ko.Spec.SAMLMetadataDocument = nil + } + if resp.Tags != nil { + f2 := []*svcapitypes.Tag{} + for _, f2iter := range resp.Tags { + f2elem := &svcapitypes.Tag{} + if f2iter.Key != nil { + f2elem.Key = f2iter.Key + } + if f2iter.Value != nil { + f2elem.Value = f2iter.Value + } + f2 = append(f2, f2elem) + } + ko.Spec.Tags = f2 + } else { + ko.Spec.Tags = nil + } + + rm.setStatusDefaults(ko) + // Get the ARN from the resource 
metadata + if ko.Status.ACKResourceMetadata != nil && ko.Status.ACKResourceMetadata.ARN != nil { + // Retrieve tags for the SAMLProvider and set them in the resource + arn := string(*ko.Status.ACKResourceMetadata.ARN) + ko.Spec.Tags = rm.getTags(ctx, arn) + } + return &resource{ko}, nil +} + +// requiredFieldsMissingFromReadOneInput returns true if there are any fields +// for the ReadOne Input shape that are required but not present in the +// resource's Spec or Status +func (rm *resourceManager) requiredFieldsMissingFromReadOneInput( + r *resource, +) bool { + return (r.ko.Status.ACKResourceMetadata == nil || r.ko.Status.ACKResourceMetadata.ARN == nil) + +} + +// newDescribeRequestPayload returns SDK-specific struct for the HTTP request +// payload of the Describe API call for the resource +func (rm *resourceManager) newDescribeRequestPayload( + r *resource, +) (*svcsdk.GetSAMLProviderInput, error) { + res := &svcsdk.GetSAMLProviderInput{} + + if r.ko.Status.ACKResourceMetadata != nil && r.ko.Status.ACKResourceMetadata.ARN != nil { + res.SAMLProviderArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN) + } + + return res, nil +} + +// sdkCreate creates the supplied resource in the backend AWS service API and +// returns a copy of the resource with resource fields (in both Spec and +// Status) filled in with values from the CREATE API operation's Output shape. 
+func (rm *resourceManager) sdkCreate( + ctx context.Context, + desired *resource, +) (created *resource, err error) { + rlog := ackrtlog.FromContext(ctx) + exit := rlog.Trace("rm.sdkCreate") + defer func() { + exit(err) + }() + input, err := rm.newCreateRequestPayload(ctx, desired) + if err != nil { + return nil, err + } + + var resp *svcsdk.CreateSAMLProviderOutput + _ = resp + resp, err = rm.sdkapi.CreateSAMLProvider(ctx, input) + rm.metrics.RecordAPICall("CREATE", "CreateSAMLProvider", err) + if err != nil { + return nil, err + } + // Merge in the information we read from the API call above to the copy of + // the original Kubernetes object we passed to the function + ko := desired.ko.DeepCopy() + + if ko.Status.ACKResourceMetadata == nil { + ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} + } + if resp.SAMLProviderArn != nil { + arn := ackv1alpha1.AWSResourceName(*resp.SAMLProviderArn) + ko.Status.ACKResourceMetadata.ARN = &arn + } + if resp.Tags != nil { + f1 := []*svcapitypes.Tag{} + for _, f1iter := range resp.Tags { + f1elem := &svcapitypes.Tag{} + if f1iter.Key != nil { + f1elem.Key = f1iter.Key + } + if f1iter.Value != nil { + f1elem.Value = f1iter.Value + } + f1 = append(f1, f1elem) + } + ko.Spec.Tags = f1 + } else { + ko.Spec.Tags = nil + } + + rm.setStatusDefaults(ko) + // If tags are specified, mark the resource as needing a sync + if ko.Spec.Tags != nil && len(ko.Spec.Tags) > 0 { + // Set the resource as needing a sync + ackcondition.SetSynced(&resource{ko}, corev1.ConditionFalse, nil, nil) + } + return &resource{ko}, nil +} + +// newCreateRequestPayload returns an SDK-specific struct for the HTTP request +// payload of the Create API call for the resource +func (rm *resourceManager) newCreateRequestPayload( + ctx context.Context, + r *resource, +) (*svcsdk.CreateSAMLProviderInput, error) { + res := &svcsdk.CreateSAMLProviderInput{} + + if r.ko.Spec.Name != nil { + res.Name = r.ko.Spec.Name + } + if r.ko.Spec.SAMLMetadataDocument != 
nil { + res.SAMLMetadataDocument = r.ko.Spec.SAMLMetadataDocument + } + if r.ko.Spec.Tags != nil { + f2 := []svcsdktypes.Tag{} + for _, f2iter := range r.ko.Spec.Tags { + f2elem := &svcsdktypes.Tag{} + if f2iter.Key != nil { + f2elem.Key = f2iter.Key + } + if f2iter.Value != nil { + f2elem.Value = f2iter.Value + } + f2 = append(f2, *f2elem) + } + res.Tags = f2 + } + + return res, nil +} + +// sdkUpdate patches the supplied resource in the backend AWS service API and +// returns a new resource with updated fields. +func (rm *resourceManager) sdkUpdate( + ctx context.Context, + desired *resource, + latest *resource, + delta *ackcompare.Delta, +) (updated *resource, err error) { + rlog := ackrtlog.FromContext(ctx) + exit := rlog.Trace("rm.sdkUpdate") + defer func() { + exit(err) + }() + // If the Tags field has changed, sync the tags + if delta.DifferentAt("Spec.Tags") { + err := rm.syncTags( + ctx, + latest, + desired, + ) + if err != nil { + return nil, err + } + } + + // If the only difference is the Tags field, we've already handled it + // so we can return the desired object and skip the actual Update call + if !delta.DifferentExcept("Spec.Tags") { + return desired, nil + } + input, err := rm.newUpdateRequestPayload(ctx, desired, delta) + if err != nil { + return nil, err + } + + var resp *svcsdk.UpdateSAMLProviderOutput + _ = resp + resp, err = rm.sdkapi.UpdateSAMLProvider(ctx, input) + rm.metrics.RecordAPICall("UPDATE", "UpdateSAMLProvider", err) + if err != nil { + return nil, err + } + // Merge in the information we read from the API call above to the copy of + // the original Kubernetes object we passed to the function + ko := desired.ko.DeepCopy() + + if ko.Status.ACKResourceMetadata == nil { + ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} + } + if resp.SAMLProviderArn != nil { + arn := ackv1alpha1.AWSResourceName(*resp.SAMLProviderArn) + ko.Status.ACKResourceMetadata.ARN = &arn + } + + rm.setStatusDefaults(ko) + return &resource{ko}, nil 
+} + +// newUpdateRequestPayload returns an SDK-specific struct for the HTTP request +// payload of the Update API call for the resource +func (rm *resourceManager) newUpdateRequestPayload( + ctx context.Context, + r *resource, + delta *ackcompare.Delta, +) (*svcsdk.UpdateSAMLProviderInput, error) { + res := &svcsdk.UpdateSAMLProviderInput{} + + if r.ko.Spec.SAMLMetadataDocument != nil { + res.SAMLMetadataDocument = r.ko.Spec.SAMLMetadataDocument + } + if r.ko.Status.ACKResourceMetadata != nil && r.ko.Status.ACKResourceMetadata.ARN != nil { + res.SAMLProviderArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN) + } + + return res, nil +} + +// sdkDelete deletes the supplied resource in the backend AWS service API +func (rm *resourceManager) sdkDelete( + ctx context.Context, + r *resource, +) (latest *resource, err error) { + rlog := ackrtlog.FromContext(ctx) + exit := rlog.Trace("rm.sdkDelete") + defer func() { + exit(err) + }() + input, err := rm.newDeleteRequestPayload(r) + if err != nil { + return nil, err + } + var resp *svcsdk.DeleteSAMLProviderOutput + _ = resp + resp, err = rm.sdkapi.DeleteSAMLProvider(ctx, input) + rm.metrics.RecordAPICall("DELETE", "DeleteSAMLProvider", err) + return nil, err +} + +// newDeleteRequestPayload returns an SDK-specific struct for the HTTP request +// payload of the Delete API call for the resource +func (rm *resourceManager) newDeleteRequestPayload( + r *resource, +) (*svcsdk.DeleteSAMLProviderInput, error) { + res := &svcsdk.DeleteSAMLProviderInput{} + + if r.ko.Status.ACKResourceMetadata != nil && r.ko.Status.ACKResourceMetadata.ARN != nil { + res.SAMLProviderArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN) + } + + return res, nil +} + +// setStatusDefaults sets default properties into supplied custom resource +func (rm *resourceManager) setStatusDefaults( + ko *svcapitypes.SAMLProvider, +) { + if ko.Status.ACKResourceMetadata == nil { + ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} + } + if 
ko.Status.ACKResourceMetadata.Region == nil { + ko.Status.ACKResourceMetadata.Region = &rm.awsRegion + } + if ko.Status.ACKResourceMetadata.OwnerAccountID == nil { + ko.Status.ACKResourceMetadata.OwnerAccountID = &rm.awsAccountID + } + if ko.Status.Conditions == nil { + ko.Status.Conditions = []*ackv1alpha1.Condition{} + } +} + +// updateConditions returns updated resource, true; if conditions were updated +// else it returns nil, false +func (rm *resourceManager) updateConditions( + r *resource, + onSuccess bool, + err error, +) (*resource, bool) { + ko := r.ko.DeepCopy() + rm.setStatusDefaults(ko) + + // Terminal condition + var terminalCondition *ackv1alpha1.Condition = nil + var recoverableCondition *ackv1alpha1.Condition = nil + var syncCondition *ackv1alpha1.Condition = nil + for _, condition := range ko.Status.Conditions { + if condition.Type == ackv1alpha1.ConditionTypeTerminal { + terminalCondition = condition + } + if condition.Type == ackv1alpha1.ConditionTypeRecoverable { + recoverableCondition = condition + } + if condition.Type == ackv1alpha1.ConditionTypeResourceSynced { + syncCondition = condition + } + } + var termError *ackerr.TerminalError + if rm.terminalAWSError(err) || err == ackerr.SecretTypeNotSupported || err == ackerr.SecretNotFound || errors.As(err, &termError) { + if terminalCondition == nil { + terminalCondition = &ackv1alpha1.Condition{ + Type: ackv1alpha1.ConditionTypeTerminal, + } + ko.Status.Conditions = append(ko.Status.Conditions, terminalCondition) + } + var errorMessage = "" + if err == ackerr.SecretTypeNotSupported || err == ackerr.SecretNotFound || errors.As(err, &termError) { + errorMessage = err.Error() + } else { + awsErr, _ := ackerr.AWSError(err) + errorMessage = awsErr.Error() + } + terminalCondition.Status = corev1.ConditionTrue + terminalCondition.Message = &errorMessage + } else { + // Clear the terminal condition if no longer present + if terminalCondition != nil { + terminalCondition.Status = corev1.ConditionFalse + 
terminalCondition.Message = nil + } + // Handling Recoverable Conditions + if err != nil { + if recoverableCondition == nil { + // Add a new Condition containing a non-terminal error + recoverableCondition = &ackv1alpha1.Condition{ + Type: ackv1alpha1.ConditionTypeRecoverable, + } + ko.Status.Conditions = append(ko.Status.Conditions, recoverableCondition) + } + recoverableCondition.Status = corev1.ConditionTrue + awsErr, _ := ackerr.AWSError(err) + errorMessage := err.Error() + if awsErr != nil { + errorMessage = awsErr.Error() + } + recoverableCondition.Message = &errorMessage + } else if recoverableCondition != nil { + recoverableCondition.Status = corev1.ConditionFalse + recoverableCondition.Message = nil + } + } + // Required to avoid the "declared but not used" error in the default case + _ = syncCondition + if terminalCondition != nil || recoverableCondition != nil || syncCondition != nil { + return &resource{ko}, true // updated + } + return nil, false // not updated +} + +// terminalAWSError returns awserr, true; if the supplied error is an aws Error type +// and if the exception indicates that it is a Terminal exception +// 'Terminal' exception are specified in generator configuration +func (rm *resourceManager) terminalAWSError(err error) bool { + if err == nil { + return false + } + + var terminalErr smithy.APIError + if !errors.As(err, &terminalErr) { + return false + } + switch terminalErr.ErrorCode() { + case "InvalidInputException", + "EntityAlreadyExistsException": + return true + default: + return false + } +} diff --git a/pkg/resource/saml_provider/tags.go b/pkg/resource/saml_provider/tags.go new file mode 100644 index 0000000..ce3c84d --- /dev/null +++ b/pkg/resource/saml_provider/tags.go 
@@ -0,0 +1,119 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). You may +// not use this file except in compliance with the License. A copy of the +// License is located at +// +// http://aws.amazon.com/apache2.0/ +// +// or in the "license" file accompanying this file. This file is distributed +// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +// express or implied. See the License for the specific language governing +// permissions and limitations under the License. + +// Code generated by ack-generate. DO NOT EDIT. + +package saml_provider + +import ( + "slices" + "strings" + + acktags "github.com/aws-controllers-k8s/runtime/pkg/tags" + + svcapitypes "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1" +) + +var ( + _ = svcapitypes.SAMLProvider{} + _ = acktags.NewTags() + ACKSystemTags = []string{"services.k8s.aws/namespace", "services.k8s.aws/controller-version"} +) + +// convertToOrderedACKTags converts the tags parameter into 'acktags.Tags' shape. +// This method helps in creating the hub(acktags.Tags) for merging +// default controller tags with existing resource tags. It also returns a slice +// of keys maintaining the original key Order when the tags are a list +func convertToOrderedACKTags(tags []*svcapitypes.Tag) (acktags.Tags, []string) { + result := acktags.NewTags() + keyOrder := []string{} + + if len(tags) == 0 { + return result, keyOrder + } + for _, t := range tags { + if t.Key != nil { + keyOrder = append(keyOrder, *t.Key) + if t.Value != nil { + result[*t.Key] = *t.Value + } else { + result[*t.Key] = "" + } + } + } + + return result, keyOrder +} + +// fromACKTags converts the tags parameter into []*svcapitypes.Tag shape. +// This method helps in setting the tags back inside AWSResource after merging +// default controller tags with existing resource tags. 
When a list, +// it maintains the order from original +func fromACKTags(tags acktags.Tags, keyOrder []string) []*svcapitypes.Tag { + result := []*svcapitypes.Tag{} + + for _, k := range keyOrder { + v, ok := tags[k] + if ok { + tag := svcapitypes.Tag{Key: &k, Value: &v} + result = append(result, &tag) + delete(tags, k) + } + } + for k, v := range tags { + tag := svcapitypes.Tag{Key: &k, Value: &v} + result = append(result, &tag) + } + + return result +} + +// ignoreSystemTags ignores tags that have keys that start with "aws:" +// and ACKSystemTags, to avoid patching them to the resourceSpec. +// Eg. resources created with cloudformation have tags that cannot be +// removed by an ACK controller +func ignoreSystemTags(tags acktags.Tags) { + for k := range tags { + if strings.HasPrefix(k, "aws:") || + slices.Contains(ACKSystemTags, k) { + delete(tags, k) + } + } +} + +// syncAWSTags ensures AWS-managed tags (prefixed with "aws:") from the latest resource state +// are preserved in the desired state. This prevents the controller from attempting to +// modify AWS-managed tags, which would result in an error. +// +// AWS-managed tags are automatically added by AWS services (e.g., CloudFormation, Service Catalog) +// and cannot be modified or deleted through normal tag operations. Common examples include: +// - aws:cloudformation:stack-name +// - aws:servicecatalog:productArn +// +// Parameters: +// - a: The target Tags map to be updated (typically desired state) +// - b: The source Tags map containing AWS-managed tags (typically latest state) +// +// Example: +// +// latest := Tags{"aws:cloudformation:stack-name": "my-stack", "environment": "prod"} +// desired := Tags{"environment": "dev"} +// SyncAWSTags(desired, latest) +// desired now contains {"aws:cloudformation:stack-name": "my-stack", "environment": "dev"} +func syncAWSTags(a acktags.Tags, b acktags.Tags) { + for k := range b { + if strings.HasPrefix(k, "aws:") { + a[k] = b[k] + } + } +} 
diff --git a/pkg/tags/sync.go b/pkg/tags/sync.go
new file mode 100644
index 0000000..274f29e
--- /dev/null
+++ b/pkg/tags/sync.go
@@ -0,0 +1,137 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package tags
+
+import (
+ "context"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/iam"
+ "github.com/aws/aws-sdk-go/service/iam/iamiface"
+)
+
+// TagsSAMLProvider returns the tags for a given IAM SAML Provider
+func TagsSAMLProvider(
+ ctx context.Context,
+ api iamiface.IAMAPI,
+ arn string,
+) ([]*iam.Tag, error) {
+ resp, err := api.ListSAMLProviderTagsWithContext(
+ ctx,
+ &iam.ListSAMLProviderTagsInput{
+ SAMLProviderArn: aws.String(arn),
+ },
+ )
+ if err != nil {
+ return nil, err
+ }
+ return resp.Tags, nil
+}
+
+// SyncTagsSAMLProvider syncs the tags for an IAM SAML Provider by adding and removing tags
+func SyncTagsSAMLProvider(
+ ctx context.Context,
+ api iamiface.IAMAPI,
+ arn string,
+ desired []*iam.Tag,
+ latest []*iam.Tag,
+) (err error) {
+ // Create maps for the latest and desired tags
+ latestMap := make(map[string]string)
+ for _, tag := range latest {
+ latestMap[*tag.Key] = *tag.Value
+ }
+
+ desiredMap := make(map[string]string)
+ for _, tag := range desired {
+ desiredMap[*tag.Key] = *tag.Value
+ }
+
+ // Find tags to remove (in latest but not in desired or different value)
+ var tagsToRemove []string
+ for k := range latestMap {
+ _, exists := desiredMap[k]
+ if !exists {
+ tagsToRemove = append(tagsToRemove, k)
+ }
+ }
+
+ // Find tags to add (in desired but not in latest or different value)
+ tagsToAdd := make(map[string]string)
+ for k, v := range desiredMap {
+ latestVal, exists := latestMap[k]
+ if !exists || latestVal != v {
+ tagsToAdd[k] = v
+ }
+ }
+
+ if len(tagsToRemove) > 0 {
+ _, err = api.UntagSAMLProviderWithContext(
+ ctx,
+ &iam.UntagSAMLProviderInput{
+ SAMLProviderArn: aws.String(arn),
+ TagKeys: aws.StringSlice(tagsToRemove),
+ },
+ )
+ if err != nil {
+ return err
+ }
+ }
+
+ if len(tagsToAdd) > 0 {
+ // Convert the map of tags to add into a slice of IAM Tag pointers
+ tags := make([]*iam.Tag, 0, len(tagsToAdd))
+ for k, v := range tagsToAdd {
+ tags = append(tags, &iam.Tag{
+ Key: aws.String(k),
+ Value: aws.String(v),
+ })
+ }
+ _, err = api.TagSAMLProviderWithContext(
+ ctx,
+ &iam.TagSAMLProviderInput{
+ SAMLProviderArn: aws.String(arn),
+ Tags: tags,
+ },
+ )
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+// CompareTags compares two sets of tags and returns true if they are equal
+func CompareTags(
+ a []*iam.Tag,
+ b []*iam.Tag,
+) bool {
+ if len(a) != len(b) {
+ return false
+ }
+
+ aMap := make(map[string]string, len(a))
+ for _, tag := range a {
+ aMap[*tag.Key] = *tag.Value
+ }
+
+ for _, tag := range b {
+ if val, ok := aMap[*tag.Key]; !ok || val != *tag.Value {
+ return false
+ }
+ }
+
+ return true
+}
diff --git a/pkg/tags/sync_test.go b/pkg/tags/sync_test.go
new file mode 100644
index 0000000..2da8a67
--- /dev/null
+++ b/pkg/tags/sync_test.go
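Review bot: In pkg/tags/sync.go, SyncTagsSAMLProvider and CompareTags dereference `*tag.Key` and `*tag.Value` on every element, so a tag with a nil Value (or a nil entry) panics in the caller instead of being handled; the generated convertToOrderedACKTags in this same commit treats a nil Value as the empty string, and this package should agree with it. CompareTags also checks slice lengths before de-duplicating, so `[k1, k2]` and `[k1, k1]` (same values) compare equal. A shared nil-safe helper that builds each map once addresses both, as sketched below. Separately, this file imports the v1 `github.com/aws/aws-sdk-go` module while the generated code in the commit uses aws-sdk-go-v2; v1 has reached end-of-support, so taking the v2 IAM client here would avoid carrying a second, unmaintained SDK in the controller's dependency set.

```go
// tagMap flattens tags into a key/value map. Nil entries and nil keys are
// skipped; a nil value is stored as the empty string.
func tagMap(tags []*iam.Tag) map[string]string {
	m := make(map[string]string, len(tags))
	for _, tag := range tags {
		if tag == nil || tag.Key == nil {
			continue
		}
		m[*tag.Key] = aws.StringValue(tag.Value)
	}
	return m
}

// in SyncTagsSAMLProvider, replacing the two map-building loops:
	latestMap := tagMap(latest)
	desiredMap := tagMap(desired)
	// … unchanged: tagsToRemove / tagsToAdd computation and the Untag/Tag calls …

func CompareTags(
	a []*iam.Tag,
	b []*iam.Tag,
) bool {
	aMap, bMap := tagMap(a), tagMap(b)
	if len(aMap) != len(bMap) {
		return false
	}
	for k, v := range bMap {
		if val, ok := aMap[k]; !ok || val != v {
			return false
		}
	}
	return true
}
```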
@@ -0,0 +1,311 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package tags
+
+import (
+ "context"
+ "testing"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/request"
+ "github.com/aws/aws-sdk-go/service/iam"
+ "github.com/aws/aws-sdk-go/service/iam/iamiface"
+ "github.com/stretchr/testify/assert"
+)
+
+// mockIAMClient is a fake implementation of the IAM API interface
+type mockIAMClient struct {
+ iamiface.IAMAPI
+ // Track calls to the API methods
+ listTagsCalls int
+ tagResourceCalls int
+ untagResourceCalls int
+ // Mock responses
+ listTagsOutput *iam.ListSAMLProviderTagsOutput
+ tagOutput *iam.TagSAMLProviderOutput
+ untagOutput *iam.UntagSAMLProviderOutput
+ // Capture inputs for verification
+ tagInput *iam.TagSAMLProviderInput
+ untagInput *iam.UntagSAMLProviderInput
+}
+
+func (m *mockIAMClient) ListSAMLProviderTagsWithContext(
+ _ context.Context,
+ input *iam.ListSAMLProviderTagsInput,
+ _ ...request.Option,
+) (*iam.ListSAMLProviderTagsOutput, error) {
+ m.listTagsCalls++
+ return m.listTagsOutput, nil
+}
+
+func (m *mockIAMClient) TagSAMLProviderWithContext(
+ _ context.Context,
+ input *iam.TagSAMLProviderInput,
+ _ ...request.Option,
+) (*iam.TagSAMLProviderOutput, error) {
+ m.tagResourceCalls++
+ m.tagInput = input
+ return m.tagOutput, nil
+}
+
+func (m *mockIAMClient) UntagSAMLProviderWithContext(
+ _ context.Context,
+ input *iam.UntagSAMLProviderInput,
+ _ ...request.Option,
+) (*iam.UntagSAMLProviderOutput, error) {
+ m.untagResourceCalls++
+ m.untagInput = input
+ return m.untagOutput, nil
+}
+
+func TestTagsSAMLProvider(t *testing.T) {
+ ctx := context.Background()
+ mockClient := &mockIAMClient{
+ listTagsOutput: &iam.ListSAMLProviderTagsOutput{
+ Tags: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ {
+ Key: aws.String("key2"),
+ Value: aws.String("value2"),
+ },
+ },
+ },
+ }
+
+ tags, err := TagsSAMLProvider(ctx, mockClient, "arn:aws:iam::123456789012:saml-provider/test")
+
+ assert.NoError(t, err)
+ assert.Equal(t, 1, mockClient.listTagsCalls)
+ assert.Len(t, tags, 2)
+ assert.Equal(t, "key1", *tags[0].Key)
+ assert.Equal(t, "value1", *tags[0].Value)
+ assert.Equal(t, "key2", *tags[1].Key)
+ assert.Equal(t, "value2", *tags[1].Value)
+}
+
+func TestSyncTagsSAMLProvider(t *testing.T) {
+ ctx := context.Background()
+ mockClient := &mockIAMClient{
+ tagOutput: &iam.TagSAMLProviderOutput{},
+ untagOutput: &iam.UntagSAMLProviderOutput{},
+ }
+
+ testCases := []struct {
+ name string
+ desired []*iam.Tag
+ latest []*iam.Tag
+ expectTagCall bool
+ expectUntagCall bool
+ }{
+ {
+ name: "No changes",
+ desired: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ latest: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ expectTagCall: false,
+ expectUntagCall: false,
+ },
+ {
+ name: "Add tag",
+ desired: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ {
+ Key: aws.String("key2"),
+ Value: aws.String("value2"),
+ },
+ },
+ latest: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ expectTagCall: true,
+ expectUntagCall: false,
+ },
+ {
+ name: "Remove tag",
+ desired: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ latest: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ {
+ Key: aws.String("key2"),
+ Value: aws.String("value2"),
+ },
+ },
+ expectTagCall: false,
+ expectUntagCall: true,
+ },
+ {
+ name: "Update tag value",
+ desired: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("newvalue1"),
+ },
+ },
+ latest: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ expectTagCall: true,
+ expectUntagCall: false,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ // Reset mock counters
+ mockClient.tagResourceCalls = 0
+ mockClient.untagResourceCalls = 0
+ mockClient.tagInput = nil
+ mockClient.untagInput = nil
+
+ err := SyncTagsSAMLProvider(ctx, mockClient, "arn:aws:iam::123456789012:saml-provider/test", tc.desired, tc.latest)
+
+ assert.NoError(t, err)
+ if tc.expectTagCall {
+ assert.Equal(t, 1, mockClient.tagResourceCalls)
+ assert.NotNil(t, mockClient.tagInput)
+ } else {
+ assert.Equal(t, 0, mockClient.tagResourceCalls)
+ }
+
+ if tc.expectUntagCall {
+ assert.Equal(t, 1, mockClient.untagResourceCalls)
+ assert.NotNil(t, mockClient.untagInput)
+ } else {
+ assert.Equal(t, 0, mockClient.untagResourceCalls)
+ }
+ })
+ }
+}
+
+func TestCompareTags(t *testing.T) {
+ testCases := []struct {
+ name string
+ a []*iam.Tag
+ b []*iam.Tag
+ expected bool
+ }{
+ {
+ name: "Equal tags",
+ a: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ {
+ Key: aws.String("key2"),
+ Value: aws.String("value2"),
+ },
+ },
+ b: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ {
+ Key: aws.String("key2"),
+ Value: aws.String("value2"),
+ },
+ },
+ expected: true,
+ },
+ {
+ name: "Different values",
+ a: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ b: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("different"),
+ },
+ },
+ expected: false,
+ },
+ {
+ name: "Different lengths",
+ a: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ {
+ Key: aws.String("key2"),
+ Value: aws.String("value2"),
+ },
+ },
+ b: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ expected: false,
+ },
+ {
+ name: "Different keys",
+ a: []*iam.Tag{
+ {
+ Key: aws.String("key1"),
+ Value: aws.String("value1"),
+ },
+ },
+ b: []*iam.Tag{
+ {
+ Key: aws.String("different"),
+ Value: aws.String("value1"),
+ },
+ },
+ expected: false,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ result := CompareTags(tc.a, tc.b)
+ assert.Equal(t, tc.expected, result)
+ })
+ }
+}
diff --git a/templates/hooks/saml_provider/sdk_create_post_set_output.go.tpl b/templates/hooks/saml_provider/sdk_create_post_set_output.go.tpl
new file mode 100644
index 0000000..2455a98
--- /dev/null
+++ b/templates/hooks/saml_provider/sdk_create_post_set_output.go.tpl
@@ -0,0 +1,5 @@
+ // If tags are specified, mark the resource as needing a sync
+ if ko.Spec.Tags != nil && len(ko.Spec.Tags) > 0 {
+ // Set the resource as needing a sync
+ ackcondition.SetSynced(&resource{ko}, corev1.ConditionFalse, nil, nil)
+ }
\ No newline at end of file
diff --git a/templates/hooks/saml_provider/sdk_read_one_post_set_output.go.tpl b/templates/hooks/saml_provider/sdk_read_one_post_set_output.go.tpl
new file mode 100644
index 0000000..595a8d4
--- /dev/null
+++ b/templates/hooks/saml_provider/sdk_read_one_post_set_output.go.tpl
@@ -0,0 +1,6 @@
+ // Get the ARN from the resource metadata
+ if ko.Status.ACKResourceMetadata != nil && ko.Status.ACKResourceMetadata.ARN != nil {
+ // Retrieve tags for the SAMLProvider and set them in the resource
+ arn := string(*ko.Status.ACKResourceMetadata.ARN)
+ ko.Spec.Tags = rm.getTags(ctx, arn)
+ }
\ No newline at end of file
diff --git a/templates/hooks/saml_provider/sdk_update_pre_build_request.go.tpl b/templates/hooks/saml_provider/sdk_update_pre_build_request.go.tpl
new file mode 100644
index 0000000..cde6ed7
--- /dev/null
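Review bot: In pkg/tags/sync_test.go, `TestSyncTagsSAMLProvider` captures `tagInput` and `untagInput` in the mock but only asserts that they are non-nil, so a sync that removes or writes the wrong key would still pass. Each case could carry the expected keys and assert them, e.g. `assert.Equal(t, []*string{aws.String("key2")}, mockClient.untagInput.TagKeys)` for "Remove tag". The mock also always returns a nil error and ignores the ARN in `input`, so the error returns in `SyncTagsSAMLProvider` and `TagsSAMLProvider` and the `SAMLProviderArn` wiring are not exercised; an `err` field on `mockIAMClient` would cover the error paths.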
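Review bot: In sdk_create_post_set_output.go.tpl the condition `ko.Spec.Tags != nil && len(ko.Spec.Tags) > 0` is redundant, because `len` of a nil slice or map is 0; `if len(ko.Spec.Tags) > 0 {` says the same thing. The two comments repeat each other, and a single comment explaining why a sync is forced after create would help more, for example `// Tags are applied by the update path, so request another reconcile` if that is the intent (the tag sync code is not in this hunk). The trailing nil arguments to `SetSynced` look like the message and reason; a short message there would let operators see why the resource reports not synced.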
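Review bot: In sdk_read_one_post_set_output.go.tpl, `ko.Spec.Tags = rm.getTags(ctx, arn)` has no error result, so a failed tag read (for instance a denied or throttled ListSAMLProviderTags call) cannot be distinguished from a provider that has no tags. `getTags` is defined outside this hunk, so this is inferred from the call shape; if it swallows the error, the later comparison runs against an empty latest set and tags that should be removed are never seen. Consider having it return the tags together with an error and returning that error from the read hook, or at least logging it with the ARN.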
+++ b/templates/hooks/saml_provider/sdk_update_pre_build_request.go.tpl
@@ -0,0 +1,17 @@
+ // If the Tags field has changed, sync the tags
+ if delta.DifferentAt("Spec.Tags") {
+ err := rm.syncTags(
+ ctx,
+ latest,
+ desired,
+ )
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ // If the only difference is the Tags field, we've already handled it
+ // so we can return the desired object and skip the actual Update call
+ if !delta.DifferentExcept("Spec.Tags") {
+ return desired, nil
+ }
\ No newline at end of file