From 82c78f1163e6d4b64836e29209f21e4ec5862f23 Mon Sep 17 00:00:00 2001 From: Shay Date: Sun, 2 Jun 2024 15:59:05 +0300 Subject: [PATCH] Support resource based policy for dynamodb Signed-off-by: Shay Yannay --- .../v1beta1/zz_generated.conversion_hubs.go | 3 + .../dynamodb/v1beta1/zz_generated.deepcopy.go | 219 +++++++ apis/dynamodb/v1beta1/zz_generated.managed.go | 60 ++ .../v1beta1/zz_generated.managedlist.go | 9 + .../v1beta1/zz_generated.resolvers.go | 50 ++ .../v1beta1/zz_resourcepolicy_terraformed.go | 129 ++++ .../v1beta1/zz_resourcepolicy_types.go | 145 +++++ config/dynamodb/config.go | 7 + config/externalname.go | 7 +- config/generated.lst | 1 + .../dynamodb/v1beta1/resourcepolicy.yaml | 15 + examples/dynamodb/v1beta1/resourcepolicy.yaml | 76 +++ .../dynamodb/resourcepolicy/zz_controller.go | 91 +++ internal/controller/zz_dynamodb_setup.go | 2 + internal/controller/zz_monolith_setup.go | 2 + ...amodb.aws.upbound.io_resourcepolicies.yaml | 564 ++++++++++++++++++ 16 files changed, 1379 insertions(+), 1 deletion(-) create mode 100755 apis/dynamodb/v1beta1/zz_resourcepolicy_terraformed.go create mode 100755 apis/dynamodb/v1beta1/zz_resourcepolicy_types.go create mode 100644 examples-generated/dynamodb/v1beta1/resourcepolicy.yaml create mode 100644 examples/dynamodb/v1beta1/resourcepolicy.yaml create mode 100755 internal/controller/dynamodb/resourcepolicy/zz_controller.go create mode 100644 package/crds/dynamodb.aws.upbound.io_resourcepolicies.yaml diff --git a/apis/dynamodb/v1beta1/zz_generated.conversion_hubs.go b/apis/dynamodb/v1beta1/zz_generated.conversion_hubs.go index 4cfa4ff537..f7db66fc76 100755 --- a/apis/dynamodb/v1beta1/zz_generated.conversion_hubs.go +++ b/apis/dynamodb/v1beta1/zz_generated.conversion_hubs.go 
@@ -15,6 +15,9 @@ func (tr *GlobalTable) Hub() {} // Hub marks this type as a conversion hub. func (tr *KinesisStreamingDestination) Hub() {} +// Hub marks this type as a conversion hub. +func (tr *ResourcePolicy) Hub() {} + // Hub marks this type as a conversion hub. func (tr *TableItem) Hub() {} diff --git a/apis/dynamodb/v1beta1/zz_generated.deepcopy.go b/apis/dynamodb/v1beta1/zz_generated.deepcopy.go index b679020141..ccf86d49e1 100644 --- a/apis/dynamodb/v1beta1/zz_generated.deepcopy.go +++ b/apis/dynamodb/v1beta1/zz_generated.deepcopy.go 
@@ -1368,6 +1368,225 @@ func (in *ReplicaParameters) DeepCopy() *ReplicaParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourcePolicy) DeepCopyInto(out *ResourcePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicy. +func (in *ResourcePolicy) DeepCopy() *ResourcePolicy { + if in == nil { + return nil + } + out := new(ResourcePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ResourcePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourcePolicyInitParameters) DeepCopyInto(out *ResourcePolicyInitParameters) { + *out = *in + if in.ConfirmRemoveSelfResourceAccess != nil { + in, out := &in.ConfirmRemoveSelfResourceAccess, &out.ConfirmRemoveSelfResourceAccess + *out = new(bool) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } + if in.ResourceArn != nil { + in, out := &in.ResourceArn, &out.ResourceArn + *out = new(string) + **out = **in + } + if in.ResourceArnRef != nil { + in, out := &in.ResourceArnRef, &out.ResourceArnRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ResourceArnSelector != nil { + in, out := &in.ResourceArnSelector, &out.ResourceArnSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyInitParameters. 
+func (in *ResourcePolicyInitParameters) DeepCopy() *ResourcePolicyInitParameters { + if in == nil { + return nil + } + out := new(ResourcePolicyInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourcePolicyList) DeepCopyInto(out *ResourcePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ResourcePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyList. +func (in *ResourcePolicyList) DeepCopy() *ResourcePolicyList { + if in == nil { + return nil + } + out := new(ResourcePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ResourcePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ResourcePolicyObservation) DeepCopyInto(out *ResourcePolicyObservation) { + *out = *in + if in.ConfirmRemoveSelfResourceAccess != nil { + in, out := &in.ConfirmRemoveSelfResourceAccess, &out.ConfirmRemoveSelfResourceAccess + *out = new(bool) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } + if in.ResourceArn != nil { + in, out := &in.ResourceArn, &out.ResourceArn + *out = new(string) + **out = **in + } + if in.RevisionID != nil { + in, out := &in.RevisionID, &out.RevisionID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyObservation. +func (in *ResourcePolicyObservation) DeepCopy() *ResourcePolicyObservation { + if in == nil { + return nil + } + out := new(ResourcePolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ResourcePolicyParameters) DeepCopyInto(out *ResourcePolicyParameters) { + *out = *in + if in.ConfirmRemoveSelfResourceAccess != nil { + in, out := &in.ConfirmRemoveSelfResourceAccess, &out.ConfirmRemoveSelfResourceAccess + *out = new(bool) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } + if in.ResourceArn != nil { + in, out := &in.ResourceArn, &out.ResourceArn + *out = new(string) + **out = **in + } + if in.ResourceArnRef != nil { + in, out := &in.ResourceArnRef, &out.ResourceArnRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ResourceArnSelector != nil { + in, out := &in.ResourceArnSelector, &out.ResourceArnSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyParameters. +func (in *ResourcePolicyParameters) DeepCopy() *ResourcePolicyParameters { + if in == nil { + return nil + } + out := new(ResourcePolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourcePolicySpec) DeepCopyInto(out *ResourcePolicySpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicySpec. +func (in *ResourcePolicySpec) DeepCopy() *ResourcePolicySpec { + if in == nil { + return nil + } + out := new(ResourcePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ResourcePolicyStatus) DeepCopyInto(out *ResourcePolicyStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyStatus. +func (in *ResourcePolicyStatus) DeepCopy() *ResourcePolicyStatus { + if in == nil { + return nil + } + out := new(ResourcePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *S3BucketSourceInitParameters) DeepCopyInto(out *S3BucketSourceInitParameters) { *out = *in diff --git a/apis/dynamodb/v1beta1/zz_generated.managed.go b/apis/dynamodb/v1beta1/zz_generated.managed.go index b938388f03..a4e45b1a3c 100644 --- a/apis/dynamodb/v1beta1/zz_generated.managed.go +++ b/apis/dynamodb/v1beta1/zz_generated.managed.go 
@@ -187,6 +187,66 @@ func (mg *KinesisStreamingDestination) SetWriteConnectionSecretToReference(r *xp mg.Spec.WriteConnectionSecretToReference = r } +// GetCondition of this ResourcePolicy. +func (mg *ResourcePolicy) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this ResourcePolicy. +func (mg *ResourcePolicy) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this ResourcePolicy. +func (mg *ResourcePolicy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this ResourcePolicy. +func (mg *ResourcePolicy) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this ResourcePolicy. +func (mg *ResourcePolicy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this ResourcePolicy. +func (mg *ResourcePolicy) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this ResourcePolicy. +func (mg *ResourcePolicy) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this ResourcePolicy. +func (mg *ResourcePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this ResourcePolicy. +func (mg *ResourcePolicy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this ResourcePolicy. +func (mg *ResourcePolicy) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this ResourcePolicy. 
+func (mg *ResourcePolicy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this ResourcePolicy. +func (mg *ResourcePolicy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} + // GetCondition of this Table. func (mg *Table) GetCondition(ct xpv1.ConditionType) xpv1.Condition { return mg.Status.GetCondition(ct) diff --git a/apis/dynamodb/v1beta1/zz_generated.managedlist.go b/apis/dynamodb/v1beta1/zz_generated.managedlist.go index 1bf7666c96..5b19d98b2d 100644 --- a/apis/dynamodb/v1beta1/zz_generated.managedlist.go +++ b/apis/dynamodb/v1beta1/zz_generated.managedlist.go @@ -34,6 +34,15 @@ func (l *KinesisStreamingDestinationList) GetItems() []resource.Managed { return items } +// GetItems of this ResourcePolicyList. +func (l *ResourcePolicyList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} + // GetItems of this TableItemList. func (l *TableItemList) GetItems() []resource.Managed { items := make([]resource.Managed, len(l.Items)) diff --git a/apis/dynamodb/v1beta1/zz_generated.resolvers.go b/apis/dynamodb/v1beta1/zz_generated.resolvers.go index 2a7de107bd..7428d11100 100644 --- a/apis/dynamodb/v1beta1/zz_generated.resolvers.go +++ b/apis/dynamodb/v1beta1/zz_generated.resolvers.go 
@@ -156,6 +156,56 @@ func (mg *KinesisStreamingDestination) ResolveReferences(ctx context.Context, c return nil } +// ResolveReferences of this ResourcePolicy. +func (mg *ResourcePolicy) ResolveReferences(ctx context.Context, c client.Reader) error { + var m xpresource.Managed + var l xpresource.ManagedList + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + { + m, l, err = apisresolver.GetManagedResource("dynamodb.aws.upbound.io", "v1beta2", "Table", "TableList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.ResourceArn), + Extract: common.ARNExtractor(), + Reference: mg.Spec.ForProvider.ResourceArnRef, + Selector: mg.Spec.ForProvider.ResourceArnSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.ResourceArn") + } + mg.Spec.ForProvider.ResourceArn = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.ResourceArnRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("dynamodb.aws.upbound.io", "v1beta2", "Table", "TableList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.ResourceArn), + Extract: common.ARNExtractor(), + Reference: mg.Spec.InitProvider.ResourceArnRef, + Selector: mg.Spec.InitProvider.ResourceArnSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.ResourceArn") + } + mg.Spec.InitProvider.ResourceArn = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.ResourceArnRef = rsp.ResolvedReference + + return 
nil +} + // ResolveReferences of this TableItem. func (mg *TableItem) ResolveReferences(ctx context.Context, c client.Reader) error { var m xpresource.Managed diff --git a/apis/dynamodb/v1beta1/zz_resourcepolicy_terraformed.go b/apis/dynamodb/v1beta1/zz_resourcepolicy_terraformed.go new file mode 100755 index 0000000000..ab5df13506 --- /dev/null +++ b/apis/dynamodb/v1beta1/zz_resourcepolicy_terraformed.go 
@@ -0,0 +1,129 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this ResourcePolicy +func (mg *ResourcePolicy) GetTerraformResourceType() string { + return "aws_dynamodb_resource_policy" +} + +// GetConnectionDetailsMapping for this ResourcePolicy +func (tr *ResourcePolicy) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this ResourcePolicy +func (tr *ResourcePolicy) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this ResourcePolicy +func (tr *ResourcePolicy) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this ResourcePolicy +func (tr *ResourcePolicy) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this ResourcePolicy +func (tr *ResourcePolicy) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this ResourcePolicy +func (tr *ResourcePolicy) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this ResourcePolicy +func (tr *ResourcePolicy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this ResourcePolicy +func (tr *ResourcePolicy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this ResourcePolicy using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *ResourcePolicy) LateInitialize(attrs []byte) (bool, error) { + params := &ResourcePolicyParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *ResourcePolicy) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/dynamodb/v1beta1/zz_resourcepolicy_types.go b/apis/dynamodb/v1beta1/zz_resourcepolicy_types.go new file mode 100755 index 0000000000..8ddda6f7d6 --- /dev/null +++ b/apis/dynamodb/v1beta1/zz_resourcepolicy_types.go 
@@ -0,0 +1,145 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type ResourcePolicyInitParameters struct { + + // Set this parameter to true to confirm that you want to remove your permissions to change the policy of this resource in the future. + ConfirmRemoveSelfResourceAccess *bool `json:"confirmRemoveSelfResourceAccess,omitempty" tf:"confirm_remove_self_resource_access,omitempty"` + + // n Amazon Web Services resource-based policy document in JSON format. The maximum size supported for a resource-based policy document is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit. For a full list of all considerations that you should keep in mind while attaching a resource-based policy, see Resource-based policy considerations. + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` + + // The Amazon Resource Name (ARN) of the DynamoDB resource to which the policy will be attached. The resources you can specify include tables and streams. You can control index permissions using the base table's policy. To specify the same permission level for your table and its indexes, you can provide both the table and index Amazon Resource Name (ARN)s in the Resource field of a given Statement in your policy document. Alternatively, to specify different permissions for your table, indexes, or both, you can define multiple Statement fields in your policy document. 
+ // +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/dynamodb/v1beta2.Table + // +crossplane:generate:reference:extractor=github.com/upbound/provider-aws/config/common.ARNExtractor() + ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"` + + // Reference to a Table in dynamodb to populate resourceArn. + // +kubebuilder:validation:Optional + ResourceArnRef *v1.Reference `json:"resourceArnRef,omitempty" tf:"-"` + + // Selector for a Table in dynamodb to populate resourceArn. + // +kubebuilder:validation:Optional + ResourceArnSelector *v1.Selector `json:"resourceArnSelector,omitempty" tf:"-"` +} + +type ResourcePolicyObservation struct { + + // Set this parameter to true to confirm that you want to remove your permissions to change the policy of this resource in the future. + ConfirmRemoveSelfResourceAccess *bool `json:"confirmRemoveSelfResourceAccess,omitempty" tf:"confirm_remove_self_resource_access,omitempty"` + + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // n Amazon Web Services resource-based policy document in JSON format. The maximum size supported for a resource-based policy document is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit. For a full list of all considerations that you should keep in mind while attaching a resource-based policy, see Resource-based policy considerations. + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` + + // The Amazon Resource Name (ARN) of the DynamoDB resource to which the policy will be attached. The resources you can specify include tables and streams. You can control index permissions using the base table's policy. To specify the same permission level for your table and its indexes, you can provide both the table and index Amazon Resource Name (ARN)s in the Resource field of a given Statement in your policy document. 
Alternatively, to specify different permissions for your table, indexes, or both, you can define multiple Statement fields in your policy document. + ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"` + + // A unique string that represents the revision ID of the policy. If you are comparing revision IDs, make sure to always use string comparison logic. + RevisionID *string `json:"revisionId,omitempty" tf:"revision_id,omitempty"` +} + +type ResourcePolicyParameters struct { + + // Set this parameter to true to confirm that you want to remove your permissions to change the policy of this resource in the future. + // +kubebuilder:validation:Optional + ConfirmRemoveSelfResourceAccess *bool `json:"confirmRemoveSelfResourceAccess,omitempty" tf:"confirm_remove_self_resource_access,omitempty"` + + // n Amazon Web Services resource-based policy document in JSON format. The maximum size supported for a resource-based policy document is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit. For a full list of all considerations that you should keep in mind while attaching a resource-based policy, see Resource-based policy considerations. + // +kubebuilder:validation:Optional + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` + + // Region is the region you'd like your resource to be created in. + // +upjet:crd:field:TFTag=- + // +kubebuilder:validation:Required + Region *string `json:"region" tf:"-"` + + // The Amazon Resource Name (ARN) of the DynamoDB resource to which the policy will be attached. The resources you can specify include tables and streams. You can control index permissions using the base table's policy. To specify the same permission level for your table and its indexes, you can provide both the table and index Amazon Resource Name (ARN)s in the Resource field of a given Statement in your policy document. 
Alternatively, to specify different permissions for your table, indexes, or both, you can define multiple Statement fields in your policy document. + // +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/dynamodb/v1beta2.Table + // +crossplane:generate:reference:extractor=github.com/upbound/provider-aws/config/common.ARNExtractor() + // +kubebuilder:validation:Optional + ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"` + + // Reference to a Table in dynamodb to populate resourceArn. + // +kubebuilder:validation:Optional + ResourceArnRef *v1.Reference `json:"resourceArnRef,omitempty" tf:"-"` + + // Selector for a Table in dynamodb to populate resourceArn. + // +kubebuilder:validation:Optional + ResourceArnSelector *v1.Selector `json:"resourceArnSelector,omitempty" tf:"-"` +} + +// ResourcePolicySpec defines the desired state of ResourcePolicy +type ResourcePolicySpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider ResourcePolicyParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider ResourcePolicyInitParameters `json:"initProvider,omitempty"` +} + +// ResourcePolicyStatus defines the observed state of ResourcePolicy. 
+type ResourcePolicyStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider ResourcePolicyObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// ResourcePolicy is the Schema for the ResourcePolicys API. +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,aws} +type ResourcePolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || (has(self.initProvider) && has(self.initProvider.policy))",message="spec.forProvider.policy is a required parameter" + Spec ResourcePolicySpec `json:"spec"` + Status ResourcePolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// ResourcePolicyList contains a list of ResourcePolicys +type ResourcePolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ResourcePolicy `json:"items"` +} + +// Repository type metadata. +var ( + ResourcePolicy_Kind = "ResourcePolicy" + ResourcePolicy_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: ResourcePolicy_Kind}.String() + ResourcePolicy_KindAPIVersion = ResourcePolicy_Kind + "." 
+ CRDGroupVersion.String() + ResourcePolicy_GroupVersionKind = CRDGroupVersion.WithKind(ResourcePolicy_Kind) +) + +func init() { + SchemeBuilder.Register(&ResourcePolicy{}, &ResourcePolicyList{}) +} diff --git a/config/dynamodb/config.go b/config/dynamodb/config.go index 1f638bb769..69c8ddf282 100644 --- a/config/dynamodb/config.go +++ b/config/dynamodb/config.go @@ -12,6 +12,13 @@ import ( // Configure adds configurations for the dynamodb group. func Configure(p *config.Provider) { + p.AddResourceConfigurator("aws_dynamodb_resource_policy", func(r *config.Resource) { + r.References["resource_arn"] = config.Reference{ + TerraformName: "aws_dynamodb_table", + Extractor: common.PathARNExtractor, + } + }) + // currently needs an ARN reference for external name p.AddResourceConfigurator("aws_dynamodb_contributor_insights", func(r *config.Resource) { r.References["table_name"] = config.Reference{ diff --git a/config/externalname.go b/config/externalname.go index 8e9d7c2623..7d7641e957 100644 --- a/config/externalname.go +++ b/config/externalname.go @@ -68,6 +68,11 @@ var TerraformPluginFrameworkExternalNameConfigs = map[string]config.ExternalName // VPCEndpoint can be imported using the AWS-assigned VPC Endpoint ID, i.e. vpce-0a957ae9ed5aee308 "aws_opensearchserverless_vpc_endpoint": opensearchserverlessVpcEndpoint(), + // dynamodb + // + // DynamoDB table resource policy can be important using the DynamoDB resource identifier + "aws_dynamodb_resource_policy": config.IdentifierFromProvider, + // CodeGuru Profiler // Profiling Group can be imported using the the profiling group name "aws_codeguruprofiler_profiling_group": config.NameAsIdentifier, 
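Review bot: The new `aws_dynamodb_resource_policy` configurator in config/dynamodb/config.go carries no comment, unlike the neighbouring `aws_dynamodb_contributor_insights` block, and its `resource_arn` reference resolves only tables (`TerraformName: "aws_dynamodb_table"`) although the generated field documentation in this commit says the ARN may also name a stream. I would add above the `p.AddResourceConfigurator(...)` call: `// resource_arn may be a table or a stream ARN; only table references are resolved here,` / `// a stream ARN has to be given directly in spec.forProvider.resourceArn.` The generated resolver elsewhere in this patch looks the reference up as `v1beta2` `Table`, so the reference presumably targets the hub version; worth confirming the example manifests declare the same version. Configure's body continues outside the hunk.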
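Review bot: The comment on the new `aws_dynamodb_resource_policy` entry in config/externalname.go reads `can be important using`, which should be `can be imported using the DynamoDB resource identifier`. The entry uses `config.IdentifierFromProvider`, whereas the dynamodb entries in the SDK map (see the `aws_dynamodb_tag` line touched further down this patch) derive the identifier from `.parameters.resource_arn` via `config.TemplatedStringAsIdentifier`; if the upstream import ID for this resource is just the resource ARN, the templated form would make the external name known before creation instead of only after the first observe. That is worth confirming against the upstream resource before merging; the map continues outside the hunk.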
@@ -923,7 +928,7 @@ var TerraformPluginSDKExternalNameConfigs = map[string]config.ExternalName{ // DynamoDB Global Tables can be imported using the global table name "aws_dynamodb_global_table": config.NameAsIdentifier, // aws_dynamodb_tag can be imported by using the DynamoDB resource identifier and key, separated by a comma (,) - "aws_dynamodb_tag": config.TemplatedStringAsIdentifier("", "{{ .parameters.resource_arn }},{{ .parameters.key }}"), + "aws_dynamodb_tag": config.TemplatedStringAsIdentifier("", "{{ .parameters.resource_arn }},{{ .parameters.key }}"), // sns // diff --git a/config/generated.lst b/config/generated.lst index 697c715dc3..53d6a85359 100644 --- a/config/generated.lst +++ b/config/generated.lst @@ -298,6 +298,7 @@ "aws_dynamodb_contributor_insights", "aws_dynamodb_global_table", "aws_dynamodb_kinesis_streaming_destination", +"aws_dynamodb_resource_policy", "aws_dynamodb_table", "aws_dynamodb_table_item", "aws_dynamodb_table_replica", diff --git a/examples-generated/dynamodb/v1beta1/resourcepolicy.yaml b/examples-generated/dynamodb/v1beta1/resourcepolicy.yaml new file mode 100644 index 0000000000..5722079ee8 --- /dev/null +++ b/examples-generated/dynamodb/v1beta1/resourcepolicy.yaml @@ -0,0 +1,15 @@ +apiVersion: dynamodb.aws.upbound.io/v1beta1 +kind: ResourcePolicy +metadata: + annotations: + meta.upbound.io/example-id: dynamodb/v1beta1/resourcepolicy + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + policy: ${data.aws_iam_policy_document.test.json} + region: us-west-1 + resourceArnSelector: + matchLabels: + testing.upbound.io/example-name: example diff --git a/examples/dynamodb/v1beta1/resourcepolicy.yaml b/examples/dynamodb/v1beta1/resourcepolicy.yaml new file mode 100644 index 0000000000..c3716c7727 --- /dev/null +++ b/examples/dynamodb/v1beta1/resourcepolicy.yaml 
@@ -0,0 +1,76 @@
+apiVersion: dynamodb.aws.upbound.io/v1beta1
+kind: ResourcePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/resourcepolicy
+ labels:
+ testing.upbound.io/example-name: example
+ name: example-resourcepolicy
+spec:
+ forProvider:
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:root"
+ },
+ "Action": [
+ "dynamodb:BatchGetItem",
+ "dynamodb:BatchWriteItem",
+ "dynamodb:DescribeTable",
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:Scan",
+ "dynamodb:UpdateItem",
+ "dynamodb:Query",
+ "dynamodb:DeleteItem"
+ ],
+ "Resource": [
+ "arn:aws:dynamodb:us-east-2:123456789012:table/example"
+ ]
+ }
+ ]
+ }
+ region: us-east-2
+ resourceArnSelector:
+ matchLabels:
+ testing.upbound.io/example-name: example
+---
+apiVersion: dynamodb.aws.upbound.io/v1beta1
+kind: Table
+metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/table
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ attribute:
+ - name: UserId
+ type: S
+ - name: GameTitle
+ type: S
+ - name: TopScore
+ type: "N"
+ billingMode: PROVISIONED
+ globalSecondaryIndex:
+ - hashKey: GameTitle
+ name: GameTitleIndex
+ nonKeyAttributes:
+ - UserId
+ projectionType: INCLUDE
+ rangeKey: TopScore
+ readCapacity: 10
+ writeCapacity: 10
+ hashKey: UserId
+ rangeKey: GameTitle
+ readCapacity: 20
+ region: us-east-2
+ tags:
+ Environment: testing
+ Name: example
+ writeCapacity: 20
diff --git a/internal/controller/dynamodb/resourcepolicy/zz_controller.go b/internal/controller/dynamodb/resourcepolicy/zz_controller.go
new file mode 100755
index 0000000000..335002b78c
--- /dev/null
+++ b/internal/controller/dynamodb/resourcepolicy/zz_controller.go
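Review bot: The example policy hard-codes account `123456789012` both as the Principal and inside the Resource ARN `arn:aws:dynamodb:us-east-2:123456789012:table/example`, while the table the policy is attached to is resolved at apply time through `resourceArnSelector`; unless the test harness rewrites that account ID, the Resource element will not name the table that was actually created, and the read/write actions are granted to a placeholder account rather than to the one running the example. A comment above `policy:` such as `# 123456789012 is a placeholder; replace it with the account that owns the table so the Resource ARN matches the table selected below` would make the intent explicit for anyone copying the manifest. Whether the example runner performs that substitution is not visible in this diff.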
@@ -0,0 +1,91 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package resourcepolicy + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1" + features "github.com/upbound/provider-aws/internal/features" +) + +// Setup adds a controller that reconciles ResourcePolicy managed resources. 
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1beta1.ResourcePolicy_GroupVersionKind.String()) + var initializers managed.InitializerChain + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.SecretStoreConfigGVK != nil { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) + } + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1beta1.ResourcePolicy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginFrameworkAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_resource_policy"], + tjcontroller.WithTerraformPluginFrameworkAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginFrameworkAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginFrameworkAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginFrameworkAsyncMetricRecorder(metrics.NewMetricRecorder(v1beta1.ResourcePolicy_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginFrameworkAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + managed.WithConnectionPublishers(cps...), + 
managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1beta1.ResourcePolicy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1beta1.ResourcePolicy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1beta1.ResourcePolicy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1beta1.ResourcePolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1beta1.ResourcePolicyList") + } + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1beta1.ResourcePolicy{}, eventHandler). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/zz_dynamodb_setup.go b/internal/controller/zz_dynamodb_setup.go index 00180f147d..6c52e8a8f7 100755 --- a/internal/controller/zz_dynamodb_setup.go +++ b/internal/controller/zz_dynamodb_setup.go 
@@ -12,6 +12,7 @@ import ( contributorinsights "github.com/upbound/provider-aws/internal/controller/dynamodb/contributorinsights" globaltable "github.com/upbound/provider-aws/internal/controller/dynamodb/globaltable" kinesisstreamingdestination "github.com/upbound/provider-aws/internal/controller/dynamodb/kinesisstreamingdestination" + resourcepolicy "github.com/upbound/provider-aws/internal/controller/dynamodb/resourcepolicy" table "github.com/upbound/provider-aws/internal/controller/dynamodb/table" tableitem "github.com/upbound/provider-aws/internal/controller/dynamodb/tableitem" tablereplica "github.com/upbound/provider-aws/internal/controller/dynamodb/tablereplica" @@ -25,6 +26,7 @@ func Setup_dynamodb(mgr ctrl.Manager, o controller.Options) error { contributorinsights.Setup, globaltable.Setup, kinesisstreamingdestination.Setup, + resourcepolicy.Setup, table.Setup, tableitem.Setup, tablereplica.Setup, diff --git a/internal/controller/zz_monolith_setup.go b/internal/controller/zz_monolith_setup.go index 48e6193fc2..13009a9c6e 100755 --- a/internal/controller/zz_monolith_setup.go +++ b/internal/controller/zz_monolith_setup.go @@ -287,6 +287,7 @@ import ( contributorinsights "github.com/upbound/provider-aws/internal/controller/dynamodb/contributorinsights" globaltable "github.com/upbound/provider-aws/internal/controller/dynamodb/globaltable" kinesisstreamingdestination "github.com/upbound/provider-aws/internal/controller/dynamodb/kinesisstreamingdestination" + resourcepolicydynamodb "github.com/upbound/provider-aws/internal/controller/dynamodb/resourcepolicy" table "github.com/upbound/provider-aws/internal/controller/dynamodb/table" tableitem "github.com/upbound/provider-aws/internal/controller/dynamodb/tableitem" tablereplica "github.com/upbound/provider-aws/internal/controller/dynamodb/tablereplica" 
@@ -1237,6 +1238,7 @@ func Setup_monolith(mgr ctrl.Manager, o controller.Options) error { contributorinsights.Setup, globaltable.Setup, kinesisstreamingdestination.Setup, + resourcepolicydynamodb.Setup, table.Setup, tableitem.Setup, tablereplica.Setup, diff --git a/package/crds/dynamodb.aws.upbound.io_resourcepolicies.yaml b/package/crds/dynamodb.aws.upbound.io_resourcepolicies.yaml new file mode 100644 index 0000000000..38b48a6d83 --- /dev/null +++ b/package/crds/dynamodb.aws.upbound.io_resourcepolicies.yaml 
@@ -0,0 +1,564 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: resourcepolicies.dynamodb.aws.upbound.io +spec: + group: dynamodb.aws.upbound.io + names: + categories: + - crossplane + - managed + - aws + kind: ResourcePolicy + listKind: ResourcePolicyList + plural: resourcepolicies + singular: resourcepolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ResourcePolicy is the Schema for the ResourcePolicys API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourcePolicySpec defines the desired state of ResourcePolicy + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. 
+ This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + confirmRemoveSelfResourceAccess: + description: Set this parameter to true to confirm that you want + to remove your permissions to change the policy of this resource + in the future. + type: boolean + policy: + description: n Amazon Web Services resource-based policy document + in JSON format. The maximum size supported for a resource-based + policy document is 20 KB. DynamoDB counts whitespaces when calculating + the size of a policy against this limit. For a full list of + all considerations that you should keep in mind while attaching + a resource-based policy, see Resource-based policy considerations. + type: string + region: + description: Region is the region you'd like your resource to + be created in. + type: string + resourceArn: + description: The Amazon Resource Name (ARN) of the DynamoDB resource + to which the policy will be attached. The resources you can + specify include tables and streams. You can control index permissions + using the base table's policy. To specify the same permission + level for your table and its indexes, you can provide both the + table and index Amazon Resource Name (ARN)s in the Resource + field of a given Statement in your policy document. Alternatively, + to specify different permissions for your table, indexes, or + both, you can define multiple Statement fields in your policy + document. + type: string + resourceArnRef: + description: Reference to a Table in dynamodb to populate resourceArn. 
+ properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + resourceArnSelector: + description: Selector for a Table in dynamodb to populate resourceArn. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. 
Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + required: + - region + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + confirmRemoveSelfResourceAccess: + description: Set this parameter to true to confirm that you want + to remove your permissions to change the policy of this resource + in the future. + type: boolean + policy: + description: n Amazon Web Services resource-based policy document + in JSON format. The maximum size supported for a resource-based + policy document is 20 KB. DynamoDB counts whitespaces when calculating + the size of a policy against this limit. For a full list of + all considerations that you should keep in mind while attaching + a resource-based policy, see Resource-based policy considerations. + type: string + resourceArn: + description: The Amazon Resource Name (ARN) of the DynamoDB resource + to which the policy will be attached. The resources you can + specify include tables and streams. You can control index permissions + using the base table's policy. To specify the same permission + level for your table and its indexes, you can provide both the + table and index Amazon Resource Name (ARN)s in the Resource + field of a given Statement in your policy document. 
Alternatively, + to specify different permissions for your table, indexes, or + both, you can define multiple Statement fields in your policy + document. + type: string + resourceArnRef: + description: Reference to a Table in dynamodb to populate resourceArn. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + resourceArnSelector: + description: Selector for a Table in dynamodb to populate resourceArn. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + x-kubernetes-validations: + - message: spec.forProvider.policy is a required parameter + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) + || (has(self.initProvider) && has(self.initProvider.policy))' + status: + description: ResourcePolicyStatus defines the observed state of ResourcePolicy. + properties: + atProvider: + properties: + confirmRemoveSelfResourceAccess: + description: Set this parameter to true to confirm that you want + to remove your permissions to change the policy of this resource + in the future. + type: boolean + id: + type: string + policy: + description: n Amazon Web Services resource-based policy document + in JSON format. The maximum size supported for a resource-based + policy document is 20 KB. DynamoDB counts whitespaces when calculating + the size of a policy against this limit. For a full list of + all considerations that you should keep in mind while attaching + a resource-based policy, see Resource-based policy considerations. + type: string + resourceArn: + description: The Amazon Resource Name (ARN) of the DynamoDB resource + to which the policy will be attached. The resources you can + specify include tables and streams. You can control index permissions + using the base table's policy. To specify the same permission + level for your table and its indexes, you can provide both the + table and index Amazon Resource Name (ARN)s in the Resource + field of a given Statement in your policy document. Alternatively, + to specify different permissions for your table, indexes, or + both, you can define multiple Statement fields in your policy + document. + type: string + revisionId: + description: A unique string that represents the revision ID of + the policy. 
If you are comparing revision IDs, make sure to + always use string comparison logic. + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}