From 96631079bf90e8b31000ba53c598e3dd8e10f145 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fatih=20T=C3=BCrken?= Date: Mon, 3 Jul 2023 15:07:32 +0300 Subject: [PATCH] Configure RolePolicy resource and add example manifest --- apis/iam/v1beta1/zz_generated.deepcopy.go | 168 ++++++++ apis/iam/v1beta1/zz_generated.managed.go | 76 ++++ apis/iam/v1beta1/zz_generated.managedlist.go | 9 + apis/iam/v1beta1/zz_generated.resolvers.go | 27 ++ apis/iam/v1beta1/zz_generated_terraformed.go | 74 ++++ apis/iam/v1beta1/zz_rolepolicy_types.go | 104 +++++ config/externalname.go | 9 +- config/provider.go | 1 - examples-generated/apigateway/account.yaml | 18 + examples-generated/apigateway/authorizer.yaml | 18 + examples-generated/appsync/datasource.yaml | 18 + .../cloudformation/stackset.yaml | 18 + .../cloudfront/realtimelogconfig.yaml | 18 + .../cloudwatch/metricstream.yaml | 36 ++ .../codepipeline/codepipeline.yaml | 18 + .../cognitoidentity/poolrolesattachment.yaml | 18 + .../awsconfigurationrecorderstatus.yaml | 18 + .../configservice/configrule.yaml | 18 + .../configservice/deliverychannel.yaml | 18 + examples-generated/dlm/lifecyclepolicy.yaml | 18 + examples-generated/ec2/flowlog.yaml | 18 + examples-generated/iam/rolepolicy.yaml | 57 +++ examples-generated/iot/topicrule.yaml | 18 + .../transcribe/languagemodel.yaml | 31 ++ examples-generated/transfer/sshkey.yaml | 18 + examples-generated/transfer/user.yaml | 18 + examples/iam/rolepolicy.yaml | 49 +++ .../iam/rolepolicy/zz_controller.go | 55 +++ internal/controller/zz_iam_setup.go | 2 + internal/controller/zz_monolith_setup.go | 2 + .../crds/iam.aws.upbound.io_rolepolicies.yaml | 403 ++++++++++++++++++ 31 files changed, 1368 insertions(+), 5 deletions(-) create mode 100755 apis/iam/v1beta1/zz_rolepolicy_types.go create mode 100644 examples-generated/iam/rolepolicy.yaml create mode 100644 examples/iam/rolepolicy.yaml create mode 100755 internal/controller/iam/rolepolicy/zz_controller.go create mode 100644 package/crds/iam.aws.upbound.io_rolepolicies.yaml 
diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go
index 52580faad4..888120b649 100644
--- a/apis/iam/v1beta1/zz_generated.deepcopy.go
+++ b/apis/iam/v1beta1/zz_generated.deepcopy.go
@@ -2434,6 +2434,33 @@ func (in *RoleParameters) DeepCopy() *RoleParameters {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RolePolicy) DeepCopyInto(out *RolePolicy) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicy.
+func (in *RolePolicy) DeepCopy() *RolePolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(RolePolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RolePolicy) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RolePolicyAttachment) DeepCopyInto(out *RolePolicyAttachment) {
 *out = *in
@@ -2618,6 +2645,147 @@ func (in *RolePolicyAttachmentStatus) DeepCopy() *RolePolicyAttachmentStatus {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RolePolicyList) DeepCopyInto(out *RolePolicyList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]RolePolicy, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyList.
+func (in *RolePolicyList) DeepCopy() *RolePolicyList {
+ if in == nil {
+ return nil
+ }
+ out := new(RolePolicyList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RolePolicyList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RolePolicyObservation) DeepCopyInto(out *RolePolicyObservation) {
+ *out = *in
+ if in.ID != nil {
+ in, out := &in.ID, &out.ID
+ *out = new(string)
+ **out = **in
+ }
+ if in.Name != nil {
+ in, out := &in.Name, &out.Name
+ *out = new(string)
+ **out = **in
+ }
+ if in.Policy != nil {
+ in, out := &in.Policy, &out.Policy
+ *out = new(string)
+ **out = **in
+ }
+ if in.Role != nil {
+ in, out := &in.Role, &out.Role
+ *out = new(string)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyObservation.
+func (in *RolePolicyObservation) DeepCopy() *RolePolicyObservation {
+ if in == nil {
+ return nil
+ }
+ out := new(RolePolicyObservation)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RolePolicyParameters) DeepCopyInto(out *RolePolicyParameters) {
+ *out = *in
+ if in.Name != nil {
+ in, out := &in.Name, &out.Name
+ *out = new(string)
+ **out = **in
+ }
+ if in.Policy != nil {
+ in, out := &in.Policy, &out.Policy
+ *out = new(string)
+ **out = **in
+ }
+ if in.Role != nil {
+ in, out := &in.Role, &out.Role
+ *out = new(string)
+ **out = **in
+ }
+ if in.RoleRef != nil {
+ in, out := &in.RoleRef, &out.RoleRef
+ *out = new(v1.Reference)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.RoleSelector != nil {
+ in, out := &in.RoleSelector, &out.RoleSelector
+ *out = new(v1.Selector)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyParameters.
+func (in *RolePolicyParameters) DeepCopy() *RolePolicyParameters {
+ if in == nil {
+ return nil
+ }
+ out := new(RolePolicyParameters)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RolePolicySpec) DeepCopyInto(out *RolePolicySpec) {
+ *out = *in
+ in.ResourceSpec.DeepCopyInto(&out.ResourceSpec)
+ in.ForProvider.DeepCopyInto(&out.ForProvider)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicySpec.
+func (in *RolePolicySpec) DeepCopy() *RolePolicySpec {
+ if in == nil {
+ return nil
+ }
+ out := new(RolePolicySpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RolePolicyStatus) DeepCopyInto(out *RolePolicyStatus) {
+ *out = *in
+ in.ResourceStatus.DeepCopyInto(&out.ResourceStatus)
+ in.AtProvider.DeepCopyInto(&out.AtProvider)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyStatus.
+func (in *RolePolicyStatus) DeepCopy() *RolePolicyStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(RolePolicyStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoleSpec) DeepCopyInto(out *RoleSpec) {
 *out = *in
diff --git a/apis/iam/v1beta1/zz_generated.managed.go b/apis/iam/v1beta1/zz_generated.managed.go
index ac9e5e0b5a..29bd119949 100644
--- a/apis/iam/v1beta1/zz_generated.managed.go
+++ b/apis/iam/v1beta1/zz_generated.managed.go
@@ -767,6 +767,82 @@ func (mg *Role) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) {
 mg.Spec.WriteConnectionSecretToReference = r
 }
+// GetCondition of this RolePolicy.
+func (mg *RolePolicy) GetCondition(ct xpv1.ConditionType) xpv1.Condition {
+ return mg.Status.GetCondition(ct)
+}
+
+// GetDeletionPolicy of this RolePolicy.
+func (mg *RolePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
+ return mg.Spec.DeletionPolicy
+}
+
+// GetManagementPolicy of this RolePolicy.
+func (mg *RolePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+ return mg.Spec.ManagementPolicy
+}
+
+// GetProviderConfigReference of this RolePolicy.
+func (mg *RolePolicy) GetProviderConfigReference() *xpv1.Reference {
+ return mg.Spec.ProviderConfigReference
+}
+
+/*
+GetProviderReference of this RolePolicy.
+Deprecated: Use GetProviderConfigReference.
+*/
+func (mg *RolePolicy) GetProviderReference() *xpv1.Reference {
+ return mg.Spec.ProviderReference
+}
+
+// GetPublishConnectionDetailsTo of this RolePolicy.
+func (mg *RolePolicy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo {
+ return mg.Spec.PublishConnectionDetailsTo
+}
+
+// GetWriteConnectionSecretToReference of this RolePolicy.
+func (mg *RolePolicy) GetWriteConnectionSecretToReference() *xpv1.SecretReference {
+ return mg.Spec.WriteConnectionSecretToReference
+}
+
+// SetConditions of this RolePolicy.
+func (mg *RolePolicy) SetConditions(c ...xpv1.Condition) {
+ mg.Status.SetConditions(c...)
+}
+
+// SetDeletionPolicy of this RolePolicy.
+func (mg *RolePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
+ mg.Spec.DeletionPolicy = r
+}
+
+// SetManagementPolicy of this RolePolicy.
+func (mg *RolePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+ mg.Spec.ManagementPolicy = r
+}
+
+// SetProviderConfigReference of this RolePolicy.
+func (mg *RolePolicy) SetProviderConfigReference(r *xpv1.Reference) {
+ mg.Spec.ProviderConfigReference = r
+}
+
+/*
+SetProviderReference of this RolePolicy.
+Deprecated: Use SetProviderConfigReference.
+*/
+func (mg *RolePolicy) SetProviderReference(r *xpv1.Reference) {
+ mg.Spec.ProviderReference = r
+}
+
+// SetPublishConnectionDetailsTo of this RolePolicy.
+func (mg *RolePolicy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) {
+ mg.Spec.PublishConnectionDetailsTo = r
+}
+
+// SetWriteConnectionSecretToReference of this RolePolicy.
+func (mg *RolePolicy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) {
+ mg.Spec.WriteConnectionSecretToReference = r
+}
+
 // GetCondition of this RolePolicyAttachment.
 func (mg *RolePolicyAttachment) GetCondition(ct xpv1.ConditionType) xpv1.Condition {
 return mg.Status.GetCondition(ct)
diff --git a/apis/iam/v1beta1/zz_generated.managedlist.go b/apis/iam/v1beta1/zz_generated.managedlist.go
index 7728836601..d290f1ae1f 100644
--- a/apis/iam/v1beta1/zz_generated.managedlist.go
+++ b/apis/iam/v1beta1/zz_generated.managedlist.go
@@ -106,6 +106,15 @@ func (l *RolePolicyAttachmentList) GetItems() []resource.Managed {
 return items
 }
+// GetItems of this RolePolicyList.
+func (l *RolePolicyList) GetItems() []resource.Managed {
+ items := make([]resource.Managed, len(l.Items))
+ for i := range l.Items {
+ items[i] = &l.Items[i]
+ }
+ return items
+}
+
 // GetItems of this SAMLProviderList.
 func (l *SAMLProviderList) GetItems() []resource.Managed {
 items := make([]resource.Managed, len(l.Items))
diff --git a/apis/iam/v1beta1/zz_generated.resolvers.go b/apis/iam/v1beta1/zz_generated.resolvers.go
index bd4fb91efd..77c815c75b 100644
--- a/apis/iam/v1beta1/zz_generated.resolvers.go
+++ b/apis/iam/v1beta1/zz_generated.resolvers.go
@@ -10,6 +10,7 @@ import (
 reference "github.com/crossplane/crossplane-runtime/pkg/reference"
 errors "github.com/pkg/errors"
 common "github.com/upbound/provider-aws/config/common"
+ resource "github.com/upbound/upjet/pkg/resource"
 client "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -150,6 +151,32 @@ func (mg *InstanceProfile) ResolveReferences(ctx context.Context, c client.Reade
 return nil
 }
+// ResolveReferences of this RolePolicy.
+func (mg *RolePolicy) ResolveReferences(ctx context.Context, c client.Reader) error {
+ r := reference.NewAPIResolver(c, mg)
+
+ var rsp reference.ResolutionResponse
+ var err error
+
+ rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
+ CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role),
+ Extract: resource.ExtractResourceID(),
+ Reference: mg.Spec.ForProvider.RoleRef,
+ Selector: mg.Spec.ForProvider.RoleSelector,
+ To: reference.To{
+ List: &RoleList{},
+ Managed: &Role{},
+ },
+ })
+ if err != nil {
+ return errors.Wrap(err, "mg.Spec.ForProvider.Role")
+ }
+ mg.Spec.ForProvider.Role = reference.ToPtrValue(rsp.ResolvedValue)
+ mg.Spec.ForProvider.RoleRef = rsp.ResolvedReference
+
+ return nil
+}
+
 // ResolveReferences of this RolePolicyAttachment.
 func (mg *RolePolicyAttachment) ResolveReferences(ctx context.Context, c client.Reader) error {
 r := reference.NewAPIResolver(c, mg)
diff --git a/apis/iam/v1beta1/zz_generated_terraformed.go b/apis/iam/v1beta1/zz_generated_terraformed.go
index 5119720628..5a79f1bee4 100755
--- a/apis/iam/v1beta1/zz_generated_terraformed.go
+++ b/apis/iam/v1beta1/zz_generated_terraformed.go
@@ -853,6 +853,80 @@ func (tr *Role) GetTerraformSchemaVersion() int {
 return 0
 }
+// GetTerraformResourceType returns Terraform resource type for this RolePolicy
+func (mg *RolePolicy) GetTerraformResourceType() string {
+ return "aws_iam_role_policy"
+}
+
+// GetConnectionDetailsMapping for this RolePolicy
+func (tr *RolePolicy) GetConnectionDetailsMapping() map[string]string {
+ return nil
+}
+
+// GetObservation of this RolePolicy
+func (tr *RolePolicy) GetObservation() (map[string]any, error) {
+ o, err := json.TFParser.Marshal(tr.Status.AtProvider)
+ if err != nil {
+ return nil, err
+ }
+ base := map[string]any{}
+ return base, json.TFParser.Unmarshal(o, &base)
+}
+
+// SetObservation for this RolePolicy
+func (tr *RolePolicy) SetObservation(obs map[string]any) error {
+ p, err := json.TFParser.Marshal(obs)
+ if err != nil {
+ return err
+ }
+ return json.TFParser.Unmarshal(p, &tr.Status.AtProvider)
+}
+
+// GetID returns ID of underlying Terraform resource of this RolePolicy
+func (tr *RolePolicy) GetID() string {
+ if tr.Status.AtProvider.ID == nil {
+ return ""
+ }
+ return *tr.Status.AtProvider.ID
+}
+
+// GetParameters of this RolePolicy
+func (tr *RolePolicy) GetParameters() (map[string]any, error) {
+ p, err := json.TFParser.Marshal(tr.Spec.ForProvider)
+ if err != nil {
+ return nil, err
+ }
+ base := map[string]any{}
+ return base, json.TFParser.Unmarshal(p, &base)
+}
+
+// SetParameters for this RolePolicy
+func (tr *RolePolicy) SetParameters(params map[string]any) error {
+ p, err := json.TFParser.Marshal(params)
+ if err != nil {
+ return err
+ }
+ return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider)
+}
+
+// LateInitialize this RolePolicy using its observed tfState.
+// returns True if there are any spec changes for the resource.
+func (tr *RolePolicy) LateInitialize(attrs []byte) (bool, error) {
+ params := &RolePolicyParameters{}
+ if err := json.TFParser.Unmarshal(attrs, params); err != nil {
+ return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization")
+ }
+ opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)}
+
+ li := resource.NewGenericLateInitializer(opts...)
+ return li.LateInitialize(&tr.Spec.ForProvider, params)
+}
+
+// GetTerraformSchemaVersion returns the associated Terraform schema version
+func (tr *RolePolicy) GetTerraformSchemaVersion() int {
+ return 0
+}
+
 // GetTerraformResourceType returns Terraform resource type for this RolePolicyAttachment
 func (mg *RolePolicyAttachment) GetTerraformResourceType() string {
 return "aws_iam_role_policy_attachment"
diff --git a/apis/iam/v1beta1/zz_rolepolicy_types.go b/apis/iam/v1beta1/zz_rolepolicy_types.go
new file mode 100755
index 0000000000..c80e75e235
--- /dev/null
+++ b/apis/iam/v1beta1/zz_rolepolicy_types.go
@@ -0,0 +1,104 @@
+/*
+Copyright 2022 Upbound Inc.
+*/
+
+// Code generated by upjet. DO NOT EDIT.
+
+package v1beta1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+
+ v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+)
+
+type RolePolicyObservation struct {
+
+ // The role policy ID, in the form of role_name:role_policy_name.
+ ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+ // The name of the role policy.
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // The inline policy document. This is a JSON formatted string
+ Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+ // The name of the IAM role to attach to the policy.
+ Role *string `json:"role,omitempty" tf:"role,omitempty"`
+}
+
+type RolePolicyParameters struct {
+
+ // The name of the role policy.
+ // +kubebuilder:validation:Optional
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // The inline policy document. This is a JSON formatted string
+ // +kubebuilder:validation:Optional
+ Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+ // The name of the IAM role to attach to the policy.
+ // +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/iam/v1beta1.Role
+ // +crossplane:generate:reference:extractor=github.com/upbound/upjet/pkg/resource.ExtractResourceID()
+ // +kubebuilder:validation:Optional
+ Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+ // Reference to a Role in iam to populate role.
+ // +kubebuilder:validation:Optional
+ RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"`
+
+ // Selector for a Role in iam to populate role.
+ // +kubebuilder:validation:Optional
+ RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"`
+}
+
+// RolePolicySpec defines the desired state of RolePolicy
+type RolePolicySpec struct {
+ v1.ResourceSpec `json:",inline"`
+ ForProvider RolePolicyParameters `json:"forProvider"`
+}
+
+// RolePolicyStatus defines the observed state of RolePolicy.
+type RolePolicyStatus struct {
+ v1.ResourceStatus `json:",inline"`
+ AtProvider RolePolicyObservation `json:"atProvider,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RolePolicy is the Schema for the RolePolicys API. Provides an IAM role policy.
+// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
+// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
+// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,aws}
+type RolePolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+ // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+ Spec RolePolicySpec `json:"spec"`
+ Status RolePolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RolePolicyList contains a list of RolePolicys
+type RolePolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []RolePolicy `json:"items"`
+}
+
+// Repository type metadata.
+var (
+ RolePolicy_Kind = "RolePolicy"
+ RolePolicy_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: RolePolicy_Kind}.String()
+ RolePolicy_KindAPIVersion = RolePolicy_Kind + "."
+ CRDGroupVersion.String()
+ RolePolicy_GroupVersionKind = CRDGroupVersion.WithKind(RolePolicy_Kind)
+)
+
+func init() {
+ SchemeBuilder.Register(&RolePolicy{}, &RolePolicyList{})
+}
diff --git a/config/externalname.go b/config/externalname.go
index 8886b2d7dc..bc07024036 100644
--- a/config/externalname.go
+++ b/config/externalname.go
@@ -486,10 +486,11 @@ var ExternalNameConfigs = map[string]config.ExternalName{
 "aws_iam_access_key": config.IdentifierFromProvider,
 "aws_iam_instance_profile": config.NameAsIdentifier,
 // arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
- "aws_iam_policy": iamPolicy(),
- "aws_iam_user": config.NameAsIdentifier,
- "aws_iam_group": config.NameAsIdentifier,
- "aws_iam_role": config.NameAsIdentifier,
+ "aws_iam_policy": iamPolicy(),
+ "aws_iam_user": config.NameAsIdentifier,
+ "aws_iam_group": config.NameAsIdentifier,
+ "aws_iam_role": config.NameAsIdentifier,
+ "aws_iam_role_policy": config.IdentifierFromProvider,
 // Imported using the role name and policy arn separated by /
 // test-role/arn:aws:iam::xxxxxxxxxxxx:policy/test-policy
 "aws_iam_role_policy_attachment": config.IdentifierFromProvider,
diff --git a/config/provider.go b/config/provider.go
index bb3133ac0f..d05a3e3349 100644
--- a/config/provider.go
+++ b/config/provider.go
@@ -111,7 +111,6 @@ var skipList = []string{
 "aws_alb_target_group_attachment$", // identical with aws_lb_target_group_attachment
 "aws_iam_policy_attachment$", // identical with aws_iam_*_policy_attachment resources.
 "aws_iam_group_policy$", // identical with aws_iam_*_policy_attachment resources.
- "aws_iam_role_policy$", // identical with aws_iam_*_policy_attachment resources.
 "aws_iam_user_policy$", // identical with aws_iam_*_policy_attachment resources.
 "aws_alb$", // identical with aws_lb.
 "aws_alb_listener$", // identical with aws_lb_listener.
diff --git a/examples-generated/apigateway/account.yaml b/examples-generated/apigateway/account.yaml
index 5d13f1b706..134dab82c1 100644
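Review bot: The new `"aws_iam_role_policy": config.IdentifierFromProvider` entry carries no comment documenting the provider-side ID format, unlike the neighbouring `aws_iam_role_policy_attachment` entry, even though the generated observation type added in this same commit states the ID is `role_name:role_policy_name`. Both halves of that ID are already present in `spec.forProvider` (`role` and `name`), so a templated identifier such as `config.TemplatedStringAsIdentifier("name", "{{ .parameters.role }}:{{ .external_name }}")` would fix the external name before the first create call; with IdentifierFromProvider the name is only learned after creation, so a failed status write can leave an inline policy on the role that the next reconcile does not recognise as its own. `name` is marked optional in the generated parameters, so that presumably depends on how an unset name is handled by the provider and needs confirming. If IdentifierFromProvider is kept, add the import-format comment the other entries use, e.g. `// Imported using the role name and policy name separated by :` followed by `// test-role:test-policy`.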
--- a/examples-generated/apigateway/account.yaml
+++ b/examples-generated/apigateway/account.yaml
@@ -26,3 +26,21 @@ metadata:
 spec:
 forProvider:
 assumeRolePolicy: ${data.aws_iam_policy_document.assume_role.json}
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: apigateway/v1beta1/account
+ labels:
+ testing.upbound.io/example-name: cloudwatch
+ name: cloudwatch
+spec:
+ forProvider:
+ name: default
+ policy: ${data.aws_iam_policy_document.cloudwatch.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: cloudwatch
+
+---
+
diff --git a/examples-generated/apigateway/authorizer.yaml b/examples-generated/apigateway/authorizer.yaml
index ac3f315c3f..50948a7382 100644
--- a/examples-generated/apigateway/authorizer.yaml
+++ b/examples-generated/apigateway/authorizer.yaml
@@ -66,6 +66,24 @@ spec:
 ---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: apigateway/v1beta1/authorizer
+ labels:
+ testing.upbound.io/example-name: invocation_policy
+ name: invocation-policy
+spec:
+ forProvider:
+ name: default
+ policy: ${data.aws_iam_policy_document.invocation_policy.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: invocation_role
+
+---
+
 apiVersion: lambda.aws.upbound.io/v1beta1
 kind: Function
 metadata:
diff --git a/examples-generated/appsync/datasource.yaml b/examples-generated/appsync/datasource.yaml
index 7f9c7fc887..f8cec6123c 100644
--- a/examples-generated/appsync/datasource.yaml
+++ b/examples-generated/appsync/datasource.yaml
@@ -70,3 +70,21 @@ metadata:
 spec:
 forProvider:
 assumeRolePolicy: ${data.aws_iam_policy_document.assume_role.json}
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: appsync/v1beta1/datasource
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ name: example
+ policy: ${data.aws_iam_policy_document.example.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: example
+
+---
+
diff --git a/examples-generated/cloudformation/stackset.yaml b/examples-generated/cloudformation/stackset.yaml
index 047e52ddba..e846e12106 100644
--- a/examples-generated/cloudformation/stackset.yaml
+++ b/examples-generated/cloudformation/stackset.yaml
@@ -54,3 +54,21 @@ metadata:
 spec:
 forProvider:
 assumeRolePolicy: ${data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_assume_role_policy.json}
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cloudformation/v1beta1/stackset
+ labels:
+ testing.upbound.io/example-name: AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy
+ name: awscloudformationstacksetadministrationrole-executionpolicy
+spec:
+ forProvider:
+ name: ExecutionPolicy
+ policy: ${data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: AWSCloudFormationStackSetAdministrationRole
+
+---
+
diff --git a/examples-generated/cloudfront/realtimelogconfig.yaml b/examples-generated/cloudfront/realtimelogconfig.yaml
index e8940b178b..b4cb78450f 100644
--- a/examples-generated/cloudfront/realtimelogconfig.yaml
+++ b/examples-generated/cloudfront/realtimelogconfig.yaml
@@ -37,3 +37,21 @@ metadata:
 spec:
 forProvider:
 assumeRolePolicy: ${data.aws_iam_policy_document.assume_role.json}
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cloudfront/v1beta1/realtimelogconfig
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ name: cloudfront-realtime-log-config-example
+ policy: ${data.aws_iam_policy_document.example.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: example
+
+---
+
diff --git a/examples-generated/cloudwatch/metricstream.yaml b/examples-generated/cloudwatch/metricstream.yaml
index e79532505e..5a5896456a 100644
--- a/examples-generated/cloudwatch/metricstream.yaml
+++ b/examples-generated/cloudwatch/metricstream.yaml
@@ -55,6 +55,42 @@ spec:
 ---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cloudwatch/v1beta1/metricstream
+ labels:
+ testing.upbound.io/example-name: firehose_to_s3
+ name: firehose-to-s3
+spec:
+ forProvider:
+ name: default
+ policy: ${data.aws_iam_policy_document.firehose_to_s3.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: firehose_to_s3
+
+---
+
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cloudwatch/v1beta1/metricstream
+ labels:
+ testing.upbound.io/example-name: metric_stream_to_firehose
+ name: metric-stream-to-firehose
+spec:
+ forProvider:
+ name: default
+ policy: ${data.aws_iam_policy_document.metric_stream_to_firehose.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: metric_stream_to_firehose
+
+---
+
 apiVersion: firehose.aws.upbound.io/v1beta1
 kind: DeliveryStream
 metadata:
diff --git a/examples-generated/codepipeline/codepipeline.yaml b/examples-generated/codepipeline/codepipeline.yaml
index 519785185d..5c357b3dc6 100644
--- a/examples-generated/codepipeline/codepipeline.yaml
+++ b/examples-generated/codepipeline/codepipeline.yaml
@@ -95,6 +95,24 @@ spec:
 ---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: codepipeline/v1beta1/codepipeline
+ labels:
+ testing.upbound.io/example-name: codepipeline_policy
+ name: codepipeline-policy
+spec:
+ forProvider:
+ name: codepipeline_policy
+ policy: ${data.aws_iam_policy_document.codepipeline_policy.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: codepipeline_role
+
+---
+
 apiVersion: s3.aws.upbound.io/v1beta1
 kind: Bucket
 metadata:
diff --git a/examples-generated/cognitoidentity/poolrolesattachment.yaml b/examples-generated/cognitoidentity/poolrolesattachment.yaml
index 221bcbcc02..e3223a3501 100644
--- a/examples-generated/cognitoidentity/poolrolesattachment.yaml
+++ b/examples-generated/cognitoidentity/poolrolesattachment.yaml
@@ -57,3 +57,21 @@ metadata:
 spec:
 forProvider:
 assumeRolePolicy: ${data.aws_iam_policy_document.authenticated.json}
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cognitoidentity/v1beta1/poolrolesattachment
+ labels:
+ testing.upbound.io/example-name: authenticated
+ name: authenticated
+spec:
+ forProvider:
+ name: authenticated_policy
+ policy: ${data.aws_iam_policy_document.authenticated_role_policy.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: authenticated
+
+---
+
diff --git a/examples-generated/configservice/awsconfigurationrecorderstatus.yaml b/examples-generated/configservice/awsconfigurationrecorderstatus.yaml
index 964c0434dc..c65461ed4f 100644
--- a/examples-generated/configservice/awsconfigurationrecorderstatus.yaml
+++ b/examples-generated/configservice/awsconfigurationrecorderstatus.yaml
@@ -61,6 +61,24 @@ spec:
 ---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: configservice/v1beta1/awsconfigurationrecorderstatus
+ labels:
+ testing.upbound.io/example-name: p
+ name: p
+spec:
+ forProvider:
+ name: awsconfig-example
+ policy: ${data.aws_iam_policy_document.p.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: r
+
+---
+
 apiVersion: iam.aws.upbound.io/v1beta1
 kind: RolePolicyAttachment
 metadata:
diff --git a/examples-generated/configservice/configrule.yaml b/examples-generated/configservice/configrule.yaml
index 9dfccb587c..87f89065db 100644
--- a/examples-generated/configservice/configrule.yaml
+++ b/examples-generated/configservice/configrule.yaml
@@ -45,3 +45,21 @@ metadata:
 spec:
 forProvider:
 assumeRolePolicy: ${data.aws_iam_policy_document.assume_role.json}
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: configservice/v1beta1/configrule
+ labels:
+ testing.upbound.io/example-name: p
+ name: p
+spec:
+ forProvider:
+ name: my-awsconfig-policy
+ policy: ${data.aws_iam_policy_document.p.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: r
+
+---
+
diff --git a/examples-generated/configservice/deliverychannel.yaml b/examples-generated/configservice/deliverychannel.yaml
index 134724597c..47e85e22b4 100644
--- a/examples-generated/configservice/deliverychannel.yaml
+++ b/examples-generated/configservice/deliverychannel.yaml
@@ -46,6 +46,24 @@ spec: --- +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: configservice/v1beta1/deliverychannel + labels: + testing.upbound.io/example-name: p + name: p +spec: + forProvider: + name: awsconfig-example + policy: ${data.aws_iam_policy_document.p.json} + roleSelector: + matchLabels: + testing.upbound.io/example-name: r + +--- + apiVersion: s3.aws.upbound.io/v1beta1 kind: Bucket metadata: diff --git a/examples-generated/dlm/lifecyclepolicy.yaml b/examples-generated/dlm/lifecyclepolicy.yaml index a100e330af..b50e2b1578 100644 --- a/examples-generated/dlm/lifecyclepolicy.yaml +++ b/examples-generated/dlm/lifecyclepolicy.yaml @@ -45,3 +45,21 @@ metadata: spec: forProvider: assumeRolePolicy: ${data.aws_iam_policy_document.assume_role.json} +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: dlm/v1beta1/lifecyclepolicy + labels: + testing.upbound.io/example-name: dlm_lifecycle + name: dlm-lifecycle +spec: + forProvider: + name: dlm-lifecycle-policy + policy: ${data.aws_iam_policy_document.dlm_lifecycle.json} + roleSelector: + matchLabels: + testing.upbound.io/example-name: dlm_lifecycle_role + +--- + diff --git a/examples-generated/ec2/flowlog.yaml b/examples-generated/ec2/flowlog.yaml index 09f82d4e38..07f42d3c5d 100644 --- a/examples-generated/ec2/flowlog.yaml +++ b/examples-generated/ec2/flowlog.yaml @@ -47,3 +47,21 @@ metadata: spec: forProvider: assumeRolePolicy: ${data.aws_iam_policy_document.assume_role.json} +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: ec2/v1beta1/flowlog + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + name: example + policy: ${data.aws_iam_policy_document.example.json} + roleSelector: + matchLabels: + testing.upbound.io/example-name: example + +--- + 
diff --git a/examples-generated/iam/rolepolicy.yaml b/examples-generated/iam/rolepolicy.yaml new file mode 100644 index 0000000000..ac425b83d3 --- /dev/null +++ b/examples-generated/iam/rolepolicy.yaml @@ -0,0 +1,57 @@ +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: iam/v1beta1/rolepolicy + labels: + testing.upbound.io/example-name: test_policy + name: test-policy +spec: + forProvider: + name: test_policy + policy: |- + ${jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + })} + roleSelector: + matchLabels: + testing.upbound.io/example-name: test_role + +--- + +apiVersion: iam.aws.upbound.io/v1beta1 +kind: Role +metadata: + annotations: + meta.upbound.io/example-id: iam/v1beta1/rolepolicy + labels: + testing.upbound.io/example-name: test_role + name: test-role +spec: + forProvider: + assumeRolePolicy: |- + ${jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "ec2.amazonaws.com" + } + }, + ] + })} + +--- + diff --git a/examples-generated/iot/topicrule.yaml b/examples-generated/iot/topicrule.yaml index 242098176e..5703473078 100644 --- a/examples-generated/iot/topicrule.yaml +++ b/examples-generated/iot/topicrule.yaml @@ -47,6 +47,24 @@ spec: --- +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: iot/v1beta1/topicrule + labels: + testing.upbound.io/example-name: iam_policy_for_lambda + name: iam-policy-for-lambda +spec: + forProvider: + name: mypolicy + policy: ${data.aws_iam_policy_document.iam_policy_for_lambda.json} + roleSelector: + matchLabels: + testing.upbound.io/example-name: role + +--- + apiVersion: sns.aws.upbound.io/v1beta1 kind: Topic metadata: 
diff --git a/examples-generated/transcribe/languagemodel.yaml b/examples-generated/transcribe/languagemodel.yaml index 415fc9d376..53cf155b69 100644 --- a/examples-generated/transcribe/languagemodel.yaml +++ b/examples-generated/transcribe/languagemodel.yaml @@ -35,6 +35,37 @@ spec: --- +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: transcribe/v1beta1/languagemodel + labels: + testing.upbound.io/example-name: test_policy + name: test-policy +spec: + forProvider: + name: example + policy: |- + ${jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:GetObject", + "s3:ListBucket", + ] + Effect = "Allow" + Resource = ["*"] + }, + ] + })} + roleSelector: + matchLabels: + testing.upbound.io/example-name: example + +--- + apiVersion: s3.aws.upbound.io/v1beta1 kind: Bucket metadata: diff --git a/examples-generated/transfer/sshkey.yaml b/examples-generated/transfer/sshkey.yaml index ac4ece51c8..d1c92e5622 100644 --- a/examples-generated/transfer/sshkey.yaml +++ b/examples-generated/transfer/sshkey.yaml @@ -33,6 +33,24 @@ spec: --- +apiVersion: iam.aws.upbound.io/v1beta1 +kind: RolePolicy +metadata: + annotations: + meta.upbound.io/example-id: transfer/v1beta1/sshkey + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + name: tf-test-transfer-user-iam-policy + policy: ${data.aws_iam_policy_document.example.json} + roleSelector: + matchLabels: + testing.upbound.io/example-name: example + +--- + apiVersion: transfer.aws.upbound.io/v1beta1 kind: Server metadata: diff --git a/examples-generated/transfer/user.yaml b/examples-generated/transfer/user.yaml index 01e3fa7929..8330ab2c82 100644 --- a/examples-generated/transfer/user.yaml +++ b/examples-generated/transfer/user.yaml 
@@ -36,6 +36,24 @@ spec:
 
 ---
 
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: transfer/v1beta1/user
+ labels:
+ testing.upbound.io/example-name: foo
+ name: foo
+spec:
+ forProvider:
+ name: tf-test-transfer-user-iam-policy
+ policy: ${data.aws_iam_role_policy.foo.json}
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: foo
+
+---
+
 apiVersion: transfer.aws.upbound.io/v1beta1
 kind: Server
 metadata:
diff --git a/examples/iam/rolepolicy.yaml b/examples/iam/rolepolicy.yaml
new file mode 100644
index 0000000000..e4d2baec62
--- /dev/null
+++ b/examples/iam/rolepolicy.yaml
@@ -0,0 +1,49 @@
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: iam/v1beta1/rolepolicy
+ labels:
+ testing.upbound.io/example-name: test_policy
+ name: test-policy
+spec:
+ forProvider:
+ name: test_policy
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": "ec2:Describe*"
+ }
+ ]
+ }
+ roleSelector:
+ matchLabels:
+ testing.upbound.io/example-name: test_role
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+ annotations:
+ meta.upbound.io/example-id: iam/v1beta1/rolepolicy
+ labels:
+ testing.upbound.io/example-name: test_role
+ name: test-role
+spec:
+ forProvider:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "eks.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
diff --git a/internal/controller/iam/rolepolicy/zz_controller.go b/internal/controller/iam/rolepolicy/zz_controller.go
new file mode 100755
index 0000000000..9b9273a07a
--- /dev/null
+++ b/internal/controller/iam/rolepolicy/zz_controller.go
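Review bot: The trust policy in examples/iam/rolepolicy.yaml lets `eks.amazonaws.com` assume `test-role`, while the generated example for the same resource in examples-generated/iam/rolepolicy.yaml (earlier in this diff) trusts `ec2.amazonaws.com`; since the inline policy only grants `ec2:Describe*`, the EC2 principal reads as the intended one, so the two examples should agree or this one should state why EKS was chosen. The inline policy uses `"Resource": "*"`, which is acceptable for a read-only `Describe*` example, but a one-line comment above `policy: |` such as `# example only: read-only ec2:Describe* on all resources; scope Resource and Action to what the workload needs` would make the least-privilege expectation explicit to anyone copying the manifest. If this manifest is the one picked up by the example-based e2e tests (the `testing.upbound.io/example-name` labels suggest so), the principal choice also determines what the test exercises, so it is worth confirming which service principal the test is meant to cover.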
@@ -0,0 +1,55 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package rolepolicy + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" + tjcontroller "github.com/upbound/upjet/pkg/controller" + "github.com/upbound/upjet/pkg/terraform" + ctrl "sigs.k8s.io/controller-runtime" + + v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1" + features "github.com/upbound/provider-aws/internal/features" +) + +// Setup adds a controller that reconciles RolePolicy managed resources. +func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1beta1.RolePolicy_GroupVersionKind.String()) + var initializers managed.InitializerChain + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.SecretStoreConfigGVK != nil { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) + } + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_role_policy"], tjcontroller.WithLogger(o.Logger), + tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RolePolicy_GroupVersionKind))), + )), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), 
+ managed.WithConnectionPublishers(cps...), + managed.WithPollInterval(o.PollInterval), + } + if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RolePolicy_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + For(&v1beta1.RolePolicy{}). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/zz_iam_setup.go b/internal/controller/zz_iam_setup.go index 7d4478f7af..cf2cf19507 100755 --- a/internal/controller/zz_iam_setup.go +++ b/internal/controller/zz_iam_setup.go @@ -19,6 +19,7 @@ import ( openidconnectprovider "github.com/upbound/provider-aws/internal/controller/iam/openidconnectprovider" policy "github.com/upbound/provider-aws/internal/controller/iam/policy" role "github.com/upbound/provider-aws/internal/controller/iam/role" + rolepolicy "github.com/upbound/provider-aws/internal/controller/iam/rolepolicy" rolepolicyattachment "github.com/upbound/provider-aws/internal/controller/iam/rolepolicyattachment" samlprovider "github.com/upbound/provider-aws/internal/controller/iam/samlprovider" servercertificate "github.com/upbound/provider-aws/internal/controller/iam/servercertificate" @@ -47,6 +48,7 @@ func Setup_iam(mgr ctrl.Manager, o controller.Options) error { openidconnectprovider.Setup, policy.Setup, role.Setup, + rolepolicy.Setup, rolepolicyattachment.Setup, samlprovider.Setup, servercertificate.Setup, diff --git a/internal/controller/zz_monolith_setup.go b/internal/controller/zz_monolith_setup.go index d9a1b876d2..f9b5e006c4 100755 --- a/internal/controller/zz_monolith_setup.go +++ b/internal/controller/zz_monolith_setup.go 
@@ -492,6 +492,7 @@ import ( openidconnectprovider "github.com/upbound/provider-aws/internal/controller/iam/openidconnectprovider" policyiam "github.com/upbound/provider-aws/internal/controller/iam/policy" role "github.com/upbound/provider-aws/internal/controller/iam/role" + rolepolicy "github.com/upbound/provider-aws/internal/controller/iam/rolepolicy" rolepolicyattachment "github.com/upbound/provider-aws/internal/controller/iam/rolepolicyattachment" samlprovider "github.com/upbound/provider-aws/internal/controller/iam/samlprovider" servercertificate "github.com/upbound/provider-aws/internal/controller/iam/servercertificate" @@ -1401,6 +1402,7 @@ func Setup_monolith(mgr ctrl.Manager, o controller.Options) error { openidconnectprovider.Setup, policyiam.Setup, role.Setup, + rolepolicy.Setup, rolepolicyattachment.Setup, samlprovider.Setup, servercertificate.Setup, diff --git a/package/crds/iam.aws.upbound.io_rolepolicies.yaml b/package/crds/iam.aws.upbound.io_rolepolicies.yaml new file mode 100644 index 0000000000..2dd2661b6c --- /dev/null +++ b/package/crds/iam.aws.upbound.io_rolepolicies.yaml 
@@ -0,0 +1,403 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: rolepolicies.iam.aws.upbound.io +spec: + group: iam.aws.upbound.io + names: + categories: + - crossplane + - managed + - aws + kind: RolePolicy + listKind: RolePolicyList + plural: rolepolicies + singular: rolepolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: RolePolicy is the Schema for the RolePolicys API. Provides an + IAM role policy. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RolePolicySpec defines the desired state of RolePolicy + properties: + deletionPolicy: + default: Delete + description: 'DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. 
This field is planned to be deprecated + in favor of the ManagementPolicy field in a future release. Currently, + both could be set independently and non-default values would be + honored if the feature flag is enabled. See the design doc for more + information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + name: + description: The name of the role policy. + type: string + policy: + description: The inline policy document. This is a JSON formatted + string + type: string + role: + description: The name of the IAM role to attach to the policy. + type: string + roleRef: + description: Reference to a Role in iam to populate role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a Role in iam to populate role. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + type: object + managementPolicy: + default: FullControl + description: 'THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. ManagementPolicy + specifies the level of control Crossplane has over the managed external + resource. This field is planned to replace the DeletionPolicy field + in a future release. Currently, both could be set independently + and non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + enum: + - FullControl + - ObserveOnly + - OrphanOnDelete + type: string + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. 
+ properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. 
+ type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + x-kubernetes-validations: + - message: policy is a required parameter + rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy) + status: + description: RolePolicyStatus defines the observed state of RolePolicy. + properties: + atProvider: + properties: + id: + description: The role policy ID, in the form of role_name:role_policy_name. + type: string + name: + description: The name of the role policy. + type: string + policy: + description: The inline policy document. This is a JSON formatted + string + type: string + role: + description: The name of the IAM role to attach to the policy. 
+ type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}