diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go index 52580faad4..164f13edd3 100644 --- a/apis/iam/v1beta1/zz_generated.deepcopy.go +++ b/apis/iam/v1beta1/zz_generated.deepcopy.go @@ -1225,6 +1225,16 @@ func (in *GroupStatus) DeepCopy() *GroupStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InlinePolicyInitParameters) DeepCopyInto(out *InlinePolicyInitParameters) { *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InlinePolicyInitParameters. @@ -1265,6 +1275,16 @@ func (in *InlinePolicyObservation) DeepCopy() *InlinePolicyObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InlinePolicyParameters) DeepCopyInto(out *InlinePolicyParameters) { *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InlinePolicyParameters. 
@@ -2125,6 +2145,24 @@ func (in *RoleInitParameters) DeepCopyInto(out *RoleInitParameters) { *out = new(bool) **out = **in } + if in.InlinePolicy != nil { + in, out := &in.InlinePolicy, &out.InlinePolicy + *out = make([]InlinePolicyInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ManagedPolicyArns != nil { + in, out := &in.ManagedPolicyArns, &out.ManagedPolicyArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.MaxSessionDuration != nil { in, out := &in.MaxSessionDuration, &out.MaxSessionDuration *out = new(float64) @@ -2392,6 +2430,24 @@ func (in *RoleParameters) DeepCopyInto(out *RoleParameters) { *out = new(bool) **out = **in } + if in.InlinePolicy != nil { + in, out := &in.InlinePolicy, &out.InlinePolicy + *out = make([]InlinePolicyParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ManagedPolicyArns != nil { + in, out := &in.ManagedPolicyArns, &out.ManagedPolicyArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.MaxSessionDuration != nil { in, out := &in.MaxSessionDuration, &out.MaxSessionDuration *out = new(float64) diff --git a/apis/iam/v1beta1/zz_role_types.go b/apis/iam/v1beta1/zz_role_types.go index d616699f81..44ce956a46 100755 --- a/apis/iam/v1beta1/zz_role_types.go +++ b/apis/iam/v1beta1/zz_role_types.go @@ -14,6 +14,12 @@ import ( ) type InlinePolicyInitParameters struct { + + // Friendly name of the role. See IAM Identifiers for more information. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Policy document as a JSON formatted string. + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` } type InlinePolicyObservation struct { 
@@ -26,6 +32,14 @@ type InlinePolicyObservation struct { } type InlinePolicyParameters struct { + + // Friendly name of the role. See IAM Identifiers for more information. + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Policy document as a JSON formatted string. + // +kubebuilder:validation:Optional + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` } type RoleInitParameters struct { 
@@ -39,6 +53,12 @@ type RoleInitParameters struct { // Whether to force detaching any policies the role has before destroying it. Defaults to false. ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"` + // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply. + InlinePolicy []InlinePolicyInitParameters `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"` + + // Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments. + ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"` + // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"` 
@@ -85,10 +105,10 @@ type RoleObservation struct { // Name of the role. ID *string `json:"id,omitempty" tf:"id,omitempty"` - // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. Configuring one empty block (i.e. + // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply. InlinePolicy []InlinePolicyObservation `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"` - // Set of exclusive IAM managed policy ARNs to attach to the IAM role. Configuring an empty set (i.e. + // Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments. ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"` // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. 
@@ -127,6 +147,14 @@ type RoleParameters struct { // +kubebuilder:validation:Optional ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"` + // Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply. + // +kubebuilder:validation:Optional + InlinePolicy []InlinePolicyParameters `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"` + + // Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments. + // +kubebuilder:validation:Optional + ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"` + // Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. // +kubebuilder:validation:Optional MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"` diff --git a/config/iam/config.go b/config/iam/config.go index 2af8610790..e9a7b09d90 100644 --- a/config/iam/config.go +++ b/config/iam/config.go 
@@ -31,11 +31,8 @@ func Configure(p *config.Provider) {
 })
 
 p.AddResourceConfigurator("aws_iam_role", func(r *config.Resource) {
- // Mutually exclusive with:
- // aws_iam_policy_attachment
- // aws_iam_role_policy_attachment
- // aws_iam_role_policy
- config.MoveToStatus(r.TerraformResource, "inline_policy", "managed_policy_arns")
+ r.MetaResource.ArgumentDocs["inline_policy"] = `Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Crossplane will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Crossplane to remove all inline policies added out of band on apply.`
+ r.MetaResource.ArgumentDocs["managed_policy_arns"] = `Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Crossplane will ignore policy attachments to this resource. When configured, Crossplane will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Crossplane to remove all managed policy attachments.`
 })
 
 p.AddResourceConfigurator("aws_iam_instance_profile", func(r *config.Resource) {
diff --git a/examples/iam/role-with-inline-policy.yaml b/examples/iam/role-with-inline-policy.yaml
new file mode 100644
index 0000000000..d488b0c597
--- /dev/null
+++ b/examples/iam/role-with-inline-policy.yaml
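Review bot: Removing the `// Mutually exclusive with: aws_iam_policy_attachment / aws_iam_role_policy_attachment / aws_iam_role_policy` comment drops the only record in this configurator that the two arguments conflict with the standalone attachment resources, and neither new ArgumentDocs string mentions it, so a Role that sets `managedPolicyArns` alongside a RolePolicyAttachment for the same role will have the two controllers detach and re-attach the policy on every reconcile. Keep the comment above the two assignments and end both doc strings with a sentence such as `Do not combine with RolePolicyAttachment, PolicyAttachment or RolePolicy resources that target the same role.` The parenthetical examples `inline_policy {}` and `managed_policy_arns = []` are HCL rather than CR syntax, and because the generated fields carry `json:"managedPolicyArns,omitempty"` an empty list in the CR may be dropped before it reaches Terraform, so the "empty set removes all attachments" claim should be confirmed against the provider before it is documented. The scraped description of the inline policy `name` field (`Friendly name of the role.`) in the generated types and CRD describes the role rather than the inline policy; an ArgumentDocs override for the nested argument, if the registry supports keying it, is the place to fix that. The enclosing Configure function starts and ends outside the hunk.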
@@ -0,0 +1,36 @@
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+ annotations:
+ meta.upbound.io/example-id: iam/v1beta1/role
+ labels:
+ testing.upbound.io/example-name: role
+ name: role-with-inline-policy
+spec:
+ forProvider:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "eks.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ inlinePolicy:
+ - name: "my_inline_policy"
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": "ec2:Describe*"
+ }
+ ]
+ }
diff --git a/package/crds/iam.aws.upbound.io_roles.yaml b/package/crds/iam.aws.upbound.io_roles.yaml
index 856e1996a6..26ebcc7b17 100644
--- a/package/crds/iam.aws.upbound.io_roles.yaml
+++ b/package/crds/iam.aws.upbound.io_roles.yaml
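Review bot: The example exercises `inlinePolicy` only, so `managedPolicyArns` — the field whose exclusive-set semantics detach out-of-band attachments — has no example manifest, and presumably the e2e run driven by these examples never reconciles it. Either add a `managedPolicyArns:` list to this manifest (a placeholder such as `- arn:aws:iam::aws:policy/<MANAGED_POLICY_NAME>` until a suitable policy is chosen) or add a sibling example, so both new spec fields are reconciled at least once before release.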
@@ -77,6 +77,35 @@ spec: description: Whether to force detaching any policies the role has before destroying it. Defaults to false. type: boolean + inlinePolicy: + description: Configuration block defining an exclusive set of + IAM inline policies associated with the IAM role. See below. + If no blocks are configured, Crossplane will not manage any + inline policies in this resource. Configuring one empty block + (i.e., inline_policy {}) will cause Crossplane to remove all + inline policies added out of band on apply. + items: + properties: + name: + description: Friendly name of the role. See IAM Identifiers + for more information. + type: string + policy: + description: Policy document as a JSON formatted string. + type: string + type: object + type: array + managedPolicyArns: + description: Set of exclusive IAM managed policy ARNs to attach + to the IAM role. If this attribute is not configured, Crossplane + will ignore policy attachments to this resource. When configured, + Crossplane will align the role's managed policy attachments + with this set by attaching or detaching managed policies. Configuring + an empty set (i.e., managed_policy_arns = []) will cause Crossplane + to remove all managed policy attachments. + items: + type: string + type: array maxSessionDuration: description: Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value 
@@ -120,6 +149,35 @@ spec: description: Whether to force detaching any policies the role has before destroying it. Defaults to false. type: boolean + inlinePolicy: + description: Configuration block defining an exclusive set of + IAM inline policies associated with the IAM role. See below. + If no blocks are configured, Crossplane will not manage any + inline policies in this resource. Configuring one empty block + (i.e., inline_policy {}) will cause Crossplane to remove all + inline policies added out of band on apply. + items: + properties: + name: + description: Friendly name of the role. See IAM Identifiers + for more information. + type: string + policy: + description: Policy document as a JSON formatted string. + type: string + type: object + type: array + managedPolicyArns: + description: Set of exclusive IAM managed policy ARNs to attach + to the IAM role. If this attribute is not configured, Crossplane + will ignore policy attachments to this resource. When configured, + Crossplane will align the role's managed policy attachments + with this set by attaching or detaching managed policies. Configuring + an empty set (i.e., managed_policy_arns = []) will cause Crossplane + to remove all managed policy attachments. + items: + type: string + type: array maxSessionDuration: description: Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value @@ -369,7 +427,10 @@ spec: inlinePolicy: description: Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. - Configuring one empty block (i.e. + If no blocks are configured, Crossplane will not manage any + inline policies in this resource. Configuring one empty block + (i.e., inline_policy {}) will cause Crossplane to remove all + inline policies added out of band on apply. items: properties: name: 
@@ -383,7 +444,12 @@ spec: type: array managedPolicyArns: description: Set of exclusive IAM managed policy ARNs to attach - to the IAM role. Configuring an empty set (i.e. + to the IAM role. If this attribute is not configured, Crossplane + will ignore policy attachments to this resource. When configured, + Crossplane will align the role's managed policy attachments + with this set by attaching or detaching managed policies. Configuring + an empty set (i.e., managed_policy_arns = []) will cause Crossplane + to remove all managed policy attachments. items: type: string type: array