Skip to content

Feat/iam role policy attachment#184

Open
anas099 wants to merge 5 commits into
aws-controllers-k8s:mainfrom
anas099:feat/iam-role-policy-attachment
Open

Feat/iam role policy attachment#184
anas099 wants to merge 5 commits into
aws-controllers-k8s:mainfrom
anas099:feat/iam-role-policy-attachment

Conversation

@anas099

@anas099 anas099 commented Jun 19, 2026

Copy link
Copy Markdown

Summary

This PR adds a new IAM ACK resource, RolePolicyAttachment, to manage policy-role bindings declaratively in Kubernetes similar to Terraform resource (aws_iam_role_policy_attachment)

Problem

The IAM controller currently supports Role and Policy resources, but does not provide a first-class attachment resource for existing IAM roles and managed policies.

Because of this gap, users must rely on out-of-band tooling to attach policies to roles, especially for existing AWS IAM roles that are not created by ACK.

Solution

This PR introduces RolePolicyAttachment with generated API and controller artifacts, plus controller and RBAC wiring.

Included changes:

  • Add new API type and deepcopy generation for RolePolicyAttachment
  • Add generated resource manager implementation under pkg/resource/role_policy_attachment
  • Add CRD manifests under config/crd and helm/crds
  • Register resource manager import in controller main entrypoint
  • Add RBAC rules for rolepolicyattachments
  • Add e2e resource template and e2e tests

Behavior

RolePolicyAttachment supports:

  • direct fields for existing AWS IAM resources:
    • spec.roleName
    • spec.policyARN
  • ACK references:
    • spec.roleRef
    • spec.policyRef

Lifecycle:

  • create: AttachRolePolicy
  • read/sync: ListAttachedRolePolicies
  • delete: DetachRolePolicy

Validation

Build and compile

  • go test ./cmd/controller/... ./pkg/resource/role_policy_attachment/... passes
  • generated artifacts compile successfully

Manual cluster validation (local cluster)

  • ACK-managed Role + ACK-managed Policy + RolePolicyAttachment via references: attach successful, status synced, attached=true
  • Existing AWS role + managed policy ARN: attach successful
  • Deleting RolePolicyAttachment triggers detach successfully through finalizer path

E2E

  • Added e2e test module for RolePolicyAttachment
  • Expanded scenarios to cover multiple roles/policies and reference-based flows
  • Full pytest execution depends on valid AWS credentials in runtime environment

Generation and versions

Regenerated from pinned stable generator tag and Go toolchain:

  • code-generator tag: v0.59.1
  • go toolchain: go1.26.3
  • metadata reflects version: v0.59.1

Checklist

  • Resource implementation added
  • CRD artifacts generated
  • RBAC updated
  • Controller wiring added
  • E2E coverage added/expanded
  • Manual validation completed

@ack-prow
ack-prow Bot requested review from gustavodiaz7722 and sapphirew June 19, 2026 19:49
@ack-prow ack-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 19, 2026
@ack-prow

ack-prow Bot commented Jun 19, 2026

Copy link
Copy Markdown

Hi @anas099. Thanks for your PR.

I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@anas099

anas099 commented Jun 21, 2026

Copy link
Copy Markdown
Author

@michaelhtm please have a look when you have time

anas099 added 3 commits July 15, 2026 06:52
Problem: ACK IAM controller lacks a first-class resource to attach policies to existing roles, forcing users to rely on out-of-band tooling for role-policy relationships.

Solution: introduce RolePolicyAttachment with generated API/manager/CRD artifacts, controller wiring, RBAC updates, and e2e coverage for reference/direct attachment flows.

Validation: manual cluster tests on dev34 confirmed attach and detach lifecycle for ACK-managed and existing AWS IAM roles/policies; compile checks pass.
Move local usage examples to parent ack-cont/examples workspace directory to keep upstream contribution focused on generated resource, controller wiring, RBAC, and tests.
Introduce an opt-in annotation on the Role resource:

    iam.services.k8s.aws/policy-reconciliation-mode: additive

When set, the controller attaches the managed policies listed in
Spec.Policies but never detaches managed policies that were attached
out-of-band (e.g. by a RolePolicyAttachment resource, or by a role
shared across clusters/accounts). The default behavior (annotation
absent) remains authoritative and unchanged, so existing Role manifests
are fully backward compatible.

- hooks.go: add isAdditivePolicyMode() + comparePolicies(); skip the
  detach set in syncManagedPolicies when additive.
- generator.yaml: mark Spec.Policies compare is_ignored so comparison is
  delegated to comparePolicies() in customPreCompare (mode-aware).
- delta.go: drop the generated Spec.Policies comparison accordingly.
- delete path (template + sdk.go): clear the annotation on the delete
  copy so DeleteRole still performs a full detach (IAM requires no
  attached managed policies before deletion).
- delta_test.go: unit tests for authoritative vs additive comparison.
- e2e: test_role_additive_policies.py verifies out-of-band policies are
  not detached, new desired policies are still attached, and the
  resource stays synced (no drift loop).
@anas099
anas099 force-pushed the feat/iam-role-policy-attachment branch from 127ea77 to 36bae8d Compare July 15, 2026 06:07
@ack-prow

ack-prow Bot commented Jul 15, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anas099
Once this PR has been reviewed and has the lgtm label, please ask for approval from michaelhtm. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants