Merge pull request #8 from edenlabllc/release/v0.2.0

Release/v0.2.0
edenlabllc · Jan 3, 2025 · 4ae1c61 · 4ae1c61
2 parents 09eb7ae + 00eab23
commit 4ae1c61
Show file tree

Hide file tree

Showing 5 changed files with 269 additions and 56 deletions.
diff --git a/api/v1alpha1/awsiamprovision_types.go b/api/v1alpha1/awsiamprovision_types.go
@@ -35,13 +35,23 @@ type AWSIAMProvisionSpec struct {
 	Roles          map[string]AWSIAMProvisionRole `json:"roles"`
 }
 
+// AWSIAMProvisionStatusRole defines the observed state of AWSIAMProvision's roles.
+type AWSIAMProvisionStatusRole struct {
+	// Important: Run "make" to regenerate code after modifying this file
+
+	Message string                     `json:"message,omitempty"`
+	Phase   string                     `json:"phase,omitempty"`
+	Status  iamctrlv1alpha1.RoleStatus `json:"status,omitempty"`
+}
+
 // AWSIAMProvisionStatus defines the observed state of AWSIAMProvision.
 type AWSIAMProvisionStatus struct {
 	// Important: Run "make" to regenerate code after modifying this file
 
-	Message         string       `json:"message,omitempty"`
-	LastUpdatedTime *metav1.Time `json:"lastUpdatedTime,omitempty"`
-	Phase           string       `json:"phase,omitempty"`
+	Message         string                               `json:"message,omitempty"`
+	LastUpdatedTime *metav1.Time                         `json:"lastUpdatedTime,omitempty"`
+	Phase           string                               `json:"phase,omitempty"`
+	Roles           map[string]AWSIAMProvisionStatusRole `json:"roles,omitempty"`
 }
 
 // +kubebuilder:object:root=true

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/iam.aws.edenlab.io_awsiamprovisions.yaml b/config/crd/bases/iam.aws.edenlab.io_awsiamprovisions.yaml
@@ -234,6 +234,114 @@ spec:
                 type: string
               phase:
                 type: string
+              roles:
+                additionalProperties:
+                  description: AWSIAMProvisionStatusRole defines the observed state
+                    of AWSIAMProvision's roles.
+                  properties:
+                    message:
+                      type: string
+                    phase:
+                      type: string
+                    status:
+                      description: RoleStatus defines the observed state of Role
+                      properties:
+                        ackResourceMetadata:
+                          description: |-
+                            All CRs managed by ACK have a common `Status.ACKResourceMetadata` member
+                            that is used to contain resource sync state, account ownership,
+                            constructed ARN for the resource
+                          properties:
+                            arn:
+                              description: |-
+                                ARN is the Amazon Resource Name for the resource. This is a
+                                globally-unique identifier and is set only by the ACK service controller
+                                once the controller has orchestrated the creation of the resource OR
+                                when it has verified that an "adopted" resource (a resource where the
+                                ARN annotation was set by the Kubernetes user on the CR) exists and
+                                matches the supplied CR's Spec field values.
+                                https://github.com/aws/aws-controllers-k8s/issues/270
+                              type: string
+                            ownerAccountID:
+                              description: |-
+                                OwnerAccountID is the AWS Account ID of the account that owns the
+                                backend AWS service API resource.
+                              type: string
+                            region:
+                              description: Region is the AWS region in which the resource
+                                exists or will exist.
+                              type: string
+                          required:
+                          - ownerAccountID
+                          - region
+                          type: object
+                        conditions:
+                          description: |-
+                            All CRS managed by ACK have a common `Status.Conditions` member that
+                            contains a collection of `ackv1alpha1.Condition` objects that describe
+                            the various terminal states of the CR and its backend AWS service API
+                            resource
+                          items:
+                            description: |-
+                              Condition is the common struct used by all CRDs managed by ACK service
+                              controllers to indicate terminal states  of the CR and its backend AWS
+                              service API resource
+                            properties:
+                              lastTransitionTime:
+                                description: Last time the condition transitioned
+                                  from one status to another.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about the transition.
+                                type: string
+                              reason:
+                                description: The reason for the condition's last transition.
+                                type: string
+                              status:
+                                description: Status of the condition, one of True,
+                                  False, Unknown.
+                                type: string
+                              type:
+                                description: Type is the type of the Condition
+                                type: string
+                            required:
+                            - status
+                            - type
+                            type: object
+                          type: array
+                        createDate:
+                          description: |-
+                            The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
+                            when the role was created.
+                          format: date-time
+                          type: string
+                        roleID:
+                          description: |-
+                            The stable and unique string identifying the role. For more information about
+                            IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                            in the IAM User Guide.
+                          type: string
+                        roleLastUsed:
+                          description: |-
+                            Contains information about the last time that an IAM role was used. This
+                            includes the date and time and the Region in which the role was last used.
+                            Activity is only reported for the trailing 400 days. This period can be shorter
+                            if your Region began supporting these features within the last year. The
+                            role might have been used more than 400 days ago. For more information, see
+                            Regions where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
+                            in the IAM user Guide.
+                          properties:
+                            lastUsedDate:
+                              format: date-time
+                              type: string
+                            region:
+                              type: string
+                          type: object
+                      type: object
+                  type: object
+                type: object
             type: object
         type: object
     served: true

diff --git a/internal/controller/awsiamprovision_controller.go b/internal/controller/awsiamprovision_controller.go
@@ -19,12 +19,14 @@ package controller
 import (
 	"context"
 	"fmt"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 	"time"
 
+	iamctrlv1alpha1 "github.com/aws-controllers-k8s/iam-controller/apis/v1alpha1"
+	"github.com/google/go-cmp/cmp"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	iamv1alpha1 "aws-iam-provisioner.operators.infra/api/v1alpha1"
@@ -65,25 +67,42 @@ func (r *AWSIAMProvisionReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{RequeueAfter: frequency}, nil
 	}
 
-	provisioned := false
+	awsIAMProvisionProvisioned := false
+	sourceK8sResourceStatuses := make(map[string]*iamctrlv1alpha1.RoleStatus)
 	for name, item := range awsIAMProvision.Spec.Roles {
-		k8sResource, err := r.handleRole(awsIAMProvision, eksControlPlane, name, &item)
+		k8sResource, k8sResourceUpdated, err := r.handleRole(awsIAMProvision, eksControlPlane, name, &item)
 
 		if err != nil {
 			return ctrl.Result{}, err
 		}
 
 		if k8sResource != nil {
-			// If a resource has been returned, there was a change to it
-			provisioned = true
+			sourceK8sResourceStatuses[k8sResource.Name] = &k8sResource.Status
+		}
+
+		if k8sResourceUpdated {
+			awsIAMProvisionProvisioned = true
 		}
 	}
 
-	if awsIAMProvision.Status.Phase != "Provisioned" || provisioned {
+	targetK8sResourceStatuses := make(map[string]*iamctrlv1alpha1.RoleStatus)
+	for name, awsIAMProvisionStatusRole := range awsIAMProvision.Status.Roles {
+		targetK8sResourceStatuses[name] = &awsIAMProvisionStatusRole.Status
+	}
+
+	k8sResourceStatusesEqual := cmp.Equal(sourceK8sResourceStatuses, targetK8sResourceStatuses)
+	if k8sResourceStatusesEqual {
+		r.logger.Info(fmt.Sprintf("IAM Role statuses of AWSIAMProvision equal: %s", r.request.NamespacedName))
+	} else {
+		r.logger.Info(fmt.Sprintf("IAM Role statuses of AWSIAMProvision different: %s", r.request.NamespacedName))
+	}
+
+	// Check all conditions indicating the resource or its status are actually updated
+	if awsIAMProvision.Status.Phase != "Provisioned" || awsIAMProvisionProvisioned || !k8sResourceStatusesEqual {
 		// Resources have been provisioned successfully
 		r.logger.Info(fmt.Sprintf("AWSIAMProvision provisioned: %s", r.request.NamespacedName))
 
-		if err := r.updateCRDStatus(awsIAMProvision, "Provisioned", ""); err != nil {
+		if err := r.updateCRDStatus(awsIAMProvision, "Provisioned", "", sourceK8sResourceStatuses); err != nil {
 			return ctrl.Result{}, err
 		}
 	}
@@ -96,5 +115,6 @@ func (r *AWSIAMProvisionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&iamv1alpha1.AWSIAMProvision{}).
 		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		Owns(&iamctrlv1alpha1.Role{}). // trigger the r.Reconcile whenever an Own-ed resource is created/updated/deleted
 		Complete(r)
 }