feat: add IAMRoleSelector CRD/feature

apis/core/v1alpha1/conditions.go

@@ -66,6 +66,10 @@ const (
 	// "False" status indicates that the resource references failed to resolve.
 	// For Ex: When referenced resource is in terminal condition
 	ConditionTypeReferencesResolved ConditionType = "ACK.ReferencesResolved"
+	// ConditionTypeIAMRoleSelected indicates whether an IAMRoleSelector has been selected
+	// to manage the AWSResource. If none are selected, this condition will be removed
+	// and we'll use the custom role to manage the AWSResource
+	ConditionTypeIAMRoleSelected ConditionType = "ACK.IAMRoleSelected"
 )
 
 // Condition is the common struct used by all CRDs managed by ACK service

apis/core/v1alpha1/iam_role_selector.go

@@ -0,0 +1,66 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// LabelSelector is a label query over a set of resources.
+type LabelSelector struct {
+	MatchLabels map[string]string `json:"matchLabels"`
+}
+
+// IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+type NamespaceSelector struct {
+	Names         []string      `json:"names"`
+	LabelSelector LabelSelector `json:"labelSelector,omitempty"`
+}
+
+type GroupVersionKind struct {
+	Group   string `json:"group"`
+	Version string `json:"version"`
+	Kind    string `json:"kind"`
+}
+
+type IAMRoleSelectorSpec struct {
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+	ARN                  string             `json:"arn"`
+	NamespaceSelector    NamespaceSelector  `json:"namespaceSelector,omitempty"`
+	ResourceTypeSelector []GroupVersionKind `json:"resourceTypeSelector,omitempty"`
+}
+
+type IAMRoleSelectorStatus struct{}
+
+// IAMRoleSelector is the schema for the IAMRoleSelector API.
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+type IAMRoleSelector struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              IAMRoleSelectorSpec   `json:"spec,omitempty"`
+	Status            IAMRoleSelectorStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+type IAMRoleSelectorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []IAMRoleSelector `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&IAMRoleSelector{}, &IAMRoleSelectorList{})
+}

apis/core/v1alpha1/resource_metadata.go

@@ -32,4 +32,15 @@ type ResourceMetadata struct {
 	OwnerAccountID *AWSAccountID `json:"ownerAccountID"`
 	// Region is the AWS region in which the resource exists or will exist.
 	Region *AWSRegion `json:"region"`
+	// IAMRoleSelector is the selected IAMRoleSelector that is used to manage
+	// the AWS resource. This will be nil if the default controller role is used.
+	IAMRoleSelector *SelectedIAMRole `json:"iamRoleSelector,omitempty"`
+}
+
+type SelectedIAMRole struct {
+	// SelectorName is the k8s resource name of the IAMRoleSelector object
+	SelectorName    string `json:"selectorName"`
+	// ResourceVersion is the metadata.resourceVersion of the selected
+	// IAMRoleSelector object
+	ResourceVersion string `json:"resourceVersion"`
 }

config/crd/bases/services.k8s.aws_iamroleselectors.yaml

@@ -0,0 +1,90 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.19.0
+  name: iamroleselectors.services.k8s.aws
+spec:
+  group: services.k8s.aws
+  names:
+    kind: IAMRoleSelector
+    listKind: IAMRoleSelectorList
+    plural: iamroleselectors
+    singular: iamroleselector
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IAMRoleSelector is the schema for the IAMRoleSelector API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              arn:
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable once set
+                  rule: self == oldSelf
+              namespaceSelector:
+                description: IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+                properties:
+                  labelSelector:
+                    description: LabelSelector is a label query over a set of resources.
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    required:
+                    - matchLabels
+                    type: object
+                  names:
+                    items:
+                      type: string
+                    type: array
+                required:
+                - names
+                type: object
+              resourceTypeSelector:
+                items:
+                  properties:
+                    group:
+                      type: string
+                    kind:
+                      type: string
+                    version:
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  - version
+                  type: object
+                type: array
+            required:
+            - arn
+            type: object
+          status:
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}