fix(iam/role): isUpToDate ignore roleLastUsed + add to status

Signed-off-by: Charel Baum (external expert on behalf of DB Netz AG) <[email protected]>
crossplane-contrib · Dec 6, 2023 · 55646e2 · 55646e2
1 parent 4124fb7
commit 55646e2
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 7 deletions.
diff --git a/apis/iam/v1beta1/role_types.go b/apis/iam/v1beta1/role_types.go
@@ -44,6 +44,29 @@ type Tag struct {
 	Value string `json:"value,omitempty"`
 }
 
+// Contains information about the last time that an IAM role was used. This
+// includes the date and time and the Region in which the role was last used.
+// Activity is only reported for the trailing 400 days. This period can be shorter
+// if your Region began supporting these features within the last year. The role
+// might have been used more than 400 days ago. For more information, see Regions
+// where data is tracked
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
+// in the IAM User Guide. This data type is returned as a response element in the
+// GetRole and GetAccountAuthorizationDetails operations.
+type RoleLastUsed struct {
+
+	// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601)
+	// that the role was last used. This field is null if the role has not been used
+	// within the IAM tracking period. For more information about the tracking period,
+	// see Regions where data is tracked
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
+	// in the IAM User Guide.
+	LastUsedDate *metav1.Time `json:"lastUsedDate,omitempty"`
+
+	// The name of the Amazon Web Services Region in which the role was last used.
+	Region *string `json:"region,omitempty"`
+}
+
 // RoleParameters define the desired state of an AWS IAM Role.
 type RoleParameters struct {
 
@@ -98,6 +121,20 @@ type RoleExternalStatus struct {
 	// IDs, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
 	// in the Using IAM guide.
 	RoleID string `json:"roleID"`
+
+	// The date and time, in ISO 8601 date-time format
+	// (http://www.iso.org/iso/iso8601), when the role was created.
+	CreateDate *metav1.Time `json:"createDate,omitempty"`
+
+	// Contains information about the last time that an IAM role was used. This
+	// includes the date and time and the Region in which the role was last used.
+	// Activity is only reported for the trailing 400 days. This period can be shorter
+	// if your Region began supporting these features within the last year. The role
+	// might have been used more than 400 days ago. For more information, see Regions
+	// where data is tracked
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
+	// in the IAM User Guide.
+	RoleLastUsed *RoleLastUsed `json:"roleLastUsed,omitempty"`
 }
 
 // A RoleStatus represents the observed state of a Role.

diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go
diff --git a/package/crds/iam.aws.crossplane.io_roles.yaml b/package/crds/iam.aws.crossplane.io_roles.yaml
@@ -299,12 +299,41 @@ spec:
                       in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
                       in the IAM User Guide guide.
                     type: string
+                  createDate:
+                    description: The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
+                      when the role was created.
+                    format: date-time
+                    type: string
                   roleID:
                     description: RoleID is the stable and unique string identifying
                       the role. For more information about IDs, see IAM Identifiers
                       (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
                       in the Using IAM guide.
                     type: string
+                  roleLastUsed:
+                    description: Contains information about the last time that an
+                      IAM role was used. This includes the date and time and the Region
+                      in which the role was last used. Activity is only reported for
+                      the trailing 400 days. This period can be shorter if your Region
+                      began supporting these features within the last year. The role
+                      might have been used more than 400 days ago. For more information,
+                      see Regions where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
+                      in the IAM User Guide.
+                    properties:
+                      lastUsedDate:
+                        description: The date and time, in ISO 8601 date-time format
+                          (http://www.iso.org/iso/iso8601) that the role was last
+                          used. This field is null if the role has not been used within
+                          the IAM tracking period. For more information about the
+                          tracking period, see Regions where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
+                          in the IAM User Guide.
+                        format: date-time
+                        type: string
+                      region:
+                        description: The name of the Amazon Web Services Region in
+                          which the role was last used.
+                        type: string
+                    type: object
                 required:
                 - arn
                 - roleID

diff --git a/pkg/clients/iam/role.go b/pkg/clients/iam/role.go
@@ -71,10 +71,20 @@ func GenerateCreateRoleInput(name string, p *v1beta1.RoleParameters) *iam.Create
 
 // GenerateRoleObservation is used to produce RoleExternalStatus from iamtypes.Role
 func GenerateRoleObservation(role iamtypes.Role) v1beta1.RoleExternalStatus {
-	return v1beta1.RoleExternalStatus{
-		ARN:    aws.ToString(role.Arn),
-		RoleID: aws.ToString(role.RoleId),
+	o := v1beta1.RoleExternalStatus{
+		ARN:        pointer.StringValue(role.Arn),
+		CreateDate: pointer.TimeToMetaTime(role.CreateDate),
+		RoleID:     pointer.StringValue(role.RoleId),
 	}
+
+	if role.RoleLastUsed != nil {
+		o.RoleLastUsed = &v1beta1.RoleLastUsed{
+			LastUsedDate: pointer.TimeToMetaTime(role.RoleLastUsed.LastUsedDate),
+			Region:       role.RoleLastUsed.Region,
+		}
+	}
+
+	return o
 }
 
 // GenerateRole assigns the in RoleParamters to role.
@@ -180,7 +190,7 @@ func IsRoleUpToDate(in v1beta1.RoleParameters, observed iamtypes.Role) (bool, st
 
 	diff := cmp.Diff(desired, &observed,
 		cmpopts.IgnoreInterfaces(struct{ resource.AttributeReferencer }{}),
-		cmpopts.IgnoreFields(observed, "AssumeRolePolicyDocument", "CreateDate", "PermissionsBoundary.PermissionsBoundaryType"),
+		cmpopts.IgnoreFields(observed, "AssumeRolePolicyDocument", "CreateDate", "PermissionsBoundary.PermissionsBoundaryType", "RoleLastUsed"),
 		cmpopts.IgnoreTypes(document.NoSerde{}), cmpopts.SortSlices(lessTag))
 	if diff == "" && policyUpToDate {
 		return true, diff, nil

diff --git a/pkg/clients/iam/role_test.go b/pkg/clients/iam/role_test.go
@@ -52,6 +52,7 @@ var (
 	tagValue           = "value"
 	permissionBoundary = "arn:aws:iam::111111111111:policy/permission-boundary"
 	createDate         = time.Now()
+	region             = "us-east-1"
 )
 
 func roleParams(m ...func(*v1beta1.RoleParameters)) *v1beta1.RoleParameters {
@@ -93,12 +94,22 @@ func role(m ...func(*iamtypes.Role)) *iamtypes.Role {
 func addRoleOutputFields(r *iamtypes.Role) {
 	r.Arn = pointer.ToOrNilIfZeroValue(roleARN)
 	r.RoleId = pointer.ToOrNilIfZeroValue(roleID)
+	r.CreateDate = &createDate
+	r.RoleLastUsed = &iamtypes.RoleLastUsed{
+		LastUsedDate: &createDate,
+		Region:       &region,
+	}
 }
 
 func roleObservation(m ...func(*v1beta1.RoleExternalStatus)) *v1beta1.RoleExternalStatus {
 	o := &v1beta1.RoleExternalStatus{
-		ARN:    roleARN,
-		RoleID: roleID,
+		ARN:        roleARN,
+		RoleID:     roleID,
+		CreateDate: pointer.TimeToMetaTime(&createDate),
+		RoleLastUsed: &v1beta1.RoleLastUsed{
+			LastUsedDate: pointer.TimeToMetaTime(&createDate),
+			Region:       &region,
+		},
 	}
 
 	for _, f := range m {
@@ -285,6 +296,10 @@ func TestIsRoleUpToDate(t *testing.T) {
 						PermissionsBoundaryArn:  &permissionBoundary,
 						PermissionsBoundaryType: "Policy",
 					},
+					RoleLastUsed: &iamtypes.RoleLastUsed{
+						LastUsedDate: &createDate,
+						Region:       pointer.ToOrNilIfZeroValue("us-east-1"),
+					},
 					Tags: []iamtypes.Tag{{
 						Key:   pointer.ToOrNilIfZeroValue("key1"),
 						Value: pointer.ToOrNilIfZeroValue("value1"),