Expanding IAM support #151

Closed
infinitecompute opened this issue Mar 5, 2020 · 4 comments
infinitecompute commented Mar 5, 2020

What problem are you facing?

The current AWS IAM support includes two resources: IAMRole and IAMRolePolicyAttachment. A high fidelity implementation of the AWS APIs would involve adding additional resources.

TODO: User story for statically provisioning a user. IAMUser is used to add any user of S3 buckets. IAMPolicy for bringing existing policy references.

How could Crossplane help solve your problem?

An implementation mapping the APIs to their declarative resource counterparts. Evaluate the APIs to be exposed.

Add the following general resources now:

  • IAMPolicy
  • IAMUser
  • IAMUserPolicyAttachment

We support AttachRolePolicy as an IAMRolePolicyAttachment, so the equivalent for IAMUser is IAMUserPolicyAttachment.

We’ll also want, probably as a top priority, to support modeling IAM roles. Today we can attach an IAM role, but we can’t actually create one in Crossplane. What we have today may be sufficient because there are quite a few baked in roles. As a next step, we would support managing roles, then support managing users, then support attaching roles to users.

We have decided to defer work on all other resources until we have community use cases.

Related Issues

For a full inventory of APIs to resources see this doc (both mapped and unmapped)

negz commented Mar 25, 2020

My suspicion is that we might be able to deprioritise IAM once #141 is merged. We started with IAM mostly because it was (in theory) a simple service, rather than because it was super high priority. My suspicion is that now we have IAM roles, policies, and attachments modelled we've probably got most of the IAM use cases covered.

IAMUser may be the one additional thing we need; I believe S3 buckets frequently make use of them.

@prasek prasek added the ic label Mar 26, 2020
@prasek prasek added this to the v0.8 milestone Mar 26, 2020
negz commented Mar 27, 2020

Following up on my most recent comment, I believe in rough order of priority we'll need:

  1. Everything that is included in move IAMRole and IAMRolePolicyAttachment to v1beta1 #141
  2. A managed resource that represents an IAM policy.
  3. A managed resource that represents an IAM user.
  4. A managed resource that represents the attachment of an IAM policy to an IAM user.

I believe this will enable our current use cases, the ability to grant a user access to an S3 bucket, and the ability to grant a pod (role) access to an RDS instance per #126 (comment). Once those three resources are added I think we can safely pause work on IAM until the community comes forward with additional use cases for IAM.

@sahil-lakhwani sahil-lakhwani self-assigned this Apr 3, 2020
@sahil-lakhwani

  4. A managed resource that represents the attachment of an IAM policy to an IAM user.

@negz Should this have a managed policy (arn) or an inline policy (JSON document) or both?
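
The question above turns on a real API distinction: a managed policy is bound to a user by ARN (AWS AttachUserPolicy), while an inline policy is a JSON document stored on the user itself (AWS PutUserPolicy). The following is an added example, not Crossplane's code or any proposed API: it accepts either form for a hypothetical attachment spec, validates the document shape for the inline case, and flags Allow statements broader than the S3-bucket use case needs. The bucket name and the ARN regex are constructed assumptions.

```python
"""Added example (not Crossplane's code): validate the two forms a user policy
attachment could carry, a managed policy ARN or an inline policy document."""
import json
import re

# Managed-policy ARN: account field is a 12-digit id or "aws" for AWS-managed.
# Regex is an assumption sufficient for this example, not the full ARN grammar.
MANAGED_POLICY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(aws|\d{12}):policy/[\w+=,.@/-]+$"
)
ALLOWED_VERSIONS = {"2012-10-17", "2008-10-17"}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_policy_document(doc):
    """Check an identity-based policy document; return its statement list.

    Raises ValueError on the first structural problem found.
    """
    if not isinstance(doc, dict):
        raise ValueError("policy document must be a JSON object")
    if doc.get("Version") not in ALLOWED_VERSIONS:
        raise ValueError("missing or unsupported Version")
    statements = _as_list(doc.get("Statement"))
    if not statements:
        raise ValueError("policy has no Statement")
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            raise ValueError(f"statement {i} is not an object")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            raise ValueError(f"statement {i}: needs Action or NotAction")
        if "Resource" not in stmt and "NotResource" not in stmt:
            raise ValueError(f"statement {i}: needs Resource or NotResource")
        if "Principal" in stmt:
            # Identity policies are scoped to the attached principal; an
            # explicit Principal only belongs in resource-based policies.
            raise ValueError(f"statement {i}: Principal not allowed here")
    return statements


def classify_policy_reference(ref):
    """Return "managed" for a policy ARN, "inline" for a valid document.

    `ref` may be an ARN string, a JSON string, or a parsed dict.
    """
    if isinstance(ref, str) and MANAGED_POLICY_ARN.match(ref):
        return "managed"
    if isinstance(ref, str):
        try:
            ref = json.loads(ref)
        except json.JSONDecodeError as exc:
            raise ValueError(f"neither a policy ARN nor JSON: {exc}") from exc
    validate_policy_document(ref)
    return "inline"


def find_overbroad_statements(doc):
    """Indexes of Allow statements that grant any action or any resource."""
    flagged = []
    for i, stmt in enumerate(validate_policy_document(doc)):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions or "*" in resources:
            flagged.append(i)
    return flagged


# Constructed sample inputs; "example-bucket" is a placeholder name.
INLINE_S3_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
}
INLINE_OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
MANAGED_S3_READ = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

if __name__ == "__main__":
    for ref in (MANAGED_S3_READ, INLINE_S3_READ, INLINE_OVERBROAD):
        kind = classify_policy_reference(ref)
        broad = find_overbroad_statements(ref) if kind == "inline" else []
        print(kind, "overbroad statements:", broad)
```

A controller that supports both forms would branch on the returned kind: the managed case only needs the ARN forwarded to the attach call, while the inline case needs the document validated (and ideally linted for wildcard grants) before it is written to the user.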

@infinitecompute infinitecompute added ic and removed ic labels Apr 9, 2020
@prasek prasek closed this as completed Aug 6, 2020