[feat]: allow adding resource policy to dynamodb tables (#154)

Issue #, if available: aws-controllers-k8s/community#2655

Description of changes:

Allows to add a resource policy to a dynamodb table.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: shabbskagalwala

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2025-09-19T17:14:03Z"
+  build_date: "2025-10-21T04:38:02Z"
   build_hash: 6b4211163dcc34776b01da9a18217bac0f4103fd
   go_version: go1.24.6
   version: v0.52.0
-api_directory_checksum: bcdceff2d7ddf7c98141572260ef2e6cee8bf23f
+api_directory_checksum: d2887bf57c4e94a2687e17c41f74c875131c0beb
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
-  file_checksum: cc3489b53a45170d339a4de0d7d7ec0aa788955e
+  file_checksum: 3c4832feff83bc9c29b40bc73bafc1d7e75ab1cd
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -11,7 +11,6 @@ ignore:
   # Replica of Spec.SSESpecification
   - TableDescription.SSEDescription
   - TableDescription.TableClassSummary
-  - CreateTableInput.ResourcePolicy
   - CreateTableInput.WarmThroughput
 operations:
   UpdateGlobalTable:
@@ -29,7 +28,13 @@ resources:
         custom_field:
           list_of: CreateReplicationGroupMemberAction
         compare:
-          is_ignored: true 
+          is_ignored: true
+      ResourcePolicy:
+        from:
+          operation: PutResourcePolicy
+          path: Policy
+        compare:
+          is_ignored: true
       GlobalSecondaryIndexesDescriptions:
         custom_field:
           list_of: GlobalSecondaryIndexDescription
@@ -74,7 +79,7 @@ resources:
         from:
           operation: UpdateContributorInsights
           path: ContributorInsightsAction
-        compare: 
+        compare:
           is_ignored: true
     exceptions:
       errors:

apis/v1alpha1/table.go

@@ -325,6 +325,21 @@ spec:
                     format: int64
                     type: integer
                 type: object
+              resourcePolicy:
+                description: |-
+                  An Amazon Web Services resource-based policy document in JSON format.
+
+                     * The maximum size supported for a resource-based policy document is 20
+                     KB. DynamoDB counts whitespaces when calculating the size of a policy
+                     against this limit.
+
+                     * Within a resource-based policy, if the action for a DynamoDB service-linked
+                     role (SLR) to replicate data for a global table is denied, adding or deleting
+                     a replica will fail with an error.
+
+                  For a full list of all considerations that apply while attaching a resource-based
+                  policy, see Resource-based policy considerations (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html).
+                type: string
               sseSpecification:
                 description: Represents the settings used to enable server-side encryption.
                 properties:

apis/v1alpha1/zz_generated.deepcopy.go

@@ -11,7 +11,6 @@ ignore:
   # Replica of Spec.SSESpecification
   - TableDescription.SSEDescription
   - TableDescription.TableClassSummary
-  - CreateTableInput.ResourcePolicy
   - CreateTableInput.WarmThroughput
 operations:
   UpdateGlobalTable:
@@ -29,7 +28,13 @@ resources:
         custom_field:
           list_of: CreateReplicationGroupMemberAction
         compare:
-          is_ignored: true 
+          is_ignored: true
+      ResourcePolicy:
+        from:
+          operation: PutResourcePolicy
+          path: Policy
+        compare:
+          is_ignored: true
       GlobalSecondaryIndexesDescriptions:
         custom_field:
           list_of: GlobalSecondaryIndexDescription
@@ -74,7 +79,7 @@ resources:
         from:
           operation: UpdateContributorInsights
           path: ContributorInsightsAction
-        compare: 
+        compare:
           is_ignored: true
     exceptions:
       errors:

config/crd/bases/dynamodb.services.k8s.aws_tables.yaml

@@ -12,6 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.39.8
 	github.com/aws/smithy-go v1.22.2
 	github.com/go-logr/logr v1.4.2
+	github.com/micahhausler/aws-iam-policy v0.4.2
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	k8s.io/api v0.32.1
@@ -20,6 +21,10 @@ require (
 	sigs.k8s.io/controller-runtime v0.20.4
 )
 
+// Temporary fix for github.com/micahhausler/aws-iam-policy. Awaiting for a-hilaly to send
+// a PR to micahhausler/aws-iam-policy to build Equal() method for PolicyDocument struct.
+replace github.com/micahhausler/aws-iam-policy => github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53
+
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.28.6 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.47 // indirect

generator.yaml

@@ -1,3 +1,5 @@
+github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53 h1:2uNM0nR2WUDN88EYFxjEaroH+PZJ6k/h9kl+KO0dWVc=
+github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53/go.mod h1:Ojgst9ZFn+VEEJpqtuw/LxVGqEf2+hwWBlkYWvF/XWM=
 github.com/aws-controllers-k8s/kms-controller v1.0.21 h1:ar8gCdl/l7qbXzr48YN5tNq4vJbB5UqnRH7pAIkP3tI=
 github.com/aws-controllers-k8s/kms-controller v1.0.21/go.mod h1:tHFXV8lkrzautPPvQtPUJABPlJ9MXPRj8GB1UublGHQ=
 github.com/aws-controllers-k8s/runtime v0.52.0 h1:Q5UIAn6SSBr60t/DiU/zr6NLBlUuK2AG3yy2ma/9gDU=

go.mod

@@ -329,6 +329,21 @@ spec:
                     format: int64
                     type: integer
                 type: object
+              resourcePolicy:
+                description: |-
+                  An Amazon Web Services resource-based policy document in JSON format.
+
+                    - The maximum size supported for a resource-based policy document is 20
+                      KB. DynamoDB counts whitespaces when calculating the size of a policy
+                      against this limit.
+
+                    - Within a resource-based policy, if the action for a DynamoDB service-linked
+                      role (SLR) to replicate data for a global table is denied, adding or deleting
+                      a replica will fail with an error.
+
+                  For a full list of all considerations that apply while attaching a resource-based
+                  policy, see Resource-based policy considerations (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html).
+                type: string
               sseSpecification:
                 description: Represents the settings used to enable server-side encryption.
                 properties:

go.sum

@@ -166,17 +166,6 @@ func (rm *resourceManager) customUpdateTable(
 		setSyncedCondition(desired, corev1.ConditionFalse, &msg, nil)
 		return desired, requeueWaitWhileCreating
 	}
-	if isTableUpdating(latest) {
-		msg := "table is currently being updated"
-		setSyncedCondition(desired, corev1.ConditionFalse, &msg, nil)
-		return desired, requeueWaitWhileUpdating
-	}
-	if tableHasTerminalStatus(latest) {
-		msg := "table is in '" + *latest.ko.Status.TableStatus + "' status"
-		setTerminalCondition(desired, corev1.ConditionTrue, &msg, nil)
-		setSyncedCondition(desired, corev1.ConditionTrue, nil, nil)
-		return desired, nil
-	}
 
 	// Merge in the information we read from the API call above to the copy of
 	// the original Kubernetes object we passed to the function
@@ -188,10 +177,36 @@ func (rm *resourceManager) customUpdateTable(
 			return nil, err
 		}
 	}
-	if !delta.DifferentExcept("Spec.Tags") {
+
+	// ResourcePolicy can be updated independently of table state
+	if delta.DifferentAt("Spec.ResourcePolicy") {
+		if latest.ko.Status.ACKResourceMetadata == nil || latest.ko.Status.ACKResourceMetadata.ARN == nil {
+			rlog.Debug("skipping ResourcePolicy sync - table ARN not available yet")
+			return &resource{ko}, requeueWaitWhileCreating
+		}
+
+		err = rm.syncResourcePolicy(ctx, desired, latest)
+		if err != nil {
+			return nil, fmt.Errorf("cannot update table resource policy %v", err)
+		}
+	}
+
+	if !delta.DifferentExcept("Spec.Tags", "Spec.ResourcePolicy") {
 		return &resource{ko}, nil
 	}
 
+	if isTableUpdating(latest) {
+		msg := "table is currently being updated"
+		setSyncedCondition(desired, corev1.ConditionFalse, &msg, nil)
+		return desired, requeueWaitWhileUpdating
+	}
+	if tableHasTerminalStatus(latest) {
+		msg := "table is in '" + *latest.ko.Status.TableStatus + "' status"
+		setTerminalCondition(desired, corev1.ConditionTrue, &msg, nil)
+		setSyncedCondition(desired, corev1.ConditionTrue, nil, nil)
+		return desired, nil
+	}
+
 	if delta.DifferentAt("Spec.TimeToLive") {
 		if err := rm.syncTTL(ctx, desired, latest); err != nil {
 			// Ignore "already disabled errors"
@@ -522,6 +537,15 @@ func (rm *resourceManager) setResourceAdditionalFields(
 	} else {
 		ko.Spec.ContinuousBackups = pitrSpec
 	}
+
+	if ko.Status.ACKResourceMetadata != nil && ko.Status.ACKResourceMetadata.ARN != nil {
+		policy, err := rm.getResourcePolicyWithContext(ctx, (*string)(ko.Status.ACKResourceMetadata.ARN))
+		if err != nil {
+			return err
+		}
+		ko.Spec.ResourcePolicy = policy
+	}
+
 	return nil
 }
 
@@ -670,6 +694,7 @@ func customPreCompare(
 			delta.Add("Spec.ContributorInsights", a.ko.Spec.ContributorInsights, b.ko.Spec.ContributorInsights)
 		}
 	}
+	compareResourcePolicyDocument(delta, a, b)
 
 }