[feat]: allow adding resource policy to dynamodb tables

Author: shabbskagalwala

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,5 +1,5 @@
 ack_generate_info:
-  build_date: "2025-10-17T18:47:29Z"
+  build_date: "2025-10-21T04:38:02Z"
   build_hash: 6b4211163dcc34776b01da9a18217bac0f4103fd
   go_version: go1.24.6
   version: v0.52.0

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.39.8
 	github.com/aws/smithy-go v1.22.2
 	github.com/go-logr/logr v1.4.2
+	github.com/micahhausler/aws-iam-policy v0.4.2
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	k8s.io/api v0.32.1
@@ -20,6 +21,10 @@ require (
 	sigs.k8s.io/controller-runtime v0.20.4
 )
 
+// Temporary fix for github.com/micahhausler/aws-iam-policy. Awaiting for a-hilaly to send
+// a PR to micahhausler/aws-iam-policy to build Equal() method for PolicyDocument struct.
+replace github.com/micahhausler/aws-iam-policy => github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53
+
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.28.6 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.47 // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53 h1:2uNM0nR2WUDN88EYFxjEaroH+PZJ6k/h9kl+KO0dWVc=
+github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53/go.mod h1:Ojgst9ZFn+VEEJpqtuw/LxVGqEf2+hwWBlkYWvF/XWM=
 github.com/aws-controllers-k8s/kms-controller v1.0.21 h1:ar8gCdl/l7qbXzr48YN5tNq4vJbB5UqnRH7pAIkP3tI=
 github.com/aws-controllers-k8s/kms-controller v1.0.21/go.mod h1:tHFXV8lkrzautPPvQtPUJABPlJ9MXPRj8GB1UublGHQ=
 github.com/aws-controllers-k8s/runtime v0.52.0 h1:Q5UIAn6SSBr60t/DiU/zr6NLBlUuK2AG3yy2ma/9gDU=

pkg/resource/table/hooks.go

@@ -694,14 +694,7 @@ func customPreCompare(
 			delta.Add("Spec.ContributorInsights", a.ko.Spec.ContributorInsights, b.ko.Spec.ContributorInsights)
 		}
 	}
-
-	if ackcompare.HasNilDifference(a.ko.Spec.ResourcePolicy, b.ko.Spec.ResourcePolicy) {
-		delta.Add("Spec.ResourcePolicy", a.ko.Spec.ResourcePolicy, b.ko.Spec.ResourcePolicy)
-	} else if a.ko.Spec.ResourcePolicy != nil && b.ko.Spec.ResourcePolicy != nil {
-		if *a.ko.Spec.ResourcePolicy != *b.ko.Spec.ResourcePolicy {
-			delta.Add("Spec.ResourcePolicy", a.ko.Spec.ResourcePolicy, b.ko.Spec.ResourcePolicy)
-		}
-	}
+	compareResourcePolicyDocument(delta, a, b)
 
 }
 

pkg/resource/table/hooks_resource_policy.go

@@ -15,12 +15,16 @@ package table
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"reflect"
 
+	ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare"
 	ackerr "github.com/aws-controllers-k8s/runtime/pkg/errors"
 	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
 	svcsdk "github.com/aws/aws-sdk-go-v2/service/dynamodb"
 	svcsdktypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+	awsiampolicy "github.com/micahhausler/aws-iam-policy/policy"
 )
 
 // syncResourcePolicy updates a DynamoDB table's resource-based policy.
@@ -121,15 +125,53 @@ func (rm *resourceManager) getResourcePolicyWithContext(
 			ResourceArn: tableARN,
 		},
 	)
-
+	rm.metrics.RecordAPICall("GET", "GetResourcePolicy", nil)
 	if err != nil {
 		if awsErr, ok := ackerr.AWSError(err); ok && awsErr.ErrorCode() == "PolicyNotFoundException" {
 			return nil, nil
 		}
-		rm.metrics.RecordAPICall("GET", "GetResourcePolicy", err)
 		return nil, err
 	}
 
-	rm.metrics.RecordAPICall("GET", "GetResourcePolicy", nil)
 	return res.Policy, nil
 }
+
+// compareResourcePolicyDocument is a custom comparison function for
+// ResourcePolicy documents. The reason why we need a custom function for
+// this field is to handle the variability in shapes of JSON objects representing
+// IAM policies, especially when it comes to statements, actions, and other fields.
+func compareResourcePolicyDocument(
+	delta *ackcompare.Delta,
+	a *resource,
+	b *resource,
+) {
+	// Handle cases where one policy is nil and the other is not.
+	// This means one resource has a policy and the other doesn't - they're different.
+	if ackcompare.HasNilDifference(a.ko.Spec.ResourcePolicy, b.ko.Spec.ResourcePolicy) {
+		delta.Add("Spec.ResourcePolicy", a.ko.Spec.ResourcePolicy, b.ko.Spec.ResourcePolicy)
+		return
+	}
+
+	// If both policies are nil, there's no difference - both resources have no policy.
+	if a.ko.Spec.ResourcePolicy == nil && b.ko.Spec.ResourcePolicy == nil {
+		return
+	}
+
+	// At this point, both policies are non-nil. We need to compare their JSON content.
+	// To handle the variability in shapes of JSON objects representing IAM policies,
+	// especially when it comes to statements, actions, and other fields, we need
+	// a custom json.Unmarshaller approach crafted to our specific needs. Luckily,
+	// it happens that @micahhausler built a library dedicated to this very special
+	// need: github.com/micahhausler/aws-iam-policy.
+	//
+	// Copied from IAM Controller: https://github.com/aws-controllers-k8s/iam-controller/blob/main/pkg/resource/role/hooks.go#L398-L432
+	// Based on review feedback: https://github.com/aws-controllers-k8s/dynamodb-controller/pull/154#discussion_r2443876840
+	var policyDocumentA awsiampolicy.Policy
+	_ = json.Unmarshal([]byte(*a.ko.Spec.ResourcePolicy), &policyDocumentA)
+	var policyDocumentB awsiampolicy.Policy
+	_ = json.Unmarshal([]byte(*b.ko.Spec.ResourcePolicy), &policyDocumentB)
+
+	if !reflect.DeepEqual(policyDocumentA, policyDocumentB) {
+		delta.Add("Spec.ResourcePolicy", a.ko.Spec.ResourcePolicy, b.ko.Spec.ResourcePolicy)
+	}
+}

pkg/resource/table/hooks_resource_policy_test.go

@@ -0,0 +1,235 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package table
+
+import (
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+
+	"github.com/aws-controllers-k8s/dynamodb-controller/apis/v1alpha1"
+	compare "github.com/aws-controllers-k8s/runtime/pkg/compare"
+)
+
+func Test_compareResourcePolicyDocument(t *testing.T) {
+	type args struct {
+		a *resource
+		b *resource
+	}
+	tests := []struct {
+		name          string
+		args          args
+		wantDifferent bool
+	}{
+		{
+			name: "both policies are nil",
+			args: args{
+				a: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: nil,
+						},
+					},
+				},
+				b: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: nil,
+						},
+					},
+				},
+			},
+			wantDifferent: false,
+		},
+		{
+			name: "desired policy is set, latest policy is nil",
+			args: args{
+				a: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{"Version": "2012-10-17"}`),
+						},
+					},
+				},
+				b: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: nil,
+						},
+					},
+				},
+			},
+			wantDifferent: true,
+		},
+		{
+			name: "identical policy documents",
+			args: args{
+				a: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Allow",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:GetItem", "dynamodb:Query"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+				b: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Allow",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:GetItem", "dynamodb:Query"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+			},
+			wantDifferent: false,
+		},
+		{
+			name: "same policy content with different whitespace formatting",
+			args: args{
+				a: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Allow",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:GetItem", "dynamodb:Query"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+				b: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":["dynamodb:GetItem","dynamodb:Query"],"Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"}]}`),
+						},
+					},
+				},
+			},
+			wantDifferent: false,
+		},
+		{
+			name: "different effect in statement",
+			args: args{
+				a: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Allow",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:GetItem"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+				b: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Deny",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:GetItem"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+			},
+			wantDifferent: true,
+		},
+		{
+			name: "different actions in statement",
+			args: args{
+				a: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Allow",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:GetItem"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+				b: &resource{
+					ko: &v1alpha1.Table{
+						Spec: v1alpha1.TableSpec{
+							ResourcePolicy: aws.String(`{
+								"Version": "2012-10-17",
+								"Statement": [
+									{
+										"Effect": "Allow",
+										"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
+										"Action": ["dynamodb:Query"],
+										"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
+									}
+								]
+							}`),
+						},
+					},
+				},
+			},
+			wantDifferent: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			delta := &compare.Delta{}
+			compareResourcePolicyDocument(delta, tt.args.a, tt.args.b)
+			if got := delta.DifferentAt("Spec.ResourcePolicy"); got != tt.wantDifferent {
+				t.Errorf("compareResourcePolicyDocument() difference = %v, want %v", got, tt.wantDifferent)
+			}
+		})
+	}
+}

test/e2e/requirements.txt

@@ -1 +1 @@
-acktest @ git+https://github.com/aws-controllers-k8s/test-infra.git@38ce32256cc2552ab54e190cc8a8618e93af9e0c
+acktest @ git+https://github.com/aws-controllers-k8s/test-infra.git@a53a1840e135ba800b4f2aa42b112ba9389f82a7

test/e2e/resources/table_resource_policy.yaml

@@ -0,0 +1,20 @@
+# Table used to test resource policy functionality
+apiVersion: dynamodb.services.k8s.aws/v1alpha1
+kind: Table
+metadata:
+  name: $TABLE_NAME
+spec:
+  tableName: $TABLE_NAME
+  billingMode: PAY_PER_REQUEST
+  tableClass: STANDARD
+  attributeDefinitions:
+    - attributeName: Bill
+      attributeType: S
+    - attributeName: Total
+      attributeType: S
+  keySchema:
+    - attributeName: Bill
+      keyType: HASH
+    - attributeName: Total
+      keyType: RANGE
+  resourcePolicy: '$RESOURCE_POLICY'