Add resource-based permissions support for Lambda aliases

this commit adds support for managing Lambda resource based permissions directly
on aliases. Now users can declaratively define, update, and remove permissions
for Lambda functions accessed through aliases.

The implementation leverages the AWS::Lambda `AddPermission` and `RemovePermission`
APIs to synchronize the desired permissions state defined in the CRD with the
actual alias permisions in AWS.

Author: a-hilaly

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2025-02-20T18:13:42Z"
-  build_hash: a326346bd3a6973254d247c9ab2dc76790c36241
+  build_date: "2025-03-25T01:17:53Z"
+  build_hash: 3722729cebe6d3c03c7e442655ef0846f91566a2
   go_version: go1.24.0
-  version: v0.43.2
-api_directory_checksum: 086df7708184fcedddb2910d4980cdff3bf9de8f
+  version: v0.43.2-7-g3722729
+api_directory_checksum: b37edb8bba9d3847d4bdf1e842b7a597821c8c37
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
-  file_checksum: 7e92f95044b114e8b39e4b28ea82afbdc992a3cb
+  file_checksum: 724cd3123b18f9c38b661085bdb33aaae1ac0b14
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/alias.go

@@ -7,65 +7,67 @@ ignore:
     # FunctionUrlConfig
     # LayerVersion
   field_paths:
-  - CreateCodeSigningConfigInput.Tags
-  - CreateEventSourceMappingInput.DocumentDBEventSourceConfig
-  - CreateEventSourceMappingInput.KMSKeyArn
-  - CreateEventSourceMappingInput.MetricsConfig
-  - CreateEventSourceMappingInput.ProvisionedPollerConfig
-  - CreateEventSourceMappingInput.Tags
-  - CreateEventSourceMappingOutput.FilterCriteriaError
-  - CreateEventSourceMappingOutput.DocumentDBEventSourceConfig
-  - CreateEventSourceMappingOutput.KMSKeyArn
-  - CreateEventSourceMappingOutput.MetricsConfig
-  - CreateEventSourceMappingOutput.ProvisionedPollerConfig
-  - FunctionCode.SourceKMSKeyArn
-  - CreateFunctionInput.LoggingConfig
-  - CreateFunctionOutput.RuntimeVersionConfig
-  - CreateFunctionOutput.LoggingConfig
-  - CreateFunctionUrlConfigInput.InvokeMode
-  - CreateFunctionUrlConfigOutput.InvokeMode
-  - PublishVersionOutput.LoggingConfig
-  - PublishVersionOutput.RuntimeVersionConfig
-  - VpcConfig.Ipv6AllowedForDualStack
+    - CreateCodeSigningConfigInput.Tags
+    - CreateEventSourceMappingInput.DocumentDBEventSourceConfig
+    - CreateEventSourceMappingInput.KMSKeyArn
+    - CreateEventSourceMappingInput.MetricsConfig
+    - CreateEventSourceMappingInput.ProvisionedPollerConfig
+    - CreateEventSourceMappingInput.Tags
+    - CreateEventSourceMappingOutput.FilterCriteriaError
+    - CreateEventSourceMappingOutput.DocumentDBEventSourceConfig
+    - CreateEventSourceMappingOutput.KMSKeyArn
+    - CreateEventSourceMappingOutput.MetricsConfig
+    - CreateEventSourceMappingOutput.ProvisionedPollerConfig
+    - FunctionCode.SourceKMSKeyArn
+    - CreateFunctionInput.LoggingConfig
+    - CreateFunctionOutput.RuntimeVersionConfig
+    - CreateFunctionOutput.LoggingConfig
+    - CreateFunctionUrlConfigInput.InvokeMode
+    - CreateFunctionUrlConfigOutput.InvokeMode
+    - PublishVersionOutput.LoggingConfig
+    - PublishVersionOutput.RuntimeVersionConfig
+    - VpcConfig.Ipv6AllowedForDualStack
+    - AddPermissionInput.FunctionName # We grab this from the Alias resource
+    - AddPermissionInput.Qualifier # We grab this from the Alias resource
 operations:
   GetFunction:
     output_wrapper_field_path: Configuration
   PublishLayerVersion:
     operation_type:
       - Create
       - Update
-    resource_name: 
+    resource_name:
       - LayerVersion
   PublishVersion:
     operation_type:
       - Create
-    resource_name: 
+    resource_name:
       - Version
   GetFunctionConfiguration:
     operation_type:
       - ReadOne
-    resource_name: 
+    resource_name:
       - Version
   DeleteFunction:
     operation_type:
       - Delete
-    resource_name: 
+    resource_name:
       - Version
       - Function
 resources:
   Function:
     synced:
       when:
         - path: Status.State
-          in: [ "Active" ]
+          in: ["Active"]
     fields:
       Code.SHA256:
         type: string
         compare:
           is_ignored: true
         set:
-        - ignore: "to"
-          method: Create
+          - ignore: "to"
+            method: Create
       Code.S3Bucket:
         references:
           resource: Bucket
@@ -161,7 +163,14 @@ resources:
         from:
           operation: PutProvisionedConcurrencyConfig
           path: .
+      Permissions:
+        custom_field:
+          list_of: AddPermissionInput
+        compare:
+          is_ignored: true
     hooks:
+      delta_pre_compare:
+        code: customPreCompare(delta, a, b)
       sdk_update_pre_build_request:
         template_path: hooks/alias/sdk_update_pre_build_request.go.tpl
       sdk_read_one_post_set_output:
@@ -288,4 +297,4 @@ resources:
             Qualifier: Version
         GetFunctionConfiguration:
           input_fields:
-            Qualifier: Version
+            Qualifier: Version

apis/v1alpha1/generator.yaml

@@ -132,6 +132,31 @@ spec:
               name:
                 description: The name of the alias.
                 type: string
+              permissions:
+                description: Permissions configures a set of Lambda permissions to
+                  grant to an alias.
+                items:
+                  properties:
+                    action:
+                      type: string
+                    eventSourceToken:
+                      type: string
+                    functionURLAuthType:
+                      type: string
+                    principal:
+                      type: string
+                    principalOrgID:
+                      type: string
+                    revisionID:
+                      type: string
+                    sourceARN:
+                      type: string
+                    sourceAccount:
+                      type: string
+                    statementID:
+                      type: string
+                  type: object
+                type: array
               provisionedConcurrencyConfig:
                 description: |-
                   Configures provisioned concurrency to a function's alias

apis/v1alpha1/types.go

@@ -4,7 +4,7 @@ resources:
       FunctionEventInvokeConfig:
         prepend: |
           Configures options for asynchronous invocation on a function.
-          
+
           - DestinationConfig
               A destination for events after they have been sent to a function for processing.
 
@@ -13,18 +13,20 @@ resources:
               Queue - The ARN of a standard SQS queue.
               Topic - The ARN of a standard SNS topic.
               Event Bus - The ARN of an Amazon EventBridge event bus.
-          
+
           - MaximumEventAgeInSeconds
               The maximum age of a request that Lambda sends to a function for processing.
-          
+
           - MaximumRetryAttempts
               The maximum number of times to retry when the function returns an error.
   Alias:
     fields:
+      Permissions:
+        prepend: Permissions configures a set of Lambda permissions to grant to an alias.
       FunctionEventInvokeConfig:
         prepend: |
           Configures options for asynchronous invocation on an alias.
-          
+
           - DestinationConfig
               A destination for events after they have been sent to a function for processing.
 
@@ -36,14 +38,14 @@ resources:
             
           - MaximumEventAgeInSeconds
               The maximum age of a request that Lambda sends to a function for processing.
-          
+
           - MaximumRetryAttempts
               The maximum number of times to retry when the function returns an error.
-      
+
       ProvisionedConcurrencyConfig:
         prepend: |
           Configures provisioned concurrency to a function's alias
 
           - ProvisionedConcurrentExecutions
               The amount of provisioned concurrency to allocate for the version or alias.
-              Minimum value of 1 is required
+              Minimum value of 1 is required