add IAMRoleSelected condition

michaelhtm · michaelhtm · commit 0d5b23448f45 · 2025-11-11T16:37:09.000-08:00
diff --git a/apis/core/v1alpha1/conditions.go b/apis/core/v1alpha1/conditions.go
@@ -66,6 +66,10 @@ const (
 	// "False" status indicates that the resource references failed to resolve.
 	// For Ex: When referenced resource is in terminal condition
 	ConditionTypeReferencesResolved ConditionType = "ACK.ReferencesResolved"
+	// ConditionTypeIAMRoleSelected indicates whether an IAMRoleSelector has been selected
+	// to manage the AWSResource. If none are selected, this condition will be removed
+	// and we'll use the custom role to manage the AWSResource
+	ConditionTypeIAMRoleSelected ConditionType = "ACK.IAMRoleSelected"
 )
 
 // Condition is the common struct used by all CRDs managed by ACK service
diff --git a/mocks/pkg/types/aws_resource.go b/mocks/pkg/types/aws_resource.go
diff --git a/pkg/condition/condition.go b/pkg/condition/condition.go
@@ -33,10 +33,13 @@ var (
 		"annotations."
 	UnknownSyncedMessage             = "Unable to determine if desired resource state matches latest observed state"
 	NotSyncedMessage                 = "Resource not synced"
-	TerminalMessage                 = "Resource is "
+	TerminalMessage                  = "Resource is "
 	SyncedMessage                    = "Resource synced successfully"
 	FailedReferenceResolutionMessage = "Reference resolution failed"
 	UnavailableIAMRoleMessage        = "IAM Role is not available"
+
+	IAMRoleSelectedReason  = "Selected"
+	IAMRoleSelectedMessage = "roleARN: %s, selectorName: %s, selectorResourceVersion: %s"
 )
 
 // Ready returns the Condition in the resource's Conditions collection that is
@@ -81,6 +84,13 @@ func ReferencesResolved(subject acktypes.ConditionManager) *ackv1alpha1.Conditio
 	return FirstOfType(subject, ackv1alpha1.ConditionTypeReferencesResolved)
 }
 
+// IAMRoleSelected returns the Condition in the resource's Conditions collection
+// that is of type ConditionTypeIAMRoleSelected. If no such condition is found,
+// returns nil.
+func IAMRoleSelected(subject acktypes.ConditionManager) *ackv1alpha1.Condition {
+	return FirstOfType(subject, ackv1alpha1.ConditionTypeIAMRoleSelected)
+}
+
 // FirstOfType returns the first Condition in the resource's Conditions
 // collection of the supplied type. If no such condition is found, returns nil.
 func FirstOfType(
@@ -252,6 +262,30 @@ func SetReferencesResolved(
 	subject.ReplaceConditions(allConds)
 }
 
+// SetIAMRoleSelected sets the resource's Condition of type ConditionTypeIAMRoleSelected
+// to the supplied status, optional message and reason.
+func SetIAMRoleSelected(
+	subject acktypes.ConditionManager,
+	status corev1.ConditionStatus,
+	message *string,
+	reason *string,
+) {
+	allConds := subject.Conditions()
+	var c *ackv1alpha1.Condition
+	if c = ReferencesResolved(subject); c == nil {
+		c = &ackv1alpha1.Condition{
+			Type: ackv1alpha1.ConditionTypeIAMRoleSelected,
+		}
+		allConds = append(allConds, c)
+	}
+	now := metav1.Now()
+	c.LastTransitionTime = &now
+	c.Status = status
+	c.Message = message
+	c.Reason = reason
+	subject.ReplaceConditions(allConds)
+}
+
 // RemoveReferencesResolved removes the condition of type ConditionTypeReferencesResolved
 // from the resource's conditions
 func RemoveReferencesResolved(
diff --git a/pkg/condition/condition_test.go b/pkg/condition/condition_test.go
@@ -49,6 +49,9 @@ func TestConditionGetters(t *testing.T) {
 	got = ackcond.Ready(r)
 	assert.Nil(got)
 
+	got = ackcond.IAMRoleSelected(r)
+	assert.Nil(got)
+
 	conds = append(conds, &ackv1alpha1.Condition{
 		Type:   ackv1alpha1.ConditionTypeResourceSynced,
 		Status: corev1.ConditionFalse,
@@ -66,6 +69,9 @@ func TestConditionGetters(t *testing.T) {
 	got = ackcond.Ready(r)
 	assert.Nil(got)
 
+	got = ackcond.IAMRoleSelected(r)
+	assert.Nil(got)
+
 	conds = append(conds, &ackv1alpha1.Condition{
 		Type:   ackv1alpha1.ConditionTypeTerminal,
 		Status: corev1.ConditionFalse,
@@ -83,6 +89,9 @@ func TestConditionGetters(t *testing.T) {
 	got = ackcond.Ready(r)
 	assert.Nil(got)
 
+	got = ackcond.IAMRoleSelected(r)
+	assert.Nil(got)
+
 	gotAll := ackcond.AllOfType(r, ackv1alpha1.ConditionTypeAdvisory)
 	assert.Empty(gotAll)
 
@@ -124,6 +133,15 @@ func TestConditionGetters(t *testing.T) {
 	r.On("Conditions").Return(conds)
 	got = ackcond.Ready(r)
 	assert.NotNil(got)
+
+	conds = append(conds, &ackv1alpha1.Condition{
+		Type:   ackv1alpha1.ConditionTypeIAMRoleSelected,
+		Status: corev1.ConditionTrue,
+	})
+	r = &ackmocks.AWSResource{}
+	r.On("Conditions").Return(conds)
+	got = ackcond.IAMRoleSelected(r)
+	assert.NotNil(got)
 }
 
 func TestConditionSetters(t *testing.T) {
@@ -329,4 +347,19 @@ func TestConditionSetters(t *testing.T) {
 		}),
 	)
 	ackcond.SetReady(r, corev1.ConditionTrue, nil, nil)
+
+	// IAMRoleSelected condition
+	r = &ackmocks.AWSResource{}
+	r.On("Conditions").Return([]*ackv1alpha1.Condition{})
+	r.On(
+		"ReplaceConditions",
+		mock.MatchedBy(func(subject []*ackv1alpha1.Condition) bool {
+			if len(subject) != 1 {
+				return false
+			}
+			return (subject[0].Type == ackv1alpha1.ConditionTypeIAMRoleSelected &&
+				subject[0].Status == corev1.ConditionTrue)
+		}),
+	)
+	ackcond.SetIAMRoleSelected(r, corev1.ConditionTrue, nil, nil)
 }
diff --git a/pkg/runtime/reconciler.go b/pkg/runtime/reconciler.go
@@ -353,12 +353,21 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 		return ctrlrt.Result{}, err
 	}
 	latest, err = r.reconcile(ctx, rm, desired)
-	if latest != nil && selector != nil {
-		latest.SetIAMRoleSelector(selector)
+	if latest != nil {
+		setIAMRoleSelectorCondition(latest, selector)
 	}
 	return r.HandleReconcileError(ctx, desired, latest, err)
 }
 
+func setIAMRoleSelectorCondition(r acktypes.ConditionManager, selector *ackv1alpha1.IAMRoleSelector) {
+	if selector == nil {
+		return
+	}
+
+	message := fmt.Sprintf(condition.IAMRoleSelectedMessage, selector.Spec.ARN, selector.GetName(), selector.GetResourceVersion())
+	condition.SetIAMRoleSelected(r, corev1.ConditionTrue, &condition.IAMRoleSelectedReason, &message)
+}
+
 // regionDrifted return true if the desired resource region is different
 // from the target region. Target region can be derived from the two places
 // in the following order:
diff --git a/pkg/types/aws_resource.go b/pkg/types/aws_resource.go
@@ -51,7 +51,4 @@ type AWSResource interface {
 	// PopulateResourceFromAnnotation will set the Spec or Status field that user
 	// provided from annotations
 	PopulateResourceFromAnnotation(fields map[string]string) error 
-	// Set the selected IAMRoleSelector information used to manage this resource
-	// in the resource status
-	SetIAMRoleSelector(*ackv1alpha1.IAMRoleSelector)
 }

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,4 @@ type AWSResource interface {`
`51`	`51`	`// PopulateResourceFromAnnotation will set the Spec or Status field that user`
`52`	`52`	`// provided from annotations`
`53`	`53`	`PopulateResourceFromAnnotation(fields map[string]string) error`
`54`		`- // Set the selected IAMRoleSelector information used to manage this resource`
`55`		`- // in the resource status`
`56`		`- SetIAMRoleSelector(*ackv1alpha1.IAMRoleSelector)`
`57`	`54`	`}`