From 1107caae0261c0d871553aafee991d05d003b0c8 Mon Sep 17 00:00:00 2001 From: michaelhtm <98621731+michaelhtm@users.noreply.github.com> Date: Thu, 8 May 2025 13:02:49 -0700 Subject: [PATCH] fix: add policies on create --- apis/v1alpha1/ack-generate-metadata.yaml | 8 ++++---- helm/templates/deployment.yaml | 4 ++++ helm/values.schema.json | 8 ++++++++ helm/values.yaml | 11 +++++++++++ pkg/resource/role/sdk.go | 12 ++++++++++++ .../hooks/role/sdk_create_post_set_output.go.tpl | 12 ++++++++++++ 6 files changed, 51 insertions(+), 4 deletions(-) diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index e5dbc56..90603f2 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,8 +1,8 @@ ack_generate_info: - build_date: "2025-05-02T16:46:04Z" - build_hash: f8dc5330705b3752ce07dce0ac831161fd4cb14f - go_version: go1.24.2 - version: v0.45.0 + build_date: "2025-05-08T19:50:19Z" + build_hash: a82538df1333319f8ec1d603f6cf293aefc46e1b + go_version: go1.24.1 + version: v0.45.0-3-ga82538d api_directory_checksum: 7e1c19231d3275a1147157f6943a7391953f7001 api_version: v1alpha1 aws_sdk_go_version: v1.32.6 diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 1183c7f..2e2a8a1 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml @@ -59,6 +59,8 @@ spec: - "$(ACK_WATCH_NAMESPACE)" - --watch-selectors - "$(ACK_WATCH_SELECTORS)" + - --reconcile-resources + - "$(RECONCILE_RESOURCES)" - --deletion-policy - "$(DELETION_POLICY)" {{- if .Values.leaderElection.enabled }} @@ -107,6 +109,8 @@ spec: value: {{ include "ack-iam-controller.watch-namespace" . }} - name: ACK_WATCH_SELECTORS value: {{ .Values.watchSelectors }} + - name: RECONCILE_RESOURCES + value: {{ join "," .Values.reconcile.resources | quote }} - name: DELETION_POLICY value: {{ .Values.deletionPolicy }} - name: LEADER_ELECTION_NAMESPACE 
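Review bot: When `reconcile.resources` is empty, `join "," .Values.reconcile.resources | quote` renders `""`, so the container is started with `--reconcile-resources ""` rather than with the flag omitted; the schema text says an empty list means "reconcile everything", but whether the runtime's flag parser treats an empty string the same way or as a single empty kind is not visible in this diff and should be confirmed. If it does not, the safe form is to gate both argument lines: `{{- if .Values.reconcile.resources }}` / `- --reconcile-resources` / `- "$(RECONCILE_RESOURCES)"` / `{{- end }}`. Quoting the joined value is correct and is more careful than the existing unquoted `ACK_WATCH_SELECTORS` line it sits next to.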
diff --git a/helm/values.schema.json b/helm/values.schema.json index 37f2ca0..e656c74 100644 --- a/helm/values.schema.json +++ b/helm/values.schema.json @@ -239,6 +239,14 @@ }, "resourceMaxConcurrentSyncs": { "type": "object" + }, + "resources": { + "type": "array", + "items": { + "type": "string" + }, + "description": "List of resource kinds to reconcile. If empty, all resources will be reconciled.", + "default": [] } }, "type": "object" diff --git a/helm/values.yaml b/helm/values.yaml index d78f524..d05ade2 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -137,6 +137,17 @@ reconcile: # An object representing the reconcile max concurrent syncs configuration for each specific # resource. resourceMaxConcurrentSyncs: {} + + # Set the value of resources to specify which resource kinds to reconcile. + # If empty, all resources will be reconciled. + # If specified, only the listed resource kinds will be reconciled. + resources: + - Groups + - Instanceprofiles + - Openidconnectproviders + - Policies + - Roles + - Users serviceAccount: # Specifies whether a service account should be created diff --git a/pkg/resource/role/sdk.go b/pkg/resource/role/sdk.go index c2ac7c9..70e6388 100644 --- a/pkg/resource/role/sdk.go +++ b/pkg/resource/role/sdk.go @@ -324,6 +324,18 @@ func (rm *resourceManager) sdkCreate( ko.Spec.AssumeRolePolicyDocument = &doc } } + for _, p := range desired.ko.Spec.Policies { + err := rm.addManagedPolicy(ctx, &resource{ko}, p) + if err != nil { + return &resource{ko}, err + } + } + for n, p := range desired.ko.Spec.InlinePolicies { + err := rm.addInlinePolicy(ctx, &resource{ko}, n, p) + if err != nil { + return &resource{ko}, err + } + } ackcondition.SetSynced(&resource{ko}, corev1.ConditionFalse, nil, nil) return &resource{ko}, nil diff --git a/templates/hooks/role/sdk_create_post_set_output.go.tpl b/templates/hooks/role/sdk_create_post_set_output.go.tpl index 08610d1..2c691c8 100644 --- a/templates/hooks/role/sdk_create_post_set_output.go.tpl 
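Review bot: The schema hunk declares `"default": []` with the comment that an empty list reconciles everything, while values.yaml ships an explicit six-entry list; the two agree today, but a chart user who copies values.yaml and later upgrades to a release that adds a new IAM kind keeps the stale list and the new kind is silently never reconciled, which for an IAM controller means drift goes unnoticed. Consider leaving the shipped default empty, or adding `# Keep in sync with the CRDs in helm/crds/ — a kind missing here is never reconciled.` above the list. The entries `Instanceprofiles` and `Openidconnectproviders` do not match the usual kind casing (`InstanceProfile`, `OpenIDConnectProvider`); whether the flag match is case-insensitive cannot be told from this diff, so it is worth a quick check that these two kinds are actually picked up.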
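Review bot: If `addManagedPolicy` or `addInlinePolicy` fails part-way, the role already exists with its trust policy and whatever policies were attached before the failure, and the returned error carries no indication of which policy failed; wrap it with the identifier so the condition message is actionable, e.g. `return &resource{ko}, fmt.Errorf("attaching managed policy %s: %w", *p, err)` (only if the runtime classifies terminal AWS errors with `errors.As` rather than a direct type assertion — otherwise log the identifier before returning the bare error). Returning `&resource{ko}` rather than `nil` on that path is the right choice, since the ARN from the CreateRole output stays on the resource and the next reconcile repairs the policy set instead of creating a second role; that intent deserves a one-line comment, `// keep ko so the created role's ARN is persisted and the remaining policies are reconciled on the next pass`. One consequence to be aware of: a terminal error such as a non-existent managed policy ARN leaves the role partially configured, and if the runtime marks the resource Terminal it is not retried until the spec changes. `sdkCreate` begins before this hunk; this file is generated from the template changed below, so any fix belongs there.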
+++ b/templates/hooks/role/sdk_create_post_set_output.go.tpl @@ -5,4 +5,16 @@ ko.Spec.AssumeRolePolicyDocument = &doc } } + for _, p := range desired.ko.Spec.Policies { + err := rm.addManagedPolicy(ctx, &resource{ko}, p) + if err != nil { + return &resource{ko}, err + } + } + for n, p := range desired.ko.Spec.InlinePolicies { + err := rm.addInlinePolicy(ctx, &resource{ko}, n, p) + if err != nil { + return &resource{ko}, err + } + } ackcondition.SetSynced(&resource{ko}, corev1.ConditionFalse, nil, nil)
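Review bot: The `for n, p := range desired.ko.Spec.InlinePolicies` loop appears to range over a map (name to document), so Go's randomized map iteration means that when one `PutRolePolicy` fails the set of inline policies already attached differs from run to run, which makes a partially configured role hard to reproduce and audit. Iterating the names in sorted order costs a few lines and makes the partial state deterministic; the generated `pkg/resource/role/sdk.go` hunk above carries the same code and picks this up on regeneration. This needs `sort` in the generated file's imports, which are not visible here. The hook runs inside `sdkCreate`, whose start and end lie outside this hunk.

```go
	// Attach inline policies in a stable order so a partial failure
	// leaves a reproducible set of policies on the role.
	names := make([]string, 0, len(desired.ko.Spec.InlinePolicies))
	for n := range desired.ko.Spec.InlinePolicies {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		err := rm.addInlinePolicy(ctx, &resource{ko}, n, desired.ko.Spec.InlinePolicies[n])
		if err != nil {
			return &resource{ko}, err
		}
	}
	// … unchanged: SetSynced and return …
```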