
Sub Resource Manager Initial Implementation #687

Open

gustavodiaz7722 wants to merge 2 commits into aws-controllers-k8s:main from gustavodiaz7722:resource-manager-v4

Conversation

@gustavodiaz7722 (Member) commented Apr 10, 2026

Sub-Resource Manager: Declarative support for child API operations

Summary

Many AWS resources have secondary API operations that manage auxiliary settings on a parent resource (e.g., PutBackupVaultAccessPolicy, PutBackupVaultNotifications, PutBackupVaultLockConfiguration). Previously, supporting these required fully custom code in the service controller. This PR adds first-class code-generator support for these "sub-resources," allowing controller authors to declare them in generator.yaml and have all the plumbing generated automatically.

Sub-resources appear as inline fields on the parent CRD's Spec (e.g., spec.accessPolicy, spec.notifications) — no additional CRDs are created. The generated code handles the full lifecycle: read, create, update, delete, and cleanup on parent deletion.

Design

Configuration

Sub-resources are declared in two places in generator.yaml:

1. Operation binding — maps AWS API operations to a sub-resource name:

```yaml
operations:
  PutBackupVaultAccessPolicy:
    resource_name: AccessPolicy
    operation_type: create
  DeleteBackupVaultAccessPolicy:
    resource_name: AccessPolicy
    operation_type: delete
  GetBackupVaultAccessPolicy:
    resource_name: AccessPolicy
    operation_type: get
```

2. Parent resource config — declares sub-resources under sub_resources: with full ResourceConfig support (fields, renames, hooks, find_operation, exceptions, etc.):

```yaml
resources:
  BackupVault:
    sub_resources:
      AccessPolicy:
        fields:
          BackupVaultName:
            go_tag: json:"-"
            is_primary_key: true
            compare:
              is_ignored: true
        hooks:
          sdk_read_one_post_request:
            template_path: hooks/backup_vault_access_policy/sdk_read_one_post_request.go.tpl
```

What gets generated

For each sub-resource, the code generator produces:

| File | Location | Purpose |
|---|---|---|
| Go types | apis/v1alpha1/<sub_resource>.go | Spec/Status structs (no CRD markers, no TypeMeta/ObjectMeta, no List type) |
| sdk.go | pkg/resource/<parent>/<sub_resource>/ | sdkFind, sdkCreate, sdkDelete with full SDK bindings |
| delta.go | pkg/resource/<parent>/<sub_resource>/ | Field-level comparison logic |
| manager.go | pkg/resource/<parent>/<sub_resource>/ | Sub-resource manager with Sync(), Get(), NewSpecDelta() |

The parent resource's generated code is automatically wired:

  • sdkFind → calls each sub-resource manager's Get() to populate ko.Spec.<SubRes> from AWS
  • sdkUpdate → calls Sync() when delta.DifferentAt("Spec.<SubRes>"), short-circuits if only sub-resource fields changed
  • sdkCreate → sets ResourceSynced=False when sub-resource spec is non-nil (forces follow-up reconcile to apply sub-resource writes)
  • sdkDelete → calls Sync() with nil desired state to clean up sub-resources before deleting the parent

Singleton pattern

The current implementation uses a singleton pattern — each sub-resource has at most one instance per parent. The manager uses a constant key ("_singleton") so that value changes route through toUpdate rather than toCreate+toDelete. This covers the vast majority of AWS sub-resource APIs (policies, configurations, notification settings).

Primary key resolution

The sub-resource's primary key (typically the parent's name or ARN) is automatically resolved from the parent:

  • If the sub-resource's is_primary_key field name contains "arn" (case-insensitive), the value is sourced from parent.Status.ACKResourceMetadata.ARN
  • Otherwise, it's copied from the parent's own primary key field

Testing

  • Existing unit tests updated for the _ = elem change in ReadMany loops (set_resource_test.go).
  • Validated end-to-end with the backup-controller, which uses this feature to implement three sub-resources on BackupVault: AccessPolicy, Notifications, and LockConfiguration. Each exercises different patterns (standard Get API with error translation hooks, field renames, custom find operation).

Future work

  • Collection sub-resources: Extend beyond singleton to support list-based sub-resources (e.g., IAM role inline policies, security group rules) where multiple items are managed per parent.
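The singleton Sync routing and the primary-key resolution rule described in the PR text above, modelled as a stand-alone Go program. This is an added example, not code from this PR or from the ACK code generator: `Parent`, `AccessPolicy`, `Manager` and the in-memory `store` that stands in for the Put/Get/Delete SDK calls are all assumed stand-ins for the generated types, and the sample policy document is constructed. What it shows is why indexing both sides by a constant key turns a changed policy into one update rather than a delete followed by a create, how a nil desired state becomes the cleanup path, and what happens when the parent's ARN is not yet populated.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// singletonKey is the constant key the PR describes: at most one instance per
// parent, so a changed value routes through toUpdate, not toCreate+toDelete.
const singletonKey = "_singleton"

// Parent is an assumed stand-in for the generated parent resource.
type Parent struct {
	PrimaryKey string // the parent's own primary-key field, e.g. BackupVaultName
	ARN        string // parent.Status.ACKResourceMetadata.ARN
}

// ResolvePrimaryKey applies the PR's rule: a primary-key field whose name contains
// "arn" (case-insensitive) is sourced from the parent's ARN; any other name is
// copied from the parent's primary key. An empty source is an error, not "".
func ResolvePrimaryKey(fieldName string, p *Parent) (string, error) {
	if strings.Contains(strings.ToLower(fieldName), "arn") {
		if p.ARN == "" {
			return "", errors.New("parent ARN not populated yet; requeue")
		}
		return p.ARN, nil
	}
	if p.PrimaryKey == "" {
		return "", errors.New("parent primary key is empty")
	}
	return p.PrimaryKey, nil
}

// AccessPolicy is a constructed stand-in for a singleton sub-resource spec.
type AccessPolicy struct{ Policy string }

// Action reports what one Sync call decided to do.
type Action string

const (ActionNone, ActionCreate, ActionUpdate, ActionDelete Action = "none", "create", "update", "delete")

// Manager mirrors the Sync() surface the PR generates per sub-resource; the AWS
// Put/Get/Delete calls are replaced by a map keyed by the resolved primary key.
type Manager struct {
	store    map[string]AccessPolicy
	keyField string // the sub-resource field marked is_primary_key
}

// Sync reconciles desired against what AWS holds. Both sides are indexed by
// singletonKey, so a changed value is a single update; desired == nil yields a
// delete, which is how the parent's sdkDelete cleans up before removing itself.
func (m *Manager) Sync(p *Parent, desired *AccessPolicy) (Action, error) {
	key, err := ResolvePrimaryKey(m.keyField, p)
	if err != nil {
		return ActionNone, err
	}
	desiredSet, currentSet := map[string]AccessPolicy{}, map[string]AccessPolicy{}
	if desired != nil {
		desiredSet[singletonKey] = *desired
	}
	if current, ok := m.store[key]; ok {
		currentSet[singletonKey] = current
	}
	var toCreate, toUpdate, toDelete []string
	for k, d := range desiredSet {
		if c, ok := currentSet[k]; !ok {
			toCreate = append(toCreate, k)
		} else if d != c {
			toUpdate = append(toUpdate, k)
		}
	}
	for k := range currentSet {
		if _, ok := desiredSet[k]; !ok {
			toDelete = append(toDelete, k)
		}
	}
	switch {
	case len(toDelete) > 0:
		delete(m.store, key) // DeleteBackupVaultAccessPolicy in the real manager
		return ActionDelete, nil
	case len(toCreate) > 0:
		m.store[key] = *desired // PutBackupVaultAccessPolicy
		return ActionCreate, nil
	case len(toUpdate) > 0:
		m.store[key] = *desired // the same Put call, reached via toUpdate
		return ActionUpdate, nil
	}
	return ActionNone, nil
}

func main() {
	m := &Manager{store: map[string]AccessPolicy{}, keyField: "BackupVaultName"}
	vault := &Parent{PrimaryKey: "vault-a", ARN: "arn:aws:backup:us-east-1:123456789012:backup-vault:vault-a"}
	deny := &AccessPolicy{Policy: `{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"backup:DeleteRecoveryPoint","Resource":"*"}]}`}
	for _, d := range []*AccessPolicy{deny, deny, nil} { // create, no-op, delete
		act, err := m.Sync(vault, d)
		fmt.Println(act, err)
	}
}
```

Two points this makes concrete for anyone reviewing or adopting the generated managers. First, an ARN-keyed sub-resource is unaddressable until the parent's status ARN exists, which is why the example returns an error (and a real reconciler would requeue) rather than writing to an empty key; this lines up with the PR's sdkCreate setting ResourceSynced=False so the sub-resource write happens on a follow-up reconcile. Second, the example treats a nil desired state identically whether the user removed the block from the spec or the parent is being deleted, so removing spec.accessPolicy from a manifest would remove the vault's access policy in AWS; whether the generated code makes the same choice is something to confirm against the PR's sdkUpdate path, since an access policy is a security control and silently dropping it is the riskier direction.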

@ack-prow ack-prow Bot requested review from a-hilaly and knottnt April 10, 2026 21:39

ack-prow Bot commented Apr 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gustavodiaz7722
Once this PR has been reviewed and has the lgtm label, please assign jlbutler for approval by writing /assign @jlbutler in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


ack-prow Bot commented Apr 28, 2026

@gustavodiaz7722: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| unit-test | 5d5d2d7 | link | true | /test unit-test |
| ec2-controller-test | 5d5d2d7 | link | true | /test ec2-controller-test |
| documentdb-controller-test | 5d5d2d7 | link | true | /test documentdb-controller-test |
| verify-attribution | 5d5d2d7 | link | false | /test verify-attribution |
| acm-controller-test | 5d5d2d7 | link | true | /test acm-controller-test |
| apigatewayv2-controller-test | 5d5d2d7 | link | true | /test apigatewayv2-controller-test |
| ecr-controller-test | 5d5d2d7 | link | true | /test ecr-controller-test |
| prometheusservice-controller-test | 5d5d2d7 | link | true | /test prometheusservice-controller-test |
| pipes-controller-test | 5d5d2d7 | link | true | /test pipes-controller-test |
| efs-controller-test | 5d5d2d7 | link | true | /test efs-controller-test |
| dynamodb-controller-test | 5d5d2d7 | link | true | /test dynamodb-controller-test |
| lambda-controller-test | 5d5d2d7 | link | true | /test lambda-controller-test |
| eks-controller-test | 5d5d2d7 | link | true | /test eks-controller-test |
| s3-olm-test | 5d5d2d7 | link | false | /test s3-olm-test |
| eventbridge-controller-test | 5d5d2d7 | link | true | /test eventbridge-controller-test |
| iam-controller-test | 5d5d2d7 | link | true | /test iam-controller-test |
| cloudfront-controller-test | 5d5d2d7 | link | true | /test cloudfront-controller-test |
| s3-controller-test | 5d5d2d7 | link | true | /test s3-controller-test |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
