Gatekeeper upgrade (#208)

* management policies addition * management policies removal from K8-provider * load balancer controller addition * updating policy to access global and local index * Update dynamodb-write.yaml license * upgrade deprecated api * PR review fix
awslabs · Jun 28, 2024 · 4e777bb · 4e777bb
1 parent 1a9a993
commit 4e777bb
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 96 deletions.
diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml
@@ -1,23 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+  annotations:
+    meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
   name: sample-table
 spec:
-  deletionPolicy: Delete
+  providerConfigRef:
+    name: aws-provider-config
   forProvider:
+    attribute:
+      - name: myAttribute
+        type: S
+    hashKey: myAttribute
+    readCapacity: 1
+    writeCapacity: 1
     region: eu-west-2
-    attributeDefinitions:
-      - attributeName: id
-        attributeType: S
-    keySchema:
-      - attributeName: id
-        keyType: HASH
-    billingMode: PROVISIONED
-    provisionedThroughput:
-      readCapacityUnits: 1
-      writeCapacityUnits: 1
     tags:
-      - key: "owner"
-        value: "finance"
-  providerConfigRef:
-    name: aws-provider-config
+      owner: finance
diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml
@@ -1,24 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+  annotations:
+    meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
   name: failing-table
 spec:
-  deletionPolicy: Delete
+  providerConfigRef:
+    name: aws-provider-config
   forProvider:
+    attribute:
+      - name: myAttribute
+        type: S
+    hashKey: myAttribute
+    readCapacity: 1
+    writeCapacity: 1
     region: us-east-1
-    attributeDefinitions:
-      - attributeName: id
-        attributeType: S
-    keySchema:
-      - attributeName: id
-        keyType: HASH
-    billingMode: PROVISIONED
-    provisionedThroughput:
-      readCapacityUnits: 1
-      writeCapacityUnits: 1
     tags:
-      - key: "owner"
-        value: "finance"
-
-  providerConfigRef:
-    name: aws-provider-config
+      owner: finance
diff --git a/examples/gatekeeper/required-tags/samples/constraint.yaml b/examples/gatekeeper/required-tags/samples/constraint.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   match:
     kinds:
-      - apiGroups: ["*"]
-        kinds: ["*"]
+      - apiGroups: ["dynamodb.aws.upbound.io"]
+        kinds: ["Table"]
   parameters:
     tags: ["owner"]
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml
@@ -1,23 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+  annotations:
+    meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
   name: dummy-table
 spec:
-  deletionPolicy: Delete
+  providerConfigRef:
+    name: aws-provider-config
   forProvider:
+    attribute:
+      - name: myAttribute
+        type: S
+    hashKey: myAttribute
+    readCapacity: 1
+    writeCapacity: 1
     region: eu-west-2
-    attributeDefinitions:
-      - attributeName: id
-        attributeType: S
-    keySchema:
-      - attributeName: id
-        keyType: HASH
-    billingMode: PROVISIONED
-    provisionedThroughput:
-      readCapacityUnits: 1
-      writeCapacityUnits: 1
     tags:
-      - key: "aaa"
-        value: "finance"
-  providerConfigRef:
-    name: aws-provider-config
+      aaa: finance
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml
@@ -1,20 +1,17 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+  annotations:
+    meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
   name: dummy-table
 spec:
-  deletionPolicy: Delete
-  forProvider:
-    region: eu-west-2
-    attributeDefinitions:
-      - attributeName: id
-        attributeType: S
-    keySchema:
-      - attributeName: id
-        keyType: HASH
-    billingMode: PROVISIONED
-    provisionedThroughput:
-      readCapacityUnits: 1
-      writeCapacityUnits: 1
   providerConfigRef:
-    name: aws-provider-config
+    name: aws-provider-config
+  forProvider:
+    attribute:
+      - name: myAttribute
+        type: S
+    hashKey: myAttribute
+    readCapacity: 1
+    writeCapacity: 1
+    region: eu-west-2
diff --git a/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml
@@ -1,23 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+  annotations:
+    meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
   name: finance-table
 spec:
-  deletionPolicy: Delete
+  providerConfigRef:
+    name: aws-provider-config
   forProvider:
+    attribute:
+      - name: myAttribute
+        type: S
+    hashKey: myAttribute
+    readCapacity: 1
+    writeCapacity: 1
     region: eu-west-2
-    attributeDefinitions:
-      - attributeName: id
-        attributeType: S
-    keySchema:
-      - attributeName: id
-        keyType: HASH
-    billingMode: PROVISIONED
-    provisionedThroughput:
-      readCapacityUnits: 1
-      writeCapacityUnits: 1
     tags:
-      - key: "owner"
-        value: "finance"
-  providerConfigRef:
-    name: aws-provider-config
+      owner: finance
diff --git a/examples/gatekeeper/required-tags/template.yaml b/examples/gatekeeper/required-tags/template.yaml
@@ -8,7 +8,6 @@ spec:
       names:
         kind: AwsRequiredTags
       validation:
-        # Schema for the `parameters` field
         openAPIV3Schema:
           type: object
           properties:
@@ -20,19 +19,11 @@ spec:
     - target: admission.k8s.gatekeeper.sh
       rego: |
         package awsrequiredtags
-        import future.keywords.every
         
         violation[{"msg": msg}] {
-          endswith(input.review.kind.group, "aws.crossplane.io")
-          not startswith(input.review.kind.kind, "ProviderConfig")
-          not input.review.object.spec.forProvider.tags
-          msg := sprintf("Attempting to provision a resource without tags, the following tags are required '%v'", [input.parameters.tags])
-        }
-
-        violation[{"msg": msg}] {
-          some requested_tag in input.parameters.tags
-          every i in input.review.object.spec.forProvider.tags {
-              requested_tag != i.key
-          }
-          msg := sprintf("Attempting to provision a resource with the following tags '%v', one or more of the required tags '%v' is missing", [input.review.object.spec.forProvider.tags, input.parameters.tags])
+          input.review.kind.group == "dynamodb.aws.upbound.io"
+          some i
+          required_tag := input.parameters.tags[i]
+          not input.review.object.spec.forProvider.tags[required_tag]
+          msg := sprintf("Attempting to provision a resource without the required tag '%v'", [required_tag])
         }