s3control-controller\Add access point policy support

[simon-torrez-al]

Hello, i'm using s3control-controller to manage s3 access point

apiVersion: s3control.services.k8s.aws/v1alpha1
kind: AccessPoint
metadata:
  name: my-s3-access-point
  namespace: default
spec:
  accountID: '123456789'
  bucket: my-bucket-name
  bucketAccountID: '123456789'
  name: my-access-point-name
  publicAccessBlockConfiguration:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true

Today, it's not possible to manage the access point policy for this s3 access point.
Is it possible to implement this property ?

My solution would be to add a property named '' accessPointPolicyDocument" accepting a json formated document, like:

apiVersion: s3control.services.k8s.aws/v1alpha1
kind: AccessPoint
metadata:
  name: my-s3-access-point
  namespace: default
spec:
  accountID: '123456789'
  bucket: my-bucket-name
  bucketAccountID: '123456789'
  name: my-access-point-name
  publicAccessBlockConfiguration:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
    policyDocument: >-
      {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789:role/my-authorized-role"},"Action": ["s3:ListBucket","s3:GetObject","s3:PutObject"],"Resource": ["arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name","arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name/my/specific/path/*"]}]}

Thanks for your help on this !

[github-actions]

Hello @simon-torrez-al 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[rushmash91]

Hi @simon-torrez-al , I see the AccessPointPolicy has a Put, Get and Delete method here

We can support the controller by generation the new resource with the code generator. Just generate the controller after updating the generator similar to route53 recordset here.

[simon-torrez-al]

Hi @rushmash91 ,

Thanks a lot for your message, I'll have a look and verify that I'm able to manage this change. I'm not sure of all the implications this modification would need.

[rushmash91]

Sure! You would need to fork and clone the Code-generator, runtime and s3control-controller repo, update the generator and build the controller: https://aws-controllers-k8s.github.io/community/docs/contributor-docs/building-controller/

Let me know if you run into any issues!

[ack-bot]

Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale

[ack-bot]

Stale issues rot after 60d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 60d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle rotten