chore(work): add Crossplane examples

bootstrap/crossplane/example-managed-resources/cognito.test.yaml

@@ -0,0 +1,41 @@
+apiVersion: cognitoidp.aws.upbound.io/v1beta2
+kind: UserPool
+metadata:
+  annotations:
+    meta.upbound.io/example-id: cognitoidp/v1beta1/useringroup
+  labels:
+    testing.upbound.io/example-name: example
+  name: example
+spec:
+  forProvider:
+    name: example
+    region: us-east-1
+    # userPoolTier: LITE
+  providerConfigRef:
+    name: cognito
+
+---
+apiVersion: cognitoidp.aws.upbound.io/v1beta1
+kind: UserGroup
+metadata:
+  annotations:
+    meta.upbound.io/example-id: cognitoidp/v1beta1/usergroup
+  labels:
+    testing.upbound.io/example-name: example
+  name: example
+spec:
+  forProvider:
+    name: example
+    precedence: 42
+    region: us-east-1
+    # roleArnSelector:
+    #   matchLabels:
+    #     testing.upbound.io/example-name: group_role
+    userPoolIdSelector:
+      matchLabels:
+        testing.upbound.io/example-name: example
+  providerConfigRef:
+    name: cognito
+
+
+

bootstrap/crossplane/example-managed-resources/composite-resources/composition.yaml

@@ -0,0 +1,118 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: xexamples.aws.k8s.masos.dev
+  labels:
+    provider: aws
+spec:
+  writeConnectionSecretsToNamespace: crossplane-system
+  compositeTypeRef:
+    apiVersion: k8s.masos.dev/v1alpha1
+    kind: XExample
+
+  patchSets:
+  - name: example-id
+    patches:
+    - type: CombineFromComposite
+      combine:
+        variables:
+          - fromFieldPath: spec.name
+          - fromFieldPath: spec.tenant
+        strategy: string
+        string:
+          fmt: "%s-%s"
+      fromFieldPath: spec.id
+      toFieldPath: metadata.labels[aws.k8s.masos.dev/example-id]
+    - type: ToCompositeFieldPath
+      fromFieldPath: metadata.labels[aws.k8s.masos.dev/example-id]
+      toFieldPath: status.masos.id
+    - type: ToCompositeFieldPath
+      fromFieldPath: metadata.labels[aws.k8s.masos.dev/example-id]
+      toFieldPath: status.masos-id
+
+
+
+  resources:
+    - base:
+        apiVersion: cognitoidp.aws.upbound.io/v1beta2
+        kind: UserPool
+        spec:
+          forProvider:
+            region: us-east-1
+            deletionProtection: INACTIVE
+      name: auth-backend
+      patches:
+        - type: PatchSet
+          patchSetName: example-id
+        - type: CombineFromComposite
+          combine:
+            variables:
+              - fromFieldPath: spec.name
+              - fromFieldPath: spec.tenant
+            strategy: string
+            string:
+              fmt: "%s-%s"
+          fromFieldPath: spec.id
+          toFieldPath: spec.forProvider.name
+
+    - name: group-admin
+      base:
+        apiVersion: cognitoidp.aws.upbound.io/v1beta1
+        kind: UserGroup
+        spec:
+          providerConfigRef:
+            name: cognito
+          forProvider:
+            name: admin
+            precedence: 10
+            region: us-east-1
+            # roleArnSelector:
+            #   matchLabels:
+            #     testing.upbound.io/example-name: group_role
+            userPoolIdSelector:
+              matchLabels:
+                aws.k8s.masos.dev/example-id: unset
+      patches:
+        - type: PatchSet
+          patchSetName: example-id
+        - type: CombineFromComposite
+          combine:
+            variables:
+              - fromFieldPath: spec.name
+              - fromFieldPath: spec.tenant
+            strategy: string
+            string:
+              fmt: "%s-%s"
+          fromFieldPath: spec.id
+          toFieldPath: spec.forProvider.userPoolIdSelector.matchLabels['aws.k8s.masos.dev/example-id']
+
+    - name: example-bucket
+      base:
+        apiVersion: cognitoidp.aws.upbound.io/v1beta1
+        kind: UserGroup
+        spec:
+          providerConfigRef:
+            name: s3
+          forProvider:
+            name: admin
+            precedence: 10
+            region: us-east-1
+            # roleArnSelector:
+            #   matchLabels:
+            #     testing.upbound.io/example-name: group_role
+            userPoolIdSelector:
+              matchLabels:
+                aws.k8s.masos.dev/example-id: unset
+      patches:
+        - type: PatchSet
+          patchSetName: example-id
+        - type: CombineFromComposite
+          combine:
+            variables:
+              - fromFieldPath: spec.name
+              - fromFieldPath: spec.tenant
+            strategy: string
+            string:
+              fmt: "%s-%s"
+          fromFieldPath: spec.id
+          toFieldPath: spec.forProvider.userPoolIdSelector.matchLabels['aws.k8s.masos.dev/example-id']

bootstrap/crossplane/example-managed-resources/composite-resources/definition.yaml

@@ -0,0 +1,47 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: xexamples.k8s.masos.dev
+spec:
+  group: k8s.masos.dev
+  names:
+    kind: XExample
+    plural: xexamples
+  claimNames:
+    kind: Example
+    plural: examples
+  versions:
+    - name: v1alpha1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                name:
+                  type: string
+                  description: ID of this resource that other objects will use to refer to it.
+                tenant:
+                  type: string
+                  description: Tenant using this resource
+                providerConfigRef:
+                  type: object
+                  properties:
+                    name:
+                      type: string
+
+              required:
+                - name
+                - tenant
+
+            status:
+              type: object
+              properties:
+                masos:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                masos-id:
+                  type: string

bootstrap/crossplane/example-managed-resources/composite-resources/example-claim.yaml

@@ -0,0 +1,8 @@
+apiVersion: k8s.masos.dev/v1alpha1
+kind: Example
+metadata:
+  name: this-is-an-example
+  namespace: default
+spec:
+  name: alice
+  tenant: wonderland

bootstrap/crossplane/example-managed-resources/s3.test.yaml

@@ -0,0 +1,17 @@
+apiVersion: s3.aws.upbound.io/v1beta2
+kind: Bucket
+metadata:
+  annotations:
+    meta.upbound.io/example-id: s3/v1beta2/bucket
+  labels:
+    testing.upbound.io/example-name: s3
+  name: masos-crossplane-test
+spec:
+  forProvider:
+    objectLockEnabled: true
+    region: us-east-1
+    tags:
+      example-tag: some-value
+
+  providerConfigRef:
+    name: s3

bootstrap/crossplane/iam-examples/CognitoManagement-README.md

@@ -0,0 +1,23 @@
+I'm not sure what permissions are needed to create a UserPool. There is
+no AWS managed policies for creating/updating/deleting a UserPool. In the
+description of one of the managed Cognito policies, it says:
+
+>  You will need AWS account admin privileges to create new Cognito resources.
+
+For my testing, I used the AdministratorAccess managed policy.
+
+To follow the principle of least privilege, it's not clear which actions
+Crossplane needs access to it. Here is a list of some areas that it might
+touch:
+
+* cognito-identity
+* cognito-ip
+* cognito-sync
+* iam
+* kinesis
+* lambda
+* sns
+* ses
+* mobiletargeting
+* acm
+* sms-voice

bootstrap/crossplane/iam-examples/CognitoManagement-role.json

@@ -0,0 +1,18 @@
+{
+    "Role": {
+        "Path": "/",
+        "RoleName": "CognitoManagementRole",
+        "AssumeRolePolicyDocument": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/CrossplaneServiceRole"
+                    },
+                    "Action": "sts:AssumeRole"
+                }
+            ]
+        }
+    }
+}

bootstrap/crossplane/iam-examples/CrossplaneServiceRole.json

@@ -0,0 +1,24 @@
+{
+    "Role": {
+        "Path": "/",
+        "RoleName": "CrossplaneServiceRole",
+        "AssumeRolePolicyDocument": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
+                    },
+                    "Action": "sts:AssumeRoleWithWebIdentity",
+                    "Condition": {
+                        "StringEquals": {
+                            "oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:sub": "system:serviceaccount:NAMESPACE:SERVICEACCOUNTNAME",
+                            "oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:aud": "sts.amazonaws.com"
+                        }
+                    }
+                }
+            ]
+        }
+    }
+}

bootstrap/crossplane/iam-examples/S3Manage-policy.json

@@ -0,0 +1,61 @@
+{
+    "RoleName": "S3Manage",
+    "PolicyName": "s3-readwrite-masos-buckets",
+    "PolicyDocument": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "VisualEditor0",
+                "Effect": "Allow",
+                "Action": [
+                    "s3:DeleteObjectTagging",
+                    "s3:DeleteObjectVersion",
+                    "s3:GetObjectVersionTagging",
+                    "s3:RestoreObject",
+                    "s3:PutObjectVersionTagging",
+                    "s3:DeleteObjectVersionTagging",
+                    "s3:GetObjectVersionAttributes",
+                    "s3:GetObjectVersionTorrent",
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:GetObjectTorrent",
+                    "s3:GetObjectTagging",
+                    "s3:PutObjectTagging",
+                    "s3:DeleteObject",
+                    "s3:GetObjectVersion"
+                ],
+                "Resource": "arn:aws:s3:::masos-XXXXXXX-*/*"
+            },{
+                "Sid": "VisualEditor1",
+                "Effect": "Allow",
+                "Action": [
+                    "s3:GetLifecycleConfiguration",
+                    "s3:GetBucketTagging",
+                    "s3:GetBucketWebsite",
+                    "s3:GetBucketLogging",
+                    "s3:CreateBucket",
+                    "s3:ListBucket",
+                    "s3:GetAccelerateConfiguration",
+                    "s3:GetBucketVersioning",
+                    "s3:PutBucketCORS",
+                    "s3:GetBucketAcl",
+                    "s3:DeleteBucketPolicy",
+                    "s3:GetBucketPolicy",
+                    "s3:GetReplicationConfiguration",
+                    "s3:GetBucketObjectLockConfiguration",
+                    "s3:GetEncryptionConfiguration",
+                    "s3:PutBucketTagging",
+                    "s3:GetBucketRequestPayment",
+                    "s3:GetBucketCORS",
+                    "s3:PutBucketAcl",
+                    "s3:PutBucketPolicy",
+                    "s3:PutBucketObjectLockConfiguration",
+                    "s3:GetBucketLocation",
+                    "s3:DeleteBucket",
+                    "s3:PutBucketVersioning"
+                ],
+                "Resource": "arn:aws:s3:::masos-XXXXXXX-*"
+            }
+        ]
+    }
+}

bootstrap/crossplane/iam-examples/S3Manage-role.json

@@ -0,0 +1,18 @@
+{
+    "Role": {
+        "Path": "/",
+        "RoleName": "S3Manage",
+        "AssumeRolePolicyDocument": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/CrossplaneServiceRole"
+                    },
+                    "Action": "sts:AssumeRole"
+                }
+            ]
+        }
+    }
+}