Sub Resource manager Initial Implementation #687

Open
gustavodiaz7722 wants to merge 5 commits into aws-controllers-k8s:main from
gustavodiaz7722:resource-manager-v4

@gustavodiaz7722
Member

Sub-Resource Manager Framework

Introduces a code generation framework for managing sub-resource fields on parent CRDs through dedicated manager types. Sub-resources are fields on a parent resource (e.g. Spec.Policies, Spec.Tags on a Role) that are managed by separate AWS API operations rather than the parent's CRUD operations.

Problem

Many AWS resources have fields managed by separate API calls. For example, IAM Role has Policies (AttachRolePolicy/DetachRolePolicy), Tags (TagRole/UntagRole), InlinePolicies (PutRolePolicy/DeleteRolePolicy), PermissionsBoundary (PutRolePermissionsBoundary/DeleteRolePermissionsBoundary), and AssumeRolePolicyDocument (UpdateAssumeRolePolicy). Previously, each controller implemented custom Go code to sync these fields, leading to duplicated patterns across controllers.

Solution

The code generator now produces sub-resource manager files automatically from generator.yaml configuration. Each sub-resource gets its own package with sdk.go (generated CRUD operations), delta.go (field comparison), and manager.go (conversion and sync logic).

Configuration

Sub-resources are declared under sub_resources in generator.yaml with a mapper that defines field mappings between parent and sub-resource CRDs:

sub_resources:
  Policies:
    manager:
      read_field_path: "Spec.PolicyARNs"
      mapper:
        - from: "$item"
          to: "Spec.PolicyARN"
        - from: "Spec.Name"
          to: "Spec.RoleName"

Special mapper tokens: $item (list element), $item.Field (struct field access), $key/$value (map entries).

Source Type System

The parent field's shape type is automatically detected and dispatched to type-specific templates:

  • SourceTypeScalar — single value (e.g. PermissionsBoundary)
  • SourceTypeListScalar — list of scalars (e.g. Policies []*string)
  • SourceTypeListStruct — list of structs (e.g. Tags []*Tag)
  • SourceTypeMapScalar — map with scalar values (e.g. InlinePolicies map[string]*string)

Batch Inference

The framework automatically detects when an SDK operation accepts multiple items per call (e.g. TagRole takes Tags []*Tag) by checking if the mapper's $item target is a list field on the sub-resource CRD. When batching is detected, the sync merges all create/update/delete items into a single SDK call instead of N individual calls.

Key Changes

code-generator:

  • ManagerConfig with mapper and read_field_path configuration
  • SourceType enum and SourceTypeInfo with automatic type detection
  • Source-type-specific convertFromParent templates (scalar, list_scalar, list_struct, map_scalar)
  • Common scaffolding in sub_resource_manager.go.tpl (sync, Get, computeDelta, key)
  • Sub-resource hook resolution in ResourceHookCode
  • Batch merge support with BatchFieldPath inference
  • sdk_find_sub_resource_get.go.tpl, sdk_update_sub_resource_sync.go.tpl, sdk_delete_sub_resource_sync.go.tpl updated for unique manager variable names

iam-controller (reference implementation):

  • Role sub-resources: Policies, InlinePolicies, Tags, PermissionsBoundary, AssumeRolePolicyDocument
  • Custom hooks for read-many output mapping and delete payload construction
  • E2E tests for each sub-resource field's CRUD lifecycle

Testing

All 13 sub-resource e2e tests pass alongside the existing IAM controller test suite.
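
The delta-and-batch behaviour described under Batch Inference, as an added example that is not code from this PR or from the ACK code generator. The `Call` type and the `delta` and `plan` functions are hypothetical, the sample data is constructed, and the example assumes that a batched sync sends creates and updates in one call (e.g. TagRole) and deletes in another (e.g. UntagRole):

```go
package main

import (
	"fmt"
	"sort"
)

// Call is a hypothetical record of one planned AWS API call (not an ACK type).
type Call struct {
	Op    string
	Items []string
}

// delta compares desired state (parent spec) with observed state (read from
// AWS), both keyed by item identity, and returns sorted keys to upsert/remove.
func delta(desired, observed map[string]string) (upsert, remove []string) {
	for k, v := range desired {
		if cur, ok := observed[k]; !ok || cur != v {
			upsert = append(upsert, k)
		}
	}
	for k := range observed {
		if _, ok := desired[k]; !ok {
			remove = append(remove, k) // drift: present in AWS, absent from spec
		}
	}
	sort.Strings(upsert)
	sort.Strings(remove)
	return upsert, remove
}

// plan emits one batched call when the SDK input takes a list, else one per item.
func plan(op string, batch bool, items []string) (calls []Call) {
	if batch && len(items) > 0 {
		return []Call{{op, items}}
	}
	for _, it := range items {
		calls = append(calls, Call{op, []string{it}})
	}
	return calls
}

func main() {
	// Constructed sample data: desired tags vs. tags observed on the role.
	want := map[string]string{"env": "prod", "team": "sec"}
	have := map[string]string{"env": "dev", "owner": "alice", "tmp": "1"}
	up, rm := delta(want, have)
	fmt.Println(plan("TagRole", true, up), plan("UntagRole", true, rm))
	fmt.Println(plan("DetachRolePolicy", false, []string{"arn-a", "arn-b"}))
}
```

The removal list is the part that matters for least privilege: anything attached out of band and absent from the spec is scheduled for removal on the next sync.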

@ack-prow ack-prow bot requested review from a-hilaly and knottnt April 10, 2026 21:39
@ack-prow

ack-prow bot commented Apr 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gustavodiaz7722
Once this PR has been reviewed and has the lgtm label, please assign jlbutler for approval by writing /assign @jlbutler in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
