Add resource-based permissions support for Lambda aliases (#161)

this commit adds support for managing Lambda resource based permissions directly
on aliases. Now users can declaratively define, update, and remove permissions
for Lambda functions accessed through aliases.

The implementation leverages the AWS::Lambda `AddPermission` and `RemovePermission`
APIs to synchronize the desired permissions state defined in the CRD with the
actual alias permisions in AWS.

Example alias:
```yaml
apiVersion: lambda.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: alias1
spec:
  name: alias1
  functionName: test-function-w-ack
  functionVersion: $LATEST
  description: some alias
  permissions:
    - statementID: "1"
      action: lambda:InvokeFunction
      principal: s3.amazonaws.com
      sourceARN: arn:aws:s3:::mybucket
    - statementID: "2"
      action: lambda:InvokeFunction
      principal: s3.amazonaws.com
      sourceARN: arn:aws:s3:::mybucket2
    - statementID: "3"
      action: lambda:InvokeFunction
      principal: s3.amazonaws.com
      sourceARN: arn:aws:s3:::mybucket3
    - statementID: "4"
      action: lambda:InvokeFunction
      principal: s3.amazonaws.com
      sourceARN: arn:aws:s3:::mybucket4
```

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: a-hilaly

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2025-02-20T18:13:42Z"
-  build_hash: a326346bd3a6973254d247c9ab2dc76790c36241
+  build_date: "2025-03-25T01:59:31Z"
+  build_hash: 3722729cebe6d3c03c7e442655ef0846f91566a2
   go_version: go1.24.0
-  version: v0.43.2
-api_directory_checksum: 086df7708184fcedddb2910d4980cdff3bf9de8f
+  version: v0.43.2-7-g3722729
+api_directory_checksum: b37edb8bba9d3847d4bdf1e842b7a597821c8c37
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
-  file_checksum: 7e92f95044b114e8b39e4b28ea82afbdc992a3cb
+  file_checksum: 3dbfbaabdb68f05226834184bacb6be1028ba38d
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/alias.go

@@ -27,6 +27,8 @@ ignore:
   - PublishVersionOutput.LoggingConfig
   - PublishVersionOutput.RuntimeVersionConfig
   - VpcConfig.Ipv6AllowedForDualStack
+  - AddPermissionInput.FunctionName # We grab this from the Alias resource
+  - AddPermissionInput.Qualifier # We grab this from the Alias resource   
 operations:
   GetFunction:
     output_wrapper_field_path: Configuration
@@ -161,7 +163,14 @@ resources:
         from:
           operation: PutProvisionedConcurrencyConfig
           path: .
+      Permissions:
+        custom_field:
+          list_of: AddPermissionInput
+        compare:
+          is_ignored: true
     hooks:
+      delta_pre_compare:
+        code: customPreCompare(delta, a, b)
       sdk_update_pre_build_request:
         template_path: hooks/alias/sdk_update_pre_build_request.go.tpl
       sdk_read_one_post_set_output:

apis/v1alpha1/generator.yaml

@@ -132,6 +132,31 @@ spec:
               name:
                 description: The name of the alias.
                 type: string
+              permissions:
+                description: Permissions configures a set of Lambda permissions to
+                  grant to an alias.
+                items:
+                  properties:
+                    action:
+                      type: string
+                    eventSourceToken:
+                      type: string
+                    functionURLAuthType:
+                      type: string
+                    principal:
+                      type: string
+                    principalOrgID:
+                      type: string
+                    revisionID:
+                      type: string
+                    sourceARN:
+                      type: string
+                    sourceAccount:
+                      type: string
+                    statementID:
+                      type: string
+                  type: object
+                type: array
               provisionedConcurrencyConfig:
                 description: |-
                   Configures provisioned concurrency to a function's alias

apis/v1alpha1/types.go

@@ -21,6 +21,8 @@ resources:
               The maximum number of times to retry when the function returns an error.
   Alias:
     fields:
+      Permissions:
+        prepend: Permissions configures a set of Lambda permissions to grant to an alias.
       FunctionEventInvokeConfig:
         prepend: |
           Configures options for asynchronous invocation on an alias.

apis/v1alpha1/zz_generated.deepcopy.go

@@ -27,6 +27,8 @@ ignore:
   - PublishVersionOutput.LoggingConfig
   - PublishVersionOutput.RuntimeVersionConfig
   - VpcConfig.Ipv6AllowedForDualStack
+  - AddPermissionInput.FunctionName # We grab this from the Alias resource
+  - AddPermissionInput.Qualifier # We grab this from the Alias resource   
 operations:
   GetFunction:
     output_wrapper_field_path: Configuration
@@ -161,7 +163,14 @@ resources:
         from:
           operation: PutProvisionedConcurrencyConfig
           path: .
+      Permissions:
+        custom_field:
+          list_of: AddPermissionInput
+        compare:
+          is_ignored: true
     hooks:
+      delta_pre_compare:
+        code: customPreCompare(delta, a, b)
       sdk_update_pre_build_request:
         template_path: hooks/alias/sdk_update_pre_build_request.go.tpl
       sdk_read_one_post_set_output:

config/crd/bases/lambda.services.k8s.aws_aliases.yaml

@@ -17,6 +17,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.69.8
 	github.com/aws/smithy-go v1.22.2
 	github.com/go-logr/logr v1.4.2
+	github.com/micahhausler/aws-iam-policy v0.4.2
 	github.com/spf13/pflag v1.0.5
 	k8s.io/api v0.31.0
 	k8s.io/apimachinery v0.31.0

documentation.yaml

@@ -126,6 +126,8 @@ github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/micahhausler/aws-iam-policy v0.4.2 h1:HF7bERLnpqEmffV9/wTT4jZ7TbSNVk0JbpXo1Cj3up0=
+github.com/micahhausler/aws-iam-policy v0.4.2/go.mod h1:Ojgst9ZFn+VEEJpqtuw/LxVGqEf2+hwWBlkYWvF/XWM=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

generator.yaml

@@ -132,6 +132,31 @@ spec:
               name:
                 description: The name of the alias.
                 type: string
+              permissions:
+                description: Permissions configures a set of Lambda permissions to
+                  grant to an alias.
+                items:
+                  properties:
+                    action:
+                      type: string
+                    eventSourceToken:
+                      type: string
+                    functionURLAuthType:
+                      type: string
+                    principal:
+                      type: string
+                    principalOrgID:
+                      type: string
+                    revisionID:
+                      type: string
+                    sourceARN:
+                      type: string
+                    sourceAccount:
+                      type: string
+                    statementID:
+                      type: string
+                  type: object
+                type: array
               provisionedConcurrencyConfig:
                 description: |-
                   Configures provisioned concurrency to a function's alias