feat(health): add iammanager.keikoproj.io/Iamrole health check (#15899)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

resource_customizations/iammanager.keikoproj.io/Iamrole/health.lua

@@ -0,0 +1,33 @@
+local hs = {}
+if obj.status ~= nil then
+  -- Each message may or may not use these.
+  local roleName = obj.status.roleName or "<none>"
+  local roleARN = obj.status.roleARN or "<none>"
+  local roleID = obj.status.roleID or "<none>"
+
+  if obj.status.state == "Ready" then
+    hs.status = "Healthy"
+    hs.message = "Role '" .. roleName .. "' exists with ARN '" .. roleARN .. "' and ID '" .. roleID .. "'."
+    return hs
+  end
+
+  local message = ""
+  -- Current non-ready statuses: https://github.com/keikoproj/iam-manager/blob/3aeb2f8ec3005e1c53a057b3b0f79e14a0e5b9cb/api/v1alpha1/iamrole_types.go#L150-L156
+  if obj.status.state == "Error" or obj.status.state == "RolesMaxLimitReached" or obj.status.state == "PolicyNotAllowed" or obj.status.state == "RoleNameNotAvailable" then
+    hs.status = "Degraded"
+    message = "Failed to reconcile the Iamrole "
+    if obj.status.retryCount ~= nil and obj.status.retryCount > 0 then
+      message = message .. "(retry " .. tostring(obj.status.retryCount) .. ") "
+    end
+    message = message .. "for role '" .. roleName .. "' with ARN '" .. roleARN .. "' and ID '" .. roleID .. "'."
+    if obj.status.errorDescription ~= nil then
+      message = message .. " Reconciliation error was: " .. obj.status.errorDescription
+    end
+    hs.message = message
+    return hs
+  end
+end
+
+hs.status = "Progressing"
+hs.message = "Waiting for Iamrole to be reconciled"
+return hs

resource_customizations/iammanager.keikoproj.io/Iamrole/health_test.yaml

@@ -0,0 +1,20 @@
+tests:
+- healthStatus:
+    status: Degraded
+    message: |-
+      Failed to reconcile the Iamrole (retry 1) for role 'k8s-test' with ARN 'arn:aws:iam::111111111111:role/k8s-test' and ID 'ABCDEFGHIJKLMNOPQRSTU'. Reconciliation error was: NoSuchEntity: The role with name k8s-test cannot be found.
+      	status code: 404, request id: f80c99fc-c78d-4b1c-806d-3a162fbbc900
+  inputPath: testdata/degraded_error.yaml
+- healthStatus:
+    status: Degraded
+    message: |-
+      Failed to reconcile the Iamrole for role 'k8s-test' with ARN '<none>' and ID '<none>'. Reconciliation error was: maximum number of allowed roles reached. You must delete any existing role before proceeding further
+  inputPath: testdata/degraded_rolesMaxLimitReached.yaml
+- healthStatus:
+    status: Healthy
+    message: Role 'k8s-test' exists with ARN 'arn:aws:iam::111111111111:role/k8s-test' and ID 'ABCDEFGHIJKLMNOPQRSTU'.
+  inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Progressing
+    message: 'Waiting for Iamrole to be reconciled'
+  inputPath: testdata/progressing_noStatus.yaml

resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_error.yaml

@@ -0,0 +1,29 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+  finalizers:
+    - iamrole.finalizers.iammanager.keikoproj.io
+  name: iamrole
+  namespace: test
+spec:
+  PolicyDocument:
+    Statement:
+      - Action:
+          - ec2:*
+        Effect: Deny
+        Resource:
+          - '*'
+      - Action:
+          - iam:*
+        Effect: Deny
+        Resource:
+          - '*'
+status:
+  errorDescription: "NoSuchEntity: The role with name k8s-test cannot
+    be found.\n\tstatus code: 404, request id: f80c99fc-c78d-4b1c-806d-3a162fbbc900"
+  lastUpdatedTimestamp: "2023-10-10T19:31:06Z"
+  retryCount: 1
+  roleARN: arn:aws:iam::111111111111:role/k8s-test
+  roleID: ABCDEFGHIJKLMNOPQRSTU
+  roleName: k8s-test
+  state: Error

resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_rolesMaxLimitReached.yaml

@@ -0,0 +1,26 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+  finalizers:
+    - iamrole.finalizers.iammanager.keikoproj.io
+  name: iamrole
+  namespace: test
+spec:
+  PolicyDocument:
+    Statement:
+      - Action:
+          - ec2:*
+        Effect: Deny
+        Resource:
+          - '*'
+      - Action:
+          - iam:*
+        Effect: Deny
+        Resource:
+          - '*'
+status:
+  errorDescription: maximum number of allowed roles reached. You must delete any existing role before proceeding further
+  lastUpdatedTimestamp: "2023-10-10T19:25:26Z"
+  retryCount: 0
+  roleName: k8s-test
+  state: RolesMaxLimitReached

resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/healthy.yaml

@@ -0,0 +1,27 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+  finalizers:
+    - iamrole.finalizers.iammanager.keikoproj.io
+  name: iamrole
+  namespace: default
+spec:
+  PolicyDocument:
+    Statement:
+      - Action:
+          - 'ec2:*'
+        Effect: Deny
+        Resource:
+          - '*'
+      - Action:
+          - 'iam:*'
+        Effect: Deny
+        Resource:
+          - '*'
+status:
+  lastUpdatedTimestamp: '2023-10-10T20:36:23Z'
+  retryCount: 0
+  roleARN: 'arn:aws:iam::111111111111:role/k8s-test'
+  roleID: ABCDEFGHIJKLMNOPQRSTU
+  roleName: k8s-test
+  state: Ready

resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/progressing_noStatus.yaml

@@ -0,0 +1,20 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+  finalizers:
+    - iamrole.finalizers.iammanager.keikoproj.io
+  name: iamrole
+  namespace: default
+spec:
+  PolicyDocument:
+    Statement:
+      - Action:
+          - 'ec2:*'
+        Effect: Deny
+        Resource:
+          - '*'
+      - Action:
+          - 'iam:*'
+        Effect: Deny
+        Resource:
+          - '*'