From 7e9340431ad756dfefe0eb8353f36ff76e5a8cfa Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 9 Dec 2024 17:28:11 +0000 Subject: [PATCH] Update to ACK runtime `v0.40.0`, code-generator `v0.40.0` --- apis/v1alpha1/ack-generate-metadata.yaml | 8 ++++---- config/controller/deployment.yaml | 4 ++++ config/controller/kustomization.yaml | 2 +- go.mod | 2 +- go.sum | 4 ++-- helm/Chart.yaml | 4 ++-- helm/templates/NOTES.txt | 2 +- helm/templates/caches-role-binding.yaml | 6 +++--- helm/values.yaml | 6 ++++-- pkg/resource/group/descriptor.go | 10 +++++----- pkg/resource/group/resource.go | 11 +++++++++++ pkg/resource/instance_profile/descriptor.go | 10 +++++----- pkg/resource/instance_profile/resource.go | 11 +++++++++++ .../open_id_connect_provider/descriptor.go | 10 +++++----- .../open_id_connect_provider/resource.go | 16 ++++++++++++++++ pkg/resource/policy/descriptor.go | 10 +++++----- pkg/resource/policy/resource.go | 16 ++++++++++++++++ pkg/resource/role/descriptor.go | 10 +++++----- pkg/resource/role/resource.go | 11 +++++++++++ pkg/resource/user/descriptor.go | 10 +++++----- pkg/resource/user/resource.go | 11 +++++++++++ 21 files changed, 128 insertions(+), 46 deletions(-) diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index 79a6a45..76b9334 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,8 +1,8 @@ ack_generate_info: - build_date: "2024-10-10T04:09:12Z" - build_hash: 36c2d234498c2bc4f60773ab8df632af4067f43b - go_version: go1.23.2 - version: v0.39.1 + build_date: "2024-12-09T17:27:50Z" + build_hash: 631aeb190e332addb8379672df6367a0875dce88 + go_version: go1.23.3 + version: v0.40.0 api_directory_checksum: 761a2c708651b0273bf39d98dddaf029de23d337 api_version: v1alpha1 aws_sdk_go_version: v1.49.0 diff --git a/config/controller/deployment.yaml b/config/controller/deployment.yaml index e518f04..f571c49 100644 --- a/config/controller/deployment.yaml 
+++ b/config/controller/deployment.yaml @@ -41,6 +41,8 @@ spec: - "$(LEADER_ELECTION_NAMESPACE)" - --reconcile-default-max-concurrent-syncs - "$(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS)" + - --feature-gates + - "$(FEATURE_GATES)" image: controller:latest name: controller ports: @@ -76,6 +78,8 @@ spec: value: "ack-system" - name: "RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS" value: "1" + - name: "FEATURE_GATES" + value: "" securityContext: allowPrivilegeEscalation: false privileged: false diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index b22900c..9819d01 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/iam-controller - newTag: 1.3.13 + newTag: 1.3.14 diff --git a/go.mod b/go.mod index 84a1ec0..f517e8d 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22.0 toolchain go1.22.5 require ( - github.com/aws-controllers-k8s/runtime v0.39.0 + github.com/aws-controllers-k8s/runtime v0.40.0 github.com/aws/aws-sdk-go v1.49.0 github.com/go-logr/logr v1.4.2 github.com/micahhausler/aws-iam-policy v0.4.2 diff --git a/go.sum b/go.sum index f05ec07..977fd85 100644 --- a/go.sum +++ b/go.sum 
@@ -1,7 +1,7 @@ github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53 h1:2uNM0nR2WUDN88EYFxjEaroH+PZJ6k/h9kl+KO0dWVc= github.com/a-hilaly/aws-iam-policy v0.0.0-20231121054900-2c56e839ca53/go.mod h1:Ojgst9ZFn+VEEJpqtuw/LxVGqEf2+hwWBlkYWvF/XWM= -github.com/aws-controllers-k8s/runtime v0.39.0 h1:IgOXluSzvb4UcDr9eU7SPw5MJnL7kt5R6DuF5Qu9zVQ= -github.com/aws-controllers-k8s/runtime v0.39.0/go.mod h1:G07g26y1cxyZO6Ngp+LwXf03CqFyLNL7os4Py4IdyGY= +github.com/aws-controllers-k8s/runtime v0.40.0 h1:FplFYgzCIbQsPafarP3dy/4bG1uGR8G1OLYOWO4a7Lc= +github.com/aws-controllers-k8s/runtime v0.40.0/go.mod h1:G07g26y1cxyZO6Ngp+LwXf03CqFyLNL7os4Py4IdyGY= github.com/aws/aws-sdk-go v1.49.0 h1:g9BkW1fo9GqKfwg2+zCD+TW/D36Ux+vtfJ8guF4AYmY= github.com/aws/aws-sdk-go v1.49.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 041245c..0b2b121 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: iam-chart description: A Helm chart for the ACK service controller for AWS Identity & Access Management (IAM) -version: 1.3.13 -appVersion: 1.3.13 +version: 1.3.14 +appVersion: 1.3.14 home: https://github.com/aws-controllers-k8s/iam-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index c8444c5..d66f3d0 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:1.3.13". +This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:1.3.14". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" 
diff --git a/helm/templates/caches-role-binding.yaml b/helm/templates/caches-role-binding.yaml index fdff62f..a047f3f 100644 --- a/helm/templates/caches-role-binding.yaml +++ b/helm/templates/caches-role-binding.yaml @@ -8,7 +8,7 @@ roleRef: name: ack-namespaces-cache-iam-controller subjects: - kind: ServiceAccount - name: ack-iam-controller + name: {{ include "ack-iam-controller.service-account.name" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -22,5 +22,5 @@ roleRef: name: ack-configmaps-cache-iam-controller subjects: - kind: ServiceAccount - name: ack-iam-controller - namespace: {{ .Release.Namespace }} \ No newline at end of file + name: {{ include "ack-iam-controller.service-account.name" . }} + namespace: {{ .Release.Namespace }} diff --git a/helm/values.yaml b/helm/values.yaml index 7bfacbb..03b7c42 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/iam-controller - tag: 1.3.13 + tag: 1.3.14 pullPolicy: IfNotPresent pullSecrets: [] @@ -163,4 +163,6 @@ featureGates: # Enables the Team level granularity for CARM. See https://github.com/aws-controllers-k8s/community/issues/2031 TeamLevelCARM: false # Enable ReadOnlyResources feature/annotation. - ReadOnlyResources: false \ No newline at end of file + ReadOnlyResources: false + # Enable ResourceAdoption feature/annotation. + ResourceAdoption: false \ No newline at end of file diff --git a/pkg/resource/group/descriptor.go b/pkg/resource/group/descriptor.go index 9688bd3..3a00742 100644 --- a/pkg/resource/group/descriptor.go +++ b/pkg/resource/group/descriptor.go @@ -28,7 +28,7 @@ import ( ) const ( - finalizerString = "finalizers.iam.services.k8s.aws/Group" + FinalizerString = "finalizers.iam.services.k8s.aws/Group" ) var ( 
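Review bot: The new `ResourceAdoption` gate in helm/values.yaml is documented only as "Enable ResourceAdoption feature/annotation.", which does not tell an operator what turning it on permits. Judging by the `PopulateResourceFromAnnotation` methods added elsewhere in this commit, the gate appears to let an annotation on a custom resource name an existing IAM group, role, user, policy or OIDC provider for the controller to take over. For an IAM controller the comment should say who ought to be allowed to create or annotate these resources, for example `# Enable ResourceAdoption feature/annotation. When true, annotated resources can adopt existing IAM objects; restrict create/update on these CRs accordingly.`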
@@ -88,8 +88,8 @@ func (d *resourceDescriptor) IsManaged( // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is // fixed. This should be able to be: // - // return k8sctrlutil.ContainsFinalizer(obj, finalizerString) - return containsFinalizer(obj, finalizerString) + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) } // Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 @@ -118,7 +118,7 @@ func (d *resourceDescriptor) MarkManaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.AddFinalizer(obj, finalizerString) + k8sctrlutil.AddFinalizer(obj, FinalizerString) } // MarkUnmanaged removes the supplied resource from management by ACK. What @@ -133,7 +133,7 @@ func (d *resourceDescriptor) MarkUnmanaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.RemoveFinalizer(obj, finalizerString) + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) } // MarkAdopted places descriptors on the custom resource that indicate the diff --git a/pkg/resource/group/resource.go b/pkg/resource/group/resource.go index 7c88620..927bdeb 100644 --- a/pkg/resource/group/resource.go +++ b/pkg/resource/group/resource.go @@ -93,6 +93,17 @@ func (r *resource) SetIdentifiers(identifier *ackv1alpha1.AWSIdentifiers) error return nil } +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["name"] + if !ok { + return ackerrors.MissingNameIdentifier + } + r.ko.Spec.Name = &tmp + + return nil +} + // DeepCopy will return a copy of the resource func (r *resource) DeepCopy() acktypes.AWSResource { koCopy := r.ko.DeepCopy() 
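Review bot: `PopulateResourceFromAnnotation` in pkg/resource/group/resource.go checks only that the `name` key exists, so an annotation with an empty value leaves `Spec.Name` pointing at `""` and the method still returns nil. The guard could be `if !ok || tmp == "" {`, so the caller gets `ackerrors.MissingNameIdentifier` instead of an empty name being carried into whatever reads the spec next. The same body is added in the instance_profile, role and user resource.go hunks. These files look like ACK code-generator output (inferred from the commit title), so the change would belong in the generator template; the doc comment could also state that `fields` comes from a user-supplied annotation.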
diff --git a/pkg/resource/instance_profile/descriptor.go b/pkg/resource/instance_profile/descriptor.go index 96586cd..d139981 100644 --- a/pkg/resource/instance_profile/descriptor.go +++ b/pkg/resource/instance_profile/descriptor.go @@ -28,7 +28,7 @@ import ( ) const ( - finalizerString = "finalizers.iam.services.k8s.aws/InstanceProfile" + FinalizerString = "finalizers.iam.services.k8s.aws/InstanceProfile" ) var ( @@ -88,8 +88,8 @@ func (d *resourceDescriptor) IsManaged( // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is // fixed. This should be able to be: // - // return k8sctrlutil.ContainsFinalizer(obj, finalizerString) - return containsFinalizer(obj, finalizerString) + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) } // Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 @@ -118,7 +118,7 @@ func (d *resourceDescriptor) MarkManaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.AddFinalizer(obj, finalizerString) + k8sctrlutil.AddFinalizer(obj, FinalizerString) } // MarkUnmanaged removes the supplied resource from management by ACK. What @@ -133,7 +133,7 @@ func (d *resourceDescriptor) MarkUnmanaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.RemoveFinalizer(obj, finalizerString) + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) } // MarkAdopted places descriptors on the custom resource that indicate the diff --git a/pkg/resource/instance_profile/resource.go b/pkg/resource/instance_profile/resource.go index 3754bb8..f53a9e4 100644 --- a/pkg/resource/instance_profile/resource.go +++ b/pkg/resource/instance_profile/resource.go 
@@ -93,6 +93,17 @@ func (r *resource) SetIdentifiers(identifier *ackv1alpha1.AWSIdentifiers) error return nil } +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["name"] + if !ok { + return ackerrors.MissingNameIdentifier + } + r.ko.Spec.Name = &tmp + + return nil +} + // DeepCopy will return a copy of the resource func (r *resource) DeepCopy() acktypes.AWSResource { koCopy := r.ko.DeepCopy() diff --git a/pkg/resource/open_id_connect_provider/descriptor.go b/pkg/resource/open_id_connect_provider/descriptor.go index 809d1e5..3c4171c 100644 --- a/pkg/resource/open_id_connect_provider/descriptor.go +++ b/pkg/resource/open_id_connect_provider/descriptor.go @@ -28,7 +28,7 @@ import ( ) const ( - finalizerString = "finalizers.iam.services.k8s.aws/OpenIDConnectProvider" + FinalizerString = "finalizers.iam.services.k8s.aws/OpenIDConnectProvider" ) var ( @@ -88,8 +88,8 @@ func (d *resourceDescriptor) IsManaged( // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is // fixed. This should be able to be: // - // return k8sctrlutil.ContainsFinalizer(obj, finalizerString) - return containsFinalizer(obj, finalizerString) + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) } // Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 @@ -118,7 +118,7 @@ func (d *resourceDescriptor) MarkManaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.AddFinalizer(obj, finalizerString) + k8sctrlutil.AddFinalizer(obj, FinalizerString) } // MarkUnmanaged removes the supplied resource from management by ACK. What 
@@ -133,7 +133,7 @@ func (d *resourceDescriptor) MarkUnmanaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.RemoveFinalizer(obj, finalizerString) + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) } // MarkAdopted places descriptors on the custom resource that indicate the diff --git a/pkg/resource/open_id_connect_provider/resource.go b/pkg/resource/open_id_connect_provider/resource.go index 77d00f6..8d9e1c5 100644 --- a/pkg/resource/open_id_connect_provider/resource.go +++ b/pkg/resource/open_id_connect_provider/resource.go @@ -93,6 +93,22 @@ func (r *resource) SetIdentifiers(identifier *ackv1alpha1.AWSIdentifiers) error return nil } +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["arn"] + if !ok { + return ackerrors.MissingNameIdentifier + } + + if r.ko.Status.ACKResourceMetadata == nil { + r.ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} + } + arn := ackv1alpha1.AWSResourceName(tmp) + r.ko.Status.ACKResourceMetadata.ARN = &arn + + return nil +} + // DeepCopy will return a copy of the resource func (r *resource) DeepCopy() acktypes.AWSResource { koCopy := r.ko.DeepCopy() diff --git a/pkg/resource/policy/descriptor.go b/pkg/resource/policy/descriptor.go index 58788a0..dde2c5c 100644 --- a/pkg/resource/policy/descriptor.go +++ b/pkg/resource/policy/descriptor.go @@ -28,7 +28,7 @@ import ( ) const ( - finalizerString = "finalizers.iam.services.k8s.aws/Policy" + FinalizerString = "finalizers.iam.services.k8s.aws/Policy" ) var ( 
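Review bot: In pkg/resource/open_id_connect_provider/resource.go the new `PopulateResourceFromAnnotation` returns `ackerrors.MissingNameIdentifier` when the `arn` key is absent, which reports the wrong missing field, and the value is then cast to `ackv1alpha1.AWSResourceName` without any check. Since the string comes from an annotation, I would reject an empty value (`if !ok || tmp == "" {`) and return an error that names `arn`. I would also confirm that the value parses as an IAM ARN of the expected resource type before storing it in `Status.ACKResourceMetadata.ARN`. pkg/resource/policy/resource.go adds the identical body. Both files appear to be generator output (inferred from the commit title), so the fix would go into the code-generator template.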
@@ -88,8 +88,8 @@ func (d *resourceDescriptor) IsManaged( // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is // fixed. This should be able to be: // - // return k8sctrlutil.ContainsFinalizer(obj, finalizerString) - return containsFinalizer(obj, finalizerString) + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) } // Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 @@ -118,7 +118,7 @@ func (d *resourceDescriptor) MarkManaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.AddFinalizer(obj, finalizerString) + k8sctrlutil.AddFinalizer(obj, FinalizerString) } // MarkUnmanaged removes the supplied resource from management by ACK. What @@ -133,7 +133,7 @@ func (d *resourceDescriptor) MarkUnmanaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.RemoveFinalizer(obj, finalizerString) + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) } // MarkAdopted places descriptors on the custom resource that indicate the diff --git a/pkg/resource/policy/resource.go b/pkg/resource/policy/resource.go index 9d673f7..ea92706 100644 --- a/pkg/resource/policy/resource.go +++ b/pkg/resource/policy/resource.go 
@@ -93,6 +93,22 @@ func (r *resource) SetIdentifiers(identifier *ackv1alpha1.AWSIdentifiers) error return nil } +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["arn"] + if !ok { + return ackerrors.MissingNameIdentifier + } + + if r.ko.Status.ACKResourceMetadata == nil { + r.ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} + } + arn := ackv1alpha1.AWSResourceName(tmp) + r.ko.Status.ACKResourceMetadata.ARN = &arn + + return nil +} + // DeepCopy will return a copy of the resource func (r *resource) DeepCopy() acktypes.AWSResource { koCopy := r.ko.DeepCopy() diff --git a/pkg/resource/role/descriptor.go b/pkg/resource/role/descriptor.go index 4c56959..8af22ea 100644 --- a/pkg/resource/role/descriptor.go +++ b/pkg/resource/role/descriptor.go @@ -28,7 +28,7 @@ import ( ) const ( - finalizerString = "finalizers.iam.services.k8s.aws/Role" + FinalizerString = "finalizers.iam.services.k8s.aws/Role" ) var ( @@ -88,8 +88,8 @@ func (d *resourceDescriptor) IsManaged( // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is // fixed. This should be able to be: // - // return k8sctrlutil.ContainsFinalizer(obj, finalizerString) - return containsFinalizer(obj, finalizerString) + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) } // Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 @@ -118,7 +118,7 @@ func (d *resourceDescriptor) MarkManaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.AddFinalizer(obj, finalizerString) + k8sctrlutil.AddFinalizer(obj, FinalizerString) } // MarkUnmanaged removes the supplied resource from management by ACK. What 
@@ -133,7 +133,7 @@ func (d *resourceDescriptor) MarkUnmanaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.RemoveFinalizer(obj, finalizerString) + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) } // MarkAdopted places descriptors on the custom resource that indicate the diff --git a/pkg/resource/role/resource.go b/pkg/resource/role/resource.go index 3775b5c..2c02e95 100644 --- a/pkg/resource/role/resource.go +++ b/pkg/resource/role/resource.go @@ -93,6 +93,17 @@ func (r *resource) SetIdentifiers(identifier *ackv1alpha1.AWSIdentifiers) error return nil } +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["name"] + if !ok { + return ackerrors.MissingNameIdentifier + } + r.ko.Spec.Name = &tmp + + return nil +} + // DeepCopy will return a copy of the resource func (r *resource) DeepCopy() acktypes.AWSResource { koCopy := r.ko.DeepCopy() diff --git a/pkg/resource/user/descriptor.go b/pkg/resource/user/descriptor.go index 19c1579..c0910b4 100644 --- a/pkg/resource/user/descriptor.go +++ b/pkg/resource/user/descriptor.go @@ -28,7 +28,7 @@ import ( ) const ( - finalizerString = "finalizers.iam.services.k8s.aws/User" + FinalizerString = "finalizers.iam.services.k8s.aws/User" ) var ( @@ -88,8 +88,8 @@ func (d *resourceDescriptor) IsManaged( // https://github.com/kubernetes-sigs/controller-runtime/issues/994 is // fixed. This should be able to be: // - // return k8sctrlutil.ContainsFinalizer(obj, finalizerString) - return containsFinalizer(obj, finalizerString) + // return k8sctrlutil.ContainsFinalizer(obj, FinalizerString) + return containsFinalizer(obj, FinalizerString) } // Remove once https://github.com/kubernetes-sigs/controller-runtime/issues/994 
@@ -118,7 +118,7 @@ func (d *resourceDescriptor) MarkManaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.AddFinalizer(obj, finalizerString) + k8sctrlutil.AddFinalizer(obj, FinalizerString) } // MarkUnmanaged removes the supplied resource from management by ACK. What @@ -133,7 +133,7 @@ func (d *resourceDescriptor) MarkUnmanaged( // Should not happen. If it does, there is a bug in the code panic("nil RuntimeMetaObject in AWSResource") } - k8sctrlutil.RemoveFinalizer(obj, finalizerString) + k8sctrlutil.RemoveFinalizer(obj, FinalizerString) } // MarkAdopted places descriptors on the custom resource that indicate the diff --git a/pkg/resource/user/resource.go b/pkg/resource/user/resource.go index ee6bc4e..9874d54 100644 --- a/pkg/resource/user/resource.go +++ b/pkg/resource/user/resource.go @@ -93,6 +93,17 @@ func (r *resource) SetIdentifiers(identifier *ackv1alpha1.AWSIdentifiers) error return nil } +// PopulateResourceFromAnnotation populates the fields passed from adoption annotation +func (r *resource) PopulateResourceFromAnnotation(fields map[string]string) error { + tmp, ok := fields["name"] + if !ok { + return ackerrors.MissingNameIdentifier + } + r.ko.Spec.Name = &tmp + + return nil +} + // DeepCopy will return a copy of the resource func (r *resource) DeepCopy() acktypes.AWSResource { koCopy := r.ko.DeepCopy()