aws-controllers-k8s · naclonts · Dec 10, 2025 · Dec 10, 2025 · Dec 11, 2025 · knottnt
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2025-11-29T03:25:13Z"
-  build_hash: 23c7074fa310ad1ccb38946775397c203b49f024
-  go_version: go1.25.4
-  version: v0.56.0
-api_directory_checksum: fcb205ac280ed1b0f107a291e5ea43d93c0991e9
+  build_date: "2025-12-11T00:17:14Z"
+  build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a
+  go_version: go1.24.0
+  version: v0.56.0-3-g5c8b905
+api_directory_checksum: 1395aec536d8707909426eb19b38cb474d815578
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
-  file_checksum: ceef3af34f41f300f4d827886f35d272f50cb38c
+  file_checksum: f92b9883a39e21b7e7b2e2e6bfa5d180542e8303
   original_file_name: generator.yaml
 last_modification:
   reason: API generation
diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml
@@ -64,6 +64,14 @@ resources:
         references:
           resource: Policy
           path: Status.ACKResourceMetadata.ARN
+      # In order to support adding zero or more users to a group, we use
+      # custom update code that calls the AddUserToGroup and RemoveUserFromGroup
+      # APIs to manage the set of users in this Group.
+      Users:
+        type: "[]*string"
+        references:
+          resource: User
+          path: Spec.Name
       # These are policy documents that are added to the Group using the
       # Put/DeleteGroupPolicy APIs, as compared to the Attach/DetachGroupPolicy
       # APIs that are for non-inline managed policies.
@@ -136,9 +144,9 @@ resources:
       sdk_delete_pre_build_request:
         template_path: hooks/policy/sdk_delete_pre_build_request.go.tpl
     update_operation:
-      # There is no `UpdatePolicy` API operation. The only way to update a 
+      # There is no `UpdatePolicy` API operation. The only way to update a
       # policy is to update the properties individually (only a few properties
-      # support this) or to delete the policy and recreate it entirely. 
+      # support this) or to delete the policy and recreate it entirely.
       #
       # This custom method will support updating the properties individually,
       # but there is currently no support for the delete/create option.

diff --git a/apis/v1alpha1/group.go b/apis/v1alpha1/group.go
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
@@ -6,4 +6,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: public.ecr.aws/aws-controllers-k8s/iam-controller
-  newTag: 1.6.0
+  newTag: 0.0.0-non-release-version
diff --git a/config/crd/bases/iam.services.k8s.aws_groups.yaml b/config/crd/bases/iam.services.k8s.aws_groups.yaml
@@ -105,6 +105,29 @@ spec:
                       type: object
                   type: object
                 type: array
+              userRefs:
+                items:
+                  description: "AWSResourceReferenceWrapper provides a wrapper around
+                    *AWSResourceReference\ntype to provide more user friendly syntax
+                    for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t
+                    \ name: my-api"
+                  properties:
+                    from:
+                      description: |-
+                        AWSResourceReference provides all the values necessary to reference another
+                        k8s resource for finding the identifier(Id/ARN/Name)
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                  type: object
+                type: array
+              users:
+                items:
+                  type: string
+                type: array
             required:
             - name
             type: object

diff --git a/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml b/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml
@@ -63,6 +63,16 @@ spec:
                 required:
                 - names
                 type: object
+              resourceLabelSelector:
+                description: LabelSelector is a label query over a set of resources.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                required:
+                - matchLabels
+                type: object
               resourceTypeSelector:
                 items:
                   properties:

diff --git a/config/crd/common/kustomization.yaml b/config/crd/common/kustomization.yaml
@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - bases/services.k8s.aws_iamroleselectors.yaml
   - bases/services.k8s.aws_fieldexports.yaml
+  - bases/services.k8s.aws_iamroleselectors.yaml
diff --git a/generator.yaml b/generator.yaml
@@ -64,6 +64,14 @@ resources:
         references:
           resource: Policy
           path: Status.ACKResourceMetadata.ARN
+      # In order to support adding zero or more users to a group, we use
+      # custom update code that calls the AddUserToGroup and RemoveUserFromGroup
+      # APIs to manage the set of users in this Group.
+      Users:
+        type: "[]*string"
+        references:
+          resource: User
+          path: Spec.Name
       # These are policy documents that are added to the Group using the
       # Put/DeleteGroupPolicy APIs, as compared to the Attach/DetachGroupPolicy
       # APIs that are for non-inline managed policies.
@@ -136,9 +144,9 @@ resources:
       sdk_delete_pre_build_request:
         template_path: hooks/policy/sdk_delete_pre_build_request.go.tpl
     update_operation:
-      # There is no `UpdatePolicy` API operation. The only way to update a 
+      # There is no `UpdatePolicy` API operation. The only way to update a
       # policy is to update the properties individually (only a few properties
-      # support this) or to delete the policy and recreate it entirely. 
+      # support this) or to delete the policy and recreate it entirely.
       #
       # This custom method will support updating the properties individually,
       # but there is currently no support for the delete/create option.

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: iam-chart
 description: A Helm chart for the ACK service controller for AWS Identity & Access Management (IAM)
-version: 1.6.0
-appVersion: 1.6.0
+version: 0.0.0-non-release-version
+appVersion: 0.0.0-non-release-version
 home: https://github.com/aws-controllers-k8s/iam-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:

diff --git a/helm/crds/iam.services.k8s.aws_groups.yaml b/helm/crds/iam.services.k8s.aws_groups.yaml
@@ -105,6 +105,29 @@ spec:
                       type: object
                   type: object
                 type: array
+              userRefs:
+                items:
+                  description: "AWSResourceReferenceWrapper provides a wrapper around
+                    *AWSResourceReference\ntype to provide more user friendly syntax
+                    for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t
+                    \ name: my-api"
+                  properties:
+                    from:
+                      description: |-
+                        AWSResourceReference provides all the values necessary to reference another
+                        k8s resource for finding the identifier(Id/ARN/Name)
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                  type: object
+                type: array
+              users:
+                items:
+                  type: string
+                type: array
             required:
             - name
             type: object

diff --git a/helm/crds/services.k8s.aws_iamroleselectors.yaml b/helm/crds/services.k8s.aws_iamroleselectors.yaml
@@ -63,6 +63,16 @@ spec:
                 required:
                 - names
                 type: object
+              resourceLabelSelector:
+                description: LabelSelector is a label query over a set of resources.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                required:
+                - matchLabels
+                type: object
               resourceTypeSelector:
                 items:
                   properties:

diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
@@ -1,5 +1,5 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:1.6.0".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:0.0.0-non-release-version".
 
 Check its status by running:
   kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"

diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -51,6 +51,13 @@ spec:
         - "$(AWS_REGION)"
         - --aws-endpoint-url
         - "$(AWS_ENDPOINT_URL)"
+{{- if .Values.aws.identity_endpoint_url }}
+        - --aws-identity-endpoint-url
+        - "$(AWS_IDENTITY_ENDPOINT_URL)"
+{{- end }}
+{{- if .Values.aws.allow_unsafe_aws_endpoint_urls }}
+        - --allow-unsafe-aws-endpoint-urls
+{{- end }}
 {{- if .Values.log.enable_development_logging }}
         - --enable-development-logging
 {{- end }}
@@ -109,6 +116,8 @@ spec:
           value: {{ .Values.aws.region }}
         - name: AWS_ENDPOINT_URL
           value: {{ .Values.aws.endpoint_url | quote }}
+        - name: AWS_IDENTITY_ENDPOINT_URL
+          value: {{ .Values.aws.identity_endpoint_url | quote }}
         - name: ACK_WATCH_NAMESPACE
           value: {{ include "ack-iam-controller.watch-namespace" . }}
         - name: ACK_WATCH_SELECTORS

diff --git a/helm/values.schema.json b/helm/values.schema.json
@@ -171,9 +171,16 @@
         "region": {
           "type": "string"
         },
-        "endpoint": {
+        "endpoint_url": {
           "type": "string"
         },
+        "identity_endpoint_url": {
+          "type": "string"
+        },
+        "allow_unsafe_aws_endpoint_urls": {
+          "type": "boolean",
+          "default": false
+        },
         "credentials": {
           "description": "AWS credentials information",
           "properties": {

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -4,7 +4,7 @@
 
 image:
   repository: public.ecr.aws/aws-controllers-k8s/iam-controller
-  tag: 1.6.0
+  tag: 0.0.0-non-release-version
   pullPolicy: IfNotPresent
   pullSecrets: []
 
@@ -90,6 +90,8 @@ aws:
   # If specified, use the AWS region for AWS API calls
   region: ""
   endpoint_url: ""
+  identity_endpoint_url: ""
+  allow_unsafe_aws_endpoint_urls: false
   credentials:
     # If specified, Secret with shared credentials file to use.
     secretName: ""

diff --git a/pkg/resource/group/delta.go b/pkg/resource/group/delta.go