From f116109cbf6eecd8ea3ee96970108257d2f0e247 Mon Sep 17 00:00:00 2001
From: michaelhtm <98621731+michaelhtm@users.noreply.github.com>
Date: Thu, 11 Dec 2025 14:37:09 -0800
Subject: [PATCH] chore: allow PIA adoption by clusterName, namespace, and ServiceAccount With these changes, we allow users to use ClusterName, Namespace, and ServiceAccount to adopt a PodIdentityAssociation resource when using `adopt-or-create`
---
 apis/v1alpha1/ack-generate-metadata.yaml | 8 ++--
 apis/v1alpha1/generator.yaml | 2 +
 generator.yaml | 2 +
 .../pod_identity_association/hooks.go | 40 ++++++++++++++++++-
 pkg/resource/pod_identity_association/sdk.go | 6 +++
 .../sdk_read_one_pre_build_request.go.tpl | 6 +++
 6 files changed, 59 insertions(+), 5 deletions(-)
 create mode 100644 templates/hooks/pod_identity_association/sdk_read_one_pre_build_request.go.tpl
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
index 9435779a..301d6398 100755
--- a/apis/v1alpha1/ack-generate-metadata.yaml
+++ b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
 ack_generate_info:
- build_date: "2025-12-04T22:22:03Z"
- build_hash: 87b3ccf81d5171062be0fbf0d803787bb5de414e
+ build_date: "2025-12-11T22:27:42Z"
+ build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a
 go_version: go1.25.4
- version: v0.56.0-3-g87b3ccf
+ version: v0.56.0-3-g5c8b905
 api_directory_checksum: df9ec56e987fdc93ed2e7f55c55cf0bc3372b109
 api_version: v1alpha1
 aws_sdk_go_version: v1.40.1
 generator_config_info:
- file_checksum: 09e8ab62fa9bc1628dd6077670e7a1d1e8214b56
+ file_checksum: 6d7da86eb8e7c7421bc826b2d2d4bda6dfede164
 original_file_name: generator.yaml
 last_modification:
 reason: API generation
diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml
index 61812468..c86529e6 100644
--- a/apis/v1alpha1/generator.yaml
+++ b/apis/v1alpha1/generator.yaml
@@ -445,6 +445,8 @@ resources:
 template_path: hooks/pod_identity_association/sdk_update_post_build_request.go.tpl
 sdk_read_one_post_set_output:
 template_path: hooks/pod_identity_association/sdk_read_one_post_set_output.go.tpl
+ sdk_read_one_pre_build_request:
+ template_path: hooks/pod_identity_association/sdk_read_one_pre_build_request.go.tpl
 sdk_create_post_set_output:
 template_path: hooks/pod_identity_association/sdk_create_post_set_output.go.tpl
 fields:
diff --git a/generator.yaml b/generator.yaml
index 61812468..c86529e6 100644
--- a/generator.yaml
+++ b/generator.yaml
@@ -445,6 +445,8 @@ resources:
 template_path: hooks/pod_identity_association/sdk_update_post_build_request.go.tpl
 sdk_read_one_post_set_output:
 template_path: hooks/pod_identity_association/sdk_read_one_post_set_output.go.tpl
+ sdk_read_one_pre_build_request:
+ template_path: hooks/pod_identity_association/sdk_read_one_pre_build_request.go.tpl
 sdk_create_post_set_output:
 template_path: hooks/pod_identity_association/sdk_create_post_set_output.go.tpl
 fields:
diff --git a/pkg/resource/pod_identity_association/hooks.go b/pkg/resource/pod_identity_association/hooks.go
index 878babb6..3c4a0319 100644
--- a/pkg/resource/pod_identity_association/hooks.go
+++ b/pkg/resource/pod_identity_association/hooks.go
@@ -13,6 +13,44 @@ package pod_identity_association
-import "github.com/aws-controllers-k8s/eks-controller/pkg/tags"
+import (
+ "context"
+
+ "github.com/aws-controllers-k8s/eks-controller/pkg/tags"
+ ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
+ svcsdk "github.com/aws/aws-sdk-go-v2/service/eks"
+)
 var syncTags = tags.SyncTags
+
+func (rm *resourceManager) getAssociationID(ctx context.Context, r *resource) (id *string, err error) {
+ rlog := ackrtlog.FromContext(ctx)
+ exit := rlog.Trace("rm.getSecretID")
+ defer func() {
+ exit(err)
+ }()
+
+ // ClusterName is a required field for ListPodIdentityAssociations operation
+ // we treat an undefined ClusterName as not found.
+ if r.ko.Spec.ClusterName == nil {
+ return nil, nil
+ }
+
+ resp, err := rm.sdkapi.ListPodIdentityAssociations(ctx, &svcsdk.ListPodIdentityAssociationsInput{
+ ClusterName: r.ko.Spec.ClusterName,
+ Namespace: r.ko.Spec.Namespace,
+ ServiceAccount: r.ko.Spec.ServiceAccount,
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ // if more than one are returned, we don't want to manage them
+ // and treat it as not found
+ if len(resp.Associations) != 1 {
+ return nil, nil
+ }
+
+ return resp.Associations[0].AssociationId, nil
+
+}
diff --git a/pkg/resource/pod_identity_association/sdk.go b/pkg/resource/pod_identity_association/sdk.go
index b8ec3962..0533bf46 100644
--- a/pkg/resource/pod_identity_association/sdk.go
+++ b/pkg/resource/pod_identity_association/sdk.go
@@ -62,6 +62,12 @@ func (rm *resourceManager) sdkFind(
 defer func() {
 exit(err)
 }()
+ if r.ko.Status.AssociationID == nil {
+ r.ko.Status.AssociationID, err = rm.getAssociationID(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ }
 // If any required fields in the input shape are missing, AWS resource is
 // not created yet. Return NotFound here to indicate to callers that the
 // resource isn't yet created.
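Review bot: In `getAssociationID` (hooks.go) only `ClusterName` is nil-checked before the list call, while `Namespace` and `ServiceAccount` are optional filters on `ListPodIdentityAssociationsInput`; if either can reach this point unset, the query widens to the whole cluster and a cluster holding exactly one association would have that one picked up as this resource's ID. Because an association binds an IAM role to a service account, I would return not-found unless all three are set: `if r.ko.Spec.ClusterName == nil || r.ko.Spec.Namespace == nil || r.ko.Spec.ServiceAccount == nil { return nil, nil }`. The trace label looks copied from another resource and should read `exit := rlog.Trace("rm.getAssociationID")`. The comment above the length check names only the more-than-one case although `!= 1` also covers an empty result, and the function has no doc comment saying that `nil, nil` means not found.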
diff --git a/templates/hooks/pod_identity_association/sdk_read_one_pre_build_request.go.tpl b/templates/hooks/pod_identity_association/sdk_read_one_pre_build_request.go.tpl
new file mode 100644
index 00000000..7daf417c
--- /dev/null
+++ b/templates/hooks/pod_identity_association/sdk_read_one_pre_build_request.go.tpl
@@ -0,0 +1,6 @@
+ if r.ko.Status.AssociationID == nil {
+ r.ko.Status.AssociationID, err = rm.getAssociationID(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ }
\ No newline at end of file
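Review bot: This hook runs the name-based lookup on every `sdkFind` call where `Status.AssociationID` is nil, not only when the resource carries the `adopt-or-create` policy the description mentions, and nothing visible in this template or in the generated sdk.go hunk checks the adoption policy. Whether a plain create can then take an existing association with the same cluster, namespace and service account under management depends on runtime behaviour outside this patch, so that is worth confirming and stating here. I would add a comment above the block such as `// Resolve the ID from ClusterName/Namespace/ServiceAccount so an existing association can be found; runs whenever Status.AssociationID is unset.` The block also writes the result into `r.ko.Status` of the object passed in, which the comment could mention.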