Add standalone ResolverRuleAssociation CRD

[Mais316]

The existing inline ResolverRule.Spec.Associations field requires ownership of the ResolverRule CR to manage VPC associations. This does not work for shared rules (e.g. rules shared via AWS RAM or managed by a central platform team) where individual clusters only need to associate an existing rule with their VPC.

This adds a standalone ResolverRuleAssociation CRD that enables fleet-scale adoption: each cluster independently associates a shared rule with its own VPC without needing to manage the rule itself.

AWS API mapping:

• Create: AssociateResolverRule
• Read: GetResolverRuleAssociation
• Delete: DisassociateResolverRule
• Update: N/A (all fields are immutable)

Spec fields:

• resolverRuleID (required, immutable, with ResolverRule reference support)
• vpcID (required, immutable)
• name (optional, immutable)

Status fields:

• id (primary key, AWS-assigned)
• status
• statusMessage

Includes E2E tests for:

• Basic create/delete lifecycle
• Multiple VPCs associated with the same rule

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ack-prow]

Hi @Mais316. Thanks for your PR.

I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Mais316]

@michaelhtm appreciate your kind review when you have time please 🙏

[Mais316]

@michaelhtm gentle reminder 🙏

[Mais316]

@michaelhtm adding more details here as well as per slack

Thanks again :) for the pointer to ResolverRule. Let me explain our case so it's clearer why I think we still need a standalone association.

Our setup is hub-and-spoke. The resolver endpoints and rules live in the hub VPC (DMZ subnet, since that's the only place allowed to send DNS queries out). The rules are then shared to all spoke accounts via AWS RAM. So from a spoke's perspective the rule is already there, read-only. We can't create it locally because the endpoint has to sit in the DMZ.
What each spoke actually needs is just the association of its own VPC to that shared rule, nothing else.

The problem with the current ResolverRule CRD and its inline Associations array is that we have one build module that provisions VPC + EKS per spoke. Every spoke runs the same code against the same shared rule. If each cluster adopts the rule and writes into the Associations array, they end up fighting over it. Spoke A writes its VPC, spoke B's reconcile loop removes it and writes its own, and so on. Our e2e build can't converge because of this. On top of that the rule isn't really owned by the spoke, it's owned by the platform team in the hub, so spokes shouldn't be authoritative over its spec at all.

This is the same reason Terraform models it as a standalone resource (aws_route53_resolver_rule_association), separate from the rule itself. Each spoke manages only its own association, no shared mutable array. That worked for us before we moved to ACK and it's the shape this PR mirrors.

So what the PR adds is a separate ResolverRuleAssociation CRD where each spoke creates only its own association object, the ResolverRule CR doesn't need to exist in the spoke cluster, and fields are immutable to match the AWS API (AssociateResolverRule / DisassociateResolverRule, no update path).

One question back to you :) am I right that with the current CRD the only path for our case would be to re-adopt the same shared rule in every spoke and let them race on the Associations array? If there's a pattern I'm missing to handle cross-account shared-rule association with ResolverRule alone, I'd be glad to learn it. But from the API shape and our e2e results, a standalone association CRD looks like the natural fit, the same way the AWS API itself models it.
Happy to iterate on the design.

[Mais316]

@michaelhtm

As per Trevor Feedback on slack

I've addressed this by adding an annotation:

metadata:
  annotations:
    route53resolver.services.k8s.aws/manage-associations: "false"

When set to "false" on a ResolverRule CR, the controller completely skips managing the spec.associations field — no reading, creating, updating, or deleting associations via that CR. This defers all association lifecycle to standalone ResolverRuleAssociation CRs.

Guarded paths:

• sdkFind — skips ListResolverRuleAssociations (won't populate spec.associations)
• sdkCreate — skips creating inline associations after rule creation
• sdkDelete — skips disassociating VPCs before rule deletion (standalone CRs handle their own cleanup via DisassociateResolverRule)
• customUpdate — skips syncAssociation on spec diff

When the annotation is absent or any value other than "false", the existing inline behavior is fully preserved (backward-compatible).

I also added an E2E test (test_manage_associations_annotation.py) that:

1. Creates a ResolverRule with manage-associations: "false"
2. Creates a standalone ResolverRuleAssociation targeting the same rule
3. Triggers a reconcile on the rule (via tag patch)
4. Verifies the standalone association is not removed

[Mais316]

@michaelhtm annotation change has been reverted, kindly review when you have time 🙏

[Mais316]

@michaelhtm please review when you have time :)

[knottnt]

@Mais316 Left a few comments. Just note, any changes to the generator.yaml should be applied to the generator.yaml file in the root of the repository.

[knottnt]

/test all

[Mais316]

/test all

[ack-prow]

@Mais316: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/test all

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[knottnt]

/test all

[Mais316]

/test all

Could u plz trigger new test, did dome changes

[knottnt]

/test all

[knottnt]

@Mais316 This hooks should be unnecessary when using synced:when. When using that config in generator.yaml code is generated to evaluate whether or not the resource is in a synced status and requeue if it is not. From the e2e test logs while the polling logic did time out we do see the test ResolverRuleAssociation reach a synced (COMPLETE) state in the controller logs.

 ref = CustomResourceReference(group='route53resolver.services.k8s.aws', version='v1alpha1', plural='resolverruleassociations', name='rule-assoc-88rt14u19eq7eeexuls4k', namespace='default')
timeout = 90

    def wait_for_association_complete(ref, timeout=ASSOCIATION_TIMEOUT_SECONDS):
        """Poll the CR until status.status == COMPLETE or timeout."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            cr = k8s.get_resource(ref)
            if cr and cr.get('status', {}).get('status') == 'COMPLETE':
                return cr
            time.sleep(10)
>       pytest.fail(f"Association {ref.name} did not reach COMPLETE within {timeout}s")
E       Failed: Association rule-assoc-88rt14u19eq7eeexuls4k did not reach COMPLETE within 90s

2026-06-01T22:38:28.689Z	DEBUG	ackrt	patched resource status	{"kind": "ResolverRuleAssociation", "namespace": "default", "name": "rule-assoc-88rt14u19eq7eeexuls4k", "account": "", "role": "", "": "us-west-2", "is_adopted": false, "generation": 1, "json": "{\"metadata\":{\"resourceVersion\":\"991\"},\"status\":{\"conditions\":[{\"lastTransitionTime\":\"2026-06-01T22:38:28Z\",\"message\":\"Resource synced successfully\",\"reason\":\"\",\"status\":\"True\",\"type\":\"ACK.ResourceSynced\"},{\"lastTransitionTime\":\"2026-06-01T22:38:28Z\",\"message\":\"Resource synced successfully\",\"reason\":\"\",\"status\":\"True\",\"type\":\"Ready\"}],\"status\":\"COMPLETE\",\"statusMessage\":\"\"}}"}

[Mais316]

@knottnt Removed unnecessary hooks synced:when already handles the requeue via IsSynced(). The e2e timeout was 90s in the previous run but the test code has 180s now, so it should pass on the next CI run 🤞

[Mais316]

@knottnt please trigger another test, when you have time :)

[michaelhtm]

/test all

[Mais316]

@knottnt one passed the other one failed, pushed a fix, please trigger another test :)

[gw3]�[36m [ 80%] �[0m�[32mPASSED�[0m tests/test_resolver_rule_association.py::TestResolverRuleAssociation::test_create_delete 
[gw4]�[36m [100%] �[0m�[31mFAILED�[0m tests/test_resolver_rule_association.py::TestResolverRuleAssociation::test_multiple_vpcs_same_rule 

[michaelhtm]

/test all

[Mais316]

@michaelhtm all is passed now :)

[michaelhtm]

Thanks @Mais316
Can we add a documentation.yaml where we can put the Associations limitation?
It should have been introduced in the latest code-generator commit
aws-controllers-k8s/code-generator#710

[michaelhtm]

/label release/minor

[Mais316]

Thanks @Mais316 Can we add a documentation.yaml where we can put the Associations limitation? It should have been introduced in the latest code-generator commit aws-controllers-k8s/code-generator#710

done :)

[Mais316]

@michaelhtm please advise if it looks good.

[michaelhtm]

Nice!
/ok-to-test
/lgtm

[michaelhtm]

/test all

[michaelhtm]

/ok-to-test
/lgtm

[ack-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Mais316, michaelhtm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [michaelhtm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment