feat: support for IAM authentication mode for user

apis/v1alpha1/generator.yaml

@@ -457,8 +457,6 @@ ignore:
     - CacheCluster.LogDeliveryConfigurations
     - CacheCluster.PendingModifiedValues.ScaleConfig
     - PendingModifiedValues.LogDeliveryConfigurations
-    - CreateUserInput.AuthenticationMode
-    - ModifyUserInput.AuthenticationMode
     - CreateCacheSubnetGroupOutput.CacheSubnetGroup.SupportedNetworkTypes
     - CreateCacheSubnetGroupOutput.CacheSubnetGroup.Subnets.SupportedNetworkTypes
     - ModifyCacheSubnetGroupOutput.CacheSubnetGroup.Subnets.SupportedNetworkTypes

generator.yaml

@@ -457,8 +457,6 @@ ignore:
     - CacheCluster.LogDeliveryConfigurations
     - CacheCluster.PendingModifiedValues.ScaleConfig
     - PendingModifiedValues.LogDeliveryConfigurations
-    - CreateUserInput.AuthenticationMode
-    - ModifyUserInput.AuthenticationMode
     - CreateCacheSubnetGroupOutput.CacheSubnetGroup.SupportedNetworkTypes
     - CreateCacheSubnetGroupOutput.CacheSubnetGroup.Subnets.SupportedNetworkTypes
     - ModifyCacheSubnetGroupOutput.CacheSubnetGroup.Subnets.SupportedNetworkTypes

helm/crds/elasticache.services.k8s.aws_users.yaml

@@ -44,6 +44,18 @@ spec:
 
                   Regex Pattern: `\S`
                 type: string
+              authenticationMode:
+                description: |-
+                  Specifies the authentication mode to use. Includes the authentication type
+                  (e.g. iam, no-password-required, password). Passwords should be provided
+                  via the spec.passwords field using SecretKeyReference.
+                properties:
+                  type:
+                    description: |-
+                      Specifies the authentication type. Possible options are IAM authentication,
+                      password and no password.
+                    type: string
+                type: object
               engine:
                 description: |-
                   The options are valkey or redis.

pkg/resource/user/hooks.go

@@ -17,6 +17,7 @@ import (
 	"context"
 
 	svcsdk "github.com/aws/aws-sdk-go-v2/service/elasticache"
+	svcsdktypes "github.com/aws/aws-sdk-go-v2/service/elasticache/types"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 
@@ -95,6 +96,14 @@ func (rm *resourceManager) populateUpdatePayload(
 		input.AccessString = r.ko.Spec.AccessString
 	}
 
+	if delta.DifferentAt("Spec.AuthenticationMode") && r.ko.Spec.AuthenticationMode != nil {
+		authMode := &svcsdktypes.AuthenticationMode{}
+		if r.ko.Spec.AuthenticationMode.Type != nil {
+			authMode.Type = svcsdktypes.InputAuthenticationType(*r.ko.Spec.AuthenticationMode.Type)
+		}
+		input.AuthenticationMode = authMode
+	}
+
 	if delta.DifferentAt("Spec.NoPasswordRequired") && r.ko.Spec.NoPasswordRequired != nil {
 		input.NoPasswordRequired = r.ko.Spec.NoPasswordRequired
 	}

test/e2e/resources/user_iam.yaml

@@ -0,0 +1,11 @@
+apiVersion: elasticache.services.k8s.aws/v1alpha1
+kind: User
+metadata:
+  name: $USER_ID
+spec:
+  accessString: $ACCESS_STRING
+  authenticationMode:
+    type: iam
+  engine: valkey
+  userID: $USER_ID
+  userName: $USER_ID

test/e2e/tests/test_user.py

@@ -107,6 +107,32 @@ def user_password(user_password_input, elasticache_client):
     assert_user_deletion(user_password_input['USER_ID'])
 
 
+@pytest.fixture(scope="module")
+def user_iam_input():
+    return {
+        "USER_ID": random_suffix_name("user-iam", 32),
+        "ACCESS_STRING": "on ~app::* -@all +@read"
+    }
+
+
+@pytest.fixture(scope="module")
+def user_iam(user_iam_input, elasticache_client):
+
+    # inject parameters into yaml; create User in cluster
+    user = load_elasticache_resource("user_iam", additional_replacements=user_iam_input)
+    reference = k8s.CustomResourceReference(
+        CRD_GROUP, CRD_VERSION, RESOURCE_PLURAL, user_iam_input["USER_ID"], namespace="default")
+    _ = k8s.create_custom_resource(reference, user)
+    resource = k8s.wait_resource_consumed_by_controller(reference)
+    assert resource is not None
+    yield (reference, resource)
+
+    # teardown: delete in k8s, assert user does not exist in AWS
+    k8s.delete_custom_resource(reference)
+    sleep(DEFAULT_WAIT_SECS)
+    assert_user_deletion(user_iam_input['USER_ID'])
+
+
 @service_marker
 class TestUser:
 
@@ -128,6 +154,17 @@ def test_user_nopass(self, user_nopass, user_nopass_input):
         resource = k8s.get_resource(reference)
         assert resource["status"]["lastRequestedAccessString"] == new_access_string
 
+    # test creation with IAM authentication mode (valkey engine)
+    def test_user_iam(self, user_iam, user_iam_input):
+        (reference, resource) = user_iam
+        assert k8s.get_resource_exists(reference)
+
+        assert k8s.wait_on_condition(reference, "ACK.ResourceSynced", "True", wait_periods=5)
+        resource = k8s.get_resource(reference)
+        assert resource["status"]["lastRequestedAccessString"] == user_iam_input["ACCESS_STRING"]
+        assert resource["status"]["authentication"] is not None
+        assert resource["status"]["authentication"]["type_"] == "iam"
+
     # test creation with Passwords specified (as k8s secrets)
     def test_user_password(self, user_password, user_password_input):
         (reference, resource) = user_password