Fix Topic.sns update loops

[ulucinar]

Description of your changes

We've observed update loops with the Topic.sns resources when inline policies are given. The desired policy document in the spec can differ from the actual (observed) document in the following two ways:

• Missing Version node. An example is as follows:

    {
      "Statement": [
      {
        "Sid": "publish",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789110:role/sample-role"
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      },
      {
        "Sid": "get-attributes",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789110:role/sample-role"
        },
        "Action": "sns:GetTopicAttributes",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      },
      {
        "Sid": "list-subscriptions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789110:role/sample-role"
        },
        "Action": "sns:ListSubscriptionsByTopic",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      }
      ]
    }

  What's observed constains a Version node:

    {
      "Version": "2008-10-17",
      "Statement": [
      {
        "Sid": "publish",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789110:role/sample-role"
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      },
      {
        "Sid": "get-attributes",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789110:role/sample-role"
        },
        "Action": "sns:GetTopicAttributes",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      },
      {
        "Sid": "list-subscriptions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789110:role/sample-role"
        },
        "Action": "sns:ListSubscriptionsByTopic",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      }
      ]
    }

  Please note the Version node in the observed policy document.

• Topology differences: What's declared in spec could be:

    {
      "Statement": [
      {
        "Sid": "publish",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456789110:role/sample-role"
          ]
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      },
      {
        "Sid": "get-attributes",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456789110:role/sample-role"
          ]
        },
        "Action": "sns:GetTopicAttributes",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      },
      {
        "Sid": "list-subscriptions",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456789110:role/sample-role"
          ]
        },
        "Action": "sns:ListSubscriptionsByTopic",
        "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
      }
      ]
    }

And what's observed could then be:

      {
        "Version": "2008-10-17",
        "Statement": [
        {
          "Sid": "publish",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789110:role/sample-role"
          },
          "Action": "sns:Publish",
          "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
        },
        {
          "Sid": "get-attributes",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789110:role/sample-role"
          },
          "Action": "sns:GetTopicAttributes",
          "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
        },
        {
          "Sid": "list-subscriptions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789110:role/sample-role"
          },
          "Action": "sns:ListSubscriptionsByTopic",
          "Resource": "arn:aws:sns:us-west-1:123456789110:resource1"
        }
        ]
      }

Please note that the declared AWS IAM principals are JSON arrays whereas the observed ones are strings.

This PR proposes to introduce a custom Terraform diff to filter out such differences that result in an update loop. This is already implemented as a diff suppress function in the underlying Terraform provider. We should consider making sure that these suppress functions are properly invoked in a future iteration but it will result in a larger change that will require more rigorous testing.

This PR also adds a Topic.sns example manifest with an inline policy document to test the fix.

I have:

• [x] Read and followed Crossplane's contribution process.
• [x] Run make reviewable to ensure this PR is ready for review.
• [ ] Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

• Successful uptest run with the diff customization: https://github.com/crossplane-contrib/provider-upjet-aws/actions/runs/9406883608/
• Also validated that we can force an update loop without the diff customization: https://github.com/crossplane-contrib/provider-upjet-aws/actions/runs/9408319232

[ulucinar]

/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"

[ulucinar]

/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"

[ulucinar]

/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"

[ulucinar]

/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"

[ulucinar]

/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"

[ulucinar]

/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"

[mbbush]

I've definitely observed this same update loop in other resources that contain an IAM policy, in addition to one more: converting an AWS account id to the ARN of that account's root in a Principal element.

Do we have an issue to track these improvements?