aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

Unable to update tags for existing SQS queue #1541

Closed rj425 closed 1 year ago

rj425 commented 2 years ago

Describe the bug

I have an SQS queue that has a few tags already. On adding new tags to the .spec.tags, I can see the new tags appearing in manifest and everything. But, the AWS console shows otherwise. New tags are not reflected.

tags:
  namespace: {{ $.Values.namespace }}
  app: {{ $.Values.app_name }}   
  abc:v1:costAllocation1: {{ $.Values.team_id }}
  abc:v1:costAllocation2: {{ $.Values.namespace }}
  abc:v1:costAllocation3: {{ $.Values.app_name }} 

Steps to reproduce

Expected outcome

New tags should appear in AWS console.

rj425 commented 1 year ago

Also, recently noticed a similar behavior with resource access policies. For an existing SQS Queue, we updated the access policy within that resource. And the SQS controller fails to update the queue policy noticed in AWS console.

@A-Hilaly Can this please be looked at? Thanks.

jaypipes commented 1 year ago

@rj425 I will look into this ASAP.

jaypipes commented 1 year ago

@rj425 so, the Policy attribute should definitely be being updated. Can you please paste the YAML (redacted for any account-specific stuff) that you are using before and after Spec update so I can add a reproducible test case?

As for tag support, the SQS controller does not yet support tags (either setting or updating). I will work on this feature shortly.

rj425 commented 1 year ago

Hi @jaypipes

Thank you for taking this up.

SQS controller version used: v0.0.4

Resource Definition before update

apiVersion: sqs.services.k8s.aws/v1alpha1
kind: Queue
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: 'dev-simple-app:sqs.services.k8s.aws/Queue:lorum/abc-simple-app-queue1'
  name: abc-simple-app-queue1
  namespace: lorum
spec:
  delaySeconds: '0'
  policy: |
    {

      "Version": "2008-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__owner_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "1111111111111111"
          },
          "Action": [
            "SQS:*"
          ],
          "Resource": "arn:aws:sqs:*:1111111111111111:abc-simple-app-queue1"
        },
        {
          "Sid": "__sender_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1111111111111111:role/abc-simple-app"
            ]
          },
          "Action": [
            "SQS:SendMessage"
          ],
          "Resource": "arn:aws:sqs:*:1111111111111111:abc-simple-app-queue1"
        },
        {
          "Sid": "__receiver_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1111111111111111:role/abc-simple-app"
            ]
          },
          "Action": [
            "SQS:ChangeMessageVisibility",
            "SQS:DeleteMessage",
            "SQS:ReceiveMessage"
          ],
          "Resource": "arn:aws:sqs:*:1111111111111111:abc-simple-app-queue1"
        }
      ]
    }
  queueName: abc-simple-app-queue1
  tags:
    app: simple-app
    namespace: lorum
    'xyz:v1:costAllocation1': abc-core-infra
    'xyz:v1:costAllocation2': lorum
    'xyz:v1:costAllocation3': simple-app

Resource definition after update

apiVersion: sqs.services.k8s.aws/v1alpha1
kind: Queue
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: 'dev-simple-app:sqs.services.k8s.aws/Queue:lorum/abc-simple-app-queue1'
  name: abc-simple-app-queue1
  namespace: lorum
spec:
  delaySeconds: '0'
  policy: |
    {

      "Version": "2008-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__owner_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "1111111111111111"
          },
          "Action": [
            "SQS:*"
          ],
          "Resource": "arn:aws:sqs:*:1111111111111111:abc-simple-app-queue1"
        },
        {
          "Sid": "__sender_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1111111111111111:role/abc-simple-app"
            ]
          },
          "Action": [
            "SQS:SendMessage"
          ],
          "Resource": "arn:aws:sqs:*:1111111111111111:abc-simple-app-queue1"
        },
        {
          "Sid": "__receiver_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1111111111111111:role/abc-simple-app"
            ]
          },
          "Action": [
            "SQS:ChangeMessageVisibility"
          ],
          "Resource": "arn:aws:sqs:*:1111111111111111:abc-simple-app-queue1"
        }
      ]
    }
  queueName: abc-simple-app-queue1
  tags:
    app: simple-app
    namespace: lorum
    'xyz:v1:costAllocation1': abc-core-infra
    'xyz:v1:costAllocation2': lorum
    'xyz:v1:costAllocation3': simple-app

jaypipes commented 1 year ago

@rj425 OK! This is now fixed in the v0.0.07 release of the SQS controller :) Please close this issue out after verifying everything is properly working for you.

rj425 commented 1 year ago

@jaypipes Thank you so much for taking this up. Does this fix also address the issue of resource policy not updating the actual AWS resource (issue)?

I will test out this release. Thanks again.

jaypipes commented 1 year ago

@rj425 sorry for delayed response. I have just added an e2e test that updates queue attributes and verifies the changes are properly reflected in the queue on the AWS API side. So, yes, this should indeed be closed out with the latest (v1.0.0) sqs-controller release :)
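An added example, not part of the original thread or the ACK code base: a small drift check for the failure reported here, where the manifest narrows `__receiver_statement` but the live queue keeps the broader grant. It compares only the `Action` sets per `Sid` and the tag keys; the sample inputs are constructed from the manifests above, and in practice the live values would be assumed to come from the SQS `GetQueueAttributes` (`Policy`) and `ListQueueTags` API calls.

```python
import json

# Constructed sample input, trimmed from the manifests in this thread:
# LIVE is what the queue still has, DESIRED is the updated .spec.policy.
def _policy(receiver_actions):
    return json.dumps({"Version": "2008-10-17", "Statement": [
        {"Sid": "__sender_statement", "Effect": "Allow", "Action": ["SQS:SendMessage"]},
        {"Sid": "__receiver_statement", "Effect": "Allow", "Action": receiver_actions},
    ]})

LIVE_POLICY = _policy(["SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage"])
DESIRED_POLICY = _policy(["SQS:ChangeMessageVisibility"])
LIVE_TAGS = {"app": "simple-app", "namespace": "lorum"}
DESIRED_TAGS = {**LIVE_TAGS, "xyz:v1:costAllocation1": "abc-core-infra"}

def _actions_by_sid(policy_json):
    """Map each statement's Sid to its set of actions, lower-cased
    because IAM action names are case-insensitive."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    out = {}
    for i, s in enumerate(stmts):
        actions = s.get("Action", [])
        if isinstance(actions, str):     # "Action" may be a string or a list
            actions = [actions]
        out[s.get("Sid", f"#{i}")] = {a.lower() for a in actions}
    return out

def policy_drift(desired_json, live_json):
    """Per Sid: actions the live queue grants beyond the spec, and vice versa."""
    desired, live = _actions_by_sid(desired_json), _actions_by_sid(live_json)
    drift = {}
    for sid in sorted(desired.keys() | live.keys()):
        want, have = desired.get(sid, set()), live.get(sid, set())
        if want != have:
            drift[sid] = {"extra_live": sorted(have - want),
                          "missing_live": sorted(want - have)}
    return drift

def tag_drift(desired, live):
    """Tag keys in the spec that are absent or different on the live queue."""
    return {"missing": sorted(k for k in desired if k not in live),
            "changed": sorted(k for k in desired if k in live and live[k] != desired[k])}

if __name__ == "__main__":
    print(policy_drift(DESIRED_POLICY, LIVE_POLICY))
    print(tag_drift(DESIRED_TAGS, LIVE_TAGS))
```

A non-empty `extra_live` list is the case that matters for least privilege: the queue still grants actions that the manifest has already removed.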

jaypipes commented 1 year ago

Completed.