crossplane-contrib / provider-jet-aws

AWS Provider for Crossplane that is built with Terrajet.
https://crossplane.io
Apache License 2.0

Security group with `vpcIdSelector` #124

Closed vfarcic closed 2 years ago

vfarcic commented 2 years ago

What happened?

Failed to create a composition with a VPC and a SecurityGroup that references it through vpcIdSelector.

How can we reproduce it?

1. Create the following Composition:

```yaml
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-tf-aws
  labels:
    provider: tf-aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: devopstoolkitseries.com/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
  - name: metadata
    patches:
    - fromFieldPath: metadata.labels
  resources:
  - name: vpc-nodepool
    base:
      apiVersion: ec2.aws.tf.crossplane.io/v1alpha1
      kind: VPC
      spec:
        forProvider:
          region: us-east-1
          cidrBlock: 10.0.0.0/16
          enableDnsSupport: true
    patches:
    - fromFieldPath: spec.id
      toFieldPath: metadata.name
  - name: sg-nodepool
    base:
      apiVersion: ec2.aws.tf.crossplane.io/v1alpha1
      kind: SecurityGroup
      spec:
        forProvider:
          description: Cluster communication with worker nodes
          name: devops-catalog
          region: us-east-1
          vpcIdSelector:
            matchControllerRef: true
          egress:
          - fromPort: 0
            toPort: 0
            protocol: "-1"
            cidrBlocks:
            - "0.0.0.0/0"
    patches:
    - fromFieldPath: spec.id
      toFieldPath: metadata.name
```

2. Create a claim based on that Composition.

3. Describe the security group. The output should be similar to the following:

```
...
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2021-10-19T21:35:01Z
    Message:               observe failed: cannot run refresh: cannot refresh: {"@level":"info","@message":"Terraform 1.0.5","@module":"terraform.ui","@timestamp":"2021-10-19T21:35:00.414249Z","terraform":"1.0.5","type":"version","ui":"0.1.0"}
{"@level":"error","@message":"Error: Incorrect attribute value type","@module":"terraform.ui","@timestamp":"2021-10-19T21:35:01.413866Z","diagnostic":{"severity":"error","summary":"Incorrect attribute value type","detail":"Inappropriate value for attribute \"egress\": element 0: attributes \"description\", \"ipv6_cidr_blocks\", \"prefix_list_ids\", \"security_groups\", and \"self\" are required.","range":{"filename":"main.tf.json","start":{"line":1,"column":165,"byte":164},"end":{"line":1,"column":238,"byte":237}},"snippet":{"context":"resource.aws_security_group.a-team-eks","code":"{\"provider\":{\"tf-provider\":{\"region\":\"us-east-1\"}},\"resource\":{\"aws_security_group\":{\"a-team-eks\":{\"description\":\"Cluster communication with worker nodes\",\"egress\":[{\"cidr_blocks\":[\"0.0.0.0/0\"],\"from_port\":0,\"protocol\":\"-1\",\"to_port\":0}],\"lifecycle\":{\"prevent_destroy\":true},\"name\":\"devops-catalog\",\"vpc_id\":\"vpc-08af90611f837503f\"}}},\"terraform\":{\"required_providers\":{\"tf-provider\":{\"source\":\"hashicorp/aws\",\"version\":\"3.56.0\"}}}}","start_line":1,"highlight_start_offset":164,"highlight_end_offset":237,"values":[]}},"type":"diagnostic"}
: exit status 1
    Reason:  ReconcileError
    Status:  False
    Type:    Synced
Events:
  Type     Reason                           Age                 From                                                           Message
  ----     ------                           ----                ----                                                           -------
  Warning  CannotResolveResourceReferences  71s (x25 over 85s)  managed/ec2.aws.tf.crossplane.io/v1alpha1, kind=securitygroup  cannot resolve references: mg.Spec.ForProvider.VpcID: referenced field was empty (referenced resource may not yet be ready)
```

turkenh commented 2 years ago

This seems to be related: https://github.com/hashicorp/terraform-provider-aws/issues/8786

After a quick skim, it looks like you need to provide all parameters in attribute groups, so I would assume that it should work if you also provide the ipv6_cidr_blocks parameter under egress.

We need to figure out how to deal with that in terrajet for a better experience though.
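The suggestion above is to supply every attribute of the `egress` attribute group rather than only the ones the rule sets. The script below is an added example, not code from this issue, from provider-jet-aws or from Terrajet: it takes the `main.tf.json` body quoted in the error message (re-typed here as a constructed dict), reports which rule attributes each egress/ingress element lacks, and fills the missing ones with `null` so that the rule carries the full attribute set Terraform expects for an attribute-as-block written in JSON. The attribute list is an assumption taken from the diagnostic on this page plus the attributes the rule already sets, and whether `null` is an acceptable value for each of them is something to verify against the AWS provider version actually in use.

```python
import json

# Assumed full attribute set of an aws_security_group egress/ingress rule when
# written as a JSON object: the five names the Terraform diagnostic on this page
# reports as required, plus the four the rule in the issue already sets.
RULE_ATTRIBUTES = {
    "cidr_blocks": None,
    "description": None,
    "from_port": None,
    "ipv6_cidr_blocks": None,
    "prefix_list_ids": None,
    "protocol": None,
    "security_groups": None,
    "self": None,
    "to_port": None,
}

RULE_BLOCKS = ("egress", "ingress")


def missing_attributes(body):
    """Return {"egress[0]": [...], ...} listing the attributes each rule lacks."""
    report = {}
    for block in RULE_BLOCKS:
        for index, rule in enumerate(body.get(block) or []):
            missing = sorted(set(RULE_ATTRIBUTES) - set(rule))
            if missing:
                report[f"{block}[{index}]"] = missing
    return report


def complete_rules(body):
    """Return a copy of one aws_security_group body where every egress/ingress
    element carries the full attribute set; unset attributes become null."""
    out = dict(body)
    for block in RULE_BLOCKS:
        rules = body.get(block)
        if rules is None:
            continue
        # Values the rule sets win over the null defaults.
        out[block] = [{**RULE_ATTRIBUTES, **rule} for rule in rules]
    return out


def complete_config(config):
    """Deep-copy a Terraform JSON document and complete every aws_security_group."""
    out = json.loads(json.dumps(config))
    groups = out.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        groups[name] = complete_rules(body)
    return out


# Constructed sample: the main.tf.json content quoted in the issue's error
# message, re-typed as a Python dict.
SAMPLE_CONFIG = {
    "provider": {"tf-provider": {"region": "us-east-1"}},
    "resource": {
        "aws_security_group": {
            "a-team-eks": {
                "description": "Cluster communication with worker nodes",
                "egress": [
                    {
                        "cidr_blocks": ["0.0.0.0/0"],
                        "from_port": 0,
                        "protocol": "-1",
                        "to_port": 0,
                    }
                ],
                "lifecycle": {"prevent_destroy": True},
                "name": "devops-catalog",
                "vpc_id": "vpc-08af90611f837503f",
            }
        }
    },
    "terraform": {
        "required_providers": {
            "tf-provider": {"source": "hashicorp/aws", "version": "3.56.0"}
        }
    },
}


if __name__ == "__main__":
    sg = SAMPLE_CONFIG["resource"]["aws_security_group"]["a-team-eks"]
    print("missing before:", missing_attributes(sg))
    fixed = complete_config(SAMPLE_CONFIG)
    print(json.dumps(fixed["resource"]["aws_security_group"], indent=2))
```

Run as a script it prints the attributes the sample rule lacks, then the completed resource. The completion is idempotent and leaves the original document untouched, so it can sit in front of whatever writes `main.tf.json` without changing a rule that is already complete.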