crossplane-contrib / provider-jet-aws

AWS Provider for Crossplane that is built with Terrajet.
https://crossplane.io
Apache License 2.0

Security group gets changed and has sync problem when specific security group rules are added #225

Closed BGrasnick closed 2 years ago

BGrasnick commented 2 years ago

What happened?

When we try to create a SecurityGroup and add two specific SecurityGroupRules (with port range: all) the SecurityGroup breaks and cannot sync. Also deletion is not happening automatically anymore when we delete the composite resource (deletion of both the managed resource as well as the SecurityGroup object). The SecurityGroup is empty at first and gets created and has ready and synced "True": (In the following I am omitting the unnecessary parts like automatically generated annotations & labels etc. If any more details are necessary please let me know)

apiVersion: ec2.aws.jet.crossplane.io/v1alpha2
kind: SecurityGroup
metadata:
  finalizers:
  - finalizer.managedresource.crossplane.io
  name: security-group-worker-nodes
spec:
  deletionPolicy: Delete
  forProvider:
    description: The security group for the worker nodes
    name: security-group-worker-nodes
    region: eu-central-1
    tags:
      my: tags
      crossplane-kind: securitygroup.ec2.aws.jet.crossplane.io
      crossplane-name: security-group-worker-nodes
      crossplane-providerconfig: default
    vpcId: ${vpc-id}
  providerConfigRef:
    name: default

but after the following SecurityGroupRules are created, egress and ingress are added to the SecurityGroup and it gives the following errors:

apiVersion: ec2.aws.jet.crossplane.io/v1alpha2
kind: SecurityGroupRule
metadata:
  finalizers:
  - finalizer.managedresource.crossplane.io
  name: security-group-rule-worker-egress-allow-all
spec:
  deletionPolicy: Delete
  forProvider:
    cidrBlocks:
    - 0.0.0.0/0
    fromPort: 0
    protocol: "-1"
    region: eu-central-1
    securityGroupId: ${sg-id-from-patch}
    toPort: 65535
    type: egress
  providerConfigRef:
    name: default
---
apiVersion: ec2.aws.jet.crossplane.io/v1alpha2
kind: SecurityGroupRule
metadata:
  finalizers:
  - finalizer.managedresource.crossplane.io
  name: security-group-rule-worker-ingress-from-worker
spec:
  deletionPolicy: Delete
  forProvider:
    fromPort: 0
    protocol: "-1"
    region: eu-central-1
    securityGroupId: ${sg-id-from-patch}
    sourceSecurityGroupId: ${sg-id-from-patch}
    toPort: 65535
    type: ingress
  providerConfigRef:
    name: default
---
apiVersion: ec2.aws.jet.crossplane.io/v1alpha2
kind: SecurityGroup
metadata:
  finalizers:
  - finalizer.managedresource.crossplane.io
  name: security-group-worker-nodes
spec:
  deletionPolicy: Delete
  forProvider:
    description: The security group for the worker nodes
    egress:
    - cidrBlocks:
      - 0.0.0.0/0
      protocol: "-1"
    ingress:
    - protocol: "-1"
      self: true
    name: security-group-worker-nodes
    region: eu-central-1
    tags:
      my: tags
      crossplane-kind: securitygroup.ec2.aws.jet.crossplane.io
      crossplane-name: security-group-worker-nodes
      crossplane-providerconfig: default
    vpcId: vpc-id
  providerConfigRef:
    name: default

observe failed: cannot run refresh: refresh failed: Missing required argument: The argument "ingress.0.from_port" is required, but no definition was found.: File name: main.tf.json
Missing required argument: The argument "ingress.0.to_port" is required, but no definition was found.: File name: main.tf.json
Missing required argument: The argument "egress.0.from_port" is required, but no definition was found.: File name: main.tf.json
Missing required argument: The argument "egress.0.to_port" is required, but no definition was found.: File name: main.tf.json

Somehow the egress and ingress are added but not the port ranges.

The SecurityGroupRules get ready and synced "True".

How can we reproduce it?

Create a barebones empty SecurityGroup like the one above, then add two SecurityGroupRules using this security group id (like above, we use a composition and patch the security group id to the composite resource and then use it from there to patch into the SecurityGroupRules).

What environment did it happen in?

Crossplane version: 1.8.1

provider-jet-aws version: v0.5.0-preview

aws

Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.11+6b3cbdd", GitCommit:"047f86f8e2212f25394de1c8bad35d9426ae0f4c", GitTreeState:"clean", BuildDate:"2022-05-04T12:09:18Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}

OpenShift 4.8.46

Red Hat Enterprise Linux CoreOS 48.84.202206281246-0

4.18.0-305.49.1.el8_4.x86_64

empath-nirvana commented 2 years ago

I'm also experiencing this problem.

Also, if you don't provide a name or a name prefix, it adds both which also breaks the sync.

empath-nirvana commented 2 years ago

I also don't understand why it's modifying the spec at all. It absolutely should never be modifying the spec -- it should be updating the at_provider after it syncs, right?

jibiabraham commented 2 years ago

This is a known issue. There is a PR, SecurityGroup fails to create due to missing attributes #157, that kind of sort of fixes this. It has not made it into a release just yet.

What you're seeing is the state being late-initialized via observed Terraform state, and then subsequently all zero values being stripped out.
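
The zero-value stripping described above, as an added illustration that is not the provider's own code: it models the mechanism as Go's `omitempty` on plain integer fields, which is my assumption about the shape of the problem, not something this thread confirms. Terraform records from_port 0 and to_port 0 for protocol "-1" blocks, so rendering that observed state through such a struct drops exactly the keys named in the "Missing required argument" errors quoted in the report, while pointer fields keep them.

```go
package main

import "encoding/json"

// LossyRule uses plain integers with omitempty. For protocol "-1" the observed
// state carries from_port 0 and to_port 0; omitempty treats 0 as "unset" and
// drops both keys from the rendered main.tf.json (assumed model, see lead-in).
type LossyRule struct {
	Protocol string `json:"protocol"`
	FromPort int64  `json:"from_port,omitempty"`
	ToPort   int64  `json:"to_port,omitempty"`
}

// SafeRule uses pointers, so "set to 0" (non-nil) differs from "unset" (nil)
// and the zero ports survive serialization.
type SafeRule struct {
	Protocol string `json:"protocol"`
	FromPort *int64 `json:"from_port,omitempty"`
	ToPort   *int64 `json:"to_port,omitempty"`
}

// MissingRequiredPorts mimics the Terraform schema check behind the errors in
// this issue: from_port and to_port are required in every ingress/egress block.
func MissingRequiredPorts(rendered []byte) []string {
	var block map[string]json.RawMessage
	if err := json.Unmarshal(rendered, &block); err != nil {
		return []string{err.Error()}
	}
	var missing []string
	for _, k := range []string{"from_port", "to_port"} {
		if _, ok := block[k]; !ok {
			missing = append(missing, k)
		}
	}
	return missing
}

// RenderLossy serializes a constructed "all traffic" observed state through
// the lossy struct; the result is {"protocol":"-1"} only.
func RenderLossy() []byte {
	b, _ := json.Marshal(LossyRule{Protocol: "-1", FromPort: 0, ToPort: 0})
	return b
}

// RenderSafe serializes the same constructed observed state through pointer fields.
func RenderSafe() []byte {
	zero := int64(0)
	b, _ := json.Marshal(SafeRule{Protocol: "-1", FromPort: &zero, ToPort: &zero})
	return b
}
```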

BGrasnick commented 2 years ago

Hey, I tried it again using main as the image version for provider-jet-aws and it worked. Seems like https://github.com/crossplane-contrib/provider-jet-aws/pull/198 was merged right after 0.5.0 and didn't make the cut, but actually fixes this problem. I hope it will be included in a release asap.