crossplane-contrib / provider-jet-aws

AWS Provider for Crossplane that is built with Terrajet.
https://crossplane.io
Apache License 2.0
37 stars 30 forks

multiple rolepolicyattachment Drift detected (delete) #233

Closed haarchri closed 1 year ago

haarchri commented 1 year ago

What happened?

We tried today to set up a basic role.iam.aws.jet.crossplane.io and multiple rolepolicyattachment.iam.aws.jet.crossplane.io on this role. The issue is that the policy attachments on the role constantly get removed and added again, so in no time the policies are attached from multiple rolepolicyattachment.iam.aws.jet.crossplane.io. The only thing we can see is "Drift detected (delete)".

NAME                                                   READY   SYNCED   EXTERNAL-NAME           AGE
role.iam.aws.jet.crossplane.io/sop-prod-grafana-role   True    True     sop-prod-grafana-role   1d
NAME                                                                            READY   SYNCED   EXTERNAL-NAME                                      AGE
rolepolicyattachment.iam.aws.jet.crossplane.io/test1-dr9p7-42p4f                False   True     sop-prod-grafana-role-20220909162408677200000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test2-8hg7t-92s7z                False   True     sop-prod-grafana-role-20220909162149725800000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test3-fgjlt-xl8mk                False   True     sop-prod-grafana-role-20220909162437312700000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test4-fpdpz-lt9js                False   True     sop-prod-grafana-role-20220909162506086200000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test5-5zb25-5zr6h                True    True     sop-prod-grafana-role-20220909162217975800000001   10h

next round:

NAME                                                                            READY   SYNCED   EXTERNAL-NAME                                      AGE
rolepolicyattachment.iam.aws.jet.crossplane.io/test1-dr9p7-42p4f                False   True     sop-prod-grafana-role-20220909162408677200000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test2-8hg7t-92s7z                False   True     sop-prod-grafana-role-20220909162149725800000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test3-fgjlt-xl8mk                True   True     sop-prod-grafana-role-20220909162437312700000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test4-fpdpz-lt9js                True   True     sop-prod-grafana-role-20220909162506086200000001   10h
rolepolicyattachment.iam.aws.jet.crossplane.io/test5-5zb25-5zr6h                False   True     sop-prod-grafana-role-20220909162217975800000001   10h

How can we reproduce it?

1.6627130918036826e+09 DEBUG provider-jet-aws refresh ended {"workspace": "/tmp/1ff8194e-a72d-4e56-b009-db8121124ebc", "out": "{\"@level\":\"info\",\"@message\":\"Terraform 1.0.5\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:38.647279Z\",\"terraform\":\"1.0.5\",\"type\":\"version\",\"ui\":\"0.1.0\"}\n{\"@level\":\"info\",\"@message\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx: Refreshing state... [id=sop-prod-grafana-role-20220909083952719300000001]\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:51.369013Z\",\"hook\":{\"resource\":{\"addr\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx\",\"module\":\"\",\"resource\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx\",\"implied_provider\":\"aws\",\"resource_type\":\"aws_iam_role_policy_attachment\",\"resource_name\":\"test-cluster-ld44x-576wx\",\"resource_key\":null},\"id_key\":\"id\",\"id_value\":\"sop-prod-grafana-role-20220909083952719300000001\"},\"type\":\"refresh_start\"}\n{\"@level\":\"info\",\"@message\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx: Refresh complete\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:51.782965Z\",\"hook\":{\"resource\":{\"addr\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx\",\"module\":\"\",\"resource\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx\",\"implied_provider\":\"aws\",\"resource_type\":\"aws_iam_role_policy_attachment\",\"resource_name\":\"test-cluster-ld44x-576wx\",\"resource_key\":null}},\"type\":\"refresh_complete\"}\n{\"@level\":\"info\",\"@message\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx: Drift detected (delete)\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:51.793859Z\",\"change\":{\"resource\":{\"addr\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx\",\"module\":\"\",\"resource\":\"aws_iam_role_policy_attachment.test-cluster-ld44x-576wx\",\"implied_provider\":\"aws\",\"resource_type\":\"aws_iam_role_policy_attachment\",\"resource_name\":\"test-cluster-ld44x-576wx\",\"resource_key\":null},\"action\":\"delete\"},\"type\":\"resource_drift\"}\n{\"@level\":\"info\",\"@message\":\"Plan: 0 to add, 0 to change, 0 to destroy.\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:51.793971Z\",\"changes\":{\"add\":0,\"change\":0,\"remove\":0,\"operation\":\"plan\"},\"type\":\"change_summary\"}\n{\"@level\":\"info\",\"@message\":\"Apply complete! Resources: 0 added, 0 changed, 0 destroyed.\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:51.797657Z\",\"changes\":{\"add\":0,\"change\":0,\"remove\":0,\"operation\":\"apply\"},\"type\":\"change_summary\"}\n{\"@level\":\"info\",\"@message\":\"Outputs: 0\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2022-09-09T08:44:51.797694Z\",\"outputs\":{},\"type\":\"outputs\"}\n"}

What environment did it happen in?

Crossplane version:

haarchri commented 1 year ago

kubectl describe role.iam.aws.jet.crossplane.io/sop-prod-grafana-role
Spec:
  Deletion Policy:  Delete
  For Provider:
    Assume Role Policy:  {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "grafana.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    Inline Policy:
    Managed Policy Arns:
      arn:aws:iam::xxx:policy/terraform-xxx
    Max Session Duration:  3600
    Path:                  /
    Tags:
      Crossplane - Kind:            role.iam.aws.jet.crossplane.io
      Crossplane - Name:            sop-prod-grafana-role
      Crossplane - Providerconfig:  aws-provider-xxx
  Provider Config Ref:
    Name:  aws-provider-xxx
Status:
  At Provider:
    Arn:          arn:aws:iam::xxx:role/sop-prod-grafana-role
    Create Date:  2022-08-17T10:54:08Z
    Id:           sop-prod-grafana-role
    Tags All:
      Crossplane - Kind:            role.iam.aws.jet.crossplane.io
      Crossplane - Name:            sop-prod-grafana-role
      Crossplane - Providerconfig:  aws-provider-xxxx
    Unique Id:                      xxxx
  Conditions:
    Last Transition Time:  2022-08-17T10:54:19Z
    Reason:                Available
    Status:                True
    Type:                  Ready
    Last Transition Time:  2022-08-25T08:47:28Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced

I guess it's because of:

    Managed Policy Arns:
      arn:aws:iam::xxx:policy/terraform-xxx
haarchri commented 1 year ago

Okay, we checked it out, it's an issue with the Managed Policy Arns field.