crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

[Bug]: IAM Role inlinePolicy conflicting with IAM RolePolicy #1207

Closed caspar-ds closed 6 months ago

caspar-ds commented 6 months ago

Is there an existing issue for this?

Affected Resource(s)

Resource MRs required to reproduce the bug

apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
  name: crossplane-test-role
spec:
  forProvider:
    assumeRolePolicy: |-
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "AWS": "*"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  providerConfigRef:
    name: default
---
apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicy
metadata:
  name: crossplane-test-policy
spec:
  forProvider:
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": [
              "*"
            ]
          }
        ]
      }
    role: crossplane-test-role
  providerConfigRef:
    name: default

Steps to Reproduce

  1. Create the Role and RolePolicy
  2. Wait for the Role to be reconciled. Note the inlinePolicy field is now present on the role:
    inlinePolicy:
    - name: crossplane-test-policy
      policy: '{"Version":"2012-10-17","Statement":[{"Action":"ec2:DescribeInstances","Effect":"Allow","Resource":["*"]}]}'
  3. Delete the RolePolicy
  4. Note that the inline role policy has been removed
  5. Wait until next reconciliation of the Role
  6. Note that the inline role policy has been recreated due to the inlinePolicy

What happened?

As no inlinePolicy was defined on the Role, it should not be managing inline policies:

If no blocks are configured, Crossplane will not manage any inline policies in this resource.

Setting inlinePolicy: [] or inlinePolicy: ~ has no effect and the field is removed during reconciliation.

Relevant Error Output Snippet

No response

Crossplane Version

1.15.0

Provider Version

0.47.2

Kubernetes Version

1.26

Kubernetes Distribution

EKS 1.26

Additional Info

No response

mbbush commented 6 months ago

When you see inlinePolicy set on the Role, is the field in spec.forProvider or status.atProvider?

haarchri commented 6 months ago

@mbbush this reminds me of your comment in https://github.com/crossplane-contrib/provider-upjet-aws/pull/933#issuecomment-1776159401

mbbush commented 6 months ago

Yeah, I couldn't remember if we ever made the second fix. Sounds like probably not.

caspar-ds commented 6 months ago

When you see inlinePolicy set on the Role, is the field in spec.forProvider or status.atProvider?

It's in both
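The practical risk behind this report is that an inline policy someone deliberately removed comes back on the Role's next reconcile, because the provider late-initialized it into spec.forProvider (desired state), not only status.atProvider (observed state). The script below is an added audit example written for this thread; it is not code from provider-upjet-aws or from any commenter. It models the Role and RolePolicy objects from the repro as constructed Python dicts in the shape `kubectl get ... -o json` returns, and reports every inlinePolicy entry a Role carries in its spec: "dual-managed" while a RolePolicy MR of the same name still targets the role (the conflict in this issue), or "orphaned" once that RolePolicy is gone (the resurrection in steps 3 to 6). The `_policy_doc` helper and the sample object names are assumptions for the example.

```python
"""Audit Crossplane IAM Role MRs for inlinePolicy entries that were late-initialized
from RolePolicy objects. Constructed example; feed it the "items" lists from
`kubectl get roles.iam.aws.upbound.io -o json` and
`kubectl get rolepolicies.iam.aws.upbound.io -o json` to run it for real."""
import json


def _policy_doc(actions, resources=("*",)):
    """Build the compact policy JSON string the provider stores (constructed helper)."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Action": actions, "Effect": "Allow",
                                      "Resource": list(resources)}]},
                      separators=(",", ":"))


# Role as it looks after step 2 of the repro: the inline policy is present in BOTH
# spec.forProvider (desired state, late-initialized) and status.atProvider (observed).
TEST_ROLE = {
    "kind": "Role",
    "metadata": {"name": "crossplane-test-role"},
    "spec": {"forProvider": {
        "inlinePolicy": [{"name": "crossplane-test-policy",
                          "policy": _policy_doc("ec2:DescribeInstances")}]}},
    "status": {"atProvider": {
        "inlinePolicy": [{"name": "crossplane-test-policy",
                          "policy": _policy_doc("ec2:DescribeInstances")}]}},
}

# A role no RolePolicy ever targeted: the audit must report nothing for it.
CLEAN_ROLE = {"kind": "Role", "metadata": {"name": "untouched-role"},
              "spec": {"forProvider": {}}, "status": {"atProvider": {}}}

TEST_ROLE_POLICY = {
    "kind": "RolePolicy",
    "metadata": {"name": "crossplane-test-policy"},
    "spec": {"forProvider": {"role": "crossplane-test-role",
                             "policy": _policy_doc("ec2:DescribeInstances")}},
}


def inline_policy_names(role, section):
    """Map name -> policy JSON from spec.forProvider.inlinePolicy (section="spec")
    or status.atProvider.inlinePolicy (section="status")."""
    key = "forProvider" if section == "spec" else "atProvider"
    block = role.get(section, {}).get(key, {})
    return {p["name"]: p["policy"] for p in (block.get("inlinePolicy") or [])}


def granted_actions(policy_json):
    """Flatten the Allow actions of a policy document so a finding shows what comes back."""
    actions = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return sorted(set(actions))


def audit_inline_policies(roles, role_policies):
    """One finding per inlinePolicy entry in a Role's spec.forProvider.

    state "dual-managed": a RolePolicy MR with the same name still targets the role,
        so two controllers own one inline policy.
    state "orphaned": no RolePolicy backs the entry; deleting the policy in AWS only
        lasts until the Role's next reconcile re-creates it from spec.forProvider.
    """
    backed = {(rp["spec"]["forProvider"]["role"], rp["metadata"]["name"])
              for rp in role_policies}
    findings = []
    for role in roles:
        name = role["metadata"]["name"]
        status_names = inline_policy_names(role, "status")
        for pname, pdoc in inline_policy_names(role, "spec").items():
            findings.append({
                "role": name,
                "policy": pname,
                "state": "dual-managed" if (name, pname) in backed else "orphaned",
                "in_status": pname in status_names,
                "actions": granted_actions(pdoc),
            })
    return findings


if __name__ == "__main__":
    # Step 2: Role and RolePolicy both exist.
    for f in audit_inline_policies([TEST_ROLE, CLEAN_ROLE], [TEST_ROLE_POLICY]):
        print(f)
    # Step 3: RolePolicy deleted; the lingering spec entry is what resurrects the policy.
    for f in audit_inline_policies([TEST_ROLE, CLEAN_ROLE], []):
        print(f)
```

The "orphaned" findings are the ones to act on: each lists the Allow actions that will be granted again at the next reconcile, which answers the question of what permissions silently persist after an operator believes they removed them.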