crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

[Bug]: AWS RDS Logs Cannot Be Turned Off #1256

Open humoflife opened 3 months ago

humoflife commented 3 months ago

Is there an existing issue for this?

Affected Resource(s)

rds.aws.upbound.io/v1beta1: Cluster

Resource MRs required to reproduce the bug

rds.aws.upbound.io/v1beta1: Cluster
rds.aws.upbound.io/v1beta1: SubnetGroup
ec2.aws.upbound.io/v1beta1: Subnet
ec2.aws.upbound.io/v1beta1: VPC

Steps to Reproduce

Create an rds.aws.upbound.io/v1beta1: Cluster.

Enable CloudWatch logs as follows on initial install.

enabledCloudwatchLogsExports:

What happened?

The enabledCloudwatchLogsExports field is not updated, and the logs are not turned off.

Relevant Error Output Snippet

NA

Crossplane Version

v1.14.3-up.1

Provider Version

v0.47.1

Kubernetes Version

v1.29.1

Kubernetes Distribution

EKS

Additional Info

This behavior may impact more than the RDS enabledCloudwatchLogsExports array. Perhaps there are more arrays that need to be explicitly cleared to remove a configuration but are not? Perhaps this can and/or should be centrally solved in Upjet instead of for a specific provider GVK?

humoflife commented 2 months ago

Confirming that this issue is in the provider. Reproduced as follows through MR YAML.

Applied the following to create the cluster with logging:

apiVersion: rds.aws.upbound.io/v1beta1
kind: Cluster
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/clusterendpoint
  labels:
    testing.upbound.io/example-name: default-ce
  name: example-ce
spec:
  forProvider:
    enabledCloudwatchLogsExports:
      - postgresql
    engine: aurora-postgresql
    manageMasterUserPassword: true
    masterUsername: cpadmin
    region: us-west-1
    skipFinalSnapshot: true
  writeConnectionSecretToRef:
    name: sample-rds-cluster-secret
    namespace: upbound-system

Then applied the following to try to turn logs off:

apiVersion: rds.aws.upbound.io/v1beta1
kind: Cluster
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/clusterendpoint
  labels:
    testing.upbound.io/example-name: default-ce
  name: example-ce
spec:
  forProvider:
    enabledCloudwatchLogsExports: []
    engine: aurora-postgresql
    manageMasterUserPassword: true
    masterUsername: cpadmin
    region: us-west-1
    skipFinalSnapshot: true
  writeConnectionSecretToRef:
    name: sample-rds-cluster-secret
    namespace: upbound-system

See the attached screenshot (Screenshot 2024-05-01 at 1 24 00 PM), which shows that logs are still turned on.

It also shows that enabledCloudwatchLogsExports is still set after applying an empty array, per below.

k get cluster.rds.aws.upbound.io/example-ce -o yaml
apiVersion: rds.aws.upbound.io/v1beta1
kind: Cluster
metadata:
  annotations:
    crossplane.io/external-create-pending: "2024-05-01T20:21:30Z"
    crossplane.io/external-create-succeeded: "2024-05-01T20:21:30Z"
    crossplane.io/external-name: example-ce
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rds.aws.upbound.io/v1beta1","kind":"Cluster","metadata":{"annotations":{"meta.upbound.io/example-id":"rds/v1beta1/clusterendpoint"},"labels":{"testing.upbound.io/example-name":"default-ce"},"name":"example-ce"},"spec":{"forProvider":{"enabledCloudwatchLogsExports":[],"engine":"aurora-postgresql","manageMasterUserPassword":true,"masterUsername":"cpadmin","region":"us-west-1","skipFinalSnapshot":true},"writeConnectionSecretToRef":{"name":"sample-rds-cluster-secret","namespace":"upbound-system"}}}
    meta.upbound.io/example-id: rds/v1beta1/clusterendpoint
  creationTimestamp: "2024-05-01T20:21:30Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 6
  labels:
    testing.upbound.io/example-name: default-ce
  name: example-ce
  resourceVersion: "46846"
  uid: 532eb99c-47fd-4530-934b-a17e3aead6db
spec:
  deletionPolicy: Delete
  forProvider:
    allocatedStorage: 1
    availabilityZones:
    - us-west-1b
    - us-west-1c
    backupRetentionPeriod: 1
    dbClusterParameterGroupName: default.aurora-postgresql15
    dbSubnetGroupName: default
    deleteAutomatedBackups: true
    enabledCloudwatchLogsExports:
    - postgresql
    engine: aurora-postgresql
    engineMode: provisioned
    engineVersion: "15.4"
    manageMasterUserPassword: true
    masterUsername: cpadmin
    networkType: IPV4
    port: 5432
    preferredBackupWindow: 06:58-07:28
    preferredMaintenanceWindow: tue:06:26-tue:06:56
    region: us-west-1
    skipFinalSnapshot: true
    tags:
      crossplane-kind: cluster.rds.aws.upbound.io
      crossplane-name: example-ce
      crossplane-providerconfig: default
  initProvider: {}
  managementPolicies:
  - '*'
  providerConfigRef:
    name: default
  writeConnectionSecretToRef:
    name: sample-rds-cluster-secret
    namespace: upbound-system
status:
  atProvider:
    allocatedStorage: 1
    arn: arn:aws:rds:us-west-1:218131738736:cluster:example-ce
    availabilityZones:
    - us-west-1b
    - us-west-1c
    backtrackWindow: 0
    backupRetentionPeriod: 1
    clusterResourceId: cluster-UR7HFRWZEZHJNWQPX3HQ2HOS7U
    copyTagsToSnapshot: false
    dbClusterInstanceClass: ""
    dbClusterParameterGroupName: default.aurora-postgresql15
    dbSubnetGroupName: default
    dbSystemId: ""
    deleteAutomatedBackups: true
    deletionProtection: false
    enableGlobalWriteForwarding: false
    enableHttpEndpoint: false
    enabledCloudwatchLogsExports:
    - postgresql
    endpoint: example-ce.cluster-cp00ewyprrnv.us-west-1.rds.amazonaws.com
    engine: aurora-postgresql
    engineMode: provisioned
    engineVersion: "15.4"
    engineVersionActual: "15.4"
    globalClusterIdentifier: ""
    hostedZoneId: Z10WI91S59XXQN
    iamDatabaseAuthenticationEnabled: false
    id: example-ce
    iops: 0
    kmsKeyId: ""
    manageMasterUserPassword: true
    masterUserSecret:
    - kmsKeyId: arn:aws:kms:us-west-1:218131738736:key/65b01394-d118-4176-b3c6-562bec1ccf2e
      secretArn: arn:aws:secretsmanager:us-west-1:218131738736:secret:rds!cluster-3dcfdc5b-cfb7-40aa-969e-6313d85708ab-tL8TsT
      secretStatus: active
    masterUsername: cpadmin
    networkType: IPV4
    port: 5432
    preferredBackupWindow: 06:58-07:28
    preferredMaintenanceWindow: tue:06:26-tue:06:56
    readerEndpoint: example-ce.cluster-ro-cp00ewyprrnv.us-west-1.rds.amazonaws.com
    replicationSourceIdentifier: ""
    skipFinalSnapshot: true
    storageEncrypted: false
    storageType: ""
    tags:
      crossplane-kind: cluster.rds.aws.upbound.io
      crossplane-name: example-ce
      crossplane-providerconfig: default
    tagsAll:
      crossplane-kind: cluster.rds.aws.upbound.io
      crossplane-name: example-ce
      crossplane-providerconfig: default
    vpcSecurityGroupIds:
    - sg-e733d3af
  conditions:
  - lastTransitionTime: "2024-05-01T20:22:15Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-05-01T20:21:30Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2024-05-01T20:22:13Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation

Conversely, when starting with a new cluster and applying an empty array, the enabledCloudwatchLogsExports array is in the request map and absent from the atProvider fields.

apiVersion: rds.aws.upbound.io/v1beta1
kind: Cluster
metadata:
  annotations:
    crossplane.io/external-create-pending: "2024-05-01T20:36:56Z"
    crossplane.io/external-create-succeeded: "2024-05-01T20:36:56Z"
    crossplane.io/external-name: example-ce
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rds.aws.upbound.io/v1beta1","kind":"Cluster","metadata":{"annotations":{"meta.upbound.io/example-id":"rds/v1beta1/clusterendpoint"},"labels":{"testing.upbound.io/example-name":"default-ce"},"name":"example-ce"},"spec":{"forProvider":{"enabledCloudwatchLogsExports":[],"engine":"aurora-postgresql","manageMasterUserPassword":true,"masterUsername":"cpadmin","region":"us-west-1","skipFinalSnapshot":true},"writeConnectionSecretToRef":{"name":"sample-rds-cluster-secret","namespace":"upbound-system"}}}
    meta.upbound.io/example-id: rds/v1beta1/clusterendpoint
  creationTimestamp: "2024-05-01T20:36:56Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 3
  labels:
    testing.upbound.io/example-name: default-ce
  name: example-ce
  resourceVersion: "48453"
  uid: b5e5b4d0-22ab-4e4d-bb6e-44a04a3d4078
spec:
  deletionPolicy: Delete
  forProvider:
    allocatedStorage: 1
    availabilityZones:
    - us-west-1b
    - us-west-1c
    backupRetentionPeriod: 1
    dbClusterParameterGroupName: default.aurora-postgresql15
    dbSubnetGroupName: default
    deleteAutomatedBackups: true
    engine: aurora-postgresql
    engineMode: provisioned
    engineVersion: "15.4"
    manageMasterUserPassword: true
    masterUsername: cpadmin
    networkType: IPV4
    port: 5432
    preferredBackupWindow: 09:02-09:32
    preferredMaintenanceWindow: mon:09:43-mon:10:13
    region: us-west-1
    skipFinalSnapshot: true
    tags:
      crossplane-kind: cluster.rds.aws.upbound.io
      crossplane-name: example-ce
      crossplane-providerconfig: default
  initProvider: {}
  managementPolicies:
  - '*'
  providerConfigRef:
    name: default
  writeConnectionSecretToRef:
    name: sample-rds-cluster-secret
    namespace: upbound-system
status:
  atProvider:
    allocatedStorage: 1
    arn: arn:aws:rds:us-west-1:218131738736:cluster:example-ce
    availabilityZones:
    - us-west-1b
    - us-west-1c
    backtrackWindow: 0
    backupRetentionPeriod: 1
    clusterResourceId: cluster-FLOH7SKAAPV4FF6OR2PJKIS5CI
    copyTagsToSnapshot: false
    dbClusterInstanceClass: ""
    dbClusterParameterGroupName: default.aurora-postgresql15
    dbSubnetGroupName: default
    dbSystemId: ""
    deleteAutomatedBackups: true
    deletionProtection: false
    enableGlobalWriteForwarding: false
    enableHttpEndpoint: false
    endpoint: example-ce.cluster-cp00ewyprrnv.us-west-1.rds.amazonaws.com
    engine: aurora-postgresql
    engineMode: provisioned
    engineVersion: "15.4"
    engineVersionActual: "15.4"
    globalClusterIdentifier: ""
    hostedZoneId: Z10WI91S59XXQN
    iamDatabaseAuthenticationEnabled: false
    id: example-ce
    iops: 0
    kmsKeyId: ""
    manageMasterUserPassword: true
    masterUserSecret:
    - kmsKeyId: arn:aws:kms:us-west-1:218131738736:key/65b01394-d118-4176-b3c6-562bec1ccf2e
      secretArn: arn:aws:secretsmanager:us-west-1:218131738736:secret:rds!cluster-bb3dae8d-cce6-480e-8b9d-24504c736336-dn79Cu
      secretStatus: active
    masterUsername: cpadmin
    networkType: IPV4
    port: 5432
    preferredBackupWindow: 09:02-09:32
    preferredMaintenanceWindow: mon:09:43-mon:10:13
    readerEndpoint: example-ce.cluster-ro-cp00ewyprrnv.us-west-1.rds.amazonaws.com
    replicationSourceIdentifier: ""
    skipFinalSnapshot: true
    storageEncrypted: false
    storageType: ""
    tags:
      crossplane-kind: cluster.rds.aws.upbound.io
      crossplane-name: example-ce
      crossplane-providerconfig: default
    tagsAll:
      crossplane-kind: cluster.rds.aws.upbound.io
      crossplane-name: example-ce
      crossplane-providerconfig: default
    vpcSecurityGroupIds:
    - sg-e733d3af
  conditions:
  - lastTransitionTime: "2024-05-01T20:38:01Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-05-01T20:36:56Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2024-05-01T20:37:59Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation
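A drift check for the symptom reproduced above (the original steps and this comment's two kubectl dumps), added here as an example and not code from the issue or from the provider. It reads the `kubectl get ... -o json` form of the MR and flags the case where the last-applied manifest says `[]` but status.atProvider still lists exported log types, even though the Synced condition is True; the sample MRs are constructed to mirror the two dumps above, and `make_mr` and `check_log_export_drift` are names chosen for this example.

```python
import json

FIELD = "enabledCloudwatchLogsExports"
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def make_mr(name, last_applied, spec, observed):
    """Build a constructed MR in the shape of `kubectl get ... -o json` (sample data, not real output)."""
    return {
        "apiVersion": "rds.aws.upbound.io/v1beta1", "kind": "Cluster",
        "metadata": {"name": name, "annotations": {
            LAST_APPLIED: json.dumps({"spec": {"forProvider": last_applied}})}},
        "spec": {"forProvider": spec},
        "status": {"atProvider": observed,
                   "conditions": [{"type": "Synced", "status": "True"},
                                  {"type": "Ready", "status": "True"}]},
    }

def intended_value(mr):
    """Field value the user last applied (from kubectl's annotation); None if never asserted."""
    raw = mr["metadata"].get("annotations", {}).get(LAST_APPLIED)
    if raw is None:
        return None
    return json.loads(raw).get("spec", {}).get("forProvider", {}).get(FIELD)

def is_synced(mr):
    return any(c.get("type") == "Synced" and c.get("status") == "True"
               for c in mr.get("status", {}).get("conditions", []))

def check_log_export_drift(mr):
    """Compare applied intent with what AWS reports; Synced=True alone does not prove the change landed."""
    intended = intended_value(mr)
    spec = mr.get("spec", {}).get("forProvider", {}).get(FIELD)
    observed = mr.get("status", {}).get("atProvider", {}).get(FIELD) or []
    report = {"name": mr["metadata"]["name"], "intended": intended, "spec": spec,
              "observed": sorted(observed), "synced": is_synced(mr), "drift": False}
    if intended is None:  # field omitted in the applied manifest: nothing to enforce
        return report
    # An explicit [] means "no exports"; any log type still reported by AWS is drift.
    report["drift"] = sorted(intended) != sorted(observed)
    return report

# Constructed samples mirroring the two kubectl dumps in this issue (not copied cluster output).
STUCK_MR = make_mr("example-ce", {FIELD: []}, {FIELD: ["postgresql"]}, {FIELD: ["postgresql"]})
FRESH_MR = make_mr("example-ce", {FIELD: []}, {}, {})

if __name__ == "__main__":
    for mr in (STUCK_MR, FRESH_MR):
        print(json.dumps(check_log_export_drift(mr)))
```

Running this against a live cluster means feeding it `kubectl get cluster.rds.aws.upbound.io/<name> -o json`; a Synced=True resource that still reports drift=True is exactly the state shown in the first dump.
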

humoflife commented 2 months ago

When the enabledCloudwatchLogsExports field is omitted entirely, which is possible through function-go-templating, the external resource array is cleared and logging stops.

turkenf commented 1 month ago

Hi @humoflife, thank you for bringing up this issue. Is this still valid with provider version 1.4.0?