crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

[Bug]: managedPolicyArn array for Role broken in provider-aws-iam #1329

Closed trevoredshelf closed 1 month ago

trevoredshelf commented 1 month ago

Is there an existing issue for this?

Affected Resource(s)

iam.aws.upbound.io/v1beta1 - Role

Resource MRs required to reproduce the bug

apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
  annotations:
    meta.upbound.io/example-id: iam/v1beta1/role
  labels:
    testing.upbound.io/example-name: role
  name: role-with-inline-policy-new
spec:
  forProvider:
    description: test description
    forceDetachPolicies: true
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    managedPolicyArns: [] ## reconciliation doesn't work
    # managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"] ## now reconciliation works
    inlinePolicy:
      - name: my_inline_policy
        policy: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Resource": "*",
                "Action": "ec2:*"
              }
            ]
          }

Steps to Reproduce

  1. kubectl -f apply the manifest above
  2. Add any managed policy to the role
  3. Confirm after poll interval that managed policy was not detached from role

What happened?

In order for the managedPolicyArns array to work, there needs to be at least 1 policy included. If at least one policy exists in the array, Crossplane will successfully reconcile and remove any additional managed policies that get attached to the role. However, if the array is empty, reconciliation fails when managed policies are attached.

Relevant Error Output Snippet

No response

Crossplane Version

1.16.0

Provider Version

1.4.0

Kubernetes Version

No response

Kubernetes Distribution

No response

Additional Info

No response

trevoredshelf commented 1 month ago

Never mind, it looks as though you just need to include an empty string in the empty array for managedPolicyArns to work.

[""] works but [] doesn't. Documentation just needs to be updated.

chlunde commented 1 month ago

@trevoredshelf can you try 1.5.0? I could not reproduce this issue.
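
An independent check for the behaviour reported in this thread, as an added example that is not part of the issue or the provider's code: it compares the managedPolicyArns declared on the Role with what IAM reports as attached, treating `[]` and `[""]` alike, so an out-of-band attachment shows up regardless of which provider version is running. The function names and sample JSON are constructed; the inputs are assumed to be the output of `kubectl get roles.iam.aws.upbound.io <name> -o json` and `aws iam list-attached-role-policies --role-name <name> --output json`, and an omitted field is assumed to mean attachments are not managed exclusively.

```python
import json

ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"


def desired_arns(mr_json):
    """Return the declared policy set, or None when the field is absent."""
    for_provider = json.loads(mr_json).get("spec", {}).get("forProvider", {})
    if "managedPolicyArns" not in for_provider:
        # Assumption: an omitted field means attachments are not managed.
        return None
    # [] and [""] both declare "no managed policies": drop empty placeholders.
    return {arn for arn in (for_provider["managedPolicyArns"] or []) if arn}


def attached_arns(cli_json):
    """Extract policy ARNs from list-attached-role-policies JSON output."""
    return {p["PolicyArn"] for p in json.loads(cli_json).get("AttachedPolicies", [])}


def drift(mr_json, cli_json):
    """Report policies attached but not declared, and declared but not attached."""
    want = desired_arns(mr_json)
    have = attached_arns(cli_json)
    if want is None:
        return {"managed": False, "unexpected": [], "missing": []}
    return {"managed": True,
            "unexpected": sorted(have - want),
            "missing": sorted(want - have)}


def sample_mr(arns):
    """Constructed stand-in for the Role MR JSON; arns=None omits the field."""
    for_provider = {"forceDetachPolicies": True}
    if arns is not None:
        for_provider["managedPolicyArns"] = arns
    return json.dumps({"kind": "Role", "spec": {"forProvider": for_provider}})


# Constructed sample: AdministratorAccess attached outside Crossplane (step 2).
ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN}]})

if __name__ == "__main__":
    for arns in ([], [""], [ADMIN], None):
        print(arns, drift(sample_mr(arns), ATTACHED))
```

A non-empty `unexpected` list that persists past the poll interval means the attachment was not reconciled away.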