crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

[Bug]: The AWS WAF classic IPSet resource is stuck and not deleted when the Claim or XR is deleted. #1369

Open MichaelRSilva opened 1 week ago

MichaelRSilva commented 1 week ago

Is there an existing issue for this?

Affected Resource(s)

Resource MRs required to reproduce the bug

```yaml
...
resources:
    - name: rule
      base:
        apiVersion: waf.aws.upbound.io/v1beta1
        kind: Rule
        metadata:
          annotations:
            meta.upbound.io/example-id: waf/v1beta1/rule
          labels:
            testing.upbound.io/example-name: wafrule
          name: wafrule
        spec:
          forProvider:
            metricName: tfWAFRule
            name: tfWAFRule
            predicates:
            - dataIdSelector:
                matchLabels:
                  testing.upbound.io/example-name: ipset
              negated: false
              type: IPMatch
            region: us-east-1
    - name: ipset
      base:
        apiVersion: waf.aws.upbound.io/v1beta1
        kind: IPSet
        metadata:
          annotations:
            meta.upbound.io/example-id: waf/v1beta1/rule
          labels:
            testing.upbound.io/example-name: ipset
          name: ipset
        spec:
          forProvider:
            ipSetDescriptors:
            - type: IPV4
              value: 192.0.7.0/24
            name: tfIPSet
            region: us-east-1
...
```

Steps to Reproduce

I'm using provider-aws-waf to create an IPSet and a Rule in a composition; the Rule has a predicate pointing to one IPSet. When I delete the claim or XR, the Rule is deleted but the IPSet gets stuck. I can see that the IP addresses inside the IPSet are deleted, but the resource is not.

What happened?

The IPSet should be deleted when a `kubectl delete -f waf-xr.yaml` command is executed, but only the IPSet IPs are deleted; the resource is orphaned and still exists, as can be seen in the console.

Screenshot 2024-06-11 at 04 50 51

When executing the command `kubectl describe ipset`, it is possible to see that there are invalid attempts to delete.

Screenshot 2024-06-11 at 05 02 14

Relevant Error Output Snippet

No response

Crossplane Version

1.16

Provider Version

1.7.0

Kubernetes Version

1.29.4-eks-036c24b

Kubernetes Distribution

EKS

Additional Info

No response