Open jason-odess opened 1 year ago
I used the example from marketplace and I could not reproduce the issue in my environment in the 0.32.1 version. Could you please send the entire manifest that you used while observing the issue?
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
annotations:
meta.upbound.io/example-id: sagemaker/v1beta1/app
labels:
testing.upbound.io/example-name: example
name: jo-test-role
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "sagemaker.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
providerConfigRef:
name: provider-config-aws-ets-shared-np
@jason-odess could you show the apiVersion
you are using?
Apologies for the cut/paste miss there:
apiVersion: iam.aws.upbound.io/v1beta1
I am unable to duplicate this issue on my local Kind cluster.
kubectl version --short
Client Version: v1.26.3
Kustomize Version: v4.5.7
Server Version: v1.25.3
kubectl get provider.pkg
NAME INSTALLED HEALTHY PACKAGE AGE
provider-aws True True xpkg.upbound.io/upbound/provider-aws:v0.32.1 3h59m
manifest:
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
annotations:
meta.upbound.io/example-id: sagemaker/v1beta1/app
labels:
testing.upbound.io/example-name: example
name: jo-test-role
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "sagemaker.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
result:
kubectl get -f role1.yaml
NAME READY SYNCED EXTERNAL-NAME AGE
jo-test-role True True jo-test-role 11m
After some digging, I found that the issue was not actually with the tags on the managed resource I was trying to deploy, but rather the tags on the providerConfig that I was referencing in the claim.
This provider config has not changed between 0.31.0 and 0.32.1, so we'll need to understand why those tags are causing the problem.
---
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: provider-config-aws-test
spec:
assumeRoleChain:
- externalID: crossplane-deployment-role
roleARN: arn:aws:iam::191135509750:role/caas-crossplane-eks/caas-iam-eks-deploy-role
tags:
- key: deployment_guid
value: 40b4c6b5-14c6-47a4-92c9-b7e4eeef7ef5
transitiveTagKeys:
- deployment_guid
credentials:
secretRef:
key: creds
name: crossplane-iam-user
namespace: uxp-system
source: Secret
This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale
. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh
will mark this issue as not stale.
What happened?
Creating AWS resources with Provider-AWS 0.32.1 fails on EKS 1.23
How can we reproduce it?
Using example from: https://marketplace.upbound.io/providers/upbound/provider-aws/v0.32.1/resources/iam.aws.upbound.io/Role/v1beta1
`Last Transition Time: 2023-04-12T15:14:50Z Message: observe failed: cannot run refresh: refresh failed: Incorrect attribute value type: Inappropriate value for attribute "tags": map of string required. Reason: ReconcileError Status: False Type: Synced Events: Type Reason Age From Message
Warning CannotInitializeManagedResource 37m managed/iam.aws.upbound.io/v1beta1, kind=role Operation cannot be fulfilled on roles.iam.aws.upbound.io "jo-test-role": the object has been modified; please apply your changes to the latest version and try again Warning CannotObserveExternalResource 118s (x41 over 37m) managed/iam.aws.upbound.io/v1beta1, kind=role cannot run refresh: refresh failed: Incorrect attribute value type: Inappropriate value for attribute "tags": map of string required.`
Same manifest applied to a cluster running 0.31.0 results in `Events: Type Reason Age From Message
Normal CreatedExternalResource 47s managed/iam.aws.upbound.io/v1beta1, kind=role Successfully requested creation of external resource`
What environment did it happen in?