crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

0.32.1 - Inappropriate value for attribute "tags": map of string required #668

Open jason-odess opened 1 year ago

jason-odess commented 1 year ago

What happened?

Creating AWS resources with Provider-AWS 0.32.1 fails on EKS 1.23

How can we reproduce it?

Using example from: https://marketplace.upbound.io/providers/upbound/provider-aws/v0.32.1/resources/iam.aws.upbound.io/Role/v1beta1

```
Last Transition Time:  2023-04-12T15:14:50Z
Message:               observe failed: cannot run refresh: refresh failed: Incorrect attribute value type: Inappropriate value for attribute "tags": map of string required.
Reason:                ReconcileError
Status:                False
Type:                  Synced
Events:
  Type     Reason                           Age                  From                                            Message
  Warning  CannotInitializeManagedResource  37m                  managed/iam.aws.upbound.io/v1beta1, kind=role  Operation cannot be fulfilled on roles.iam.aws.upbound.io "jo-test-role": the object has been modified; please apply your changes to the latest version and try again
  Warning  CannotObserveExternalResource    118s (x41 over 37m)  managed/iam.aws.upbound.io/v1beta1, kind=role  cannot run refresh: refresh failed: Incorrect attribute value type: Inappropriate value for attribute "tags": map of string required.
```

Same manifest applied to a cluster running 0.31.0 results in:

```
Events:
  Type    Reason                   Age  From                                            Message
  Normal  CreatedExternalResource  47s  managed/iam.aws.upbound.io/v1beta1, kind=role  Successfully requested creation of external resource
```

What environment did it happen in?

sergenyalcin commented 1 year ago

I used the example from marketplace and I could not reproduce the issue in my environment in the 0.32.1 version. Could you please send the entire manifest that you used while observing the issue?

jason-odess commented 1 year ago

```yaml
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
  annotations:
    meta.upbound.io/example-id: sagemaker/v1beta1/app
  labels:
    testing.upbound.io/example-name: example
  name: jo-test-role
spec:
  forProvider:
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "sagemaker.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      }
  providerConfigRef:
    name: provider-config-aws-ets-shared-np
```

ytsarev commented 1 year ago

@jason-odess could you show the apiVersion you are using?

jason-odess commented 1 year ago

Apologies for the cut/paste miss there: `apiVersion: iam.aws.upbound.io/v1beta1`

stevendborrelli commented 1 year ago

I am unable to duplicate this issue on my local Kind cluster.

```
kubectl version --short
Client Version: v1.26.3
Kustomize Version: v4.5.7
Server Version: v1.25.3

kubectl get provider.pkg
NAME            INSTALLED   HEALTHY   PACKAGE                                                    AGE
provider-aws    True        True      xpkg.upbound.io/upbound/provider-aws:v0.32.1               3h59m
```

manifest:

```yaml
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
  annotations:
    meta.upbound.io/example-id: sagemaker/v1beta1/app
  labels:
    testing.upbound.io/example-name: example
  name: jo-test-role
spec:
  forProvider:
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "sagemaker.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      }
```

result:

```
kubectl get -f role1.yaml
NAME           READY   SYNCED   EXTERNAL-NAME   AGE
jo-test-role   True    True     jo-test-role    11m
```

jason-odess commented 1 year ago

After some digging, I found that the issue was not actually with the tags on the managed resource I was trying to deploy, but rather the tags on the providerConfig that I was referencing in the claim.

This provider config has not changed between 0.31.0 and 0.32.1, so we'll need to understand why those tags are causing the problem.


```yaml
---
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: provider-config-aws-test
spec:
  assumeRoleChain:
  - externalID: crossplane-deployment-role
    roleARN: arn:aws:iam::191135509750:role/caas-crossplane-eks/caas-iam-eks-deploy-role
    tags:
      - key: deployment_guid
        value: 40b4c6b5-14c6-47a4-92c9-b7e4eeef7ef5
    transitiveTagKeys:
      - deployment_guid
  credentials:
    secretRef:
      key: creds
      name: crossplane-iam-user
      namespace: uxp-system
    source: Secret
```

github-actions[bot] commented 2 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.