crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0
137 stars 117 forks

Parameter.ssm.aws.upbound.io - want to observe value for use in composites #808

Open patrickleet opened 11 months ago

patrickleet commented 11 months ago

What happened?

https://marketplace.upbound.io/providers/upbound/provider-aws-ssm/v0.38.0/resources/ssm.aws.upbound.io/Parameter/v1beta1

I want to observe a value from the AWS parameter store and use it in a composite.

My plan was to use managementPolicy with ObserveOnly, which is now managementPolicies with Observe.

However this did not work in a number of ways:

  1. What I hoped would work:
    apiVersion: ssm.aws.upbound.io/v1beta1
    kind: Parameter
    metadata:
      name: test-param
      annotations:
        crossplane.io/external-name: /infra/network/devops-xdp-vpc/VpcId
    spec:
      managementPolicies:
        - Observe
      forProvider:
        region: us-east-1
        type: String

I was hoping with this atProvider would be filled in with insecureValue, but it does not have that value:

    > kubectl get parameters.ssm.aws.upbound.io test-param -o yaml | yq .status.atProvider
    allowedPattern: ""
    arn: arn:aws:ssm:us-east-1:xxx:parameter/infra/network/devops-xdp-vpc/VpcId
    dataType: text
    description: String
    id: /infra/network/devops-xdp-vpc/VpcId
    keyId: ""
    tags:
      crossplane-kind: parameter.ssm.aws.upbound.io
      crossplane-name: xdp-vpc-id
      crossplane-providerconfig: default
    tagsAll:
      crossplane-kind: parameter.ssm.aws.upbound.io
      crossplane-name: xdp-vpc-id
      crossplane-providerconfig: default
    tier: Standard
    type: String
    version: 2

I tried adding forProvider.insecureValue to anything to try to trick it to display that value but that did not work.

Next I tried just import via external name:

    apiVersion: ssm.aws.upbound.io/v1beta1
    kind: Parameter
    metadata:
      name: test-param
      annotations:
        crossplane.io/external-name: /infra/network/devops-xdp-vpc/VpcId
    spec:
      deletionPolicy: Orphan
      forProvider:
        region: us-east-1
        type: String

which results in

    status:
      atProvider: {}
      conditions:
      - lastTransitionTime: "2023-08-02T23:05:14Z"
        message: |-
          observe failed: cannot run refresh: refresh failed: Invalid combination of arguments: "insecure_value": one of `insecure_value,value` must be specified
          Invalid combination of arguments: "value": one of `insecure_value,value` must be specified
        reason: ReconcileError
        status: "False"
        type: Synced

If I set insecureValue at this point though it'll overwrite what I'm trying to read.

How can we reproduce it?

Try the configs I posted above to create Parameters that reference a path in AWS SSM Parameters Store as readonly to be able to access the value and use in composites.

What environment did it happen in?

Client Version: v1.25.2
Kustomize Version: v4.5.7
Server Version: v1.26.3+k3s1

patrickleet commented 11 months ago

There was more conversation about this here https://crossplane.slack.com/archives/C01718T2476/p1691008466503949

patrickleet commented 11 months ago

Adding

    insecureValue: placeholder
    overwrite: false

seems to get the desired result but isn't intuitive.

github-actions[bot] commented 3 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.