crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

IdentityProviderConfig changes force a lifecycle_destroy #850

Open stevendborrelli opened 1 year ago

stevendborrelli commented 1 year ago

What problem are you facing?

Changes made to an IdentityProviderConfig cause the resource to be stuck in a lifecycle_destroy state. The resource should either be immutable or allow the recreation (which is currently against the XRM spec):

apiVersion: eks.aws.upbound.io/v1beta1
kind: IdentityProviderConfig
metadata:
  name: oidc-test
spec:
  deletionPolicy: Delete
  forProvider:
    oidc:
      - clientId: {{ your client id here }}
        groupsClaim: roles  # We are attempting to change this to groups
        issuerUrl: {{ issuerURL here }}
        usernameClaim: upn

Causes a lifecycle_destroy error:

message: 'observe failed: cannot run plan: plan failed: Instance cannot be destroyed Resource aws_eks_identity_provider_config.use1-icp-internal-dev-rapid has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.'

How could Official AWS Provider help solve your problem?

Resources should check for ForceNew fields and either reject changes, or allow the user the option to recreate/destroy.
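One way such a ForceNew check could look, as an added example that is not part of the original post and is not upjet or provider code. The `forceNew` table, the flattened path names, and the `ImmutableChanges` and `Decide` functions are hypothetical; only the `groupsClaim` behaviour comes from the error shown above.

```go
package main

import (
	"fmt"
	"sort"
)

// forceNew marks flattened parameter paths that cannot be updated in place.
// Hypothetical, hand-written table: only oidc.groupsClaim is confirmed by the
// plan error on this page; the other entries are assumptions for the example.
var forceNew = map[string]bool{
	"oidc.groupsClaim":   true,
	"oidc.clientId":      true,
	"oidc.issuerUrl":     true,
	"oidc.usernameClaim": true,
	"tags.team":          false,
}

// ImmutableChanges returns, sorted, the ForceNew paths whose desired value
// differs from the observed one. Paths not yet observed are skipped, since
// nothing exists that would have to be destroyed.
func ImmutableChanges(observed, desired map[string]string) []string {
	var changed []string
	for path, want := range desired {
		if have, ok := observed[path]; forceNew[path] && ok && have != want {
			changed = append(changed, path)
		}
	}
	sort.Strings(changed)
	return changed
}

// Decide rejects a change to ForceNew paths unless recreation was opted into.
func Decide(observed, desired map[string]string, allowRecreate bool) (string, error) {
	changed := ImmutableChanges(observed, desired)
	switch {
	case len(changed) == 0:
		return "update", nil
	case allowRecreate:
		return "recreate", nil
	}
	return "", fmt.Errorf("immutable fields changed: %v", changed)
}

func main() {
	// Constructed sample mirroring the manifest above: groupsClaim roles -> groups.
	observed := map[string]string{"oidc.groupsClaim": "roles", "oidc.usernameClaim": "upn"}
	desired := map[string]string{"oidc.groupsClaim": "groups", "oidc.usernameClaim": "upn"}
	fmt.Println(Decide(observed, desired, false))
	fmt.Println(Decide(observed, desired, true))
}
```

Rejecting the change up front surfaces the immutable field by name instead of leaving the resource stuck behind the prevent_destroy plan error.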

haarchri commented 1 year ago

This issue we need to fix in upjet?

stevendborrelli commented 1 year ago

@haarchri yes, I believe it should be enforced there or at the XP level. Opened here to track the precise issue we encountered.

stevendborrelli commented 1 year ago

Related issue https://github.com/upbound/upjet/issues/78

yebolenko commented 9 months ago

The same also happens for the Kinesis Stream resource. Once it's created, it cannot be destroyed, with the same error: Instance cannot be destroyed Resource lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.'

github-actions[bot] commented 5 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

yebolenko commented 5 months ago

Any update?

github-actions[bot] commented 2 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

haarchri commented 2 months ago

/fresh