Closed waterfoul closed 1 month ago
Hi @waterfoul,
Thank you for raising this issue. I could not reproduce this with the current example manifest.
Could you please share with us your example and reproduction steps?
Hello @turkenf and @waterfoul ,
I'm currently facing the exact same issue with Storage Account management policies. Although the manifest is correct, the Observe phase fails. Apparently, it doesn't have the values for Management Policy Name (that appears as "default"), Storage Account Name (appears as \
Note that I'm using storageAccountIdRef to select the parent Storage Account. Crossplane is able to retrieve the correct storage account and populate the storageAccountId field. In previous tests, I also used storageAccountIdSelector with matchLabels to select the parent Storage Account. The resource was also selected correctly, but the same error happened.
ManagementPolicy manifest:
```yaml
apiVersion: storage.azure.upbound.io/v1beta1
kind: ManagementPolicy
metadata:
  annotations:
    crossplane.io/composition-resource-name: managementpolicy
    crossplane.io/external-name: delete-policy
  labels:
    crossplane.io/claim-name: demostorageaccountnp-delete-policy
    crossplane.io/claim-namespace: connectsupply
    crossplane.io/composite: demostorageaccountnp-delete-policy-2kxwh
    environment: pr
    system: brcsupply
  name: demostorageaccountnp-delete-policy-2kxwh-87wvg
  ownerReferences:
    - apiVersion: nestle.org/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: xmanagementpolicy
      name: demostorageaccountnp-delete-policy-2kxwh
      uid: REDACTED
  resourceVersion: '105278818'
  uid: REDACTED
spec:
  deletionPolicy: Orphan
  forProvider:
    rule:
      - actions:
          - baseBlob:
              - deleteAfterDaysSinceModificationGreaterThan: 5
        enabled: true
        filters:
          - blobTypes:
              - blockBlob
            prefixMatch:
              - br-stage-ext/
        name: br-stage-ext Delete After 5 Days
    storageAccountId: >-
      /subscriptions/REDACTED/resourceGroups/resource-group-one/providers/Microsoft.Storage/storageAccounts/demostorageaccountnp
    storageAccountIdRef:
      name: demostorageaccountnp-s6qtl-j42qv
  initProvider: {}
  managementPolicies:
    - '*'
  providerConfigRef:
    name: azure-prd
status:
  atProvider: {}
  conditions:
    - lastTransitionTime: '2023-12-21T11:24:54Z'
      message: >-
        observe failed: cannot run refresh: refresh failed: retrieving Storage
        Account Management Policy: (Management Policy Name "default" / Storage
        Account Name "<no value>" / Resource Group "<no value>"):
        storage.ManagementPoliciesClient#Get: Failure responding to request:
        StatusCode=403 -- Original Error: autorest/azure: Service returned an
        error. Status=403 Code="AuthorizationFailed" Message="The client
        'REDACTED' with object id
        'REDACTED' does not have authorization to
        perform action
        'Microsoft.Storage/storageAccounts/managementPolicies/read' over scope
        '/subscriptions/REDACTED/resourceGroups/<no
        value>/providers/Microsoft.Storage/storageAccounts/<no
        value>/managementPolicies/default' or the scope is invalid. If access
        was recently granted, please refresh your credentials.":
      reason: ReconcileError
      status: 'False'
      type: Synced
```
In my understanding, the scope shown in the status error is invalid due to the "default" and "no value" parts. That information should be retrieved from the Storage Account. The client mentioned in the error has permission over the scope if the scope were correct.
I have also confirmed that the creation of a management policy through Terraform works correctly with the same information.
Crossplane Version: 1.12.2 Provider Version: 0.37.1 Kubernetes Distribution: AKS
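The error scope above is assembled from the subscription, resource group and account name taken out of `spec.forProvider.storageAccountId`; when any of those segments is missing, the scope ends up with `<no value>` placeholders and ARM reports 403 rather than 404. The following added example (not provider code, written for this thread) parses an ARM storage account ID the way the provider needs it, rejects empty or misplaced segments before any API call is made, and builds the `managementPolicies/default` scope the refresh reads from; the subscription GUID is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// StorageAccountRef holds the parts of an ARM storage account resource ID that
// are needed to build the managementPolicies/default read scope.
type StorageAccountRef struct {
	SubscriptionID string
	ResourceGroup  string
	AccountName    string
}

// ParseStorageAccountID parses an ID of the form
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>.
// Fixed segments are matched case-insensitively (as ARM does); an empty value in
// any variable segment is an error, since it would surface as "<no value>" later.
func ParseStorageAccountID(id string) (StorageAccountRef, error) {
	parts := strings.Split(strings.Trim(strings.TrimSpace(id), "/"), "/")
	if len(parts) != 8 {
		return StorageAccountRef{}, fmt.Errorf("expected 8 segments, got %d in %q", len(parts), id)
	}
	fixed := map[int]string{0: "subscriptions", 2: "resourceGroups", 4: "providers",
		5: "Microsoft.Storage", 6: "storageAccounts"}
	for i, want := range fixed {
		if !strings.EqualFold(parts[i], want) {
			return StorageAccountRef{}, fmt.Errorf("segment %d: want %q, got %q", i, want, parts[i])
		}
	}
	ref := StorageAccountRef{SubscriptionID: parts[1], ResourceGroup: parts[3], AccountName: parts[7]}
	if ref.SubscriptionID == "" || ref.ResourceGroup == "" || ref.AccountName == "" {
		return StorageAccountRef{}, errors.New("empty subscription, resource group or account name")
	}
	return ref, nil
}

// PolicyScope returns the scope the Observe step reads; Azure allows exactly one
// management policy per storage account and it is always named "default".
func PolicyScope(r StorageAccountRef) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/managementPolicies/default",
		r.SubscriptionID, r.ResourceGroup, r.AccountName)
}

func main() {
	// Constructed ID mirroring the manifest in this thread, with a placeholder subscription.
	id := "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-one/providers/Microsoft.Storage/storageAccounts/demostorageaccountnp"
	if ref, err := ParseStorageAccountID(id); err != nil {
		fmt.Println("invalid storageAccountId:", err)
	} else {
		fmt.Println(PolicyScope(ref))
	}
}
```

Running the value from a failing manifest through this check separates a malformed ID (parse error) from a genuine RBAC denial on a well-formed scope.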
Hello folks,
I could not reproduce the issue with the provided information. Could you please share clear reproduction steps with us?
> k get managementpolicy.storage.azure.upbound.io/example -o yaml -w
```yaml
apiVersion: storage.azure.upbound.io/v1beta1
kind: ManagementPolicy
metadata:
  annotations: <redacted>
  creationTimestamp: "2024-01-22T11:48:26Z"
  finalizers:
    - finalizer.managedresource.crossplane.io
  generation: 3
  labels:
    testing.upbound.io/example-name: example
  name: example
  resourceVersion: "152825"
  uid: <redacted>
spec:
  deletionPolicy: Delete
  forProvider:
    rule:
      - actions:
          - baseBlob:
              - deleteAfterDaysSinceModificationGreaterThan: 100
                tierToArchiveAfterDaysSinceModificationGreaterThan: 50
                tierToCoolAfterDaysSinceModificationGreaterThan: 10
            snapshot:
              - deleteAfterDaysSinceCreationGreaterThan: 30
        enabled: true
        filters:
          - blobTypes:
              - blockBlob
            prefixMatch:
              - container1/prefix1
        name: rule1
      - actions:
          - baseBlob:
              - deleteAfterDaysSinceModificationGreaterThan: 101
                tierToArchiveAfterDaysSinceModificationGreaterThan: 51
                tierToCoolAfterDaysSinceModificationGreaterThan: 11
            snapshot:
              - changeTierToArchiveAfterDaysSinceCreation: 90
                changeTierToCoolAfterDaysSinceCreation: 23
                deleteAfterDaysSinceCreationGreaterThan: 31
            version:
              - changeTierToArchiveAfterDaysSinceCreation: 9
                changeTierToCoolAfterDaysSinceCreation: 90
                deleteAfterDaysSinceCreation: 3
        enabled: false
        filters:
          - blobTypes:
              - blockBlob
            prefixMatch:
              - container2/prefix1
              - container2/prefix2
        name: rule2
    storageAccountId: /subscriptions/<redacted>/resourceGroups/example/providers/Microsoft.Storage/storageAccounts/managementpolicy
    storageAccountIdRef:
      name: managementpolicy
    storageAccountIdSelector:
      matchLabels:
        testing.upbound.io/example-name: example
  initProvider: {}
  managementPolicies:
    - '*'
  providerConfigRef:
    name: default
status:
  atProvider:
    <redacted>
  conditions:
    - lastTransitionTime: "2024-01-22T11:56:12Z"
      reason: Available
      status: "True"
      type: Ready
    - lastTransitionTime: "2024-01-22T11:56:12Z"
      reason: UpToDate
      status: "True"
      type: Test
    - lastTransitionTime: "2024-01-22T11:56:12Z"
      reason: Success
      status: "True"
      type: LastAsyncOperation
    - lastTransitionTime: "2024-01-22T11:56:12Z"
      reason: ReconcileSuccess
      status: "True"
      type: Synced
```
Hi! I'm facing a similar issue when I configure a private endpoint and set publicNetworkAccessEnabled: false. Look at this: https://support.hashicorp.com/hc/en-us/articles/21805143295379-AzureRM-Service-returned-error-StatusCode-403-ErrorCode-AuthorizationFailure-When-Public-Network-Access-Disabled or this: https://github.com/hashicorp/terraform-provider-azurerm/issues/2977
This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.
This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!
What happened?
Creating a storage management policy results in the following error. The entries are the only modification. The "no value" entries are part of the error on the server.
How can we reproduce it?
Create a ManagementPolicy.storage.azure.upbound.io management policy
What environment did it happen in?