crossplane-contrib / provider-upjet-azure

Official Azure Provider for Crossplane by Upbound.
Apache License 2.0

[Bug]: Subscription use aliases to observe external resource #709

Closed chatelain-io closed 2 months ago

chatelain-io commented 2 months ago


Affected Resource(s)

azure.upbound.io/v1beta1 - Subscription

Resource MRs required to reproduce the bug

---
apiVersion: azure.upbound.io/v1beta1
kind: Subscription
metadata:
  annotations:
    crossplane.io/external-name: subscription-id
spec:
  managementPolicies:
  - Observe
  providerConfigRef:
    name: provider-subscription-id
  forProvider: {}

Steps to Reproduce

First case:

Second case:

What happened?

First case:

The subscription has no alias, cannot be retrieved.

ReconcileError: observe failed: external resource does not exist

Second case:

The owner of the subscription does not have the required permission Microsoft.Subscription/aliases/write.

ReconcileError: observe failed: failed to observe the resource: [{0 reading Subscription Alias "alias_name": subscriptions.SubscriptionsClient#AliasGet: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/write over scope providers/Microsoft.Subscription/aliases/alias_name" []}]

Relevant Error Output Snippet

No response

Crossplane Version

1.15.1

Provider Version

1.0.1

Kubernetes Version

1.29

Kubernetes Distribution

AKS

Additional Info

There are many ways of creating a subscription in Azure, either with an Enterprise Agreement, Pay-as-you-go, or Customer Agreement, and they differ in how the delegation of permissions to a user is done. For example, with an EA agreement you need to delegate the creation of the subscription to an enrolment account, but with Pay-as-you-go you can directly assign a user.

I think an Owner or even a Reader should be able to read the subscription without having to give them the Microsoft.Subscription/aliases/write permission.

There is also the possibility to create a subscription without an alias, so in that case the MR does not work.

In externalname.go, azurerm_subscription should not use the alias but the subscription id as the external name.

turkenf commented 2 months ago

Hi @chatelain-io, thank you for this issue. Please correct me if I'm wrong, but you cannot import existing resources by setting managementPolicies only to Observe, right?

chatelain-io commented 2 months ago

Indeed, to import it requires an alias.

turkenf commented 2 months ago

Yes, this is the same as the underlying provider, resource_id is used for import and there is an alias in the ID.
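The mapping described above (the import ID carries the alias, so the MR's external name must be the alias and a bare subscription id cannot be observed), written out as an added Go example; this is not the provider's own externalname.go. The path prefix is the azurerm_subscription import ID format, and the GUID pattern check is an assumption added to flag the "no alias" case from the issue body.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// aliasIDPrefix is the import ID prefix for azurerm_subscription in the
// underlying Terraform provider: the ID names an alias, not a subscription GUID.
const aliasIDPrefix = "/providers/Microsoft.Subscription/aliases/"

// subscriptionGUID matches a bare Azure subscription id (assumption: the value
// a user is likely to put into crossplane.io/external-name by mistake).
var subscriptionGUID = regexp.MustCompile(`^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$`)

// IDFromExternalName builds the provider-side ID from the MR's external name.
// It rejects a subscription GUID, which is the issue's first case: with no
// alias there is nothing the alias lookup can find.
func IDFromExternalName(externalName string) (string, error) {
	name := strings.TrimSpace(externalName)
	if name == "" {
		return "", fmt.Errorf("external-name is empty")
	}
	if subscriptionGUID.MatchString(name) {
		return "", fmt.Errorf("external-name %q is a subscription id; azurerm_subscription expects the alias", name)
	}
	if strings.Contains(name, "/") {
		return "", fmt.Errorf("external-name %q must be the bare alias, not a path", name)
	}
	return aliasIDPrefix + name, nil
}

// ExternalNameFromID is the reverse mapping, applied to an ID read back from state.
func ExternalNameFromID(id string) (string, error) {
	if !strings.HasPrefix(id, aliasIDPrefix) {
		return "", fmt.Errorf("id %q is not a subscription alias id", id)
	}
	alias := strings.TrimPrefix(id, aliasIDPrefix)
	if alias == "" {
		return "", fmt.Errorf("id %q has no alias segment", id)
	}
	return alias, nil
}

func main() {
	// Constructed inputs: an alias, the MR placeholder, and a zero GUID.
	for _, n := range []string{"alias_name", "subscription-id", "00000000-0000-0000-0000-000000000000"} {
		id, err := IDFromExternalName(n)
		fmt.Printf("%-40s -> id=%q err=%v\n", n, id, err)
	}
}
```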

chatelain-io commented 2 months ago

Alright, I guess this is not a bug then. Thank you