crossplane-contrib / provider-upjet-gcp

Official GCP Provider for Crossplane by Upbound.
Apache License 2.0

[Bug]: Unable to Update ServiceAccountIAMMember #518

Open brais-real-edo opened 2 months ago

brais-real-edo commented 2 months ago

Is there an existing issue for this?

Affected Resource(s)

cloudplatform.gcp.upbound.io/v1beta1 - ServiceAccountIAMMember

Resource MRs required to reproduce the bug

No response

Steps to Reproduce

Apply this manifest:

apiVersion: cloudplatform.gcp.upbound.io/v1beta1
kind: ServiceAccountIAMMember
metadata:
  labels:
   ....
  name: ....
spec:
  forProvider:
    member: 'serviceAccount:project.svc.id.goog[ns/ksa1]'
    role: roles/iam.workloadIdentityUser
    serviceAccountIdSelector:
      matchLabels:
        ....
  providerConfigRef:
    name: ...

The resource is created correctly. Once it is created, apply an updated version of the same resource, changing spec.forProvider.member:

apiVersion: cloudplatform.gcp.upbound.io/v1beta1
kind: ServiceAccountIAMMember
metadata:
  labels:
   ....
  name: ....
spec:
  forProvider:
    member: 'serviceAccount:project.svc.id.goog[ns/ksa2]'
    role: roles/iam.workloadIdentityUser
    serviceAccountIdSelector:
      matchLabels:
        ....
  providerConfigRef:
    name: ... 

What happened?

Object isn't updated and shows the following error in Status:

 conditions:
    - lastTransitionTime: '2024-04-29T17:01:55Z'
      message: >-
        update failed: async update failed: refuse to update the external
        resource because the following update requires replacing it: cannot
        change the value of the argument "member" from
        "serviceAccount:project.svc.id.goog[ns/ksa1]" to
        "serviceAccount:project.svc.id.goog[ns/ksa2]"
      reason: ReconcileError
      status: 'False'
      type: Synced
    - lastTransitionTime: '2024-04-29T16:52:36Z'
      reason: Available
      status: 'True'
      type: Ready
    - lastTransitionTime: '2024-04-29T17:01:55Z'
      message: >-
        async update failed: refuse to update the external resource because the
        following update requires replacing it: cannot change the value of the
        argument "member" from
        "serviceAccount:project.svc.id.goog[ns/ksa1]" to
        "serviceAccount:project.svc.id.goog[ns/ksa2]"
      reason: AsyncUpdateFailure
      status: 'False'
      type: LastAsyncOperation

Relevant Error Output Snippet

Now, if we try to delete the resource, we get a 404:

conditions:
    - lastTransitionTime: '2024-04-29T15:48:11Z'
      message: >-
        delete failed: async delete failed: failed to delete the resource: [{0
        Error retrieving IAM policy for service account '': googleapi: got HTTP
        response code 404 with body: <!DOCTYPE html>

        <html lang=en>
          <meta charset=utf-8>
          <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
          <title>Error 404 (Not Found)!!1</title>
          <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
          <p><b>404.</b> <ins>That’s an error.</ins>
          <p>The requested URL <code>/v1/:getIamPolicy?alt=json&amp;options.requestedPolicyVersion=3&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>
          []}]
      reason: ReconcileError
      status: 'False'
      type: Synced
    - lastTransitionTime: '2024-04-29T17:08:01Z'
      reason: Deleting
      status: 'False'
      type: Ready
    - lastTransitionTime: '2024-04-29T15:48:11Z'
      message: >-
        async delete failed: failed to delete the resource: [{0 Error retrieving
        IAM policy for service account '': googleapi: got HTTP response code 404
        with body: <!DOCTYPE html>

        <html lang=en>
          <meta charset=utf-8>
          <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
          <title>Error 404 (Not Found)!!1</title>
          <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
          <p><b>404.</b> <ins>That’s an error.</ins>
          <p>The requested URL <code>/v1/:getIamPolicy?alt=json&amp;options.requestedPolicyVersion=3&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>
          []}]

Before trying to update it, the object could be removed successfully.

Crossplane Version

1.15.0

Provider Version

1.1.0

Kubernetes Version

Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.12", GitCommit:"12031002905c0410706974560cbdf2dad9278919", GitTreeState:"clean", BuildDate:"2024-03-15T02:15:31Z", GoVersion:"go1.21.8", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.11-gke.1062000", GitCommit:"d08e2b8d118069b27c15a6a241af87c9bbba7fdc", GitTreeState:"clean", BuildDate:"2024-02-26T09:17:18Z", GoVersion:"go1.21.7 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}

Kubernetes Distribution

GKE

Additional Info

No response
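
Added example, not part of the original issue or the provider's code: a check over a managed resource's status conditions (the structure `kubectl get ... -o json` returns) that flags the refused update reported above, where the spec asks for a new IAM member while the provider reports the old value as current and Ready stays True. The function name, field names and resource name are constructed for illustration; the message text is the one quoted in the report.

```python
import json
import re

# Refusal text as quoted in the issue's status conditions.
REFUSAL = re.compile(
    r'cannot\s+change\s+the\s+value\s+of\s+the\s+argument\s+"(?P<arg>[^"]+)"\s+'
    r'from\s+"(?P<old>[^"]+)"\s+to\s+"(?P<new>[^"]+)"')

def stuck_iam_updates(resource):
    """Return one finding per distinct refused immutable-field update."""
    conditions = resource.get("status", {}).get("conditions", [])
    ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                for c in conditions)
    findings, seen = [], set()
    for cond in conditions:
        m = REFUSAL.search(cond.get("message", ""))
        if cond.get("status") != "False" or not m:
            continue
        key = (m["arg"], m["old"], m["new"])
        if key in seen:  # Synced and LastAsyncOperation carry the same text
            continue
        seen.add(key)
        findings.append({
            "name": resource.get("metadata", {}).get("name"),
            "argument": m["arg"],
            "current_value": m["old"],   # value the provider reports as current
            "desired_value": m["new"],   # value the spec asks for
            "ready_reported": ready,     # Ready=True can hide the refused change
        })
    return findings

# Constructed sample: conditions from the report, with a placeholder name.
MSG = ('async update failed: refuse to update the external resource because the '
       'following update requires replacing it: cannot change the value of the '
       'argument "member" from "serviceAccount:project.svc.id.goog[ns/ksa1]" to '
       '"serviceAccount:project.svc.id.goog[ns/ksa2]"')
SAMPLE = {
    "metadata": {"name": "example-binding"},  # constructed name
    "status": {"conditions": [
        {"type": "Synced", "status": "False", "message": "update failed: " + MSG},
        {"type": "Ready", "status": "True", "reason": "Available"},
        {"type": "LastAsyncOperation", "status": "False", "message": MSG},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(stuck_iam_updates(SAMPLE), indent=2))
```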