grafana / crossplane-provider-grafana

Crossplane provider of https://github.com/grafana/terraform-provider-grafana. Generated by https://github.com/upbound/upjet
Apache License 2.0

Importing AccessPolicyToken Deletes Resource #165

Closed holgerjh closed 3 weeks ago

holgerjh commented 3 weeks ago

Hello,

when importing an existing object of type AccessPolicyToken.cloud.grafana.crossplane.io/v1alpha1 using the crossplane.io/external-name, the remote object gets deleted and the k8s resource will transition into an error state.

Minimal Code Example:

apiVersion: cloud.grafana.crossplane.io/v1alpha1
kind: AccessPolicyToken
metadata:
  annotations:
    crossplane.io/external-name: <region>:<ID>
  name: test-import
spec:
  forProvider:
    accessPolicyId: <ID>
    name: <NAME>
    region: <REGION>
  providerConfigRef:
    name: grafana

Applying this (with replaced IDs etc) will result in deletion of the resource.

Provider logs (with replaced IDs etc):

2024/06/19 08:52:49 [DEBUG] GET https://grafana.com/api/v1/tokens/<ID>?region=<REGION>
2024/06/19 08:52:49 [DEBUG] DELETE https://grafana.com/api/v1/tokens/<ID>?region=<REGION>
2024/06/19 08:52:50 [DEBUG] POST https://grafana.com/api/v1/tokens?region=
2024/06/19 08:52:50 [DEBUG] GET https://grafana.com/api/v1/tokens/<ID>?region=<REGION>
2024/06/19 08:52:50 [DEBUG] GET https://grafana.com/api/v1/tokens/<ID>?region=<REGION>
2024/06/19 08:52:50 [DEBUG] GET https://grafana.com/api/v1/tokens/<ID>?region=<REGION>
2024/06/19 08:52:50 [DEBUG] GET https://grafana.com/api/v1/tokens/<ID>?region=<REGION>

Note that the queried region in line 3 is really empty.

Tested with provider version v.0.17.0.

Expected outcome: Existing resource is imported.

julienduchesne commented 3 weeks ago

Expected outcome is not possible. The secret can only be read at create time, so when you import an existing policy token, it has no secret, which is why Crossplane recreates it.

holgerjh commented 3 weeks ago

Hi Julien, thanks a lot for the clarification, that explains the behaviour. I think in an ideal world we'd transition into some error state that tells us that the intended operation is not possible and the provider would not delete the remote resource.

Closing this since import is not possible.
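
An added example, not part of the thread or the provider's code: a Python check that scans provider debug logs in the format shown in the issue for a DELETE of a resource followed by a POST to the same collection (the delete-and-recreate sequence discussed above) and reports any empty query parameters on that POST. The token IDs and region in the sample log are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the issue's log format; IDs and region are made up.
SAMPLE_LOG = """\
2024/06/19 08:52:49 [DEBUG] GET https://grafana.com/api/v1/tokens/tok-1?region=eu
2024/06/19 08:52:49 [DEBUG] DELETE https://grafana.com/api/v1/tokens/tok-1?region=eu
2024/06/19 08:52:50 [DEBUG] POST https://grafana.com/api/v1/tokens?region=
2024/06/19 08:52:50 [DEBUG] GET https://grafana.com/api/v1/tokens/tok-2?region=eu
"""

LINE = re.compile(r"^(\S+ \S+) \[DEBUG\] (GET|POST|PUT|PATCH|DELETE) (\S+)$")


def parse(log):
    """Yield (timestamp, method, path, query dict) for each HTTP debug line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            url = urlsplit(m.group(3))
            # keep_blank_values so "region=" shows up as an empty value
            yield m.group(1), m.group(2), url.path, parse_qs(url.query, keep_blank_values=True)


def find_recreates(log):
    """Find DELETE <collection>/<id> followed by POST <collection>."""
    findings, deleted = [], {}
    for ts, method, path, query in parse(log):
        if method == "DELETE":
            collection, _, ident = path.rpartition("/")
            deleted[collection] = (ts, ident)
        elif method == "POST" and path in deleted:
            del_ts, ident = deleted.pop(path)
            empty = sorted(k for k, v in query.items() if v == [""])
            findings.append({"collection": path, "deleted_id": ident,
                             "deleted_at": del_ts, "recreated_at": ts,
                             "empty_params": empty})
    return findings


if __name__ == "__main__":
    for finding in find_recreates(SAMPLE_LOG):
        print(finding)
```
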