DBInstance update request without change (causes instance to restart in loop)

[nicolasbelanger]

What happened?

• Deployed a DBInstance along with DBParameterGroup, DBSubnetGroup and SecurityGroup
• Sync is ok for DBParameterGroup, DBSubnetGroup and SecurityGroup (External resource is up to date)
• However, some change is detected in DBInstance (Successfully requested update of external resource) forcing an apply and restart of the instance (it goes on forever until provider-aws-controller is shut down)

How can we reproduce it?

spec:
  deletionPolicy: Delete
  forProvider:
    allocatedStorage: 10
    autoMinorVersionUpgrade: true
    autogeneratePassword: true
    availabilityZone: us-east-1a
    backupRetentionPeriod: 1
    copyTagsToSnapshot: true
    dbInstanceClass: db.t2.small
    dbParameterGroupName: <name_here>
    dbSubnetGroupName: <name_here>
    deletionProtection: false
    enableIAMDatabaseAuthentication: true
    enablePerformanceInsights: false
    engine: mysql
    engineVersion: 8.0.28
    finalDBSnapshotIdentifier: <name_here>
    kmsKeyID: >-
      arn:aws:kms:us-east-1:...:key/...
    licenseModel: general-public-license
    masterUserPasswordSecretRef:
      key: master-user-password
      name: <name_here>-dbinstance-master-user-password
      namespace: <namespace_here>
    masterUsername: admin
    maxAllocatedStorage: 100
    multiAZ: false
    port: 3306
    preferredBackupWindow: 04:00-04:59
    preferredMaintenanceWindow: mon:05:00-mon:06:59
    publiclyAccessible: false
    region: us-east-1
    storageEncrypted: true
    storageType: gp2
    tags:
      - key: Name
        value: <name_here>
      - key: env
        value: ...
      - key: appName
        value: ...
      - key: businessUnit
        value: ...
      - key: contact
        value: ...
      - key: product
        value: ...
      - key: role
        value: ...
      - key: service
        value: ...
    vpcSecurityGroupIDRefs:
      - name: <name_here>
    vpcSecurityGroupIDs:
      - sg-...
  providerConfigRef:
    name: aws-provider
  writeConnectionSecretToRef:
    name: <name_here>-dbinstance-conn-string
    namespace: <namespace_here>

Subsequent request as seen in CloudTrail:

 "requestParameters": {
                "dBInstanceIdentifier": "<name_here>",
                "allocatedStorage": 10,
                "dBInstanceClass": "db.t2.small",
                "applyImmediately": false,
                "dBParameterGroupName": "<name_here>",
                "backupRetentionPeriod": 1,
                "preferredBackupWindow": "04:00-04:59",
                "preferredMaintenanceWindow": "mon:05:00-mon:06:59",
                "multiAZ": false,
                "engineVersion": "8.0.28",
                "allowMajorVersionUpgrade": false,
                "autoMinorVersionUpgrade": true,
                "licenseModel": "general-public-license",
                "storageType": "gp2",
                "cACertificateIdentifier": "rds-ca-2019",
                "copyTagsToSnapshot": true,
                "publiclyAccessible": false,
                "enableIAMDatabaseAuthentication": true,
                "enablePerformanceInsights": false,
                "deletionProtection": false,
                "maxAllocatedStorage": 100
            },

What environment did it happen in?

Crossplane version: 1.5.1
Provider-aws-controller: v0.27.0 (also reproduced with v0.26.1 and master at v0.28.0-rc.0.37.g9e1ce166)

• Cloud provider: AWS
• Kubernetes version (use kubectl version): 1.20.11
• Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): EKS

Extra Notes:

Looks closely related to #960... Seems like not all the possible bools have been fixed...

[haarchri]

@chlunde do you think it's time to upstream your version sparebank1utvikling@27b71a1 to get more details for diff ?

[nicolasbelanger]

Oh Oh... just got a status I didn't see before: Resetting-master-credentials

[nicolasbelanger]

Also worth noting...

    pendingModifiedValues:
      caCertificateIdentifier: rds-ca-2019

[chlunde]

@haarchri yeah, I think that's a good idea, but I don't think I have much time this week.

[fbuchmeier-abi]

Hello there,

we are facing a similar issue where the crossplane aws-provider v0.28.1 reconciles an RDS database over and over again. The requested change is to modify the dBParameterGroups from the existing value of cluster-aurora-mysql-5-7 to the new value of cluster-aurora-mysql-5-7 (which is exactly the same). This means that the affected database instances are constantly in a Modifying status.

Before v0.28.1 our database instances could not be synchronized at all because of wrong parameter combinations (e.g. backupRetention on DBInstance which is not allowed when using a DBCluster + DBInstance). After the update the synchronization is working again, but with the above problem.

Below you can find some additional information like the CloudTrail event to modify the DBInstance and the logs from the aws-provider.

Cloudtrail Event (ModifyDbInstance)

See cloudtrail_event.json.txt

aws-provider logs

See aws-provider.txt

Kubernetes resources

example-service-rds-instance-0-dsfwv

apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata:
  annotations:
    crossplane.io/external-name: example-service-rds-instance-0
  creationTimestamp: "2022-06-20T13:38:35Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generateName: example-service-rds-instance-0-dsfwv-
  generation: 2
  labels:
    example.com/managed-by: example-service-rds-instance-0
    crossplane.io/claim-name: example-service-rds-instance-0
    crossplane.io/claim-namespace: dev
    crossplane.io/composite: example-service-rds-instance-0-dsfwv
  name: example-service-rds-instance-0-dsfwv
  ownerReferences:
  - apiVersion: example.com/v1
    controller: true
    kind: XRdsInstance
    name: example-service-rds-instance-0-dsfwv
    uid: 8d576847-52b9-4b0c-bc8d-dc84cd3d3875
  resourceVersion: "194662643"
  uid: 4228e5be-5fb2-4461-be40-de6a8e2757bc
spec:
  deletionPolicy: Orphan
  forProvider:
    autoMinorVersionUpgrade: true
    availabilityZone: eu-central-1c
    dbClusterIdentifier: example-service-rds-cluster
    dbInstanceClass: db.t3.small
    dbName: example-service-dev
    dbParameterGroupName: cluster-aurora-mysql-5-7
    dbSubnetGroupName: test.example.com
    enablePerformanceInsights: false
    engine: aurora-mysql
    engineVersion: 5.7.mysql_aurora.2.10.2
    kmsKeyID: arn:aws:kms:eu-central-1:111111111111:key/abc
    licenseModel: general-public-license
    masterUsername: master
    multiAZ: false
    port: 3306
    preferredMaintenanceWindow: tue:03:50-tue:04:20
    promotionTier: 1
    publiclyAccessible: false
    region: eu-central-1
    storageEncrypted: true
    tags:
    - key: claim-namespace
      value: dev
    - key: claim-name
      value: example-service-rds-instance-0
    - key: managed-resource-name
      value: example-service-rds-instance-0-dsfwv
    vpcSecurityGroupIDs:
    - sg-1
  providerConfigRef:
    name: aws-provider-config
status:
  atProvider:
    caCertificateIdentifier: rds-ca-2019
    customerOwnedIPEnabled: false
    dbInstanceARN: arn:aws:rds:eu-central-1:111111111:db:example-service-rds-instance-0
    dbInstanceIdentifier: example-service-rds-instance-0
    dbInstancePort: 0
    dbInstanceStatus: modifying
    dbParameterGroups:
    - dbParameterGroupName: cluster-aurora-mysql-5-7
      parameterApplyStatus: applying
    dbSubnetGroup:
      dbSubnetGroupDescription: Database subnet group for test.example.com
      dbSubnetGroupName: test.example.com
      subnetGroupStatus: Complete
      subnets:
      - subnetAvailabilityZone:
          name: eu-central-1c
        subnetIdentifier: subnet-1
        subnetOutpost: {}
        subnetStatus: Active
      - subnetAvailabilityZone:
          name: eu-central-1b
        subnetIdentifier: subnet-2
        subnetOutpost: {}
        subnetStatus: Active
      - subnetAvailabilityZone:
          name: eu-central-1a
        subnetIdentifier: subnet-3
        subnetOutpost: {}
        subnetStatus: Active
      vpcID: vpc-1
    dbiResourceID: db-HXNHMYU4AQ4MT7N2L2KSS43L4Q
    endpoint:
      address: example-service-rds-instance-0.cj71ow7e0nmu.eu-central-1.rds.amazonaws.com
      hostedZoneID: Z1RLNUO7B9Q6NB
      port: 3306
    iamDatabaseAuthenticationEnabled: false
    instanceCreateTime: "2022-05-04T14:20:43Z"
    optionGroupMemberships:
    - optionGroupName: default:aurora-mysql-5-7
      status: in-sync
    pendingModifiedValues:
      caCertificateIdentifier: rds-ca-2019
    performanceInsightsEnabled: false
    tagList:
    - key: managed-resource-name
      value: example-service-rds-instance-0-28tdw
    - key: claim-namespace
      value: dev
    - key: claim-name
      value: example-service-rds-instance-0
    vpcSecurityGroups:
    - status: active
      vpcSecurityGroupID: sg-1
  conditions:
  - lastTransitionTime: "2022-06-23T07:13:18Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2022-06-20T13:38:35Z"
    reason: Available
    status: "True"
    type: Ready

example-service-rds-cluster-rtvqp

apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  annotations:
    crossplane.io/external-name: example-service-rds-cluster
  creationTimestamp: "2022-06-20T14:05:51Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generateName: example-service-rds-cluster-rtvqp-
  generation: 2
  labels:
    example.com/managed-by: example-service-rds-cluster
    crossplane.io/claim-name: example-service-rds-cluster
    crossplane.io/claim-namespace: dev
    crossplane.io/composite: example-service-rds-cluster-rtvqp
  name: example-service-rds-cluster-rtvqp
  ownerReferences:
  - apiVersion: example.com/v1
    controller: true
    kind: XRdsCluster
    name: example-service-rds-cluster-rtvqp
    uid: 44843b1a-e386-49b7-9e24-a7daebf195f9
  resourceVersion: "194674646"
  uid: 1132a5e6-7b6b-4199-a2c2-4b63bf86075c
spec:
  deletionPolicy: Orphan
  forProvider:
    applyImmediately: true
    backupRetentionPeriod: 35
    copyTagsToSnapshot: true
    databaseName: example-service
    dbClusterParameterGroupName: cluster-aurora-mysql-5-7
    dbSubnetGroupName: test.cluster.example.com
    deletionProtection: true
    engine: aurora-mysql
    engineMode: provisioned
    finalDBSnapshotIdentifier: example-service-rds-final-snapshot
    masterUserPasswordSecretRef:
      key: password
      name: example-service-rds-secret
      namespace: crossplane-system
    masterUsername: master
    region: eu-central-1
    skipFinalSnapshot: true
    storageEncrypted: true
    tags:
    - key: claim-namespace
      value: acp-dev
    - key: claim-name
      value: example-service-rds-cluster
    - key: managed-resource-name
      value: example-service-rds-cluster-rtvqp
    - key: secret-name
      value: example-service-rds-secret
    - key: secret-namespace
      value: crossplane-system
    vpcSecurityGroupIDs:
    - sg-1
  providerConfigRef:
    name: aws-provider-config
  writeConnectionSecretToRef:
    name: example-service-rds-cluster-rtvqp-rds-cluster-managed-resource
    namespace: crossplane-system
status:
  atProvider:
    activityStreamStatus: stopped
    allocatedStorage: 1
    clusterCreateTime: "2022-05-04T14:13:29Z"
    crossAccountClone: false
    dbClusterARN: arn:aws:rds:eu-central-1:11111111:cluster:example-service-rds-cluster
    dbClusterIdentifier: example-service-rds-cluster
    dbClusterMembers:
    - dbClusterParameterGroupStatus: in-sync
      dbInstanceIdentifier: example-service-rds-instance-0
      isClusterWriter: true
      promotionTier: 1
    dbClusterParameterGroup: cluster-aurora-mysql-5-7
    dbClusterResourceID: cluster-FQTBKWPCU3S4R3ULR4IQZ2AZNI
    dbSubnetGroup: test.cluster.example.com
    earliestRestorableTime: "2022-06-22T00:58:37Z"
    endpoint: example-service-rds-cluster.cluster-cj71ow7e0nmu.eu-central-1.rds.amazonaws.com
    hostedZoneID: 1111111
    httpEndpointEnabled: false
    iamDatabaseAuthenticationEnabled: false
    latestRestorableTime: "2022-06-23T08:23:11Z"
    multiAZ: false
    readerEndpoint: example-service-rds-cluster.cluster-ro-cj71ow7e0nmu.eu-central-1.rds.amazonaws.com
    status: available
    tagList:
    - key: managed-resource-name
      value: example-service-rds-cluster-92lgq
    - key: claim-namespace
      value: acp-dev
    - key: secret-namespace
      value: crossplane-system
    - key: claim-name
      value: example-service-rds-cluster
    - key: secret-name
      value: example-service-rds-secret
    vpcSecurityGroups:
    - status: active
      vpcSecurityGroupID: sg-1
  conditions:
  - lastTransitionTime: "2022-06-20T14:05:51Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2022-06-20T14:05:52Z"
    reason: Available
    status: "True"
    type: Ready

Any help would be greatly appreciated :-)

[fbuchmeier-abi]

So I've modified the AWS provider and ran it locally to output the actual differences between the current and desired state for my RDS DBInstances:

diff --git a/pkg/controller/rds/dbinstance/setup.go b/pkg/controller/rds/dbinstance/setup.go
index c6ed4f55..7fdc37ae 100644
--- a/pkg/controller/rds/dbinstance/setup.go
+++ b/pkg/controller/rds/dbinstance/setup.go
@@ -3,6 +3,7 @@ package dbinstance
 import (
        "context"
        "encoding/json"
+       "fmt"
        "strconv"
        "strings"
        "time"
@@ -324,7 +325,7 @@ func (e *custom) isUpToDate(cr *svcapitypes.DBInstance, out *svcsdk.DescribeDBIn
                return false, err
        }
 
-       return cmp.Equal(&svcapitypes.DBInstanceParameters{}, patch, cmpopts.EquateEmpty(),
+       diff := cmp.Diff(&svcapitypes.DBInstanceParameters{}, patch, cmpopts.EquateEmpty(),
                cmpopts.IgnoreTypes(&xpv1.Reference{}, &xpv1.Selector{}, []xpv1.Reference{}),
                cmpopts.IgnoreFields(svcapitypes.DBInstanceParameters{}, "Region"),
                cmpopts.IgnoreFields(svcapitypes.DBInstanceParameters{}, "Tags"),
@@ -334,8 +335,17 @@ func (e *custom) isUpToDate(cr *svcapitypes.DBInstance, out *svcsdk.DescribeDBIn
                cmpopts.IgnoreFields(svcapitypes.DBInstanceParameters{}, "AutogeneratePassword"),
                cmpopts.IgnoreFields(svcapitypes.DBInstanceParameters{}, "PreferredMaintenanceWindow"),
                cmpopts.IgnoreFields(svcapitypes.DBInstanceParameters{}, "PreferredBackupWindow"),
-               cmpopts.IgnoreFields(svcapitypes.CustomDBInstanceParameters{}, "ApplyImmediately"),
-       ) && !maintenanceWindowChanged && !backupWindowChanged && !pwChanged, nil
+               cmpopts.IgnoreFields(svcapitypes.CustomDBInstanceParameters{}, "ApplyImmediately"))
+       if diff == "" && !maintenanceWindowChanged && !backupWindowChanged && !pwChanged {
+               return true, nil
+       }
+
+       diff = "Found observed difference in RDS resource\n" + diff
+
+       fmt.Println(diff)
+
+       return false, nil
+
 }
 
 func createPatch(out *svcsdk.DescribeDBInstancesOutput, target *svcapitypes.DBInstanceParameters) (*svcapitypes.DBInstanceParameters, error) {

My DBInstances are updated because of the following diff:

Found observed difference in RDS resource
  &v1alpha1.DBInstanceParameters{
        ... // 1 ignored and 3 identical fields
        BackupRetentionPeriod:    nil,
        CharacterSetName:         nil,
-       CopyTagsToSnapshot:       nil,
+       CopyTagsToSnapshot:       &true,
        CustomIAMInstanceProfile: nil,
        DBClusterIdentifier:      nil,
        ... // 2 ignored and 27 identical fields
        PromotionTier:      nil,
        PubliclyAccessible: nil,
-       StorageEncrypted:   nil,
+       StorageEncrypted:   &true,
        StorageType:        nil,
        ... // 1 ignored and 4 identical fields
  }

I am still looking into how this is happening, as my cloudtrail events clearly state that both the CopyTagsToSnapshot and StorageEncrypted are present in the response to the ModifyDBInstance call.

[nicolasbelanger]

@fbuchmeier-abi Thanks for that!
@chlunde Isn't it what #971 was supposed to fix?

[fbuchmeier-abi]

So in my instance, the issue happens when using a aurora-mysql cluster (DBCluster & DBInstances) and passing unsupported parameters (e.g. copyTagsToSnapshot) to the DBInstances (forProvider).

I had the following DBInstance Composition in place:

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: CompositionRevision
metadata:
...
  labels:
    crossplane.io/composition-name: rds-instance-composition
    crossplane.io/composition-spec-hash: 5750fc1920594035
  name: rds-instance-composition-db9t2
...
spec:
  compositeTypeRef:
    apiVersion: acp.cloud.audi/v1
    kind: XRdsInstance
  publishConnectionDetailsWithStoreConfigRef:
    name: default
  resources:
  - base:
...
      spec:
        deletionPolicy: DELETION_POLICY
        forProvider:
          copyTagsToSnapshot: true
          dbClusterIdentifier: DB_CLUSTER_ID
          dbInstanceClass: INSTANCE_CLASS
          dbInstanceIdentifier: DB_INSTANCE_ID
          dbParameterGroupName: CLUSTER_PARAMETER_GROUP_NAME
          engine: aurora-mysql
          region: REGION
          storageEncrypted: true
          tags:
          - key: claim-namespace
            value: CLAIM_NAMESPACE_PLACEHOLDER
          - key: claim-name
            value: CLAIM_NAME_PLACEHOLDER
          - key: managed-resource-name
            value: MANAGED_RESOURCE_NAME_PLACEHOLDER
        providerConfigRef:
          name: aws-provider-config
    patches:
...
status:
  conditions:
  - lastTransitionTime: "2022-06-30T08:10:16Z"
    reason: CompositionSpecDiffers
    status: "False"
    type: Current

This created DBInstance resources with storageEncrypted and copyTagsToSnapshot set to true. Both do not apply to DBInstances that are part of an Aurora cluster. This is probably the cause for the aforementioned differences.

I then updated my composition, removed both fields, to this:

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: CompositionRevision
metadata:
...
  labels:
    crossplane.io/composition-name: rds-instance-composition
    crossplane.io/composition-spec-hash: fb9a7d4db8339b81
  name: rds-instance-composition-9c54m
...
spec:
  compositeTypeRef:
    apiVersion: acp.cloud.audi/v1
    kind: XRdsInstance
  publishConnectionDetailsWithStoreConfigRef:
    name: default
  resources:
  - base:
...
      spec:
        deletionPolicy: DELETION_POLICY
        forProvider:
          dbClusterIdentifier: DB_CLUSTER_ID
          dbInstanceClass: INSTANCE_CLASS
          dbInstanceIdentifier: DB_INSTANCE_ID
          dbParameterGroupName: CLUSTER_PARAMETER_GROUP_NAME
          engine: aurora-mysql
          region: REGION
          tags:
          - key: claim-namespace
            value: CLAIM_NAMESPACE_PLACEHOLDER
          - key: claim-name
            value: CLAIM_NAME_PLACEHOLDER
          - key: managed-resource-name
            value: MANAGED_RESOURCE_NAME_PLACEHOLDER
        providerConfigRef:
          name: aws-provider-config
    patches:
...
status:
  conditions:
  - lastTransitionTime: "2022-06-30T08:10:16Z"
    reason: CompositionSpecMatches
    status: "True"
    type: Current

Now any newly provisioned DBCluster & DBInstances synchronize correctly. However, all DBInstances created with the old composition revision (rds-instance-composition-db9t2) still have both fields set and are reconciling indefinitely. I am currently looking into if I need to patch this directly (kubectl patch) or if Crossplane should update the DBInstance resources automatically.

[nicolasbelanger]

ping, anything new?

[haarchri]

okay we see today the same in our instances - reboot loop

  Normal   UpdatedExternalResource       7m44s (x25 over 32m)  managed/dbinstance.rds.aws.crossplane.io  Successfully requested update of external resource
  Warning  CannotUpdateExternalResource  2m40s (x62 over 38m)  managed/dbinstance.rds.aws.crossplane.io  cannot update DBInstance in AWS: InvalidDBInstanceState: Database instance is not in available state.
           status code: 400, request id:

    Pending Modified Values:
      Ca Certificate Identifier:   rds-ca-2019

@chlunde did you running other version for dbinstance in your setup ?

and we intoduced 2 new fields:

copyTagsToSnapshot: true
storageEncrypted: true

[pandrez]

We are having the exact same issue also! Any news on this?

[haarchri]

We had an issue with the KMS Key ID / ARN - Check for latest pr reference

[pandrez]

We had an issue with the KMS Key ID / ARN - Check for latest pr reference

Hi @haarchri! Just trying to understand your comment.
Does #1481 fix this issue?

[haarchri]

Yes

[pandrez]

We have just migrated to crossplane-provider-aws 0.32.0 which contains #1481 but we still see the same problem for docdb resources.

Events:
  Type    Reason                   Age                    From                                        Message
  ----    ------                   ----                   ----                                        -------
  Normal  UpdatedExternalResource  20s (x23 over 22m)     managed/dbinstance.docdb.aws.crossplane.io  Successfully requested update of external resource

Considering the above mentioned PR fixed the issue for dbinstance.rds.aws.crossplane.io resources, is it necessary to do something similar to dbinstance.docdb.aws.crossplane.ioresources?

[haarchri]

@pandrez can you open an new issue for docd?

[haarchri]

@nicolasbelanger is your issue fixed ?

[pandrez]

@pandrez can you open an new issue for docd?

Done #1510

[haarchri]

We added a lot of more Output in debug with #1534 #1535 and #1536

so we will Close this issue - feel free to Open a Ticket with the debug messages that we can locate the issue

[nicolasbelanger]

@nicolasbelanger is your issue fixed ?

@haarchri Sorry for the late reply.

Thanks to the logs, we can see this now:

  &v1alpha1.DBInstanceParameters{
  	... // 4 ignored and 22 identical fields
  	LicenseModel:        nil,
  	MasterUsername:      nil,
- 	MaxAllocatedStorage: nil,
+ 	MaxAllocatedStorage: &200,
  	MonitoringInterval:  nil,
  	MonitoringRoleARN:   nil,
  	... // 3 ignored and 15 identical fields
  }

That's an issue in itself, but we're concerned by the DBParameterGroup which appear to be reconciled, but the instance keeps on applying this parameter group for a reason we can't see to identify...

Anything wrong in this?

apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBParameterGroup
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: '-1'
  labels:
    app.kubernetes.io/instance: _redacted_
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: _redacted_-_redacted_-_redacted_-test
    app.kubernetes.io/part-of: _redacted_-rds-test-el
    argocd.argoproj.io/instance: _redacted_-rds-test-el
    release: _redacted_-rds-test-el
  name: _redacted_-_redacted_-_redacted_-test
spec:
  deletionPolicy: Delete
  forProvider:
    dbParameterGroupFamilySelector:
      engine: mysql
      engineVersion: 8.0.28
    description: >-
      DBParameterGroup for _redacted_-_redacted_-_redacted_-test RDS Instance via Crossplane
    region: us-east-1
    tags:
      - key: Name
        value: _redacted_-_redacted_-_redacted_-test
      - key: env
        value: development
      - key: appName
        value: _redacted_
      - key: businessUnit
        value: _redacted_
      - key: contact
        value: _redacted_
      - key: product
        value: _redacted_
      - key: role
        value: database
      - key: service
        value: _redacted_
  providerConfigRef:
    name: aws-provider

[nicolasbelanger]

I think this issue should be reopened as the core issue still exists...

[haarchri]

@nicolasbelanger please open an fresh issue