[Bug]: Unable to Configure OpenSearch Domain Fine Grained Access Control #1531

Closed
1 task done
blakeromano opened this issue Oct 18, 2024 · 0 comments · Fixed by #1534
Labels
bug Something isn't working needs:triage

Comments

@blakeromano
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

  • opensearch.aws.upbound.io/v1beta1 - Domain

Resource MRs required to reproduce the bug

apiVersion: opensearch.aws.upbound.io/v1beta1
kind: Domain
metadata:
  annotations:
    meta.upbound.io/example-id: opensearch/v1beta1/domain
  labels:
    testing.upbound.io/example-name: example
  name: example-foo
spec:
  writeConnectionSecretToRef:
    name: example-domain
    namespace: default
  forProvider:
    domainName: foo-2
    advancedSecurityOptions:
      - enabled: true
        internalUserDatabaseEnabled: false
        masterUserOptions:
          - masterUserArn: arn:aws:iam::${data.aws_account_id}:user/example
    engineVersion: OpenSearch_1.0
    domainEndpointOptions:
      - enforceHttps: true
    encryptAtRest:
      - enabled: true
    nodeToNodeEncryption:
      - enabled: true
    region: us-east-2
    clusterConfig:
      - instanceType: m4.large.search
    ebsOptions:
      - ebsEnabled: true
        volumeType: gp2

Steps to Reproduce

Create this resource with Crossplane and notice that AWS does not show fine-grained access control as enabled, even though the Managed Resource does enable it.

If you run Crossplane Provider locally and comment out the following code in config/opensearch/config.go:

		// r.TerraformCustomDiff = func(diff *terraform.InstanceDiff, _ *terraform.InstanceState, _ *terraform.ResourceConfig) (*terraform.InstanceDiff, error) {
		// 	if diff.Attributes["advanced_security_options.#"].Old != diff.Attributes["advanced_security_options.#"].New {
		// 		delete(diff.Attributes, "advanced_security_options.#")
		// 	}
		// 	return diff, nil
		// }

and apply the same resource with the provider running locally, fine-grained access control is enabled.

What happened?

Fine-Grained Access Control should be able to be properly configured in Crossplane without getting into a constant reconciliation loop.

Relevant Error Output Snippet

No response

Crossplane Version

1.17.1

Provider Version

1.15.0

Kubernetes Version

1.31.0

Kubernetes Distribution

Local K8s

Additional Info

This bug seems to have been introduced in the fix for #1420, specifically by these lines in the PR that was merged: https://github.com/crossplane-contrib/provider-upjet-aws/pull/1406/files#diff-386039b89607aa9f66a8dfa172eda8c7ed1bb3e7dc94aa651f1d4dd230fbb0ebR37-R43
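An added illustration, not code from the issue or from provider-upjet-aws: the Go sketch below models the quoted custom diff with stand-in types and reports which changed attributes it removes from a constructed first-apply diff. `AttrDiff`, `InstanceDiff`, `droppedKeys` and `createDiff` are hypothetical names for this demo, and the sample diff values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Stand-ins (assumption) for the Terraform SDK diff types; only the fields
// the snippet in the issue touches are modelled.
type AttrDiff struct{ Old, New string }
type InstanceDiff struct{ Attributes map[string]*AttrDiff }

// customDiff mirrors the logic quoted in the issue.
func customDiff(d *InstanceDiff) *InstanceDiff {
	const k = "advanced_security_options.#"
	if d.Attributes[k].Old != d.Attributes[k].New {
		delete(d.Attributes, k)
	}
	return d
}

// droppedKeys (hypothetical helper) runs fn on a copy of d and returns the
// changed attributes under prefix that fn removed from the diff.
func droppedKeys(d *InstanceDiff, prefix string, fn func(*InstanceDiff) *InstanceDiff) []string {
	cp := &InstanceDiff{Attributes: map[string]*AttrDiff{}}
	for k, v := range d.Attributes {
		c := *v
		cp.Attributes[k] = &c
	}
	out := fn(cp)
	lost := []string{}
	for k, v := range d.Attributes {
		if _, ok := out.Attributes[k]; !ok && strings.HasPrefix(k, prefix) && v.Old != v.New {
			lost = append(lost, k)
		}
	}
	sort.Strings(lost)
	return lost
}

// createDiff is a constructed diff for the manifest in the issue: the block
// count goes from 0 to 1 on first apply (real Old values may differ).
func createDiff() *InstanceDiff {
	return &InstanceDiff{Attributes: map[string]*AttrDiff{
		"advanced_security_options.#":         {Old: "0", New: "1"},
		"advanced_security_options.0.enabled": {Old: "", New: "true"},
		"encrypt_at_rest.#":                   {Old: "0", New: "1"},
	}}
}

func main() {
	fmt.Println(droppedKeys(createDiff(), "advanced_security_options.", customDiff))
}
```

A check of this shape can sit in a unit test next to any custom diff so that a suppressed change to a security-relevant block fails the build rather than silently leaving the control off.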
