[Bug]: KMS Alias does not become ready after import #1653

dnlopes opened this issue Jan 29, 2025 · 0 comments
Labels
bug Something isn't working needs:triage

dnlopes commented Jan 29, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

kms.aws.upbound.io/v1beta1 - Alias

Resource MRs required to reproduce the bug

apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    crossplane.io/external-name: b892335d-c94c-4d7c-a82c-bcac16d6d612
  name: encryption-key-chainsaw-wort-encryption-key-with-impo-5cc21ce2
spec:
  forProvider:
    customerMasterKeySpec: SYMMETRIC_DEFAULT
    description: created by Compositions operator
    enableKeyRotation: false
    isEnabled: true
    keyUsage: ENCRYPT_DECRYPT
    policy: '{"Id":"key-default-1","Statement":[{"Action":"kms:*","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::000000000000:root"},"Resource":"*","Sid":"Enable
      IAM User Permissions"}],"Version":"2012-10-17"}'
    region: us-east-1

and

apiVersion: kms.aws.upbound.io/v1beta1
kind: Alias
metadata:
  name: encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1
  annotations:
    crossplane.io/external-name: test
spec:
  deletionPolicy: Delete
  forProvider:
    region: us-east-1
    targetKeyId: 5cb46d25-7286-4e5a-b64d-d493f21561e5

Steps to Reproduce

Manually create a KMS key and alias using the AWS CLI:

export AWS_ACCESS_KEY_ID="test"
export AWS_SECRET_ACCESS_KEY="test"
export AWS_REGION="us-east-1"
export AWS_ENDPOINT_URL="http://localhost:4566"

keyId=$(aws --endpoint-url="$AWS_ENDPOINT_URL" kms create-key --query KeyMetadata.KeyId --output text)
aws --endpoint-url="$AWS_ENDPOINT_URL" kms create-alias --alias-name "alias/test" --target-key-id "$keyId" --output json

Then create the Upbound CRs so the existing Key and Alias are imported (update the keyId on the Alias CR with the output of the script above).

What happened?

The Key Upbound CR is imported properly and quickly becomes ready=true and synced=true.

However, the Alias CR becomes synced=true but not ready=true, with .status.AtProvider = {}.

Editing the Alias CR with a dummy annotation makes the Upbound provider trigger a reconciliation again, and after that the Alias CR becomes ready=true as expected and the AtProvider is also populated.

Without adding a manual annotation, I need to wait 10 min for the CR to become ready, because the reconciliation will be triggered at that point automatically by Upbound as well.

Relevant Error Output Snippet

2025-01-29T17:52:21Z    DEBUG    provider-aws    Starting    {"sync-interval": "1h0m0s", "poll-interval": "10m0s", "poll-jitter": "30s", "max-reconcile-rate": 100}
2025-01-29T17:54:40Z    INFO    provider-aws    Beta feature enabled    {"flag": "EnableBetaManagementPolicies"}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Calling the inner handler for Create event.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "queueLength": 0}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Reconciling    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Calling the inner handler for Create event.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "queueLength": 0}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Reconciling    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=alias", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Connecting to the service provider    {"uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias"}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Connecting to the service provider    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:42Z    DEBUG    provider-aws    Calling the inner handler for Update event.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "queueLength": 0}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Instance state not found in cache, reconstructing...    {"uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Instance state not found in cache, reconstructing...    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Observing the external resource    {"uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Observing the external resource    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    External resource is up to date    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=alias", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}, "uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "version": "9199", "external-name": "alias-for-encryption-key-with-imported-kms", "requeue-after": "2025-01-29T18:26:46Z"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Diff detected    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "instanceDiff": "*terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{\"bypass_policy_lockout_safety_check\":*terraform.ResourceAttrDiff{Old:\"\", New:\"false\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"description\":*terraform.ResourceAttrDiff{Old:\"Created by runtime-operator\", New:\"created by Compositions operator\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags.%\":*terraform.ResourceAttrDiff{Old:\"0\", New:\"3\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags.crossplane-kind\":*terraform.ResourceAttrDiff{Old:\"\", New:\"key.kms.aws.upbound.io\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags.crossplane-name\":*terraform.ResourceAttrDiff{Old:\"\", New:\"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags.crossplane-providerconfig\":*terraform.ResourceAttrDiff{Old:\"\", New:\"default\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags_all.%\":*terraform.ResourceAttrDiff{Old:\"0\", New:\"3\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags_all.crossplane-kind\":*terraform.ResourceAttrDiff{Old:\"\", New:\"key.kms.aws.upbound.io\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, 
Sensitive:false, Type:0x0}, \"tags_all.crossplane-name\":*terraform.ResourceAttrDiff{Old:\"\", New:\"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"tags_all.crossplane-providerconfig\":*terraform.ResourceAttrDiff{Old:\"\", New:\"default\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, RawConfig:cty.NilVal, RawState:cty.NilVal, RawPlan:cty.NilVal, Meta:map[string]interface {}(nil)}"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Calling the inner handler for Update event.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "queueLength": 0}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Async update starting...    {"trackerUID": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "resourceName": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "tfID": "5cb46d25-7286-4e5a-b64d-d493f21561e5"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Successfully requested update of external resource    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}, "uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "version": "9197", "external-name": "5cb46d25-7286-4e5a-b64d-d493f21561e5", "requeue-after": "2025-01-29T18:27:07Z"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Updating the external resource    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Reconciling    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}}
2025-01-29T18:16:43Z    DEBUG    provider-aws    Cannot initialize managed resource    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}, "uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "version": "9211", "external-name": "5cb46d25-7286-4e5a-b64d-d493f21561e5", "error": "Operation cannot be fulfilled on keys.kms.aws.upbound.io \"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1\": the object has been modified; please apply your changes to the latest version and try again"}
2025-01-29T18:16:44Z    DEBUG    provider-aws    Reconciling    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}}
2025-01-29T18:16:44Z    DEBUG    provider-aws    Connecting to the service provider    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:44Z    DEBUG    provider-aws    ongoing async operation    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "opType": "update"}
2025-01-29T18:16:44Z    DEBUG    provider-aws    External resource is up to date    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}, "uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "version": "9214", "external-name": "5cb46d25-7286-4e5a-b64d-d493f21561e5", "requeue-after": "2025-01-29T18:26:34Z"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    Async update ended.    {"trackerUID": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "resourceName": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "error": null, "tfID": "5cb46d25-7286-4e5a-b64d-d493f21561e5"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    Reconcile request has been requeued.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "rateLimiterName": "", "when": "0s"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    Reconciling    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}}
2025-01-29T18:16:55Z    DEBUG    provider-aws    Connecting to the service provider    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    Observing the external resource    {"uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Key"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    External resource is up to date    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}, "uid": "634ecd8b-91ab-421a-a591-1545ce8e69a6", "version": "9256", "external-name": "5cb46d25-7286-4e5a-b64d-d493f21561e5", "requeue-after": "2025-01-29T18:26:52Z"}
2025-01-29T18:19:12Z    DEBUG    provider-aws    Calling the inner handler for Update event.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "queueLength": 0}
2025-01-29T18:19:12Z    DEBUG    provider-aws    Reconciling    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=alias", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}}
2025-01-29T18:19:13Z    DEBUG    provider-aws    Connecting to the service provider    {"uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias"}
2025-01-29T18:19:13Z    DEBUG    provider-aws    Observing the external resource    {"uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "name": "encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1", "gvk": "kms.aws.upbound.io/v1beta1, Kind=Alias"}
2025-01-29T18:19:13Z    DEBUG    provider-aws    External resource is up to date    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=alias", "request": {"name":"encryption-key-chainsaw-know-encryption-key-with-impor-a83616c1"}, "uid": "a24c9c3b-2a7c-4e3a-bcb7-9ece19de9476", "version": "9700", "external-name": "alias-for-encryption-key-with-imported-kms", "requeue-after": "2025-01-29T18:29:02Z"}


(2025-01-29T18:19:12Z was the time I manually edited the CR with a dummy annotation, which triggered the reconcile)

Crossplane Version

1.18.2

Provider Version

1.19.0

Kubernetes Version

No response

Kubernetes Distribution

No response

Additional Info

No response

@dnlopes dnlopes added bug Something isn't working needs:triage labels Jan 29, 2025
@dnlopes dnlopes changed the title [Bug]: [Bug]: KMS Alias does not become ready after import Jan 29, 2025
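
An added example, not part of the original issue or of the provider's code: a small Python parser for the provider-aws debug log format shown above that reports, per resource kind, how many immediate requeues were logged and how long each "External resource is up to date" observation waits until its `requeue-after` time. The sample lines are abridged from the issue's log with a constructed resource name; `summarize` and the result keys are names chosen here.

```python
import json
import re
from datetime import datetime

# Constructed sample: abridged lines in the format of the log in this issue
# (resource name replaced with "example").
SAMPLE = """\
2025-01-29T18:16:43Z    DEBUG    provider-aws    External resource is up to date    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=alias", "request": {"name":"example"}, "requeue-after": "2025-01-29T18:26:46Z"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    Reconcile request has been requeued.    {"gvk": "kms.aws.upbound.io/v1beta1, Kind=Key", "name": "example", "when": "0s"}
2025-01-29T18:16:55Z    DEBUG    provider-aws    External resource is up to date    {"controller": "managed/kms.aws.upbound.io/v1beta1, kind=key", "request": {"name":"example"}, "requeue-after": "2025-01-29T18:26:52Z"}
"""

# timestamp, level, logger, free-text message, trailing JSON object
LINE = re.compile(r"^(\S+)\s+(\w+)\s+(\S+)\s+([^{]*?)\s*(\{.*\})\s*$")
KIND = re.compile(r"kind=(\w+)", re.IGNORECASE)


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse(text):
    """Yield (time, message, kind, fields) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or truncated line, e.g. a split "Diff detected" entry
        try:
            fields = json.loads(m.group(5))
        except json.JSONDecodeError:
            continue
        # The kind appears in "controller" (kind=alias) or in "gvk" (Kind=Alias).
        k = KIND.search(fields.get("controller") or fields.get("gvk") or "")
        if k:
            yield ts(m.group(1)), m.group(4), k.group(1).lower(), fields


def summarize(text):
    """Per kind: count of immediate requeues and seconds until each requeue-after."""
    out = {}
    for when, msg, kind, fields in parse(text):
        s = out.setdefault(kind, {"immediate_requeues": 0, "poll_wait_s": []})
        if msg.startswith("Reconcile request has been requeued"):
            s["immediate_requeues"] += 1
        elif msg == "External resource is up to date" and "requeue-after" in fields:
            wait = ts(fields["requeue-after"]) - when
            s["poll_wait_s"].append(int(wait.total_seconds()))
    return out
```

On the sample, the Alias shows no immediate requeue and a wait of about ten minutes, consistent with the `poll-interval` of `10m0s` in the first log line.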