Instance Profile doesn't attach roles or tags: #1493
Comments
Is this error still valid?
Can reproduce this bug with provider-aws v0.33.0 and crossplane 1.10.1 using next steps:
Workaround so far is to recreate InstanceProfile resource.
Bumping this issue; we are also seeing this behavior. The only workaround is to put the resource in a composition and use:
I saw something similar when I started using this resource last week, and much of the odd behavior is due to the way the AWS API is implemented, combined with the fact that it's a There are some quirks related to the Role/RoleRef/RoleSelector. Role is a "required" field but it will get populated from the RoleRef or RoleSelector as long as one of the three is present.

So if you specify a Role that doesn't exist yet, that passes the API checks because the Role has a value. The InstanceProfile resource gets created in AWS and the role association fails (silently!) so you end up with an InstanceProfile with no Role attached.

If you specify a roleRef or a roleSelector that won't resolve because the Role doesn't exist, the Role does not get populated and the reconciliation fails until the Resolver is successful. In that case it should "wait" for the Role to get created and then associate it properly.

Also if you specify a Role directly and the Role does not exist, you currently can't delete the InstanceProfile because the preDelete() function fails to disassociate the Role that doesn't exist and it fails the delete action. The only way around this is to either manually create the Role and associate it with the InstanceProfile to allow the preDelete() to succeed, or remove the finalizer from the InstanceProfile object and manually delete the InstanceProfile in AWS.

Clearly there is some room for improvement in the current implementation - the Role association should not succeed if the Role doesn't exist and the role disassociation should not fail the delete processing when the Role doesn't exist. I'll see if I can open a PR for those two issues.
I ran a test and found that it does "fail" the create step when the specified Role cannot be attached to the InstanceProfile:
but since the InstanceProfile does exist in the Observe step, it gets marked as Synced/Ready. It's just not completely Ready. We could modify postObserve() to have it check for the presence of a Role in status.atProvider.roles[] but if it's not there what do we do? Report it as "resource does not exist"? Then the Create() step will be reexecuted and fail with a 409 Conflict. Rerun the postCreate() step to hopefully attach the role? This may not be completely solvable without upgrading the resource to v1beta to allow it to do updates.
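The state described in the comment above (Synced/Ready with no Role attached) can be audited from outside the provider; the following is an added example, not part of the thread and not provider-aws code. It assumes the desired role is at `spec.forProvider.role` and observed roles at `status.atProvider.roles[].roleName`; `FindDetached` and the sample objects are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed field names: spec.forProvider.role, status.atProvider.roles[].roleName.
type instanceProfile struct {
	Metadata struct{ Name string }
	Spec     struct{ ForProvider struct{ Role string } }
	Status   struct {
		Conditions []struct{ Type, Status string }
		AtProvider struct{ Roles []struct{ RoleName string } }
	}
}

// Constructed sample shaped like a kubectl "-o json" list of InstanceProfiles.
const sampleList = `{"items":[
{"metadata":{"name":"profile-ok"},"spec":{"forProvider":{"role":"node-role"}},"status":{"conditions":
 [{"type":"Ready","status":"True"},{"type":"Synced","status":"True"}],"atProvider":{"roles":[{"roleName":"node-role"}]}}},
{"metadata":{"name":"profile-no-role"},"spec":{"forProvider":{"role":"missing-role"}},"status":{"conditions":
 [{"type":"Ready","status":"True"},{"type":"Synced","status":"True"}],"atProvider":{}}},
{"metadata":{"name":"profile-waiting"},"spec":{"forProvider":{}},"status":{"conditions":[{"type":"Synced","status":"False"}]}}
]}`

// FindDetached lists profiles that are Ready and Synced while the spec's role is not among the observed roles.
func FindDetached(listJSON []byte) ([]string, error) {
	var list struct{ Items []instanceProfile }
	err := json.Unmarshal(listJSON, &list)
	var out []string
	for _, ip := range list.Items {
		cond := map[string]bool{}
		for _, c := range ip.Status.Conditions {
			cond[c.Type] = c.Status == "True"
		}
		want, attached := ip.Spec.ForProvider.Role, false
		for _, r := range ip.Status.AtProvider.Roles {
			attached = attached || r.RoleName == want
		}
		if cond["Ready"] && cond["Synced"] && want != "" && !attached {
			out = append(out, ip.Metadata.Name)
		}
	}
	return out, err
}

func main() {
	fmt.Println(FindDetached([]byte(sampleList)))
}
```

A profile whose roleRef or roleSelector has not resolved yet stays unsynced and is not reported, matching the "wait" case described in the thread.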
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as
/fresh
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as
What happened?
I created an instance profile and no roles or tags were attached, even though it says it successfully synced.
How can we reproduce it?
Create a role and an instance profile with the role and tags attached to the instance profile, and it will have neither a role nor tags attached.
What environment did it happen in?
Crossplane version: crossplane/provider-aws-controller:v0.29.0
EKS version 1.23