Updating RolePolicyAttachment policyArn does not detach policy
eriytt opened this issue · 4 comments
What happened?
I edited a RolePolicyAttachment manifest, changing the policyArn to another policy. The new policy was really attached to the AWS role, but the old policy was not detached from the AWS role.
How can we reproduce it?
Deploy a RolePolicyAttachment, setting roleName and policyArn to some existing role and policy. Observe the policy getting attached by examining the AWS role. kubectl edit the RolePolicyAttachment policyArn to some other policy. Observe the new policy getting attached, but the old policy staying attached.
What environment did it happen in?
Crossplane version: v1.13.2
provider-aws: v0.42.0
I had a glance at the code, and if I understand it correctly, the detach should happen here: https://github.com/crossplane-contrib/provider-aws/blob/master/pkg/controller/iam/rolepolicyattachment/controller.go#L151
It also appears that the Observe method is satisfied as long as the requested policy is attached to the role, not caring if any additional policies are also attached. This leads me to believe that maybe a detach cannot be performed, because another RolePolicyAttachment might make the same role-to-policy association. On the other hand, if the RolePolicyAttachment is deleted, the policy is detached even if a second (conflicting) RolePolicyAttachment makes that very same association.
If you let me know how it should work, I can take a stab at fixing the issue.
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale
because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh
will mark this issue as not stale.
/fresh
RolePolicyAttachment only represents the link between role and policy and is not an AWS resource itself and therefore has no dedicated state. The controller does not reflect changes to policyArn and remove old attachments on purpose.
To attach a new policy and detach another one at the same time it is required to create a new RolePolicyAttachment and delete the existing one.
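The practical consequence of the behaviour described in the issue and the reply above is privilege creep: after `kubectl edit` changes `policyArn`, the role keeps the old managed policy even though no manifest declares it any more, and the controller's Observe will never flag it. The following drift check is an added example (not part of the issue or of provider-aws) that diffs the attachments declared by RolePolicyAttachment objects against what `aws iam list-attached-role-policies` actually returns for a role. The manifest dicts and the AWS JSON are constructed in-line to mirror the scenario in the issue (policyArn edited from EC2FullAccess to S3ReadOnlyAccess, both still attached); `spec.forProvider.roleName` / `policyArn` are assumed to match the provider's CRD field names, and the `AttachedPolicies` shape is the real `list-attached-role-policies` output format.

```python
"""Drift check for Crossplane RolePolicyAttachment objects vs. actual IAM state.

Added example, not provider-aws code. Reports managed policies attached to a role
in AWS that no RolePolicyAttachment manifest claims ("stale": exactly what is
left behind when policyArn is edited in place) and claimed ones that are missing.
"""
import json
from typing import Dict, List, Set, Tuple

Attachment = Tuple[str, str]  # (roleName, policyArn)

ROLE = "app-role"

# Constructed manifests, shaped like `kubectl get rolepolicyattachments -o json`
# items. Field names under spec.forProvider are assumed to follow the
# iam.aws.crossplane.io/v1beta1 CRD. This manifest was edited: it used to point
# at AmazonEC2FullAccess and now points at AmazonS3ReadOnlyAccess.
MANIFESTS: List[dict] = [
    {
        "apiVersion": "iam.aws.crossplane.io/v1beta1",
        "kind": "RolePolicyAttachment",
        "metadata": {"name": "app-role-s3-readonly"},
        "spec": {
            "forProvider": {
                "roleName": ROLE,
                "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            }
        },
    }
]

# Constructed output of `aws iam list-attached-role-policies --role-name app-role`.
# The old policy is still attached because the controller never detached it.
AWS_LIST_OUTPUT = json.dumps({
    "AttachedPolicies": [
        {"PolicyName": "AmazonEC2FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"},
        {"PolicyName": "AmazonS3ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
    ]
})


def desired_attachments(manifests: List[dict]) -> Set[Attachment]:
    """Collect (roleName, policyArn) pairs from manifests with inline values.

    Manifests that use roleNameRef/policyArnRef or selectors are skipped here;
    resolving those needs the referenced Role/Policy objects.
    """
    desired: Set[Attachment] = set()
    for m in manifests:
        fp = m.get("spec", {}).get("forProvider", {})
        role, arn = fp.get("roleName"), fp.get("policyArn")
        if role and arn:
            desired.add((role, arn))
    return desired


def actual_attachments(role: str, list_output: str) -> Set[Attachment]:
    """Parse `aws iam list-attached-role-policies` JSON for one role."""
    doc = json.loads(list_output)
    return {(role, p["PolicyArn"]) for p in doc.get("AttachedPolicies", [])}


def drift(desired: Set[Attachment],
          actual: Set[Attachment]) -> Tuple[List[Attachment], List[Attachment]]:
    """Return (stale, missing).

    stale:   attached in AWS but declared by no manifest -> extra privilege
    missing: declared by a manifest but not attached -> controller not converged
    """
    stale = sorted(actual - desired)
    missing = sorted(desired - actual)
    return stale, missing


def report(manifests: List[dict], role: str, list_output: str) -> Dict[str, List[str]]:
    """Human-readable summary keyed by finding type, ARNs only."""
    stale, missing = drift(desired_attachments(manifests),
                           actual_attachments(role, list_output))
    return {
        "stale": [arn for _, arn in stale],
        "missing": [arn for _, arn in missing],
    }


if __name__ == "__main__":
    for kind, arns in report(MANIFESTS, ROLE, AWS_LIST_OUTPUT).items():
        for arn in arns:
            print(f"{kind}: role={ROLE} policy={arn}")
```

A "stale" finding is only a candidate: a policy attached by something other than Crossplane (the console, another IaC tool) shows up the same way, so the list is for review, not for automatic detachment. The remedy that matches the maintainer's guidance is to create a new RolePolicyAttachment for the wanted policy and delete the old object rather than editing `policyArn`; rerunning this check afterwards confirms the old policy is actually gone from the role.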
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale
because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh
will mark this issue as not stale.