
[Bug]: BucketReplicationConfiguration replicaKmsKeyIdRef is referencing the ID and not the ARN #1478

Open
1 task done
natitomattis opened this issue Sep 1, 2024 · 0 comments
Labels
bug Something isn't working needs:triage

Comments

@natitomattis

natitomattis commented Sep 1, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

  • s3.aws.upbound.io/v1beta1 - BucketReplicationConfiguration

Resource MRs required to reproduce the bug

```yaml
apiVersion: s3.aws.upbound.io/v1beta1
kind: BucketReplicationConfiguration
metadata:
  name: test-data-replication
spec:
  forProvider:
    region: us-east-1
    bucketRef:
      name: test-aws-cloud-resources-data
    roleRef:
      name: test-bucket-replication-iam
    rule:
      - id: test
        status: Enabled
        sourceSelectionCriteria:
          - sseKmsEncryptedObjects:
              - status: Enabled
        destination:
          - bucketRef:
              name: test-aws-cloud-resources-data-backup
            storageClass: GLACIER
            encryptionConfiguration:
              - replicaKmsKeyIdRef:
                  name: test-kms-key
---
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
  name: test-bucket-replication-iam
spec:
  initProvider:
    permissionsBoundary: ""
  forProvider:
    assumeRolePolicy: |
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
---
apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
  name: test-aws-cloud-resources-data
spec:
  forProvider:
    region: us-east-1
---
apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
  name: test-aws-cloud-resources-data-backup
spec:
  forProvider:
    region: us-east-1
---
apiVersion: s3.aws.upbound.io/v1beta1
kind: BucketVersioning
metadata:
  name: test-bucket-versioning
spec:
  forProvider:
    bucketRef:
      name: test-aws-cloud-resources-data-backup
    region: us-east-1
    versioningConfiguration:
      - status: Enabled
        mfaDelete: Disabled
---
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  name: test-kms-key
spec:
  forProvider:
    region: us-east-1
```

Steps to Reproduce

  1. Deploy Crossplane on the management cluster
  2. Install s3 provider (latest version, v1.13.0)
  3. Configure the provider with an AWS account. I used LocalStack to reproduce the issue locally
  4. Deploy the previously mentioned MRs

What happened?

The resource BucketReplicationConfiguration is in a not-ready state. Checking in CloudTrail I found the following error:

    "errorCode": "InvalidArgument",
    "errorMessage": "Invalid ReplicaKmsKeyID ARN.",

I checked the value of .spec.forProvider.rule[].destination[].encryptionConfiguration[].replicaKmsKeyId that should contain the ARN for the key, and it contains just the key ID. Seems like the AWS API is expecting the ARN instead of the key. To get the key value we are using

            encryptionConfiguration:
              - replicaKmsKeyIdRef:
                  name: test-kms-key

Seems like replicaKmsKeyIdRef is resolving the var name using the key ID instead of the ARN.

Relevant Error Output Snippet

```json
    "eventTime": "2024-09-01T15:43:06Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketReplication",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "XX.XX.XX.XX",
    "userAgent": "[APN/1.0 HashiCorp/1.0 Terraform (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.30.3 os/linux lang/go#1.22.4 md/GOOS#linux md/GOARCH#arm64 api/s3#1.58.2 crossplane-provider-aws/v1.13.0 upbound-provider-aws/v1.13.0]",
    "errorCode": "InvalidArgument",
    "errorMessage": "Invalid ReplicaKmsKeyID ARN.",
    "requestParameters": {
        "replication": "",
        "bucketName": "test-aws-cloud-resources-data",
        "Host": "s3.amazonaws.com",
        "ReplicationConfiguration": {
            "Role": "arn:aws:iam::XXXXXXX:role/test-bucket-replication-iam",
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
            "Rule": {
                "Status": "Enabled",
                "Destination": {
                    "Bucket": "arn:aws:s3:::test-aws-cloud-resources-data-backup",
                    "EncryptionConfiguration": {
                        "ReplicaKmsKeyID": "XXXXXXX-XXXXXX-XXXXX"
                    },
                    "StorageClass": "GLACIER"
                },
                "SourceSelectionCriteria": {
                    "SseKmsEncryptedObjects": {
                        "Status": "Enabled"
                    }
                },
                "ID": "test",
                "Prefix": ""
            }
        }
    },
```


### Crossplane Version

v1.16.0

### Provider Version

v1.13.0

### Kubernetes Version

1.30.3

### Kubernetes Distribution

K3d

### Additional Info

_No response_
@natitomattis natitomattis added bug Something isn't working needs:triage labels Sep 1, 2024
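Added example, not part of the issue and not provider-aws code: a small Python checker that captures the failure mode described above. The S3 `PutBucketReplication` API requires `ReplicaKmsKeyID` to be a full KMS key ARN (`arn:<partition>:kms:<region>:<account>:key/<key-id>`), so the checker walks the resolved `spec.forProvider` of a BucketReplicationConfiguration (or a CloudTrail `PutBucketReplication` record shaped like the snippet in the report) and flags any value that is a bare key ID. The account ID `111122223333` and the key ID `1234abcd-12ab-34cd-56ef-1234567890ab` are constructed placeholders; `kms_key_arn` shows the ARN a bare ID would need to become if `replicaKmsKeyId` is set directly instead of through the Ref.

```python
"""Check that an S3 replication config carries a KMS key ARN, not a key ID.

Added illustration for the bug report above; not the provider's own code.
Sample manifests and the CloudTrail record below are constructed.
"""
import json
import re

# KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<uuid>
KMS_KEY_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"
)
# Bare KMS key ID (UUID form), the value the issue reports being sent instead.
KMS_KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def is_kms_key_arn(value: str) -> bool:
    """True only for a complete KMS key ARN."""
    return bool(KMS_KEY_ARN_RE.match(value))


def kms_key_arn(region: str, account_id: str, key_id: str, partition: str = "aws") -> str:
    """Build the ARN S3 expects from a bare key ID plus region and account."""
    if not KMS_KEY_ID_RE.match(key_id):
        raise ValueError(f"not a KMS key ID: {key_id!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    return f"arn:{partition}:kms:{region}:{account_id}:key/{key_id}"


def check_replication_spec(for_provider: dict) -> list:
    """Return (rule id, offending value) for every resolved
    rule[].destination[].encryptionConfiguration[].replicaKmsKeyId that is
    not an ARN. Unresolved *Ref fields are ignored on purpose: only the
    value the provider will hand to AWS matters."""
    findings = []
    for rule in for_provider.get("rule", []):
        for dest in rule.get("destination", []):
            for enc in dest.get("encryptionConfiguration", []):
                key = enc.get("replicaKmsKeyId")
                if key is not None and not is_kms_key_arn(key):
                    findings.append((rule.get("id"), key))
    return findings


def check_cloudtrail_event(event: dict) -> list:
    """Return the ReplicaKmsKeyID values in a PutBucketReplication CloudTrail
    record that are not ARNs (same layout as the snippet in the issue)."""
    if event.get("eventName") != "PutBucketReplication":
        return []
    cfg = event.get("requestParameters", {}).get("ReplicationConfiguration", {})
    rules = cfg.get("Rule", [])
    if isinstance(rules, dict):  # a single rule is serialised as an object
        rules = [rules]
    bad = []
    for rule in rules:
        enc = rule.get("Destination", {}).get("EncryptionConfiguration", {})
        key = enc.get("ReplicaKmsKeyID")
        if key is not None and not is_kms_key_arn(key):
            bad.append(key)
    return bad


# Constructed placeholders (not real account or key values).
ACCOUNT_ID = "111122223333"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"

# What the Ref resolved to in the report: just the key ID.
RESOLVED_SPEC_BAD = {
    "region": "us-east-1",
    "rule": [{"id": "test", "status": "Enabled",
              "destination": [{"storageClass": "GLACIER",
                               "encryptionConfiguration": [{"replicaKmsKeyId": KEY_ID}]}]}],
}
# Same spec with replicaKmsKeyId set to the full ARN.
RESOLVED_SPEC_OK = {
    "region": "us-east-1",
    "rule": [{"id": "test", "status": "Enabled",
              "destination": [{"storageClass": "GLACIER",
                               "encryptionConfiguration": [
                                   {"replicaKmsKeyId": kms_key_arn("us-east-1", ACCOUNT_ID, KEY_ID)}]}]}],
}
# Constructed CloudTrail record mirroring the fields quoted in the issue.
SAMPLE_EVENT = json.loads(
    '{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",'
    ' "errorCode": "InvalidArgument", "errorMessage": "Invalid ReplicaKmsKeyID ARN.",'
    ' "requestParameters": {"bucketName": "test-aws-cloud-resources-data",'
    ' "ReplicationConfiguration": {"Rule": {"ID": "test", "Destination": {'
    ' "Bucket": "arn:aws:s3:::test-aws-cloud-resources-data-backup",'
    ' "EncryptionConfiguration": {"ReplicaKmsKeyID": "' + KEY_ID + '"}}}}}}'
)

if __name__ == "__main__":
    print("bad spec findings:", check_replication_spec(RESOLVED_SPEC_BAD))
    print("fixed spec findings:", check_replication_spec(RESOLVED_SPEC_OK))
    print("cloudtrail non-ARN keys:", check_cloudtrail_event(SAMPLE_EVENT))
```

Running the script reports the bare key ID for the resolved spec and the CloudTrail record, and nothing for the spec that carries the full ARN; the same check can be pointed at `kubectl get bucketreplicationconfiguration -o json` output to confirm what the provider actually resolved before the API call is made.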