[RDS controller]: constant loop of changing the db in the cloud

[gecube]

We are using ACK Controllers to manage our database resources, and we are observing a persistent issue: after a DBinstance is created, it regularly falls back into the configuring cycle.
In the controller logs we constantly see messages like:

{"level":"info","ts":"2025-11-17T08:05:49.709Z","logger":"ackrt","msg":"desired resource state has changed","kind":"DBInstance","namespace":"infra-production","name":"database-2025-11-09","account":"966321756598","role":"arn:aws:iam::966321756598:role/ack-ec2-controller-tooling","region":"eu-west-2","is_adopted":false,"generation":2,"diff":[{"Path":{"Parts":["Spec","AutoMinorVersionUpgrade"]},"A":null,"B":true},{"Path":{"Parts":["Spec","CACertificateIdentifier"]},"A":null,"B":"rds-ca-rsa2048-g1"},{"Path":{"Parts":["Spec","LicenseModel"]},"A":null,"B":"general-public-license"},{"Path":{"Parts":["Spec","MultiAZ"]},"A":null,"B":false},{"Path":{"Parts":["Spec","PreferredBackupWindow"]},"A":null,"B":"00:56-01:26"},{"Path":{"Parts":["Spec","PreferredMaintenanceWindow"]},"A":null,"B":"sat:23:48-sun:00:18"},{"Path":{"Parts":["Spec","StorageEncrypted"]},"A":null,"B":false},{"Path":{"Parts":["Spec","StorageThroughput"]},"A":null,"B":0},{"Path":{"Parts":["Spec","StorageType"]},"A":null,"B":"gp2"}]}

This behavior clearly doesn’t seem normal. While the controller repeatedly attempts to “configure” the instance, the database may become unavailable — which is unacceptable in production.
It would be very helpful to have guidance or a built-in mechanism to prevent this repeating reconfiguration loop.
Additionally, we see a related issue when AutoMinorVersionUpgrade is enabled:
the cloud database automatically upgrades to a newer minor version, while the version in the ACK manifest remains unchanged. After that, any further changes applied via the manifest get stuck, because the version mismatch prevents updates from proceeding.
Could you please clarify whether this is expected behavior, and whether there are recommended practices to avoid these situations?

[github-actions]

Hello @gecube 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[gecube]

As an additional note:
When using Terraform, this problem does not occur. Terraform does not continuously reconcile resources after creation; instead, it detects drift only during an explicit plan or automated drift-detection workflow. Any drift is surfaced clearly in the plan output or reports, allowing DevOps/SRE engineers to take action.
With ACK, however, the only way to discover such drift is by manually inspecting the controller logs, which is far from convenient for day-to-day operations. It would be very helpful to have a more transparent or user-friendly way to detect and report drift, instead of silently entering endless reconciliation cycles.