S3 is not generating data inside secret when parameter policy is defined (v0.38.0) #1747

Closed
WolfGanGeRTech opened this issue May 2, 2023 · 9 comments
Labels: bug (Something isn't working), stale

Comments

@WolfGanGeRTech

What happened?

After upgrading from v0.37.1 to v0.38.0, the S3 Bucket resource stopped outputting "Endpoint" and "Region" in the secret generated after creation.

I used the example provided in the "examples" folder and it did not output the values inside the secret. After performing a few tests I identified that this only happens if the "policy" parameter (new in 0.38.0) is defined.

How can we reproduce it?

Here are the files used for testing:

Not working example:

---
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: test-bucket-with-policy
spec:
  forProvider:
    objectOwnership: BucketOwnerEnforced
    locationConstraint: eu-central-1
    policy:
      version: '2012-10-17'
      statements:
        - action:
            - s3:ListBucket
            - s3:GetBucketLocation
            - s3:ListBucketMultipartUploads
            - s3:PutBucketCORS
          effect: Allow
          principal:
            awsPrincipals:
              - iamUserArnSelector:
                  matchLabels:
                    example: "true"
          resource:
            - "arn:aws:s3:::crossplane-example-bucket"
  providerConfigRef:
    name: example
  writeConnectionSecretToRef:
    name: secretname
    namespace: default

Working example

---
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: test-bucket-with-policy
spec:
  forProvider:
    objectOwnership: BucketOwnerEnforced
    locationConstraint: eu-central-1
#    policy:
#      version: '2012-10-17'
#      statements:
#        - action:
#            - s3:ListBucket
#            - s3:GetBucketLocation
#            - s3:ListBucketMultipartUploads
#            - s3:PutBucketCORS
#          effect: Allow
#          principal:
#            awsPrincipals:
#              - iamUserArnSelector:
#                  matchLabels:
#                    example: "true"
#          resource:
#            - "arn:aws:s3:::crossplane-example-bucket"
  providerConfigRef:
    name: example
  writeConnectionSecretToRef:
    name: secretname
    namespace: default

What environment did it happen in?

Crossplane version: v1.11.3
Crossplane AWS provider: 0.38.0

@WolfGanGeRTech WolfGanGeRTech added the bug Something isn't working label May 2, 2023
@flaviomoringa

The same happens to me; can someone take a look?

@chlunde
Collaborator

chlunde commented May 2, 2023

Could you try kubectl describe on the bucket object to check what events are available?

@WolfGanGeRTech
Author

Hello,

I tested again to check the events:

Manifest used:

---
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: test-issue-1747
spec:
  deletionPolicy: Delete
  forProvider:
    objectOwnership: BucketOwnerEnforced
    locationConstraint: eu-central-1
    policy:
      id: "S3 Bucket Policies"
      version: "2012-10-17"
      statements:
        - sid: "AllowSSLRequestsOnly"
          action:
            - "s3:*"
          effect: "Deny"
          principal:
            allowAnon: true
          condition:
            - operatorKey: StringEquals
              conditions:
                - key: "aws:SecureTransport"
                  stringValue: "false"
  providerConfigRef:
    name: example
  writeConnectionSecretToRef:
    name: issue1747
    namespace: default

It did not generate any content inside the secret "issue1747", and the output was:

Status:
  At Provider:
    Arn:  arn:aws:s3:::test-issue-1747
  Conditions:
    Last Transition Time:  2023-05-03T09:14:19Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
    Last Transition Time:  2023-05-03T09:14:19Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced
Events:
  Type     Reason                       Age                From                                 Message
  ----     ------                       ----               ----                                 -------
  Normal   CreatedExternalResource      87s                managed/bucket.s3.aws.crossplane.io  Successfully requested creation of external resource
  Warning  CannotUpdateManagedResource  87s                managed/bucket.s3.aws.crossplane.io  Operation cannot be fulfilled on buckets.s3.aws.crossplane.io "test-issue-1747": the object has been modified; please apply your changes to the latest version and try again
  Normal   UpdatedExternalResource      85s (x3 over 86s)  managed/bucket.s3.aws.crossplane.io  Successfully requested update of external resource

@flaviomoringa

could you try kubectl describe on the bucket object, to check what events are available?

Any idea what might be happening?

@haarchri
Member

It looks like your bucket is not ready and is constantly updating.

@stevenhammerton

I have the same issue with the bucket constantly reconciling and never reaching the Ready state. This only happens when a policy is included in the bucket manifest. Version: v0.39.0.

UpdatedExternalResource 87s (x282 over 4h42m) managed/bucket.s3.aws.crossplane.io Successfully requested update of external resource

The bucket policy on the remote resource in AWS seems to be correctly defined; could the provider think there's a difference between the manifest and the remote spec when in fact they are equivalent?

Manifest

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: h7n-test-bucket
spec:
  deletionPolicy: Delete
  forProvider:
    locationConstraint: eu-west-1
    objectOwnership: BucketOwnerEnforced
    paymentConfiguration:
      payer: BucketOwner
    policy:
      statements:
        - sid: "DenyUnEncryptedObjectUploads"
          action:
            - "s3:PutObject"
          principal:
            awsPrincipals:
              - awsAccountId: "*"
          resource:
            - "arn:aws:s3:::h7n-test-bucket/*"
          condition:
            - conditions:
                - key: "s3:x-amz-server-side-encryption"
                  stringValue: "aws:kms"
              operatorKey: "StringNotEquals"
          effect: "Deny"
      version: "2012-10-17"
    tagging:
      tagSet:
      - key: ManagedBy
        value: crossplane/provider-aws

Bucket Policy in AWS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::h7n-test-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        }
    ]
}
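An added illustration of the hypothesis in this comment (not the provider's own diff code): AWS stores a single-element Action, Resource or Principal.AWS value as a plain string, so a controller that renders the policy from the manifest (lists) and compares it field by field with what it reads back reports drift on every reconcile; canonicalising both sides first removes the false positive. The DESIRED_POLICY dict is constructed to mirror the manifest above, and the helper names are hypothetical.

```python
import json

# Policy as AWS returned it (copied from the comment above).
AWS_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
                "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::h7n-test-bucket/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
""")

# The same policy as rendered from the manifest's policy.statements block, where
# action, resource and awsPrincipals are lists (constructed to mirror the YAML).
DESIRED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
    "Principal": {"AWS": ["*"]}, "Action": ["s3:PutObject"],
    "Resource": ["arn:aws:s3:::h7n-test-bucket/*"],
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")

def _as_sorted_list(value):
    """IAM accepts a string or a list here; a one-element list means the same thing."""
    return [value] if isinstance(value, str) else sorted(value)

def canonical_statement(stmt):
    out = dict(stmt)
    for field in LIST_FIELDS:
        if field in out:
            out[field] = _as_sorted_list(out[field])
    principal = out.get("Principal")
    if principal == "*":  # bare "*" is IAM shorthand for {"AWS": "*"}
        principal = {"AWS": "*"}
    if isinstance(principal, dict):
        out["Principal"] = {k: _as_sorted_list(v) for k, v in principal.items()}
    return out

def canonical_policy(policy):
    out = dict(policy)
    stmts = policy.get("Statement", [])  # a single statement may be a bare object
    stmts = [canonical_statement(s) for s in ([stmts] if isinstance(stmts, dict) else stmts)]
    stmts.sort(key=lambda s: json.dumps(s, sort_keys=True))  # statement order carries no meaning
    out["Statement"] = stmts
    return out

def policies_differ(desired, observed, canonicalise=True):
    if canonicalise:
        desired, observed = canonical_policy(desired), canonical_policy(observed)
    return desired != observed  # True means a controller would issue an update
```

Run with canonicalise=False to see the naive comparison flag a difference; with canonicalisation the two documents compare equal.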

@haarchri
Member

Same with v0.40.0?

@WolfGanGeRTech
Author

WolfGanGeRTech commented May 30, 2023

I think the issue is related to #1758, so it should be fixed after the release.

PS: the same happens with 0.40.0.

@github-actions

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions bot added the stale label on Aug 29, 2023.
github-actions bot closed this as not planned on Sep 13, 2023.