Updating RolePolicyAttachment policyArn does not detach policy #1996
Comments
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as
/fresh
To attach a new policy and detach another one at the same time it is required to create a new
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as
What happened?
I edited a RolePolicyAttachment manifest, changing the policyArn to another policy. The new policy was really attached to the AWS role, but the old policy was not detached from the AWS role.
How can we reproduce it?
Deploy a RolePolicyAttachment, setting roleName and policyArn to some existing role and policy. Observe the policy getting attached by examining the AWS role. kubectl edit the RolePolicyAttachment policyArn to some other policy. Observe the new policy getting attached, but the old policy staying attached.
What environment did it happen in?
Crossplane version: v1.13.2
provider-aws: v0.42.0
I had a glance at the code, and if I understand it correctly, the detach should happen here: https://github.com/crossplane-contrib/provider-aws/blob/master/pkg/controller/iam/rolepolicyattachment/controller.go#L151
It also appears that the Observe method is satisfied as long as the requested policy is attached to the role, not caring if any additional policies are also attached. This leads me to believe that maybe a detach cannot be performed, because another RolePolicyAttachment might make the same role-to-policy association. On the other hand, if the RolePolicyAttachment is deleted, the policy is detached even if a second (conflicting) RolePolicyAttachment makes that very same association.
If you let me know how it should work, I can take a stab at fixing the issue.
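An audit for the drift described in this issue, as an added example that is not part of the original issue or the provider's code: it compares the policy ARNs declared by RolePolicyAttachment manifests with what is actually attached to each role, treating a policy as declared if any manifest for that role names it. The sample data is constructed, and the `spec.forProvider` manifest path, the role and policy names and the account ID are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: RolePolicyAttachment objects as a `kubectl get ... -o json` list.
# The spec.forProvider path is an assumption about the manifest layout.
MANIFESTS = json.loads("""
{"items": [
  {"metadata": {"name": "app-main"},
   "spec": {"forProvider": {"roleName": "app-role",
     "policyArn": "arn:aws:iam::111122223333:policy/new-policy"}}},
  {"metadata": {"name": "app-shared"},
   "spec": {"forProvider": {"roleName": "app-role",
     "policyArn": "arn:aws:iam::111122223333:policy/shared"}}},
  {"metadata": {"name": "ci-read"},
   "spec": {"forProvider": {"roleName": "ci-role",
     "policyArn": "arn:aws:iam::111122223333:policy/read-only"}}}
]}
""")

# Constructed sample: per-role output shaped like `aws iam list-attached-role-policies`.
ATTACHED = {
    "app-role": {"AttachedPolicies": [
        {"PolicyName": "old-policy", "PolicyArn": "arn:aws:iam::111122223333:policy/old-policy"},
        {"PolicyName": "new-policy", "PolicyArn": "arn:aws:iam::111122223333:policy/new-policy"},
        {"PolicyName": "shared", "PolicyArn": "arn:aws:iam::111122223333:policy/shared"}]},
    "ci-role": {"AttachedPolicies": [
        {"PolicyName": "read-only", "PolicyArn": "arn:aws:iam::111122223333:policy/read-only"}]},
}

def declared_policies(manifest_list):
    """Map each role to the union of policy ARNs declared by all its manifests."""
    declared = defaultdict(set)
    for item in manifest_list.get("items", []):
        spec = item.get("spec", {}).get("forProvider", {})
        if spec.get("roleName") and spec.get("policyArn"):
            declared[spec["roleName"]].add(spec["policyArn"])
    return declared

def find_drift(manifest_list, attached_by_role):
    """Report, per managed role, attached-but-undeclared and declared-but-missing ARNs."""
    report = {}
    for role, wanted in sorted(declared_policies(manifest_list).items()):
        policies = attached_by_role.get(role, {}).get("AttachedPolicies", [])
        attached = {p["PolicyArn"] for p in policies}
        undeclared, missing = sorted(attached - wanted), sorted(wanted - attached)
        if undeclared or missing:
            report[role] = {"undeclared": undeclared, "missing": missing}
    return report

if __name__ == "__main__":
    print(json.dumps(find_drift(MANIFESTS, ATTACHED), indent=2))
```

The `undeclared` list also includes policies attached to the role outside Crossplane, so each entry needs review before it is detached.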