Cognito UserPoolClient becomes Synced: false or creates duplicate AWS resources when provider pod restarts

[mbbush]

What happened?

I have existing UserPoolClient.cognitoidp resources in my cluster, which were created before the changes in #762.

They have a spec.forProvider.name that contains a -.

When my provider pods restart, my managed resources get a condition like:

  - lastTransitionTime: "2023-12-30T22:35:34Z"
    message: 'observe failed: cannot run refresh: refresh failed: reading Amazon Cognito
      IDP (Identity Provider) User Pool Client (example-resource):
      InvalidParameterException: 1 validation error detected: Value ''my-client-name''
      at ''clientId'' failed to satisfy constraint: Member must satisfy regular expression
      pattern: [\w+]+'
    reason: ReconcileError
    status: "False"
    type: Synced

I can get them back to Synced: True if I exec into the pod and manually edit the id value in the terraform.tfstate file to match the id of the user pool client, which is correctly persisted in the external name annotation and in status.atProvider.id. Note that this is one of the handful of resources still using the CLI-based reconciler.

As demonstrated in #762, if my spec.forProvider.name matched the client id regex, then crossplane would create a second user pool client in aws.

How can we reproduce it?

See #1048

What environment did it happen in?

• Crossplane Version:
• Provider Version:
• Kubernetes Version:
• Kubernetes Distribution: