Use testhook to enforce ordered deletion

crossplane-contrib · Dec 10, 2023 · 05fc82b · 05fc82b
1 parent f95d15a
commit 05fc82b
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 8 deletions.
diff --git a/config/iot/config.go b/config/iot/config.go
@@ -8,12 +8,12 @@ import (
 func Configure(p *config.Provider) {
 	p.AddResourceConfigurator("aws_iot_topic_rule_destination", func(r *config.Resource) {
 		r.References["vpc_configuration.security_groups"] = config.Reference{
-			Type:              "github.com/upbound/provider-aws/apis/ec2/v1beta1.SecurityGroup",
+			TerraformName:     "aws_security_group",
 			RefFieldName:      "SecurityGroupRefs",
 			SelectorFieldName: "SecurityGroupSelector",
 		}
 		r.References["vpc_configuration.subnet_ids"] = config.Reference{
-			Type:              "github.com/upbound/provider-aws/apis/ec2/v1beta1.Subnet",
+			TerraformName:     "aws_subnet",
 			RefFieldName:      "SubnetIDRefs",
 			SelectorFieldName: "SubnetIDSelector",
 		}

diff --git a/examples/iot/testhooks/delete-topicruledestination.sh b/examples/iot/testhooks/delete-topicruledestination.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -aeuo pipefail
+
+# Note(mbbush): AWS IoT uses the IAM role assigned to the TopicRuleDestination during deletion
+# of the TopicRuleDestination to remove the ENIs and other resources it created in the VPC.
+# Deletion of the TopicRuleDestination takes several minutes, and if the role is deleted before
+# it finishes, then it doesn't have permission to remove the ENIs, so the VPC deletion fails
+# because there are still resources left in it. This ordered deletion requirement could be
+# encoded in a crossplane Usage resource, but that's still alpha and not readily available
+# in the current uptest config. This also solves the problem.
+${KUBECTL} delete topicruledestination.iot.aws.upbound.io/iot-topic-rule-destination-example
diff --git a/examples/iot/topicruledestination.yaml b/examples/iot/topicruledestination.yaml
@@ -29,16 +29,11 @@ kind: Role
 metadata:
   annotations:
     meta.upbound.io/example-id: iot/v1beta1/topicruledestination
+    uptest.upbound.io/pre-delete-hook: testhooks/delete-topicruledestination.sh
   labels:
     testing.upbound.io/example-name: iot-topic-rule-destination
   name: iot-topic-rule-destination-example
 spec:
-  managementPolicies:
-    - Create
-    - Update
-    - Observe
-    - LateInitialize
-    # It is necessary to orphan-delete the role so that the TopicRuleDestination has permission to clean up after itself during deletion.
   forProvider:
     assumeRolePolicy: |
       {