
Topicpolicy Gets Overwritten When Policy Field Is Empty in Topic #1065

Closed
transacid opened this issue Jan 4, 2024 · 5 comments
transacid commented Jan 4, 2024

What happened?

When using TopicPolicy.sns.aws.upbound.io on a Topic.sns.aws.upbound.io where the topic field is left empty, the provider will patch the AWS default into the topic field. Then there will be a battle between the TopicPolicy and the default Policy.

How can we reproduce it?

Create an SNS Topic with an empty policy field and a TopicPolicy for said Topic.

What environment did it happen in?

  • Crossplane Version: v1.13.2-up.3
  • Provider Version: v0.45.0
  • Kubernetes Version: v1.25.16-eks-8cb36c9
  • Kubernetes Distribution: EKS
transacid added the labels bug (Something isn't working) and needs:triage on Jan 4, 2024

turkenf (Collaborator) commented Jan 10, 2024

@transacid, could you please give us more information, reproduction steps, and used MRs?

transacid (Author) commented:

Ah, apologies, I made a typo in the reproduction text. The way of reproducing it is quite simple:

  • Create a Topic.sns.aws.upbound.io and leave out the field spec.forProvider.policy.
  • Create a TopicPolicy.sns.aws.upbound.io, set spec.forProvider.arn to the ARN of the topic created above, and put the policy JSON into spec.forProvider.policy.

Expected result:
The Topic will have the policy from the TopicPolicy object.

Observed result:
The Topic flaps between the AWS default policy and the policy set by TopicPolicy. My suspicion is that when the topic gets created, Crossplane will populate the field with what gets returned by the AWS API (which is the default policy). Then the provider will try to set it with the policy from TopicPolicy, and the two objects overwrite each other henceforth.

I hope that clears it up

turkenf (Collaborator) commented Jan 11, 2024

Thank you for your quick response @transacid,

I could not reproduce this issue in v0.47.1 with the following steps ➡️

  • Applied the following Topic.sns YAML:

```yaml
apiVersion: sns.aws.upbound.io/v1beta1
kind: Topic
metadata:
  annotations:
    meta.upbound.io/example-id: sns/v1beta1/topicpolicy
  labels:
    testing.upbound.io/example-name: test
  name: test
spec:
  forProvider:
    region: us-west-1
```

After the resource was created, I checked the policy from the AWS console and observed the default policy.

  • Then applied the following TopicPolicy.sns YAML:

```yaml
apiVersion: sns.aws.upbound.io/v1beta1
kind: TopicPolicy
metadata:
  annotations:
    meta.upbound.io/example-id: sns/v1beta1/topicpolicy
  labels:
    testing.upbound.io/example-name: test
  name: test
spec:
  forProvider:
    arnSelector:
      matchLabels:
        testing.upbound.io/example-name: test
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1670943316577",
            "Action": [
              "sns:RemovePermission",
              "sns:SetTopicAttributes",
              "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:us-west-1:153891904029:test",
            "Principal": {
              "AWS": "*"
            }
          }
        ]
      }
    region: us-west-1
```

  • Then checked the AWS console:
    [Screenshot from 2024-01-11 12:28:42 of the topic's access policy in the AWS console; image not included]

Does the issue always occur on your side, or is there anything you did other than the steps here?

transacid (Author) commented:

Did you refresh the AWS console several times? It is flapping in my case; it depends on the reconciliation cycle. Here is an example: try refreshing the console after 5 minutes. Attached is the output of querying the AWS API periodically for ~10 minutes by running:

```shell
while true ; do date ; aws sns get-topic-attributes --topic-arn "arn:aws:sns:eu-central-1:123456789:test" | jq '.Attributes.Policy' -r | jq '.Statement[].Action' ; sleep 5 ; done
```

Attachment: res.txt
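A more robust way to confirm the flapping the reporter describes, as an added example that is not code from the issue or from provider-aws: it wraps the same `aws sns get-topic-attributes` call, but compares each sample as a parsed JSON document so that whitespace or key-order differences in what the API returns are not miscounted as changes, and reports every transition with the Action lists before and after. The default-style policy, the account ID and the sample sequence are constructed placeholders (the "default-like" document is a stand-in, not the exact AWS default); `poll_topic` assumes the aws CLI is installed with credentials configured, while `detect_flaps` and `policy_actions` run offline.

```python
"""Detect SNS topic policy flapping from periodic get-topic-attributes samples.

Added example (not code from the issue or from provider-aws). Policies are
compared as parsed JSON, so formatting differences do not count as changes.
"""
import json
import subprocess
import sys
import time

# Constructed stand-in for a default-style topic policy (not the exact AWS
# default document; account ID and ARN are placeholders).
DEFAULT_LIKE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:GetTopicAttributes", "SNS:Subscribe", "SNS:Publish"],
        "Resource": "arn:aws:sns:eu-central-1:123456789012:test",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
})

# The policy from the TopicPolicy manifest in this thread, with a placeholder account ID.
TOPICPOLICY_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1670943316577",
        "Action": ["sns:RemovePermission", "sns:SetTopicAttributes", "sns:Subscribe"],
        "Effect": "Allow",
        "Resource": "arn:aws:sns:eu-central-1:123456789012:test",
        "Principal": {"AWS": "*"},
    }],
})

# Constructed sample sequence imitating the flapping described in the issue.
CONSTRUCTED_SAMPLES = [
    ("12:00:00", DEFAULT_LIKE_POLICY),
    ("12:00:05", DEFAULT_LIKE_POLICY),
    ("12:00:10", TOPICPOLICY_DOC),
    ("12:00:15", TOPICPOLICY_DOC),
    ("12:00:20", DEFAULT_LIKE_POLICY),
    ("12:00:25", TOPICPOLICY_DOC),
]


def canonical_policy(policy_text):
    """Canonical JSON encoding so whitespace/key order are ignored when comparing."""
    return json.dumps(json.loads(policy_text), sort_keys=True, separators=(",", ":"))


def policy_actions(policy_text):
    """Flatten every statement's Action (the same view as the jq filter above)."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    actions = []
    for stmt in statements:
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def detect_flaps(samples):
    """Return (timestamp, old_actions, new_actions) for every policy change."""
    changes = []
    previous_text, previous_canon = None, None
    for ts, text in samples:
        canon = canonical_policy(text)
        if previous_canon is not None and canon != previous_canon:
            changes.append((ts, policy_actions(previous_text), policy_actions(text)))
        previous_text, previous_canon = text, canon
    return changes


def fetch_policy(topic_arn):
    """Read the live Policy attribute via the aws CLI (needs credentials)."""
    proc = subprocess.run(
        ["aws", "sns", "get-topic-attributes", "--topic-arn", topic_arn],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)["Attributes"]["Policy"]


def poll_topic(topic_arn, interval=5, duration=600):
    """Sample the policy every `interval` seconds for `duration` seconds."""
    samples = []
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        samples.append((time.strftime("%H:%M:%S"), fetch_policy(topic_arn)))
        time.sleep(interval)
    return samples


if __name__ == "__main__":
    # Usage: python sns_flap.py arn:aws:sns:REGION:ACCOUNT:topic [seconds]
    seconds = int(sys.argv[2]) if len(sys.argv) > 2 else 600
    observed = poll_topic(sys.argv[1], duration=seconds)
    flaps = detect_flaps(observed)
    for ts, old, new in flaps:
        print(f"{ts} policy changed: {old} -> {new}")
    print(f"{len(flaps)} change(s) in {len(observed)} samples")
```

Because the two reconcilers can both write within one polling interval, the change count is a lower bound; shorten the interval if you need to catch every transition, and keep the run longer than the provider's poll interval so that a quiet start is not mistaken for a stable policy.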

mbbush (Collaborator) commented Apr 20, 2024

This was fixed in #1213 and released in version 1.3.0.

mbbush closed this as completed on Apr 20, 2024
4 participants