ActiveMQ User Resource is missing

[haarchri]

What problem are you facing?

We want to use ActiveMQ in the official provider (mq.aws.upbound.io/v1beta1). We noticed that the official provider does not have a User API. The inline user configuration will not help because of the following comment MQ does not return broker users preventing this resource from making user updates and drift detection. https://marketplace.upbound.io/providers/upbound/provider-aws-mq/v1.3.1/resources/mq.aws.upbound.io/Broker/v1beta1#doc:spec-forProvider-user

And the Broker is missing a status that returns the log group names.

Both of these features are integrated in the community providers and it would help us a lot if we could have similar features with the official provider.
Is it possible to integrate these features into the official providers?

How could Official AWS Provider help solve your problem?

[mergenci]

Some pointers for reference:

• Terraform registry: aws_mq_broker
• terraform-provider-aws: mq/broker.go
• AWS SDK for Go V2: MQ

[ulucinar]

We took an initial look at this:

• As @haarchri states in the description, the UpdateBroker operation in the Amazon MQ REST API does not allow updating the broker users (please search for the definition of UpdateBrokerInput object in the given link). So while one can provision broker users (with some constraints on RabbitMQ) using the CreateBroker operation, it's not possible to update them via the UpdateBroker operation.
• So, it's not possible to manage (drift detection/updates) the existing users of a broker via the Broker.mq MR.
• Amazon MQ REST API has the UpdateUser operation on the User resource that allows updating ActiveMQ users. Currently, a corresponding Terraform resource is missing in the Terraform AWS provider.
• Regarding the general log group, it's already available in the DescribeBroker output (please see the LogsSummary schema). However, the Terraform AWS provider does not extract that information from the SDK response and the Terraform resource schema does not have a corresponding attribute.

[haarchri]

@ulucinar in the community provider-aws we have a ActiveMQ User Resource - so we could implement the resource her too without tf ?

[ulucinar]

Hi @haarchri,
We are on it. @mergenci has started investigating how to implement the broker user resource.

[mergenci]

@haarchri, I was able to create, update, and delete ActiveMQ (not RabbitMQ) users, in the current provider version, using MQ Broker resource's embedded user field. RabbitMQ users cannot be managed neither using Terraform nor using AWS APIs.

I'm sharing the detailed steps below, to avoid any confusion. Does this address your needs?

Note that the reconciler enters an update loop upon applying any user updates, because updates won't take effect until next scheduled maintenance period or manual reboot of the broker.

1. Apply the following manifest (requires EC2 provider as well):

apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
  annotations:
    meta.upbound.io/example-id: mq/v1beta1/broker
  labels:
    testing.upbound.io/example-name: test-issue-1264-activemq-broker
  name: test-issue-1264-activemq-broker
spec:
  forProvider:
    # Due to an existing Terrajet limitation, we cannot use "metadata.name" for "brokerName"
    # Details can be found in https://github.com/crossplane/terrajet/issues/280
    brokerName: test-issue-1264-activemq-broker
    region: us-west-1
    securityGroupRefs:
    - name: test-issue-1264-mq-securitygroup
    engineType: ActiveMQ
    engineVersion: 5.17.6
    hostInstanceType: mq.t3.micro
    user:
    - passwordSecretRef:
        key: password
        name: test-issue-1264-mq-secret
        namespace: upbound-system
      username: admin

---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    meta.upbound.io/example-id: mq/v1beta1/broker
    uptest.upbound.io/pre-delete-hook: testhooks/delete-broker.sh
  labels:
    testing.upbound.io/example-name: test-issue-1264-mq-secret
  name: test-issue-1264-mq-secret
  namespace: upbound-system
type: Opaque
stringData:
  password: "Upboundtest!"

---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroup
metadata:
  annotations:
    meta.upbound.io/example-id: ec2/v1beta1/securitygroup
  labels:
    testing.upbound.io/example-name: test-issue-1264-mq-securitygroup
  name: test-issue-1264-mq-securitygroup
spec:
  forProvider:
    region: us-west-1
    description: Allow TLS inbound traffic
    name: allow_tls
    tags:
      Name: allow_tls

2. To test creation of a user, edit the broker resource and add the following block to spec.forProvider.user:

- consoleAccess: true
  passwordSecretRef:                                                                                                                                                                                                                        
    key: password                                                                                                                                                                                                                           
    name: test-issue-1264-mq-secret
    namespace: upbound-system                                                                                                                                                                                                               
  username: testuser

3. Observe the user created in MQ Console.
4. Reboot the broker from MQ Console, for new user creation to take effect.
5. To test update of a user, edit the broker resource and set consoleAccess: false for the previously created user.
6. Reboot the broker from MQ Console, for user update to take effect.
7. Observe that “Console Access” has been disabled in MQ Console.
8. To test deletion of the user, edit the broker resource and simply remove the whole block that we introduced above.
9. Again, reboot the broker.

[haarchri]

Released with https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.5.0