ecr: Instance cannot be destroyed: Resource xxx.yyy has lifecycle.prevent_destroy set (LifecyclePolicy, PullThroughCacheRule)

[druchoo]

What happened?

Unable to modify existing Crossplane ecr resources (LifecyclePolicy, PullThroughCacheRule). Attempting to do so results in lifecycle.prevent_destroy errors.

LifecyclePolicy:

observe failed: cannot run plan: plan failed: Instance cannot be destroyed: Resource aws_ecr_lifecycle_policy.test-repo has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.

PullThroughCacheRule:

observe failed: cannot run plan: plan failed: Instance cannot be destroyed: Resource aws_ecr_pull_through_cache_rule.quay has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.

Initially, I figured this was because resources had deletionPolicy: Orphan. However, after testing with deletionPolicy: Delete, the results were the same error.

Of the 7 resources in the ecr.aws.upbound.io group, only those 2 exhibit this behavior. All were tested with deletionPolicy: Delete.

Since it only occurs for 2/7 resource, it feels as if this is not the intended behavior. The only work-around I've found is to manually delete the resource and have Crossplane re-create it.

Registry

Resource	Result
PullThroughCacheRule	❌
RegistryPolicy	✅
RegistryScanningConfiguration	✅
ReplicationConfiguration	✅

Repository

Resource	Result
Repository	✅
RepositoryPolicy	✅
LifecyclePolicy	❌

How can we reproduce it?

• Create resources as described below
• After creation, make a minimal change to a spec.forProvider parameter. I've been using policy for LifecyclePolicy and ecrRepositoryPrefix for PullThroughCacheRule.
• Check status of resources

apiVersion: ecr.aws.upbound.io/v1beta1
kind: LifecyclePolicy
metadata:
  name: test-repo
spec:
  deletionPolicy: Delete
  forProvider:
    policy: |
      {
        "rules": [
          {
            "action": {
              "type": "expire"
            },
            "description": "Keep branch images", # Modify to reproduce issue (ex. "Keep branch images foo")
            "rulePriority": 1,
            "selection": {
              "countNumber": 9999,
              "countType": "imageCountMoreThan",
              "tagPrefixList": [
                "develop"
              ],
              "tagStatus": "tagged"
            }
          }
        ]
      }
    region: us-east-1
    repository: test-repo
  providerConfigRef:
    name: aws

apiVersion: ecr.aws.upbound.io/v1beta1
kind: PullThroughCacheRule
metadata:
  name: quay
spec:
  deletionPolicy: Delete
  forProvider:
    ecrRepositoryPrefix: quay # Modify to reproduce issue (ex. "quay_foo")
    region: us-east-1
    upstreamRegistryUrl: quay.io
  providerConfigRef:
    name: aws

What environment did it happen in?

• Universal Crossplane Version: 1.11.1, 1.10.2
• Provider Version: v0.24.0, v0.30.0
• Cloud provider or hardware configuration: AWS
• Kubernetes version (use kubectl version)

{
  "major": "1",
  "minor": "21+",
  "gitVersion": "v1.21.14-eks-ffeb93d",
  "gitCommit": "f76e2b475d1433cdb6bd546e9e8f129fde938fb7",
  "gitTreeState": "clean",
  "buildDate": "2022-11-29T18:41:00Z",
  "goVersion": "go1.16.15",
  "compiler": "gc",
  "platform": "linux/amd64"
}

• Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): EKS

[github-actions]

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

[druchoo]

/fresh

[turkenf]

Hi @druchoo,

Thank you for raising this, the parameters you specify are immutable where we have ForceNew on the field:

• ecrRepositoryPrefix for PullThroughCacheRule
• policy for LifecyclePolicy

When you try to change immutable fields, you will get an error like the following with the latest provider version:

  - lastTransitionTime: "2024-04-16T10:04:36Z"
    message: 'async update failed: refuse to update the external resource because
      the following update requires replacing it: cannot change the value of the argument
      "ecr_repository_prefix" from "ecr-public" to "ecr-publicc"'

According to the Crossplane Resource Model, this is something we do not allow.

Similar discussion: #1061 (comment)

[turkenf]

Since this is to be expected, I am closing this issue. Upstream issue with rejecting change requests for immutable fields.