Parameter.ssm.aws.upbound.io - want to observe value for use in composites

[patrickleet]

What happened?

https://marketplace.upbound.io/providers/upbound/provider-aws-ssm/v0.38.0/resources/ssm.aws.upbound.io/Parameter/v1beta1

I want to observe a value from the aws parameter store and use it in a composite.

My plan was to use managementPolicy with ObserveOnly, which is now managementPolicies with Observe.

However this did not work in a number of ways:

1. What I hoped would work:

apiVersion: ssm.aws.upbound.io/v1beta1
kind: Parameter
metadata:
  name: test-param
  annotations:
    crossplane.io/external-name: /infra/network/devops-xdp-vpc/VpcId
spec:
  managementPolicies:
    - Observe
  forProvider:
    region: us-east-1
    type: String

I was hoping with this atProvider would be filled in with insecureValue, but it does not have that value:

> kubectl get parameters.ssm.aws.upbound.io test-param -o yaml | yq .status.atProvider
allowedPattern: ""
arn: arn:aws:ssm:us-east-1:xxx:parameter/infra/network/devops-xdp-vpc/VpcId
dataType: text
description: String
id: /infra/network/devops-xdp-vpc/VpcId
keyId: ""
tags:
  crossplane-kind: parameter.ssm.aws.upbound.io
  crossplane-name: xdp-vpc-id
  crossplane-providerconfig: default
tagsAll:
  crossplane-kind: parameter.ssm.aws.upbound.io
  crossplane-name: xdp-vpc-id
  crossplane-providerconfig: default
tier: Standard
type: String
version: 2

I tried adding forProvider.insecureValue to anything to try to trick it to display that value but that did not work.

Next I tried just import via external name:

apiVersion: ssm.aws.upbound.io/v1beta1
kind: Parameter
metadata:
  name: test-param
  annotations:
    crossplane.io/external-name: /infra/network/devops-xdp-vpc/VpcId
spec:
  deletionPolicy: Orphan
  forProvider:
    region: us-east-1
    type: String

which results in

status:
  atProvider: {}
  conditions:
  - lastTransitionTime: "2023-08-02T23:05:14Z"
    message: |-
      observe failed: cannot run refresh: refresh failed: Invalid combination of arguments: "insecure_value": one of `insecure_value,value` must be specified
      Invalid combination of arguments: "value": one of `insecure_value,value` must be specified
    reason: ReconcileError
    status: "False"
    type: Synced

If I set insecureValue and this point though it'll overwrite what I'm trying to read.

How can we reproduce it?

Try the configs I posted above to create Parameters that reference a path in AWS SSM Parameters Store as readonly to be able to access the value and use in composites.

What environment did it happen in?

• Crossplane Version: v1.12.2
• Provider Version: v0.38.0
• Kubernetes Version:

Client Version: v1.25.2
Kustomize Version: v4.5.7
Server Version: v1.26.3+k3s1

• Kubernetes Distribution: EKS

[patrickleet]

There was more conversation about this here https://crossplane.slack.com/archives/C01718T2476/p1691008466503949

[patrickleet]

Adding

    insecureValue: placeholder
    overwrite: false

seems to get the desired result but isn't intuitive

[github-actions]

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

[github-actions]

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

[github-actions]

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!

[frauke227]

We are facing a similar issue and would like to know if there has been any updates regarding this (unfortunately I cannot see the Slack conversation around it)?
We also tried to add

 insecureValue: placeholder
 overwrite: false

but it did not output the insecure value for us.

[patrickleet]

resource.status.atProvider.insecureValue

[ITler]

insecureValue: placeholder
overwrite: false

status.atProvider.insecureValue

confirmed working with upbound/[email protected] and v1.17.0