It is not possible to import securitygroup which is created previously #782
Comments
@nujragan did you try this scenario according to the documentation in https://docs.crossplane.io/knowledge-base/guides/import-existing-resources/? The |
@jbw976 |
Just FYI: crossplane-contrib/provider-aws has already solved this issue: crossplane-contrib/provider-aws#1175 |
Hi @nujragan, Thank you for raising this issue but I could not reproduce the issue. Could you please try again?
or:
|
@turkenf you are right, I can import it with having external name as the security group Id, I am trying to use this in a composition and there seems to be no way to get the security group Id from aws in the composition, |
@nujragan then, can't you import using |
@turkenf I can, but when using in a composition, deleting the composition and recreating it, runs into this issue |
@nujragan, let's leave the composition aside to fully understand your request, what exactly do you expect from provider-aws here? |
@turkenf something similar to this: crossplane-contrib/provider-aws#1175. |
@turkenf if I can chime in. |
@ONordander, it is possible with using |
Yes, sorry if it was unclear but I mean without manual intervention, with crossplane-contrib/provider-aws it assumed ownership without adding |
@ONordander, the way you specified is currently not possible. |
@ONordander thanks for the explanation, but @turkenf that is the ask. I don't know if this is a bug or a feature request. |
Hi @ONordander, The Looking at how the importing via the security group name feature was implemented in

```go
func (e *external) getSecurityGroupByName(ctx context.Context, groupName string) (*string, error) {
	groups, err := e.sg.DescribeSecurityGroups(ctx, &awsec2.DescribeSecurityGroupsInput{
		Filters: []awsec2types.Filter{
			{Name: aws.String("group-name"), Values: []string{groupName}},
		},
	})
	if err != nil || len(groups.SecurityGroups) == 0 {
		return nil, err
	}
	return groups.SecurityGroups[0].GroupId, nil
}
```

Is it guaranteed to return an array of length at most 1? Or in other words, are security group names unique per region per account? |
@ulucinar I haven't invested the time to understand the underlying details of the Terrajet providers yet, so thank you for the explanation. It would be really nice to see this feature added, not only for security groups. I think you are right, it looks like the VPC Id should be part of the query as well to make it fully unique: |
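Added example, not part of the thread and not code from either provider: a Go sketch of the name-plus-VPC lookup raised in the two comments above, which adopts a group only when exactly one matches, so a controller never takes over a same-named group in another VPC. `Describer`, `FakeEC2`, `ResolveGroupID` and the inventory in `main` are hypothetical names and constructed data; `group-name` and `vpc-id` are the EC2 DescribeSecurityGroups filter names.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityGroup and Filter are constructed stand-ins for the EC2 API types;
// Describer is a hypothetical seam where DescribeSecurityGroups would be called.
type SecurityGroup struct{ ID, Name, VpcID string }
type Filter struct{ Name, Value string }
type Describer func([]Filter) ([]SecurityGroup, error)

var ErrNotFound = errors.New("no matching security group")
var ErrAmbiguous = errors.New("multiple matching security groups")

// ResolveGroupID returns an ID only when name plus VPC identify exactly one group.
func ResolveGroupID(d Describer, name, vpcID string) (string, error) {
	groups, err := d([]Filter{{"group-name", name}, {"vpc-id", vpcID}})
	switch {
	case err != nil:
		return "", fmt.Errorf("describe security groups: %w", err)
	case len(groups) == 0:
		return "", ErrNotFound // nothing to adopt; the caller may create the group
	case len(groups) > 1:
		return "", fmt.Errorf("%w: %q in %s", ErrAmbiguous, name, vpcID) // never pick [0]
	}
	return groups[0].ID, nil
}

// FakeEC2 applies the given filters to a constructed inventory (all must match).
func FakeEC2(inv []SecurityGroup) Describer {
	return func(filters []Filter) (out []SecurityGroup, err error) {
		for _, g := range inv {
			field := map[string]string{"group-name": g.Name, "vpc-id": g.VpcID}
			ok := true
			for _, f := range filters {
				ok = ok && field[f.Name] == f.Value
			}
			if ok {
				out = append(out, g)
			}
		}
		return out, nil
	}
}

func main() {
	inv := []SecurityGroup{{"sg-0aaa", "web", "vpc-1"}, {"sg-0bbb", "web", "vpc-2"}}
	fmt.Println(ResolveGroupID(FakeEC2(inv), "web", "vpc-2"))
}
```

With the constructed inventory, a filter on `group-name` alone matches both groups, which is the case where returning the first element would pick an arbitrary VPC's group.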
@ulucinar can I work on this? Can you assign this to me? |
Assigned you @nujragan, you can start working on it, thanks in advance for your contribution. 🙏 |
@nujragan, any progress here? |
This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as |
Comment to remove stale. We too are seeing this issue. If for some reason the resource is removed and set to orphan, we won't be able to automatically adopt it since we can't figure out the security group id. With terraform we can use name_prefix and deal with the leftover groups using another ad-hoc method. Is there any way we can mimic |
This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as |
/fresh |
Also having this issue. One of the blockers from managing other clusters from a platform cluster without using some kind of cluster backup solution. I guess the solution from crossplane-contrib/provider-aws#1175 is not directly transferable to this provider? |
What happened?
This problem is best described with an example:
Create a managed resource with a securitygroup with deletionPolicy: Orphan
Apply the securitygroup
Delete the securitygroup
Now the securitygroup stays behind in AWS which is as expected.
Apply the securitygroup again
Now the security will have a reconcile error and cannot create a duplicate groupname.
Tried using crossplane.io/external-name annotation but the external name for a securitygroup is a securitygroup ID which is random and generated by aws. We expect that it can reconcile the existing securitygroup.
We want to import this created securitygroup but this is not possible this way.
This also prevents us from migrating from crossplane-contrib/provider-aws to the official provider.
This was an issue with crossplane-contrib/provider-aws (crossplane-contrib/provider-aws#1175) but they seemed to have fixed it.
Expected behavior is for the securitygroup to reconcile based on name instead of id which is generated by aws (which we have no control over or means to get it)
How can we reproduce it?
Above steps should help to reproduce the issue
What environment did it happen in?