cluster-api-provider-aws

Fails to patch AWSMachine: admission webhook denied the request

Open JacobValdemar opened this issue 9 months ago • 3 comments
/kind bug

What steps did you take and what happened:

I added a MachineDeployment to my cluster. It seems to work as expected, but the capa-controller-manager has started logging the following:

controller.go:329 "Reconciler error" err="failed to patch AWSMachine namespace_redacted/awsmachine_name_redacted: admission webhook \"validation.awsmachine.infrastructure.cluster.x-k8s.io\" denied the request: AWSMachine.infrastructure.cluster.x-k8s.io \"awsmachine_name_redacted\" is invalid: spec: Forbidden: cannot be modified" controller="awsmachine" controllerGroup="infrastructure.cluster.x-k8s.io" controllerKind="AWSMachine" AWSMachine="namespace_redacted/awsmachine_name_redacted" namespace="namespace_redacted" name="awsmachine_name_redacted" reconcileID="db20b7fe-85c2-45f6-91d8-4cbc3a0e75cc"

I don't know if it is a problem, but the error probably occurs for a reason.

What did you expect to happen:

I expected that there wasn't any error logged by the capa-controller-manager.

Anything else you would like to add:

Configuration of the AWSMachine that is referred to:
Name:         redacted
Namespace:    redacted
Labels:       cluster.x-k8s.io/cluster-name=redacted
              cluster.x-k8s.io/deployment-name=redacted
              cluster.x-k8s.io/set-name=redacted
              machine-template-hash=redacted
              nodeType=redacted
              type=redacted
              zone=redacted
Annotations:  cluster.x-k8s.io/cloned-from-groupkind: AWSMachineTemplate.infrastructure.cluster.x-k8s.io
              cluster.x-k8s.io/cloned-from-name: redacted
              sigs.k8s.io/cluster-api-provider-aws-last-applied-tags: redacted
              sigs.k8s.io/cluster-api-provider-last-applied-tags-on-volumes: redacted
API Version:  infrastructure.cluster.x-k8s.io/v1beta2
Kind:         AWSMachine
Metadata:
  Creation Timestamp:  2025-01-30T12:32:39Z
  Finalizers:
    awsmachine.infrastructure.cluster.x-k8s.io
  Generation:  2
  Owner References:
    API Version:           cluster.x-k8s.io/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Machine
    Name:                  redacted
    UID:                   redacted
  Resource Version:        707592481
  UID:                     0389350a-dd34-4a63-8075-b0a0234a458f
Spec:
  Additional Security Groups:
    Id:  redacted
  Additional Tags:
    Domain:    redacted
    Owned By:  redacted
  Ami:
    Id:  redacted
  Cloud Init:
    Secure Secrets Backend:  redacted
  Iam Instance Profile:      nodes.cluster-api-provider-aws.sigs.k8s.io
  Instance ID:               redacted
  Instance Type:             redacted
  Provider ID:               aws:///redacted/redacted
  Root Volume:
    Encrypted:   true
    Size:        128
    Type:        gp3
  Ssh Key Name:
  Subnet:
    Id:  redacted
Status:
  Addresses:
    Address:  redacted
    Type:     InternalDNS
    Address:  redacted
    Type:     InternalIP
  Conditions:
    Last Transition Time:  2025-01-30T12:33:13Z
    Status:                True
    Type:                  Ready
    Last Transition Time:  2025-01-30T12:33:13Z
    Status:                True
    Type:                  InstanceReady
    Last Transition Time:  2025-01-30T12:32:42Z
    Status:                True
    Type:                  SecurityGroupsReady
  Instance State:          running
  Ready:                   true
Events:                    <none>

I am happy to provide any additional information you may need to troubleshoot this issue.

Environment:

  • Cluster-api-provider-aws version: v2.6.1 (registry.k8s.io/cluster-api-aws/cluster-api-aws-controller)
  • Kubernetes version: (use kubectl version): v1.29.12-eks-2d5f260
  • OS (e.g. from /etc/os-release): n/a

JacobValdemar, Feb 04 '25 07:02