
Cannot update dynamodb table with kms encryption

Open ricardomiguel-os opened this issue 2 years ago • 0 comments

What happened?

  1. I've created a dynamodb table using provider-aws without explicit encryption, resulting in the default "Owned by Amazon DynamoDB" encryption, as expected.

  2. Updated the same table definition with a customer key by specifying kmsMasterKeyID with my key alias. I can see that the managed resource (table) has the correct updated encryption and the resource is synced and ready, but the dynamodb table keeps the initial "Owned by Amazon DynamoDB" encryption - drift between expected and actual state.

  3. Finally, I've added a global secondary index to the managed resource definition and somehow it triggered the change on table encryption to the one I've defined before, but the index wasn't created.

So in the end (after creating the index without success) I got the encryption that I wanted but I can see this error on the managed resource:

cannot update Table in AWS: LimitExceededException: Subscriber limit exceeded: Encryption mode changes are limited in the 24h window ending at 2022-08-20T08:42:25.398Z. After the first 4 change, each subsequent change in the same window can be performed at most once every 21600 seconds. Number of updates today: 4

How can we reproduce it?

Create the dynamodb table:

apiVersion: dynamodb.aws.crossplane.io/v1alpha1
kind: Table
metadata:
  name: crossplane-table-test
spec:
  providerConfigRef:
    name: aws-provider
  forProvider:
    region: eu-west-1
    attributeDefinitions:
      - attributeName: Id
        attributeType: S
    billingMode: PAY_PER_REQUEST
    keySchema:
      - attributeName: Id
        keyType: HASH

Create a customer managed key with an alias:

apiVersion: kms.aws.crossplane.io/v1alpha1
kind: Key
metadata:
  name: crossplane-key-test
spec:
  forProvider:
    region: eu-west-1
    enableKeyRotation: true
  providerConfigRef:
    name: aws-provider
---
apiVersion: kms.aws.crossplane.io/v1alpha1
kind: Alias
metadata:
  name: crossplane-key-alias-test
spec:
  forProvider:
    region: eu-west-1
    targetKeyIdRef:
      name: crossplane-key-test
  providerConfigRef:
    name: aws-provider

Update the table definition by adding customer encryption - Encryption won't change:

#[...]
sseSpecification:
  enabled: true
  kmsMasterKeyID: alias/crossplane-key-alias-test
  sseType: "KMS"

Update table definition to add a global secondary index:

#[...]
attributeDefinitions:
  # add the below attribute
  - attributeName: OtherId
    attributeType: S
globalSecondaryIndexes:
  - indexName: OtherIdIndex
    keySchema:
      - attributeName: OtherId
        keyType: HASH
    projection:
      projectionType: ALL

You will see the encryption changing and the error appearing on the table managed resource.

What environment did it happen in?

  • Crossplane version: v1.9.0
  • AWS Provider version: 0.30.0

  • Cloud provider or hardware configuration: M1
  • Kubernetes version: v1.24.3
  • Kubernetes distribution: Kind
  • OS: MacOs 12.3.1
  • Kernel: Darwin

ricardomiguel-os, Aug 22 '22 07:08
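The core of this report is that the managed resource claimed to be synced while the live table still used the AWS-owned key. The following is an added example, not code from the issue or from provider-aws: a small drift check that compares a Table's sseSpecification (as in the manifest above) against the Table object that `aws dynamodb describe-table` returns. The DescribeTable responses, the account id and the key id in the ARN are constructed placeholders; since DescribeTable reports key ARNs rather than aliases, the caller supplies the ARN the alias resolves to (for example from `aws kms describe-key --key-id alias/...`).

```python
"""Detect DynamoDB server-side-encryption drift between a Crossplane Table
spec and what DescribeTable actually reports.

Added example (not code from the issue or from provider-aws). It works on
plain dicts; the sample inputs below are constructed. The real input would
be the "Table" object from `aws dynamodb describe-table`.
"""
from __future__ import annotations

from typing import Any

# Constructed: the sseSpecification block from the issue's Table manifest.
DESIRED_SSE: dict[str, Any] = {
    "enabled": True,
    "sseType": "KMS",
    "kmsMasterKeyID": "alias/crossplane-key-alias-test",
}

# Constructed: the ARN the alias above resolves to (placeholder account and key id).
# In practice obtain it with `aws kms describe-key --key-id alias/...`.
RESOLVED_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"

# Constructed: DescribeTable output for a table still on the default
# "Owned by Amazon DynamoDB" key. DynamoDB omits SSEDescription in that case.
OWNED_BY_DYNAMODB_TABLE: dict[str, Any] = {
    "TableName": "crossplane-table-test",
    "TableStatus": "ACTIVE",
}

# Constructed: the same table after the switch to the customer managed key.
CMK_TABLE: dict[str, Any] = {
    "TableName": "crossplane-table-test",
    "TableStatus": "ACTIVE",
    "SSEDescription": {
        "Status": "ENABLED",
        "SSEType": "KMS",
        "KMSMasterKeyArn": RESOLVED_KEY_ARN,
    },
}


def actual_sse(table: dict[str, Any]) -> dict[str, Any]:
    """Normalise the SSEDescription of a DescribeTable response.

    A missing SSEDescription means the table uses the AWS-owned key, which
    the console labels "Owned by Amazon DynamoDB".
    """
    sse = table.get("SSEDescription") or {}
    return {
        "enabled": sse.get("Status") == "ENABLED",
        "sseType": sse.get("SSEType"),
        "kmsKeyArn": sse.get("KMSMasterKeyArn"),
    }


def detect_sse_drift(
    desired: dict[str, Any],
    table: dict[str, Any],
    resolved_key_arn: str | None = None,
) -> list[str]:
    """Return human-readable drift findings; an empty list means in sync.

    `resolved_key_arn` is the ARN that desired["kmsMasterKeyID"] (possibly
    an alias) resolves to, because DescribeTable only reports ARNs.
    """
    actual = actual_sse(table)
    findings: list[str] = []

    want_enabled = bool(desired.get("enabled", False))
    if want_enabled != actual["enabled"]:
        findings.append(f"enabled: desired {want_enabled}, actual {actual['enabled']}")
    if not want_enabled:
        return findings

    want_type = desired.get("sseType", "KMS")
    if actual["sseType"] != want_type:
        findings.append(f"sseType: desired {want_type}, actual {actual['sseType']}")

    want_key = desired.get("kmsMasterKeyID")
    if want_key:
        if resolved_key_arn is None:
            # Cannot confirm the key without resolving the alias: report it rather than pass silently.
            findings.append(f"kmsMasterKeyID: {want_key!r} not resolved to an ARN, key identity unverified")
        elif actual["kmsKeyArn"] != resolved_key_arn:
            findings.append(f"kmsMasterKeyID: desired {resolved_key_arn}, actual {actual['kmsKeyArn']}")
    return findings


def is_in_sync(desired: dict[str, Any], table: dict[str, Any], resolved_key_arn: str | None = None) -> bool:
    """True only when spec and live table agree on every SSE field."""
    return not detect_sse_drift(desired, table, resolved_key_arn)


if __name__ == "__main__":
    for label, table in (("before", OWNED_BY_DYNAMODB_TABLE), ("after", CMK_TABLE)):
        drift = detect_sse_drift(DESIRED_SSE, table, RESOLVED_KEY_ARN)
        print(f"{label}: {'in sync' if not drift else drift}")
```

Run against the real table, a non-empty result while the managed resource reports Synced=True is exactly the symptom described in step 2; the check treats an unresolved alias as a finding rather than a pass, so a missing lookup cannot mask drift.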