provider-aws
SQS Redrive Policy precedence results in referencing incorrect dead letter queue ARN
What happened?
I have noticed that there is an interesting order of precedence for how it determines the RedrivePolicy.
In order of highest precedence to lowest:
- deadLetterTargetArn
- deadLetterTargetArnRef
- deadLetterTargetArnSelector
And from some observation, deadLetterTargetArnSelector determines the deadLetterTargetArnRef, which in turn determines the deadLetterTargetArn.
And the deadLetterTargetArn is the only field which is considered when setting the redrive policy within AWS. If the deadLetterTargetArn is set, then the other fields are ignored.
This has resulted in some unwanted behaviour where if you update the deadLetterTargetArnRef or deadLetterTargetArnSelector, then the deadLetterTargetArn remains unchanged.
How can we reproduce it?
Create three queues with Crossplane:
- one called correct-dead-letter-queue
- one called wrong-resource
- one called main-queue
In the main-queue, set the redrivePolicy to:
redrivePolicy:
  maxReceiveCount: 3
  deadLetterTargetArnRef:
    name: wrong-resource
Apply the change and then run kubectl get queue.sqs.aws.crossplane.io main-queue -o yaml, paying attention to the redrivePolicy. You should see something like:
redrivePolicy:
  deadLetterTargetArn: arn:aws:sqs:<REGION>:<ACCOUNT_NUMBER>:wrong-resource
  deadLetterTargetArnRef:
    name: wrong-resource
Finally, try to update the redrivePolicy to:
redrivePolicy:
  maxReceiveCount: 3
  deadLetterTargetArnRef:
    name: correct-dead-letter-queue
Apply the change and then run kubectl get queue.sqs.aws.crossplane.io main-queue -o yaml, paying attention to the redrivePolicy. You should see something like:
redrivePolicy:
  deadLetterTargetArn: arn:aws:sqs:<REGION>:<ACCOUNT_NUMBER>:wrong-resource # note this doesn't get updated and therefore references the wrong queue in AWS.
  deadLetterTargetArnRef:
    name: correct-dead-letter-queue
What environment did it happen in?
Crossplane version: 1.9.0
AWS Provider version: 0.29.0
Cloud provider or hardware configuration: AWS EKS
Kubernetes version (use kubectl version): v1.21.14-eks-18ef993
Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): EKS
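
A check for the stale state described in this report, as an added example that is not part of the original issue or the provider's code: it flags Queue objects whose resolved deadLetterTargetArn names a different queue than deadLetterTargetArnRef. It assumes the fields sit under spec.forProvider.redrivePolicy and that each queue's AWS name equals its Kubernetes resource name, as in the reproduction; the region and account ID in the sample are constructed.

```python
import json

# Constructed sample, shaped like trimmed output of
# `kubectl get queue.sqs.aws.crossplane.io -o json` (region/account are made up).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "main-queue"},
   "spec": {"forProvider": {"redrivePolicy": {
     "maxReceiveCount": 3,
     "deadLetterTargetArn": "arn:aws:sqs:us-east-1:111122223333:wrong-resource",
     "deadLetterTargetArnRef": {"name": "correct-dead-letter-queue"}}}}},
  {"metadata": {"name": "other-queue"},
   "spec": {"forProvider": {"redrivePolicy": {
     "maxReceiveCount": 3,
     "deadLetterTargetArn": "arn:aws:sqs:us-east-1:111122223333:correct-dead-letter-queue",
     "deadLetterTargetArnRef": {"name": "correct-dead-letter-queue"}}}}},
  {"metadata": {"name": "correct-dead-letter-queue"},
   "spec": {"forProvider": {}}}
]}
""")


def arn_queue_name(arn):
    """Return the queue name from an SQS ARN, or None if it is not one."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sqs" or not parts[5]:
        return None
    return parts[5]


def find_stale_redrive(doc):
    """List (queue, referenced name, resolved ARN) where ref and ARN disagree."""
    items = doc.get("items", [doc])  # accept a List or a single Queue object
    stale = []
    for q in items:
        # Assumed path: spec.forProvider.redrivePolicy
        rp = q.get("spec", {}).get("forProvider", {}).get("redrivePolicy") or {}
        arn = rp.get("deadLetterTargetArn")
        ref = (rp.get("deadLetterTargetArnRef") or {}).get("name")
        # Assumption: the AWS queue name equals the Kubernetes resource name.
        if arn and ref and arn_queue_name(arn) != ref:
            stale.append((q["metadata"]["name"], ref, arn))
    return stale


if __name__ == "__main__":
    for name, ref, arn in find_stale_redrive(SAMPLE):
        print(f"{name}: ref -> {ref}, but deadLetterTargetArn is {arn}")
```

Queues whose external name differs from the resource name will be reported as mismatches and need a manual look.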