[RDS] pendingModifiedValues not respected - caCertificateIdentifier causes reconcile loop

[eloo-abi]

What happened?

We are right now updating our rds certificates and have discovered a similar issue like described in this ticket #1889 At least we see additional unexpected behaviour here.

We do not want to set the applyImmediatelly to true and just want to use the common maintenance window configured in our instance. But with that change in place we are getting reconcile loops caused by crossplane. It looks like the pendingModifiedValues is not respected in the calculateDiff or isUpDate function.

We are getting a lot of this diffs in our logs

Found observed difference in dbinstance
  &v1alpha1.DBInstanceParameters{
  	... // 2 ignored and 3 identical fields
  	BackupRetentionPeriod:   nil,
  	BackupTarget:            nil,
- 	CACertificateIdentifier: nil,
+ 	CACertificateIdentifier: &"rds-ca-rsa2048-g1",
  	CharacterSetName:        nil,
  	CopyTagsToSnapshot:      nil,
  	... // 7 ignored and 41 identical fields
  }

and our instance are the whole time "updating"

in the status we see the pendingModifiedValues as expected:

    pendingModifiedValues:
      caCertificateIdentifier: rds-ca-rsa2048-g1

So i would expect crossplane is checking this two values and then ignore this change. Further its weird that - CACertificateIdentifier: nil, is "nil" because in the forProvider.caCertificateIdentifier we had before the old value.

How can we reproduce it?

• Create a MR for RDS with caCertificateIdentifier: rds-ca-2019
• Apply a patch like this

k patch --patch '{"spec": {"forProvider": {"caCertificateIdentifier": "rds-ca-rsa2048-g1"}}}' --type merge <your-instance>

• Ensure applyImmediately: false
• See your dbinstance updating the whole time without any modification

What environment did it happen in?

Crossplane versions: xpkg.upbound.io/crossplane/crossplane:v1.15.2 xpkg.upbound.io/crossplane-contrib/provider-aws:v0.47.2