missing status for IAMPolicy after successful reconcile for existing and up to date storage bucket policy #261

Closed
jlgeering opened this issue Aug 28, 2020 · 6 comments
Labels
bug Something isn't working

Comments

@jlgeering

Describe the bug

status field is missing for this resource even though we see that the controller finished the reconcile in the logs

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
  name: _REDACTED_
spec:
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: _REDACTED_
  bindings:
    - members:
        - serviceAccount:_REDACTED_
      role: roles/storage.objectAdmin
    - members:
        - allUsers
      role: roles/storage.objectViewer

logs:

{
   "msg":"Running reconcile",
   "level":"info",
   "resource":{
      "namespace":"cc-ufg-infra",
      "name":"_REDACTED_"
   },
   "logger":"iampolicy-controller",
   "ts":1.5986046742256002E9
}
{
   "msg":"underlying resource is already up to date",
   "level":"info",
   "resource":{
      "namespace":"cc-ufg-infra",
      "name":"_REDACTED_"
   },
   "logger":"tfiamclient",
   "ts":1.598604674325002E9
}
{
   "msg":"Completed full reconcile",
   "level":"info",
   "resource":{
      "namespace":"cc-ufg-infra",
      "name":"_REDACTED_"
   },
   "logger":"iampolicy-controller",
   "ts":1.59860467432505E9
}

NB the policy was previously created using config connector

ConfigConnector Version
1.19.1

@jlgeering jlgeering added the bug Something isn't working label Aug 28, 2020
@jlgeering
Author

changing the policy a little bit and applying again, fixed the issue:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
  name: _REDACTED_
spec:
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: _REDACTED_
  bindings:
    - members:
        - serviceAccount:_REDACTED_
      role: roles/storage.objectAdmin
    - members:
        - allUsers
        - user:_REDACTED_
      role: roles/storage.objectViewer

gives us:

status:
  conditions:
  - lastTransitionTime: "2020-08-28T09:00:20Z"
    message: The resource is up to date
    reason: UpToDate
    status: "True"
    type: Ready

if I delete then re-apply the resource => same issue: status is missing

@xiaobaitusi
Contributor

Hi @jlgeering, thanks for reporting the issue. It seems to be a bug on our side; basically when the IAM policy controller detects that the underlying API is the same as the desired state, it exits the reconciliation without updating the status properly. We will look into fixing it and let you know when we have more information.

@vic614

vic614 commented Sep 3, 2020

Hi @xiaobaitusi, I am facing the same issue. Is there any update on the fix? I am switching from IAMPolicy to IAMPolicyMember, so when doing the switch there are chances the status block shows empty. In my case it was creating an IAMPolicyMember binding with roles/iam.workloadIdentityUser.

@jcanseco
Member

jcanseco commented Sep 3, 2020

Hi @vic614, we have a fix currently in review which we should be able to put out as part of a release in the coming weeks. We'll update this issue when it is out :)

@vic614

vic614 commented Sep 3, 2020

> Hi @vic614, we have a fix currently in review which we should be able to put out as part of a release in the coming weeks. We'll update this issue when it is out :)

Thanks

@kibbles-n-bytes
Contributor

This is fixed in 1.20.1. Let us know if you have any further issues!
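
Added example, not part of the thread and not Config Connector code: a Python check that lists IAMPolicy objects with no Ready condition (the symptom reported above) and notes which of them bind a role to allUsers, so those can be verified against the bucket first. The sample data, namespace and object names are constructed; real input is assumed to be the JSON from `kubectl get iampolicy --all-namespaces -o json` saved to a file.

```python
import json
import sys

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def ready_state(resource):
    """Return the Ready condition's status, or 'missing' if none is recorded."""
    for cond in (resource.get("status") or {}).get("conditions") or []:
        if cond.get("type") == "Ready":
            return cond.get("status", "Unknown")
    return "missing"

def public_roles(resource):
    """Roles that spec.bindings grants to allUsers or allAuthenticatedUsers."""
    bindings = (resource.get("spec") or {}).get("bindings") or []
    return sorted(b.get("role", "") for b in bindings
                  if PUBLIC_MEMBERS & set(b.get("members") or []))

def audit(resource_list):
    """Report IAMPolicy objects whose Ready condition is absent or not "True"."""
    findings = []
    for item in resource_list.get("items", []):
        state = ready_state(item)
        if item.get("kind") != "IAMPolicy" or state == "True":
            continue
        meta = item.get("metadata", {})
        findings.append({"namespace": meta.get("namespace", ""),
                         "name": meta.get("name", ""),
                         "ready": state,
                         "public_roles": public_roles(item)})
    return findings

# Constructed sample shaped like a kubectl JSON list; the namespace, object
# names and member identities are made up for this example.
SAMPLE = {"items": [
    {"kind": "IAMPolicy",
     "metadata": {"namespace": "example-ns", "name": "bucket-policy-a"},
     "spec": {"bindings": [
         {"role": "roles/storage.objectAdmin",
          "members": ["serviceAccount:sa@example.iam.gserviceaccount.com"]},
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"kind": "IAMPolicy",
     "metadata": {"namespace": "example-ns", "name": "bucket-policy-b"},
     "spec": {"bindings": [{"role": "roles/storage.objectViewer",
                            "members": ["user:someone@example.com"]}]},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}}]}

if __name__ == "__main__":
    # Pass a saved kubectl JSON file as the first argument, or run on SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print(f"{f['namespace']}/{f['name']}: Ready={f['ready']} public={f['public_roles']}")
```

An object reported with Ready=missing has no controller-written status to rely on, so confirm the bucket's effective IAM policy directly rather than from the Kubernetes resource.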
