RDSInstance.forProvider.caCertificateIdentifier property is not working #1889

Closed
mateusz-lubanski-sinch opened this issue Oct 9, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@mateusz-lubanski-sinch

What happened?

After setting the RDSInstance.forProvider.caCertificateIdentifier property value to rds-ca-rsa2048-g1, the change is not reflected in the provisioned RDS Instance (it still uses rds-ca-2019).

Might be related to: #1795

How can we reproduce it?

example RDS Instance:

apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  annotations:
    crossplane.io/external-name: deploy-to-lab-mysql-0
  name: deploy-to-lab-mysql-0-x6fhs
spec:
  deletionPolicy: Delete
  forProvider:
    allocatedStorage: 20
    applyModificationsImmediately: false
    backupRetentionPeriod: 0
    caCertificateIdentifier: rds-ca-rsa2048-g1
    copyTagsToSnapshot: true
    dbInstanceClass: db.t4g.small
    dbParameterGroupName: deploy-to-lab-mysql-0
    dbSubnetGroupName: private_net_vpc-09axxx
    enableCloudwatchLogsExports:
    - audit
    enablePerformanceInsights: false
    engine: mysql
    masterUsername: root
    maxAllocatedStorage: 1000
    multiAZ: false
    preferredBackupWindow: 14:00-16:00
    preferredMaintenanceWindow: Mon:11:00-Mon:14:00
    publiclyAccessible: false
    region: eu-west-1
    skipFinalSnapshotBeforeDeletion: true
    storageEncrypted: true
    storageType: gp3
    vpcSecurityGroupIds:
    - sg-05xxx
    - sg-06xxx
    - sg-04xxx
  managementPolicies:
  - Observe
  - Create
  - Update
  - Delete
  providerConfigRef:
    name: crossplane-provider-aws

After a while the resource is provisioned:

kubectl get rdsinstance
NAME                          READY   SYNCED   STATE       ENGINE   VERSION   AGE
deploy-to-lab-mysql-0-x6fhs   True    True     available   mysql              26m

When we look at the AWS Console we can see that our database is using the rds-ca-2019 CA certificate, which is wrong because we set it to rds-ca-rsa2048-g1.

When we check RDS Instance status we can see below pendingModifiedValues:

kubectl get rdsinstance deploy-to-lab-mysql-0-x6fhs -o yaml | yq ".status.atProvider.pendingModifiedValues"
caCertificateIdentifier: rds-ca-rsa2048-g1
pendingCloudwatchLogsExports: {}

In the AWS Console there is no pending modification; restarting the RDS Instance also didn't help.

What environment did it happen in?

  • Crossplane version: 1.13.2
  • provider version: xpkg.upbound.io/crossplane-contrib/provider-aws:v0.43.0
  • Cloud provider: AWS
  • Kubernetes version 1.24.x
  • Kubernetes distribution: EKS
@mateusz-lubanski-sinch mateusz-lubanski-sinch added the bug Something isn't working label Oct 9, 2023
@MisterMX
Collaborator

I tried to replicate this issue in v0.44.0 and I got a successful update from rds-ca-2019 to rds-ca-rsa2048-g1 without any issues. There is also no additional value in pendingModifiedValues.

Could it be that the non-update is caused by having spec.forProvider.applyModificationsImmediately: false?

@mateusz-lubanski-sinch
Author

You are right @MisterMX, after updating spec.forProvider.applyModificationsImmediately: true it is working as expected!
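
Added example, not part of the thread and not provider-aws code: in the report above the resource showed READY and SYNCED as True while the requested CA was still only listed under pendingModifiedValues, so a stale CA certificate is easy to miss during a rotation. This check reads `kubectl get rdsinstance -o json` output and flags that state; the sample input is constructed, the second instance name is hypothetical, and treating an unset applyModificationsImmediately as false is an assumption.

```python
import json

# Constructed sample shaped like `kubectl get rdsinstance -o json`,
# reduced to the fields discussed in this issue.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "deploy-to-lab-mysql-0-x6fhs"},
     "spec": {"forProvider": {
         "caCertificateIdentifier": "rds-ca-rsa2048-g1",
         "applyModificationsImmediately": False}},
     "status": {"atProvider": {"pendingModifiedValues": {
         "caCertificateIdentifier": "rds-ca-rsa2048-g1",
         "pendingCloudwatchLogsExports": {}}}}},
    {"metadata": {"name": "example-applied"},  # hypothetical second instance
     "spec": {"forProvider": {
         "caCertificateIdentifier": "rds-ca-rsa2048-g1",
         "applyModificationsImmediately": True}},
     "status": {"atProvider": {}}},
]})


def deferred_ca_changes(kubectl_json):
    """Return (name, requested_ca) for instances whose CA change is still pending."""
    data = json.loads(kubectl_json)
    # Accept both a list ("items") and a single object from `kubectl get <name>`.
    items = data.get("items", [data])
    findings = []
    for item in items:
        spec = item.get("spec", {}).get("forProvider", {})
        at_provider = item.get("status", {}).get("atProvider", {})
        pending = at_provider.get("pendingModifiedValues") or {}
        wanted = spec.get("caCertificateIdentifier")
        if not wanted:
            continue  # no CA requested in the spec, nothing to compare
        still_pending = pending.get("caCertificateIdentifier") == wanted
        # Assumption: an unset applyModificationsImmediately counts as false.
        immediate = bool(spec.get("applyModificationsImmediately", False))
        if still_pending and not immediate:
            findings.append((item["metadata"]["name"], wanted))
    return findings


if __name__ == "__main__":
    for name, ca in deferred_ca_changes(SAMPLE):
        print(f"{name}: {ca} requested but still pending; "
              "applyModificationsImmediately is not true")
```
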
