As AWS does not allow in-place updates of certain resources (Role, PolicyAttachment, ...), we currently delete the previous resource and recreate it. This might cause issues when hitting resource limits?
How to make this safe? The point is, if this happens in production due to something triggering the re-creation, this might leave a Role uncreated and cause services using this role to fail. Not sure about it...
```go
// RECONCILE THE RESOURCE

// if there is already an ARN in our status, then we recreate the object completely
// (because AWS only supports description updates)
if role.Status.ARN != "" {
	// delete the actual AWS Object and pass the cleanup function
	statusUpdater, err := DeleteAWSObject(iamsvc, ins, cleanupFunc)
	// we got a StatusUpdater function returned... let's execute it
	statusUpdater(ins, &role, ctx, r.Status(), log)
	if err != nil {
		// we had an error during AWS Object deletion... so we return here to retry
		log.Error(err, "error while deleting Role during reconciliation")
		return ctrl.Result{}, err
	}
}

statusUpdater, err := CreateAWSObject(iamsvc, ins, DoNothingPreFunc)
statusUpdater(ins, &role, ctx, r.Status(), log)
if err != nil {
	log.Error(err, "error while creating Role during reconciliation")
	return ctrl.Result{}, err
}

log.Info(fmt.Sprintf("Created Role '%s'", role.Status.ARN))
```
aws-iam-operator/controllers/role_controller.go
Lines 154 to 177 in 54e6ee5
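One way to narrow the window in which the role does not exist is to recreate only when an immutable attribute changed and to fix everything else in place. The following is an added example, not code from aws-iam-operator: it assumes a small IAM client abstraction (`roleAPI`, whose method names mirror the IAM actions GetRole, CreateRole, DeleteRole and UpdateAssumeRolePolicy) with an in-memory fake so it runs offline, and `RoleSpec`, `RoleState`, `Action` and the account id in the ARN are all constructed for the example. A trust-policy change goes through UpdateAssumeRolePolicy while the role keeps existing (description and max session duration would go through UpdateRole the same way); only a Path change falls into the delete-then-create branch, and a create failure there is returned as an error so the controller retries instead of silently leaving the role absent.

```go
package main

import (
	"errors"
	"fmt"
)

// RoleSpec is the desired state, a hypothetical stand-in for the operator's Role CRD.
type RoleSpec struct {
	Name, Path  string // both immutable in IAM: a change to either forces delete + create
	TrustPolicy string // assume-role policy document; updatable in place via UpdateAssumeRolePolicy
}

// RoleState is what the IAM API reports for an existing role.
type RoleState struct{ ARN, Name, Path, TrustPolicy string }

// roleAPI mirrors the IAM actions Reconcile needs; the interface is this example's assumption, not the AWS SDK.
type roleAPI interface {
	GetRole(name string) (*RoleState, error)
	CreateRole(spec RoleSpec) (*RoleState, error)
	DeleteRole(name string) error
	UpdateAssumeRolePolicy(name, policyDocument string) error
}

var errNotFound = errors.New("NoSuchEntity") // stands in for IAM's NoSuchEntity error

type Action string // records which path Reconcile took; only ActionRecreate has a window in which the role is absent

const ActionNone, ActionCreate, ActionUpdate, ActionRecreate Action = "none", "create", "update-in-place", "recreate"

// Reconcile converges the role to spec and recreates it only when unavoidable.
func Reconcile(api roleAPI, spec RoleSpec) (Action, *RoleState, error) {
	cur, err := api.GetRole(spec.Name)
	if errors.Is(err, errNotFound) {
		st, err := api.CreateRole(spec)
		return ActionCreate, st, err
	}
	if err != nil {
		return ActionNone, nil, err
	}
	if cur.Path != spec.Path { // immutable field changed: delete + create is unavoidable
		if err = api.DeleteRole(spec.Name); err != nil {
			return ActionNone, nil, err
		}
		// A failed create is returned as an error so the controller retries instead of leaving the role absent.
		st, err := api.CreateRole(spec)
		if err != nil {
			return ActionRecreate, nil, fmt.Errorf("role %q deleted but not recreated: %w", spec.Name, err)
		}
		return ActionRecreate, st, nil
	}
	if cur.TrustPolicy == spec.TrustPolicy {
		return ActionNone, cur, nil
	}
	// Mutable drift is fixed in place: the role exists throughout, so services assuming it are not disrupted.
	if err = api.UpdateAssumeRolePolicy(spec.Name, spec.TrustPolicy); err != nil {
		return ActionNone, nil, err
	}
	cur.TrustPolicy = spec.TrustPolicy
	return ActionUpdate, cur, nil
}

// fakeIAM is an in-memory stand-in for IAM, keyed by role name, so the example runs offline.
type fakeIAM map[string]*RoleState

func (f fakeIAM) with(name string, fn func(*RoleState)) error { // run fn on a stored role, else NoSuchEntity
	r, ok := f[name]
	if !ok {
		return errNotFound
	}
	fn(r)
	return nil
}

func (f fakeIAM) GetRole(name string) (*RoleState, error) {
	c := new(RoleState) // a copy, so callers cannot mutate the fake's state through the pointer
	if err := f.with(name, func(r *RoleState) { *c = *r }); err != nil {
		return nil, err
	}
	return c, nil
}

func (f fakeIAM) CreateRole(spec RoleSpec) (*RoleState, error) {
	if _, ok := f[spec.Name]; ok {
		return nil, errors.New("EntityAlreadyExists")
	}
	f[spec.Name] = &RoleState{ARN: "arn:aws:iam::123456789012:role" + spec.Path + spec.Name, // constructed account id
		Name: spec.Name, Path: spec.Path, TrustPolicy: spec.TrustPolicy}
	return f.GetRole(spec.Name)
}

func (f fakeIAM) DeleteRole(name string) error {
	return f.with(name, func(*RoleState) { delete(f, name) })
}
func (f fakeIAM) UpdateAssumeRolePolicy(name, policyDocument string) error {
	return f.with(name, func(r *RoleState) { r.TrustPolicy = policyDocument })
}

func main() { fmt.Println(Reconcile(fakeIAM{}, RoleSpec{Name: "app", Path: "/", TrustPolicy: "{}"})) }
```

In the real controller the immutable set would also include the role name and anything else IAM rejects in an update, and the recreate branch is where a resource-limit error would surface: the role is already gone at that point, which is exactly why that branch should stay rare and always return the error for a retry.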