[Bug]: Storage account always showing diff detected

[fherbert]

Is there an existing issue for this?

• I have searched the existing issues

Affected Resource(s)

storage.azure.upbound.io/v1beta1 - Account

Resource MRs required to reproduce the bug

apiVersion: storage.azure.upbound.io/v1beta1
kind: Account
metadata:
  name: lab
spec:
  providerConfigRef:
    name: azure
  forProvider:
    resourceGroupName: testRG
    location: Australia East
    accountTier: Premium
    accountKind: BlockBlobStorage
    accountReplicationType: ZRS
    allowNestedItemsToBePublic: false
    minTlsVersion: TLS1_2
    networkRules:
      - bypass:
          - Logging
          - Metrics
          - AzureServices
        defaultAction: Deny
        virtualNetworkSubnetIds:
          - /subscriptions/tenantID/resourceGroups/vnRG/providers/Microsoft.Network/virtualNetworks/vnets/subnets/subnet
        ipRules:
          - 15.25.14.0/23
    tags:
      App: TestAPP

Steps to Reproduce

kubectl apply -f MR.yaml

What happened?

Diff detected is continuously being logged, crossplane applies changes, the (we presume) azure modifies it back, crossplane detecs diff, rinse and repeat.
Nothing in the provider pod debug logs indicates what is different.

Relevant Error Output Snippet

package-runtime 2024-03-25T03:55:31Z    DEBUG    provider-azure    Diff detected    {"uid": "f1234567-1234-1234-1234-12345bc19469", "name": "lab","gvk": "storage.azure.upbound.io/v1beta1, Kind=Account", "instanceDiff": "*terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{\"queue_properties.#\":*terraform.ResourceAttrDiff{Old:\"\", New:\"\", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"share_properties.#\":*terraform.ResourceAttrDiff{Old:\"\", New:\"\", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, RawConfig:cty.NilVal, RawState:cty.NilVal, RawPlan:cty.NilVal, Meta:map[string]interface {}(nil)}"}

Crossplane Version

1.15.1

Provider Version

1.0.0

Kubernetes Version

1.27.9

Kubernetes Distribution

AKS

Additional Info

No response

[turkenf]

@fherbert, thank you for raising this issue.

The issue can be reproduced with the information provided, and the UpToDate condition does not come.

2024-03-26T17:39:09+03:00	DEBUG	provider-azure	Diff detected	{"uid": "ccc1f4cc-3fa5-40b4-865f-b22c6816b3bf", "name": "labtefst", "gvk": "storage.azure.upbound.io/v1beta1, Kind=Account", "instanceDiff": "*terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{\"queue_properties.#\":*terraform.ResourceAttrDiff{Old:\"\", New:\"\", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"share_properties.#\":*terraform.ResourceAttrDiff{Old:\"\", New:\"\", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, RawConfig:cty.NilVal, RawState:cty.NilVal, RawPlan:cty.NilVal, Meta:map[string]interface {}(nil)}"}
2024-03-26T17:39:09+03:00	DEBUG	provider-azure	Successfully requested update of external resource	{"controller": "managed/storage.azure.upbound.io/v1beta1, kind=account", "request": {"name":"labtefst"}, "uid": "ccc1f4cc-3fa5-40b4-865f-b22c6816b3bf", "version": "23939", "external-name": "labtefst", "requeue-after": "2024-03-26T17:49:36+03:00"}

[aurel333]

I think I am encountering the same issue as the storage account is continuously being reconciled.
I want to add that this causes a lot of requests on the Storage Azure API, up to the point that the Azure API request budget can be exhausted for the subscription, which impacts other people using it.

[turkenf]

@aurel33, thank you for your interest, are diff in the same fields? If the logs are recorded, can you share them?

[aurel333]

I used the following manifest (I removed some values but they do not seem important for this issue):

apiVersion: storage.azure.upbound.io/v1beta2
kind: Account
metadata:
  annotations:
    crossplane.io/external-name: accounttest
  name: account-test
spec:
  deletionPolicy: Delete
  forProvider:
    accessTier: Hot
    accountKind: FileStorage
    accountReplicationType: LRS
    accountTier: Premium
    allowNestedItemsToBePublic: false
    crossTenantReplicationEnabled: true
    enableHttpsTrafficOnly: false
    largeFileShareEnabled: true
    location: northeurope
    minTlsVersion: TLS1_2
    networkRules:
      bypass:
      - AzureServices
      defaultAction: Deny
      ipRules:
      -  ...
      -  ...
      virtualNetworkSubnetIds:
      - ...
      - ...
    publicNetworkAccessEnabled: true
    queueEncryptionKeyType: Service
    resourceGroupName: myrg
    shareProperties:
      retentionPolicy:
        days: 7
      smb: {}
    sharedAccessKeyEnabled: true
    tableEncryptionKeyType: Service
  initProvider: {}

And in the logs I got the following diff:

2024-06-10T17:36:22Z       DEBUG   provider-azure  Diff detected   {"uid": "6c1c0ed4-06cf-4412-aac7-5d24d8eaf8c2", "name": "account-test", "gvk": "storage.azure.upbound.io/v1beta1, Kind=Account", "instanceDiff": "*terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{\"blob_properties.#\":*terraform.ResourceAttrDiff{Old:\"\", New:\"\", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"queue_properties.#\":*terraform.ResourceAttrDiff{Old:\"\", New:\"\", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, RawConfig:cty.NilVal, RawState:cty.NilVal, RawPlan:cty.NilVal, Meta:map[string]interface {}(nil)}"}

So the detected diffs are on the fields blob_properties and queue_properties. I think what we have in common with @fherbert is that we do not explicitly set the properties detected as drift (though it may depend on the accountKind of the SA).

Also I notice that in both cases it is the field something_properties that is the issue.

[github-actions]

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

[turkenf]

/fresh