CloudSQLInstance keeps modifying the instance #352

Closed
b4nst opened this issue Aug 11, 2021 · 6 comments · Fixed by #374
Labels
bug Something isn't working

Comments


b4nst commented Aug 11, 2021

What happened?

I still can see the behavior of #164

How can we reproduce it?

---
apiVersion: database.gcp.crossplane.io/v1beta1
kind: CloudSQLInstance
metadata:
  name: sre-6-db
  namespace: crossplane
spec:
  deletionPolicy: "Orphan"
  forProvider:
    databaseVersion: POSTGRES_11
    region: europe-west1
    settings:
      ipConfiguration:
        ipv4Enabled: false
        privateNetwork: default
      tier: db-custom-1-3840
  writeConnectionSecretToRef:
    name: db-connection
    namespace: default

What environment did it happen in?

  • Crossplane version: v1.3.0
  • Cloud provider or hardware configuration: provider-gcp-controller:v0.17.1
  • K8s Rev: v1.20.8-gke.900

Workaround/Fix

Use full resource URL for spec.forProvider.settings.ipConfiguration.privateNetwork instead of name.

---
apiVersion: database.gcp.crossplane.io/v1beta1
kind: CloudSQLInstance
metadata:
  name: sre-6-db
  namespace: crossplane
spec:
  deletionPolicy: "Orphan"
  forProvider:
    databaseVersion: POSTGRES_11
    region: europe-west1
    settings:
      ipConfiguration:
        ipv4Enabled: false
-       privateNetwork: default
+       privateNetwork: projects/your-project/global/networks/default
      tier: db-custom-1-3840
  writeConnectionSecretToRef:
    name: db-connection
    namespace: default
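
Review bot: on the added privateNetwork line, your-project is a placeholder and nothing next to the manifest says so. State that it must be replaced with the ID of the project that owns the default VPC, so the value is not applied literally.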

b4nst added the bug label Aug 11, 2021

astraios commented Sep 9, 2021

Do we have any news about this one?

turkenh (Contributor) commented Sep 15, 2021

@b4nst I am trying to reproduce the issue on my side, but I cannot create a CloudSQLInstance with the manifest you shared. Getting:

  Warning  CannotCreateExternalResource     3s (x5 over 30s)  managed/cloudsqlinstance.database.gcp.crossplane.io  cannot create new CloudSQL instance: googleapi: Error 400: Invalid request: Incorrect Service Networking config for instance: redacted-project:sre-6-db-hasan-bug352-2:NETWORK_NOT_PEERED., invalid

Tried setting privateNetwork both as default and projects/redacted-project/global/networks/default, but no luck.

When I try to create it without the privateNetwork field and then attempt to add it with an update, I am observing periodic updates as you mentioned, but I believe this is because something is wrong with the configuration. I am observing some operation logs saying something went wrong with much details.

So, my question is, do we create your instance with the manifest or attempt to update it like that after creation?
Any hints that could help me to reproduce would be nice.

b4nst (Author) commented Sep 16, 2021

Hey @turkenh, thanks for working on that! I suspect the issue you're facing is you're lacking private services access. I think you can enable it directly through crossplane, but I did it manually for testing purposes.

Regarding the instance, I'm creating it from scratch with the crossplane manifest.

turkenh (Contributor) commented Sep 16, 2021

Thanks @b4nst, this did help and I could reproduce on my side.

I also found the problem, which is that the privateNetwork field indeed expects the resource link for the network (which is indeed documented in the field description), but the Google API still accepts a VPC network name and converts it to a resource link by assuming it is in the same project.

In the next reconcile, Crossplane considers this a configuration drift, e.g. expecting it to be default but it is projects/redacted-project/global/networks/default, and triggers an update.

So, to fix the situation, you should use the resource link of the VPC instead of its name.

turkenh (Contributor) commented Sep 16, 2021

It is kind of working as expected (as documented), but we definitely need to improve this for a better UX.

The most straightforward solution would be to return a proper error if privateNetwork field is a resource URL.
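
The drift loop described in the two comments above, together with one way to reject the ambiguous value up front, as an added Go example (not provider-gcp's code and not the change made in #374). The names apiNormalize, reconcile and validatePrivateNetwork are hypothetical, and the API's name-to-link rewrite is modelled only from the description in this thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// networkLink matches the full resource-link form used in the workaround.
var networkLink = regexp.MustCompile(`^projects/[^/]+/global/networks/[^/]+$`)

// apiNormalize models the behaviour described in the thread (an assumption, not
// the real API): a bare VPC name is stored as a link in the instance's project.
func apiNormalize(project, privateNetwork string) string {
	if networkLink.MatchString(privateNetwork) {
		return privateNetwork
	}
	return fmt.Sprintf("projects/%s/global/networks/%s", project, privateNetwork)
}

// reconcile simulates n reconcile passes that compare desired spec and observed
// state as plain strings, and returns how many updates were issued.
func reconcile(project, desired string, n int) int {
	observed := apiNormalize(project, desired) // state right after create
	updates := 0
	for i := 0; i < n; i++ {
		if observed != desired { // reported as drift
			observed = apiNormalize(project, desired) // update re-sends the spec
			updates++
		}
	}
	return updates
}

// validatePrivateNetwork rejects anything that is not a full resource link, so
// the mismatch shows up as an error instead of as repeated updates.
// Assumption: an empty value means the field is unset and is allowed.
func validatePrivateNetwork(v string) error {
	if v == "" || networkLink.MatchString(v) {
		return nil
	}
	return fmt.Errorf("privateNetwork %q: want projects/<project>/global/networks/<network>", v)
}

func main() {
	// Constructed sample values taken from the two manifests in this issue.
	for _, v := range []string{"default", "projects/your-project/global/networks/default"} {
		fmt.Printf("%-48q updates in 5 reconciles: %d, validation: %v\n",
			v, reconcile("your-project", v, 5), validatePrivateNetwork(v))
	}
}
```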

turkenh added a commit to turkenh/provider-gcp that referenced this issue Sep 16, 2021
b4nst (Author) commented Sep 16, 2021

Gotcha, thanks for the details!

turkenh added a commit to turkenh/provider-gcp that referenced this issue Sep 20, 2021
Closes crossplane-contrib#352

Signed-off-by: Hasan Turken <[email protected]>
(cherry picked from commit 56aee82)