Skip to content

fix(runtime): do not unmanage resource if created in AWS#252

Open
Mallikarjunadevops wants to merge 1 commit into
aws-controllers-k8s:mainfrom
Mallikarjunadevops:fix-2849-unmanaged
Open

fix(runtime): do not unmanage resource if created in AWS#252
Mallikarjunadevops wants to merge 1 commit into
aws-controllers-k8s:mainfrom
Mallikarjunadevops:fix-2849-unmanaged

Conversation

@Mallikarjunadevops
Copy link
Copy Markdown

@Mallikarjunadevops Mallikarjunadevops commented Jun 2, 2026

Fixes aws-controllers-k8s/community#2849

This PR ensures that resources are not unmanaged (by removing the finalizer) if the primary resource was successfully created in AWS (indicated by "latest != nil").

Previously, any AWS API error returned from the Create flow would unmanage the resource. This is problematic for resources with post-create hooks (like SecurityGroup egress rule sync or WebACL logging configuration). If the hook fails, the primary resource is left orphaned in AWS because the finalizer is removed, and on subsequent reconciliations the controller will either try to recreate it or fail because the name already exists.

This PR fixes this by checking if "latest != nil". If it is not nil, it means the controller explicitly returned the created resource despite a subsequent hook error, so we should keep managing it.

fix(runtime): do not unmanage resource if created in AWS
98bed82 
Fixes issue #2849 and similar cases where a resource is successfully
created in AWS, but a post-creation step (like syncSGRules or LoggingConfig)
fails. Previously, any AWS API error on create flow would unmanage
the resource by removing its finalizer, leaving the resource orphaned
in AWS. We now check if latest != nil (which indicates creation succeeded)
and only unmanage if it wasn't created.
@ack-prow ack-prow Bot requested review from a-hilaly and jlbutler June 2, 2026 02:39
@ack-prow
Copy link
Copy Markdown

ack-prow Bot commented Jun 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Mallikarjunadevops
Once this PR has been reviewed and has the lgtm label, please assign michaelhtm for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ack-prow ack-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 2, 2026
@ack-prow
Copy link
Copy Markdown

ack-prow Bot commented Jun 2, 2026

Hi @Mallikarjunadevops. Thanks for your PR.

I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@knottnt knottnt self-assigned this Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a-hilaly a-hilaly Awaiting requested review from a-hilaly

@jlbutler jlbutler Awaiting requested review from jlbutler

Assignees

@knottnt knottnt

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SecurityGroup not managed by ACK after creation if IAM role is missing ec2:RevokeSecurityGroupEgress

2 participants

@Mallikarjunadevops @knottnt