Fix DBinstance enableCloudwatchLogsExports updates (#260)

gustavodiaz7722 · web-flow · commit b16a299be6a4 · 2025-12-17T01:52:03.000Z
Issue #, if available: aws-controllers-k8s/community#2128 Description of changes: By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2025-11-29T03:44:25Z"
-  build_hash: 23c7074fa310ad1ccb38946775397c203b49f024
-  go_version: go1.25.4
-  version: v0.56.0
+  build_date: "2025-12-17T01:17:18Z"
+  build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a
+  go_version: go1.25.1
+  version: v0.56.0-3-g5c8b905
 api_directory_checksum: 90b0d1adcc91f4a1b1f1b436e3ac0c30d9271678
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
diff --git a/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml b/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml
@@ -63,6 +63,16 @@ spec:
                 required:
                 - names
                 type: object
+              resourceLabelSelector:
+                description: LabelSelector is a label query over a set of resources.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                required:
+                - matchLabels
+                type: object
               resourceTypeSelector:
                 items:
                   properties:
diff --git a/config/crd/common/kustomization.yaml b/config/crd/common/kustomization.yaml
@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - bases/services.k8s.aws_iamroleselectors.yaml
   - bases/services.k8s.aws_fieldexports.yaml
+  - bases/services.k8s.aws_iamroleselectors.yaml
diff --git a/helm/crds/services.k8s.aws_iamroleselectors.yaml b/helm/crds/services.k8s.aws_iamroleselectors.yaml
@@ -63,6 +63,16 @@ spec:
                 required:
                 - names
                 type: object
+              resourceLabelSelector:
+                description: LabelSelector is a label query over a set of resources.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                required:
+                - matchLabels
+                type: object
               resourceTypeSelector:
                 items:
                   properties:
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -51,6 +51,13 @@ spec:
         - "$(AWS_REGION)"
         - --aws-endpoint-url
         - "$(AWS_ENDPOINT_URL)"
+{{- if .Values.aws.identity_endpoint_url }}
+        - --aws-identity-endpoint-url
+        - "$(AWS_IDENTITY_ENDPOINT_URL)"
+{{- end }}
+{{- if .Values.aws.allow_unsafe_aws_endpoint_urls }}
+        - --allow-unsafe-aws-endpoint-urls
+{{- end }}
 {{- if .Values.log.enable_development_logging }}
         - --enable-development-logging
 {{- end }}
@@ -109,6 +116,8 @@ spec:
           value: {{ .Values.aws.region }}
         - name: AWS_ENDPOINT_URL
           value: {{ .Values.aws.endpoint_url | quote }}
+        - name: AWS_IDENTITY_ENDPOINT_URL
+          value: {{ .Values.aws.identity_endpoint_url | quote }}
         - name: ACK_WATCH_NAMESPACE
           value: {{ include "ack-rds-controller.watch-namespace" . }}
         - name: ACK_WATCH_SELECTORS
diff --git a/helm/values.schema.json b/helm/values.schema.json
@@ -171,9 +171,16 @@
         "region": {
           "type": "string"
         },
-        "endpoint": {
+        "endpoint_url": {
           "type": "string"
         },
+        "identity_endpoint_url": {
+          "type": "string"
+        },
+        "allow_unsafe_aws_endpoint_urls": {
+          "type": "boolean",
+          "default": false
+        },
         "credentials": {
           "description": "AWS credentials information",
           "properties": {
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -90,6 +90,8 @@ aws:
   # If specified, use the AWS region for AWS API calls
   region: ""
   endpoint_url: ""
+  identity_endpoint_url: ""
+  allow_unsafe_aws_endpoint_urls: false
   credentials:
     # If specified, Secret with shared credentials file to use.
     secretName: ""
diff --git a/pkg/resource/db_instance/hooks.go b/pkg/resource/db_instance/hooks.go
@@ -17,6 +17,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
 	svcapitypes "github.com/aws-controllers-k8s/rds-controller/apis/v1alpha1"
@@ -585,3 +586,22 @@ func needStorageUpdate(
 	return strings.Contains(*r.ko.Status.DBInstanceStatus, "storage-full") &&
 		delta.DifferentAt("Spec.AllocatedStorage")
 }
+
+func getCloudwatchLogExportsConfigDifferences(cloudwatchLogExportsConfigDesired []*string, cloudwatchLogExportsConfigLatest []*string) ([]*string, []*string) {
+	logsTypesToEnable := []*string{}
+	logsTypesToDisable := []*string{}
+	desired := aws.ToStringSlice(cloudwatchLogExportsConfigDesired)
+	latest := aws.ToStringSlice(cloudwatchLogExportsConfigLatest)
+
+	for _, config := range cloudwatchLogExportsConfigDesired {
+		if !slices.Contains(latest, *config) {
+			logsTypesToEnable = append(logsTypesToEnable, config)
+		}
+	}
+	for _, config := range cloudwatchLogExportsConfigLatest {
+		if !slices.Contains(desired, *config) {
+			logsTypesToDisable = append(logsTypesToDisable, config)
+		}
+	}
+	return logsTypesToEnable, logsTypesToDisable
+}
diff --git a/pkg/resource/db_instance/sdk.go b/pkg/resource/db_instance/sdk.go
diff --git a/templates/hooks/db_instance/sdk_read_many_post_set_output.go.tpl b/templates/hooks/db_instance/sdk_read_many_post_set_output.go.tpl
@@ -114,3 +114,9 @@
 			ko.Spec.DBParameterGroupName = ko.Status.DBParameterGroups[0].DBParameterGroupName
 		}
 	}
+  
+  // We currently do not set spec value for EnableCloudwatchLogsExports
+  // and instead only set the status field.
+  // Adding DBInstance.enableCloudwatchLogsExports doesn't update the RDS instance
+  // https://github.com/aws-controllers-k8s/community/issues/2128
+  ko.Spec.EnableCloudwatchLogsExports = ko.Status.EnabledCloudwatchLogsExports
diff --git a/templates/hooks/db_instance/sdk_update_post_build_request.go.tpl b/templates/hooks/db_instance/sdk_update_post_build_request.go.tpl
@@ -36,3 +36,13 @@
                 input.PreferredBackupWindow = nil
                 input.DeletionProtection = nil
         }
+	if delta.DifferentAt("Spec.EnableCloudwatchLogsExports") {
+		cloudwatchLogExportsConfigDesired := desired.ko.Spec.EnableCloudwatchLogsExports
+		cloudwatchLogExportsConfigLatest := latest.ko.Spec.EnableCloudwatchLogsExports
+		logsTypesToEnable, logsTypesToDisable := getCloudwatchLogExportsConfigDifferences(cloudwatchLogExportsConfigDesired, cloudwatchLogExportsConfigLatest)
+		f24 := &svcsdktypes.CloudwatchLogsExportConfiguration{
+			EnableLogTypes:  aws.ToStringSlice(logsTypesToEnable),
+			DisableLogTypes: aws.ToStringSlice(logsTypesToDisable),
+		}
+		input.CloudwatchLogsExportConfiguration = f24
+	}
diff --git a/test/e2e/tests/test_db_instance.py b/test/e2e/tests/test_db_instance.py
@@ -203,7 +203,45 @@ def test_crud_postgres14_t3_micro(
             }
         ]
         assert latest_tags == after_update_expected_tags
+        
+    def test_crud_cloudwatch_logs_postgres14_t3_micro(
+            self,
+            postgres14_t3_micro_instance,
+    ):
+        (ref, cr, _) = postgres14_t3_micro_instance
+        db_instance_id = cr["spec"]["dbInstanceIdentifier"]
+        db_instance.wait_until(db_instance_id, db_instance.status_matches("available"))
+        
+        current = db_instance.get(db_instance_id)
+        assert current is not None
+        enabledCloudwatchLogsExports = current.get("EnabledCloudwatchLogsExports",None)
+        assert enabledCloudwatchLogsExports is None
+        k8s.patch_custom_resource(
+            ref,
+            {"spec": {"enableCloudwatchLogsExports": ["postgresql"]}},
+        )
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
+        
+        # wait for the resource to get synced after the patch
+        assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=MAX_WAIT_FOR_SYNCED_MINUTES)
+        
+        latest = db_instance.get(db_instance_id)
+        assert latest is not None
+        assert latest["EnabledCloudwatchLogsExports"] == ["postgresql"]
+        k8s.patch_custom_resource(
+            ref,
+            {"spec": {"enableCloudwatchLogsExports": None}},
+        )
+        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
 
+        # wait for the resource to get synced after the patch
+        assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=MAX_WAIT_FOR_SYNCED_MINUTES)
+
+        latest = db_instance.get(db_instance_id)
+        assert latest is not None
+        enabledCloudwatchLogsExportsLatest = latest.get("EnabledCloudwatchLogsExports",None)
+        assert enabledCloudwatchLogsExportsLatest is None
+        
     def test_crud_postgres14_update_password(
             self,
             postgres14_t3_micro_instance,

Original file line number	Diff line number	Diff line change
`@@ -114,3 +114,9 @@`
`114`	`114`	`ko.Spec.DBParameterGroupName = ko.Status.DBParameterGroups[0].DBParameterGroupName`
`115`	`115`	`}`
`116`	`116`	`}`
	`117`	`+`
	`118`	`+ // We currently do not set spec value for EnableCloudwatchLogsExports`
	`119`	`+ // and instead only set the status field.`
	`120`	`+ // Adding DBInstance.enableCloudwatchLogsExports doesn't update the RDS instance`
	`121`	`+ // https://github.com/aws-controllers-k8s/community/issues/2128`
	`122`	`+ ko.Spec.EnableCloudwatchLogsExports = ko.Status.EnabledCloudwatchLogsExports`