Description
Describe the bug
We are trying to get the RDS controller working with AWS Backup.
We create a DBInstance with the following manifest:
```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: rds
  namespace: xxx
spec:
  allocatedStorage: 10
  maxAllocatedStorage: 30
  # DB name must not be set when using a snapshot
  dbName: dbname
  dbInstanceClass: db.t4g.micro
  dbInstanceIdentifier: dbidentifier
  engine: postgres
  engineVersion: "16"
  storageEncrypted: true
  kmsKeyID: xxxxxxxxxx
  autoMinorVersionUpgrade: true
  deletionProtection: false
  multiAZ: false
  backupRetentionPeriod: 32
  caCertificateIdentifier: rds-ca-rsa4096-g1
  copyTagsToSnapshot: true
  enableCloudwatchLogsExports:
    - postgresql
    - upgrade
  masterUsername: dbpostgres
  masterUserPassword:
    name: rds-secret
    key: rds-secret-key
    namespace: xxx
  dbSubnetGroupRef:
    from:
      name: rds-subnet-group
  performanceInsightsEnabled: true
  performanceInsightsKMSKeyID: xxxxxxxxxx
  performanceInsightsRetentionPeriod: 93
  preferredMaintenanceWindow: Mon:01:00-Mon:02:00
  port: 5460
  vpcSecurityGroupRefs:
    - from:
        name: rds-security-group
  tags:
    [...]
```
After the first backup we get this error message from the controller and the resource goes into a terminal condition:
```
Status:
  Ack Resource Metadata:
    Arn: xxxxxxxxxx
    Owner Account ID: xxxxxxxxxx
    Region: eu-central-1
  Activity Stream Status: stopped
  Aws Backup Recovery Point ARN: arn:aws:backup:eu-central-1:xxxxxxxxxx
  Certificate Details:
    C A Identifier: rds-ca-rsa4096-g1
    Valid Till: 2025-11-20T10:14:20Z
  Conditions:
    Last Transition Time: 2024-11-21T06:06:10Z
    Status: True
    Type: ACK.ReferencesResolved
    Message: InvalidParameterValue: Your RDS instance pen-bso is associated with an AWS Backup resource with id arn:aws:backup:eu-central-1:xxxxxxxxxx . You can leave PreferredBackupWindow blank, or you can specify it only with the current value 23:00-01:00. For more details, see the AWS Backup documentation.
      status code: 400, request id: xxxxxxxxx
    Status: True
    Type: ACK.Terminal
    Last Transition Time: 2024-11-21T06:06:11Z
    Message: Resource not synced
    Reason: resource is in terminal condition
    Status: False
    Type: ACK.ResourceSynced
```
We have the same problem with the `backupRetentionPeriod` parameter; we set it to the same value which is defined in AWS Backup, but this is also just a workaround.
When omitting the parameter we get a similar error as shown above.
The workaround we do for the `backupRetentionPeriod` does not work for `preferredBackupWindow`, as this parameter seems to change in conjunction with AWS Backup from time to time or is more or less random, which leads to a DBInstance in terminal condition.
Steps to reproduce
Create an RDS resource which is targeted by an AWS Backup Plan. In our case it is a continuous backup, with the following job settings:
Expected outcome
Resource should not set the omitted parameters in the API. Resource should not go into a terminal condition.
Environment
- Kubernetes version: 1.31
- Using EKS (yes/no), if so version? EKS 1.31
- AWS service targeted (S3, RDS, etc.): RDS, Backup
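A triage helper for the failure reported above, added here as an example and not part of the original issue or of the controller's code: it scans DBInstance objects for an `ACK.Terminal` condition whose message is the AWS Backup `InvalidParameterValue` error and extracts which parameter AWS Backup owns and the value it currently enforces. It assumes the input is the `items` list from the resources' JSON representation, with conditions under `status.conditions`; the function name and the sample objects are constructed for illustration.

```python
import re

# Regex built from the InvalidParameterValue text quoted in the issue.
BACKUP_CONFLICT = re.compile(
    r"associated with an AWS Backup resource.*?"
    r"leave (?P<param>\w+) blank, or you can specify it only "
    r"with the current value (?P<value>\S+?)\.(?:\s|$)",
    re.S,
)

def backup_conflicts(items):
    """Find DBInstances in ACK.Terminal because AWS Backup owns a parameter."""
    findings = []
    for obj in items:
        meta, spec = obj.get("metadata", {}), obj.get("spec", {})
        for cond in obj.get("status", {}).get("conditions", []):
            if cond.get("type") != "ACK.Terminal" or cond.get("status") != "True":
                continue
            m = BACKUP_CONFLICT.search(cond.get("message", ""))
            if not m:
                continue
            param = m["param"]
            # Assumption: the spec key is the API name with a lower-case first letter.
            spec_key = param[0].lower() + param[1:]
            findings.append({
                "resource": f'{meta.get("namespace")}/{meta.get("name")}',
                "parameter": param,
                "enforced_value": m["value"],
                "spec_value": spec.get(spec_key),  # None: not set in the manifest
            })
    return findings

# Constructed sample: message text copied from the issue, identifiers are placeholders.
SAMPLE = [
    {"metadata": {"name": "rds", "namespace": "xxx"},
     "spec": {"backupRetentionPeriod": 32},
     "status": {"conditions": [
         {"type": "ACK.Terminal", "status": "True", "message": (
             "InvalidParameterValue: Your RDS instance pen-bso is associated with an "
             "AWS Backup resource with id arn:aws:backup:eu-central-1:xxxxxxxxxx . "
             "You can leave PreferredBackupWindow blank, or you can specify it only "
             "with the current value 23:00-01:00. For more details, see the AWS "
             "Backup documentation.\n\tstatus code: 400, request id: xxxxxxxxx")},
         {"type": "ACK.ResourceSynced", "status": "False"}]}},
    {"metadata": {"name": "healthy", "namespace": "xxx"}, "spec": {},
     "status": {"conditions": [{"type": "ACK.ResourceSynced", "status": "True"}]}},
]

if __name__ == "__main__":
    for finding in backup_conflicts(SAMPLE):
        print(finding)
```

A finding with `spec_value` of `None` matches the case reported here, where the parameter was never set in the manifest yet the instance still ended up in a terminal condition.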