DBInstance with assigned AWS Backup Plan goes into terminal condition: InvalidParameterValue

[mungo312]

Describe the bug
We are trying to get the RDS controller working with AWS Backup.
We create a DBInstance with the following manifest:

apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: rds
  namespace: xxx
spec:
  allocatedStorage: 10
  maxAllocatedStorage: 30
  # DB name have to be not set, if shapshot
  dbName: dbname
  dbInstanceClass: db.t4g.micro
  dbInstanceIdentifier: dbidentifier
  engine: postgres
  engineVersion: "16"
  storageEncrypted: true
  kmsKeyID: xxxxxxxxxx
  autoMinorVersionUpgrade: true
  deletionProtection: false
  multiAZ: false
  backupRetentionPeriod: 32
  caCertificateIdentifier: rds-ca-rsa4096-g1
  copyTagsToSnapshot: true
  enableCloudwatchLogsExports:
    - postgresql
    - upgrade
  masterUsername: dbpostgres
  masterUserPassword:
    name: rds-secret
    key: rds-secret-key
    namespace: xxx
  dbSubnetGroupRef:
    from:
      name: rds-subnet-group
  performanceInsightsEnabled: true
  performanceInsightsKMSKeyID: xxxxxxxxxx
  performanceInsightsRetentionPeriod: 93
  preferredMaintenanceWindow: Mon:01:00-Mon:02:00
  port: 5460
  vpcSecurityGroupRefs:
    - from:
        name: rds-security-group
  tags:
  [...]

After the first backup we get this error message from the controller and the ressource goes into a terminal condition:

Status:
  Ack Resource Metadata:
    Arn:                          xxxxxxxxxx
    Owner Account ID:             xxxxxxxxxx
    Region:                       eu-central-1
  Activity Stream Status:         stopped
  Aws Backup Recovery Point ARN:  arn:aws:backup:eu-central-1:xxxxxxxxxx
  Certificate Details:
    C A Identifier:  rds-ca-rsa4096-g1
    Valid Till:      2025-11-20T10:14:20Z
  Conditions:
    Last Transition Time:     2024-11-21T06:06:10Z
    Status:                   True
    Type:                     ACK.ReferencesResolved
    Message:                  InvalidParameterValue: Your RDS instance pen-bso is associated with an AWS Backup resource with id arn:aws:backup:eu-central-1:xxxxxxxxxx . You can leave PreferredBackupWindow blank, or you can specify it only with the current value 23:00-01:00. For more details, see the AWS Backup documentation.
                              status code: 400, request id: xxxxxxxxx
    Status:                   True
    Type:                     ACK.Terminal
    Last Transition Time:     2024-11-21T06:06:11Z
    Message:                  Resource not synced
    Reason:                   resource is in terminal condition
    Status:                   False
    Type:                     ACK.ResourceSynced

We have the same problem with the backupRetentionPeriod parameter, we set it to the same value which is defined in AWS Backup, but this is also just a workaround.
When omitting the parameter we get a similar error as shown above.

The workaround we do for the backupRetentionPeriod does not work for preferredBackupWindow, as this parameter seams to change in conjunction with AWS Backup from time to time or is more or less random, which leads to a DBInstance in terminal condition.

Steps to reproduce
Create a RDS Resource, which is targeted by an AWS Backup Plan. In our case it is a continuous backup, with the following job settings:

Expected outcome
Resource should not set the omitted parameters in the API. Resource should not go in terminal condition.

Environment

• Kubernetes version: 1.31
• Using EKS (yes/no), if so version? EKS 1.31
• AWS service targeted (S3, RDS, etc.): RDS, Backup