pulumi-aws
Permanent diff on aws.wafv2.RuleGroup
What happened?
Calling pulumi up repeatedly produces a non-empty diff.
Example
// Copyright 2016-2023, Pulumi Corporation.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config("aws");
const providerOpts = { provider: new aws.Provider("prov", { region: <aws.Region>config.require("envRegion") }) };

new aws.wafv2.RuleGroup("waf", {
    description: "RuleGroup for general purposes",
    scope: "REGIONAL",
    visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "metric",
        sampledRequestsEnabled: false,
    },
    capacity: 500,
    rules: [{
        name: 'rule-1',
        action: {
            block: {},
        },
        priority: 1,
        statement: {
            notStatement: {
                statements: [{
                    andStatement: {
                        statements: [
                            {
                                geoMatchStatement: {
                                    countryCodes: ["US"]
                                },
                            },
                            {
                                byteMatchStatement: {
                                    positionalConstraint: "CONTAINS",
                                    searchString: "word",
                                    fieldToMatch: {
                                        allQueryArguments: {}
                                    },
                                    textTransformations: [{
                                        priority: 5,
                                        type: "CMD_LINE",
                                    }, {
                                        priority: 2,
                                        type: "LOWERCASE",
                                    }],
                                },
                            },
                        ],
                    },
                }],
            },
        },
        visibilityConfig: {
            cloudwatchMetricsEnabled: false,
            metricName: 'rule-1',
            sampledRequestsEnabled: false,
        },
    }],
}, providerOpts);
The example is in examples/wafv2.
Output of pulumi about
CLI
Version 3.97.0
Go Version go1.21.4
Go Compiler gc
Plugins
NAME    VERSION
aws     5.43.0
nodejs  unknown
Host
OS darwin
Version 14.1.1
Arch x86_64
This project is written in nodejs: executable='/Users/t0yv0/bin/node' version='v18.18.2'
Current Stack: t0yv0/WafV2/wafv2awstest
TYPE                           URN
pulumi:pulumi:Stack            urn:pulumi:wafv2awstest::WafV2::pulumi:pulumi:Stack::WafV2-wafv2awstest
pulumi:providers:aws           urn:pulumi:wafv2awstest::WafV2::pulumi:providers:aws::prov
aws:wafv2/ruleGroup:RuleGroup  urn:pulumi:wafv2awstest::WafV2::aws:wafv2/ruleGroup:RuleGroup::waf
Found no pending operations associated with wafv2awstest
Backend
Name pulumi.com
URL https://app.pulumi.com/t0yv0
User t0yv0
Organizations t0yv0, pulumi
Token type personal
Dependencies:
NAME            VERSION
@pulumi/aws     5.43.0
@pulumi/pulumi  3.99.0
@types/aws-sdk  2.7.0
@types/node     8.10.66
Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/com.apple.shortcuts.mac-helper// by default
Additional context
This example was tested, but for some historic reasons it was tested under the Quick: True option of ProgramTest, which disabled the checks that verify against repeated diffs.
~ aws:wafv2/ruleGroup:RuleGroup: (update)
  [id=636067c5-d5de-406c-a09a-7fa1848b2cdd]
  [urn=urn:pulumi:dev::aws-3190::aws:wafv2/ruleGroup:RuleGroup::waf]
  [provider=urn:pulumi:dev::aws-3190::pulumi:providers:aws::prov::599aac36-1f59-4df1-906a-42f23a95f15b]
  ~ rules: [
    ~ [0]: {
      ~ action : {
        + __defaults: []
        ~ block : {
          + __defaults: []
        }
      }
      ~ name : "rule-1" => "rule-1"
      ~ priority : 1 => 1
      ~ statement : {
        + __defaults : []
        ~ notStatement: {
          + __defaults: []
          ~ statements: [
            ~ [0]: {
              + __defaults : []
              ~ andStatement: {
                + __defaults: []
                ~ statements: [
                  ~ [0]: {
                    + __defaults : []
                    ~ geoMatchStatement: {
                      + __defaults : []
                      countryCodes: [
                        [0]: "US"
                      ]
                    }
                  }
                  ~ [1]: {
                    + __defaults : []
                    ~ byteMatchStatement: {
                      + __defaults : []
                      ~ fieldToMatch : {
                        + __defaults : []
                        ~ allQueryArguments: {
                          + __defaults: []
                        }
                        - headerOrders : []
                        - headers : []
                      }
                      positionalConstraint: "CONTAINS"
                      ~ searchString : "word" => "word"
                      ~ searchString : "word" => "word"
                      ~ textTransformations : [
                        ~ [0]: {
                          + __defaults: []
                          ~ priority : 2 => 5
                          ~ type : "LOWERCASE" => "CMD_LINE"
                        }
                        ~ [1]: {
                          + __defaults: []
                          ~ priority : 5 => 2
                          ~ type : "CMD_LINE" => "LOWERCASE"
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
      ~ visibilityConfig: {
        + __defaults : []
        cloudwatchMetricsEnabled: false
        metricName : "rule-1"
        sampledRequestsEnabled : false
      }
    }
  ]
This is still a problem; it looks very similar to https://github.com/pulumi/pulumi-terraform-bridge/pull/1917 - we have a confused diff because the set element hash is perceived to be changing, and the reason for this is nil/empty array confusion:
- headerOrders : []
- headers : []
If this is the right call, something like this https://github.com/pulumi/pulumi-aws/pull/3897 could be used to work around if we cannot fix the root cause in the bridge.
This was fixed in https://github.com/pulumi/pulumi-aws/pull/3948. It'll be released in release 6.36.0
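The nil/empty array confusion described in the comments above can be reproduced in a small model. This is an added example, not code from pulumi-aws or the bridge: it assumes set elements are identified by a key derived from their content (a canonical string stands in for the real hash), and the names canonical, normalize and setDiff are hypothetical.

```typescript
// Added illustration: a simplified model of set-element identity, not the bridge's code.
type Value = string | number | boolean | null | undefined | Value[] | { [k: string]: Value };

// Canonical key for a set element; object keys are sorted so key order is irrelevant.
function canonical(v: Value): string {
  if (v === null || v === undefined) return "nil";
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (typeof v === "object") {
    return "{" + Object.keys(v).sort().map(k => k + ":" + canonical(v[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// Drop nil and empty-array properties so "absent" and "[]" produce the same key.
function normalize(v: Value): Value {
  if (Array.isArray(v)) return v.map(normalize);
  if (v !== null && typeof v === "object") {
    const out: { [k: string]: Value } = {};
    for (const k of Object.keys(v)) {
      const n = normalize(v[k]);
      const empty = n === null || n === undefined || (Array.isArray(n) && n.length === 0);
      if (!empty) out[k] = n;
    }
    return out;
  }
  return v;
}

// Set diff by element key: anything whose key is missing on the other side counts as changed.
function setDiff(state: Value[], program: Value[], key: (v: Value) => string) {
  const s = state.map(key), p = program.map(key);
  return {
    removed: s.filter(k => p.indexOf(k) < 0).length,
    added: p.filter(k => s.indexOf(k) < 0).length,
  };
}

// Constructed sample modelled on the andStatement set in this issue.
const geo: Value = { geoMatchStatement: { countryCodes: ["US"] } };
const programStatements: Value[] = [geo,
  { byteMatchStatement: { searchString: "word", fieldToMatch: { allQueryArguments: {} } } }];
const stateStatements: Value[] = [geo,
  { byteMatchStatement: { searchString: "word",
      fieldToMatch: { allQueryArguments: {}, headerOrders: [], headers: [] } } }];

const naive = setDiff(stateStatements, programStatements, canonical);
const normalized = setDiff(stateStatements, programStatements, v => canonical(normalize(v)));
console.log({ naive, normalized });
```

Collapsing nil and [] is only sound for fields where the provider treats the two identically, which this sketch assumes for headerOrders and headers.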