pulumi-aws-native icon indicating copy to clipboard operation
pulumi-aws-native copied to clipboard

Published 20 hours ago verified publisher icon pulumi

WAFV2 with Go doesn't seem to import resources correctly

Open alexandr-x-ursul opened this issue 2 years ago • 2 comments
trafficstars

What happened?

My goal was to import and codify an AWS WAF resource. After the resource was successfully imported and failed to generate code as mentioned in https://github.com/pulumi/pulumi/issues/11552, I generated code with AWS Classic provider and manually converted it into AWS Native. After running pulumi up I noticed a number of changes, which didn't make a lot of sense. Consulting the actual imported state with pulumi stack export compared with JSON representation of the WAF configuration (downloaded fron AWS console) I noticed some properties were not present in the actual WAF JSON, but were present in the imported state, those were reported as changes which will result in removal.

Steps to reproduce

pulumi import aws-native:wafv2:WebACL main-web-acl-prod 'xxx|xxx|REGIONAL' --parent main='urn:xxx...'
pulumi up

Expected Behavior

Pulumi would import the WebACL resource as it is in AWS, without any extra properties

Actual Behavior

Pulumi imported the WebACL resource with extra properties and now reports unnecessary changes

Examples: In the state:

{
    "byteMatchStatement": {
        "fieldToMatch": {
            "uriPath": {}
        },
        "positionalConstraint": "EXACTLY",
        "searchString": "/login",
        "searchStringBase64": "L2xvZ2lu",
        "textTransformations": [
            {
                "priority": 0,
                "type": "NONE"
            }
        ]
    }
},

In AWS:

{
  "ByteMatchStatement": {
    "SearchString": "/login",
    "FieldToMatch": {
      "UriPath": {}
    },
    "TextTransformations": [
      {
        "Priority": 0,
        "Type": "NONE"
      }
    ],
    "PositionalConstraint": "EXACTLY"
  }
},

pulumi diff:

~ statement: {
  ~ andStatement: {
      ~ statements: [
          ~ [0]: {
                  ~ notStatement: {
                      ~ statement: {
                          ~ byteMatchStatement: {
                              - searchStringBase64: "L2xvZ2lu"
                            }
                        }
                    }
                }
        ]
    }
}

After adding the searchStringBase64 property to the code to remove the diff

$ pulumi up
Previewing update (xxx/prod)

     Type                           Name               Plan
     pulumi:pulumi:Stack            xxx-prod
     └─ xxx          main
 +      └─ aws-native:wafv2:WebACL  main-web-acl-prod  create


Outputs:
  + wafWebACLArn                : output<string>

Resources:
    + 1 to create
    49 unchanged

Do you want to perform this update? yes
Updating (xxx/prod)

     Type                           Name               Status                  Info
     pulumi:pulumi:Stack            xxx-prod   **failed**              1 error
     └─ xxx          main
 +      └─ aws-native:wafv2:WebACL  main-web-acl-prod  **creating failed**     1 error


Diagnostics:
  pulumi:pulumi:Stack (xxx-prod):
    error: update failed

  aws-native:wafv2:WebACL (main-web-acl-prod):
    error: operation CREATE failed with "GeneralServiceException": You must only specify exactly one of SearchString and SearchStringBase64

I have found similar issues with other parameters as well, some of them are ruleLabels, excludedRules, managedRuleGroupConfigs, excludedCookies, includedCookies, excludedHeaders, includedHeaders, tags, and probably others that I've missed.

Output of pulumi about

CLI Version 3.48.0 Go Version go1.19.2 Go Compiler gc

Plugins NAME VERSION aws 5.21.1 aws-native 0.43.0 go unknown

Host OS ubuntu Version 20.04 Arch x86_64

This project is written in go: executable='/usr/local/go/bin/go' version='go version go1.19.2 linux/amd64'

Found no pending operations associated with xxx/prod

Backend Name pulumi.com URL https://app.pulumi.com/xxx User xxx Organizations xxx, xxx

Dependencies: NAME VERSION github.com/pulumi/pulumi-aws-native/sdk 0.43.0 github.com/pulumi/pulumi-aws/sdk/v5 5.21.1 github.com/pulumi/pulumi/sdk/v3 3.48.0 pkg/database 0.0.0-00010101000000-000000000000 pkg/environment 0.0.0-00010101000000-000000000000 pkg/nfs 0.0.0-00010101000000-000000000000

Additional context

I first attempted to use AWS Classic provider for this, but I unfortunately reached a dead end as reported here: https://github.com/pulumi/pulumi-aws/issues/2250

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

alexandr-x-ursul avatar Dec 06 '22 12:12 alexandr-x-ursul

Hi @alexandr-x-ursul, thanks for the issue. It looks like AWS automatically adds the searchStringBase64 based off what is specified in searchString, and Pulumi is picking that up in the import. Obviously this is undesirable as it is creating diffs (and, as you point out, you cannot manually define both of these at the same time). I've raised this bug with the team to be prioritized and added to our work stack.

roothorp avatar Dec 06 '22 15:12 roothorp

Hi @alexandr-x-ursul, thanks for the issue. It looks like AWS automatically adds the searchStringBase64 based off what is specified in searchString, and Pulumi is picking that up in the import. Obviously this is undesirable as it is creating diffs (and, as you point out, you cannot manually define both of these at the same time). I've raised this bug with the team to be prioritized and added to our work stack.

Thank you :)

alexandr-x-ursul avatar Dec 06 '22 16:12 alexandr-x-ursul

This issue has not been updated in over 180 days. If you are still experiencing this, please leave a comment to let us know that the issue is active.

mjeffryes avatar Sep 04 '24 23:09 mjeffryes