hashicorp / terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
https://www.terraform.io/cdktf
Mozilla Public License 2.0

Python TypeError: Don't know how to convert object to JSON: Wafv2WebAclRuleOverrideActionNone() #1541

Closed schematis closed 1 year ago

schematis commented 2 years ago

cdktf & Language Versions

terraform - v1.1.5
cdktf - v0.9.0
hashicorp/aws ~> 3.74.0
node - v16.13.2
python - v3.9.10

Affected Resource(s)

Debug Output

https://gist.github.com/schematis/71bf8f8f0b437c6532c68c30b75e33fe

Expected Behavior

I have a chunk of code that iterates over a list of managed rule group properties and outputs a list of Wafv2AclRules:

rule_list = []
waf_managed_rules = [
    {"priority": 1, "vendor": "AWS", "name": "AWSManagedRulesLinuxRuleSet"},
    {
        "priority": 2,
        "vendor": "AWS",
        "name": "AWSManagedRulesKnownBadInputsRuleSet",
    },
    {"priority": 3, "vendor": "AWS", "name": "AWSManagedRulesCommonRuleSet"},
    {"priority": 4, "vendor": "AWS", "name": "AWSManagedRulesAnonymousIpList"},
    {
        "priority": 5,
        "vendor": "AWS",
        "name": "AWSManagedRulesAmazonIpReputationList",
    },
    {"priority": 6, "vendor": "AWS", "name": "AWSManagedRulesUnixRuleSet"},
    {
        "priority": 7,
        "vendor": "AWS",
        "name": "AWSManagedRulesBotControlRuleSet",
    },
]

managed_rules = list(
    map(
        lambda rule: Wafv2WebAclRule(
            name=f"{rule.get('vendor')}-{rule.get('name')}",
            priority=rule.get("priority"),
            statement=Wafv2WebAclRuleStatement(
                managed_rule_group_statement=Wafv2WebAclRuleStatementManagedRuleGroupStatement(
                    name=rule.get("name"), vendor_name=rule.get("vendor")
                )
            ),
            override_action=Wafv2WebAclRuleOverrideAction(
                none=Wafv2WebAclRuleOverrideActionNone()
            ),
            visibility_config=Wafv2WebAclRuleVisibilityConfig(
                cloudwatch_metrics_enabled=True,
                metric_name=f"{rule.get('vendor')}-{rule.get('name')}",
                sampled_requests_enabled=True,
            ),
        ),
        waf_managed_rules,
    )
)

rule_list.extend(managed_rules)

waf = Wafv2WebAcl(
    self,
    id="appsync_waf",
    name="AppSync-API",
    default_action=Wafv2WebAclDefaultAction(
        allow=Wafv2WebAclDefaultActionAllow()
    ),
    scope="REGIONAL",
    visibility_config=Wafv2WebAclVisibilityConfig(
        cloudwatch_metrics_enabled=True,
        metric_name="AllowedRequests",
        sampled_requests_enabled=True,
    ),
    rule=rule_list,
)

CDKTF should complete synth successfully.

Actual Behavior

If the override_action contains Wafv2WebAclRuleOverrideActionNone or Wafv2WebAclRuleOverrideActionCount, then synth fails with a "TypeError: Don't know how to convert object to JSON" error.

I'm lost as to what's going on here. The Python code is correct and I'm conforming to the rule spec in the Terraform provider docs:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#rules

jsteinich commented 2 years ago

Looks to be caused by an upstream library issue: https://github.com/aws/jsii/issues/2846.

As a workaround you could try adding an override. Something along the lines of:

waf.add_override("rule.0.override_action.none", "{}")

schematis commented 2 years ago

Thanks. I'll keep tabs on the jsii issue and hopefully we'll see a fix soon. Here's what the code ended up looking like for the workaround in case anyone comes looking for it:

for index in range(len(rule_list)):
    waf.add_override(f"rule.{index}.override_action.none", {})

DanielMSchmidt commented 2 years ago

Should be fixed by our JSII update, right @ansgarm?

ansgarm commented 2 years ago

Yes, it should be. Haven't confirmed it though, @DanielMSchmidt.

DanielMSchmidt commented 1 year ago

Confirmed this is working in 0.17 (possibly for a long time now :))
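
Added example (not code from this thread or from the cdktf project): a check over synthesized Terraform JSON that every managed rule group rule in an aws_wafv2_web_acl carries a well-formed override_action, which is the field the add_override workaround above patches by index. It assumes the synthesized layout resource.aws_wafv2_web_acl.<id>.rule is a list of objects; the function names and the sample data are hypothetical.

```python
import json
import sys


def check_override_actions(tf_json):
    """Return (acl_id, rule_name, problem) for every managed-rule-group rule
    whose override_action is missing, malformed, or set to count."""
    findings = []
    acls = tf_json.get("resource", {}).get("aws_wafv2_web_acl", {})
    for acl_id, acl in acls.items():
        for rule in acl.get("rule", []):
            if "managed_rule_group_statement" not in rule.get("statement", {}):
                continue  # only managed rule group rules are checked here
            name = rule.get("name", "<unnamed>")
            action = rule.get("override_action")
            if not isinstance(action, dict) or sorted(action) not in (["count"], ["none"]):
                findings.append((acl_id, name, "override_action missing or malformed"))
                continue
            (kind, body), = action.items()
            if not isinstance(body, dict):
                # e.g. an escape-hatch override that passed the string "{}"
                findings.append((acl_id, name, f"{kind} is {type(body).__name__}, expected empty block"))
            elif kind == "count":
                findings.append((acl_id, name, "count: rule group matches are counted, not enforced"))
    return findings


def _rule(name, override=None):
    """Build one constructed rule entry in the assumed synthesized layout."""
    rule = {"name": f"AWS-{name}",
            "statement": {"managed_rule_group_statement": {"name": name, "vendor_name": "AWS"}}}
    if override is not None:
        rule["override_action"] = override
    return rule


# Constructed sample, not real synth output: one good rule and three problem cases.
SAMPLE = {"resource": {"aws_wafv2_web_acl": {"appsync_waf": {"rule": [
    _rule("AWSManagedRulesLinuxRuleSet", {"none": {}}),
    _rule("AWSManagedRulesKnownBadInputsRuleSet", {"none": "{}"}),
    _rule("AWSManagedRulesCommonRuleSet"),
    _rule("AWSManagedRulesBotControlRuleSet", {"count": {}}),
]}}}}

if __name__ == "__main__":
    # Pass a synthesized JSON file path to check it; with no argument the sample is used.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for acl_id, name, problem in check_override_actions(doc):
        print(f"{acl_id}: {name}: {problem}")
```

Running the check after synth, both with the workaround in place and after upgrading and removing it, shows whether any rule lost its override_action or ended up in count mode.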
