pulumi / pulumi-aws-native

AWS Native Provider for Pulumi
Apache License 2.0

WAFv2 WebACL rule updates cause model validation to fail #1030

Open ericlin-nz opened 11 months ago

ericlin-nz commented 11 months ago

What happened?

When updating an existing WAFv2 WebACL's set of rules, we get model validation errors whether we are removing a rule, adding a rule, or editing an existing rule.

Expected Behavior

To be able to add/edit/delete WebACL rules without replacing the WebACL entirely.

Steps to reproduce

  1. Create a new wafv2.WebAcl

eg.

import * as awsNative from "@pulumi/aws-native";

new awsNative.wafv2.WebAcl("demo-web-acl", {
  scope: "REGIONAL",
  defaultAction: { allow: {} },
  rules: [
    {
      name: "AWSManagedRulesCommonRuleSet",
      priority: 0,
      statement: {
        managedRuleGroupStatement: { vendorName: "AWS", name: "AWSManagedRulesCommonRuleSet" },
      },
      overrideAction: { none: {} },
      visibilityConfig: {
        metricName: "aws-managed-rules-common-rule-set",
        cloudWatchMetricsEnabled: true,
        sampledRequestsEnabled: true,
      },
    },
  ],
  visibilityConfig: {
    metricName: "demo-web-acl",
    cloudWatchMetricsEnabled: true,
    sampledRequestsEnabled: true,
  },
});

  2. Attempt to add/edit/delete a rule from rules.

The error I run into is:

     Type                        Name           Status                  Info
     pulumi:pulumi:Stack         wafv2-demo  **failed**              1 error
 ~   └─ aws-native:wafv2:WebAcl  demo-web-acl           **updating failed**     [diff: ~rules]; 1 error

Diagnostics:
  pulumi:pulumi:Stack (wafv2-demo):
    error: update failed

  aws-native:wafv2:WebAcl (demo-web-acl):
    error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: ..., api error ValidationException: Model validation failed (#/Description: failed validation constraint for keyword [pattern])

Output of pulumi about

Dependencies:
NAME                VERSION
@pulumi/pulumi      3.77.1
@pulumi/aws-native  0.72.0

Additional context

One workaround for this issue is setting the replaceOnChanges pulumi resource option to ["*"] to replace the entire wafv2.WebAcl on any change.

eg.

import * as awsNative from "@pulumi/aws-native";

new awsNative.wafv2.WebAcl(
  "demo-web-acl",
  {
    // ...
  },
  { replaceOnChanges: ["*"] }
);

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
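As an added example (not code from the issue or from the provider), the check below applies client-side the constraint the Cloud Control error above names: it rejects a WebACL description that is empty or fails the pattern, and flags duplicate rule names or priorities, so a bad update is caught before `pulumi up` calls UpdateResource. The regex and the 1..256 length limit are assumed from the AWS::WAFv2::WebACL resource schema; the issue page itself only shows the failing keyword.

```typescript
// Added example: pre-flight validation of WebAcl args before Pulumi sends them to Cloud Control.
// ASSUMPTION (not stated on the issue page): the AWS::WAFv2::WebACL schema constrains Description
// to this pattern and to 1..256 characters when the property is present.
const DESCRIPTION_PATTERN = /^[\w+=:#@\/\-,.][\w+=:#@\/\-,.\s]+[\w+=:#@\/\-,.]$/;

interface WebAclRuleLike {
  name: string;
  priority: number;
}

interface WebAclArgsLike {
  description?: string;
  rules?: WebAclRuleLike[];
}

// Returns the problems found, phrased like Cloud Control's "#/Property: ..." messages.
// An empty array means these args should not trip model validation on Description or Rules.
function validateWebAclArgs(args: WebAclArgsLike): string[] {
  const problems: string[] = [];
  if (args.description !== undefined) {
    const d = args.description;
    if (d.length < 1 || d.length > 256) {
      problems.push("#/Description: length must be between 1 and 256");
    } else if (!DESCRIPTION_PATTERN.test(d)) {
      problems.push("#/Description: failed validation constraint for keyword [pattern]");
    }
  }
  // A WebACL rejects two rules sharing a name or a priority; catch that locally too.
  const seenNames = new Set<string>();
  const seenPriorities = new Set<number>();
  for (const r of args.rules ?? []) {
    if (seenNames.has(r.name)) problems.push(`#/Rules: duplicate rule name ${r.name}`);
    if (seenPriorities.has(r.priority)) problems.push(`#/Rules: duplicate priority ${r.priority}`);
    seenNames.add(r.name);
    seenPriorities.add(r.priority);
  }
  return problems;
}

// Usage in a Pulumi program (awsNative imported as on the issue page):
//   const args = { scope: "REGIONAL", description: "demo web ACL", rules: [...], ... };
//   const problems = validateWebAclArgs(args);
//   if (problems.length > 0) throw new Error(problems.join("; "));
//   new awsNative.wafv2.WebAcl("demo-web-acl", args);
```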

iwahbe commented 11 months ago

Hey @ericlin-nz. Thanks for reporting this issue. I'm sorry this isn't working as intended.

May be related to https://github.com/pulumi/pulumi-aws-native/issues/415. It's a similar error and the same resource.