Closed henriiik closed 2 weeks ago
Hi @henriiik - thank you for reporting this issue.
To more easily assist you, could you:
Hello @guineveresaenger, thank you for replying!
I have updated the issue with a minimal reproduction using the latest version, 0.14.0.
Thank you so much - I see the behavior as well.
I'm going to ask @danielrbradley or @viveklak to verify whether WebAcl is fully supported in this package at this point in time.
In the meantime, I would recommend using the AWS Classic provider instead.
@danielrbradley this looks like a bug in CloudControl - we would expect the get to CloudControl to return the tags as well if the outputs don't contain the tags.
@henriiik could you try using an ignoreChanges clause on tags to get around this for now?
Edit: See https://github.com/pulumi/pulumi-aws-native/issues/415#issuecomment-1275609023 instead.
I tried to run the code in the example repo I created again, but this time I got a different error. It's complaining that the description is empty. (Same as before creating the resource worked, only updates don't). So I ran a more elaborate test.
I created one resource with each of these configurations
The creation of all resources succeeded as can be seen here:
$ pulumi up --yes
Previewing update (dev)
View Live: https://app.pulumi.com/henriiik/waf/dev/previews/ba1aa4a6-8ee8-4af1-bad8-d6993a90a44e
Type Name Plan
+ pulumi:pulumi:Stack waf-dev create
+ ├─ aws-native:wafv2:WebACL web-acl-no-description create
+ ├─ aws-native:wafv2:WebACL web-acl-no-tags-no-description create
+ ├─ aws-native:wafv2:WebACL web-acl create
+ └─ aws-native:wafv2:WebACL web-acl-no-tags create
Resources:
+ 5 to create
Updating (dev)
View Live: https://app.pulumi.com/henriiik/waf/dev/updates/20
Type Name Status
+ pulumi:pulumi:Stack waf-dev created
+ ├─ aws-native:wafv2:WebACL web-acl created
+ ├─ aws-native:wafv2:WebACL web-acl-no-tags-no-description created
+ ├─ aws-native:wafv2:WebACL web-acl-no-description created
+ └─ aws-native:wafv2:WebACL web-acl-no-tags created
Resources:
+ 5 created
Duration: 49s
However, on update the resources with one or more defined failed, with an error message indicating that the undefined property failed validation. But the resource with both defined was updated successfully.
$ pulumi up --yes
Previewing update (dev)
View Live: https://app.pulumi.com/henriiik/waf/dev/previews/b739427e-fd64-4663-aede-847f8ce2a929
Type Name Plan Info
pulumi:pulumi:Stack waf-dev
~ ├─ aws-native:wafv2:WebACL web-acl-no-tags-no-description update [diff: ~visibilityConfig]
~ ├─ aws-native:wafv2:WebACL web-acl update [diff: ~visibilityConfig]
~ ├─ aws-native:wafv2:WebACL web-acl-no-description update [diff: ~visibilityConfig]
~ └─ aws-native:wafv2:WebACL web-acl-no-tags update [diff: ~visibilityConfig]
Resources:
~ 4 to update
1 unchanged
Updating (dev)
View Live: https://app.pulumi.com/henriiik/waf/dev/updates/21
Type Name Status Info
pulumi:pulumi:Stack waf-dev **failed** 1 error
~ ├─ aws-native:wafv2:WebACL web-acl-no-description **updating failed** [diff: ~visibilityConfig]; 1 error
~ ├─ aws-native:wafv2:WebACL web-acl-no-tags **updating failed** [diff: ~visibilityConfig]; 1 error
~ ├─ aws-native:wafv2:WebACL web-acl-no-tags-no-description **updating failed** [diff: ~visibilityConfig]; 1 error
~ └─ aws-native:wafv2:WebACL web-acl updated [diff: ~visibilityConfig]
Diagnostics:
pulumi:pulumi:Stack (waf-dev):
error: update failed
aws-native:wafv2:WebACL (web-acl-no-description):
error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: 1c6219b8-25c6-4cfd-a1eb-888b03114aa9, api error ValidationException: Model validation failed (#/Description: failed validation constraint for keyword [pattern])
aws-native:wafv2:WebACL (web-acl-no-tags):
error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: d96d8ef1-9055-4562-808d-689a49ff32de, api error ValidationException: Model validation failed (#/Tags: expected minimum item count: 1, found: 0)
aws-native:wafv2:WebACL (web-acl-no-tags-no-description):
error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: c8e4dd3e-de87-452d-9584-9e00184fac5c, api error ValidationException: Model validation failed (#/Description: failed validation constraint for keyword [pattern]
#/Tags: expected minimum item count: 1, found: 0)
Resources:
~ 1 updated
1 unchanged
Duration: 12s
@viveklak I then added ignoreChanges: ["tags", "description"] and it did not make a difference.
I have updated the code in the example repo with the changes.
Exactly the same here. ignore_changes doesn't make any difference. Is it planned to be fixed anytime soon?
Apologies. IgnoreChanges is not the right suggestion. As demonstrated by @henriiik in https://github.com/pulumi/pulumi-aws-native/issues/415#issuecomment-1091063070 setting the description and some tag value at creation time avoids the overeager validation.
FWIW this is still a bug with cloudcontrol. The updates are converted to patch operations in cloudcontrol by the aws-native provider which are identical for resources with both tags and description specified and for those missing these fields, e.g.:
# Resource contains description and tags
{"ClientToken":"XXXX","Identifier":"web-acl-9ddba5e|17ba60ad-23c4-49a8-8203-b0010b86a15d|REGIONAL","PatchDocument":"[{\"op\":\"replace\",\"path\":\"/VisibilityConfig\",\"value\":{\"CloudWatchMetricsEnabled\":false,\"MetricName\":\"1665549475007\",\"SampledRequestsEnabled\":false}}]","TypeName":"AWS::WAFv2::WebACL"}
# Resource doesn't contain description or tags
{"ClientToken":"XXXX","Identifier":"web-acl-no-tags-no-description-b4af193|a9091717-d347-4ed6-9b03-d6fee20e45c6|REGIONAL","PatchDocument":"[{\"op\":\"replace\",\"path\":\"/VisibilityConfig\",\"value\":{\"CloudWatchMetricsEnabled\":false,\"MetricName\":\"1665549474961\",\"SampledRequestsEnabled\":false}}]","TypeName":"AWS::WAFv2::WebACL"}
However, cloudcontrol's translation to wafv2 service endpoints seems to tickle the validation checks in the latter but not the former.
Thanks @henriiik for the excellent repro. I am raising this again with our AWS contacts.
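The mismatch described in the comment above, as an added example that is not part of the original thread or the provider's code: it decodes the PatchDocument of an UpdateResource request and lists the properties the validation error names even though the patch never touched them. The function names are hypothetical; the sample request is rebuilt from the second request body shown above and the error text is copied from the failing update output.

```typescript
// Added example, not code from the thread or from pulumi-aws-native.
interface PatchOp { op: string; path: string; value?: unknown }

// CloudControl carries the JSON Patch as a JSON string inside the request JSON.
function patchedPaths(requestBody: string): string[] {
  const req = JSON.parse(requestBody);
  const ops: PatchOp[] = JSON.parse(req.PatchDocument);
  return ops.map((o) => o.path);
}

// Extract the "#/Property" pointers from a "Model validation failed (...)" error.
function rejectedPaths(errorText: string): string[] {
  const found: string[] = [];
  const re = /#(\/[A-Za-z0-9_\/]+):/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(errorText)) !== null) found.push(m[1]);
  return found;
}

// Properties the service rejected although no patch operation targets them.
function rejectedButNotPatched(requestBody: string, errorText: string): string[] {
  const patched = patchedPaths(requestBody);
  return rejectedPaths(errorText).filter(
    (p) => !patched.some((q) => p === q || p.indexOf(q + "/") === 0)
  );
}

// Sample input rebuilt from the request and error shown in this thread.
const samplePatch = JSON.stringify([{
  op: "replace",
  path: "/VisibilityConfig",
  value: { CloudWatchMetricsEnabled: false, MetricName: "1665549474961", SampledRequestsEnabled: false },
}]);
const sampleRequest = JSON.stringify({
  ClientToken: "XXXX",
  Identifier: "web-acl-no-tags-no-description-b4af193|a9091717-d347-4ed6-9b03-d6fee20e45c6|REGIONAL",
  PatchDocument: samplePatch,
  TypeName: "AWS::WAFv2::WebACL",
});
const sampleError =
  "Model validation failed (#/Description: failed validation constraint for keyword [pattern]\n" +
  "#/Tags: expected minimum item count: 1, found: 0)";

console.log("patched:", patchedPaths(sampleRequest));
console.log("rejected but not patched:", rejectedButNotPatched(sampleRequest, sampleError));
```

Any path this reports is one to set explicitly when the resource is created, which is the workaround given earlier in the thread for description and tags.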
According to our contacts at AWS this has now been addressed and should be rolled out to regions within the next 7-10 days.
Internal ref: 10998445201
This issue is still not addressed, error can still be reproduced.
Please fix
We have re-raised this with AWS and are awaiting a fix.
This is still an issue. Any update on timeline to fix?
I just tested this out and was unable to reproduce. The only error I received was related to the description field which is resolved if description is provided.
Hello!
Issue details
When I try to make changes to the rules property of my awsnative.wafv2.WebAcl, pulumi reports that it can make an update (rather than a replace). However when the update runs I get the following error:
I believe that this is related to the fact that the tags output of my resource is an empty array. I do have tags for my resource, but the wafv2 api does not return them, so I think that is why they are not in the outputs. (the tags are present in the inputs when looking at the stack state, but not the outputs.)
Steps to reproduce
awsnative.wafv2.WebAcl
pulumi up
rules are changed.
pulumi up again
Expected: My rule should be updated and my update succeed.
Actual: The api call crashes and the update fails.
here the code for a minimal reproduction (repo link):
here is the output of running when pulumi up to create the acl:
and then another one to trigger the bug: