Open TheoGenially opened 1 year ago
Hi, @TheoGenially, thanks for the issue. First, RE:
> First of all, I am trying to investigate on your AWS WAFv2 documentation and the webpage is too heavy, so it never stops loading: https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/
I'm happy to report that that has been fixed! We've limited what shows on that page to the first 200 entries for massive types like wafv2.WebAcl (#12070). So the page https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/ actually loads and is browseable.
Regarding your issue: Yes, this looks like a legitimate issue in the AWS provider.
Documentation for ByteMatchStatement states that FieldToMatch is required, but in our generated type for it, it's marked as optional:
```typescript
interface WebAclRuleStatementAndStatementStatementOrStatementStatementByteMatchStatement {
    /**
     * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details.
     */
    fieldToMatch?: pulumi.Input<inputs.wafv2.WebAclRuleStatementAndStatementStatementOrStatementStatementByteMatchStatementFieldToMatch>;
    // ... (remaining fields omitted)
}
```
I'll move this over to the AWS provider repository. Provider friends, here's a smaller repro:
```typescript
import * as aws from "@pulumi/aws";

new aws.wafv2.WebAcl("test-acl", {
    defaultAction: {allow: {}},
    scope: "CLOUDFRONT",
    visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "foo",
        sampledRequestsEnabled: true,
    },
    rules: [
        {
            name: "OWASP-LFI-RFI-Rules-Exclude",
            priority: 9,
            overrideAction: {none: {}},
            statement: {
                // Note: no fieldToMatch here; this is what reproduces the error.
                byteMatchStatement: {
                    positionalConstraint: "CONTAINS",
                    searchString: "://",
                    textTransformations: [
                        {priority: 1, type: "URL_DECODE"},
                        {priority: 2, type: "HTML_ENTITY_DECODE"},
                    ],
                },
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: true,
                metricName: "OWASP-LFI-RFI-Rules-Exclude",
                sampledRequestsEnabled: true,
            },
        }
    ],
})
```
Thanks for the great repro @abhinav !
This appears to be an issue in the upstream implementation - which incorrectly models fieldToMatch as an optional field.
> field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See field_to_match below for details.

I'll close this as our provider mapping is behaving correctly. I would suggest opening an issue to address this in the upstream terraform repository.
Hey @TheoGenially - thank you for opening this issue! I'm going to reopen it for now as the issue persists in the upstream, and I would echo what @danielrbradley mentioned regarding opening a corresponding issue in the upstream repository. When you've done that, feel free to reference that issue for their context! Thanks again!
What happened?
First of all, I am trying to investigate on your AWS WAFv2 documentation and the webpage is too heavy, so it never stops loading: https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/
Then, I have created the project/stack (`pulumi stack init <STACK-NAME>`), imported an AWS WAF ACLs (`pulumi import aws:wafv2/webAcl:WebAcl WebAcl <WAF-ID>/<WAF-NAME>/REGIONAL`) into pulumi. The other WAFs worked properly but one configuration gives an error at the moment of applying the configuration (`pulumi up`).
```
ValidationException: 8 validation errors detected: Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.1.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.2.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.3.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.4.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.4.member.statement.andStatement.statements.2.member.notStatement.statement.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.4.member.statement.andStatement.statements.3.member.notStatement.statement.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.8.member.statement.andStatement.statements.1.member.sqliMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null; Value null at 'rules.8.member.statement.andStatement.statements.2.member.notStatement.statement.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null
```
I suppose the error is related to this code present in the index.ts of this project:
Let me know if you need more information.
Expected Behavior
Successfully applied.
Steps to reproduce
Set up a WAF ACL configuration containing in the index.ts the following rules:
```typescript
{
  name: "OWASP-LFI-RFI-Rules-Exclude",
  priority: 9,
  overrideAction: { none: {} },
  statement: {
    andStatement: {
      statements: [
        {
          orStatement: {
            statements: [
              {
                byteMatchStatement: {
                  positionalConstraint: "CONTAINS",
                  searchString: "://",
                  textTransformations: [
                    { priority: 1, type: "URL_DECODE" },
                    { priority: 2, type: "HTML_ENTITY_DECODE" },
                  ],
                },
              },
              {
                byteMatchStatement: {
                  positionalConstraint: "CONTAINS",
                  searchString: "../",
                  textTransformations: [
                    { priority: 1, type: "URL_DECODE" },
                    { priority: 2, type: "HTML_ENTITY_DECODE" },
                  ],
                },
              },
              {
                byteMatchStatement: {
                  positionalConstraint: "CONTAINS",
                  searchString: "://",
                  textTransformations: [
                    { priority: 1, type: "URL_DECODE" },
                    { priority: 2, type: "HTML_ENTITY_DECODE" },
                  ],
                },
              },
              {
                byteMatchStatement: {
                  positionalConstraint: "CONTAINS",
                  searchString: "../",
                  textTransformations: [
                    { priority: 1, type: "URL_DECODE" },
                    { priority: 2, type: "HTML_ENTITY_DECODE" },
                  ],
                },
              },
            ],
          },
        },
        {
          notStatement: {
            statements: [{
              byteMatchStatement: {
                positionalConstraint: "CONTAINS",
                searchString: "query=query",
                textTransformations: [{ priority: 1, type: "URL_DECODE" }],
              },
            }],
          },
        },
        {
          notStatement: {
            statements: [{
              byteMatchStatement: {
                positionalConstraint: "CONTAINS",
                searchString: "url=https",
                textTransformations: [{ priority: 1, type: "URL_DECODE" }],
              },
            }],
          },
        },
      ],
    },
  },
  visibilityConfig: {
    cloudwatchMetricsEnabled: true,
    metricName: "OWASP-LFI-RFI-Rules-Exclude",
    sampledRequestsEnabled: true,
  },
},
```
Output of `pulumi about`
```
CLI
Version      3.53.1
Go Version   go1.19.5
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host
OS       fedora
Version  36
Arch     x86_64

This project is written in nodejs: executable='/home/to/.nvm/versions/node/v18.13.0/bin/node' version='v18.13.0'

Current Stack: waf-name

TYPE                     URN
pulumi:pulumi:Stack      urn:pulumi:waf-editor-resources-api-gateway-eu-west-1-pro::waf-editor-resources-api-gateway-eu-west-1-pro::pulumi:pulumi:Stack::waf-name
pulumi:providers:aws     urn:pulumi:waf-name::pulumi:providers:aws::default_5_28_0
aws:wafv2/webAcl:WebAcl  urn:pulumi:waf-name::waf-name::aws:wafv2/webAcl:WebAcl::WebAcl
pulumi:providers:aws     urn:pulumi:waf-name::waf-name::pulumi:providers:aws::default

Found no pending operations associated with waf-editor-resources-api-gateway-eu-west-1-pro

Backend
Name           NAME
URL            s3://pulumi-state-backends
User           USERNAME
Organizations

Pulumi locates its logs in /tmp by default
warning: Failed to get information about the Pulumi program's dependencies: could not find either home repos
```
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
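
A pre-deployment check for the failure discussed in this issue, added here as an example (not code from Pulumi or the AWS provider): it walks a rule's statement tree and lists every `byteMatchStatement` or `sqliMatchStatement` that lacks `fieldToMatch`, so the gap is caught before `pulumi up` reaches the WAFv2 API. The function names, the constructed sample rule and the choice of `queryString` for the corrected statement are assumptions.

```typescript
// Added example: list WAFv2 match statements that lack the required fieldToMatch.
type Stmt = { [key: string]: any };

// Statement kinds that appear in this issue's ValidationException output.
const NEEDS_FIELD_TO_MATCH = ["byteMatchStatement", "sqliMatchStatement"];

// Returns JS-style paths (0-based indices), unlike the 1-based `member` paths AWS prints.
function findMissingFieldToMatch(stmt: Stmt, path: string): string[] {
  const missing: string[] = [];
  for (const kind of NEEDS_FIELD_TO_MATCH) {
    if (stmt[kind] && stmt[kind].fieldToMatch == null) {
      missing.push(`${path}.${kind}.fieldToMatch`);
    }
  }
  // andStatement / orStatement / notStatement nest further statements under `statements`.
  for (const kind of ["andStatement", "orStatement", "notStatement"]) {
    const nested: Stmt[] = stmt[kind]?.statements ?? [];
    nested.forEach((child, i) => {
      missing.push(...findMissingFieldToMatch(child, `${path}.${kind}.statements[${i}]`));
    });
  }
  return missing;
}

function checkRules(rules: { name: string; statement: Stmt }[]): string[] {
  const out: string[] = [];
  rules.forEach((r, i) => out.push(...findMissingFieldToMatch(r.statement, `rules[${i}].statement`)));
  return out;
}

// Constructed sample input, shaped like the rule reported in this issue.
const transforms = [{ priority: 1, type: "URL_DECODE" }];
const sampleRules = [{
  name: "OWASP-LFI-RFI-Rules-Exclude",
  statement: { andStatement: { statements: [
    { orStatement: { statements: [
      // fieldToMatch omitted, as in the report
      { byteMatchStatement: { positionalConstraint: "CONTAINS", searchString: "://", textTransformations: transforms } },
      // assumed corrected form: inspect the query string
      { byteMatchStatement: { positionalConstraint: "CONTAINS", searchString: "../", textTransformations: transforms, fieldToMatch: { queryString: {} } } },
    ] } },
    { notStatement: { statements: [
      { byteMatchStatement: { positionalConstraint: "CONTAINS", searchString: "url=https", textTransformations: transforms } },
    ] } },
  ] } },
}];

const problems = checkRules(sampleRules);
if (problems.length > 0) console.error("Missing fieldToMatch:\n" + problems.join("\n"));
```

Run against the `rules` array before constructing `aws.wafv2.WebAcl`, this turns the optional typing into a local failure instead of a rejected API call.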