pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

ValidationException: Value null at '...' failed to satisfy constraint: Member must not be null #2357

Open TheoGenially opened 1 year ago

TheoGenially commented 1 year ago

What happened?

First of all, I am trying to investigate your AWS WAFv2 documentation, and the web page is too heavy, so it never stops loading: https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/

Then, I have created the project/stack (pulumi stack init <STACK-NAME>) and imported AWS WAF ACLs (pulumi import aws:wafv2/webAcl:WebAcl WebAcl <WAF-ID>/<WAF-NAME>/REGIONAL) into Pulumi. The other WAFs worked properly, but one configuration gives an error at the moment of applying the configuration (pulumi up).

    ValidationException: 8 validation errors detected:
    Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.1.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.2.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.3.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.4.member.statement.andStatement.statements.1.member.orStatement.statements.4.member.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.4.member.statement.andStatement.statements.2.member.notStatement.statement.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.4.member.statement.andStatement.statements.3.member.notStatement.statement.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.8.member.statement.andStatement.statements.1.member.sqliMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null;
    Value null at 'rules.8.member.statement.andStatement.statements.2.member.notStatement.statement.byteMatchStatement.fieldToMatch' failed to satisfy constraint: Member must not be null

I suppose the error is related to this code present in the index.ts of this project.

Let me know if you need more information.

Expected Behavior

Successfully applied.

Steps to reproduce

Set up a WAF ACL configuration containing the following rule in index.ts:

    {
        name: "OWASP-LFI-RFI-Rules-Exclude",
        priority: 9,
        overrideAction: { none: {} },
        statement: {
            andStatement: {
                statements: [
                    {
                        orStatement: {
                            statements: [
                                {
                                    byteMatchStatement: {
                                        positionalConstraint: "CONTAINS",
                                        searchString: "://",
                                        textTransformations: [
                                            { priority: 1, type: "URL_DECODE" },
                                            { priority: 2, type: "HTML_ENTITY_DECODE" },
                                        ],
                                    },
                                },
                                {
                                    byteMatchStatement: {
                                        positionalConstraint: "CONTAINS",
                                        searchString: "../",
                                        textTransformations: [
                                            { priority: 1, type: "URL_DECODE" },
                                            { priority: 2, type: "HTML_ENTITY_DECODE" },
                                        ],
                                    },
                                },
                                {
                                    byteMatchStatement: {
                                        positionalConstraint: "CONTAINS",
                                        searchString: "://",
                                        textTransformations: [
                                            { priority: 1, type: "URL_DECODE" },
                                            { priority: 2, type: "HTML_ENTITY_DECODE" },
                                        ],
                                    },
                                },
                                {
                                    byteMatchStatement: {
                                        positionalConstraint: "CONTAINS",
                                        searchString: "../",
                                        textTransformations: [
                                            { priority: 1, type: "URL_DECODE" },
                                            { priority: 2, type: "HTML_ENTITY_DECODE" },
                                        ],
                                    },
                                },
                            ],
                        },
                    },
                    {
                        notStatement: {
                            statements: [{
                                byteMatchStatement: {
                                    positionalConstraint: "CONTAINS",
                                    searchString: "query=query",
                                    textTransformations: [{ priority: 1, type: "URL_DECODE" }],
                                },
                            }],
                        },
                    },
                    {
                        notStatement: {
                            statements: [{
                                byteMatchStatement: {
                                    positionalConstraint: "CONTAINS",
                                    searchString: "url=https",
                                    textTransformations: [{ priority: 1, type: "URL_DECODE" }],
                                },
                            }],
                        },
                    },
                ],
            },
        },
        visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: "OWASP-LFI-RFI-Rules-Exclude",
            sampledRequestsEnabled: true,
        },
    },

Output of pulumi about

    CLI
    Version      3.53.1
    Go Version   go1.19.5
    Go Compiler  gc

    Plugins
    NAME    VERSION
    nodejs  unknown

    Host
    OS       fedora
    Version  36
    Arch     x86_64

    This project is written in nodejs: executable='/home/to/.nvm/versions/node/v18.13.0/bin/node' version='v18.13.0'

    Current Stack: waf-name

    TYPE                     URN
    pulumi:pulumi:Stack      urn:pulumi:waf-editor-resources-api-gateway-eu-west-1-pro::waf-editor-resources-api-gateway-eu-west-1-pro::pulumi:pulumi:Stack::waf-name
    pulumi:providers:aws     urn:pulumi:waf-name::pulumi:providers:aws::default_5_28_0
    aws:wafv2/webAcl:WebAcl  urn:pulumi:waf-name::waf-name::aws:wafv2/webAcl:WebAcl::WebAcl
    pulumi:providers:aws     urn:pulumi:waf-name::waf-name::pulumi:providers:aws::default

    Found no pending operations associated with waf-editor-resources-api-gateway-eu-west-1-pro

    Backend
    Name           NAME
    URL            s3://pulumi-state-backends
    User           USERNAME
    Organizations

    Pulumi locates its logs in /tmp by default
    warning: Failed to get information about the Pulumi program's dependencies: could not find either home repos

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

abhinav commented 1 year ago

Hi, @TheoGenially, thanks for the issue. First, RE:

First of all, I am trying to investigate on your AWS WAFv2 documentation and the webpage is to heavy, so it never stops loading: https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/

I'm happy to report that that has been fixed! We've limited what shows on that page to the first 200 entries for massive types like wafv2.WebAcl (#12070). So the page https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/ actually loads and is browseable.

Regarding your issue: Yes, this looks like a legitimate issue in the AWS provider.

Documentation for ByteMatchStatement states that FieldToMatch is required, but in our generated type for it, it's marked as optional:

    interface WebAclRuleStatementAndStatementStatementOrStatementStatementByteMatchStatement {
        /**
         * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details.
         */
        fieldToMatch?: pulumi.Input<inputs.wafv2.WebAclRuleStatementAndStatementStatementOrStatementStatementByteMatchStatementFieldToMatch>;

I'll move this over to the AWS provider repository. Provider friends, here's a smaller repro:

    import * as aws from "@pulumi/aws";

    new aws.wafv2.WebAcl("test-acl", {
      defaultAction: {allow: {}},
      scope: "CLOUDFRONT",
      visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "foo",
        sampledRequestsEnabled: true,
      },
      rules: [
        {
          name: "OWASP-LFI-RFI-Rules-Exclude",
          priority: 9,
          overrideAction: {none: {}},
          statement: {
            byteMatchStatement: {
              positionalConstraint: "CONTAINS",
              searchString: "://",
              textTransformations: [
                {priority: 1, type: "URL_DECODE"},
                {priority: 2, type: "HTML_ENTITY_DECODE"},
              ],
            },
          },
          visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: "OWASP-LFI-RFI-Rules-Exclude",
            sampledRequestsEnabled: true,
          },
        },
      ],
    });

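
Since the generated type marks `fieldToMatch` as optional, the TypeScript compiler will not catch the omission and the first signal is the ValidationException at `pulumi up`. The following is an added example, not code from pulumi-aws or from anyone in this thread: a pre-flight check that walks a WebAcl `rules` array and reports every match statement with no `fieldToMatch`, printing paths in the same syntax AWS uses in the error above (1-based `.member` indices; a `notStatement` child reported as `notStatement.statement`, even though Pulumi models it as a one-element `statements` list). The list of statement kinds that carry a `fieldToMatch`, the `scopeDownStatement` handling, the minimal `Rule`/`Statement` types and the sample rules are all assumptions made for the example; the issue itself only shows `byteMatchStatement` and `sqliMatchStatement` failing.

```typescript
// Added example (not pulumi-aws code): find match statements whose fieldToMatch is
// missing before `pulumi up`, using AWS WAFv2's own ValidationException path syntax.

// Statement kinds that carry a fieldToMatch. Assumed from the WAFv2 API, not from the issue.
const FIELD_TO_MATCH_REQUIRED: string[] = [
  "byteMatchStatement",
  "sqliMatchStatement",
  "xssMatchStatement",
  "regexMatchStatement",
  "regexPatternSetReferenceStatement",
  "sizeConstraintStatement",
];

// Minimal structural types for the example; the real pulumi-aws input types are far larger.
type Statement = { [kind: string]: any };

interface Rule {
  name: string;
  priority: number;
  statement: Statement;
  [extra: string]: any;
}

// Returns the AWS-style path of every missing fieldToMatch, in rule order.
function missingFieldToMatch(rules: Rule[]): string[] {
  const problems: string[] = [];
  rules.forEach((rule, i) => {
    // AWS numbers list members from 1 (rules.1, statements.1, ...).
    walkStatement(rule.statement, `rules.${i + 1}.member.statement`, problems);
  });
  return problems;
}

function walkStatement(stmt: Statement | undefined, path: string, out: string[]): void {
  if (!stmt) {
    return;
  }
  Object.keys(stmt).forEach((kind) => {
    const body = stmt[kind];
    if (body === null || body === undefined) {
      return;
    }
    const here = `${path}.${kind}`;
    if (kind === "andStatement" || kind === "orStatement") {
      const children: Statement[] = body.statements || [];
      children.forEach((child, j) => walkStatement(child, `${here}.statements.${j + 1}.member`, out));
    } else if (kind === "notStatement") {
      // Pulumi: one-element `statements` list. AWS reports the same node as `notStatement.statement`.
      const children: Statement[] = body.statements || [];
      children.forEach((child) => walkStatement(child, `${here}.statement`, out));
    } else {
      // rateBasedStatement and managedRuleGroupStatement may nest a scope-down statement.
      if (body.scopeDownStatement) {
        walkStatement(body.scopeDownStatement, `${here}.scopeDownStatement`, out);
      }
      if (FIELD_TO_MATCH_REQUIRED.indexOf(kind) >= 0 && body.fieldToMatch == null) {
        out.push(`${here}.fieldToMatch`);
      }
    }
  });
}

// Constructed sample (not the reporter's ACL): rule 2 mirrors the shape of the rule in this
// issue with one statement fixed by adding fieldToMatch; rule 3 hides the omission under a
// rate-based rule's scope-down statement; rule 1 has nothing to report.
const sampleRules: Rule[] = [
  { name: "geo", priority: 1, action: { block: {} },
    statement: { geoMatchStatement: { countryCodes: ["XX"] } } },
  { name: "OWASP-LFI-RFI-Rules-Exclude", priority: 9, overrideAction: { none: {} },
    statement: { andStatement: { statements: [
      { orStatement: { statements: [
        { byteMatchStatement: { positionalConstraint: "CONTAINS", searchString: "://",
            textTransformations: [{ priority: 1, type: "URL_DECODE" }] } },
        { byteMatchStatement: { positionalConstraint: "CONTAINS", searchString: "../",
            fieldToMatch: { uriPath: {} },
            textTransformations: [{ priority: 1, type: "URL_DECODE" }] } },
      ] } },
      { notStatement: { statements: [
        { byteMatchStatement: { positionalConstraint: "CONTAINS", searchString: "query=query",
            textTransformations: [{ priority: 1, type: "URL_DECODE" }] } },
      ] } },
    ] } } },
  { name: "rate", priority: 10, action: { block: {} },
    statement: { rateBasedStatement: { limit: 1000, aggregateKeyType: "IP",
      scopeDownStatement: { sqliMatchStatement: {
        textTransformations: [{ priority: 0, type: "NONE" }] } } } } },
];

// Run before `pulumi up`; a non-empty result means AWS would reject the ACL.
const problems = missingFieldToMatch(sampleRules);
problems.forEach((p) => console.log(`missing ${p}`));
```

The walker only inspects `rule.statement`, so rule-level keys such as `action`, `overrideAction` and `visibilityConfig` are ignored, and an empty result for a real stack only means the fieldToMatch constraint is satisfied, not that the rest of the ACL is valid.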
danielrbradley commented 1 year ago

Thanks for the great repro @abhinav !

This appears to be an issue in the upstream implementation - which incorrectly models fieldToMatch as an optional field.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#byte_match_statement

field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See field_to_match below for details.

I'll close this as our provider mapping is behaving correctly. I would suggest opening an issue to address this in the upstream Terraform repository.

kpitzen commented 1 year ago

Hey @TheoGenially - thank you for opening this issue! I'm going to reopen it for now as the issue persists in the upstream, and I would echo what @danielrbradley mentioned regarding opening a corresponding issue in the upstream repository. When you've done that, feel free to reference that issue for their context! Thanks again!