pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

Importing WAF WebAcl fails with resource does not exist #3575

Closed MitchellGerdisch closed 4 months ago

MitchellGerdisch commented 4 months ago

What happened?

Tried to import a WAF WebACL and got the error: error: Preview failed: resource 'xxxxxx-yyyyy-zzzzz-aaaa-bbbbbbbb' does not exist

Example

  1. Create a WebACL (Global)
  2. Note the UUID in the main Web ACLs page; it is of the form xxxxxx-yyyyy-zzzzz-aaaa-bbbbbbbb
  3. Run pulumi import aws:wafv2/webAcl:WebAcl acl xxxxxx-yyyyy-zzzzz-aaaa-bbbbbbbb
  4. See error message that xxxxxx-yyyyy-zzzzz-aaaa-bbbbbbbb does not exist

Output of pulumi about

CLI
Version      3.108.0
Go Version   go1.22.0
Go Compiler  gc

Plugins
NAME    VERSION
python  unknown
random  4.16.0

Host
OS       darwin
Version  13.6.3
Arch     x86_64

Current Stack: python-import-test/dev

Found no resources associated with dev

Found no pending operations associated with dev

Backend
Name  pulumi.com

Dependencies:
NAME           VERSION
pip            24.0
pulumi_random  4.16.0
setuptools     69.1.1
wheel          0.42.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

VenelinMartinov commented 4 months ago

The issue here is that the import command is wrong. You need pulumi import aws:wafv2/webAcl:WebAcl acl {ID}/{NAME}/{SCOPE}. Unfortunately I don't see how one would reasonably find that out.

Our docs don't have an import section: https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/#forwardedipconfig_yaml

I checked it in the upstream docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#import

I suspect that the unusual scheme here is probably what tripped up conversion.

Here is the program I used:

name: aws_webacl
runtime: yaml
resources:
  prov:
    type: pulumi:providers:aws
    defaultProvider: true
    options:
      version: 6.27.0
  exampleWebAcl:
    type: aws:wafv2:WebAcl
    properties:
      scope: "REGIONAL" # either CLOUDFRONT or REGIONAL
      defaultAction:
        block: {}
      rules:
        # List of rules to include in the ACL
        - name: "rateLimitRule"
          priority: 1
          statement:
            rateBasedStatement:
              limit: 2000 
              aggregateKeyType: "FORWARDED_IP"
              forwardedIpConfig:
                fallbackBehavior: NO_MATCH
                headerName: "X-Forwarded-For"
          action:
            count: {}
          visibilityConfig:
            sampledRequestsEnabled: true
            cloudwatchMetricsEnabled: true
            metricName: "rateLimitRule"

      visibilityConfig:
        sampledRequestsEnabled: true
        cloudwatchMetricsEnabled: true
        metricName: "exampleWebAcl"
outputs:
  exampleWebAclId: "${exampleWebAcl.id}"
  exampleWebAclName: "${exampleWebAcl.name}"
  exampleWebAclScope: "${exampleWebAcl.scope}"

And then ran pulumi import aws:wafv2/webAcl:WebAcl main 38850b8f-2cbc-441e-9cb4-7d529b1b49d6/exampleWebAcl-8121fe8/REGIONAL which generated:

resources:
  main:
    type: aws:wafv2:WebAcl
    properties:
      defaultAction: {}
      name: exampleWebAcl-8121fe8
      rules:
        - name: rateLimitRule
          priority: 1
          statement:
            rateBasedStatement:
              aggregateKeyType: FORWARDED_IP
              forwardedIpConfig:
                fallbackBehavior: NO_MATCH
                headerName: X-Forwarded-For
              limit: 2000
          visibilityConfig:
            cloudwatchMetricsEnabled: true
            metricName: rateLimitRule
            sampledRequestsEnabled: true
      scope: REGIONAL
      visibilityConfig:
        cloudwatchMetricsEnabled: true
        metricName: exampleWebAcl
        sampledRequestsEnabled: true
    options:
      protect: true

That looks roughly correct. I'm going to close this issue and raise an issue in the bridge for the docs.
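Added example, not part of the thread and not Pulumi's own code: a Python sketch that derives the {ID}/{NAME}/{SCOPE} import ID from the JSON printed by aws wafv2 list-web-acls, and shows that the bare UUID from the original report does not pass the three-part check. The sample JSON is constructed (the region and account number are placeholders; the Id and Name are the ones in the comment above), and the helper names are hypothetical.

```python
import json
import re

# Constructed sample of `aws wafv2 list-web-acls --scope REGIONAL` output.
# Region and account number are placeholders; Id and Name come from the thread.
SAMPLE_LIST_WEB_ACLS = json.dumps({
    "WebACLs": [{
        "Name": "exampleWebAcl-8121fe8",
        "Id": "38850b8f-2cbc-441e-9cb4-7d529b1b49d6",
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/"
               "exampleWebAcl-8121fe8/38850b8f-2cbc-441e-9cb4-7d529b1b49d6",
    }]
})

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# The ARN says "regional" or "global"; the import ID wants the API scope value.
ARN_SCOPE = {"regional": "REGIONAL", "global": "CLOUDFRONT"}


def import_id(acl):
    """Build the {ID}/{NAME}/{SCOPE} import ID for one list-web-acls entry."""
    if not UUID_RE.match(acl["Id"]):
        raise ValueError(f"not a WebACL UUID: {acl['Id']!r}")
    # ARN resource part: "<regional|global>/webacl/<name>/<id>"
    resource = acl["ARN"].split(":", 5)[5]
    scope_key, kind, name, acl_id = resource.split("/")
    if kind != "webacl" or name != acl["Name"] or acl_id != acl["Id"]:
        raise ValueError(f"ARN does not match entry: {acl['ARN']!r}")
    return f"{acl['Id']}/{acl['Name']}/{ARN_SCOPE[scope_key]}"


def check_import_id(candidate):
    """True only for the three-part form; a bare UUID (the failing case) is False."""
    parts = candidate.split("/")
    return (len(parts) == 3 and bool(UUID_RE.match(parts[0]))
            and bool(parts[1]) and parts[2] in ARN_SCOPE.values())


def import_commands(list_output):
    """Turn list-web-acls JSON into pulumi import commands, one per WebACL.

    The ACL name doubles as the Pulumi resource name so entries do not collide.
    """
    acls = json.loads(list_output)["WebACLs"]
    return [f"pulumi import aws:wafv2/webAcl:WebAcl {a['Name']} {import_id(a)}"
            for a in acls]


if __name__ == "__main__":
    print("\n".join(import_commands(SAMPLE_LIST_WEB_ACLS)))
```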

VenelinMartinov commented 4 months ago

Raised https://github.com/pulumi/pulumi-terraform-bridge/issues/1769 for the docs issue.