pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

wafv2 rules are modified on every up. #3880

Closed gmarkowski closed 4 months ago

gmarkowski commented 5 months ago

What happened?

I created a new wafv2.WebAcl. Everything gets built properly, but subsequent pulumi up commands output differences that are unexpected. I also see some changes doubled. See cloudwatchMetricsEnabled and metricName in the output below.

Example

const mainAcl = new aws.wafv2.WebAcl("main-acl", {
    scope: "REGIONAL",
    defaultAction: {
        allow: {},
    },
    visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: "myWebAclMetrics",
        sampledRequestsEnabled: false,
    },
    captchaConfig: {
        immunityTimeProperty: {
            immunityTime: 1800
        }
    },
    tokenDomains: [],
    rules: [
        {
            action: {
                block: {},
            },
            name: "IPAllowRule",
            priority: 0,
            statement: {
                ipSetReferenceStatement: {
                    arn: allowedIpSet.arn,
                },
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: true,
                metricName: "IPAllowRule",
                sampledRequestsEnabled: true,
            },
        },
    ]
});

Output of pulumi about

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:poc::MY-COMPANY::pulumi:pulumi:Stack::MY-COMPANY-poc]
    ~ aws:wafv2/webAcl:WebAcl: (update)
        [id=ded6d29d-5318-4e98-aa14-740f31dbc4f4]
        [urn=urn:pulumi:poc::MY-COMPANY::aws:wafv2/webAcl:WebAcl::main-acl]
        [provider=urn:pulumi:poc::MY-COMPANY::pulumi:providers:aws::default_6_31_0::911e0d16-9224-481c-8e0c-62b88c6aa82b]
      ~ rules: [
          ~ [0]: {
                  ~ action          : {
                      + __defaults: []
                      ~ allow     : {
                          + __defaults: []
                        }
                    }
                  ~ name            : "IPAllowRule" => "IPAllowRule"
                  ~ priority        : 0 => 0
                  ~ statement       : {
                      + __defaults             : []
                      ~ ipSetReferenceStatement: {
                          + __defaults: []
                        }
                    }
                  ~ visibilityConfig: {
                      + __defaults              : []
                      ~ cloudwatchMetricsEnabled: true => true
                      ~ cloudwatchMetricsEnabled: true => true
                      ~ metricName              : "IPAllowRule" => "IPAllowRule"
                      ~ metricName              : "IPAllowRule" => "IPAllowRule"
                    }
                }
        ]

Additional context

CLI          
Version      3.114.0
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.31.0
resource  aws-native  0.62.0
language  nodejs      unknown

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/home/greg_ev/.nvm/versions/node/v20.2.0/bin/node' version='v20.2.0'

Dependencies:

NAME                VERSION
@pulumi/aws-native  0.62.0
@pulumi/aws         6.31.0
@pulumi/pulumi      3.103.1
@types/node         16.18.75
versions            12.0.1

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

t0yv0 commented 5 months ago

Complete repro:

import * as aws from "@pulumi/aws";

const allowedIpSet = new aws.wafv2.IpSet("example", {
    name: "example",
    description: "Example IP set",
    scope: "REGIONAL",
    ipAddressVersion: "IPV4",
    addresses: [
        "1.2.3.4/32",
        "5.6.7.8/32",
    ],
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
});

const mainAcl = new aws.wafv2.WebAcl("main-acl", {
    scope: "REGIONAL",
    defaultAction: {
        allow: {},
    },
    visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: "myWebAclMetrics",
        sampledRequestsEnabled: false,
    },
    captchaConfig: {
        immunityTimeProperty: {
            immunityTime: 1800
        }
    },
    tokenDomains: [],
    rules: [
        {
            action: {
                block: {},
            },
            name: "IPAllowRule",
            priority: 0,
            statement: {
                ipSetReferenceStatement: {
                    arn: allowedIpSet.arn,
                },
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: true,
                metricName: "IPAllowRule",
                sampledRequestsEnabled: true,
            },
        },
    ]
});

blakeromano commented 5 months ago

We are also running into this issue so we are looking forward to a fix for this 😃

flostadler commented 4 months ago

This was fixed in https://github.com/pulumi/pulumi-aws/pull/3948. It'll be released in release 6.36.0.
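
Added example, not part of the thread or of pulumi-aws: on a stack still running a provider version without the fix, a reviewer approving `pulumi up` can filter out the no-op entries shown in the diff above (`X => X` and `+ __defaults: []`) so that a real WAF rule change is not lost among them. `realChanges`, `Finding` and `SAMPLE_DIFF` are hypothetical names, the sample diff is constructed, and the parser assumes the text layout of the diff in this issue.

```typescript
// Added example (not from the issue or pulumi-aws): separate no-op entries in a
// `pulumi up` details diff from real changes. Input is assumed to be the property
// lines under the resource header, in the text layout shown in the issue.
type Finding = { path: string; change: string };

// Constructed sample: no-op entries like those in the issue plus one real change.
const SAMPLE_DIFF = `
~ rules: [
    ~ [0]: {
        ~ action          : {
            + __defaults: []
          }
        ~ name            : "IPAllowRule" => "IPAllowRule"
        ~ priority        : 0 => 0
        ~ visibilityConfig: {
            + __defaults              : []
            ~ cloudwatchMetricsEnabled: true => true
            ~ sampledRequestsEnabled  : true => false
          }
      }
  ]
`;

function realChanges(diff: string): Finding[] {
  const findings: Finding[] = [];
  const stack: { indent: number; key: string }[] = []; // currently open containers
  for (const raw of diff.split("\n")) {
    const m = /^(\s*)([~+-])\s+(.*)$/.exec(raw);
    if (!m) continue; // closing braces, blank lines, header lines
    const indent = m[1].length, op = m[2], body = m[3];
    const sep = body.indexOf(":");
    const key = (sep < 0 ? body : body.slice(0, sep)).trim();
    const value = sep < 0 ? "" : body.slice(sep + 1).trim();
    // Leave any container that is not a parent of this line.
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    const path = stack.map((s) => s.key).concat(key).join(".").replace(/\.\[/g, "[");
    const isContainer = value === "{" || value === "[";
    if (isContainer) stack.push({ indent, key });
    if (key === "__defaults") continue; // metadata key, not a WAF setting
    if (isContainer && op === "~") continue; // its children are checked one by one
    const sides = value.split(" => ");
    if (op === "~" && sides.length === 2 && sides[0] === sides[1]) continue; // X => X
    findings.push({ path, change: value }); // everything else needs human review
  }
  return findings;
}

console.log(realChanges(SAMPLE_DIFF));
```

An empty result means the diff contains only the no-op entries described in this issue; any value the parser cannot prove unchanged is reported rather than dropped.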