pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

checkCertificateRevocationStatus does not get set properly when creating a Network Firewall TLS Inspection resource #4345

Closed mhamill2 closed 1 month ago

mhamill2 commented 2 months ago

Describe what happened

When creating a TLS Inspection resource for network firewall, the certificate revocation checking does not get set properly when setting it through code. The input for the resource is being configured like so:

checkCertificateRevocationStatus: {
  revokedStatusAction: 'REJECT',
  unknownStatusAction: 'REJECT',
},

However, it is not enabled on the AWS console.

Sample program

import * as aws from '@pulumi/aws';
import * as tls from '@pulumi/tls';

const key = new tls.PrivateKey('pca-key', { algorithm: 'RSA' });
const cert = new tls.SelfSignedCert('selfSignedCertResource', {
  allowedUses: ['digital_signature', 'cert_signing', 'crl_signing'],
  privateKeyPem: key.privateKeyPem,
  validityPeriodHours: 9000,
  dnsNames: ['firewall.test.com'],
  isCaCertificate: true,
  setSubjectKeyId: true,
  setAuthorityKeyId: true,
  subject: {
    commonName: 'test',
    country: 'us',
    organization: 'testing',
  },
});

const acmCert = new aws.acm.Certificate(
  'acm-cert',
  {
    privateKey: cert.privateKeyPem,
    certificateBody: cert.certPem,
    certificateChain: cert.certPem,
  },
  { replaceOnChanges: ['certificateBody'] },
);

new aws.networkfirewall.TlsInspectionConfiguration('tls-inspection-test', {
  description: 'Configuration for outbound TLS inspection in Network Firewall',
  tlsInspectionConfiguration: {
    serverCertificateConfiguration: {
      certificateAuthorityArn: acmCert.arn,
      checkCertificateRevocationStatus: {
        revokedStatusAction: 'REJECT',
        unknownStatusAction: 'REJECT',
      },
      scopes: [
        {
          protocols: [6],
          destinationPorts: [
            {
              fromPort: 443,
              toPort: 443,
            },
          ],
          destinations: [
            {
              addressDefinition: '0.0.0.0/0',
            },
          ],
          sourcePorts: [
            {
              fromPort: 0,
              toPort: 65535,
            },
          ],
          sources: [
            {
              addressDefinition: '0.0.0.0/0',
            },
          ],
        },
      ],
    },
  },
});

Log output

Previewing update (product-network.test.us-gov-west-1):
     Type                                               Name                                                  Plan       
 +   pulumi:pulumi:Stack                                product-network-product-network.test.us-gov-west-1  create     
 +   ├─ tls:index:SelfSignedCert                        selfSignedCertResource                                create     
 +   ├─ tls:index:PrivateKey                            pca-key                                               create     
 +   ├─ aws:acm:Certificate                             acm-cert                                              create     
 +   └─ aws:networkfirewall:TlsInspectionConfiguration  tls-inspection-test                                   create     

Resources:
    + 5 to create

Do you want to perform this update? yes
Updating (product-network.test.us-gov-west-1):
     Type                                               Name                                                  Status              
 +   pulumi:pulumi:Stack                                product-network-product-network.test.us-gov-west-1  created (49s)       
 +   ├─ tls:index:PrivateKey                            pca-key                                               created (0.72s)     
 +   ├─ tls:index:SelfSignedCert                        selfSignedCertResource                                created (0.67s)     
 +   ├─ aws:acm:Certificate                             acm-cert                                              created (1s)        
 +   └─ aws:networkfirewall:TlsInspectionConfiguration  tls-inspection-test                                   created (36s)       

Resources:
    + 5 created

Duration: 52s

Affected Resource(s)

aws.networkfirewall.TlsInspectionConfiguration

Output of pulumi about

╰─❯ pulumi about
CLI          
Version      3.122.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME    VERSION
language  nodejs  unknown

Host     
OS       darwin
Version  14.5
Arch     arm64

This project is written in nodejs: executable='/Users/michaelhamill/.nvm/versions/node/v20.5.0/bin/node' version='v20.5.0'

Current Stack: product-network.test.us-gov-west-1

TYPE                                                                       URN
pulumi:pulumi:Stack                                                        urn:pulumi:product-network.test.us-gov-west-1::product-network::pulumi:pulumi:Stack::product-network-product-network.test.us-gov-west-1
pulumi:providers:tls                                                       urn:pulumi:product-network.test.us-gov-west-1::product-network::pulumi:providers:tls::default_5_0_4
tls:index/privateKey:PrivateKey                                            urn:pulumi:product-network.test.us-gov-west-1::product-network::tls:index/privateKey:PrivateKey::pca-key
tls:index/selfSignedCert:SelfSignedCert                                    urn:pulumi:product-network.test.us-gov-west-1::product-network::tls:index/selfSignedCert:SelfSignedCert::selfSignedCertResource
pulumi:providers:aws                                                       urn:pulumi:product-network.test.us-gov-west-1::product-network::pulumi:providers:aws::default_6_43_0
aws:acm/certificate:Certificate                                            urn:pulumi:product-network.test.us-gov-west-1::product-network::aws:acm/certificate:Certificate::acm-cert
aws:networkfirewall/tlsInspectionConfiguration:TlsInspectionConfiguration  urn:pulumi:product-network.test.us-gov-west-1::product-network::aws:networkfirewall/tlsInspectionConfiguration:TlsInspectionConfiguration::tls-inspection-test

Found no pending operations associated with product-network.test.us-gov-west-1

Backend        
Name           Michael-test.local
URL            s3://pulumi-backend-dev-583efc5
User           michaelhamill
Organizations  
Token type     personal

Pulumi locates its logs in /var/folders/zb/f2t22zb10lvdjw4_nw4spt3m0000gp/T/ by default
warning: Failed to get information about the Pulumi program's dependencies

Additional context

No response

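Added example, not code from the issue or from pulumi-aws: a post-deploy drift check that compares what DescribeTlsInspectionConfiguration actually returns against the revocation settings the program declared, so a silently dropped checkCertificateRevocationStatus block is caught instead of leaving inspection running without revocation checks. Field names are assumed to follow the AWS Network Firewall API response shape, and the CA ARN in the sample is a placeholder.

```typescript
// Added example (not from the issue or pulumi-aws): drift check over a
// DescribeTlsInspectionConfiguration response. Field names are assumed to
// follow the AWS Network Firewall API; sample data below is constructed.
type RevocationAction = "PASS" | "DROP" | "REJECT";
interface RevocationStatus {
  RevokedStatusAction?: RevocationAction;
  UnknownStatusAction?: RevocationAction;
}
interface ServerCertificateConfiguration {
  CertificateAuthorityArn?: string;
  CheckCertificateRevocationStatus?: RevocationStatus;
}
interface DescribeResponse {
  TLSInspectionConfiguration?: {
    ServerCertificateConfigurations?: ServerCertificateConfiguration[];
  };
}

// Desired state, mirroring the checkCertificateRevocationStatus block in the issue.
const DESIRED: Required<RevocationStatus> = { RevokedStatusAction: "REJECT", UnknownStatusAction: "REJECT" };

// One finding per deviation; an empty array means the deployed configuration
// matches what the program declared.
function findRevocationDrift(resp: DescribeResponse): string[] {
  const findings: string[] = [];
  const configs: ServerCertificateConfiguration[] =
    resp.TLSInspectionConfiguration?.ServerCertificateConfigurations ?? [];
  if (configs.length === 0) findings.push("no server certificate configurations present");
  configs.forEach((cfg, i) => {
    const label = cfg.CertificateAuthorityArn ?? `config[${i}]`;
    const status = cfg.CheckCertificateRevocationStatus;
    if (!status) {
      // This is the failure mode reported in the issue: the block is absent entirely.
      findings.push(`${label}: revocation checking not configured`);
      return;
    }
    for (const key of ["RevokedStatusAction", "UnknownStatusAction"] as const) {
      if (status[key] !== DESIRED[key]) {
        findings.push(`${label}: ${key} is ${status[key] ?? "unset"}, expected ${DESIRED[key]}`);
      }
    }
  });
  return findings;
}

// Constructed sample of what the console showed: the block was silently dropped.
const SAMPLE_DRIFTED: DescribeResponse = {
  TLSInspectionConfiguration: {
    ServerCertificateConfigurations: [{ CertificateAuthorityArn: "arn:PLACEHOLDER:acm-ca" }],
  },
};
```

Run it against the live response (for example the JSON from the AWS CLI's describe-tls-inspection-configuration call) as a post-apply step, and fail the pipeline on any finding.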

t0yv0 commented 2 months ago

Thanks for letting us know @mhamill2 - for this particular use case, the bridged provider behavior closely tracks upstream behavior of the Terraform AWS provider. I've attempted to translate your program to TF and the behavior seems to hold there. I have filed this issue: https://github.com/hashicorp/terraform-provider-aws/issues/38690 in the hope of getting some help from upstream. If upstream releases a fix it will propagate to the Pulumi provider in subsequent releases.

t0yv0 commented 1 month ago

Awaiting v5.67.0 to close this, as the fix has been implemented upstream.