pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0
465 stars 157 forks

Can not change AWS WAF association once created #4782

Open cody2094 opened 1 week ago

cody2094 commented 1 week ago

Describe what happened

I have a WAF Web ACL and an association for that ACL that associates it with an application load balancer. The initial deploy of this worked great. However, once I changed the name of the association from webAclAssociation to opsWebAclAssociationLB, the delete and create options seem to step on each other's toes. It creates the new association correctly, as I can see it in the browser after the state of that action hits "created" in the pulumi up output, but once the deletion finishes it gets rid of the newly created association.

In the AWS UI, I noticed the following:

  1. Create two web acls -- we will call them ACL-A and ACL-B
  2. Associate an application load balancer to ACL-A. Confirm association is finished
  3. Now, navigate to ACL-B in the UI and associate the same load balancer to ACL-B. Confirm association is finished. This should finish without any errors.
  4. If you navigate back to ACL-A, the previous association will be gone.

I almost wonder if the same thing is happening with the pulumi create/delete steps here. The new resource association is created which AWS likely approves and auto deletes the previous association. Then, pulumi gets to the delete step on the old association resource, which actually deletes the newly created association?

I was able to solve the problem by commenting out the resource, deploying, and then redeploying after uncommenting again.

Sample program

  import * as aws from "@pulumi/aws";

  // `provider` (an aws.Provider) and `lb` (the application load balancer) are
  // defined earlier in the program and are not shown here.

  // Create a WAF Web ACL with best practice rules
  const webAcl = new aws.wafv2.WebAcl(
    "opsWebAcl",
    {
      ....
    },
    { provider },
  );

  // Associate the WAFv2 Web ACL with the Application Load Balancer
  new aws.wafv2.WebAclAssociation(
    "opsWebAclAssociationLB",
    {
      resourceArn: lb.loadBalancer.arn,
      webAclArn: webAcl.arn,
    },
    { provider },
  );

Log output

The following final log output appears in an order which would almost make you believe the delete happens first -- but the order of live output is definitely creation then deletion

     pulumi:pulumi:Stack                  ops-stack                                
 ~   ├─ aws:wafv2:WebAcl                  opsWebAcl                updated (9s)         [diff: ~rules,visibilityConfig]
 -   ├─ aws:wafv2:WebAclAssociation       opsWebAclAssociation     deleted (0.00s)      
 +   └─ aws:wafv2:WebAclAssociation       opsWebAclAssociationLB   created (0.00s)

Affected Resource(s)

No response

Output of pulumi about

@pulumi/aws NPM package is version 6.49.0. Will have to modify ci runner to output the full about if necessary.

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
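The ordering problem the report hypothesises can be reproduced without AWS. The model below is an added example, not code from the issue or from pulumi-aws: it encodes the behaviour observed in steps 1-4 (a load balancer carries at most one Web ACL association, and associating another ACL replaces the previous one) plus the fact that WAFv2 disassociation is keyed by the resource ARN alone, as in the DisassociateWebACL API, and then applies the rename's two operations in both possible orders. The ARNs and the `FakeWafv2` class are constructed for the example.

```typescript
// Constructed model of the WAFv2 association semantics described in the report.
type Arn = string;

class FakeWafv2 {
  // resourceArn -> webAclArn currently attached (one association per resource)
  private readonly associations = new Map<Arn, Arn>();

  associateWebAcl(resourceArn: Arn, webAclArn: Arn): void {
    // Associating a different ACL silently replaces the existing association.
    this.associations.set(resourceArn, webAclArn);
  }

  disassociateWebAcl(resourceArn: Arn): void {
    // No webAclArn argument: removes whatever ACL is attached right now.
    this.associations.delete(resourceArn);
  }

  webAclFor(resourceArn: Arn): Arn | undefined {
    return this.associations.get(resourceArn);
  }
}

// Sample ARNs (constructed; not taken from the report).
const LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/ops/abc123";
const ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/opsWebAcl/11111111";

// Renaming the Pulumi resource yields two operations on the same load balancer:
// create the new association and delete the old one. Apply them in the given
// order and report which ACL (if any) AWS ends up with on the load balancer.
function replaceAssociation(order: "create-then-delete" | "delete-then-create"): Arn | undefined {
  const aws = new FakeWafv2();
  aws.associateWebAcl(LB_ARN, ACL_ARN); // state after the initial deploy

  const createNew = () => aws.associateWebAcl(LB_ARN, ACL_ARN); // "opsWebAclAssociationLB"
  const deleteOld = () => aws.disassociateWebAcl(LB_ARN);       // "opsWebAclAssociation"

  if (order === "create-then-delete") {
    createNew();
    deleteOld(); // removes the association the create step just made
  } else {
    deleteOld();
    createNew();
  }
  return aws.webAclFor(LB_ARN);
}

console.log(replaceAssociation("create-then-delete")); // undefined: load balancer left without a Web ACL
console.log(replaceAssociation("delete-then-create")); // ACL_ARN
```

The create-then-delete path leaves the load balancer with no Web ACL at all, which is the security-relevant outcome to watch for after any rename of a WebAclAssociation. Renaming a Pulumi resource with its old name kept in the `aliases` resource option avoids the delete and create pair entirely; that is a property of Pulumi's resource options rather than something this thread states.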

corymhall commented 3 days ago

@cody2094 it looks like this is the same issue as #1923. The only available workarounds are also the same as in that issue:

The more permanent fix is being tracked in https://github.com/pulumi/pulumi/issues/15982

cody2094 commented 3 days ago

Awesome -- good to know that there is a workaround aside from deleting and redeploying manually. Thanks for the speedy response