pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

Importing a gcp.compute.Firewall resource that has logging disabled is broken #921

Closed aryehb closed 3 weeks ago

aryehb commented 2 years ago

What happened?

Importing a gcp.compute.Firewall resource that has logging disabled does not complete successfully, and the generated code is invalid.

Steps to reproduce

Import a gcp.compute.Firewall resource that has logging disabled.

Expected Behavior

I expected the resource to be imported correctly, and the generated code to be valid.

Actual Behavior

I received the following error when running the import:

    warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `gcp` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: gcp:compute/firewall:Firewall resource 'FIREWALL-RESOURCE-NAME' has a problem: expected log_config.0.metadata to be one of [EXCLUDE_ALL_METADATA INCLUDE_ALL_METADATA], got . Examine values at 'Firewall.LogConfig.Metadata'.

I received the following error when running pulumi preview:

    error: gcp:compute/firewall:Firewall resource 'FIREWALL-RESOURCE-NAME' has a problem: expected log_config.0.metadata to be one of [EXCLUDE_ALL_METADATA INCLUDE_ALL_METADATA], got . Examine values at 'Firewall.LogConfig.Metadata'.

Output of pulumi about

    CLI
    Version      3.41.1
    Go Version   go1.19.1
    Go Compiler  gc

    Plugins
    NAME    VERSION
    gcp     6.39.0
    nodejs  unknown

    Host
    OS       ubuntu
    Version  20.04
    Arch     x86_64

    Dependencies:
    NAME            VERSION
    @pulumi/gcp     6.39.0
    @pulumi/pulumi  3.40.2
    @types/node     18.7.23

Additional context

The GCP API returns the following schema for the log_config property of a compute#firewall resource (using TypeScript notation to demonstrate):

    {
      enable: boolean;
      metadata?: 'EXCLUDE_ALL_METADATA' | 'INCLUDE_ALL_METADATA';
    }

metadata is undefined if enable is false.

The Pulumi GCP schema for FirewallLogConfig is the following (it's included in sdk/nodejs/types/input.ts, but I can't link directly to the lines because the file is too big):

    {
      metadata: pulumi.Input<string>;
    }

This means 2 things:

The correct schema for FirewallLogConfig should be:

    {
      enabled: pulumi.Input<boolean>;
      metadata?: pulumi.Input<string>;
    }

In addition, whatever mechanism is used to parse the GCP API response needs to be changed to parse the enabled property, and the generated code should output the logConfig property regardless.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
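The schema mismatch described under "Additional context" in the issue above, as an added TypeScript example that is not part of the original issue or of the pulumi-gcp code base. The function names, the model of the validation step, and the choice to omit logConfig when logging is disabled are assumptions made for illustration.

```typescript
// Added example: self-contained model of the two shapes quoted in the issue.
// All function names are hypothetical; nothing here is pulumi-gcp code.

type Metadata = 'EXCLUDE_ALL_METADATA' | 'INCLUDE_ALL_METADATA';

// Shape the GCP API returns, as described in the issue.
interface ApiLogConfig {
  enable: boolean;
  metadata?: Metadata; // undefined when enable is false
}

// FirewallLogConfig as quoted from @pulumi/gcp 6.39.0
// (plain string here instead of pulumi.Input<string>).
interface ProviderLogConfig {
  metadata: string;
}

const ALLOWED: string[] = ['EXCLUDE_ALL_METADATA', 'INCLUDE_ALL_METADATA'];

// Assumed model of the check behind the reported error message.
function validateLogConfig(cfg: ProviderLogConfig): string | undefined {
  if (ALLOWED.indexOf(cfg.metadata) !== -1) return undefined;
  return 'expected log_config.0.metadata to be one of [' +
    ALLOWED.join(' ') + '], got ' + cfg.metadata;
}

// Assumed model of the failing path: the disabled case reaches validation
// with an empty metadata string, matching the "got ." in the error.
function naiveImport(api: ApiLogConfig): ProviderLogConfig {
  return { metadata: api.metadata === undefined ? '' : api.metadata };
}

// Assumed workaround: emit no logConfig at all when logging is disabled,
// and fail loudly on an enabled config that lacks metadata.
function safeImport(api?: ApiLogConfig): ProviderLogConfig | undefined {
  if (!api || !api.enable) return undefined;
  if (api.metadata === undefined) {
    throw new Error('logging is enabled but metadata is missing');
  }
  return { metadata: api.metadata };
}

// Constructed sample API responses, not captured from a real project.
const disabledSample: ApiLogConfig = { enable: false };
const enabledSample: ApiLogConfig = { enable: true, metadata: 'INCLUDE_ALL_METADATA' };
```
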

mjeffryes commented 1 month ago

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still encountering this problem, could you leave a quick comment to let us know so we can prioritize it?