
wafv2 rules are modified on every up. #3880

Closed
gmarkowski opened this issue Apr 30, 2024 · 3 comments
Labels
bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed service/wafv2 Issues with aws.wafv2 resources

Comments

@gmarkowski

gmarkowski commented Apr 30, 2024

What happened?

I created a new wafv2.WebAcl. Everything gets built properly, but subsequent pulumi up commands output differences that are unexpected. I also see some changes doubled. See cloudwatchMetricsEnabled and metricName in the output below.

Example

import * as aws from "@pulumi/aws";

// allowedIpSet is an aws.wafv2.IpSet declared earlier in the program (not shown in this excerpt).
const mainAcl = new aws.wafv2.WebAcl("main-acl", {
    scope: "REGIONAL",
    defaultAction: {
        allow: {},
    },
    visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: "myWebAclMetrics",
        sampledRequestsEnabled: false,
    },
    captchaConfig: {
        immunityTimeProperty: {
            immunityTime: 1800
        }
    },
    tokenDomains: [],
    rules: [
        {
            action: {
                block: {},
            },
            name: "IPAllowRule",
            priority: 0,
            statement: {
                ipSetReferenceStatement: {
                    arn: allowedIpSet.arn,
                },
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: true,
                metricName: "IPAllowRule",
                sampledRequestsEnabled: true,
            },
        },
    ],
});

Output of pulumi about

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:poc::MY-COMPANY::pulumi:pulumi:Stack::MY-COMPANY-poc]
    ~ aws:wafv2/webAcl:WebAcl: (update)
        [id=ded6d29d-5318-4e98-aa14-740f31dbc4f4]
        [urn=urn:pulumi:poc::MY-COMPANY::aws:wafv2/webAcl:WebAcl::main-acl]
        [provider=urn:pulumi:poc::MY-COMPANY::pulumi:providers:aws::default_6_31_0::911e0d16-9224-481c-8e0c-62b88c6aa82b]
      ~ rules: [
          ~ [0]: {
                  ~ action          : {
                      + __defaults: []
                      ~ allow     : {
                          + __defaults: []
                        }
                    }
                  ~ name            : "IPAllowRule" => "IPAllowRule"
                  ~ priority        : 0 => 0
                  ~ statement       : {
                      + __defaults             : []
                      ~ ipSetReferenceStatement: {
                          + __defaults: []
                        }
                    }
                  ~ visibilityConfig: {
                      + __defaults              : []
                      ~ cloudwatchMetricsEnabled: true => true
                      ~ cloudwatchMetricsEnabled: true => true
                      ~ metricName              : "IPAllowRule" => "IPAllowRule"
                      ~ metricName              : "IPAllowRule" => "IPAllowRule"
                    }
                }
        ]

Additional context

CLI
Version      3.114.0
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.31.0
resource  aws-native  0.62.0
language  nodejs      unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/home/greg_ev/.nvm/versions/node/v20.2.0/bin/node' version='v20.2.0'

Dependencies:

NAME                VERSION
@pulumi/aws-native  0.62.0
@pulumi/aws         6.31.0
@pulumi/pulumi      3.103.1
@types/node         16.18.75
versions            12.0.1


Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@gmarkowski gmarkowski added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 30, 2024
@t0yv0 t0yv0 added service/wafv2 Issues with aws.wafv2 resources bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. and removed needs-triage Needs attention from the triage team labels Apr 30, 2024
@t0yv0
Member

t0yv0 commented Apr 30, 2024

Complete repro:

import * as aws from "@pulumi/aws";

const allowedIpSet = new aws.wafv2.IpSet("example", {
    name: "example",
    description: "Example IP set",
    scope: "REGIONAL",
    ipAddressVersion: "IPV4",
    addresses: [
        "1.2.3.4/32",
        "5.6.7.8/32",
    ],
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
});

const mainAcl = new aws.wafv2.WebAcl("main-acl", {
    scope: "REGIONAL",
    defaultAction: {
        allow: {},
    },
    visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: "myWebAclMetrics",
        sampledRequestsEnabled: false,
    },
    captchaConfig: {
        immunityTimeProperty: {
            immunityTime: 1800
        }
    },
    tokenDomains: [],
    rules: [
        {
            action: {
                block: {},
            },
            name: "IPAllowRule",
            priority: 0,
            statement: {
                ipSetReferenceStatement: {
                    arn: allowedIpSet.arn,
                },
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: true,
                metricName: "IPAllowRule",
                sampledRequestsEnabled: true,
            },
        },
    ]
});

t0yv0 added a commit to pulumi/pulumi-terraform-bridge that referenced this issue May 6, 2024
With AWS 3880 there is some evidence (derivation in
#1917) that
sometimes TF has entries in the InstanceDiff.Attributes while still
planning to take the resource to the end-state that is identical to the
original state. In these cases, TF does not display a diff but Pulumi
does.

The root cause here remains unfixed
(#1895) - Pulumi
bridge is editing terraform-plugin-sdk to expose the InstanceDiff
structure to connect it to the makeDetailedDiff machinery. Pulumi
should, like TF, stick to the gRPC protocol and rely only on the
PlannedState value.

We can incrementally approach the desired behavior with this change
though which detects PlannedState=PriorState case and suppresses any
diffs in this case.

Fixes:

- pulumi/pulumi-aws#3880
- pulumi/pulumi-aws#3306
- pulumi/pulumi-aws#3190
- pulumi/pulumi-aws#3454

---------

Co-authored-by: Venelin <[email protected]>
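Added example, not code from the issue thread or from pulumi-terraform-bridge: a small Go sketch of the "PlannedState equals PriorState, so suppress the diff" rule the commit message describes. It strips the provider-internal `__defaults` markers visible in the issue's output (the assumption here is that they carry no AWS-visible meaning), compares the two nested states, and reports only the paths that really differ. The `State` type, the `ruleState` builder, the ARN placeholder and the three sample states are constructed for this example to mirror the issue's `IPAllowRule`. The point for anyone operating WAF: a no-op plan must come back empty so that operators do not learn to approve every `pulumi up` blindly, while a genuine change to a rule's action still surfaces.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// State is a JSON-like nested resource state (maps, slices, scalars), the
// shape in which PriorState and PlannedState arrive over the provider protocol.
type State = map[string]any

// normalize returns a deep copy of v with provider-internal "__defaults"
// markers removed (the "+ __defaults: []" entries in the issue's output).
// Assumption for this example: those markers carry no AWS-visible meaning.
func normalize(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, val := range t {
			if k == "__defaults" {
				continue
			}
			out[k] = normalize(val)
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, val := range t {
			out[i] = normalize(val)
		}
		return out
	default:
		return v
	}
}

// ChangedPaths lists, sorted, every path at which the planned state differs
// from the prior state after normalization. An empty list is the
// PlannedState == PriorState case: the plan is a no-op.
func ChangedPaths(prior, planned State) []string {
	var paths []string
	walk("", normalize(prior), normalize(planned), &paths)
	sort.Strings(paths)
	return paths
}

// ShouldSuppressDiff reports whether attribute-level diff entries should be
// dropped because the planned end state is identical to the prior state.
func ShouldSuppressDiff(prior, planned State) bool {
	return len(ChangedPaths(prior, planned)) == 0
}

// walk recurses through maps and equal-length slices and records the path of
// every leaf (or structurally mismatched node) whose values differ.
func walk(path string, a, b any, out *[]string) {
	if am, ok := a.(map[string]any); ok {
		if bm, ok := b.(map[string]any); ok {
			seen := map[string]bool{}
			for k := range am {
				seen[k] = true
			}
			for k := range bm {
				seen[k] = true
			}
			for k := range seen {
				walk(joinKey(path, k), am[k], bm[k], out)
			}
			return
		}
	}
	if as, ok := a.([]any); ok {
		if bs, ok := b.([]any); ok && len(as) == len(bs) {
			for i := range as {
				walk(fmt.Sprintf("%s[%d]", path, i), as[i], bs[i], out)
			}
			return
		}
	}
	if !reflect.DeepEqual(a, b) {
		*out = append(*out, path)
	}
}

func joinKey(path, k string) string {
	if path == "" {
		return k
	}
	return path + "." + k
}

// ruleState builds a constructed state for the issue's "IPAllowRule", optionally
// with the bridge's "__defaults" markers and with the given action key.
// The ARN is a placeholder, not a real resource.
func ruleState(withDefaults bool, action string) State {
	def := func(m map[string]any) map[string]any {
		if withDefaults {
			m["__defaults"] = []any{}
		}
		return m
	}
	return State{"rules": []any{def(map[string]any{
		"name":     "IPAllowRule",
		"priority": float64(0),
		"action":   def(map[string]any{action: def(map[string]any{})}),
		"statement": def(map[string]any{
			"ipSetReferenceStatement": def(map[string]any{
				"arn": "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/example/PLACEHOLDER-ID",
			}),
		}),
		"visibilityConfig": def(map[string]any{
			"cloudwatchMetricsEnabled": true,
			"metricName":               "IPAllowRule",
			"sampledRequestsEnabled":   true,
		}),
	})}}
}

// PriorRuleState is the stored state, with "__defaults" markers present.
func PriorRuleState() State { return ruleState(true, "block") }

// PlannedRuleState is what re-running the unchanged program plans: same content, no markers.
func PlannedRuleState() State { return ruleState(false, "block") }

// TamperedRuleState flips the rule's action from block to allow, a change that must be reported.
func TamperedRuleState() State { return ruleState(false, "allow") }

func main() {
	fmt.Println("no-op plan suppressed:", ShouldSuppressDiff(PriorRuleState(), PlannedRuleState()))
	fmt.Println("real change reported at:", ChangedPaths(PriorRuleState(), TamperedRuleState()))
}
```

Run as written, the first line prints `true` and the second lists `rules[0].action.allow` and `rules[0].action.block`; the same approach, comparing end states rather than raw attribute-diff entries, is what keeps the doubled `cloudwatchMetricsEnabled`/`metricName` noise from the issue out of the plan without hiding a rule that actually changed.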
@t0yv0 t0yv0 mentioned this issue May 7, 2024
@blakeromano

We are also running into this issue so we are looking forward to a fix for this 😃

flostadler added a commit that referenced this issue May 15, 2024
WAFv2 RuleGroups used to have a perma diff for the rules property.
Enrolling the resource in PlanResourceChange fixes that.

Fixes #3306,
#3880,
#3190,
#3454
@flostadler
Contributor

This was fixed in #3948. It'll be released in release 6.36.0

@flostadler flostadler added the resolution/fixed This issue was fixed label May 15, 2024