WafV2 issues 3.2.0 #1098

Closed
slikk66 opened this issue Aug 28, 2020 · 4 comments
Labels: impact/usability, kind/bug, resolution/no-repro


slikk66 commented Aug 28, 2020

Working with wafV2 today, I've hit several issues. Here are some of them:

  • trying to deploy the example code in the git repo
    was getting duplicate URN in use, even when I called it: example-jadsfu3fkasdfdfkjajafkasjhf

  • mixups of resources in backend
    when refreshing stack it was thinking things that weren't there were not, and vice versa, errors creating and deleting items

  • "multiple values" not allowed for RULES and STATEMENTS

  • attempting to replace an existing wafV2 even though nothing has changed

  • attempting to associate WAF to CLOUDFRONT failing due to invalid ARN (might be missing the double colons in the ARN)

in general, there seem to be some issues with the resource tracking on the backend

sorry can't be more clear, my scrollback lines capped out very low for some reason so I couldn't get better examples, I figure there's probably some common reason why all of these are occurring so wanted to give some light on the issues I've been having trying to implement it.


slikk66 commented Aug 28, 2020

current issue, running this code:

    import * as aws from "@pulumi/aws";

    // distro_name is defined elsewhere in the program (not shown in the issue).
    var web_acl_flood_name = `${distro_name}-http-flood`;
    var web_acl = new aws.wafv2.WebAcl(distro_name, {
        name: distro_name,
        defaultAction: {
            allow: {},
        },
        rules: [{
            action: {
                block: {},
            },
            name: web_acl_flood_name,
            priority: 1,
            statement: {
                rateBasedStatement: {
                    aggregateKeyType: "IP",
                    limit: 200,
                    scopeDownStatement: {}
                },
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: true,
                metricName: web_acl_flood_name,
                sampledRequestsEnabled: true,
            },
        }],
        scope: "CLOUDFRONT",
        visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: distro_name,
            sampledRequestsEnabled: true,
        },
    });

I get:

    error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement
    {
      RespMetadata: {
        StatusCode: 400,
        RequestID: "31f2d618-99bc-4ad4-8857-0b4535b812a3"
      },
      Field: "STATEMENT",
      Message_: "Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement",
      Parameter: "Statement",
      Reason: "Your statement has multiple values set for a field that requires exactly one value."
    }
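
The error above says a statement field requires exactly one value. As an added example (not part of the original comment or of Pulumi's code), the check below walks a `rules` array before deployment and reports every statement object, nested ones included, that does not set exactly one statement type. `lintRules`, `lintStatement` and the sample rule are hypothetical, and the exactly-one requirement is assumed from the error text.

```javascript
// Added example: pre-deployment lint for WAFv2 rule statements.
// Assumption: every statement object must set exactly one statement type,
// as the WAFInvalidParameterException text says. Helper names are hypothetical.

// Keys whose value is one nested statement, or a list of nested statements.
const NESTED_ONE = ["scopeDownStatement", "statement"];
const NESTED_MANY = ["statements"];

function lintStatement(stmt, path, findings) {
  const types = Object.keys(stmt || {}).filter((k) => stmt[k] !== undefined);
  if (types.length !== 1) {
    findings.push(`${path}: ${types.length} statement types set, expected exactly 1`);
    return findings;
  }
  const type = types[0];
  const body = stmt[type] || {};
  for (const key of NESTED_ONE) {
    if (body[key] !== undefined) {
      lintStatement(body[key], `${path}.${type}.${key}`, findings);
    }
  }
  for (const key of NESTED_MANY) {
    (body[key] || []).forEach((s, i) =>
      lintStatement(s, `${path}.${type}.${key}[${i}]`, findings));
  }
  return findings;
}

// Returns one message per statement object that breaks the exactly-one rule.
function lintRules(rules) {
  const findings = [];
  rules.forEach((rule, i) =>
    lintStatement(rule.statement, `rules[${i}].statement`, findings));
  return findings;
}

// Constructed sample: the rule shape from the issue, with a placeholder name.
const sampleRules = [{
  name: "example-http-flood",
  priority: 1,
  action: { block: {} },
  statement: {
    rateBasedStatement: { aggregateKeyType: "IP", limit: 200, scopeDownStatement: {} },
  },
}];

console.log(lintRules(sampleRules));
```
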


slikk66 commented Aug 28, 2020

this was after I had done a refresh. this did need to be deleted: mycompany-distro-api-stage-http-flood, but I was getting "replace" on a resource that didn't exist mycompany-distro-api-stage which then failed when trying to replace it, because it didn't exist.. not sure why the refresh wasn't catching that it was gone.

Previewing update (mycompany-cloudfront.us-east-1.dev):
     Type                 Name                                                     Plan        Info
     pulumi:pulumi:Stack  mycompany-cloudfront-mycompany-cloudfront.us-east-1.dev
 +-  ├─ aws:wafv2:WebAcl  mycompany-distro-api-dev                                 replace     [diff: ~rules]
 +-  ├─ aws:wafv2:WebAcl  mycompany-distro-api-stage                               replace     [diff: ~rules]
 -   ├─ aws:wafv2:WebAcl  mycompany-distro-api-stage-http-flood                    delete
 -   └─ aws:wafv2:WebAcl  mycompany-distro-api-dev-http-flood                      delete

Resources:
    - 2 to delete
    +-2 to replace
    4 changes. 6 unchanged

Updating (mycompany-cloudfront.us-east-1.dev):
     Type                 Name                                                     Status                   Info
     pulumi:pulumi:Stack  mycompany-cloudfront-mycompany-cloudfront.us-east-1.dev  **failed**               1 error
 +-  ├─ aws:wafv2:WebAcl  mycompany-distro-api-dev                                 **replacing failed**     1 error
 +-  └─ aws:wafv2:WebAcl  mycompany-distro-api-stage                               **replacing failed**     1 error

Diagnostics:
  aws:wafv2:WebAcl (mycompany-distro-api-stage):
    error: deleting urn:pulumi:mycompany-cloudfront.us-east-1.dev::mycompany-cloudfront::aws:wafv2/webAcl:WebAcl::mycompany-distro-api-stage: Error deleting WAFv2 WebACL: WAFNonexistentItemException: AWS WAF couldn’t perform the operation because your resource doesn’t exist.

  pulumi:pulumi:Stack (mycompany-cloudfront-mycompany-cloudfront.us-east-1.dev):
    error: update failed

  aws:wafv2:WebAcl (mycompany-distro-api-dev):
    error: deleting urn:pulumi:mycompany-cloudfront.us-east-1.dev::mycompany-cloudfront::aws:wafv2/webAcl:WebAcl::mycompany-distro-api-dev: Error deleting WAFv2 WebACL: WAFNonexistentItemException: AWS WAF couldn’t perform the operation because your resource doesn’t exist.


slikk66 commented Aug 28, 2020

Also, earlier attempted replacements on rules that hadn't been changed, diff shows identical:

    ++aws:wafv2/webAcl:WebAcl: (create-replacement)
        [id=f6341589-01f2-42ee-8a8f-e645a6d8dcbc]
        [urn=urn:pulumi:mycompany-cloudfront.us-east-1.dev::mycompany-cloudfront::aws:wafv2/webAcl:WebAcl::mycompany-distro-api-stage]
        [provider=urn:pulumi:mycompany-cloudfront.us-east-1.dev::mycompany-cloudfront::pulumi:providers:aws::default_3_2_0::c7c4fa01-32bd-4cb0-938d-a7e3ce3fe9e7]
      ~ rules: [
          ~ [0]: {
                  ~ name            : "mycompany-distro-api-stage-http-flood" => "mycompany-distro-api-stage-http-flood"
                  ~ priority        : 1 => 1
                  ~ statement       : {
                      ~ rateBasedStatement: {
                          ~ aggregateKeyType: "IP" => "IP"
                          ~ limit           : 200 => 200
                        }
                    }
                  ~ visibilityConfig: {
                      ~ cloudwatchMetricsEnabled: true => true
                      ~ metricName              : "mycompany-distro-api-stage-http-flood" => "mycompany-distro-api-stage-http-flood"
                      ~ sampledRequestsEnabled  : true => true
                    }
                }
        ]

@jkodroff
Member

@slikk66 First, let me express that I'm bummed you are (or were) having a difficult time working with this resource in Pulumi. I'm going to close this issue as "not reproducible" because you've outlined multiple problems in a single issue and this issue is approaching 2 years old.

#1423 is now a known issue (and we're actively working on it). If any of the other issues you've outlined here are still problems for you, please open a new issue with minimal steps to reproduce and we'll take a look. Thanks!

jkodroff self-assigned this Jul 26, 2022
jkodroff added the resolution/no-repro, kind/bug and impact/usability labels Jul 26, 2022