WAFV2 WebACL detects change when there are none in v6 alpha.5 #2664

Closed
Tracked by #2539
sunilshahi opened this issue Aug 3, 2023 · 6 comments
Labels: 6.0, kind/bug (Some behavior is incorrect or out of spec), resolution/duplicate (This issue is a duplicate of another issue)


sunilshahi commented Aug 3, 2023

What happened?

I create a WAFv2 web ACL using the following C# code.

var webAcl = new Aws.WafV2.WebAcl("my-web-acl", new()
{
    Name = "my-web-acl",
    DefaultAction = new Aws.WafV2.Inputs.WebAclDefaultActionArgs
    {
        Block = new Aws.WafV2.Inputs.WebAclDefaultActionBlockArgs(),
    },
    Rules = new[]
    {
        new Aws.WafV2.Inputs.WebAclRuleArgs
        {
            Name = "US-access-only",
            Priority = 0,
            Statement = new Aws.WafV2.Inputs.WebAclRuleStatementArgs
            {
                GeoMatchStatement = new Aws.WafV2.Inputs.WebAclRuleStatementGeoMatchStatementArgs
                {
                    CountryCodes = new[]
                    {
                        "US",
                    },
                },
            },
            VisibilityConfig = new Aws.WafV2.Inputs.WebAclRuleVisibilityConfigArgs
            {
                CloudwatchMetricsEnabled = true,
                MetricName = "US-access-only",
                SampledRequestsEnabled = true,
            },
            Action = new Aws.WafV2.Inputs.WebAclRuleActionArgs
            {
                Allow = new Aws.WafV2.Inputs.WebAclRuleActionAllowArgs()
            }
        }
    },
    Scope = "REGIONAL",
    VisibilityConfig = new Aws.WafV2.Inputs.WebAclVisibilityConfigArgs
    {
        CloudwatchMetricsEnabled = true,
        MetricName = "my-web-acl",
        SampledRequestsEnabled = true,
    },
}, new CustomResourceOptions
{
    Protect = false,
}); 

When I run the pulumi up command for the first time, it creates the web ACL without any issue.

But then if I run the pulumi up command again without making changes to the code, it shows the following difference to update.

Previewing update (prod)

View in Browser (Ctrl+O): https://app.pulumi.com/........

     Type                 Name               Plan       Info
     pulumi:pulumi:Stack  my-stack
 ~   └─ aws:wafv2:WebAcl  my-web-acl         update     [diff: ~rules]

Resources:
    ~ 1 to update
    1 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:prod::my-stack::pulumi:pulumi:Stack::my-stack]
    ~ aws:wafv2/webAcl:WebAcl: (update)
        [id=19aa70cf-6e12-3334-815d-b3d702eca70a]
        [urn=urn:pulumi:prod::my-stack::aws:wafv2/webAcl:WebAcl::my-web-acl]
        [provider=urn:pulumi:prod::my-stack::pulumi:providers:aws::default_5_42_0::......]
      ~ rules: [
          ~ [0]: {
                  + name            : "US-access-only"
                  + priority        : 0
                  ~ statement       : {
                      ~ geoMatchStatement: {
                          ~ countryCodes: [
                              + [0]: "US"
                            ]
                        }
                    }
                  ~ visibilityConfig: {
                      + cloudwatchMetricsEnabled: true
                      + metricName              : "US-access-only"
                      + sampledRequestsEnabled  : true
                    }
                }
        ]

Expected Behavior

When running pulumi up without any code change, it should not show any updates/differences.

Steps to reproduce

See details above.

Output of pulumi about

'dotnet build -nologo .' completed successfully
CLI
Version 3.76.1
Go Version go1.20.6
Go Compiler gc

Plugins
NAME VERSION
aws 5.42.0
dotnet unknown

Host
OS Microsoft Windows 11 Pro
Version 10.0.22621 Build 22621
Arch x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='7.0.306'

Current Stack: xxx/xxx/prod

TYPE URN
pulumi:pulumi:Stack urn:pulumi:prod::xxx::pulumi:pulumi:Stack::xxx
pulumi:providers:aws urn:pulumi:prod::xxx::pulumi:providers:aws::default_5_42_0
aws:wafv2/webAcl:WebAcl urn:pulumi:prod::xxx::aws:wafv2/webAcl:WebAcl::my-web-acl

Found no pending operations associated with prod

Backend
Name pulumi.com
URL https://app.pulumi.com/xxx
User xxx
Organizations xxx

Dependencies:
NAME VERSION
Pulumi 3.55.1
Pulumi.Aws 5.42.0

Additional context

No response


@sunilshahi sunilshahi added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Aug 3, 2023
danielrbradley (Member) commented

Thanks for reporting this @sunilshahi

I can confirm that I can reproduce this issue - there's a persistent diff on every subsequent update. It's not yet clear where this is coming from. It could be a bug in the upstream implementation or possibly an issue with the diff'ing mechanism.

@danielrbradley danielrbradley added resolution/duplicate This issue is a duplicate of another issue and removed needs-triage Needs attention from the triage team labels Aug 4, 2023
danielrbradley (Member) commented

Actually, it looks like this is a duplicate of #1423 which has already been addressed and will be shipped in v6. There's currently an alpha version of v6 available if you want to confirm that this is now resolved.

Please do comment back if you can still reproduce this issue on v6. Thank you!

sunilshahi (Author) commented Aug 4, 2023

> Actually, it looks like this is a duplicate of #1423 which has already been addressed and will be shipped in v6. There's currently an alpha version of v6 available if you want to confirm that this is now resolved.
>
> Please do comment back if you can still reproduce this issue on v6. Thank you!

Thanks @danielrbradley for prompt reply.

I updated my Pulumi.Aws NuGet package to alpha:

<PackageReference Include="Pulumi.Aws" Version="6.0.0-alpha.5" />

I noticed that for AWS managed rules the issue seems to be resolved. However, the above code still shows a constant diff.

This is what the constant diff looks like now for the code above.
[image]

@danielrbradley danielrbradley reopened this Aug 4, 2023
@danielrbradley danielrbradley changed the title from "WAFV2 WebACL detects change when there are none." to "WAFV2 WebACL detects change when there are none in v6 alpha.6" Aug 4, 2023
@danielrbradley danielrbradley changed the title from "WAFV2 WebACL detects change when there are none in v6 alpha.6" to "WAFV2 WebACL detects change when there are none in v6 alpha.5" Aug 4, 2023
danielrbradley (Member) commented

Thanks for the re-test and confirmation. I've raised this internally for the team working on the release.

@t0yv0 t0yv0 added the 6.0 label Aug 4, 2023
t0yv0 (Member) commented Aug 4, 2023

I can reproduce the issue, lifted to unit test in pulumi/pulumi-terraform-bridge#1330, will continue investigating.

@t0yv0 t0yv0 self-assigned this Aug 4, 2023
@t0yv0 t0yv0 removed the resolution/duplicate This issue is a duplicate of another issue label Aug 4, 2023
@t0yv0 t0yv0 added this to the 0.92 milestone Aug 4, 2023
@mnlumi mnlumi mentioned this issue Aug 7, 2023
34 tasks
t0yv0 (Member) commented Aug 8, 2023

I'm going to merge this into #1423, which we've reopened, as a duplicate. The fix is not quite making it into the 6.0 release timeline, but we'll be targeting a patch release shortly after the initial 6.0 to fix it comprehensively.
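While the `~rules` diff keeps reappearing, whether the deployed ACL has actually drifted from the declared rule can be checked independently of the provider's diff. The following is an added example, not code from this issue or from Pulumi: it compares the rule declared in the report against a constructed response in the WAFv2 GetWebACL shape, and `flatten` and `rule_drift` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of a WAFv2 GetWebACL response (trimmed).
DEPLOYED = json.loads("""
{"WebACL": {"Name": "my-web-acl", "DefaultAction": {"Block": {}},
  "Rules": [{"Name": "US-access-only", "Priority": 0,
    "Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}},
    "Action": {"Allow": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true, "MetricName": "US-access-only"}}]}}
""")

# The rule declared by the program in the issue, written in the same API shape.
DECLARED = [{
    "Name": "US-access-only", "Priority": 0,
    "Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}},
    "Action": {"Allow": {}},
    "VisibilityConfig": {"CloudWatchMetricsEnabled": True,
                         "MetricName": "US-access-only",
                         "SampledRequestsEnabled": True},
}]

def flatten(value, path=""):
    """Map each leaf to its path; empty dicts such as Allow: {} count as leaves."""
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        value = sorted(value)  # string lists (country codes): order is not drift
    if isinstance(value, dict) and value:
        items = [(f"{path}.{k}" if path else k, v) for k, v in value.items()]
    elif isinstance(value, list) and value:
        items = [(f"{path}[{i}]", v) for i, v in enumerate(value)]
    else:
        return {path: value}
    out = {}
    for child_path, child in items:
        out.update(flatten(child, child_path))
    return out

def rule_drift(declared_rules, deployed_acl):
    """Return {rule name: {path: (declared, deployed)}} for real differences only."""
    live = {r["Name"]: r for r in deployed_acl["WebACL"]["Rules"]}
    declared_names = {r["Name"] for r in declared_rules}
    drift = {n: {"": (None, "undeclared rule")} for n in live if n not in declared_names}
    for rule in declared_rules:
        want = flatten(rule)
        have = flatten(live[rule["Name"]]) if rule["Name"] in live else {}
        delta = {p: (want.get(p), have.get(p))
                 for p in set(want) | set(have) if want.get(p) != have.get(p)}
        if delta:
            drift[rule["Name"]] = delta
    return drift
```

An empty result alongside a non-empty preview points at the diffing layer rather than at the ACL; a non-empty result is drift that the repeating diff would otherwise mask.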
