
WAF rules show diff and update on every preview / up #2945

Closed
paul-hicks-mahana opened this issue Oct 31, 2023 · 2 comments
Labels: kind/bug (Some behavior is incorrect or out of spec), needs-triage (Needs attention from the triage team), resolution/duplicate (This issue is a duplicate of another issue)

Comments

@paul-hicks-mahana

What happened?

I have some unchanging WAF rules that show as changing every time my project is deployed. See the example section below for the details on one rule.
I note that the code defines an ordered array, in which rules go from priority 0 to priority 6. The inputs section of the exported stack agrees. However, the outputs section of the stack has the (correct) rules in order 2, 6, 1, 3, 4, 5, 0. If that was important I would expect to see more updates or replaces in the diff below; instead, it shows only adds.

Example

Just one of the rules:

    import * as aws from "@pulumi/aws";

    // One entry of the WebAcl's ordered `rules` array (priorities 0..6 in the
    // full program): the priority-0 reference to an AWS managed rule group.
    const ipReputationList: aws.types.input.wafv2.WebAclRule = {
      name: "AWS-AWSManagedRulesAmazonIpRepulationList",
      priority: 0,
      statement: {
        managedRuleGroupStatement: {
          name: "AWSManagedRulesAmazonIpReputationList",
          vendorName: "AWS",
        },
      },
      overrideAction: {
        none: {},
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: `AWS-AWSManagedRulesAmazonIpReputationList`,
        sampledRequestsEnabled: true,
      },
    };

Which produces this diff every time:

          ~ rules: [
              ~ [0]: {
                      + name            : "AWS-AWSManagedRulesAmazonIpRepulationList"
                      + priority        : 0
                      ~ statement       : {
                          ~ managedRuleGroupStatement: {
                              + name      : "AWSManagedRulesAmazonIpReputationList"
                              + vendorName: "AWS"
                            }
                        }
                      ~ visibilityConfig: {
                          + cloudwatchMetricsEnabled: true
                          + metricName              : "AWS-AWSManagedRulesAmazonIpReputationList"
                          + sampledRequestsEnabled  : true
                        }
                    }
 ...

Which shows correctly in the AWS WAF console:

{
  "Name": "AWS-AWSManagedRulesAmazonIpRepulationList",
  "Priority": 0,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesAmazonIpReputationList"
    }
  },
  "OverrideAction": {
    "None": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSManagedRulesAmazonIpReputationList"
  }
}

I've exported the state, here's that rule in the inputs section:

                        {
                            "__defaults": [],
                            "name": "AWS-AWSManagedRulesAmazonIpRepulationList",
                            "overrideAction": {
                                "__defaults": [],
                                "none": {
                                    "__defaults": []
                                }
                            },
                            "priority": 0,
                            "statement": {
                                "__defaults": [],
                                "managedRuleGroupStatement": {
                                    "__defaults": [],
                                    "name": "AWSManagedRulesAmazonIpReputationList",
                                    "vendorName": "AWS"
                                }
                            },
                            "visibilityConfig": {
                                "__defaults": [],
                                "cloudwatchMetricsEnabled": true,
                                "metricName": "AWS-AWSManagedRulesAmazonIpReputationList",
                                "sampledRequestsEnabled": true
                            }
                        },

And here it is in the outputs section:

                        {
                            "action": null,
                            "name": "AWS-AWSManagedRulesAmazonIpRepulationList",
                            "overrideAction": {
                                "count": null,
                                "none": null
                            },
                            "priority": 0,
                            "ruleLabels": [],
                            "statement": {
                                "andStatement": null,
                                "byteMatchStatement": null,
                                "geoMatchStatement": null,
                                "ipSetReferenceStatement": null,
                                "labelMatchStatement": null,
                                "managedRuleGroupStatement": {
                                    "excludedRules": [],
                                    "name": "AWSManagedRulesAmazonIpReputationList",
                                    "scopeDownStatement": null,
                                    "vendorName": "AWS"
                                },
                                "notStatement": null,
                                "orStatement": null,
                                "rateBasedStatement": null,
                                "regexPatternSetReferenceStatement": null,
                                "ruleGroupReferenceStatement": null,
                                "sizeConstraintStatement": null,
                                "sqliMatchStatement": null,
                                "xssMatchStatement": null
                            },
                            "visibilityConfig": {
                                "cloudwatchMetricsEnabled": true,
                                "metricName": "AWS-AWSManagedRulesAmazonIpReputationList",
                                "sampledRequestsEnabled": true
                            }
                        }
                    ],

Output of pulumi about

pulumi about doesn't show plugin versions (except for my default, unused plugins -- why are they even there?), and it does show strings I don't want posted here. Can you update either pulumi about to show only what's needed here, or change the tip on this section of the bug form?

I'm currently using Pulumi 3.86.0, pulumi-aws 4.38.1.

Additional context

No response

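The state excerpts above show why a perpetual diff can be hard to read: the provider writes `__defaults` markers into inputs, fills outputs with `null` and empty-array placeholders, and stores the rules in a different order from the program. The following is an added example, not code from the issue or from the pulumi-aws provider. It takes a `pulumi stack export` document and, for each WebAcl resource, compares the declared rules (inputs) against what the provider stored (outputs) after stripping that bookkeeping and sorting by priority, so that a rule that merely moved is separated from one whose content really drifted. The resource type string `aws:wafv2/webAcl:WebAcl`, the `deployment.resources[].inputs/outputs` layout and the sample export are assumptions built from the shape quoted in the issue.

```typescript
// Added example (not from the issue or pulumi-aws). Assumed: the WebAcl type
// token "aws:wafv2/webAcl:WebAcl" and the deployment.resources export layout.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };

interface Resource { type: string; urn: string; inputs?: JsonObject; outputs?: JsonObject; }
interface StackExport { deployment: { resources: Resource[] }; }
interface RuleReport {
  urn: string;
  inputOrder: number[];  // priorities in the order the program declared them
  outputOrder: number[]; // priorities in the order the provider stored them
  changed: string[];     // rule names whose normalised content differs
}

// Drop nulls, empty arrays/objects and `__defaults` markers recursively and
// sort keys so JSON.stringify gives a canonical form. Caveat: unit-typed
// fields such as overrideAction.none ({} in inputs, null in outputs) vanish
// on both sides and are therefore not compared.
function normalise(value: Json): Json | undefined {
  if (value === null) return undefined;
  if (Array.isArray(value)) {
    const items = value.map((v) => normalise(v)).filter((v): v is Json => v !== undefined);
    return items.length > 0 ? items : undefined;
  }
  if (typeof value === "object") {
    const out: JsonObject = {};
    for (const key of Object.keys(value).sort()) {
      if (key === "__defaults") continue;
      const v = normalise(value[key]);
      if (v !== undefined) out[key] = v;
    }
    return Object.keys(out).length > 0 ? out : undefined;
  }
  return value;
}

function rulesOf(section: JsonObject | undefined): JsonObject[] {
  const rules = section?.rules;
  return Array.isArray(rules) ? (rules as JsonObject[]) : [];
}

function priorityOf(rule: JsonObject): number {
  return typeof rule.priority === "number" ? rule.priority : -1;
}

function compareWebAclRules(stack: StackExport): RuleReport[] {
  const reports: RuleReport[] = [];
  for (const res of stack.deployment.resources) {
    if (res.type !== "aws:wafv2/webAcl:WebAcl") continue;
    const ins = rulesOf(res.inputs);
    const outs = rulesOf(res.outputs);
    const byPriority = (a: JsonObject, b: JsonObject) => priorityOf(a) - priorityOf(b);
    const sortedIns = [...ins].sort(byPriority);
    const sortedOuts = [...outs].sort(byPriority);
    const changed: string[] = [];
    for (let i = 0; i < Math.max(sortedIns.length, sortedOuts.length); i++) {
      const a = sortedIns[i];
      const b = sortedOuts[i];
      const ja = a === undefined ? "<missing>" : JSON.stringify(normalise(a));
      const jb = b === undefined ? "<missing>" : JSON.stringify(normalise(b));
      if (ja !== jb) changed.push(String((a ?? b)?.name));
    }
    reports.push({ urn: res.urn, inputOrder: ins.map(priorityOf), outputOrder: outs.map(priorityOf), changed });
  }
  return reports;
}

// Constructed sample in the shape of a stack export: three rules declared in
// priority order, stored out of order with the null/empty fields seen in the
// issue; only rule-1's metric name has really drifted.
function declaredRule(priority: number, metric: string): JsonObject {
  return {
    __defaults: [], name: `rule-${priority}`, priority,
    overrideAction: { __defaults: [], none: { __defaults: [] } },
    statement: { __defaults: [], managedRuleGroupStatement: { __defaults: [], name: `group-${priority}`, vendorName: "AWS" } },
    visibilityConfig: { cloudwatchMetricsEnabled: true, metricName: metric, sampledRequestsEnabled: true },
  };
}
function storedRule(priority: number, metric: string): JsonObject {
  return {
    action: null, name: `rule-${priority}`, priority, ruleLabels: [],
    overrideAction: { count: null, none: null },
    statement: { andStatement: null, managedRuleGroupStatement: { excludedRules: [], name: `group-${priority}`, scopeDownStatement: null, vendorName: "AWS" } },
    visibilityConfig: { cloudwatchMetricsEnabled: true, metricName: metric, sampledRequestsEnabled: true },
  };
}
const sampleExport: StackExport = {
  deployment: { resources: [{
    type: "aws:wafv2/webAcl:WebAcl",
    urn: "urn:pulumi:dev::example::aws:wafv2/webAcl:WebAcl::acl",
    inputs: { rules: [declaredRule(0, "m0"), declaredRule(1, "m1"), declaredRule(2, "m2")] },
    outputs: { rules: [storedRule(2, "m2"), storedRule(0, "m0"), storedRule(1, "m1-renamed")] },
  }] },
};

console.log(JSON.stringify(compareWebAclRules(sampleExport), null, 2));
```

Against a real stack, replace `sampleExport` with `JSON.parse` of the file written by `pulumi stack export > stack.json`. A report whose `changed` list is empty but whose `inputOrder` and `outputOrder` differ is the cosmetic case described in this issue; a name in `changed` is drift the provider would have to write back to AWS.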

@paul-hicks-mahana paul-hicks-mahana added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 31, 2023
@mikhailshilkov
Member

@paul-hicks-mahana This sounds like a duplicate of #1775 or #1423. You would need to upgrade to a modern version of the provider (6.x) to get those fixed. Is that an option for you?

@mikhailshilkov mikhailshilkov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Nov 1, 2023
@t0yv0 t0yv0 added the resolution/duplicate This issue is a duplicate of another issue label Dec 13, 2023
@t0yv0 t0yv0 closed this as completed Dec 13, 2023
@paul-hicks-mahana
Author

Hi Mikhail, yes probably. I'll let the team know. I don't think this project has been deployed in a few months, so we haven't come up against it lately.

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Feb 13, 2024