
Cannot change AWS WAF association once created #4782

Open
cody2094 opened this issue Nov 15, 2024 · 2 comments
Labels
awaiting/core Blocked on a missing bug or feature in pulumi/pulumi (except codegen) kind/bug Some behavior is incorrect or out of spec

Comments

@cody2094

Describe what happened

I have a WAF Web ACL and an association for that ACL that associates it with an application load balancer. The initial deploy of this worked great. However, once I changed the name of the association from webAclAssociation to opsWebAclAssociationLB, the delete and create options seem to step on each other's toes. It creates the new association correctly, as I can see it in the browser after the state of that action hits "created" in the pulumi up output, but once the deletion finishes it gets rid of the newly created association.

In the AWS UI, I noticed the following:

  1. Create two web ACLs -- we will call them ACL-A and ACL-B
  2. Associate an application load balancer to ACL-A. Confirm association is finished
  3. Now, navigate to ACL-B in the UI and associate the same load balancer to ACL-B. Confirm association is finished. This should finish without any errors.
  4. If you navigate back to ACL-A, the previous association will be gone.

I almost wonder if the same thing is happening with the pulumi create/delete steps here. The new resource association is created which AWS likely approves and auto deletes the previous association. Then, pulumi gets to the delete step on the old association resource, which actually deletes the newly created association?

I was able to solve the problem by commenting out the resource, deploying, and then redeploying after uncommenting again.

Sample program

  // Create a WAF Web ACL with best practice rules
  const webAcl = new aws.wafv2.WebAcl(
    "opsWebAcl",
    {
      ....
    },
    { provider },
  );

  // Associate the WAFv2 Web ACL with the Application Load Balancer
  new aws.wafv2.WebAclAssociation(
    "opsWebAclAssociationLB",
    {
      resourceArn: lb.loadBalancer.arn,
      webAclArn: webAcl.arn,
    },
    { provider },
  );

Log output

The following final log output appears in an order which would almost make you believe the delete happens first -- but the order of live output is definitely creation then deletion

     pulumi:pulumi:Stack                  ops-stack                                
 ~   ├─ aws:wafv2:WebAcl                  opsWebAcl                updated (9s)         [diff: ~rules,visibilityConfig]
 -   ├─ aws:wafv2:WebAclAssociation       opsWebAclAssociation     deleted (0.00s)      
 +   └─ aws:wafv2:WebAclAssociation       opsWebAclAssociationLB   created (0.00s)


Affected Resource(s)

No response

Output of pulumi about

@pulumi/aws NPM package is version 6.49.0. Will have to modify ci runner to output the full about if necessary.

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@cody2094 cody2094 added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 15, 2024
@corymhall
Contributor

@cody2094 it looks like this is the same issue as #1923. The only available workarounds are also the same as in that issue:

  • Use DeleteBeforeReplace
  • Use aliases

The more permanent fix is being tracked in pulumi/pulumi#15982

@corymhall corymhall added blocked The issue cannot be resolved without 3rd party action. awaiting/core Blocked on a missing bug or feature in pulumi/pulumi (except codegen) and removed needs-triage Needs attention from the triage team labels Nov 19, 2024
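The sequence reported above (create the renamed association, then delete the old one, and the load balancer ends up with no association) and the two workarounds named in the reply can be checked with a small model. The code below is an added example written for this thread; it is not code from the issue, from pulumi-aws, or from Pulumi's engine. It assumes two things taken from the discussion: AWS keeps at most one Web ACL association per protected resource, and removing an association is keyed by the protected resource only, so deleting the "old" association removes the one that was just created. The ARNs are constructed placeholders.

```typescript
// Added example (not code from the issue or from pulumi-aws): a small model of
// the replacement ordering problem described in this thread. It stands in for
// Pulumi's engine and the AWS WAFv2 API with two assumptions taken from the
// discussion above:
//   1. AWS holds at most one Web ACL association per protected resource, and
//      associating a resource with an ACL replaces whatever was there before.
//   2. Disassociation is keyed by the protected resource only, so deleting the
//      "old" association removes the one that was just created.
// Pulumi's default replacement order is create-then-delete; the
// `deleteBeforeReplace` resource option flips it, and an alias avoids the
// replacement entirely by telling Pulumi the renamed resource is the same one.

type Arn = string;

/** Stand-in for the AWS-side association table: protected resource -> Web ACL. */
class WafAssociationTable {
  private byResource = new Map<Arn, Arn>();

  /** Like AssociateWebACL: overwrites any existing association for the resource. */
  associate(resourceArn: Arn, webAclArn: Arn): void {
    this.byResource.set(resourceArn, webAclArn);
  }

  /** Like DisassociateWebACL: removes the current association for the resource,
   *  whichever Pulumi resource originally created it. */
  disassociate(resourceArn: Arn): void {
    this.byResource.delete(resourceArn);
  }

  current(resourceArn: Arn): Arn | undefined {
    return this.byResource.get(resourceArn);
  }
}

interface AssociationResource {
  name: string;       // Pulumi logical name
  resourceArn: Arn;   // the load balancer being protected
  webAclArn: Arn;     // the Web ACL protecting it
}

type ReplaceStrategy = "createBeforeDelete" | "deleteBeforeReplace" | "alias";

/** Applies the rename of `oldRes` to `newRes` using the given strategy and
 *  returns the ACL that is actually attached to the load balancer afterwards. */
function applyRename(
  aws: WafAssociationTable,
  oldRes: AssociationResource,
  newRes: AssociationResource,
  strategy: ReplaceStrategy,
): Arn | undefined {
  switch (strategy) {
    case "createBeforeDelete":
      // Pulumi's default: the "+ created" step runs before the "- deleted" step.
      aws.associate(newRes.resourceArn, newRes.webAclArn);
      aws.disassociate(oldRes.resourceArn);
      break;
    case "deleteBeforeReplace":
      // `deleteBeforeReplace: true` on the resource: the old association goes first.
      aws.disassociate(oldRes.resourceArn);
      aws.associate(newRes.resourceArn, newRes.webAclArn);
      break;
    case "alias":
      // `aliases: [{ name: oldRes.name }]`: Pulumi treats the rename as the same
      // resource, so no cloud API call is made at all.
      break;
  }
  return aws.current(newRes.resourceArn);
}

// Constructed sample ARNs (placeholders, not real account resources).
const LB_ARN: Arn = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/ops-lb/0123456789abcdef";
const ACL_ARN: Arn = "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/opsWebAcl/00000000-0000-0000-0000-000000000000";

/** Reproduces the scenario in the issue: deploy once, then rename the association. */
function simulateRename(strategy: ReplaceStrategy): Arn | undefined {
  const aws = new WafAssociationTable();
  const oldRes: AssociationResource = { name: "webAclAssociation", resourceArn: LB_ARN, webAclArn: ACL_ARN };
  const newRes: AssociationResource = { name: "opsWebAclAssociationLB", resourceArn: LB_ARN, webAclArn: ACL_ARN };
  aws.associate(oldRes.resourceArn, oldRes.webAclArn); // initial `pulumi up`
  return applyRename(aws, oldRes, newRes, strategy);
}

for (const strategy of ["createBeforeDelete", "deleteBeforeReplace", "alias"] as const) {
  const attached = simulateRename(strategy);
  console.log(`${strategy.padEnd(20)} -> load balancer ACL after rename: ${attached ?? "NONE (unprotected)"}`);
}
```

In the actual Pulumi program this corresponds to passing `{ provider, deleteBeforeReplace: true }` or `{ provider, aliases: [{ name: "webAclAssociation" }] }` as the options argument of `aws.wafv2.WebAclAssociation`. Whichever workaround is used, the check worth running after any replacement is `aws wafv2 get-web-acl-for-resource --resource-arn <lb-arn>`: with the default ordering the failure mode is not an error in `pulumi up` but a load balancer silently left with no Web ACL attached.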
@cody2094
Author

Awesome -- good to know that there is a workaround aside from deleting and redeploying manually. Thanks for the speedy response.

@t0yv0 t0yv0 removed the blocked The issue cannot be resolved without 3rd party action. label Dec 27, 2024