# aws
s
Hi all, I'm loving Pulumi so far but I have run into a stumbling block when trying to deploy an AWS Classic wafv2 acl using Python. Specifically, I'm trying to deploy the AWS Managed Rule group called `AWSManagedRulesCommonRuleSet` but with one rule overridden to Allow: `SizeRestrictions_BODY`
When I dig into the AWS Classic module it gets quite confusing. In Terraform you have a `rule_action_override` option but I cannot see how to use that in the Pulumi package. I can override a whole rule group using WebAclRuleOverrideActionArgs but I can't work out how to override just one rule in the rule group. The JSON export of the webacl rules should look like this manually created one when deployed:
```json
{
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 3,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet",
          "RuleActionOverrides": [
            {
              "Name": "SizeRestrictions_BODY",
              "ActionToUse": {
                "Allow": {}
              }
            }
          ]
        }
      },
      "OverrideAction": {
        "None": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
      }
    }
  ]
}
```
How are you all deploying WAFv2? Am I missing a trick? Thanks for any help!
c
you could try to import it to see what the generated code looks like.
s
okay, thanks, I'll see if I can do that. I wasn't aware that an import would generate the pulumi code
c
I've only been using Pulumi for a few weeks but usually I will search their blog as sometimes there are buried articles that are great, run an import to see the generated code, and look at the source code which has helpful comments.
s
Yeah, I was under the impression that an import just imported the resource into the stack. I wasn't aware that it would spit out the code too, very handy! Thanks very much, it worked and there was no way I would have worked out the code on my own 😄
I deleted my previous findings on this because the import seemed to work and would deploy over the existing resource but the import was not translating everything to code. It seemed to be missing the default rule actions so if you copied the code to deploy a similar resource, it would fail. I eventually got it to work using aws-native package instead using
```shell
pulumi import aws-native:wafv2:WebACL imported-sandbox3-wafv2 "sandbox3-test-native|f57sds2b-9770-493d-9d23-dcd76werf08f1|REGIONAL"
```
This correctly imported and translated it (I added a default block action and a count to one rule just to test):
```python
import pulumi_aws_native as aws_native

# env_name is defined earlier in the program (e.g. from stack config)

kv_web_acl = aws_native.wafv2.WebACL(env_name + "-waf-alb",
    # Default action for requests that match no rule: block
    default_action=aws_native.wafv2.WebACLDefaultActionArgs(
        block=aws_native.wafv2.WebACLBlockActionArgs(),
    ),
    description="waf for alb deployed via pulumi",
    name=f"{env_name}-waf-alb",
    rules=[aws_native.wafv2.WebACLRuleArgs(
        name="AWS-AWSManagedRulesCommonRuleSet",
        # "none" keeps the managed group's own rule actions (no group-wide override)
        override_action=aws_native.wafv2.WebACLOverrideActionArgs(
            none={},
        ),
        priority=0,
        rule_labels=[],
        statement=aws_native.wafv2.WebACLStatementArgs(
            managed_rule_group_statement=aws_native.wafv2.WebACLManagedRuleGroupStatementArgs(
                excluded_rules=[],
                managed_rule_group_configs=[],
                name="AWSManagedRulesCommonRuleSet",
                # Per-rule override inside the managed group: here SizeRestrictions_BODY is set to Count
                rule_action_overrides=[aws_native.wafv2.WebACLRuleActionOverrideArgs(
                    action_to_use=aws_native.wafv2.WebACLRuleActionArgs(
                        count=aws_native.wafv2.WebACLCountActionArgs(),
                    ),
                    name="SizeRestrictions_BODY",
                )],
                vendor_name="AWS",
            ),
        ),
        visibility_config=aws_native.wafv2.WebACLVisibilityConfigArgs(
            cloud_watch_metrics_enabled=True,
            metric_name="AWS-AWSManagedRulesCommonRuleSet",
            sampled_requests_enabled=True,
        ),
    )],
    scope=aws_native.wafv2.WebACLScope.REGIONAL,
    visibility_config=aws_native.wafv2.WebACLVisibilityConfigArgs(
        cloud_watch_metrics_enabled=True,
        metric_name=f"{env_name}-waf-alb",
        sampled_requests_enabled=True,
    )
)
```
Because the web acl association to an alb takes longer than 5 minutes, I had to tweak the timeout to 15 mins. I used AWS Classic for this but I'm sure it would work with aws-native too:
```python
import pulumi
from pulumi_aws import wafv2  # AWS Classic provider

# Association with the ALB can exceed the default create timeout, so it is raised to 15 minutes
web_acl_assoc = wafv2.WebAclAssociation(
    env_name + "-web-acl-alb-assoc",
    resource_arn="<alb-arn>",  # placeholder: ARN of the target ALB
    web_acl_arn=kv_web_acl.arn,
    opts=pulumi.ResourceOptions(custom_timeouts=pulumi.CustomTimeouts(create='15m'))
)
```