Hi all. I'm new to Pulumi. I'm creating a Web Application Firewall using Python. When I create a WebAcl and want to use default_action=aws.wafv2.WebAclDefaultActionArgs, the intellisense tells me that there is no such thing. What I'm missing? Thank you! I'm referring to the KB doc below. https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/

Can you show the complete code, preferably as text so that it can be copied and pasted? In your screenshot, even the specific line you ask about is cut off.

Kilian, thanks for your reply. I'm sorry for delayed answer - the notifications on my Slack were turned off. The snippet below creates an ACL. I got help from Pulumi AI for some parts. --------------- import pulumi import pulumi_aws as aws from pulumi import ResourceOptions # Fetch the existing API Gateway api_gateway = aws.apigatewayv2.get_api(api_gateway_name) # Create IP Set 1 ip_set_1 = aws.wafv2.IpSet( "ipset1", name="ipset_1", description="IP set containing 10.9.8.77/32", ip_address_version="IPV4", scope="REGIONAL", # Use "CLOUDFRONT" for global addresses=["10.9.8.77/32"], ) # Create IP Set 2 ip_set_2 = aws.wafv2.IpSet( "ipset2", name="ipset_2", description="IP set containing 5.6.7.8/24", ip_address_version="IPV4", scope="REGIONAL", addresses=["5.6.7.8/24"], ) # Create the Web ACL web_acl = aws.wafv2.WebAcl("waf-dev", name="waf-dev", description="Web ACL for API Gateway", scope="REGIONAL", default_action=aws.wafv2.WebAclDefaultActionArgs( allow={}, ), visibility_config=aws.wafv2.WebAclVisibilityConfigArgs( cloudwatch_metrics_enabled=True, metric_name="WAFv2Metric", sampled_requests_enabled=True, ), rules=[ # User-Defined Rule 1: AllowIP aws.wafv2.WebAclRuleArgs( name="AllowIP", priority=0, action=aws.wafv2.WebAclRuleActionArgs( allow={} ), statement=aws.wafv2.WebAclRuleStatementArgs( ip_set_reference_statement=aws.wafv2.WebAclRuleStatementIpSetReferenceStatementArgs( arn=ip_set_1.arn ) ), visibility_config=aws.wafv2.WebAclRuleVisibilityConfigArgs( cloudwatch_metrics_enabled=True, metric_name="AllowIPMetric", sampled_requests_enabled=True, ), ), # User-Defined Rule 2: BlockIP aws.wafv2.WebAclRuleArgs( name="BlockIP", priority=1, action=aws.wafv2.WebAclRuleActionArgs( block={} ), statement=aws.wafv2.WebAclRuleStatementArgs( ip_set_reference_statement=aws.wafv2.WebAclRuleStatementIpSetReferenceStatementArgs( arn=ip_set_2.arn ) ), visibility_config=aws.wafv2.WebAclRuleVisibilityConfigArgs( cloudwatch_metrics_enabled=True, metric_name="BlockIPSet2Metric", sampled_requests_enabled=True, ), ), # AWS Managed Rules - Amazon IP Reputation List aws.wafv2.WebAclRuleArgs( name="AWSManagedRulesAmazonIpReputationList", priority=2, override_action=aws.wafv2.WebAclRuleOverrideActionArgs( none={} ), statement=aws.wafv2.WebAclRuleStatementArgs( managed_rule_group_statement=aws.wafv2.WebAclRuleStatementManagedRuleGroupStatementArgs( name="AWSManagedRulesAmazonIpReputationList", vendor_name="AWS", ) ), visibility_config=aws.wafv2.WebAclRuleVisibilityConfigArgs( cloudwatch_metrics_enabled=True, metric_name="AmazonIpReputationListMetric", sampled_requests_enabled=True, ), ), ] # Enable CloudWatch Logs visibility_config=aws.wafv2.WebAclVisibilityConfigArgs( cloudwatch_metrics_enabled=True, metric_name="WebACLMetric", sampled_requests_enabled=True, ), Logging Configuration logging_configuration=aws.wafv2.WebAclLoggingConfigurationArgs( log_destination_configs=[ "arnawslogsus east 1123456789012log group/aws/wafv2/webacl" ], resource_arn="", # wait for Web ACL creation ), ) # Update Logging Configuration with Web ACL ARN web_acl_logging = aws.wafv2.WebAclLoggingConfiguration( "webAclLogging", resource_arn=web_acl.arn, log_destination_configs=[ "arnawslogsus east 1123456789012log group/aws/wafv2/webacl" ], web_acl_id=web_acl.id, opts=ResourceOptions(depends_on=[web_acl]), ) # Associate Web ACL with API Gateway web_acl_association = aws.wafv2.WebAclAssociation( "webAclAssociation", resource_arn=api_gateway.arn, web_acl_arn=web_acl.arn, ) # Export the Web ACL ARN pulumi.export("web_acl_arn", web_acl.arn)

Is the problem that this doesn't work, or "just" that Intellisense is complaining?

The code eventually works. My frustration is that I cannot find anything about "aws.wafv2.WebAclDefaultActionArgs" in Pulumi KB. I do find "WebAclDefaultAction". I want to understand how to use it. Thanks

Here are the docs: https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/#webacldefaultaction

Thanks for taking the time to find the link. 👍

You might also find it useful to look at the docs for the Terraform provider that

pulumi-aws

uses as well: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#default_action-block

Very much appreciated. I've no Terraform experience, this will help in understanding how things work in Terraform as well. Cheers!

You don't need Terraform experience, you'll be able to match the names of the arguments. I think the "See

allow

below for details." note doesn't make a lot of sense in the context of the Pulumi docs. (You'll notice that the Pulumi docs are generated from the Terraform docs.)

Ah....that makes a lot of sense now. I was frustrated by that note. 🙂 Thanks for the explanation!

Happy to help 🙂 In general, when you're using a Pulumi provider that wraps a Terraform provider under the hood, it's often helpful to look at the Terraform docs as well, they might contain additional notes or examples. There's also a lot more Terraform than Pulumi code out there, in case you're looking for examples or need an alternative to Pulumi AI to generate code for you.

Good point - I will adjust my learning methods.