WAFV2 with Go doesn't seem to import resources correctly

[alexandr-x-ursul]

What happened?

My goal was to import and codify an AWS WAF resource. After the resource was successfully imported and failed to generate code as mentioned in pulumi/pulumi#11552, I generated code with AWS Classic provider and manually converted it into AWS Native. After running pulumi up I noticed a number of changes, which didn't make a lot of sense. Consulting the actual imported state with pulumi stack export compared with JSON representation of the WAF configuration (downloaded fron AWS console) I noticed some properties were not present in the actual WAF JSON, but were present in the imported state, those were reported as changes which will result in removal.

Steps to reproduce

pulumi import aws-native:wafv2:WebACL main-web-acl-prod 'xxx|xxx|REGIONAL' --parent main='urn:xxx...'
pulumi up

Expected Behavior

Pulumi would import the WebACL resource as it is in AWS, without any extra properties

Actual Behavior

Pulumi imported the WebACL resource with extra properties and now reports unnecessary changes

Examples:
In the state:

{
    "byteMatchStatement": {
        "fieldToMatch": {
            "uriPath": {}
        },
        "positionalConstraint": "EXACTLY",
        "searchString": "/login",
        "searchStringBase64": "L2xvZ2lu",
        "textTransformations": [
            {
                "priority": 0,
                "type": "NONE"
            }
        ]
    }
},

In AWS:

{
  "ByteMatchStatement": {
    "SearchString": "/login",
    "FieldToMatch": {
      "UriPath": {}
    },
    "TextTransformations": [
      {
        "Priority": 0,
        "Type": "NONE"
      }
    ],
    "PositionalConstraint": "EXACTLY"
  }
},

pulumi diff:

~ statement: {
  ~ andStatement: {
      ~ statements: [
          ~ [0]: {
                  ~ notStatement: {
                      ~ statement: {
                          ~ byteMatchStatement: {
                              - searchStringBase64: "L2xvZ2lu"
                            }
                        }
                    }
                }
        ]
    }
}

After adding the searchStringBase64 property to the code to remove the diff

$ pulumi up
Previewing update (xxx/prod)

     Type                           Name               Plan
     pulumi:pulumi:Stack            xxx-prod
     └─ xxx          main
 +      └─ aws-native:wafv2:WebACL  main-web-acl-prod  create


Outputs:
  + wafWebACLArn                : output<string>

Resources:
    + 1 to create
    49 unchanged

Do you want to perform this update? yes
Updating (xxx/prod)

     Type                           Name               Status                  Info
     pulumi:pulumi:Stack            xxx-prod   **failed**              1 error
     └─ xxx          main
 +      └─ aws-native:wafv2:WebACL  main-web-acl-prod  **creating failed**     1 error


Diagnostics:
  pulumi:pulumi:Stack (xxx-prod):
    error: update failed

  aws-native:wafv2:WebACL (main-web-acl-prod):
    error: operation CREATE failed with "GeneralServiceException": You must only specify exactly one of SearchString and SearchStringBase64

I have found similar issues with other parameters as well, some of them are ruleLabels, excludedRules, managedRuleGroupConfigs, excludedCookies, includedCookies, excludedHeaders, includedHeaders, tags, and probably others that I've missed.

Output of pulumi about

CLI
Version 3.48.0
Go Version go1.19.2
Go Compiler gc

Plugins
NAME VERSION
aws 5.21.1
aws-native 0.43.0
go unknown

Host
OS ubuntu
Version 20.04
Arch x86_64

This project is written in go: executable='/usr/local/go/bin/go' version='go version go1.19.2 linux/amd64'

Found no pending operations associated with xxx/prod

Backend
Name pulumi.com
URL https://app.pulumi.com/xxx
User xxx
Organizations xxx, xxx

Dependencies:
NAME VERSION
github.com/pulumi/pulumi-aws-native/sdk 0.43.0
github.com/pulumi/pulumi-aws/sdk/v5 5.21.1
github.com/pulumi/pulumi/sdk/v3 3.48.0
pkg/database 0.0.0-00010101000000-000000000000
pkg/environment 0.0.0-00010101000000-000000000000
pkg/nfs 0.0.0-00010101000000-000000000000

Additional context

I first attempted to use AWS Classic provider for this, but I unfortunately reached a dead end as reported here: pulumi/pulumi-aws#2250

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[roothorp]

Hi @alexandr-x-ursul, thanks for the issue. It looks like AWS automatically adds the searchStringBase64 based off what is specified in searchString, and Pulumi is picking that up in the import. Obviously this is undesirable as it is creating diffs (and, as you point out, you cannot manually define both of these at the same time). I've raised this bug with the team to be prioritized and added to our work stack.

[alexandr-x-ursul]

Hi @alexandr-x-ursul, thanks for the issue. It looks like AWS automatically adds the searchStringBase64 based off what is specified in searchString, and Pulumi is picking that up in the import. Obviously this is undesirable as it is creating diffs (and, as you point out, you cannot manually define both of these at the same time). I've raised this bug with the team to be prioritized and added to our work stack.

Thank you :)