awscc_wafv2_ip_set - API error ValidationException #999

Closed
jackywong-amazon opened this issue Jun 14, 2023 · 3 comments · Fixed by #1501
Labels
bug upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency.


jackywong-amazon commented Jun 14, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

Terraform v1.4.6 & v1.5.0 - both experience the same issue
on darwin_arm64

  • provider registry.terraform.io/hashicorp/awscc v0.53.0
  • awscc_wafv2_ip_set

Terraform Configuration Files

Example 1

```hcl
resource awscc_wafv2_ip_set "this" {
  name               = "example"
  description        = "Example IP Set"
  addresses          = ["10.1.1.0/32", "10.2.1.0/32"]
  ip_address_version = "IPV4"
  scope              = "REGIONAL"
}
```

Example 2

```hcl
resource awscc_wafv2_ip_set "this" {
  addresses          = ["10.1.1.0/32", "10.2.1.0/32"]
  ip_address_version = "IPV4"
  scope              = "CLOUDFRONT"
}
```

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

```
  # awscc_wafv2_ip_set.this will be created
  + resource "awscc_wafv2_ip_set" "this" {
      + addresses = [
          + "10.1.1.0/32",
          + "10.2.1.0/32",
        ]
      + arn = (known after apply)
      + description = (known after apply)
      + id = (known after apply)
      + ip_address_version = "IPV4"
      + name = (known after apply)
      + scope = "REGIONAL"
      + tags = (known after apply)
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

awscc_wafv2_ip_set.this: Creating...
awscc_wafv2_ip_set.this: Creation complete after 8s [id=d728ee28-5d84-4cb9-9147-ba3d4478feed]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
```

Actual Behavior

The resource is provisioned successfully. However, if the Terraform Plan or Terraform Destroy command is used, Terraform fails to fetch the existing resource, failing with: Identifier is not valid for identifier /properties/Name, /properties/Id, /properties/Scope

Steps to Reproduce

  1. Terraform Plan
  2. Terraform Apply
  3. Resource provision
  4. Terraform Plan

```
awscc_wafv2_ip_set % terraform plan
awscc_wafv2_ip_set.this: Refreshing state... [id=d728ee28-5d84-4cb9-9147-ba3d4478feed]

Planning failed. Terraform encountered an error while generating this plan.

│ Error: AWS SDK Go Service Operation Unsuccessful
│
│ with awscc_wafv2_ip_set.this,
│ on wafv2_ip_set.tf line 14, in resource "awscc_wafv2_ip_set" "this":
│ 14: resource awscc_wafv2_ip_set "this" {
│
│ Calling Cloud Control API service GetResource operation returned: operation error CloudControl: GetResource, https response error StatusCode: 400, RequestID: cd8b48e1-5782-45ea-96b6-b59406daa0f0, api error
│ ValidationException: Identifier d728ee28-5d84-4cb9-9147-ba3d4478feed is not valid for identifier [/properties/Name, /properties/Id, /properties/Scope]
```

  1. terraform apply

Important Factoids

References

TFState file

```json
{
  "version": 4,
  "terraform_version": "1.5.0",
  "serial": 1,
  "lineage": "140cf1bf-b2cb-3656-397f-0174637cf8d2",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "awscc_wafv2_ip_set",
      "name": "this",
      "provider": "provider[\"registry.terraform.io/hashicorp/awscc\"]",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "addresses": [
              "10.1.1.0/32",
              "10.2.1.0/32"
            ],
            "arn": "arn:aws:wafv2:us-east-1:**********:regional/ipset/0RbRyadLqMXBaUxuZUGsjvBVa-jkZfpEcqdscc/d728ee28-5d84-4cb9-9147-ba3d4478feed",
            "description": "",
            "id": "d728ee28-5d84-4cb9-9147-ba3d4478feed",
            "ip_address_version": "IPV4",
            "name": "0RbRyadLqMXBaUxuZUGsjvBVa-jkZfpEcqdscc",
            "scope": "REGIONAL",
            "tags": null
          },
          "sensitive_attributes": []
        }
      ]
    }
  ],
  "check_results": null
}
```

jackywong-amazon changed the title from "awscc_wafc2_ip_set - API error ValidationException" to "awscc_wafv2_ip_set - API error ValidationException" on Jun 14, 2023

kadrach (Contributor) commented Jun 14, 2023

The resource generator disables synthetic ids due to the Id property the resource itself has at the root.

```go
if codeFeatures.HasIDRootProperty {
	templateData.SyntheticIDAttribute = false
}
```

```go
if naming.CloudFormationPropertyToTerraformAttribute(name) == "id" {
	// Ensure that any schema-declared top-level ID property is of type String and is the primary identifier.
	if propertyType := property.Type.String(); propertyType != cfschema.PropertyTypeString {
		return features, fmt.Errorf("top-level property %s has type: %s", name, propertyType)
	}
	if !cfResource.PrimaryIdentifier.ContainsPath([]string{name}) {
		return features, fmt.Errorf("top-level property %s is not a primary identifier", name)
	}
	features.HasIDRootProperty = true
}
```

Overriding this manually in the generated resource to test "works", but that's certainly not the intended way :) I'm not across the details of #156 and #125 and why we would (or not) want to do this. I suspect generation for these resources should not have been enabled, as they don't work as-is.

opts = opts.WithSyntheticIDAttribute(false)

wellsiau-aws (Collaborator) commented

Running my own test via Cloud Control API, here is what I found:

```
aws cloudcontrol create-resource \
  --type-name AWS::WAFv2::IPSet \
  --desired-state "{\"Addresses\": [],\"IPAddressVersion\":\"IPV4\",\"Scope\":\"REGIONAL\"}"

{
    "ProgressEvent": {
        "TypeName": "AWS::WAFv2::IPSet",
        "RequestToken": "62846fa7-102c-4411-911d-65ddba84a069",
        "Operation": "CREATE",
        "OperationStatus": "IN_PROGRESS",
        "EventTime": "2023-06-19T07:52:01.120000-07:00"
    }
}

aws cloudcontrol get-resource-request-status --request-token 62846fa7-102c-4411-911d-65ddba84a069

{
    "ProgressEvent": {
        "TypeName": "AWS::WAFv2::IPSet",
        "Identifier": "O0os3me5SsDJhjoA9544aUYQg-khduQxFomGlM|df4f27df-734a-443e-abb7-dfce916a1a36|REGIONAL",
        "RequestToken": "62846fa7-102c-4411-911d-65ddba84a069",
        "Operation": "CREATE",
        "OperationStatus": "SUCCESS",
        "EventTime": "2023-06-19T07:52:01.522000-07:00"
    }
}
```

Notice how the Identifier contains several strings merged with "|"
"Identifier": "O0os3me5SsDJhjoA9544aUYQg-khduQxFomGlM|df4f27df-734a-443e-abb7-dfce916a1a36|REGIONAL",
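
The identifier mismatch discussed in this thread, as an added Go example (not the provider's code and not part of any comment): it builds the `Name|Id|Scope` identifier from the attributes in the state file and shows that the bare `id` stored in state does not split into the three parts. The function names, the part-count check and the lowercase property-to-attribute mapping are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Primary identifier paths, in the order the ValidationException lists them.
var primaryIdentifier = []string{"/properties/Name", "/properties/Id", "/properties/Scope"}

// Constructed sample: the identifying attributes copied from the state file above.
const sampleAttrs = `{"id":"d728ee28-5d84-4cb9-9147-ba3d4478feed","name":"0RbRyadLqMXBaUxuZUGsjvBVa-jkZfpEcqdscc","scope":"REGIONAL"}`

// parseIdentifier splits id on "|"; the part-count check is a local assumption.
func parseIdentifier(id string) (map[string]string, error) {
	parts := strings.Split(id, "|")
	if len(parts) != len(primaryIdentifier) {
		return nil, fmt.Errorf("identifier %q has %d part(s), want %d", id, len(parts), len(primaryIdentifier))
	}
	out := make(map[string]string, len(parts))
	for i, path := range primaryIdentifier {
		out[path] = parts[i]
	}
	return out, nil
}

// expectedIdentifier joins state attributes with "|" (assumes Name maps to name, etc.).
func expectedIdentifier(attrsJSON []byte) (string, error) {
	var attrs map[string]any
	if err := json.Unmarshal(attrsJSON, &attrs); err != nil {
		return "", err
	}
	parts := make([]string, 0, len(primaryIdentifier))
	for _, path := range primaryIdentifier {
		key := strings.ToLower(strings.TrimPrefix(path, "/properties/"))
		v, ok := attrs[key].(string)
		if !ok || v == "" {
			return "", fmt.Errorf("state has no string attribute %q for %s", key, path)
		}
		parts = append(parts, v)
	}
	return strings.Join(parts, "|"), nil
}

func main() {
	_, err := parseIdentifier("d728ee28-5d84-4cb9-9147-ba3d4478feed") // bare id from state
	want, _ := expectedIdentifier([]byte(sampleAttrs))
	fmt.Printf("stored id rejected: %v\nexpected identifier: %s\n", err, want)
}
```

While refresh fails this way, `terraform plan` cannot compare the IP set's addresses against the configuration, so changes made to the WAF IP set outside Terraform go unreported.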

wellsiau-aws (Collaborator) commented

likely upstream issue
