We're using pulumi to manage our cloudarmor (WAF) solution.
When attempting to edit a rule, even with `deleteBeforeReplace: true`, we get the error:
CommandError: code: -2
stdout:
stderr: Command failed with exit code 255: pulumi up --yes --skip-preview --diff --exec-agent pulumi/actions@v5 --color auto --suppress-outputs --suppress-progress --exec-kind auto.local --stack dev --non-interactive
error: sdk-v2/provider2.go:566: sdk.helper_schema: Error creating SecurityPolicyRule: googleapi: Error 400: Invalid value for field 'resource.priority': '6003'. Cannot have rules with the same priorities., invalid: provider=google-beta@8.31.0
error: 1 error occurred:
* Error creating SecurityPolicyRule: googleapi: Error 400: Invalid value for field 'resource.priority': '6003'. Cannot have rules with the same priorities., invalid
The only path forward seems to be to:
1. `pulumi up` (pulumi creates a [tmp] rule with the new parameters & deletes the old one)
2. set the `priority` to its original/intended value
3. `pulumi up` (pulumi creates the rule with the new parameters & deletes the [tmp] one)
Is there a better way? (other than juggling rule `.priority` values?)
EDIT: Updated initial post's process from delete/up/create/up
NOTE: when faced with a deletion+creation, default behaviour seems to be for Pulumi to create new resources before deleting the existing ones; at least there's no gap in coverage.
So a few observations:
- the right way to update CloudArmor rules is likely to use the google API's `patchRule`, as pointed out by @DazWilkin (and also mentioned in one Pulumi error message or another, IIRC),
- no combination of `replaceOnChanges: ['*']` and/or `deleteBeforeReplace` is able to achieve the objective, and
- when making creation+deletion in the same `pulumi up`, it does automatically create new resources before deleting the old ones, alleviating any risk of not having WAF rules enforced for [any] period of time while applying changes 👌 (probably why the `deleteBeforeReplace` option exists)
So in the end, the best solution seems to be the one above:
1. Edit + apply #1: make changes to target rule(s)' definition(s), including an increment of the `priority` value (to any available value).
   Result: Pulumi will create a new [temporary] rule, and delete the original one.
2. Edit + apply #2: keeping the desired changes, revert the `priority` back to the original value.
   Result: Pulumi will create a new rule, with the original `priority` value, and delete the temporary one.
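As an added example (not code from the original post, and not Pulumi's or the Google provider's own logic), the following TypeScript models the behaviour described in the answer: Pulumi replaces a changed rule by creating the new one before deleting the old one, while Cloud Armor rejects any second rule at an occupied priority. Running the in-place edit against that model reproduces the `Cannot have rules with the same priorities` failure at the create step, and running the two-step priority hop lands the edited rule back at its original priority with no moment where the policy is without a rule. The `Rule` shape, the rule names, priorities and CEL expressions are all constructed sample values; `assertUniquePriorities` is a local pre-apply check you could run inside a Pulumi program before declaring the resources, not a provider API.

```typescript
// Added example (not from the original post): a model of Pulumi's
// create-before-delete replacement against Cloud Armor's priority uniqueness rule.

interface Rule {
  name: string;        // Pulumi logical resource name (what the engine tracks)
  priority: number;    // must be unique within one security policy
  action: string;      // e.g. "allow" or "deny(403)"
  expression: string;  // CEL match expression
}

class DuplicatePriorityError extends Error {
  constructor(public readonly priority: number) {
    super(`Cannot have rules with the same priorities: ${priority}`);
    this.name = "DuplicatePriorityError";
  }
}

function sameProps(a: Rule, b: Rule): boolean {
  return a.priority === b.priority && a.action === b.action && a.expression === b.expression;
}

// Local pre-apply check (hypothetical helper): two rules sharing a priority
// will be rejected by the API anyway, so fail fast before any apply runs.
function assertUniquePriorities(rules: Rule[]): void {
  const seen = new Set<number>();
  for (const r of rules) {
    if (seen.has(r.priority)) throw new DuplicatePriorityError(r.priority);
    seen.add(r.priority);
  }
}

// Apply one revision of the program with create-before-delete semantics:
// every new or changed rule is created while the old rules are still live,
// and only after all creates succeed are the superseded rules deleted.
function applyCreateBeforeDelete(current: Rule[], desired: Rule[]): Rule[] {
  assertUniquePriorities(desired);
  const live: Rule[] = [...current];
  const pendingDeletes: Rule[] = [];
  for (const want of desired) {
    const cur = live.find((r) => r.name === want.name);
    if (cur && sameProps(cur, want)) continue; // unchanged: no-op
    // Create phase: the API rejects a second rule at an occupied priority,
    // and the old version of this very rule still occupies it.
    if (live.some((r) => r.priority === want.priority)) {
      throw new DuplicatePriorityError(want.priority);
    }
    live.push(want);
    if (cur) pendingDeletes.push(cur);
  }
  // Rules dropped from the program are deleted as well.
  for (const r of current) {
    if (!desired.some((d) => d.name === r.name)) pendingDeletes.push(r);
  }
  // Delete phase.
  return live.filter((r) => !pendingDeletes.includes(r));
}

// Constructed starting state: one deny rule plus the default allow rule.
const policyV1: Rule[] = [
  { name: "block-range", priority: 6003, action: "deny(403)", expression: "inIpRange(origin.ip, '203.0.113.0/24')" },
  { name: "default", priority: 2147483647, action: "allow", expression: "true" },
];

// Desired end state: same rule, same priority, wider range.
const policyEdited: Rule[] = policyV1.map((r) =>
  r.name === "block-range" ? { ...r, expression: "inIpRange(origin.ip, '203.0.113.0/23')" } : r,
);

// One-step in-place edit: fails at the create phase, like the googleapi 400 in the question.
function oneStepEdit(): string {
  try {
    applyCreateBeforeDelete(policyV1, policyEdited);
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}

// Two-step edit from the answer: hop to a free priority, then hop back.
function twoStepEdit(): Rule[] {
  const hop = policyEdited.map((r) => (r.name === "block-range" ? { ...r, priority: 6004 } : r));
  const afterStep1 = applyCreateBeforeDelete(policyV1, hop);   // tmp rule at 6004 live, 6003 deleted
  return applyCreateBeforeDelete(afterStep1, policyEdited);    // rule back at 6003, 6004 deleted
}

console.log(oneStepEdit());
console.log(twoStepEdit());
```

The model only covers what the answer states (creates before deletes, priorities unique per policy); it does not reproduce Pulumi's dependency ordering or the `patchRule` path, which updates a rule in place and would need no hop at all.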