pulumi import aws:alb/targetGroup fails wanting a boolean that doesn't exist on ALB TGs

[jmthomas73]

What happened?

Attempted to import a CloudFormation-created Target Group for an Application Load Balancer serving an ECS Fargate Cluster. Import added the state to the state tracking in Pulumi Cloud, but then produced this error:

error: anonymous.pp:30,25-31,14: cannot assign expression of type (null) to location of type list( { enableUnhealthyConnectionTermination: bool | output(bool) }
| output({ enableUnhealthyConnectionTermination: bool }))
| output(list({ enableUnhealthyConnectionTermination: bool }))?: ;

This boolean value is present on Network Load Balancer Target Groups, but not on ALB ones, so mine doesn't have it, nor is there anywhere I've found to set it.

Example

aws elbv2 describe-target-groups --target-group-arns arn:aws:elasticloadbalancing:us-east-1:000000000000:targetgroup/dev-hsauth-lbtg/afddf68c0e73f786
{
"TargetGroups": [
{
"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:targetgroup/dev-hsauth-lbtg/afddf68c0e73f786",
"TargetGroupName": "dev-hsauth-lbtg",
"Protocol": "HTTP",
"Port": 80,
"VpcId": "vpc-260b5e42",
"HealthCheckProtocol": "HTTP",
"HealthCheckPort": "traffic-port",
"HealthCheckEnabled": true,
"HealthCheckIntervalSeconds": 60,
"HealthCheckTimeoutSeconds": 30,
"HealthyThresholdCount": 2,
"UnhealthyThresholdCount": 2,
"HealthCheckPath": "/",
"Matcher": {
"HttpCode": "200-299"
},
"LoadBalancerArns": [
"arn:aws:elasticloadbalancing:us-east-1:000000000000:loadbalancer/app/dev-hsauth-lb/d18f11b7c836d603"
],
"TargetType": "ip",
"ProtocolVersion": "HTTP1",
"IpAddressType": "ipv4"
}
]
}

pulumi import aws:alb/targetGroup:TargetGroup dev-hsauth-lbtg arn:aws:elasticloadbalancing:us-east-1:000000000000:targetgroup/dev-hsauth-lbtg/afddf68c0e73f786

Previewing import (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/hsgovtech/hsauth/dev/previews/266f71a1-fd38-4f94-b950-4b76c8d66421

 Type                    Name             Plan
 pulumi:pulumi:Stack     hsauth-dev

= └─ aws:alb:TargetGroup dev-hsauth-lbtg import
Resources:
= 1 to import
6 unchanged

Do you want to perform this import? yes
Importing (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/hsgovtech/hsauth/dev/updates/6

 Type                    Name             Status
 pulumi:pulumi:Stack     hsauth-dev

= └─ aws:alb:TargetGroup dev-hsauth-lbtg imported (0.70s)
Resources:
= 1 imported
6 unchanged

Duration: 3s

error: anonymous.pp:30,25-31,14: cannot assign expression of type (null) to location of type list( { enableUnhealthyConnectionTermination: bool | output(bool) }
| output({ enableUnhealthyConnectionTermination: bool }))
| output(list({ enableUnhealthyConnectionTermination: bool }))?: ;

Output of pulumi about

pulumi about
CLI
Version 3.96.2
Go Version go1.21.4
Go Compiler gc

Plugins
NAME VERSION
aws 6.13.3
awsx 2.3.0
docker 4.5.0
docker 3.6.1
nodejs unknown

Host
OS Microsoft Windows 11 Home
Version 10.0.22631 Build 22631
Arch x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v18.17.1'

Current Stack: mycompany/hsauth/dev

TYPE URN
pulumi:pulumi:Stack urn:pulumi:dev::hsauth::pulumi:pulumi:Stack::hsauth-dev
pulumi:providers:aws urn:pulumi:dev::hsauth::pulumi:providers:aws::default_6_13_3
aws:ecs/cluster:Cluster urn:pulumi:dev::hsauth::aws:ecs/cluster:Cluster::dev-hsauth
aws:ecs/service:Service urn:pulumi:dev::hsauth::aws:ecs/service:Service::dev-hsauth-service
aws:ecs/taskDefinition:TaskDefinition urn:pulumi:dev::hsauth::aws:ecs/taskDefinition:TaskDefinition::dev-hsauth-td
aws:ecs/clusterCapacityProviders:ClusterCapacityProviders urn:pulumi:dev::hsauth::aws:ecs/clusterCapacityProviders:ClusterCapacityProviders::dev-hsauth-cluster-capacity
aws:alb/targetGroup:TargetGroup urn:pulumi:dev::hsauth::aws:alb/targetGroup:TargetGroup::dev-hsauth-tg
aws:alb/targetGroup:TargetGroup urn:pulumi:dev::hsauth::aws:alb/targetGroup:TargetGroup::dev-hsauth-lbtg
(note, the two above TGs from two attempts to import this same TG under different Pulumi names)

Found no pending operations associated with dev

Backend
Name pulumi.com
URL https://app.pulumi.com/username
User username
Organizations username, hsgovtech
Token type personal

Pulumi locates its logs in C:\Users\darkm\AppData\Local\Temp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[t0yv0]

This looks very similar to #2534 and #2517

If the root cause is need the same the issue here is that null inhabits all types in TF bridged providers, including required output properties, but codegen rejects that. We're working around the other AWS issue of this sort with a patch, which is not ideal. I'm actually a little surprised that it doesn't happen more often, but if it does we might need to at some point make codegen tolerate this condition since bridged providers cannot guarantee the will not be any nulls in required output properties, and changing them to optional output properties is a big breaking change for working programs.

Related issue search:

https://github.com/search?q=org%3Apulumi+cannot+assign+expression+of+type+%28null%29+to+location+of+type++&type=issues

@justinvp LMK if you want to move this to pulumi-aws for us to workaround in a similar way to 2534.

[Frassle]

I'm actually a little surprised that it doesn't happen more often, but if it does we might need to at some point make codegen tolerate this condition since bridged providers cannot guarantee the will not be any nulls in required output properties, and changing them to optional output properties is a big breaking change for working programs.

We could run codegen in non-strict mode which should already allow that sort of conversion, but those programs won't work in strict languages. null is only really valid for optionals, but might happen to work for lists/maps/objects in most languages, and will even work for int/bools/etc in something like javascript/python.

This does feel like a provider issue more than codegen to me. Might be as simple as normalising null to zero values in the bridge for non-optional properties though? Like if a property is list[bool] and TF state says it's null just convert it to []?

[t0yv0]

Yes that's true, let's transfer to pulumi-aws till I take a deeper look at the possible discrepancy or chase this down to the bridge before we generalize.

The bits of relevant info here are:

> $schema Resources aws:alb/targetGroup:TargetGroup inputProperties targetHealthStates

description:
    text: |
        Target health state block. Only applicable for Network Load Balancer target groups when `protocol` is `TCP` or `TLS`. See target_health_state for more information.
items:
    $ref:
        text: '#/types/aws:alb/TargetGroupTargetHealthState:TargetGroupTargetHealthState'
    properties:
        enableUnhealthyConnectionTermination:
            description:
                text: |
                    Indicates whether the load balancer terminates connections to unhealthy targets. Possible values are `true` or `false`. Default: `true`.
            type:
                text: boolean
    required:
        - text: enableUnhealthyConnectionTermination
    type:
        text: object
type:
    text: array

and

> $schema Resources aws:alb/targetGroup:TargetGroup required
- text: arn
- text: arnSuffix
- text: connectionTermination
- text: healthCheck
- text: ipAddressType
- text: loadBalancerArns
- text: loadBalancingAlgorithmType
- text: loadBalancingAnomalyMitigation
- text: loadBalancingCrossZoneEnabled
- text: name
- text: namePrefix
- text: preserveClientIp
- text: protocolVersion
- text: stickiness
- text: tagsAll
- text: targetFailovers
- text: targetHealthStates

The field definition is Optional+Computed:
https://github.com/hashicorp/terraform-provider-aws/blob/master/internal/service/elbv2/target_group.go#L316

I'm curious why this got projected to required in the bridge, this does not feel right, but also may be a big breaking change to fix it. As you say though we could substitute en empty value at import time for the nil of a required property in the bridge, this sounds reasonable.

[t0yv0]

A little digging into how Computed+Optional attributes map: pulumi/pulumi-terraform-bridge#1901

We currently map them to optional input but a required output (possibly that latter bit is in error, but locked in by bw-compat constraints for now).

So it seems like this issue, if it still present, would have the import type-checking pass reference output Required bit instead of input (Optional) as it should. I'm going to try to repro, have a hope that it's been fixed.

[t0yv0]

It doesn't seem to reproduce anymore.

I have provisioned a T

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const main = new aws.ec2.Vpc("main", {cidrBlock: "10.0.0.0/16"});
const test = new aws.alb.TargetGroup("test", {
    name: "tf-example-lb-tg-2",
    port: 80,
    protocol: "HTTP",
    vpcId: main.id,
    healthCheck: {
        protocol: "HTTP",
        port: "traffic-port",
        enabled: true,
        interval: 60,
        timeout: 30,
        healthyThreshold: 2,
        unhealthyThreshold: 2,
        path: "/",
        matcher: "200-299",
    },
    targetType: "ip",
    protocolVersion: "HTTP1",
    ipAddressType: "ipv4",
});

export const arn = test.arn;

and

pulumi import aws:alb/targetGroup:TargetGroup dev-hsauth-lbtg arn:aws:elasticloadbalancing:us-east-1:616138583583:targetgroup/tf-example-lb-tg-2/7fd7424e3ae11a32

succeeds.

[t0yv0]

CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.32.0
awsx    2.9.0
docker  4.5.3
docker  3.6.1
nodejs  unknown

Host     
OS       darwin
Version  14.4.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/bin/node' version='v18.18.2'

Current Stack: anton-pulumi-corp/aws-3862/dev

TYPE                             URN
pulumi:pulumi:Stack              urn:pulumi:dev::aws-3862::pulumi:pulumi:Stack::aws-3862-dev
pulumi:providers:aws             urn:pulumi:dev::aws-3862::pulumi:providers:aws::default_6_32_0
aws:ec2/vpc:Vpc                  urn:pulumi:dev::aws-3862::aws:ec2/vpc:Vpc::main
aws:alb/targetGroup:TargetGroup  urn:pulumi:dev::aws-3862::aws:alb/targetGroup:TargetGroup::test
aws:alb/targetGroup:TargetGroup  urn:pulumi:dev::aws-3862::aws:alb/targetGroup:TargetGroup::dev-hsauth-lbtg


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, pulumi
Token type     personal

Dependencies:
NAME            VERSION
typescript      5.4.5
@pulumi/aws     6.32.0
@pulumi/awsx    2.9.0
@pulumi/pulumi  3.113.3
@types/node     18.19.31

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/com.apple.shortcuts.mac-helper// by default