AWS Network firewall endpoint is not generated properly

I’m currently using TypeScript for CDKTF, and the lines below

    const firewall = new DataAwsNetworkfirewallFirewall(this, "test", {
      name: "firewall"
    });
    firewall.firewallStatus.get(0).syncStates.get(0).attachment.get(0).endpointId;

seem to generate the following line in cdk.tf.json

 "${tolist(data.aws_networkfirewall_firewall.test.firewall_status[0].sync_states)[0][\"attachment[0].endpoint_id\"]}"

in which ["attachment[0].endpoint_id"] is incorrect. The correct way to access it should be

"${tolist(data.aws_networkfirewall_firewall.test.firewall_status[0].sync_states)[0].attachment[0].endpoint_id}"

Hi @waynechong1995 :wave:

This looks like a bug :bug:! Would you mind filing it in our repository over here?

I think that one might have to do with the underlying type of sync_states being a set, but the code you have should work :sweat_smile:


@waynechong1995 Did you ever get around to resolving this? I’m running into the same issue.

There you go

    Fn.lookup(
      Fn.element(networkFirewall.firewallStatus.get(0).syncStates.get(index).attachment.toString(), 0),
      'endpoint_id',
      ''
    );

Thanks a lot for this, Wayne. It looks like when you have more than 1 firewall endpoint, this resource is still problematic. The sync states look something like this:

            sync_states = [
                {
                    attachment        = [
                        {
                            endpoint_id = "vpce-031ed3c5d848"
                            subnet_id   = "subnet-0b6782fac271"
                        },
                    ]
                    availability_zone = "ap-south-1b"
                },
                {
                    attachment        = [
                        {
                            endpoint_id = "vpce-044aa97a9fb8"
                            subnet_id   = "subnet-032b155aadf6"
                        },
                    ]
                    availability_zone = "ap-south-1a"
                },
                {
                    attachment        = [
                        {
                            endpoint_id = "vpce-0a77b53c9bd7"
                            subnet_id   = "subnet-03472e827cc0"
                        },
                    ]
                    availability_zone = "ap-south-1c"
                },
            ]
        },

As you can see, it’s unordered, so getting the endpoint ID by index isn’t really great. I’ve tried something like:

      let vpcEndpointId: string | null = null; 

      for (let i = 0; i < 2; i++) {
        const syncState = this.nonProdFirewall.firewallStatus.get(0).syncStates.get(i);
      
        // Using the lookup function to get availability_zone
        const syncStateAZ = Fn.lookup(syncState.toString(), "availability_zone", "");
        
        if (syncStateAZ === this.prodFirewallSubnets[index].availabilityZone) {
          // Extract the endpoint_id when a match is found
          vpcEndpointId = Fn.lookup(Fn.element(syncState.attachment.toString(), 0), 'endpoint_id', '');
          break; // Exit the loop once you've found the match
        }
      }

No luck, any chance you’ve solved for this as well?
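
Added example, not part of any post in this thread and not CDKTF's own code: because sync_states is an unordered set, the endpoint can be selected by availability zone with a Terraform `for` expression that is evaluated at apply time, where the zone values actually exist, rather than by index. `endpointIdExpression` and `selectEndpoint` are hypothetical helpers; the sketch assumes a literal standard zone name and that CDKTF writes a string containing `${...}` to cdk.tf.json unchanged.

```typescript
// Added example (not from the thread): pick the endpoint by availability zone
// at apply time instead of by position in the unordered sync_states set.
interface SyncState {
  availability_zone: string;
  attachment: { endpoint_id: string; subnet_id: string }[];
}

// Hypothetical helper, not a CDKTF API. `address` is the data source address
// as it appears in cdk.tf.json; `az` must be a literal zone name.
function endpointIdExpression(address: string, az: string): string {
  // Both values are spliced into HCL, so accept only the expected shapes.
  if (!/^data\.aws_networkfirewall_firewall\.[A-Za-z_][\w-]*$/.test(address)) {
    throw new Error(`unexpected data source address: ${JSON.stringify(address)}`);
  }
  if (!/^[a-z]{2}(-[a-z]+)+-\d[a-z]$/.test(az)) {
    throw new Error(`not a zone name: ${JSON.stringify(az)}`);
  }
  // one() returns the single match, null for no match, an error for several.
  return "${one([for s in " + address + ".firewall_status[0].sync_states : " +
    `s.attachment[0].endpoint_id if s.availability_zone == "${az}"])}`;
}

// Plain-TypeScript model of what that expression evaluates to in Terraform.
function selectEndpoint(states: SyncState[], az: string): string | null {
  const hits = states
    .filter((s) => s.availability_zone === az)
    .flatMap((s) => s.attachment.slice(0, 1).map((a) => a.endpoint_id));
  if (hits.length > 1) throw new Error(`several sync states for ${az}`);
  return hits[0] ?? null;
}

// Sample data: the three sync states quoted in the thread.
const SAMPLE: SyncState[] = [
  { availability_zone: "ap-south-1b",
    attachment: [{ endpoint_id: "vpce-031ed3c5d848", subnet_id: "subnet-0b6782fac271" }] },
  { availability_zone: "ap-south-1a",
    attachment: [{ endpoint_id: "vpce-044aa97a9fb8", subnet_id: "subnet-032b155aadf6" }] },
  { availability_zone: "ap-south-1c",
    attachment: [{ endpoint_id: "vpce-0a77b53c9bd7", subnet_id: "subnet-03472e827cc0" }] },
];
```

The string returned by `endpointIdExpression` is meant to be passed wherever the endpoint ID is needed; `selectEndpoint` only models the result locally so the order-independence can be checked without running Terraform.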