terraform-provider-azurerm: Updating firewall policy rule collection group fails

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

v2.96.0

Affected Resource(s)

  • azurerm_firewall_policy
  • azurerm_firewall_policy_rule_collection_group

Terraform Configuration Files

# Firewall policies
# var.resource_group, var.location and azurerm_public_ip.firewallpip are
# declared elsewhere in the module and are not shown here.
resource "azurerm_firewall_policy" "firewallpolicy" {
  name                = "test-firewall-uksouth-policy"
  resource_group_name = var.resource_group
  location            = var.location
}

# Policy rule collection groups
resource "azurerm_firewall_policy_rule_collection_group" "policycollectiongroup" {
  name               = "test-firewall-uksouth-policy-rcg"
  firewall_policy_id = azurerm_firewall_policy.firewallpolicy.id
  priority           = 500

  # Application rules: match on FQDN and HTTP/HTTPS protocol/port
  application_rule_collection {
    name     = "app_rule_collection1"
    priority = 500
    action   = "Deny"
    rule {
      name = "app_rule_collection1_rule1"
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["10.0.0.2"]
      destination_fqdns = ["*.microsoft.com"]
    }
  }

  # Network rules: match on L3/L4 (addresses, protocols, ports)
  network_rule_collection {
    name     = "network_rule_collection1"
    priority = 400
    action   = "Deny"
    rule {
      name                  = "network_rule_collection1_rule1"
      protocols             = ["TCP", "UDP"]
      source_addresses      = ["10.0.0.1"]
      destination_addresses = ["192.168.1.1", "192.168.1.2"]
      destination_ports     = ["80", "1000-2000"]
    }
  }

  # DNAT rules: inbound on the firewall's public IP, translated to a private host
  nat_rule_collection {
    name     = "nat_rule_collection1"
    priority = 300
    action   = "Dnat"
    rule {
      name                = "nat_rule_collection1_rule1"
      protocols           = ["TCP", "UDP"]
      source_addresses    = ["10.0.0.1", "10.0.0.2"]
      destination_address = azurerm_public_ip.firewallpip.ip_address
      destination_ports   = ["80"]
      translated_address  = "192.168.0.1"
      translated_port     = "8080"
    }
  }

  # Redundant: the firewall_policy_id reference above already creates this dependency.
  depends_on = [azurerm_firewall_policy.firewallpolicy]
}

Debug Output

2022-02-15T15:22:01.3778543Z │ Error: creating Firewall Policy Rule Collection Group "test-firewall-uksouth-policy-rcg" (Resource Group "test-connectivity-uksouth" / Policy: "test-firewall-uksouth-policy"): network.FirewallPolicyRuleCollectionGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="FirewallPolicyRuleCollectionGroupUpdateNotAllowed" Message="Rule Collection Group test-firewall-uksouth-policy-rcg can not be updated because Parent Firewall Policy test-firewall-uksouth-policy is in Updating state from previous operation ID : 5a0c64f8-0a5d-413e-a2d8-ed373c425506."
2022-02-15T15:22:01.3780559Z │
2022-02-15T15:22:01.3782035Z │   with module.azure-firewall.azurerm_firewall_policy_rule_collection_group.policycollectiongroup,
2022-02-15T15:22:01.3783025Z │   on azure-firewall/main.tf line 48, in resource "azurerm_firewall_policy_rule_collection_group" "policycollectiongroup":
2022-02-15T15:22:01.3784004Z │   48: resource "azurerm_firewall_policy_rule_collection_group" "policycollectiongroup" {
2022-02-15T15:22:01.3784664Z │

Panic Output

N/A

Expected Behaviour

When the rules inside a policy rule collection group are updated, these should apply. We cannot seem to achieve this without tearing everything down again and redeploying it.

Actual Behaviour

When changes are made to the rules in the policy rule collection group, the terraform apply fails, stating that the policy it is tied to is stuck in an updating state. This is because the apply triggers the policy into an updating state even when no changes are made to it.

Steps to Reproduce

  1. Deploy an Azure Firewall with a firewall policy with a policy rule collection group.
  2. Update a rule in the policy rule collection group and redeploy.

Important Factoids

N/A

References

None that I could find.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 25

Most upvoted comments

@magodo, unfortunately, we don’t have such a policy in our environment. We use this subscription as a test environment and everything is created by terraform.

I have found a similar issue on the link below and this explanation:

Only one Rule Collection Group can be updated at a time with Azure Firewall Policy. Since the update refreshes all of the connected Azure Firewall instances, the amount of time it takes to update is non-deterministic. Therefore you will need to serialize the deployment using the batchSize decorator.

https://github.com/Azure/bicep/issues/1013#issuecomment-932126524

Does it make sense? If so, how to do that with terraform?
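One way to get the serialisation the Bicep comment describes in Terraform is to chain the rule collection groups with depends_on, so that Terraform never creates or updates two groups on the same policy concurrently. The configuration below is an added example, not code from this issue or from the provider's documentation; the variable, resource and rule names and the addresses are assumptions for illustration.

```hcl
# Added example: serialising rule collection group updates on one policy.
# Resource names, addresses and variables are assumptions, not from the issue.

variable "resource_group" { type = string }
variable "location"       { type = string }

resource "azurerm_firewall_policy" "example" {
  name                = "example-policy"
  resource_group_name = var.resource_group
  location            = var.location
}

# First group: depends only on the policy via firewall_policy_id.
resource "azurerm_firewall_policy_rule_collection_group" "rcg_network" {
  name               = "example-rcg-network"
  firewall_policy_id = azurerm_firewall_policy.example.id
  priority           = 100

  network_rule_collection {
    name     = "allow-dns"
    priority = 100
    action   = "Allow"
    rule {
      name                  = "dns"
      protocols             = ["UDP"]
      source_addresses      = ["10.0.0.0/24"]
      destination_addresses = ["168.63.129.16"]
      destination_ports     = ["53"]
    }
  }
}

# Second group: the explicit depends_on means Terraform will not start
# creating or updating this group until the operation on rcg_network has
# finished, so the policy only ever receives one group update at a time.
# Add further groups the same way, each depending on the previous one.
resource "azurerm_firewall_policy_rule_collection_group" "rcg_app" {
  name               = "example-rcg-app"
  firewall_policy_id = azurerm_firewall_policy.example.id
  priority           = 200

  application_rule_collection {
    name     = "allow-updates"
    priority = 100
    action   = "Allow"
    rule {
      name = "windows-update"
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["10.0.0.0/24"]
      destination_fqdns = ["*.windowsupdate.com"]
    }
  }

  depends_on = [azurerm_firewall_policy_rule_collection_group.rcg_network]
}
```

The blunt alternative is `terraform apply -parallelism=1`, which serialises every resource operation in the run rather than just these groups. Neither approach covers the single-group case reported above, where the parent policy is already in the Updating state when the only group is changed; before re-running apply in that situation it is worth confirming the policy's state directly, for example with `az network firewall policy show -g <resource-group> -n <policy-name> --query provisioningState -o tsv`, and waiting until it reports Succeeded.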

@danailedms I’ve just tried again with the above change, using the following cfg: https://gist.github.com/magodo/c45fbf9a097c2a695d10151741c654a6. But the update is still successful. Do you get this error even with a fresh new provision? Have you checked whether the policy is stuck in the update state all the time?