Azure / terraform-azurerm-avm-ptn-virtualwan

MIT License

Bug: Azure Firewall deployment does not configure specified Firewall Policies #11

Closed OmnipotentOwl closed 3 months ago

OmnipotentOwl commented 10 months ago

Summary

When attempting to configure the module deployed Azure Firewall with a specified Firewall Policy the policy is not deployed to the firewall. Looking into the module code it looks like the firewall_policy_id argument is missing from the firewall resource.

Reproduction

"aue-vhub-fw" = {
  sku_name           = "AZFW_Hub"
  sku_tier           = "Standard"
  name               = "aue-hub-fw"
  virtual_hub_name   = "aue-vhub"
  firewall_policy_id = "/subscriptions/***/resourceGroups/tvmVwanRg/providers/Microsoft.Network/firewallPolicies/afwp-tvmhub-aue-001"
}

Remediation

resource "azurerm_firewall" "fw" {
  for_each = var.firewalls

  name                = each.value.name
  location            = azurerm_virtual_hub.virtual_hub[each.value.virtual_hub_name].location
  resource_group_name = azurerm_virtual_hub.virtual_hub[each.value.virtual_hub_name].resource_group_name
  sku_name            = each.value.sku_name
  sku_tier            = each.value.sku_tier
  # Missing from the module today: pass the policy ID through so the hub
  # firewall is created with the intended policy rather than none.
  firewall_policy_id  = each.value.firewall_policy_id
  tags                = try(each.value.tags, {})

  virtual_hub {
    virtual_hub_id = azurerm_virtual_hub.virtual_hub[each.value.virtual_hub_name].id
  }
}

JefferyMitchell commented 9 months ago

@OmnipotentOwl Thank you for the feedback we have this request in our backlog.

ChrisSidebotham commented 6 months ago

+1 :D

matt-FFFFFF commented 6 months ago

@khushal08 please can you take a look?

philipstreet commented 4 months ago

I just discovered this too. It also doesn't set dns_servers (but you need to do that if policy is not set). Interesting to note that the firewalls variable object includes attributes that I thought were not relevant for Azure Firewalls in VWAN Hubs, e.g. threat_intel_mode; they don't appear as configurable options in the Portal unless the Firewall is not deployed in a VWAN Hub.

FYI @cshea-msft

cshea-msft commented 4 months ago

@philipstreet If you are not using the Firewall Policy with the Azure Firewall then you are using Firewall "Classic" where you can set the DNS servers, threat_intel_mode, and other settings. I am removing those attributes on the Firewall module so there is no confusion, and you will need to use the Azure Firewall Policy to set those settings.

When deploying the Azure Firewall with a Virtual Hub in the Portal, you do not have an option to deploy the Firewall Policy at the same time and VWan creates a DefaultDeny Policy to attach to the Firewall. You can change the DefaultDeny Policy to your Policy once the Firewall is deployed to the Virtual Hub in the Portal. I believe the same happens when deploying a Firewall, Firewall Policy with Virtual Hub with Terraform. Because of that default policy, it cannot attach the Firewall Policy to the Firewall.

I need to look into it to see if there is a way around it.

philipstreet commented 4 months ago

Thanks @cshea-msft, we'll need to look at this more.

The purpose of this exercise from our side was mainly to assess the viability of recommending Azure VWAN as a LZ solution option for our customers now that it properly supports multi-region secure hubs with routing intent. Being able to fully automate the deployment with Firewall Policies would be an important part of that (whether that be using AVMs or the native Terraform resources).

philipstreet commented 4 months ago

@cshea-msft Could the policy be linked to the Firewalls using azapi after they've been deployed?

I'm looking at writing the code to do that right now from my repo. Unfortunately, the VWAN AVM module only outputs FW names, whereas it outputs resource IDs for all the other resources, which is not ideal.

philipstreet commented 4 months ago

BTW @cshea-msft My AZAPI code works linking the FWP to the FWs, although I've not yet tested it on a clean deployment, which is the next thing for us to try.

Here's my code so far:

module "firewall_policy" {
  source              = "Azure/avm-res-network-firewallpolicy/azurerm"
  resource_group_name = local.resource_group_name
  location            = var.location
  name                = local.firewall_policy_name
  firewall_policy_sku = var.firewall_sku_tier
  tags                = local.tags
}

# Needed for the subscription ID used to build the firewall resource IDs below.
data "azurerm_client_config" "current" {}

locals {
  # The VWAN module only outputs firewall names, so the resource IDs are built
  # here; this assumes the firewalls sit in the same resource group as the policy.
  firewall_ids = {
    for fw in module.vwan_with_vhub.fw : fw => "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Network/azureFirewalls/${fw}"
  }
}

# PATCH each already-deployed hub firewall to reference the policy.
resource "azapi_update_resource" "fwp" {
  for_each = local.firewall_ids

  type        = "Microsoft.Network/azureFirewalls@2023-09-01"
  resource_id = each.value

  body = jsonencode({
    properties = {
      firewallPolicy = {
        id = module.firewall_policy.resource.id
      }
    }
  })

  depends_on = [module.firewall_policy, module.vwan_with_vhub]
}

cshea-msft commented 4 months ago

@philipstreet just an update as well, I was deploying my example again, and this time the FW policy is attached to the firewall. I did not do anything different as far as I know. Will continue to test but wanted to give you an update.

philipstreet commented 4 months ago

@cshea-msft Funny you should mention that because I suddenly noticed that my FW policy was disconnected from our Firewalls, after definitely being connected! 🤷 🤔 Not sure if that coincided with me pushing some simple Application & Network rules to the Policy. We're currently destroying the environment so I can really test this now, so it might have to wait until next week.
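The two comments above describe a policy association that is present after one apply and gone after another. A post-apply drift check for that condition, added here as an example and not code from this thread or from the AVM module: it works over the flattened JSON that `az network firewall list -o json` returns (the sample below is constructed, with a placeholder subscription ID and an assumed second policy name), treats ARM resource IDs as case-insensitive, and also accepts the nested `properties` shape an ARM GET returns. The script file name in the usage note is assumed.

```python
"""Check that every Azure Firewall in a Virtual WAN hub still references the
intended Firewall Policy. Pure functions over the JSON shape returned by
`az network firewall list` (flattened) or an ARM GET (nested `properties`)."""
import json
import sys

# Constructed sample, not real tenant data: one firewall holds the intended
# policy (with different casing), one has been re-pointed at another policy,
# one has no policy at all.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "tvmVwanRg"
EXPECTED_POLICY_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
    "/providers/Microsoft.Network/firewallPolicies/afwp-tvmhub-aue-001"
)
OTHER_POLICY_ID = (  # assumed name, stands in for whatever policy got attached instead
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
    "/providers/Microsoft.Network/firewallPolicies/some-other-policy"
)
SAMPLE_FIREWALLS = [
    {"name": "aue-hub-fw", "sku": {"name": "AZFW_Hub", "tier": "Standard"},
     "firewallPolicy": {"id": EXPECTED_POLICY_ID.upper()}},
    {"name": "use-hub-fw", "sku": {"name": "AZFW_Hub", "tier": "Standard"},
     "firewallPolicy": {"id": OTHER_POLICY_ID}},
    {"name": "weu-hub-fw", "sku": {"name": "AZFW_Hub", "tier": "Standard"},
     "firewallPolicy": None},
]


def firewall_resource_id(subscription_id, resource_group, name):
    """Build the ARM ID of a firewall from its name, as the thread has to do
    because the VWAN module only outputs firewall names."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/azureFirewalls/{name}")


def same_resource_id(a, b):
    """ARM resource IDs are case-insensitive; normalise before comparing."""
    return (a or "").lower() == (b or "").lower()


def policy_id_of(firewall):
    """Return the attached policy ID, or None, for either JSON shape."""
    props = firewall.get("properties", firewall)
    policy = props.get("firewallPolicy") or {}
    return policy.get("id")


def check_policy_association(firewalls, expected_policy_id):
    """Map firewall name -> 'ok', 'no-policy' or 'wrong-policy:<id>'."""
    report = {}
    for fw in firewalls:
        actual = policy_id_of(fw)
        if not actual:
            report[fw["name"]] = "no-policy"
        elif same_resource_id(actual, expected_policy_id):
            report[fw["name"]] = "ok"
        else:
            report[fw["name"]] = f"wrong-policy:{actual}"
    return report


def drifted(report):
    """Names of firewalls whose policy association is not the expected one."""
    return sorted(name for name, status in report.items() if status != "ok")


if __name__ == "__main__":
    # Usage:
    #   az network firewall list -g <rg> -o json | python check_fw_policy.py <expected_policy_id>
    # With no piped input the constructed sample is checked instead.
    expected = sys.argv[1] if len(sys.argv) > 1 else EXPECTED_POLICY_ID
    firewalls = SAMPLE_FIREWALLS if sys.stdin.isatty() else json.load(sys.stdin)
    result = check_policy_association(firewalls, expected)
    for fw_name, status in result.items():
        print(f"{fw_name}: {status}")
    sys.exit(1 if drifted(result) else 0)
```

The non-zero exit on drift lets the check sit in the pipeline after `terraform apply`; a hub firewall reported as `no-policy` or `wrong-policy` is running with rules other than the ones that were reviewed, which is exactly the silent failure the thread is chasing.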

cshea-msft commented 4 months ago

@philipstreet just destroyed and recreated and it deployed the policy with the firewall again, so not sure why it didn't attach the first time. Will add some rules to see if I get the same issue you just ran into.

philipstreet commented 4 months ago

@cshea-msft There's already a PR to fix the FWP association, https://github.com/Azure/terraform-azurerm-avm-ptn-virtualwan/pull/53

khushal08 commented 3 months ago

Fixed changes in release v0.4.2