Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Unable to change the firewall SKU from Standard to Premium #831

Closed thijstijsma closed 10 months ago

thijstijsma commented 11 months ago

Community Note

Versions

terraform: 1.5.7

azure provider: 3.75.0

module: 4.2.0

Description

Describe the bug

When I change the firewall SKU from "" (the configuration uses "Standard" in that case) to "Premium", I get an error regarding a Policy that can't be destroyed because it's in use by the Firewall.

Steps to Reproduce

  1. Follow the wiki example: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Connectivity-Resources-With-Custom-Settings
  2. Change configure_connectivity_resources.settings.hub_networks[0].config.azure_firewall.config.sku_tier from "" to "Premium"
  3. Deploy

Context

Anonymized subscription GUIDs and organization name.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.landing_zones.azurerm_firewall.connectivity["/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/azureFirewalls/organization-fw-westeurope"] will be updated in-place
  ~ resource "azurerm_firewall" "connectivity" {
        id                  = "/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/azureFirewalls/organization-fw-westeurope"
        name                = "organization-fw-westeurope"
      ~ sku_tier            = "Standard" -> "Premium"
        tags                = {
            "deployedBy" = "terraform/azure/caf-enterprise-scale"
        }
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.landing_zones.azurerm_firewall_policy.connectivity["/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/firewallPolicies/organization-fw-westeurope-policy"] must be replaced
-/+ resource "azurerm_firewall_policy" "connectivity" {
      - auto_learn_private_ranges_enabled = false -> null
      ~ child_policies                    = [] -> (known after apply)
      ~ firewalls                         = [
          - "/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/azureFirewalls/organization-fw-westeurope",
        ] -> (known after apply)
      ~ id                                = "/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/firewallPolicies/organization-fw-westeurope-policy" -> (known after apply)
        name                              = "organization-fw-westeurope-policy"
      - private_ip_ranges                 = [] -> null
      ~ rule_collection_groups            = [] -> (known after apply)
      ~ sku                               = "Standard" -> "Premium" # forces replacement
        tags                              = {
            "deployedBy" = "terraform/azure/caf-enterprise-scale"
        }
        # (3 unchanged attributes hidden)

      ~ dns {
          - servers       = [] -> null
            # (1 unchanged attribute hidden)
        }
    }

Plan: 1 to add, 1 to change, 1 to destroy.
module.landing_zones.azurerm_firewall_policy.connectivity["/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/firewallPolicies/organization-fw-westeurope-policy"]: Destroying... [id=/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/firewallPolicies/organization-fw-westeurope-policy]
╷
│ Error: deleting Firewall Policy (Subscription: "60a28589-0ddd-48c1-888e-3c6271d279f2"
│ Resource Group Name: "organization-connectivity-westeurope"
│ Firewall Policy Name: "organization-fw-westeurope-policy"): performing Delete: unexpected status 400 with error: FirewallPolicyHasAzureFirewallReferences: Firewall Policy '/subscriptions/60a28589-0ddd-48c1-888e-3c6271d279f2/resourceGroups/organization-connectivity-westeurope/providers/Microsoft.Network/firewallPolicies/organization-fw-westeurope-policy' can not be deleted since there are Azure Firewalls using this policy.

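The plan above already contains everything needed to predict the failure before `terraform apply` runs: the policy is marked `# forces replacement` while its `firewalls` attribute still lists the attached firewall, and Azure refuses to delete a policy in that state. The following pre-apply check is an added example, not code from the issue or from the module; it reads the JSON form of a plan (`terraform show -json tfplan`) and flags any `azurerm_firewall_policy` that is being destroyed and recreated while firewalls are still attached. It assumes the standard plan JSON layout (`resource_changes[].change.actions/before/after`) and that the exported `firewalls` attribute lists the referencing firewalls, as it does in the plan on this page; the embedded sample plan, subscription id and resource names are constructed placeholders.

```python
"""Pre-apply check for Terraform plans: flag an azurerm_firewall_policy that the
plan will destroy-and-recreate while Azure Firewalls still reference it (the
FirewallPolicyHasAzureFirewallReferences failure seen in this issue).

Assumptions: the plan was exported with `terraform show -json tfplan`, and the
policy's `firewalls` attribute lists the firewalls attached to it. All ids and
names below are constructed placeholders, not values from a real deployment.
"""
from __future__ import annotations

import json
import sys

# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.landing_zones.azurerm_firewall.connectivity["fw-placeholder"]',
            "type": "azurerm_firewall",
            "change": {
                "actions": ["update"],
                "before": {"sku_tier": "Standard"},
                "after": {"sku_tier": "Premium"},
            },
        },
        {
            "address": 'module.landing_zones.azurerm_firewall_policy.connectivity["policy-placeholder"]',
            "type": "azurerm_firewall_policy",
            "change": {
                "actions": ["delete", "create"],
                "before": {
                    "sku": "Standard",
                    "firewalls": [
                        "/subscriptions/00000000-0000-0000-0000-000000000000"
                        "/resourceGroups/rg-placeholder/providers/Microsoft.Network"
                        "/azureFirewalls/fw-placeholder",
                    ],
                },
                "after": {"sku": "Premium", "firewalls": None},
            },
        },
    ],
})


def is_replacement(actions: list[str]) -> bool:
    """Terraform encodes -/+ (and +/-) replacement as both delete and create."""
    return {"delete", "create"} <= set(actions)


def find_blocked_policy_replacements(plan: dict) -> list[dict]:
    """Return one finding per firewall policy whose replacement Azure will refuse
    because firewalls are still attached to the old policy."""
    findings: list[dict] = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_firewall_policy":
            continue
        change = rc.get("change") or {}
        if not is_replacement(change.get("actions") or []):
            continue
        before = change.get("before") or {}  # null when the resource is new
        after = change.get("after") or {}
        attached = before.get("firewalls") or []
        if attached:
            findings.append({
                "address": rc.get("address", "<unknown>"),
                "sku_change": f"{before.get('sku')} -> {after.get('sku')}",
                "firewalls": list(attached),
            })
    return findings


def check_plan_text(plan_json: str) -> list[dict]:
    """Parse the JSON plan text and run the check."""
    return find_blocked_policy_replacements(json.loads(plan_json))


if __name__ == "__main__":
    # Usage: python check_fw_policy_plan.py plan.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    problems = check_plan_text(text)
    for p in problems:
        print(f"BLOCKED: {p['address']} ({p['sku_change']}) is still attached to:")
        for fw in p["firewalls"]:
            print(f"  - {fw}")
    sys.exit(1 if problems else 0)
```

Run it as a gate in the pipeline between `terraform plan -out=tfplan` and `terraform apply`: a non-zero exit means the apply would stop halfway with the policy half-destroyed, so the operator can unlink or re-point the firewall first, as the maintainer's reply suggests, instead of discovering the 400 mid-apply.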
matt-FFFFFF commented 11 months ago

Hi @thijstijsma

Thanks for reporting this - it seems that you might need to manually unlink the policy from the firewall to get around this.

We will look into fixing this in a future release.

AErmie commented 1 week ago

@matt-FFFFFF, I'm encountering this error for a client. Has this issue been added to the backlog, and/or fixed in a release since being reported?