Open DII-dsward opened 3 days ago
@DII-dsward I tested locally: the resource is created successfully and the corresponding 'private_id' is configured. Can you try according to the following script?
```yaml
- name: Create virtual network
  azure_rm_virtualnetwork:
    name: "{{ virtual_network_name }}"
    address_prefixes_cidr:
      - 10.1.0.0/16
      - 172.100.0.0/16
    dns_servers:
      - 127.0.0.1
      - 127.0.0.3
    tags:
      testing: testing
      delete: on-exit
    resource_group: "{{ resource_group }}"

- name: Create subnet
  azure_rm_subnet:
    name: "{{ subnet_name }}"
    virtual_network_name: "{{ virtual_network_name }}"
    resource_group: "{{ resource_group }}"
    address_prefix_cidr: "10.1.0.0/24"

- name: Create public IP address
  azure_rm_publicipaddress:
    resource_group: "{{ resource_group }}"
    allocation_method: Static
    name: "{{ public_ipaddress_name }}"
    sku: Standard
  register: pip_output

- name: Create Azure Firewall
  azure_rm_azurefirewall:
    resource_group: '{{ resource_group }}'
    name: '{{ azure_firewall_name }}'
    ip_configurations:
      - subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
        name: azureFirewallIpConfiguration
  register: output

- name: Get info of the Azure Firewall
  azure_rm_azurefirewall_info:
    resource_group: '{{ resource_group }}'
    name: '{{ azure_firewall_name }}'
  register: output

- name: Print the azure firewall facts
  debug:
    var: output
```
```json
{
    "output": {
        "changed": false,
        "failed": false,
        "firewalls": {
            "etag": "W/\"55f620c1-d4c4-4a77-ab34-a3dc7e3d6bec\"",
            "id": "/subscriptions/xxx/resourceGroups/v-xisuRG01/providers/Microsoft.Network/azureFirewalls/myFirewall",
            "ip_configurations": [
                {
                    "etag": "W/\"55f620c1-d4c4-4a77-ab34-a3dc7e3d6bec\"",
                    "id": "/subscriptions/xxx/resourceGroups/v-xisuRG01/providers/Microsoft.Network/azureFirewalls/myFirewall/azureFirewallIpConfigurations/azureFirewallIpConfiguration",
                    "name": "azureFirewallIpConfiguration",
                    "properties": {
                        "privateIPAddress": "10.1.0.4",
                        "privateIPAllocationMethod": "Dynamic",
                        "provisioningState": "Succeeded",
                        "publicIPAddress": {
                            "id": "/subscriptions/xxx/resourceGroups/v-xisuRG01/providers/Microsoft.Network/publicIPAddresses/myPublicIpAddress"
                        },
                        "subnet": {
                            "id": "/subscriptions/xxx/resourceGroups/v-xisuRG01/providers/Microsoft.Network/virtualNetworks/myVirtualNetwork/subnets/AzureFirewallSubnet"
                        }
                    },
                    "type": "Microsoft.Network/azureFirewalls/azureFirewallIpConfigurations"
                }
            ],
            "location": "eastus",
            "name": "myFirewall",
            "nat_rule_collections": [],
            "network_rule_collections": [],
            "provisioning_state": "Succeeded",
            "tags": null
        }
    }
}
```
@DII-dsward Your creation failure should be due to the fact that your subnet, public IP address and Azure Firewall are not in the same region. Thank you!
I have switched from using id to name as you suggested. These deployments don't show up under the resource group deployments list, so I cannot provide any output from Azure. When this deploys and provisioning shows as failed, there is a "migrate to firewall policy" button. If I click through that, it also fails because the firewall has a provisioning state of failed. But it does then provide an output from Azure in the deployment list of the resource group showing this:
```json
{
    "code": "InternalServerError",
    "message": "An error occurred.",
    "details": []
}
```
Here is the playbook:
```yaml
# 1. Create or update the public IP if none is available
- name: Create public IP if none is available
  azure.azcollection.azure_rm_publicipaddress:
    resource_group: "VnetRSG"
    name: "PIP-AZFWUSC1-1"
    location: "southcentralus"
    allocation_method: "Static"
    sku: "Standard"
    state: "present"
  register: new_public_ip

# 2. Create or update the Azure Firewall using names instead of IDs
- name: Create or update the Azure Firewall
  azure.azcollection.azure_rm_azurefirewall:
    resource_group: "VnetRSG"
    name: "AZFWUSC1"
    location: "southcentralus"
    ip_configurations:
      - name: "azureFirewallIpConfiguration"
        public_ip_address:
          name: "{{ new_public_ip.name }}"
        subnet:
          virtual_network_name: "FW_VNET"
          name: "AzureFirewallSubnet"
    state: "present"
```
Here is the Ansible output:
```json
{
    "changed": true,
    "id": "/subscriptions/<omitted>/resourceGroups/VnetRSG/providers/Microsoft.Network/azureFirewalls/AZFWUSC1",
    "invocation": {
        "module_args": {
            "resource_group": "VnetRSG",
            "name": "AZFWUSC1",
            "location": " southcentralus \n",
            "ip_configurations": [
                {
                    "name": "azureFirewallIpConfiguration",
                    "public_ip_address": {
                        "name": "PIP-AZFWUSC1-1"
                    },
                    "subnet": {
                        "virtual_network_name": "FW_VNET",
                        "name": "AzureFirewallSubnet"
                    }
                }
            ],
            "state": "present",
            "auth_source": "auto",
            "cloud_environment": "AzureCloud",
            "api_profile": "latest",
            "disable_instance_discovery": false,
            "append_tags": true,
            "profile": null,
            "subscription_id": null,
            "client_id": null,
            "secret": null,
            "tenant": null,
            "ad_user": null,
            "password": null,
            "cert_validation_mode": null,
            "adfs_authority_url": null,
            "log_mode": null,
            "log_path": null,
            "x509_certificate_path": null,
            "thumbprint": null,
            "tags": null,
            "application_rule_collections": null,
            "nat_rule_collections": null,
            "network_rule_collections": null
        }
    },
    "_ansible_no_log": false
}
```
Should I be using azure.azcollection.azure_rm_firewallpolicy to deploy these firewalls instead?
@DII-dsward I have not been able to simulate the error you encountered, so I am not sure whether the connection (--) solves the problem you encountered; you can refer to the following way to try. Thank you!
![aure_fireawll](https://github.com/user-attachments/assets/acc6f9c3-89fa-404e-a10e-4c490f081bb1)
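The maintainer's diagnosis above is a region mismatch between the subnet, public IP and firewall, and the `module_args` echoed in the Ansible output show the firewall's `location` arriving as `" southcentralus \n"`. As an added example (not part of this thread or of azure.azcollection), a pre-flight check in Python over the two tasks' module arguments, constructed here to mirror that output, flags stray whitespace in `location`, a region mismatch between the public IP and firewall tasks, a subnet not named AzureFirewallSubnet, and a referenced public IP that is not Standard SKU with Static allocation:

```python
import copy
import json

# Constructed sample (not from the thread): the two tasks' module arguments as the
# Ansible invocation echoes them, including " southcentralus \n" as the location.
SAMPLE_TASKS = json.loads(r'''[
 {"module": "azure.azcollection.azure_rm_publicipaddress", "module_args": {
   "resource_group": "VnetRSG", "name": "PIP-AZFWUSC1-1", "location": "southcentralus",
   "allocation_method": "Static", "sku": "Standard"}},
 {"module": "azure.azcollection.azure_rm_azurefirewall", "module_args": {
   "resource_group": "VnetRSG", "name": "AZFWUSC1", "location": " southcentralus \n",
   "ip_configurations": [{"name": "azureFirewallIpConfiguration",
     "public_ip_address": {"name": "PIP-AZFWUSC1-1"},
     "subnet": {"virtual_network_name": "FW_VNET", "name": "AzureFirewallSubnet"}}]}}
]''')

def check_tasks(tasks):
    """Return a list of findings; an empty list means the task pair is consistent."""
    findings, regions, pips = [], {}, {}
    for task in tasks:
        mod, args = task["module"], task["module_args"]
        loc = args.get("location")
        if loc is not None:
            if loc != loc.strip():
                findings.append(f"{mod}: location {loc!r} carries stray whitespace")
            regions[mod] = loc.strip().lower()
        if mod.endswith("azure_rm_publicipaddress"):
            pips[args["name"]] = args
    if len(set(regions.values())) > 1:
        findings.append(f"region mismatch across tasks: {regions}")
    for task in tasks:
        if task["module"].endswith("azure_rm_azurefirewall"):
            for cfg in task["module_args"].get("ip_configurations", []):
                # Azure Firewall only deploys into a subnet named AzureFirewallSubnet
                if cfg.get("subnet", {}).get("name") != "AzureFirewallSubnet":
                    findings.append(f"{cfg.get('name')}: subnet must be AzureFirewallSubnet")
                pip = pips.get(cfg.get("public_ip_address", {}).get("name"))
                # the referenced public IP must be Standard SKU with Static allocation
                if pip and (pip.get("sku"), pip.get("allocation_method")) != ("Standard", "Static"):
                    findings.append(f"{pip['name']}: firewall needs a Standard/Static public IP")
    return findings

def strip_locations(tasks):
    """Deep copy with every location value trimmed: the obvious remediation."""
    fixed = copy.deepcopy(tasks)
    for task in fixed:
        if "location" in task["module_args"]:
            task["module_args"]["location"] = task["module_args"]["location"].strip()
    return fixed
```

Running `check_tasks(SAMPLE_TASKS)` reports only the whitespace finding; `check_tasks(strip_locations(SAMPLE_TASKS))` returns an empty list.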
SUMMARY
New Azure Firewall deployment with Ansible does not generate a private IP address and provisioning state shows as failed.
COMPONENT NAME
azure.azcollection.azure_rm_azurefirewall
STEPS TO REPRODUCE
From AAP
EXPECTED RESULTS
Azure Firewall should use an IP on the AzureFirewallSubnet IP range and provisioning should reflect succeeded.
ACTUAL RESULTS
Azure Firewall does deploy but it does not have a private IP address and the provisioning state shows as failed. The Azure VNet shows the firewall object without a private IP address as well.