aztfmod / terraform-azurerm-caf

Terraform supermodule for the Terraform platform engineering for Azure
https://aztfmod.github.io/documentation/
MIT License

Firewall manager child policies keys don't seem to work with firewall_policy_key #748

Open kiebrew opened 2 years ago

kiebrew commented 2 years ago

We are in the process of deploying a set of Firewall policies (Firewall Manager) and need to associate them with corresponding firewalls.

We've come across some strange behaviour when trying to attach a child firewall policy to our firewall. I'm not sure if this is a bug or not, as my config code looks to be okay and matches the examples given to us in the CAF supermodule.

Some context:

production_policy is a child of base_policy and the policies have been deployed successfully. We then have a firewall deployed and want to associate the production_policy with it.

For some reason, using the code below, the rover container/Terraform doesn't detect the value.

The firewall policy code:

azurerm_firewall_policies = {
  base_policy = {
    name               = "Base-Policy"
    resource_group_key = "rg_hub_1"
    region             = "region1"
  }
  production_policy = {
    name               = "Production-Policy"
    resource_group_key = "rg_hub_1"
    region             = "region1"
    base_policy = {
      key = "base_policy"
    }
  }
}
azurerm_firewalls = {
  fw_hub = {
    name               = "hub"
    resource_group_key = "rg_hub_1"
    vnet_key           = "vnet_hub"
    sku_tier           = "Standard"
    zones              = [1, 2, 3]

    firewall_policy_key = "production_policy"  # Works with base_policy but not production_policy

    public_ips = {
      fw_pip_hub = {
        name          = "main"
        public_ip_key = "pip_firewall"
        vnet_key      = "vnet_hub"
        subnet_key    = "AzureFirewallSubnet"
      }
    }
  }
}

In my testing I changed firewall_policy_key to be "base_policy" instead of "production_policy" and the policy is detected correctly. But this is not our intended design.

I can work around the issue by hardcoding the resource id of the production_policy using the code below instead:

    firewall_policy = {
      id = "<prod_pol_id>"
    }

I've tried the various options available to us as defined in the CAF supermodule.

snippet from https://github.com/aztfmod/terraform-azurerm-caf/blob/master/networking_firewall.tf

  firewall_policy_id = try(coalesce(
    try(local.combined_objects_azurerm_firewall_policies[each.value.firewall_policy.lz_key][each.value.firewall_policy.key].id, null),
    try(local.combined_objects_azurerm_firewall_policies[local.client_config.landingzone_key][each.value.firewall_policy.key].id, null),
    try(local.combined_objects_azurerm_firewall_policies[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.firewall_policy_key].id, null),
    try(each.value.firewall_policy.id, null)
  ), null)
}

Any help or guidance would be greatly appreciated!

kiebrew commented 2 years ago

The workaround method I mentioned in the post above doesn't work either; I'm getting an Azure provider error when applying the changes:

##[error]Bash exited with code '1'.
##[error]Bash wrote one or more lines to the standard error stream.
##[error]
Error: creating/updating Azure Firewall "fw-hub" (Resource Group "rg-hub"): network.AzureFirewallsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InternalServerError" Message="An error occurred." Details=[]

  with module.solution.module.azurerm_firewalls["fw_hub"].azurerm_firewall.fw,
  on /tf/caf/modules/solution/modules/networking/firewall/module.tf line 13, in resource "azurerm_firewall" "fw":
  13: resource "azurerm_firewall" "fw" {

##[error]Error on or near line 374: Error running terraform apply; exiting with status 1

I've reverted and re-applied these changes twice thinking it might have been a blip, but I've had the same error twice now.

jleonelion commented 2 years ago

Upvote for this problem. I can see the root cause of the issue. In short, only local.combined_objects_azurerm_firewall_policies is being examined to determine the firewall_id. With that said, local.combined_objects_azurerm_firewall_policies only consists of policies from remote tfstate files or module.azurerm_firewall_policies. module.azurerm_firewall_policies only includes policies that do not have a base_policy defined.

In this situation, the policy being assigned is a child policy, so the search needs to examine policies in module.azure_rm_firewall_policies_child.

Assign this to me and I can submit a fix. I'll also submit a fix for https://github.com/aztfmod/terraform-azurerm-caf/issues/1101
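The root cause described in the comment above, reproduced as a standalone Terraform configuration. This is an added illustration, not code from the CAF supermodule: the two `module.*` outputs are replaced by local maps that are split on the presence of `base_policy`, the policy ids and the landing-zone key are constructed values, and the `combined_objects_buggy` / `combined_objects_fixed` locals are hypothetical names that mirror the shape of `local.combined_objects_azurerm_firewall_policies`. It needs no provider, so `terraform init && terraform apply` (or `terraform console`) runs it offline: the lookup built only from top-level policies returns null for `production_policy`, while the lookup built from the merged map returns the child policy's id.

```hcl
# Added illustration (not the CAF module's code). All names and ids are
# constructed for this example; see the lead-in for what each one stands for.

locals {
  # Constructed stand-in for local.client_config.landingzone_key.
  landingzone_key = "hub"

  # Same shape as the azurerm_firewall_policies input from the issue.
  azurerm_firewall_policies = {
    base_policy = {
      name = "Base-Policy"
    }
    production_policy = {
      name        = "Production-Policy"
      base_policy = { key = "base_policy" }
    }
  }

  # Stand-in for module.azurerm_firewall_policies: only policies WITHOUT a
  # base_policy. Ids are constructed.
  top_level_policies = {
    for k, v in local.azurerm_firewall_policies :
    k => { id = "/constructed/firewallPolicies/${k}" }
    if !can(v.base_policy)
  }

  # Stand-in for module.azure_rm_firewall_policies_child: only policies WITH
  # a base_policy.
  child_policies = {
    for k, v in local.azurerm_firewall_policies :
    k => { id = "/constructed/firewallPolicies/${k}" }
    if can(v.base_policy)
  }

  # Buggy shape (hypothetical name): the combined map is built from the
  # top-level module alone, so child policies are invisible to the lookup.
  combined_objects_buggy = {
    (local.landingzone_key) = local.top_level_policies
  }

  # Fixed shape (hypothetical name): merge child policies into the same
  # landing-zone map so firewall_policy_key resolves for both kinds.
  combined_objects_fixed = {
    (local.landingzone_key) = merge(local.top_level_policies, local.child_policies)
  }

  # The firewall input from the issue, reduced to the key that matters.
  firewall = {
    firewall_policy_key = "production_policy"
  }

  # Same try(coalesce(try(...))) pattern as networking_firewall.tf, with
  # try() swallowing the coalesce() error when every candidate is null.
  lookup_buggy = try(coalesce(
    try(local.combined_objects_buggy[local.landingzone_key][local.firewall.firewall_policy_key].id, null)
  ), null)

  lookup_fixed = try(coalesce(
    try(local.combined_objects_fixed[local.landingzone_key][local.firewall.firewall_policy_key].id, null)
  ), null)
}

output "buggy_lookup" {
  description = "Child policy key resolved against the top-level-only map."
  value       = local.lookup_buggy
}

output "fixed_lookup" {
  description = "Child policy key resolved against the merged map."
  value       = local.lookup_fixed
}
```

Changing `firewall_policy_key` to `base_policy` makes both outputs agree, which matches the behaviour reported in the issue; the difference only appears for keys that live in the child-policy map.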