Open shlomimn opened 1 year ago
I have added rule bbb, and the result is seen above.

```hcl
"bbb" = {
  source_addresses      = ["10.10.10.10/32"]
  destination_ports     = ["443"]
  destination_addresses = ["10.21.21.21/32"]
  protocols             = ["TCP"]
}
```
@shlomimn thanks for filing this issue. This should be by design, as the rule is a `List` instead of a `Set`. Could you add the `bbb` rule to the end of the rules list? I believe that won't recreate the existing rules. Inserting an element into a `List` would update all elements after it.
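To make the `List` versus `Set` behaviour concrete, here is an added Python simulation (not provider code; the rule dicts and the `aaa`/`ccc`/`ddd` neighbours are constructed) that diffs an old and a new rule list two ways: by position, which is how a `List` schema addresses its elements, and by rule name, which is how a `Set` or map keyed on name would. Inserting `bbb` in the middle shows up as an update of every later rule plus one create under the positional diff, while appending it, or diffing by name, yields the single create the reporter expects. Removing a middle rule shifts everything after it in the same way.

```python
"""Positional (List) vs keyed (Set/map) diff of firewall rules.

Added illustration, not provider code. Each rule is the dict a `rule` block
like the issue's `bbb` would hold; the neighbouring rules are constructed.
"""


def make_rule(name, src, dst, ports, protocols):
    return {
        "name": name,
        "source_addresses": [src],
        "destination_addresses": [dst],
        "destination_ports": [str(p) for p in ports],
        "protocols": list(protocols),
    }


def diff_by_index(old, new):
    """Compare element i of old with element i of new, as a List schema does.

    Returns (index, action) tuples; action is 'update', 'create' or 'delete'.
    """
    changes = []
    for i in range(max(len(old), len(new))):
        if i >= len(old):
            changes.append((i, "create"))
        elif i >= len(new):
            changes.append((i, "delete"))
        elif old[i] != new[i]:
            changes.append((i, "update"))
    return changes


def diff_by_name(old, new):
    """Match rules by name, as a Set or map keyed on the rule name does."""
    old_map = {r["name"]: r for r in old}
    new_map = {r["name"]: r for r in new}
    changes = [(n, "delete") for n in old_map.keys() - new_map.keys()]
    changes += [(n, "create") for n in new_map.keys() - old_map.keys()]
    changes += [(n, "update") for n in old_map.keys() & new_map.keys()
                if old_map[n] != new_map[n]]
    return sorted(changes)


def insert_rule(rules, rule, position):
    out = list(rules)
    out.insert(position, rule)
    return out


def remove_rule(rules, name):
    return [r for r in rules if r["name"] != name]


# Constructed starting state: three rules already deployed.
EXISTING = [
    make_rule("aaa", "10.10.10.10/32", "10.20.20.20/32", [22], ["TCP"]),
    make_rule("ccc", "10.10.10.10/32", "10.22.22.22/32", [53], ["UDP"]),
    make_rule("ddd", "10.10.10.10/32", "10.23.23.23/32", [80], ["TCP"]),
]
# The rule from the issue.
BBB = make_rule("bbb", "10.10.10.10/32", "10.21.21.21/32", [443], ["TCP"])


def plan_insert(position):
    """Both diffs for inserting BBB at `position` in EXISTING."""
    new = insert_rule(EXISTING, BBB, position)
    return {"by_index": diff_by_index(EXISTING, new),
            "by_name": diff_by_name(EXISTING, new)}


def plan_remove(name):
    """Both diffs for removing the named rule from EXISTING."""
    new = remove_rule(EXISTING, name)
    return {"by_index": diff_by_index(EXISTING, new),
            "by_name": diff_by_name(EXISTING, new)}


if __name__ == "__main__":
    print("insert bbb in the middle:", plan_insert(1))
    print("append bbb at the end:  ", plan_insert(len(EXISTING)))
    print("remove ccc from middle: ", plan_remove("ccc"))
```

The practical consequence for review is that a positional plan touching a dozen "updated" firewall rules is hard to audit for the one intended change, which is why appending to the end keeps the plan readable until the schema is keyed.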
@wuxu92 Yes, that is right. But if you want to change an already existing rule, you get the same problem.
Because of this we can't use Terraform right now for the Azure Firewall policy deployment. We maintain the firewall policies in the Azure Portal.
@catriona-m Is there maybe a workaround for this, or a timeline for when it will be fixed?
Use the `azurerm_resource_group_template_deployment` resource instead of `azurerm_firewall_policy_rule_collection_group` for the rule-collection deployment.
```hcl
provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "rg" {
  name = "<Your-RG>"
}

resource "azurerm_resource_group_template_deployment" "example2" {
  name                = "firewall-rulecollectiongroup"
  resource_group_name = data.azurerm_resource_group.rg.name
  deployment_mode     = "Incremental"

  # The whole rule collection group is one ARM template, so Terraform diffs a
  # single JSON document instead of a list of provider-schema rule blocks.
  template_content = jsonencode({
    "$schema" : "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion" : "1.0.0.0",
    "resources" : [
      {
        "type" : "Microsoft.Network/firewallPolicies",
        "apiVersion" : "2022-01-01",
        "name" : "firewall-policy-test",
        "location" : "West Europe",
        "properties" : {
          "threatIntelMode" : "Alert"
        }
      },
      {
        "type" : "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
        "apiVersion" : "2023-04-01",
        "name" : "firewall-policy-test/fwrulecollectiontype1",
        "properties" : {
          "priority" : "100",
          "ruleCollections" : [
            {
              "name" : "test1",
              "priority" : "100",
              "ruleCollectionType" : "FirewallPolicyFilterRuleCollection",
              "action" : {
                "type" : "Allow"
              },
              "rules" : [
                {
                  "ruleType" : "NetworkRule",
                  "name" : "rule0",
                  "ipProtocols" : ["UDP"],
                  "destinationAddresses" : ["13.86.101.172"],
                  "sourceAddresses" : ["13.86.101.172"],
                  "destinationPorts" : ["123"]
                },
                {
                  "ruleType" : "NetworkRule",
                  "name" : "rule1",
                  "ipProtocols" : ["UDP"],
                  "destinationAddresses" : ["13.86.101.172"],
                  "sourceAddresses" : ["13.86.101.172"],
                  "destinationPorts" : ["123"]
                },
                {
                  "ruleType" : "NetworkRule",
                  "name" : "rule3",
                  "ipProtocols" : ["UDP"],
                  "destinationAddresses" : ["13.86.101.172"],
                  "sourceAddresses" : ["13.86.101.172"],
                  "destinationPorts" : ["123"]
                },
                {
                  "ruleType" : "NetworkRule",
                  "name" : "rule2",
                  "ipProtocols" : ["UDP"],
                  "destinationAddresses" : ["13.86.101.172"],
                  "sourceAddresses" : ["13.86.101.172"],
                  "destinationPorts" : ["123"]
                }
              ]
            }
          ]
        },
        # The rule collection group must be deployed after its parent policy.
        "dependsOn" : [
          "[resourceId('Microsoft.Network/firewallPolicies', 'firewall-policy-test')]"
        ]
      }
    ]
  })
}
```
Here you see only the changes that you have made. If you delete a rule between two existing rules, only the rule that you want to delete will be highlighted for deletion. In this example, I removed rule3:
```text
Terraform will perform the following actions:

  # azurerm_resource_group_template_deployment.example2 will be updated in-place
  ~ resource "azurerm_resource_group_template_deployment" "example2" {
        id                  = "/subscriptions/.../resourceGroups/.../providers/Microsoft.Resources/deployments/firewall-rulecollectiongroup"
        name                = "firewall-rulecollectiongroup"
        tags                = {}
      ~ template_content    = jsonencode(
          ~ {
              ~ resources = [
                    {
                        apiVersion = "2022-01-01"
                        location   = "West Europe"
                        name       = "firewall-policy-test1"
                        properties = {
                            threatIntelMode = "Alert"
                        }
                        type       = "Microsoft.Network/firewallPolicies"
                    },
                  ~ {
                        name       = "firewall-policy-test1/fwrulecollectiontype1"
                      ~ properties = {
                          ~ ruleCollections = [
                              ~ {
                                    name = "test1"
                                  ~ rules = [
                                        # (1 unchanged element hidden)
                                        {
                                            destinationAddresses = [
                                                "13.86.101.172",
                                            ]
                                            destinationPorts     = [
                                                "123",
                                            ]
                                            ipProtocols          = [
                                                "UDP",
                                            ]
                                            name                 = "rule1"
                                            ruleType             = "NetworkRule"
                                            sourceAddresses      = [
                                                "13.86.101.172",
                                            ]
                                        },
                                      - {
                                          - destinationAddresses = [
                                              - "13.86.101.172",
                                            ]
                                          - destinationPorts     = [
                                              - "123",
                                            ]
                                          - ipProtocols          = [
                                              - "UDP",
                                            ]
                                          - name                 = "rule3"
                                          - ruleType             = "NetworkRule"
                                          - sourceAddresses      = [
                                              - "13.86.101.172",
                                            ]
                                        },
                                        {
                                            destinationAddresses = [
                                                "13.86.101.172",
                                            ]
                                            destinationPorts     = [
                                                "123",
                                            ]
                                            ipProtocols          = [
                                                "UDP",
                                            ]
                                            name                 = "rule2"
                                            ruleType             = "NetworkRule"
                                            sourceAddresses      = [
                                                "13.86.101.172",
                                            ]
                                        },
                                    ]
                                    # (3 unchanged attributes hidden)
                                },
                            ]
                            # (1 unchanged attribute hidden)
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (2 unchanged attributes hidden)
            }
        )
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
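The workaround moves the rules into hand-written JSON that Terraform does not type-check, so a stray quote or missing comma, a CIDR typo, or a `dependsOn` pointing at the wrong policy name only fails at deployment time. The following Python script is an added example, not provider or Azure tooling: it builds a template in the same shape as the one in the comment above from constructed sample rules and flags malformed addresses and ports, unknown protocols, duplicate rule names within a collection, and a `dependsOn` that does not resolve to a resource declared in the same template. The allowed protocol set and the per-collection name uniqueness are assumptions encoded here, not taken from the page.

```python
"""Pre-deployment checks for a firewallPolicies/ruleCollectionGroups template.

Added example, not provider or Azure tooling. The sample template is built
here to match the shape of the workaround; the checks encode assumed Azure
constraints (protocol names, unique rule names per collection).
"""
import ipaddress
import json
import re

ALLOWED_PROTOCOLS = {"TCP", "UDP", "ICMP", "Any"}  # assumption
RCG_TYPE = "Microsoft.Network/firewallPolicies/ruleCollectionGroups"
# The ARM expression form used in the template's dependsOn entries.
RESOURCE_ID_RE = re.compile(r"\[resourceId\('([^']+)',\s*'([^']+)'\)\]")


def _check_address(value, where, problems):
    """Accept '*' or any IPv4/IPv6 host or CIDR; anything else is a typo."""
    if value == "*":
        return
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        problems.append(f"{where}: bad address {value!r}")


def _check_port(value, where, problems):
    """Accept '*', a single port, or 'lo-hi' within 1..65535."""
    if value == "*":
        return
    try:
        nums = [int(p) for p in value.split("-")]
    except ValueError:
        problems.append(f"{where}: bad port {value!r}")
        return
    if len(nums) > 2 or nums != sorted(nums) or not all(1 <= n <= 65535 for n in nums):
        problems.append(f"{where}: bad port {value!r}")


def check_network_rule(rule, where, problems):
    for proto in rule.get("ipProtocols", []):
        if proto not in ALLOWED_PROTOCOLS:
            problems.append(f"{where}: unknown protocol {proto!r}")
    for key in ("sourceAddresses", "destinationAddresses"):
        for addr in rule.get(key, []):
            _check_address(addr, where, problems)
    for port in rule.get("destinationPorts", []):
        _check_port(port, where, problems)


def validate_template(template_json):
    """Return human-readable problems; an empty list means the checks passed."""
    doc = json.loads(template_json)
    resources = doc.get("resources", [])
    declared = {(r["type"], r["name"]) for r in resources}
    problems = []
    for res in resources:
        if res.get("type") != RCG_TYPE:
            continue
        # dependsOn must name a resource declared in this same template.
        for dep in res.get("dependsOn", []):
            m = RESOURCE_ID_RE.fullmatch(dep)
            if m is None:
                problems.append(f"{res['name']}: unparsable dependsOn {dep!r}")
            elif (m.group(1), m.group(2)) not in declared:
                problems.append(f"{res['name']}: dependsOn names undeclared resource {m.group(2)!r}")
        for coll in res["properties"].get("ruleCollections", []):
            seen = set()
            for rule in coll.get("rules", []):
                where = f"{res['name']}/{coll['name']}/{rule.get('name', '?')}"
                if rule.get("name") in seen:
                    problems.append(f"{where}: duplicate rule name")
                seen.add(rule.get("name"))
                if rule.get("ruleType") == "NetworkRule":
                    check_network_rule(rule, where, problems)
    return problems


def network_rule(name, src, dst, ports, protos):
    return {"ruleType": "NetworkRule", "name": name, "ipProtocols": protos,
            "sourceAddresses": [src], "destinationAddresses": [dst],
            "destinationPorts": ports}


def build_template(rules, policy_name="firewall-policy-test", depends_on=None):
    """Constructed template with the same resource layout as the workaround."""
    depends_on = depends_on or f"[resourceId('Microsoft.Network/firewallPolicies', '{policy_name}')]"
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {"type": "Microsoft.Network/firewallPolicies", "apiVersion": "2022-01-01",
             "name": policy_name, "location": "West Europe",
             "properties": {"threatIntelMode": "Alert"}},
            {"type": RCG_TYPE, "apiVersion": "2023-04-01",
             "name": f"{policy_name}/fwrulecollectiontype1",
             "properties": {"priority": 100, "ruleCollections": [
                 {"name": "test1", "priority": 100,
                  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                  "action": {"type": "Allow"}, "rules": rules}]},
             "dependsOn": [depends_on]},
        ],
    })


# Constructed samples: one clean rule, then a copy with four deliberate mistakes.
GOOD = [network_rule("rule0", "10.10.10.10/32", "10.21.21.21/32", ["443"], ["TCP"])]
BAD = GOOD + [network_rule("rule0", "10.0.0.300/32", "10.21.21.21/32", ["99999"], ["TCPP"])]

if __name__ == "__main__":
    print("good:", validate_template(build_template(GOOD)))
    for p in validate_template(build_template(BAD)):
        print("-", p)
```

Running this against the real `template_content` is a matter of feeding `validate_template` the output of `terraform console` for `jsonencode(...)`, or the rendered template from `terraform show -json`; the point is to catch the mistakes before `apply` rather than in the ARM deployment error.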
### Terraform Version

1.4.6

### AzureRM Provider Version

3.58.0

### Affected Resource(s)/Data Source(s)

azurerm_firewall_policy_rule_collection_group

### Terraform Configuration Files

### Debug Output/Panic Output

### Expected Behaviour

Adding a new rule in any of the rule collections should only add the rule.

### Actual Behaviour

It seems Terraform is deleting all the existing rules, then recreating them along with the new ones.

### Steps to Reproduce

No response

### Important Factoids

No response

### References

https://github.com/hashicorp/terraform-provider-azurerm/issues/10083