Bug: Azure Firewall policy differences between primary and secondary secured VWAN hub results in error #416

@chianw

Description

Is there an existing issue for this?

  • I have searched the existing issues

Infrastructure as Code Type? (Required)

terraform

PowerShell Module Version (Optional)

No response

Bootstrap Module Version (Optional)

No response

Starter Module? (Required)

terraform - platform_landing_zone

Starter Module Version (Optional)

No response

Input arguments of the ALZ-PowerShell-Module (Optional)

Primary and secondary secured VWAN hubs are deployed, each with an Azure Firewall. However, there are differences between the Azure Firewall Policy attached to the AzureFW in the primary hub and the one attached to the AzureFW in the secondary VWAN hub.

Only AzureFW in primary hub should have parent policy and threat intelligence set to Alert, but AzureFW in secondary hub does not have parent policy or threat intelligence settings.

The tfvars snippet below results in an error when run:

virtual_wan_virtual_hubs = {
  primary = {
    firewall_policy = {
      name           = "$${primary_firewall_policy_name}"
      base_policy_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Network/firewallPolicies/myfwparentpolicy"
      dns = {
        servers       = ["x.x.x.x"]
        proxy_enabled = true
      }
      threat_intelligence_mode = "Alert"
    }
  }

  secondary = {
    # No base_policy_id and no threat_intelligence_mode on this hub
    firewall_policy = {
      name = "$${secondary_firewall_policy_name}"
      dns = {
        servers       = ["x.x.x.x"]
        proxy_enabled = true
      }
    }
  }
}

As a workaround, a parent policy has to be attached to the secondary FW policy and threat intelligence enabled, even when these are not needed.

Debug Output/Panic Output (Optional)

The error is below:

╷
│ Error: Invalid value for input variable
│
│ The given value is not suitable for var.virtual_wan_virtual_hubs declared
│ at variables.connectivity.virtual.wan.tf:16,1-36: cannot find a common base
│ type for all elements.

Expected Behaviour (Required)

Firewall policies attached to the primary and secondary AzureFW in VWAN hubs can have different policy settings, e.g. parent policy, threat intelligence, etc.

Actual Behaviour (Required)

The error below occurs when the primary and secondary FW policies are different:

╷
│ Error: Invalid value for input variable
│
│ The given value is not suitable for var.virtual_wan_virtual_hubs declared
│ at variables.connectivity.virtual.wan.tf:16,1-36: cannot find a common base
│ type for all elements

Steps to Reproduce (Optional)

No response

Important Factoids (Optional)

No response

References (Optional)

No response
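As an added example (not the accelerator's own variables file and not the reporter's code), this is a variable declaration that accepts the two differing hub objects from the report without the parent-policy workaround. It assumes the failing declaration made Terraform infer one common element type for every hub (for instance `map(any)`); the `optional()` attributes, the `"Off"` default and the validation block are assumptions added here, not the module's actual schema.

```hcl
# Added example, not the accelerator's own variables.tf. Assumption: the
# failing declaration let Terraform infer a single element type for the whole
# map (e.g. map(any)), so the primary object (with base_policy_id and
# threat_intelligence_mode) and the secondary object (without them) could not
# be unified. Declaring those attributes as optional() lets each hub carry
# only the settings it needs.
variable "virtual_wan_virtual_hubs" {
  type = map(object({
    firewall_policy = optional(object({
      name = string

      # Absent on the secondary hub; stays null there instead of being
      # forced to a parent policy the hub does not need.
      base_policy_id = optional(string)

      # Defaulting to "Off" keeps the secondary hub's effective setting
      # explicit and visible in the plan when the attribute is omitted.
      threat_intelligence_mode = optional(string, "Off")

      dns = optional(object({
        servers       = list(string)
        proxy_enabled = optional(bool, false)
      }))
    }))
  }))

  # Constructed check: reject a mistyped mode at plan time rather than at the
  # API, using the values Azure Firewall Policy accepts for threat intelligence.
  validation {
    condition = alltrue([
      for hub in values(var.virtual_wan_virtual_hubs) :
      hub.firewall_policy == null ? true :
      contains(["Off", "Alert", "Deny"], hub.firewall_policy.threat_intelligence_mode)
    ])
    error_message = "threat_intelligence_mode must be one of Off, Alert or Deny."
  }
}
```

With this declaration the primary and secondary values shown in the report both convert cleanly, because Terraform no longer has to find a common base type between objects with different attribute sets.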

Labels

  • Status: Long Term ⌛ We will do it, but will take a longer amount of time due to complexity/priorities
  • Type: Bug 🪲 Something isn't working
