Support for rule_collection as resources for azurerm_firewall_policy_rule_collection_group #16586
Comments
Hi @HSoulat, even though I would like to see this feature implemented as well, I don't think it is possible as of now. Looking through the documentation of the Azure API and the Azure Go SDK the required API endpoints for this feature simply do not seem to exist (yet?). So currently there is no other way to create rule collections as separate resources in conjunction with a Firewall Policy. What I noticed however is that you can manage regards
Hi, is this still the case? I see now with azure cli you can split the creation between rule collection group (the rule collection itself) and rule collection group collection (the network/application group + all the rules). The Best regards
We are also seeing a need for this functionality. Managing firewall rules at scale with one (or a few) very large
The use of IP Groups makes it a little bit easier: you create a set of default rules with IP groups, and you only change the IP groups when new IP ranges need to be added or deleted. This way you don't touch the firewall config when changes need to be made.
I agree that not having each rule collection as an individual resource is frustrating and limiting to our ability to manage a large number of rule collections at scale. But this is not a limitation of how Terraform deploys the rule collection; rather a limitation of how Microsoft has designed the Rule Collection Groups. We have been able to get around some of this limitation by breaking the rule collections into individual YAML files and then joining the files and using a dynamic block to loop through the list of rule collections. The piece that we are unable to overcome is that the rule collections are in the Azure Rule Collection Group, and thus in the Terraform state file, as an ordered list. This means that making an update to a rule in the middle of the list results in every rule below it being modified. To help reduce the potential impact of a reorder, we have opted to order the list by priority number rather than by rule name. This ordered-list approach by Microsoft also means that rules within a rule collection are also subject to reordering if updates are made. It is unfortunate that Microsoft has chosen this path for firewall rule management. I even had a Microsoft Support rep admit that the way Classic Rules are managed is a more efficient way to manage a large number of rules. Microsoft went with an Azure Portal UI focus for managing the firewall rule collection groups, which might work for smaller organizations. But this approach makes it extremely difficult to manage IaC at a large scale.
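The per-file YAML plus dynamic-block workaround described in the comment above, written out as an added example (not code from the issue or from the provider). It assumes a `rules/` directory next to the module, one network rule collection per YAML file, and an existing `azurerm_firewall_policy.example`; the list handed to the dynamic block is ordered by zero-padded priority so that renaming a file or collection does not shift every entry below it in state.

```hcl
# Constructed sample of one file, rules/web-egress.yaml (assumed layout):
#   name: web-egress
#   priority: 200
#   action: Allow
#   rules:
#     - name: https-out
#       protocols: ["TCP"]
#       source_ip_groups: ["/subscriptions/.../ipGroups/app-servers"]
#       destination_addresses: ["*"]
#       destination_ports: ["443"]
locals {
  rule_files = fileset("${path.module}/rules", "*.yaml")

  network_rule_collections = [
    for f in local.rule_files : yamldecode(file("${path.module}/rules/${f}"))
  ]

  # Key each collection by zero-padded priority. Terraform rejects duplicate
  # keys in a for-expression map, so two files sharing a priority fail at plan
  # time instead of silently colliding in the rule collection group.
  by_priority = {
    for rc in local.network_rule_collections : format("%05d", rc.priority) => rc
  }

  # keys() returns sorted keys, so this list is ordered by priority, not file name.
  ordered_collections = [for k in keys(local.by_priority) : local.by_priority[k]]
}

resource "azurerm_firewall_policy_rule_collection_group" "example" {
  name               = "example-rcg"
  firewall_policy_id = azurerm_firewall_policy.example.id
  priority           = 500

  dynamic "network_rule_collection" {
    for_each = local.ordered_collections
    content {
      name     = network_rule_collection.value.name
      priority = network_rule_collection.value.priority
      action   = network_rule_collection.value.action

      dynamic "rule" {
        for_each = network_rule_collection.value.rules
        content {
          name                  = rule.value.name
          protocols             = rule.value.protocols
          source_ip_groups      = rule.value.source_ip_groups
          destination_addresses = rule.value.destination_addresses
          destination_ports     = rule.value.destination_ports
        }
      }
    }
  }
}
```

Inserting a collection with a priority between two existing ones still shifts the list positions after it in state, as the comment notes; this only keeps the order stable across unrelated edits.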
Description
Hi,
For now all application, network and NAT rule collections must be listed as arguments in a single azurerm_firewall_policy_rule_collection_group resource. This can lead to a very long resource configuration.
As with other resources, these arguments could be created as separate resources. This would allow for a more readable configuration file.
New or Affected Resource(s)/Data Source(s)
azurerm_firewall_policy_rule_collection_group, application_rule_collection, network_rule_collection, nat_rule_collection