
Azure Firewall is recreated when Resource Group and/or the VNET-name contains uppercase letters #24983

Open
Exchizz opened this issue Feb 22, 2024 · 7 comments
Labels
category/casing/resource-id service/firewall upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. v/3.x

Comments

@Exchizz

Exchizz commented Feb 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

v1.3.9

AzureRM Provider Version

3.92.0

Affected Resource(s)/Data Source(s)

azurerm_firewall

Terraform Configuration Files

resource "azurerm_firewall" "firewall" {
  name                = local.full_firewall_name
  location            = local.location
  resource_group_name = local.resource_group_name
  sku_name            = local.firewall_sku
  sku_tier            = local.firewall_tier

  firewall_policy_id = local.create_policy ? azurerm_firewall_policy.policy[0].id : data.azurerm_firewall_policy.policy[0].id

  ip_configuration {
    name                 = "AzureFirewallIpConfiguration0"
    subnet_id            = local.subnet_id
    public_ip_address_id = local.public_ip_address_id
  }

  management_ip_configuration {
    name                 = "AzureFirewallMgmtIpConfiguration"
    subnet_id            = local.management_subnet_id
    public_ip_address_id = local.management_public_ip_address_id
  }
}

Debug Output/Panic Output

-/+ resource "azurerm_firewall" "firewall" {
    ~ dns_proxy_enabled   = false -> (known after apply)
    - dns_servers         = [] -> null
    ~ id                  = "/subscriptions/<subscription id>/resourceGroups/my-resource-group/providers/Microsoft.Network/azureFirewalls/BPS-shared-prod-FW" -> (known after apply)
    name                = "BPS-shared-prod-FW"
    - private_ip_ranges   = [] -> null
    - tags                = {} -> null
    ~ threat_intel_mode   = "Alert" -> (known after apply)
    - zones               = [] -> null
    # (5 unchanged attributes hidden)

    ~ ip_configuration {
        name                 = "AzureFirewallIpConfiguration0"
        ~ private_ip_address   = "10.1.22.4" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

    ~ management_ip_configuration {
        name                 = "AzureFirewallMgmtIpConfiguration"
        + private_ip_address   = (known after apply)
        ~ subnet_id            = "/subscriptions/<subscription id>/resourceGroups/my-shared-aadds-rg/providers/Microsoft.Network/virtualNetworks/my-shared-aadds-vnet/subnets/AzureFirewallManagementSubnet" -> "/subscriptions/<subscription id>/resourceGroups/MY-SHARED-AADDS-RG/providers/Microsoft.Network/virtualNetworks/MY-SHARED-AADDS-vnet/subnets/AzureFirewallManagementSubnet" # forces replacement
        # (1 unchanged attribute hidden)
    }
}

Expected Behaviour

I would expect the firewall not to be recreated as the subnet_id is the same (except for the casing of the Resource Group and casing of the VNET name)

Actual Behaviour

The firewall is recreated

Steps to Reproduce

terraform plan/apply to create the firewall. Then running terraform plan/apply again causes this bug to happen.

Important Factoids

No response

References

No response
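As an added example (not code from the issue, the reporter, or the AzureRM provider), a small check over `terraform show -json <planfile>` output that flags resource replacements where a changed string attribute differs from the prior state only by letter case, which is exactly the pattern in the plan output above. The sample plan is constructed to mirror that diff, with a placeholder subscription id.

```python
"""Flag Terraform plan replacements caused only by casing differences (e.g. Azure resource IDs)."""
import json

# Constructed sample in the shape of `terraform show -json` plan output, mirroring
# the diff in the issue: subnet_id differs from the prior value only in the
# resource group and VNet name casing, yet the action is delete+create.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "azurerm_firewall.firewall",
        "change": {
            "actions": ["delete", "create"],
            "before": {"management_ip_configuration": [{
                "subnet_id": "/subscriptions/00000000-placeholder/resourceGroups/my-shared-aadds-rg"
                             "/providers/Microsoft.Network/virtualNetworks/my-shared-aadds-vnet"
                             "/subnets/AzureFirewallManagementSubnet"}]},
            "after": {"management_ip_configuration": [{
                "subnet_id": "/subscriptions/00000000-placeholder/resourceGroups/MY-SHARED-AADDS-RG"
                             "/providers/Microsoft.Network/virtualNetworks/MY-SHARED-AADDS-vnet"
                             "/subnets/AzureFirewallManagementSubnet"}]},
        },
    }],
})


def _walk(before, after, path=""):
    """Yield (attribute path, before, after) for every leaf present on both sides as a string."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in before.keys() & after.keys():
            yield from _walk(before[key], after[key], f"{path}.{key}")
    elif isinstance(before, list) and isinstance(after, list):
        for i, (b, a) in enumerate(zip(before, after)):
            yield from _walk(b, a, f"{path}[{i}]")
    elif isinstance(before, str) and isinstance(after, str):
        yield path.lstrip("."), before, after


def case_only_replacements(plan_json):
    """Return [(address, attribute, before, after)] for resources the plan will replace
    whose changed string attributes are equal to the prior state ignoring case."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if not {"delete", "create"} <= set(change["actions"]):
            continue  # only replacements (delete+create) are of interest here
        for attr, b, a in _walk(change.get("before") or {}, change.get("after") or {}):
            if b != a and b.lower() == a.lower():
                findings.append((rc["address"], attr, b, a))
    return findings
```

Run it in CI against the plan JSON and fail the pipeline when it returns anything, so a casing-only replacement of a firewall is reviewed rather than applied.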

@wuxu92
Contributor

wuxu92 commented Feb 23, 2024

Hi @Exchizz, thank you for bringing up this issue. Unfortunately, this is an intentional behavior of Terraform: it is case sensitive and AzureRM will standardize the API response to remove any differences in casing. In this situation, could you please use the correct casing for local.management_subnet_id to resolve the problem?

@Exchizz
Author

Exchizz commented Feb 23, 2024

Hi @wuxu92,

Unfortunately I cannot change local.management_subnet_id as I'm getting the subnet_id from an azurerm_subnet resource.

This is only a problem in the management_ip_configuration but not in the ip_configuration and not elsewhere in Terraform where I'm using the subnet_id.

@wuxu92
Contributor

wuxu92 commented Feb 23, 2024

@Exchizz, could you please provide the definition of local.management_subnet_id and local.subnet_id? I would like to understand how these two variables were obtained from the azurerm_subnet resource. Additionally, it would be beneficial to have the configuration details for the azurerm_subnet resource.

@Exchizz
Author

Exchizz commented Feb 23, 2024

resource "azurerm_subnet" "subnets" {
  for_each             = var.vnet.subnets
  name                 = each.key
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = [each.value.address_prefix]
  service_endpoints    = each.value.service_endpoints
  enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
  enforce_private_link_service_network_policies = each.value.enforce_private_link_service_network_policies
}

locals {
  management_subnet_id = azurerm_subnet.subnets["AzureFirewallManagementSubnet"].id
  subnet_id            = azurerm_subnet.subnets["AzureFirewallSubnet"].id
}

This is the output from the azurerm_subnet.subnets resource:

"AzureFirewallManagementSubnet" = {
  "address_prefixes" = tolist([
    "x.y.z.w/26",
  ])
  "delegation" = tolist([])
  "enforce_private_link_endpoint_network_policies" = false
  "enforce_private_link_service_network_policies" = false
  "id" = "/subscriptions/<subscription id>/resourceGroups/MY-SHARED-AADDS-RG/providers/Microsoft.Network/virtualNetworks/MY-SHARED-AADDS-vnet/subnets/AzureFirewallManagementSubnet"
  "name" = "AzureFirewallManagementSubnet"
  "private_endpoint_network_policies_enabled" = true
  "private_link_service_network_policies_enabled" = true
  "resource_group_name" = "MY-SHARED-AADDS-RG"
  "service_endpoint_policy_ids" = toset([])
  "service_endpoints" = toset([])
  "timeouts" = null /* object */
  "virtual_network_name" = "MY-SHARED-AADDS-vnet"
}
"AzureFirewallSubnet" = {
  "address_prefixes" = tolist([
    "a.b.c.d/26",
  ])
  "delegation" = tolist([])
  "enforce_private_link_endpoint_network_policies" = false
  "enforce_private_link_service_network_policies" = false
  "id" = "/subscriptions/<subscription id>/resourceGroups/MY-SHARED-AADDS-RG/providers/Microsoft.Network/virtualNetworks/MY-SHARED-AADDS-vnet/subnets/AzureFirewallSubnet"
  "name" = "AzureFirewallSubnet"
  "private_endpoint_network_policies_enabled" = true
  "private_link_service_network_policies_enabled" = true
  "resource_group_name" = "MY-SHARED-AADDS-RG"
  "service_endpoint_policy_ids" = toset([])
  "service_endpoints" = toset([])
  "timeouts" = null /* object */
  "virtual_network_name" = "MY-SHARED-AADDS-vnet"
}

(I've updated the issue description. It is both the name of the VNET that contains uppercase letters and the name of the resource group. When I created the issue, I accidentally replaced the resource group name with lowercase letters.)

@wuxu92
Contributor

wuxu92 commented Feb 26, 2024

@Exchizz Could you please help me confirm whether my understanding is correct: the resource group name and vnet name were created in UPPER CASE, but the management_ip_configuration.subnet_id in the firewall resource came back lower-cased, so Terraform wants to update the firewall to the upper case? I'll try to repro it locally, but if that is the case, this is an API issue instead of a Terraform one.

@Exchizz
Author

Exchizz commented Feb 26, 2024

Exactly, yes 👍

@hwwilliams

I ran into this today, and unfortunately, I think it is an Azure API issue because if you look at the export template blade on the firewall resource within Azure you can see the VNET resource ID under parameters is in lowercase while the ID for public IP and firewall policy is using the correct casing.

@rcskosir rcskosir added the upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. label Mar 4, 2024