Firewall creation is failing while creating through terraform.

Question

Firewall creation is failing while creating through terraform.

Naveen Vanamadi 5

Firewall deployment is failing through Terraform

Status: "InternalServerError" │ Code: "" │ Message: "An error occurred." │ Activity Id: "" │ │ --- │ │ API Response: │ │ ----[start]---- │ {"status":"Failed","error":{"code":"InternalServerError","message":"An error occurred.","details":[]}} │ -----[end]----- │ │ │ with module.network_landing_zone.azurerm_firewall.firewall, │ on ......\modules\lz\network-lz\resources.tf line 193, in resource "azurerm_firewall" "firewall": │ 193: resource "azurerm_firewall" "firewall" {

GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-05-15T04:56:07.8433333+00:00
Hello @Naveen Vanamadi ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to deploy an Azure Firewall using Terraform but it is failing with an InternalServerError message.

May I know in which region you are trying to deploy the Azure Firewall?

Have you tried deploying the Azure Firewall using any other tools such as Azure portal/PowerShell/CLI in the same region? If yes, was it successfull?

Could you please share the Terraform script that you are using to deploy the Azure Firewall?

Regards,

Gita

Naveen Vanamadi 5

Hi @GitaraniSharma-MSFT ,

below is my response.

version.tf:
--------------------------------------
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "<=3.91.0"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "<=3.10.0"
    }
  }
  required_version = ">= 1.3.0"
}
resource.tf
-------------------------------
resource "azurerm_firewall" "firewall" {
  name                = local.fw_name
  resource_group_name = local.rg_name
  location            = local.location
  sku_name            = var.fw_sku_name
  sku_tier            = var.fw_sku_tier
  firewall_policy_id  = var.fw_firewall_policy_id != null ? var.fw_firewall_policy_id : azurerm_firewall_policy.firewall_policy.id

  dynamic "ip_configuration" {
    for_each = var.fw_ip_configuration != null ? [var.fw_ip_configuration] : []
    content {
      name                 = lookup(ip_configuration.value, "name", null)
      subnet_id            = lookup(ip_configuration.value, "subnet_id", null)
      public_ip_address_id = lookup(ip_configuration.value, "public_ip_address_id", null)
    }
  }

  dns_servers = var.fw_dns_servers

  dynamic "management_ip_configuration" {
    for_each = var.fw_management_ip_configuration != null ? [var.fw_management_ip_configuration] : []
    content {
      name                 = lookup(management_ip_configuration.value, "name", null)
      subnet_id            = lookup(management_ip_configuration.value, "subnet_id", null)
      public_ip_address_id = lookup(management_ip_configuration.value, "public_ip_address_id", null)
    }
  }

  threat_intel_mode = var.fw_threat_intel_mode

  dynamic "virtual_hub" {
    for_each = var.fw_virtual_hub != null ? [var.fw_virtual_hub] : []
    content {
      virtual_hub_id  = lookup(var.virtual_hub, "virtual_hub_id", null)
      public_ip_count = lookup(var.virtual_hub, "public_ip_count", null)
    }
  }

  zones      = var.fw_zones
  tags       = var.fw_tags
  depends_on = [azurerm_public_ip.public_ip, azurerm_subnet.subnet, azurerm_firewall_policy.firewall_policy]
}

variables.tf:
----------------------------
variable "fw_sku_name" {
  type        = string
  description = "(Optional) Sku name of the Firewall. Possible values are AZFW_Hub and AZFW_VNet. Changing this forces a new resource to be created."
  default     = "AZFW_VNet"
}

variable "fw_sku_tier" {
  type        = string
  description = "(Optional) Sku tier of the Firewall. Possible values are Premium and Standard. Changing this forces a new resource to be created."
  default     = "Standard"
}

variable "fw_firewall_policy_id" {
  type        = string
  description = "(Optional) The ID of the Firewall Policy applied to this Firewall."
  default     = null
}

variable "fw_ip_configuration" {
  type = object({
    name                 = string # (Required) Specifies the name of the IP Configuration.
    subnet_id            = string # (Optional) Reference to the subnet associated with the IP Configuration.
    public_ip_address_id = string # (Optional) The ID of the Public IP Address associated with the firewall.
  })
  description = "(Optional) An ip_configuration block as documented below."
  default     = null
}

variable "fw_dns_servers" {
  type        = list(string)
  description = "(Optional) A list of DNS servers that the Azure Firewall will direct DNS traffic to the for name resolution."
  default     = null
}

variable "fw_management_ip_configuration" {
  type = object({
    name                 = string # (Required) Specifies the name of the IP Configuration.
    subnet_id            = string # (Required) Reference to the subnet associated with the IP Configuration. Changing this forces a new resource to be created.
    public_ip_address_id = string # (Required) The ID of the Public IP Address associated with the firewall.
  })
  description = "(Optional) A management_ip_configuration block as documented below, which allows force-tunnelling of traffic to be performed by the firewall. Adding or removing this block or changing the subnet_id in an existing block forces a new resource to be created."
  default     = null
}

variable "fw_threat_intel_mode" {
  type        = string
  description = "(Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert,Deny and (empty string). Defaults to Alert."
  default     = null
}

variable "fw_virtual_hub" {
  type = object({
    virtual_hub_id  = string # (Required) Specifies the ID of the Virtual Hub where the Firewall resides in.
    public_ip_count = number # (Optional) Specifies the number of public IPs to assign to the Firewall. Defaults to 1.
  })
  description = "(Optional) A virtual_hub block as documented below."
  default     = null
}

variable "fw_zones" {
  type        = list(string)
  description = "(Optional) Specifies the availability zones in which the Azure Firewall should be created. Changing this forces a new resource to be created."
  default     = null
}

variable "fw_tags" {
  type        = map(string)
  description = "(Optional) A mapping of tags to assign to the resource."
  default     = {}
}

locals.tf:
----------------------
locals {
  rg_name                                              = "network-rg"
  location                                             = "eastus2"
  tags                                                 = {}
  vnet_name                                            = "lz-vnet"
  vnet_address_space                                   = ["10.0.0.0/16"]
  subnet_name                                          = "GatewaySubnet"
  subnet_address_prefixes                              = ["10.0.0.0/24"]
  subnet_private_endpoint_network_policies_enabled     = false
  subnet_private_link_service_network_policies_enabled = false
  pip_name                                             = "lz-pip"
  vnet_gateway_name                                    = "lz-vnet-gateway"
  fw_policy_name                                       = "lz-firewall-policy"
  fw_name                                              = "lz-firewall"
  vnet_peering_name                                    = "lz-vnet-peering"
  wan_name                                             = "lz-wan"
  vhub_name                                            = "lz_vhub"
  vhub_address_prefix                                  = "10.3.0.0/23"
  express_route_gateway_name                           = "lz-exp-route-gw"
  vpn_gateway_name                                     = "lz-vpn-gateway"
  virtual_hub_connection_name                          = "lz-vhub-conn"
  create_ddos                                          = false
  network_ddos_name                                    = "lz-ddos"
  dns_zone_name                                        = "matildacloudtest.com"
  private_dns_zone_name                                = "matildacloudprivate.com"
  private_dns_zone_virtual_network_link_name           = "lz-vnet-link"
}

Tfvars file:
----------------------------------------
  "fw_ip_configuration": {
        "name": "testfirewall",
        "subnet_id": "/subscriptions/9a932bb4-2ec3-45b9-87f9-8f7409b7830f/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/lz-vnet/subnets/AzureFirewallSubnet",
        "public_ip_address_id": "/subscriptions/9a932bb4-2ec3-45b9-87f9-8f7409b7830f/resourceGroups/TerraformTestingRG/providers/Microsoft.Network/publicIPAddresses/firewall-pip1"
    },
    "fw_management_ip_configuration": {
        "name": "firewallmanagement",
        "subnet_id": "/subscriptions/9a932bb4-2ec3-45b9-87f9-8f7409b7830f/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/lz-vnet/subnets/AzureFirewallManagementSubnet",
        "public_ip_address_id": "/subscriptions/9a932bb4-2ec3-45b9-87f9-8f7409b7830f/resourceGroups/TerraformTestingRG/providers/Microsoft.Network/publicIPAddresses/firewall-pip"
    },

May I know in which region you are trying to deploy the Azure Firewall? - EastUs2
Have you tried deploying the Azure Firewall using any other tools such as Azure portal/PowerShell/CLI in the same region? If yes, was it successfull? - Yes, I'm able to create through portal to same region.
Could you please share the Terraform script that you are using to deploy the Azure Firewall? Yes

Also to elaborate more on this issue, I was combined all network related resources into one module and deploying them through terraform. Only Firewall creation is causing the issue and rest everything deployed successfully. I tried adding the configuration files in .zip format unfortunately the site not supporting the format hence provided code snippet only for Firewall creation.

Firewall Public IP config:

SKU: Standard

Tier: Regional

Naveen Vanamadi 5 Reputation points

2024-05-15T13:06:41.3733333+00:00

Hi @GitaraniSharma-MSFT ,

Thank you for providing the response. I will raise a support ticket but not sure I have the support plan or not. Kindly help me to get the one-time free tech support.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-05-16T04:54:48.0133333+00:00

@Naveen Vanamadi , thank you for the update. Please check the private message for next steps.
Naveen Vanamadi 5 Reputation points

2024-05-22T13:35:11.2733333+00:00

@GitaraniSharma-MSFT I have raised a support ticket and got the below fix for the issue.

I reviewed the error that appears and it states that the VPN gateway is not in provisioning state. I observed the TerraForm code that you share I see that it that there is a depends_on variable that is set to depend on subnet, so I would ask you to add another depends_on variable and set it to depend on VPN Gateway and then try to deploy Azure Firewall again.

Just like I mentioned in my previous email Terra Form codes scope are only partially in scope of our team, so we are working it on best practice. But based on my knowledge, it seems like you’re encountering an issue where the creation of a VPN Gateway is affecting the creation of a Firewall in your Terraform configuration. This can happen if there are dependencies or resource constraints defined in your Terraform code that link these resources together. For example, if you have a firewall policy that specifies routing to be sent over a VPN connection provided by a VPN Gateway, then logically, you cannot create the firewall until after the VPN Gateway is available. Similarly, if there are shared network interfaces or other resources required by both services before they can be created independently.

Just to add, my Terraform configuration contains the multiple resource creation(network resources). So the firewall creation was impacted by VPN Gateway resource creation. Hence I have added depends_on conditions to firewall block for VPN_Gateway which is the fix for this issue.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-05-27T13:01:58.5466667+00:00

Hello @Naveen Vanamadi ,

Apologies for the delay in response.

Since you mentioned, "Only Firewall creation is causing the issue and rest everything deployed successfully", I suggested creating a support ticket to check the backend logs for more details as there is an ongoing issue with few Azure Firewall deployments and your issue could be related.

I'm glad that the support team was able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

If you have any other questions or are still running into more issues, please let me know.

Thank you again for your time and patience throughout this issue.

P.S. I have updated my answer below to include the solution for better visibility.

Regards,

Gita

3 answers

Your answer

GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-05-15T04:56:07.8433333+00:00

Hello @Naveen Vanamadi ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to deploy an Azure Firewall using Terraform but it is failing with an InternalServerError message.

May I know in which region you are trying to deploy the Azure Firewall?

Have you tried deploying the Azure Firewall using any other tools such as Azure portal/PowerShell/CLI in the same region? If yes, was it successfull?

Could you please share the Terraform script that you are using to deploy the Azure Firewall?

Regards,

Gita
Naveen Vanamadi 5 Reputation points

2024-05-15T13:06:41.3733333+00:00

Hi @GitaraniSharma-MSFT ,

Thank you for providing the response. I will raise a support ticket but not sure I have the support plan or not. Kindly help me to get the one-time free tech support.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-05-16T04:54:48.0133333+00:00

@Naveen Vanamadi , thank you for the update. Please check the private message for next steps.
Naveen Vanamadi 5 Reputation points

2024-05-22T13:35:11.2733333+00:00

@GitaraniSharma-MSFT I have raised a support ticket and got the below fix for the issue.

I reviewed the error that appears and it states that the VPN gateway is not in provisioning state. I observed the TerraForm code that you share I see that it that there is a depends_on variable that is set to depend on subnet, so I would ask you to add another depends_on variable and set it to depend on VPN Gateway and then try to deploy Azure Firewall again.

Just like I mentioned in my previous email Terra Form codes scope are only partially in scope of our team, so we are working it on best practice. But based on my knowledge, it seems like you’re encountering an issue where the creation of a VPN Gateway is affecting the creation of a Firewall in your Terraform configuration. This can happen if there are dependencies or resource constraints defined in your Terraform code that link these resources together. For example, if you have a firewall policy that specifies routing to be sent over a VPN connection provided by a VPN Gateway, then logically, you cannot create the firewall until after the VPN Gateway is available. Similarly, if there are shared network interfaces or other resources required by both services before they can be created independently.

Just to add, my Terraform configuration contains the multiple resource creation(network resources). So the firewall creation was impacted by VPN Gateway resource creation. Hence I have added depends_on conditions to firewall block for VPN_Gateway which is the fix for this issue.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-05-27T13:01:58.5466667+00:00

Hello @Naveen Vanamadi ,

Apologies for the delay in response.

Since you mentioned, "Only Firewall creation is causing the issue and rest everything deployed successfully", I suggested creating a support ticket to check the backend logs for more details as there is an ongoing issue with few Azure Firewall deployments and your issue could be related.

I'm glad that the support team was able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

If you have any other questions or are still running into more issues, please let me know.

Thank you again for your time and patience throughout this issue.

P.S. I have updated my answer below to include the solution for better visibility.

Regards,

Gita

Answer 1

tldr; Try omitting zones, or setting zones=null.

I bumped into the following behavior:

resource "azurerm_firewall" {

...
zones: [1, 2] # bc zone outage in zone 3 in southcentralus
...

which when applied begets the same message that led me to this attempt:

Deployment of Standard SKU firewall with the specified availability zones is currently not supported in 'southcentralus'. You may retry different availability zones settings or a different SKU / region.

I did a little googling and came across https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues#:~:text=Physical%20zone%203%20in%20South%20Central,I%20configure%20availability%20zones%20after%20deployment%3F which states "You can't deploy a new Azure Firewall in zone 3. ... We recommend you deploy a new Azure Firewall to the remaining availability zones or use a different region."

I did not see a default value for zones property, so I thought, "well, what happens if I leave it null or just remove it altogether?" Et voila! My Az Firewall resource created without a (further) hitch.

Hope this helps!

Answer 2

Naveen Vanamadi 5

Just to add, my Terraform configuration contains the multiple resource creation(network resources). So the firewall creation was impacted by VPN Gateway resource creation. Hence I have added depends_on conditions to firewall block for VPN_Gateway which is the fix for this issue.

0 comments

Answer 3

Hello @Naveen Vanamadi ,

I understand that you are trying to deploy an Azure Firewall using Terraform, but it is failing with an InternalServerError message.

You are trying to deploy an Azure Firewall in East US 2 region and it works fine when you create one through the Azure portal but fails via Terraform.

I checked internally and found that there is an ongoing issue with few Azure Firewall deployments, where sometimes the Azure Firewall is going into a failed state due to a transient known issue with an underlying Azure Firewall service.

The Azure Firewall Product Group team is already working on a fix but there is no ETA available as of yet.

I requested you to create a support request if you need help in recovering the failed Azure Firewall deployment using Terraform, as this will enable the support team to engage with the backend team for further assistance.

We also offered you a one-time free technical support, in case you don't have a support plan.

You created a support request for this issue and the support team investigated it from their end. When checking the backend logs, they found an error which mentioned that the VPN gateway is not in provisioning state.

From the backend error, it seems like you were encountering an issue where the creation of a VPN Gateway was affecting the creation of a Firewall in your Terraform configuration. This can happen if there are dependencies or resource constraints defined in your Terraform code that link these resources together. For example, if you have a firewall policy that specifies routing to be sent over a VPN connection provided by a VPN Gateway, then logically, you cannot create the firewall until after the VPN Gateway is available. Similarly, if there are shared network interfaces or other resources required by both services before they can be created independently.

So, the support team checked the Terraform code that you shared and found that there is a depends_on variable that is set to depend on subnet, and they asked you to add another depends_on variable and set it to depend on VPN Gateway and then try to deploy Azure Firewall again.

You added depends_on conditions to the firewall block for VPN_Gateway and this fixed the issue.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Firewall creation is failing while creating through terraform.

3 answers

Your answer