# azure
k
Not sure if I should ask here or in #CDE799L1M. I try to update a FirewallPolicyRuleCollectionGroup via
from pulumi import ResourceOptions
from pulumi_azure_native import network

rcg = network.FirewallPolicyRuleCollectionGroup(
    imported_rcg_result.name,
    resource_group_name=resource_group_name,
    firewall_policy_name=firewall_policy.name,
    priority=priority,
    rule_collections=merged_rule_collections,
    # id in ResourceOptions adopts the existing Azure resource into state
    opts=ResourceOptions(provider=virtual_wan_provider, id=existing_rcg.id)
)
This rcg is imported programmatically in case it does not exist, and that seems to work: preview (shows the read)/up runs through. The goal is that the rule collections get updated with new ones, but somehow no change is detected, while at the moment there is no rule collection present and merged_rule_collections has content:
Merged rule collections: [{'name': 'network-rule-collection-smallnet-dev-002', 'priority': 1000, 'action': 'Allow', 'rules': [{'name': 'network-rule-smallnet-dev-002-0', 'direction': 'Inbound', 'protocol': '*', 'sourceAddresses': ['10.238.8.0/27'], 'destinationAddresses': ['10.0.0.0/8'], 'destinationPorts': ['*'], 'sourcePorts': []}]}, {'name': 'application-rule-collection-smallnet-dev-002', 'priority': 26000, 'action': 'Allow', 'rules': [{'name': 'application-rule-smallnet-dev-002-0', 'priority': 26000, 'direction': 'Inbound', 'protocol': '*', 'sourceAddresses': ['10.238.8.0/27'], 'destinationAddresses': [], 'destinationPorts': [], 'sourcePorts': [], 'fqdns': []}, {'name': 'application-rule-smallnet-dev-002-1', 'priority': 26001, 'direction': 'Inbound', 'protocol': '*', 'sourceAddresses': ['10.238.8.0/27'], 'destinationAddresses': [], 'destinationPorts': [], 'sourcePorts': [], 'fqdns': []}, {'name': 'application-rule-smallnet-dev-002-2', 'priority': 26002, 'direction': 'Inbound', 'protocol': '*', 'sourceAddresses': ['10.238.8.0/27'], 'destinationAddresses': [], 'destinationPorts': [], 'sourcePorts': [], 'fqdns': []}]}, {'name': 'nat-rule-collection-smallnet-dev-002', 'priority': 55000, 'action': 'Dnat', 'rules': []}]
Those are dummy rules but should actually be working. Anyone an idea?
f
did you try running
pulumi up --refresh
?
k
how can I do this within the app?
f
Are you not using pulumi cli to provision the infrastructure?
k
the rule collection groups are created beforehand by terraform in a different project. we just want to update the rule collection groups with this pulumi app
f
Can you add another rule collection group with the updates you wanted in Pulumi, so we don't have to manipulate the TF-created ones?
k
No, the whole idea is to pre-provision them; Pulumi chooses the one with the fewest rule collections in it and then sticks to it. (We have n landing zones/pipelines that will add their own rule collections to the rule collection groups.)
80 rcgs x landing zones; each rcg can contain rule collections for multiple landing zones.
rcgs are numbered 1-80, rule collections are named after the landing zone.
the logic to select the "right" rcg is finished
just updating the rcg is still an issue for me
import pulumi
from pulumi_azure_native import network

try:
    # read the pre-provisioned rcg by its Azure resource id (no state adoption)
    existing_rcg = network.FirewallPolicyRuleCollectionGroup.get(
        selected_rcg.name,
        id=selected_rcg.id,
        # resource_group_name=resource_group_name,
        # firewall_policy_name=firewall_policy.name,
        # rule_collection_group_name=selected_rcg.name,
        opts=pulumi.ResourceOptions(provider=virtual_wan_provider)
    )
    existing_rcg.name.apply(lambda name: pulumi.log.info(f"Successfully retrieved existing Rule Collection Group: {name}"))

except Exception as e:
    pulumi.log.error(f"Error getting collection group: {e}")
try:
    updated_rcg = network.FirewallPolicyRuleCollectionGroup(
        "imported_rcg",
        # azure-native takes rule_collection_group_name, not name
        rule_collection_group_name=selected_rcg.name,
        resource_group_name=resource_group_name,
        firewall_policy_name=firewall_policy.name,
        priority=selected_rcg.priority,
        rule_collections=merged_rule_collections,
        # id in ResourceOptions adopts the existing Azure resource into state
        opts=ResourceOptions(provider=virtual_wan_provider, id=selected_rcg.id),
    )
    updated_rcg.id.apply(lambda id: pulumi.log.info(f"Updated rule collection group: {id}"))
except Exception as e:
    pulumi.log.error(f"Rule Collection Group not updated for LZ {lz_full_id}. error: {str(e)}")
    raise
but it just doesn't update the rule collections
f
The pulumi resource
network.FirewallPolicyRuleCollectionGroup
- You cannot update an existing resource if it is managed by a different project. I would recommend falling back on the Azure CLI, where you can safely get the existing rules, then update the rules and finally update it. The problem with this approach is that if TF runs again, it might remove the rule you just added.
k
Of course TF will ignore the changes, but it is sad that it's not possible that way.
All this trouble just because the stupid firewall policy limits the number of rcgs. It's just a waste to dedicate a single rcg to a single landing zone, a whole firewall for just 90 landing zones. Sorry for the rant haha
f
Yeah, Azure is sometimes a PIA.
k
thank you for the reply
it confirms what I already started to think myself
f
There is another approach. You could create a new pulumi resource that does this through the api. Pulumi provides a dynamic resource where you can add custom logic to create a new resource.
k
you mean a custom pulumi resource? (custom: true)
f
This way you can keep this in the current Pulumi state and update it if it is modified by TF.
k
thanks, I will read further. might be another rabbit hole
f
best of luck
If you go down the dynamic provider route, I am interested in how you get on with that.
k
time might be a constraint but in case I find some I will follow up
Just to test the resource, I decided to create a new rcg and try the example code from the docs:
from pulumi import ResourceOptions
from pulumi_azure_native import network

rcg = network.FirewallPolicyRuleCollectionGroup(
    "fwpolrcg-" + lz_full_id,
    # azure-native takes rule_collection_group_name, not name
    rule_collection_group_name="fwpolrcg-" + lz_full_id,
    resource_group_name=resource_group_name,
    firewall_policy_name=firewall_policy.name,
    priority=101,
    rule_collections=[{
        "action": {
            "type": network.FirewallPolicyFilterRuleCollectionActionType.DENY,
        },
        "name": "Example-Filter-Rule-Collection",
        "priority": 100,
        "rule_collection_type": "FirewallPolicyFilterRuleCollection",
        "rules": [{
            "destination_addresses": ["*"],
            "destination_ports": ["*"],
            "ip_protocols": [network.FirewallPolicyRuleNetworkProtocol.TCP],
            "name": "network-rule1",
            "rule_type": "NetworkRule",
            "source_addresses": ["10.1.25.0/24"],
        }],
    }],
    opts=ResourceOptions(provider=virtual_wan_provider),
)
and it seems there is a general issue:
~  azure-native:network:FirewallPolicyRuleCollectionGroup fwpolrcg-smallnet-dev-002 updating (0s) [diff: ~ruleCollections]
@ updating....
 ~  azure-native:network:FirewallPolicyRuleCollectionGroup fwpolrcg-smallnet-dev-002 updating (0s) [diff: ~ruleCollections]; error: Status=400 Message="{
 ~  azure-native:network:FirewallPolicyRuleCollectionGroup fwpolrcg-smallnet-dev-002 **updating failed** [diff: ~ruleCollections]; error: Status=400 Message="{
    pulumi:pulumi:Stack hub-networking-smallnet-dev-002 running error: update failed
    pulumi:pulumi:Stack hub-networking-smallnet-dev-002 **failed** 1 error; 6 messages
Diagnostics:
  pulumi:pulumi:Stack (hub-networking-smallnet-dev-002):
    Creating Network Rule Dict: NetworkRule(name='allow-internal-traffic', description='Allow traffic to internal network', ip_protocols=['TCP', 'UDP', 'ICMP'], destination_ports=['*'], source_addresses=['10.238.8.0/27'], destination_addresses=['10.0.0.0/8'], source_ip_groups=[], destination_ip_groups=[], rule_type='Network')
    Created Network Rule Dict: {'name': 'allow-internal-traffic', 'description': 'Allow traffic to internal network', 'ipProtocols': ['TCP', 'UDP', 'ICMP'], 'destinationPorts': ['*'], 'sourceAddresses': ['10.238.8.0/27'], 'destinationAddresses': ['10.0.0.0/8'], 'sourceIpGroups': [], 'destinationIpGroups': [], 'ruleType': 'Network'}
    Merged rule collections: [{'name': 'network-rule-collection-smallnet-dev-002', 'priority': 1000, 'action': {'type': 'Allow'}, 'ruleCollectionType': 'FirewallPolicyNetworkRuleCollection', 'rules': [{'name': 'allow-internal-traffic', 'description': 'Allow traffic to internal network', 'ipProtocols': ['TCP', 'UDP', 'ICMP'], 'destinationPorts': ['*'], 'sourceAddresses': ['10.238.8.0/27'], 'destinationAddresses': ['10.0.0.0/8'], 'sourceIpGroups': [], 'destinationIpGroups': [], 'ruleType': 'Network'}]}, {'name': 'application-rule-collection-smallnet-dev-002', 'priority': 26000, 'action': {'type': 'Allow'}, 'ruleCollectionType': 'FirewallPolicyApplicationRuleCollection', 'rules': []}, {'name': 'nat-rule-collection-smallnet-dev-002', 'priority': 55000, 'action': {'type': 'Dnat'}, 'ruleCollectionType': 'FirewallPolicyNatRuleCollection', 'rules': []}]
    Using priority 1000 for network rule collection
    Using priority 26000 for application rule collection
    Using priority 55000 for NAT rule collection
    error: update failed

  azure-native:network:FirewallPolicyRuleCollectionGroup (fwpolrcg-smallnet-dev-002):
    error: Status=400 Message="{
      "Message": "The request is invalid.",
      "ModelState": {
        "resource.properties.ruleCollections[0]": [
          "An error has occurred."
        ]
      }
    }"
I've also tried a NAT rule. Nothing works.
f
Go with a local command and run az cli to update this. That will be the quickest solution for now.
k
It's not an option for us.
IaC is mandatory. That is what my customer pays me for haha
Creating the rcg with an empty rule_collections ([]) worked, but it seems the API expects something different than documented.
f
Hmm. If you really want that to be native to Pulumi, then create a custom dynamic provider. This will help you keep a record of the update in Pulumi state and add your own validation to detect whether there are any changes to the rule that warrant an update.
If you are flexible, then you could run a job in Azure Container Apps, or, if you use Kubernetes, a Kubernetes job which does the update.
k
Just to share my progress: after I learned that the docs don't give a working example of a firewall policy rule collection group for the azure-native provider, I just tried the azure classic one. It worked normally to create rcgs. My solution for now: I do a pulumi stack export --file state.json before running the preview/up in the pipeline. That way I check if the URN for the rcg is already present in my app. If it is not present, I import the rcg; if present, I just update it. Works.