
[FEATURE Request] - Deploy Azure Firewall without Azure Firewall Policy and locks #1095

@GregCodeRepos

Description


Describe the feature end to end, including deployment scenario details under which the feature would occur.

The current code deploys Azure Firewall and expects the Azure Firewall Policy ID to always be present:


 firewallPolicy: {
      id: resFirewallPolicies.id
    }

In a scenario where the Azure Firewall Policy cannot be deployed (this was the case in the Austria East region), this causes the deployment to fail regardless of the parAzFirewallPoliciesEnabled value:

// AzureFirewallSubnet is required to deploy Azure Firewall. This subnet must exist in the parSubnets array if you deploy.
// There is a minimum subnet requirement of /26 prefix.
resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = if (parAzFirewallEnabled) {
  dependsOn: [
    resGateway
  ]
  name: parAzFirewallName
  location: parLocation
  tags: parTags
  zones: !empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : []
  properties: {
    ipConfigurations: varAzFirewallUseCustomPublicIps
      ? map(parAzFirewallCustomPublicIps, ip => {
          name: 'ipconfig${uniqueString(ip)}'
          properties: ip == parAzFirewallCustomPublicIps[0]
            ? {
                subnet: {
                  id: resAzureFirewallSubnetRef.id
                }
                publicIPAddress: {
                  id: parAzFirewallEnabled ? ip : ''
                }
              }
            : {
                publicIPAddress: {
                  id: parAzFirewallEnabled ? ip : ''
                }
              }
        })
      : [
          {
            name: 'ipconfig1'
            properties: {
              subnet: {
                id: resAzureFirewallSubnetRef.id
              }
              publicIPAddress: {
                id: parAzFirewallEnabled ? modAzureFirewallPublicIp.?outputs.outPublicIpId : ''
              }
            }
          }
        ]
    managementIpConfiguration: {
      name: 'mgmtIpConfig'
      properties: {
        subnet: {
          id: resAzureFirewallMgmtSubnetRef.id
        }
        publicIPAddress: {
          id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId : ''
        }
      }
    }
    sku: {
      name: 'AZFW_VNet'
      tier: parAzFirewallTier
    }
    firewallPolicy: {
      id: resFirewallPolicies.id
    }
  }
}


A change like the one below would solve the issue:


 firewallPolicy: (parAzFirewallPoliciesEnabled) 
      ? {
      id: resFirewallPolicies.id
    }
    : null

Additionally, the Azure Firewall Policy lock is deployed if parAzFirewallEnabled is true and locks are set either with parAzureFirewallLock or parGlobalResourceLock, even if the Azure Firewall Policy is not enabled:

// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None'
resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallEnabled && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
  scope: resFirewallPolicies
  name: parAzureFirewallLock.?name ?? '${resFirewallPolicies.name}-lock'
  properties: {
    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind
    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes
  }
}

In a scenario where only the Azure Firewall is deployed with locks, the module will attempt to deploy the lock on a non-existing policy and will fail.

The module should use the existing parameter parAzFirewallPoliciesEnabled and a new parameter parAzureFirewallPolicyLock to provide control over the deployment of Azure Firewall Policies and their locks:


@sys.description('''Resource Lock Configuration for Azure Firewall Policy.

- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
- `notes` - Notes about this lock.

''')
param parAzureFirewallPolicyLock lockType = {
  kind: 'None'
  notes: 'This lock was created by the ALZ Bicep Hub Networking Module.'
}

// Create Azure Firewall Policy resource lock if parAzFirewallPoliciesEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None'
resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabled && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
  scope: resFirewallPolicies
  name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPolicies.name}-lock'
  properties: {
    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind
    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes
  }
}
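The pattern the two proposed changes rely on, shown as one self-contained template (an added example written for this page, not the ALZ Bicep Hub Networking module's own code): the policy resource, the firewall's policy reference and the policy lock are all keyed off the same parAzFirewallPoliciesEnabled switch, so a run with the policy disabled never references or locks a policy that was not deployed. The type name exampleLockType, the parameters parFirewallPublicIpId and parAzureFirewallSubnetId, and the default values are assumptions for this example; the module's own lockType and its global-lock merging are left out to keep the gating visible.

```bicep
// Added example, not ALZ Bicep's code. Assumed names: exampleLockType,
// parFirewallPublicIpId, parAzureFirewallSubnetId (both resources assumed to exist).

@description('Deploy an Azure Firewall Policy and attach it to the firewall.')
param parAzFirewallPoliciesEnabled bool = true

@description('Resource lock for the Azure Firewall Policy: CanNotDelete, ReadOnly or None.')
param parAzureFirewallPolicyLock exampleLockType = {
  kind: 'None'
  notes: 'Constructed default for this example.'
}

param parLocation string = resourceGroup().location
param parAzFirewallName string = 'azfw-example'
param parAzFirewallPolicyName string = 'azfwpolicy-example'

@description('Resource ID of an existing Standard public IP (assumption).')
param parFirewallPublicIpId string

@description('Resource ID of the existing AzureFirewallSubnet, /26 or larger (assumption).')
param parAzureFirewallSubnetId string

// Assumed lock type: the three lock levels Azure accepts, plus optional name/notes.
type exampleLockType = {
  kind: 'CanNotDelete' | 'ReadOnly' | 'None'
  notes: string?
  name: string?
}

// The policy only exists when the switch is on.
resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2024-05-01' = if (parAzFirewallPoliciesEnabled) {
  name: parAzFirewallPolicyName
  location: parLocation
  properties: {
    threatIntelMode: 'Alert'
  }
}

resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
  name: parAzFirewallName
  location: parLocation
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Standard'
    }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: parAzureFirewallSubnetId
          }
          publicIPAddress: {
            id: parFirewallPublicIpId
          }
        }
      }
    ]
    // First change from the issue: reference the policy only when it was deployed.
    firewallPolicy: parAzFirewallPoliciesEnabled
      ? {
          id: resFirewallPolicies.id
        }
      : null
  }
}

// Second change from the issue: the lock is gated on the policy switch rather
// than on the firewall switch, so it is never scoped to a policy that does not exist.
resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabled && parAzureFirewallPolicyLock.kind != 'None') {
  scope: resFirewallPolicies
  name: parAzureFirewallPolicyLock.?name ?? '${parAzFirewallPolicyName}-lock'
  properties: {
    level: parAzureFirewallPolicyLock.kind
    notes: parAzureFirewallPolicyLock.?notes
  }
}

output outFirewallPolicyId string = parAzFirewallPoliciesEnabled ? resFirewallPolicies.id : ''
```

A quick way to confirm the gating before a real run is a what-if deployment with the policy disabled, for example `az deployment group what-if --resource-group <rg> --template-file main.bicep --parameters parAzFirewallPoliciesEnabled=false parFirewallPublicIpId=<id> parAzureFirewallSubnetId=<id>`: the plan should list the firewall only, with no firewallPolicies resource and no lock, which is exactly the outcome the issue asks for in regions where the policy cannot be deployed.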

Why is this feature important. Describe why this would be important for your organization and others. Would this impact similar orgs in the same way?

In a recent ALZ deployment this code caused issues with the deployment, and we had to either

  1. deploy Azure Firewall manually
  2. set locks manually after deployment

This results in a broken ALZ deployment flow, the need to troubleshoot issues, multiple pipeline restarts, manual interventions and a poor experience for the customer.

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Can you describe any alternatives that you have taken since this feature does not exist?

No response

Feature Implementation

Check previous GitHub issues

  • I have searched the issues for this item and found no duplicate

Code of Conduct

  • I agree to follow this project's Code of Conduct
