Issue creating Azure Firewall using Terraform HCL


When I try to create a firewall using Terraform HCL, I receive the following error message. Just a note about the #{variables}#: I am passing tokens via Azure DevOps, and that part is working fine:

#Create public ip for load balancer
resource "azurerm_public_ip" "#{application}##{vertical}#PublicIPforLB" {
    name = "lbip#{application}##{vertical}#"
    location = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.location
    resource_group_name = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.name
    allocation_method = "Static"
    #sku = "Standard"
}

#Create firewall for public ip
resource "azurerm_firewall" "#{application}##{vertical}#Firewall" {
    name = "fw#{application}##{vertical}#"
    location = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.location
    resource_group_name = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.name
  
    ip_configuration {
        name = "ipconfFW"
        subnet_id = azurerm_subnet.AzureFirewallSubnet.id
        public_ip_address_id = azurerm_public_ip.#{application}##{vertical}#PublicIPforLB.id
    }
}

#Create security group and rule for accessing web application
resource "azurerm_network_security_group" "#{application}##{vertical}#SecurityGroup" {
    name = "sg#{application}##{vertical}#"
    location = "canadaeast"
    resource_group_name = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.name
    
    security_rule {
        name = "SSH"
        priority = 1001
        direction = "Inbound"
        access = "Allow"
        protocol = "Tcp"
        source_port_range = "*"
        destination_port_range = "443"
        source_address_prefix = "*"
        destination_address_prefix = "*"
    }
}

#Create load balancer for 2 front-end web server VMs
resource "azurerm_lb" "#{application}##{vertical}#LoadBalancer" {
    name = "lb#{application}##{vertical}#"
    location = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.location
    resource_group_name = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.name

    frontend_ip_configuration {
        name = "ipconfLB"
        public_ip_address_id = azurerm_public_ip.#{application}##{vertical}#PublicIPforLB.id
    }
}

Error: Code="AzureFirewallPublicIPNotStandard" Message="AzureFirewall fwMyTest references a non standard Public IP Address

I have tried specifying the sku to Standard; however I receive the following error:

Error: Code="PublicIPAndLBSkuDoNotMatch" Message="Basic sku load balancer cannot reference Standard sku publicIP

Any help would be greatly appreciated!!

Thanks!! :)


There is 1 answer

nicksnb

I suggest looking at the SKU that's currently set on the PublicIp. Azure wants the SKU from the LB to match the SKU of the PublicIP resource you're trying to use (in this case 'Standard'). It's currently commented out for the PublicIp. Both PublicIp and LB default to "Basic" sku.

#Create public ip for load balancer
resource "azurerm_public_ip" "#{application}##{vertical}#PublicIPforLB" {
    name = "lbip#{application}##{vertical}#"
    location = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.location
    resource_group_name = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.name
    allocation_method = "Static"
    sku = "Standard"
}

and

#Create load balancer for 2 front-end web server VMs
resource "azurerm_lb" "#{application}##{vertical}#LoadBalancer" {
    name = "lb#{application}##{vertical}#"
    location = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.location
    resource_group_name = azurerm_resource_group.#{application}##{vertical}#ResourceGroup.name
    sku = "Standard"

    frontend_ip_configuration {
        name = "ipconfLB"
        public_ip_address_id = azurerm_public_ip.#{application}##{vertical}#PublicIPforLB.id
    }
}
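The SKU rules in this thread (an Azure Firewall only accepts a Standard public IP, and a load balancer's SKU must match the SKU of the public IP it fronts, both defaulting to Basic) can be caught before `terraform apply` by inspecting the plan. The script below is an added example, not code from the question or the answer; it walks the `configuration.root_module.resources` section of `terraform show -json tfplan` output, reads each resource's `expressions` (constant values and `references`), and reports the two errors quoted above using the same error codes. It also goes one step beyond the thread and flags a public IP that is referenced by more than one resource, since the configuration above attaches the same public IP to both the firewall and the load balancer and Azure binds a public IP to a single IP configuration; that third code, `PublicIPSharedByMultipleResources`, is a label of my own, not an Azure error code. The `build_plan` helper produces constructed plan JSON modelled on the question's resources (names such as `MyTestPublicIPforLB` are made up) so the check runs offline; the exact plan-JSON shape it mimics is an assumption about the provider's output and should be verified against a real plan.

```python
"""Pre-apply check for Azure public IP / load balancer / firewall SKU mismatches.

Added example: reads the `configuration` section of `terraform show -json`
output and flags the two errors from the thread plus a shared public IP.
"""
import json

# Per the answer above, both azurerm_public_ip and azurerm_lb default to Basic.
DEFAULT_SKU = "Basic"


def _const(expr, key, default=None):
    """Read a constant attribute value from a resource's 'expressions' map."""
    node = expr.get(key)
    if isinstance(node, dict) and "constant_value" in node:
        return node["constant_value"]
    return default


def _referenced_pip(block):
    """Return the azurerm_public_ip resource address referenced by public_ip_address_id."""
    for ref in block.get("public_ip_address_id", {}).get("references", []):
        if ref.startswith("azurerm_public_ip.") and not ref.endswith(".id"):
            return ref
    return None


def check_plan(plan):
    """Return a list of (code, resource_address) findings for the given plan JSON."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    # SKU of every public IP declared in the plan; absent attribute means Basic.
    pip_sku = {r["address"]: _const(r.get("expressions", {}), "sku", DEFAULT_SKU)
               for r in resources if r["type"] == "azurerm_public_ip"}
    findings, users = [], {}
    for r in resources:
        expr = r.get("expressions", {})
        if r["type"] == "azurerm_firewall":
            for ipconf in expr.get("ip_configuration", []):
                pip = _referenced_pip(ipconf)
                if pip is None or pip not in pip_sku:
                    continue  # external or data-sourced IP: cannot judge its SKU here
                users.setdefault(pip, []).append(r["address"])
                if pip_sku[pip] != "Standard":
                    findings.append(("AzureFirewallPublicIPNotStandard", r["address"]))
        elif r["type"] == "azurerm_lb":
            lb_sku = _const(expr, "sku", DEFAULT_SKU)
            for fe in expr.get("frontend_ip_configuration", []):
                pip = _referenced_pip(fe)
                if pip is None or pip not in pip_sku:
                    continue
                users.setdefault(pip, []).append(r["address"])
                if pip_sku[pip] != lb_sku:
                    findings.append(("PublicIPAndLBSkuDoNotMatch", r["address"]))
    # Own label (not an Azure code): one public IP attached to two IP configurations.
    for pip, addrs in users.items():
        if len(addrs) > 1:
            findings.append(("PublicIPSharedByMultipleResources", pip))
    return findings


def check_plan_file(path):
    """Convenience wrapper: `terraform show -json tfplan > plan.json` then check it."""
    with open(path) as fh:
        return check_plan(json.load(fh))


# --- constructed plan JSON modelled on the question's configuration -------------
def _pip(name, sku=None):
    expr = {"name": {"constant_value": name.lower()},
            "allocation_method": {"constant_value": "Static"}}
    if sku is not None:
        expr["sku"] = {"constant_value": sku}
    return {"address": f"azurerm_public_ip.{name}", "type": "azurerm_public_ip",
            "name": name, "expressions": expr}


def _ref(name):
    return {"references": [f"azurerm_public_ip.{name}.id", f"azurerm_public_ip.{name}"]}


def build_plan(pip_sku=None, lb_sku=None, separate_firewall_pip=False):
    """Constructed plan (hypothetical names); None means the attribute is omitted."""
    fw_pip = "MyTestPublicIPforFW" if separate_firewall_pip else "MyTestPublicIPforLB"
    resources = [_pip("MyTestPublicIPforLB", pip_sku)]
    if separate_firewall_pip:
        resources.append(_pip(fw_pip, "Standard"))
    lb_expr = {"name": {"constant_value": "lbmytest"},
               "frontend_ip_configuration": [{"name": {"constant_value": "ipconfLB"},
                                              "public_ip_address_id": _ref("MyTestPublicIPforLB")}]}
    if lb_sku is not None:
        lb_expr["sku"] = {"constant_value": lb_sku}
    resources += [
        {"address": "azurerm_firewall.MyTestFirewall", "type": "azurerm_firewall",
         "name": "MyTestFirewall",
         "expressions": {"name": {"constant_value": "fwmytest"},
                         "ip_configuration": [{"name": {"constant_value": "ipconfFW"},
                                               "public_ip_address_id": _ref(fw_pip)}]}},
        {"address": "azurerm_lb.MyTestLoadBalancer", "type": "azurerm_lb",
         "name": "MyTestLoadBalancer", "expressions": lb_expr},
    ]
    return {"format_version": "1.0", "configuration": {"root_module": {"resources": resources}}}


if __name__ == "__main__":
    for label, plan in [("sku commented out", build_plan()),
                        ("public IP Standard only", build_plan(pip_sku="Standard")),
                        ("answer's fix", build_plan("Standard", "Standard")),
                        ("separate Standard IPs", build_plan("Standard", "Standard", True))]:
        print(f"{label}: {check_plan(plan)}")
```

Running the four scenarios reproduces the thread: with `sku` commented out only the firewall complains, with the public IP set to Standard the load balancer complains instead, and with both set to Standard (the accepted answer) the SKU errors disappear, leaving only the shared-public-IP finding; giving the firewall its own Standard public IP clears everything.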