No way to delete a Firewall Policy Rule Collection Group in Bicep/ARM #17990
ChristopherGLewis
asked this question in
Q&A
-
Use deployment stacks: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell
-
Is there any way to delete a Rule Collection Group in ARM/Bicep? I've added an issue (#17989), but thought starting a discussion may help.
I'm in the process of creating Bicep templates for Azure Firewall Policies and have encountered what I consider a bug in the RP/API for Rule Collection Groups.
If I create an Azure Firewall Policy in code and add a rule collection group to it, then if I ever remove that rule collection group, it does not get deleted, and there's no way to delete it in Bicep/ARM.
The problem is that the parent/child relationship of the Policy to Rule Collection Groups is only defined in the RCG, not the policy.
Create two RCGs
Remove RCG 1 - but there's no way to delete Rule1
Incremental vs Complete.
A potential solution is to use a complete Resource Group deployment; however, with the Azure Firewall, this becomes problematic since the Azure Firewall is required to be in the same Resource Group as the network it's in. I haven't looked at a separate RG just for policies, but that could be a solution, but not ideal.
Better Solution
A better solution would be to have the AzFWPolicy have a list of RCGs and have the removal of an RCG from that list result in that RCG being deleted. This is more logical since an RCG can't exist as an Azure object on its own.
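An added example, not part of the original post or the Bicep project: a check that lists rule collection groups still deployed under a policy but no longer declared in the template, which is the state the question describes after an incremental deployment. It assumes the compiled ARM template uses literal resource names and that the deployed resource IDs were exported beforehand; the policy name, resource group and subscription ID are constructed placeholders.

```python
RCG_TYPE = "Microsoft.Network/firewallPolicies/ruleCollectionGroups"
POLICY_TYPE = "Microsoft.Network/firewallPolicies"

def declared_rcgs(template):
    """(policy, rcg) pairs declared in an ARM template, lower-cased."""
    found = set()
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        if rtype == RCG_TYPE.lower():
            # Top-level child resource: name is "<policy>/<rcg>".
            policy, _, rcg = res["name"].partition("/")
            found.add((policy.lower(), rcg.lower()))
        elif rtype == POLICY_TYPE.lower():
            # Nested child resource: type is the last segment only.
            for child in res.get("resources", []):
                if child.get("type", "").lower() == "rulecollectiongroups":
                    found.add((res["name"].lower(), child["name"].lower()))
    return found

def deployed_rcgs(resource_ids):
    """Map (policy, rcg) -> resource ID for deployed RCG resource IDs."""
    found = {}
    for rid in resource_ids:
        parts = [p.lower() for p in rid.strip("/").split("/")]
        if "firewallpolicies" in parts and "rulecollectiongroups" in parts[:-1]:
            policy = parts[parts.index("firewallpolicies") + 1]
            rcg = parts[parts.index("rulecollectiongroups") + 1]
            found[(policy, rcg)] = rid
    return found

def orphaned_rcgs(template, resource_ids):
    """Deployed RCGs that the template no longer declares."""
    declared = declared_rcgs(template)
    live = deployed_rcgs(resource_ids)
    return sorted(rid for key, rid in live.items() if key not in declared)

# Constructed sample: the template after RCG1 was removed from the code.
TEMPLATE = {"resources": [
    {"type": POLICY_TYPE, "name": "fwpol-hub"},
    {"type": RCG_TYPE, "name": "fwpol-hub/RCG2"},
]}
_BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-example/providers/Microsoft.Network/firewallPolicies/fwpol-hub")
DEPLOYED = [_BASE + "/ruleCollectionGroups/RCG1",
            _BASE + "/ruleCollectionGroups/RCG2"]

if __name__ == "__main__":
    for rid in orphaned_rcgs(TEMPLATE, DEPLOYED):
        print("orphaned:", rid)
```

Any ID it reports is a rule collection group whose rules are still enforced by the firewall even though the code no longer describes them.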