Cannot destroy Azure Firewall #14966

Closed
TamasSzerb opened this issue Jan 14, 2022 · 23 comments · Fixed by #15330
Labels: bug, service/firewall, upstream/microsoft (Indicates that there's an upstream issue blocking this issue/PR)
@TamasSzerb

TamasSzerb commented Jan 14, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.15.1
on linux_amd64

Affected Resource(s)

  • azurerm_firewall

Terraform Configuration Files

resource "azurerm_firewall" "azfw" {
  name = format("%s-%s-%s-%s", var.name_prefix, var.environment, var.location_[redacted]_name, "fw")
  location = var.location
  resource_group_name = var.resource_group_name
  tags = var.tags
  ip_configuration {
    name = "IpConf"
    subnet_id = azurerm_subnet.azfw-subnet.id
    public_ip_address_id = azurerm_public_ip.azfw-public-ip.id
  }
}

Debug Output

  • Reusing previous version of hashicorp/kubernetes from the dependency lock file
  • Reusing previous version of hashicorp/helm from the dependency lock file
  • Reusing previous version of hashicorp/null from the dependency lock file
  • Reusing previous version of hashicorp/external from the dependency lock file
  • Reusing previous version of hashicorp/azurerm from the dependency lock file
  • Reusing previous version of hashicorp/tls from the dependency lock file
  • Installing hashicorp/kubernetes v1.13.3...
  • Installed hashicorp/kubernetes v1.13.3 (signed by HashiCorp)
  • Installing hashicorp/helm v1.3.2...
  • Installed hashicorp/helm v1.3.2 (signed by HashiCorp)
  • Installing hashicorp/null v3.0.0...
  • Installed hashicorp/null v3.0.0 (signed by HashiCorp)
  • Installing hashicorp/external v2.0.0...
  • Installed hashicorp/external v2.0.0 (signed by HashiCorp)
  • Installing hashicorp/azurerm v2.92.0...
  • Installed hashicorp/azurerm v2.92.0 (signed by HashiCorp)
  • Installing hashicorp/tls v3.0.0...
  • Installed hashicorp/tls v3.0.0 (signed by HashiCorp)
  • Installing hashicorp/http v2.0.0...
  • Installed hashicorp/http v2.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!

Error: deleting Azure Firewall Firewall: (Azure Firewall Name "[redacted]" / Resource Group "[redacted]") : network.AzureFirewallsClient#Delete: Failure sending request: StatusCode=415 -- Original Error: Code="UnsupportedMediaType" Message="The content media type '' is not supported. Only 'application/json' is supported."

Panic Output

Expected Behaviour

Azure Firewall resource should be successfully destroyed.

Actual Behaviour

Terraform destroy failed.

Steps to Reproduce

  • terraform destroy

Important Factoids

References

@tombuildsstuff
Contributor

hey @TamasSzerb

Thanks for opening this issue - apologies for the confusion on our part here, looking into #14866 I read that as FrontDoor and not Firewall 🤦

Taking a look into this one this appears to be a similar issue in the Azure SDK for Go where the Content-Type field isn't being sent during the deletion of this resource - https://github.com/Azure/azure-sdk-for-go/blob/ff3a653623e72d5d9a54bdb89cbd1b5646623974/services/network/mgmt/2021-05-01/network/azurefirewalls.go#L154-L173

Comparing the current Swagger version that that's generated from and an older version these appear comparable - so my guess is this is actually a breaking change to the API behaviour that's rolling out, where the Content-Type was previously implied, but now isn't.

@jhendrixMSFT @JeffreyRichter heads up I think there's a breaking API change here which'll affect other SDK clients - although it's strange this isn't outputting a JSON Content-Type in the Go SDK here too, since the Swagger looks fine?

Thanks!

@jhendrixMSFT

Sorry for the delay.

The SDK doesn't set a content type as there is no body being sent as part of the request. Did this used to work in the past?

@earthquakesan

earthquakesan commented Feb 1, 2022

The firewall client is using azure go sdk 2021-05-01. There is a DeletePreparer function, which configures request using autorest, but does not include autorest.AsContentType("application/json; charset=utf-8") line as in this PR.

What's weird for me: in the same azurefirewalls.go, the content type is set for request when creating/updating Azure Firewall.

For me it looks like the azure-go-sdk library needs a fix - it is a one-line fix, not sure about release process here - and how to bump versions in this terraform provider afterwards.

P.S. I am here, because we have the same issue.

@jhendrixMSFT

Can anybody comment if this used to work though? We've never added the Content-Type header in the past for APIs that don't send a body in the request. If the service team changed the behavior here it would be great to know so I can follow up on that too.

@earthquakesan

earthquakesan commented Feb 1, 2022

@jhendrixMSFT I was developing/deploying Firewall using terraform in January this year and did not have this problem. I can not say exactly when it happened, but it looks like a recent problem (i.e. we encountered it first time last week~).

@rowco

rowco commented Feb 1, 2022

Likewise, I've been adding/removing Azure firewalls with Terraform without incident over the last few months. Not tried in the last week or so though.

@athiththan11

athiththan11 commented Feb 1, 2022

@jhendrixMSFT I have been deploying and destroying Azure Firewall resources using Terraform (with azurerm: 2.79) since December 2021, and I was able to destroy and deploy the resources successfully without any issue until mid of January 2022. For the last two weeks, I was not able to destroy the Azure Firewall resources due to the mentioned error (and have also tried bumping the azurerm to 2.92 as well)

@geekzter

geekzter commented Feb 1, 2022

Same here, it worked ever since the resource azurerm_firewall existed, until recently.

@j-chao

j-chao commented Feb 1, 2022

I can also confirm that this was recent, and I opened #14866 when I had first encountered this.

@byteknacker

I also have the same issue and got stuck here. Is there any update on this? Is that more of a problem that Microsoft or Go has to fix or something to do with azurerm?

@awterra
Contributor

awterra commented Feb 2, 2022

> Can anybody comment if this used to work though? We've never added the Content-Type header in the past for APIs that don't send a body in the request. If the service team changed the behavior here it would be great to know so I can follow up on that too.

@jhendrixMSFT We developed a module middle of last year that includes a firewall. The module updates the Azurerm Version automatically every week and runs tests. This issue just appeared this week when the test pipeline failed but we had the issue in another module 2 weeks ago. I'm trying to locate right now what resource caused it.

Edit:
I just checked the pipeline runs. This also happened January 13th in another Module but also with the azurerm_firewall resource. Funny thing is it doesn't happen every time. Last week the pipeline built and destroyed the resource with no errors.

@arnaudlh

arnaudlh commented Feb 4, 2022

Same on our end for CAF TF module we can more and more consistently repro in regions: https://github.com/aztfmod/terraform-azurerm-caf/runs/5051813780?check_suite_focus=true

@dan-dimitrov

dan-dimitrov commented Feb 4, 2022

Bump... just experienced this consistently in terraform 1.1.5. Is there an update on a fix?

@llgjermeni

Same problem here. Has anyone solved the issue?

@earthquakesan

As a workaround you can invoke az network firewall delete with AZ cli before terraform destroy. Not the best solution, but it worked in our case.

@ramsateesh

This is happening to us as well, our terraform modules were working just fine and this started to happen very recently.

@rohithegde

rohithegde commented Feb 7, 2022

Faced the same issue of "Error deleting Azure Firewall" today.
To confirm the impact of the issue based on above comments, I tried out the sample Firewall code from the official Terraform docs. I was able to replicate the issue for various combinations of Terraform versions (1.0.2, 0.14.11) and AzureRM providers (2.92.0, 2.80.0, 2.63.0, 2.25.0, 2.2.0). Since different versions of the Azure Go SDK are used in the various AzureRM versions, this doesn't look to be an issue related to a version but something common to most of them.

This is quite scary since we use versions to avoid exactly this kind of scenario.

@magodo
Collaborator

magodo commented Feb 8, 2022

@jhendrixMSFT As @earthquakesan has indicated that the az network firewall delete works, I inspected the request and noticed that it contains the Accept: application/json header (while no Content-Type header), though the response actually still has no payload.

@tombuildsstuff
Contributor

@magodo whilst this is being fixed within the Azure SDK/API's, would you mind updating the Delete call to manually set this header for the moment? We've done this in a few other places by lifting the Azure SDK method into an azuresdkhacks package and customizing it as necessary fwiw e.g.: https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/securitycenter/azuresdkhacks/security_center_contact.go
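
The "manually set this header" workaround discussed above, sketched as an added example that is not part of the thread and is not the provider's azuresdkhacks code: a standard-library `http.RoundTripper` that adds a JSON Content-Type to bodyless DELETE requests. The names `contentTypeOnDelete`, `strictAPI` and `deleteStatus`, the placeholder URL, and the stand-in transport that imitates the reported 415 behaviour are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// contentTypeOnDelete adds a JSON Content-Type to DELETE requests that have none.
type contentTypeOnDelete struct{ next http.RoundTripper }

func (t contentTypeOnDelete) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Method == http.MethodDelete && req.Header.Get("Content-Type") == "" {
		req = req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
		req.Header.Set("Content-Type", "application/json; charset=utf-8")
	}
	return t.next.RoundTrip(req)
}

// strictAPI is a constructed stand-in: DELETE without a JSON Content-Type gets 415.
type strictAPI struct{}

func (strictAPI) RoundTrip(req *http.Request) (*http.Response, error) {
	code := http.StatusAccepted
	if req.Method == http.MethodDelete && !strings.HasPrefix(req.Header.Get("Content-Type"), "application/json") {
		code = http.StatusUnsupportedMediaType
	}
	return &http.Response{StatusCode: code, Header: http.Header{}, Body: http.NoBody, Request: req}, nil
}

// deleteStatus sends a bodyless DELETE through client and returns the status code.
func deleteStatus(client *http.Client, url string) (int, error) {
	req, err := http.NewRequest(http.MethodDelete, url, nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	const url = "https://management.example.invalid/azureFirewalls/example-fw" // placeholder
	plain, _ := deleteStatus(&http.Client{Transport: strictAPI{}}, url)
	fixed, _ := deleteStatus(&http.Client{Transport: contentTypeOnDelete{strictAPI{}}}, url)
	fmt.Println("without header:", plain, "with header:", fixed)
}
```

Because the wrapper only touches DELETE requests that carry no Content-Type, create and update calls that already set the header pass through unchanged.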

@github-actions

This functionality has been released in v2.96.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 14, 2022