Feature Request - override firewall policy location in hub_networks azure_firewall settings #1218

Open
Greg-Court opened this issue Dec 13, 2024 · 0 comments


Greg-Court commented Dec 13, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add firewall policy location override in the configure_connectivity_resources.

Is your feature request related to a problem?

Azure allows chaining firewall policies. However, parent policies must reside in the same location as child policies in order to be eligible for chaining.


Describe the solution you'd like

Add a "firewall_policy_location" override argument to the config block of the azurerm_firewall in hub_networks


This would allow us to deploy all firewall policies to one location (with firewalls themselves in various regions), enabling selection of the same parent firewall policy for all.

Firewall policies support cross-region assignment, so this would not cause any issues.


I understand it is possible to set firewall_policy_id and deploy this separately, but this would be a cleaner solution to the problem, allowing the policies to still be created and managed by the CAF ES module.

Azure firewalls need a policy assigned at creation. If creating and managing the firewall policy externally, this can lead to a circular dependency situation whereby the CAF ES module cannot be deployed, and neither can the external policy due to reliance on CAF ES deployed resources.
