Troubleshooting a Network Firewall removal with Delete Protection Enabled

April 11, 2024 2 min read Troubleshooting Barny Baron

Journey: 📊 Community Builder 📊

Subject matter: 💡 Troubleshooting 💡

Following on from the last project I completed, building a VPC and installing a Network Firewall, I needed to do a fair amount of troubleshooting.

One thing caught me out during the teardown though… deleting a Network Firewall.

Read on for more…

I documented how the project went Here, but I thought I would write separately about an issue that popped up during the teardown and needed troubleshooting of its own.


After I had completed the Network Firewall installation and started removing it again, what I didn't anticipate was that the Network Firewall would have Delete Protection enabled.

The issue itself was straightforward: with delete protection switched on, the firewall is a protected resource, and every delete request is rejected until that flag is switched off. I could not find a way to change the flag from the AWS Management Console once the resource had been provisioned. Only, I didn't know any of this when I created it!

In my haste to investigate, I forgot to take a screenshot of the actual error I saw, but it looked a little like the one below:

[Screenshot: the delete request rejected with a red error banner]

The big red error banner is enough to tell you there is a problem, and it is not what you want to see!

Investigations commence!

I found two important pieces of information online on how to fix this:

  • The delete-protection flag has to be changed through the API, which I did via the AWS CLI.
  • The call has to target the right region and the exact firewall (by name or ARN).

Resources: These two articles helped me: Identify the issue and Identify the switch.

Identifying the issue:

Command required:

  • aws network-firewall describe-firewall --region <REGION> --firewall-name <FIREWALL_NAME>

In the output, the DeleteProtection field under Firewall comes back as "true". The firewall cannot be deleted while that is set. (Note that update-firewall-delete-protection insists on --delete-protection or --no-delete-protection, so it cannot be used just to read the current value; describe-firewall is the call for that.)

[Screenshot: CLI output showing DeleteProtection "true"]

Executing the fix:

Command required:

  • aws network-firewall update-firewall-delete-protection --region <REGION> --firewall-name <FIREWALL_NAME> --no-delete-protection

The response echoes the new setting: DeleteProtection is now "false", so the resource can be deleted.

[Screenshot: CLI output showing DeleteProtection "false"]

Once I had issued this command, I was able to delete the Network Firewall and all dependent/attached resources manually, and then complete the terraform destroy successfully.
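The whole check-then-clear-then-delete sequence as one script, added here as an example and not code from the original post. It assumes AWS CLI v2 is installed with credentials for the target account, and takes the region and firewall name as arguments. The SAMPLE_DESCRIBE value at the bottom is a constructed describe-firewall response used only to exercise the parsing step offline; it is not real output.

```shell
#!/bin/sh
# Added example (not from the original post): tear down a delete-protected
# AWS Network Firewall from the CLI. Assumes AWS CLI v2 with credentials for
# the target account; REGION and FIREWALL_NAME are supplied as arguments.
set -eu

# Pull the boolean Firewall.DeleteProtection out of `describe-firewall` JSON
# read from stdin. Whitespace is stripped first so the match is layout-agnostic.
delete_protection_flag() {
  tr -d ' \t\n' | grep -oE '"DeleteProtection":(true|false)' | head -n 1 | cut -d: -f2
}

# Read the flag, clear it only when it is set, then delete the firewall.
remove_firewall() {
  region="$1"
  name="$2"

  flag=$(aws network-firewall describe-firewall \
           --region "$region" --firewall-name "$name" | delete_protection_flag)

  case "$flag" in
    true)
      echo "Delete protection is enabled on $name in $region; clearing it"
      # update-firewall-delete-protection requires --delete-protection or
      # --no-delete-protection; it cannot be used just to read the value.
      aws network-firewall update-firewall-delete-protection \
        --region "$region" --firewall-name "$name" --no-delete-protection >/dev/null
      ;;
    false)
      echo "Delete protection already off for $name"
      ;;
    *)
      echo "Could not read DeleteProtection for $name (does it exist in $region?)" >&2
      return 1
      ;;
  esac

  # delete-firewall itself rejects the request if DeleteProtection is still true.
  aws network-firewall delete-firewall --region "$region" --firewall-name "$name"
}

# Constructed describe-firewall response used to exercise the parser offline.
SAMPLE_DESCRIBE='{"UpdateToken":"0123","Firewall":{"FirewallName":"demo-fw","DeleteProtection":true,"SubnetChangeProtection":false},"FirewallStatus":{"Status":"READY"}}'

# Usage: sh remove_firewall.sh <REGION> <FIREWALL_NAME>
if [ "$#" -eq 2 ]; then
  remove_firewall "$1" "$2"
fi
```

The parser deliberately refuses to proceed when the flag cannot be read, so a typo in the firewall name or the wrong region stops the script before it attempts a delete. If you prefer the CLI's own filtering over grep, the same field can be selected with --query 'Firewall.DeleteProtection'.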


I hope this helps someone else in the future!