Hi @simonmacpherson,
The error message includes the context that module.azurerm_firewall_policies is an empty object, which suggests that the if clause in your for_each expression for that module is filtering out all of the elements of var.azurerm_firewall_policies. Because of that, there is no attribute named "policy1" and therefore the lookup fails.
It seems that the for_each expression for module.azurerm_firewall_policy_rule_collection_groups includes a value whose firewall_policy_key is "policy1", and so Terraform is reporting that those two collections don’t agree with one another and so there’s no way to resolve that expression.
I’m not sure exactly what to suggest without understanding better the underlying goal, but mechanically the requirement here would be for you to make sure that the for_each expressions for these two module calls agree about which “firewall policy keys” should exist. That could mean writing a similar if clause for module.azurerm_firewall_policy_rule_collection_groups to filter out the ones that aren’t declared, or it could mean changing the definition of var.azurerm_firewall_policy_rule_collection_groups so that it only refers to policies which meet the condition of not including a value for the attribute base_policy.