EDITED NEW POST TO ADD MORE CLARIFICATION:
In current architecture we run ansible playbook (infrastructure.yml) to deploy infrastructure in Azure. We are ABLE TO CREATE resources with no problems including many other NSG rules.
With new NSG rule, our terraform run fails with following information below:
I have Azurerm version as:
provider "azurerm" {
version = "2.58.0"
...
Terraform version:
Terraform v0.13.4
I am able to create same rule through Azure CLI command as following:
az network nsg rule create -g 'MyGroup' --nsg-name 'MyNSG' -n 'AllowAzureMonitorOutbound' --priority 1200 --source-address-prefixes "*" --destination-address-prefixes AzureMonitor --destination-port-ranges 443 --direction Outbound --access Allow --protocol Tcp --description "AzureMonitor rule CLI creation."
But I am getting this ERROR while creating an NSG rule through Terraform :
**-- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter DestinationAddressPrefix for rule with Id /subscriptions/XXXXXXXXXXXXXX/resourceGroups/MyGroup/providers/Microsoft.Network/networkSecurityGroups/UMyNSG/securityRules/AllowAzureMonitorOutbound cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: AzureMonitor."**
<------------- Code and HashicoVault values--------------->
The code snip for terraform:
resource "azurerm_network_security_group" "prx" {
name = "${var.prx_hosts.name}-NSG"
resource_group_name = azurerm_resource_group.MYPROJECT.name
location = var.location
dynamic "security_rule" {
for_each = var.prx_hosts.security_group.rules
content {
name = security_rule.value.name
description = security_rule.value.description
access = security_rule.value.access
direction = security_rule.value.direction
protocol = security_rule.value.protocol
priority = security_rule.value.priority
source_address_prefix = security_rule.value.source_address_prefixes == ["any"] ? "*" : null
source_address_prefixes = security_rule.value.source_address_prefixes == ["any"] ? null : tolist(security_rule.value.source_address_prefixes)
destination_address_prefix = security_rule.value.destination_address_prefixes == ["any"] ? "*" : null
destination_address_prefixes = security_rule.value.destination_address_prefixes == ["any"] ? null : tolist(security_rule.value.destination_address_prefixes)
source_port_range = security_rule.value.source_port_ranges == ["any"] ? "*" : null
source_port_ranges = security_rule.value.source_port_ranges == ["any"] ? null : tolist(security_rule.value.source_port_ranges)
destination_port_range = security_rule.value.destination_port_ranges == ["any"] ? "*" : null
destination_port_ranges = security_rule.value.destination_port_ranges == ["any"] ? null : tolist(security_rule.value.destination_port_ranges)
}
}
}
The HashicoVault values we pass to terraform like:
"security_group": {
"name": "MY_PROJECT_NAME",
"rules": [
{
"access": "allow",
"description": "AzureMonitor rule CLI creation.",
"destination_address_prefixes": ["AzureMonitor"],
"destination_port_ranges": [
443
],
"direction": "Outbound",
"name": "AllowAzureMonitorOutbound",
"priority": 100,
"protocol": "TCP",
"source_address_prefixes": [
"any"
],
"source_port_ranges": [
"any"
]
}
]
}
I think it's actually stated in the provider that the source_address_prefix will take tags whereas the source_address_prefixes will only take CIDR blocks and IPs
Source:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#source_address_prefixes