
EDITED NEW POST TO ADD MORE CLARIFICATION:

In the current architecture we run an ansible playbook (infrastructure.yml) to deploy infrastructure in Azure. We are ABLE TO CREATE resources with no problems, including many other NSG rules.

With the new NSG rule, our terraform run fails with the following information:

My Azurerm provider version is:

provider "azurerm" {
  version = "2.58.0"
  ...

Terraform version:

Terraform v0.13.4

I am able to create the same rule through an Azure CLI command as follows:

az network nsg rule create -g 'MyGroup' --nsg-name 'MyNSG' -n 'AllowAzureMonitorOutbound' --priority 1200 --source-address-prefixes "*" --destination-address-prefixes AzureMonitor --destination-port-ranges 443  --direction Outbound --access Allow --protocol Tcp --description "AzureMonitor rule CLI creation."

But I am getting this ERROR while creating an NSG rule through Terraform:

**-- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter DestinationAddressPrefix for rule with Id /subscriptions/XXXXXXXXXXXXXX/resourceGroups/MyGroup/providers/Microsoft.Network/networkSecurityGroups/UMyNSG/securityRules/AllowAzureMonitorOutbound cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: AzureMonitor."** 

<------------- Code and HashicoVault values--------------->

The code snippet for terraform:

resource "azurerm_network_security_group" "prx" {
  name                = "${var.prx_hosts.name}-NSG"
  resource_group_name = azurerm_resource_group.MYPROJECT.name
  location            = var.location
  dynamic "security_rule" {
    for_each = var.prx_hosts.security_group.rules
    content {
      name                         = security_rule.value.name
      description                  = security_rule.value.description
      access                       = security_rule.value.access
      direction                    = security_rule.value.direction
      protocol                     = security_rule.value.protocol
      priority                     = security_rule.value.priority
      source_address_prefix        = security_rule.value.source_address_prefixes == ["any"] ? "*" : null
      source_address_prefixes      = security_rule.value.source_address_prefixes == ["any"] ? null : tolist(security_rule.value.source_address_prefixes)
      destination_address_prefix   = security_rule.value.destination_address_prefixes == ["any"] ? "*" : null
      destination_address_prefixes = security_rule.value.destination_address_prefixes == ["any"] ? null : tolist(security_rule.value.destination_address_prefixes)
      source_port_range            = security_rule.value.source_port_ranges == ["any"] ? "*" : null
      source_port_ranges           = security_rule.value.source_port_ranges == ["any"] ? null : tolist(security_rule.value.source_port_ranges)
      destination_port_range       = security_rule.value.destination_port_ranges == ["any"] ? "*" : null
      destination_port_ranges      = security_rule.value.destination_port_ranges == ["any"] ? null : tolist(security_rule.value.destination_port_ranges)
    }
  }
}

The HashicoVault values we pass to terraform look like:

        "security_group": {
          "name": "MY_PROJECT_NAME",
          "rules": [
            {
              "access": "allow",
              "description": "AzureMonitor rule CLI creation.",
              "destination_address_prefixes": ["AzureMonitor"],
              "destination_port_ranges": [
                443
              ],
              "direction": "Outbound",
              "name": "AllowAzureMonitorOutbound",
              "priority": 100,
              "protocol": "TCP",
              "source_address_prefixes": [
                "any"
              ],
              "source_port_ranges": [
                "any"
              ]
            }
          ]
        }
MustafaNY
  • Can you provide more information about the code you are using to try and deploy this? – Ked Mardemootoo Jun 01 '21 at 10:42
  • @KedMardemootoo tried to add more info to question. Thanks – MustafaNY Jun 02 '21 at 15:48
  • I'll need to spend a bit more time to look into it, hopefully someone else can figure it out earlier. You mentioned that it worked with other NSG rules but with 'new' rule it doesn't. What's the difference? The old rule isn't a template but this one is? – Ked Mardemootoo Jun 02 '21 at 18:57
  • It fails because of "destination_address_prefix ": "AzureMonitor" Terraform somehow does not accept "AzureMonitor" as destination_address_prefix. I have included Original Error within the question as well. – MustafaNY Jun 02 '21 at 19:49
  • So if you create a simple NSG that's not parameterised, just all with static values does it work? With the same values as above for example – Ked Mardemootoo Jun 03 '21 at 01:52
  • For example, when we use value "Internet" as following or some static IP, it works. It only does not work with "AzureMonitor". Following is a working sample rule: "access": "deny", "description": "deny outbound internet", "destination_address_prefixes": [ "Internet" ], – MustafaNY Jun 03 '21 at 14:17
  • Ok did you also try to delete the .terraform and re-run an init? Also what about other service tags, like AzureLoadBalancer, Storage... etc, same thing happens? – Ked Mardemootoo Jun 03 '21 at 14:26
  • Yes, deleted the .terraform and run init from scratch. Still errors out with same message. We use one more tag which is "VirtualNetwork" and that works fine too. – MustafaNY Jun 03 '21 at 16:04

2 Answers


I had the same problem with "AzureLoadBalancer", e.g. it works with "source_address_prefix" but not with "source_address_prefixes". Probably a provider bug.


I think it's actually stated in the provider that the source_address_prefix will take tags whereas the source_address_prefixes will only take CIDR blocks and IPs

Source:

source_address_prefix - (Optional) CIDR or source IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. This is required if source_address_prefixes is not specified.

source_address_prefixes - (Optional) List of source address prefixes. Tags may not be used. This is required if source_address_prefix is not specified.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#source_address_prefixes

matic
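A corrected version of the question's dynamic block, added here as an example (it is not the asker's code nor the provider's own): following the documentation quoted in this answer, any single entry (a CIDR, an IP, or a service tag such as AzureMonitor) goes to the singular argument, which accepts tags, and only multi-entry lists go to the plural argument, which accepts CIDR blocks and IPs only. It assumes var.prx_hosts.security_group.rules has the JSON shape shown in the question (non-empty lists, with "any" meaning wildcard).

```hcl
# Added example, not the asker's code. Assumes var.prx_hosts.security_group.rules
# has the JSON shape shown in the question and every prefix list is non-empty.
locals {
  nsg_rules = [
    for r in var.prx_hosts.security_group.rules : merge(r, {
      # ["any"]        -> "*" on the singular argument.
      # one entry      -> singular argument (CIDR, IP or service tag, e.g. "AzureMonitor").
      # several entries -> plural argument (CIDR blocks and IPs only, per the provider docs).
      src_prefix   = r.source_address_prefixes == ["any"] ? "*" : (length(r.source_address_prefixes) == 1 ? r.source_address_prefixes[0] : null)
      src_prefixes = length(r.source_address_prefixes) > 1 ? tolist(r.source_address_prefixes) : null
      dst_prefix   = r.destination_address_prefixes == ["any"] ? "*" : (length(r.destination_address_prefixes) == 1 ? r.destination_address_prefixes[0] : null)
      dst_prefixes = length(r.destination_address_prefixes) > 1 ? tolist(r.destination_address_prefixes) : null
    })
  ]
}

resource "azurerm_network_security_group" "prx" {
  name                = "${var.prx_hosts.name}-NSG"
  resource_group_name = azurerm_resource_group.MYPROJECT.name
  location            = var.location

  dynamic "security_rule" {
    for_each = local.nsg_rules
    content {
      name                         = security_rule.value.name
      description                  = security_rule.value.description
      access                       = security_rule.value.access
      direction                    = security_rule.value.direction
      protocol                     = security_rule.value.protocol
      priority                     = security_rule.value.priority
      # Pre-computed above so a service tag never lands on the *_prefixes argument.
      source_address_prefix        = security_rule.value.src_prefix
      source_address_prefixes      = security_rule.value.src_prefixes
      destination_address_prefix   = security_rule.value.dst_prefix
      destination_address_prefixes = security_rule.value.dst_prefixes
      # Port handling is unchanged from the question's block.
      source_port_range            = security_rule.value.source_port_ranges == ["any"] ? "*" : null
      source_port_ranges           = security_rule.value.source_port_ranges == ["any"] ? null : tolist(security_rule.value.source_port_ranges)
      destination_port_range       = security_rule.value.destination_port_ranges == ["any"] ? "*" : null
      destination_port_ranges      = security_rule.value.destination_port_ranges == ["any"] ? null : tolist(security_rule.value.destination_port_ranges)
    }
  }
}
```

For the question's AllowAzureMonitorOutbound rule this yields destination_address_prefix = "AzureMonitor" and destination_address_prefixes = null, which is what the az CLI call creates; a tag inside a list of several entries still cannot be expressed and needs its own rule.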