AzureRM_Network_Security_Rule only maps to one NSG #13254

Closed
DanielMabbett opened this issue Mar 31, 2017 · 2 comments

@DanielMabbett

Hey guys,

After separating out the security rules from the network security groups, I noticed that you can only map one security rule resource to one NSG resource. Is there any way you could allow it so you can map it to multiple NSGs (i.e. have the exact same security rules across multiple security groups in Azure)?

I know I can do it manually at the moment, but where is the fun in that?

If there are short term workarounds let me know, otherwise it would be a great feature to add in so that you can specify multiple nsgs it can be deployed to.

Many thanks!

@tombuildsstuff
Contributor

Hi @ExplodingTurkey

Thanks for the feature request :)

> After separating out the security rules from the network security groups, I noticed that you can only map one security rule resource to one NSG resource. Is there any way you could allow it so you can map it to multiple NSGs (i.e. have the exact same security rules across multiple security groups in Azure)?

As you've mentioned, there's a 1:1 relationship between Network Security Groups and Network Security Rules in Azure.

Within Terraform we map Resources to those cloud resources, which means there's also a 1:1 relationship between each object in code and the associated remote resource.

Whilst we might be able to do something here around mapping one NSR to multiple NSGs, it raises a ton of challenging questions:

  • How do you handle conflicts between multiple Resources managing the same state?
  • What happens if it crashes halfway through - does Terraform manage the resource?

As such, I don't believe it's a feature we're likely to add to Terraform anytime soon, sorry!

My suggestion here would be to open a feature request with Microsoft - there may be something they can do to enable an NSR to be reused, or attached in some form.

> If there are short term workarounds let me know, otherwise it would be a great feature to add in so that you can specify multiple nsgs it can be deployed to.

The simplest option which comes to mind would be a module which contains the common Network Security Rules you need to apply to a Network Security Group. Whilst that's not ideal due to the code duplication, you could potentially wrap the Network Security Group in its own module, which would help to reduce the duplication even further - for the tradeoff of complexity.

I'd also recommend tracking this PR / this issue which adds support for `count` to modules - which would be another way around this.

Apologies that we can't help you further here - as such I'm going to close this issue.

Thanks!
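
The module workaround suggested in the comment above could look like the sketch below. This is an added example, not code from the thread or from the Terraform project; the module path, rule names, rule values and the referenced resource group and NSG resources are assumptions, and `for_each` on resources requires a Terraform release newer than the ones current when this issue was opened.

```hcl
# --- modules/common_nsg_rules/main.tf (hypothetical module path) ---
variable "resource_group_name" {
  type = string
}

variable "network_security_group_name" {
  type = string
}

# Constructed baseline rules for illustration; replace with your own policy.
locals {
  rules = {
    "allow-https-from-vnet" = { priority = 100, access = "Allow", protocol = "Tcp", port = "443", source = "VirtualNetwork" }
    "deny-all-inbound"      = { priority = 4096, access = "Deny", protocol = "*", port = "*", source = "*" }
  }
}

# One rule resource per entry, per NSG: the 1:1 rule-to-NSG mapping is preserved.
resource "azurerm_network_security_rule" "common" {
  for_each = local.rules

  name                        = each.key
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = each.value.access
  protocol                    = each.value.protocol
  source_port_range           = "*"
  destination_port_range      = each.value.port
  source_address_prefix       = each.value.source
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.network_security_group_name
}

# --- main.tf (root module) ---
# azurerm_resource_group.example and both NSGs are assumed to be defined elsewhere.
module "web_nsg_rules" {
  source                      = "./modules/common_nsg_rules"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.web.name
}

module "app_nsg_rules" {
  source                      = "./modules/common_nsg_rules"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.app.name
}
```

Each module call creates its own rule resources in state, so a manual change to a rule on one NSG shows up as drift for that NSG only in `terraform plan`.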

@ghost

ghost commented Apr 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 13, 2020