
How do I create multiple Security rules using Terraform in Azure?

I am trying to create a Network Security Group with multiple security rules in it. The idea is to define a list variable of port ranges and interpolate the list items in the .tf file. The script below fails with the following error:

"Error: azurerm_network_security_group.k8hway: security_rule.0: invalid or unknown key: count"

Below is the Terraform code:

# The question's attempt: one inline security_rule per entry in
# var.inbound_port_ranges.
#
# NOTE(review): `count` is a resource-level meta-argument. It is not a valid
# key inside a nested `security_rule` block, which is exactly what the
# "security_rule.0: invalid or unknown key: count" error reports.
resource "azurerm_network_security_group" "NSG" {
  name     = "NSG-Demo"
  location = "${azurerm_resource_group.main.location}"
  resource_group_name  = "${azurerm_resource_group.main.name}"

  security_rule  {
      # Not allowed here: nested blocks have no count / count.index.
      count = "${length(var.inbound_port_ranges)}"
      name                       = "sg-rule-${count.index}"
      direction                  = "Inbound"
      access                     = "Allow"
      # The parentheses sit outside the interpolation, so even if count worked
      # this would be the literal string "(100 * (0 + 1))", not a number.
      # The arithmetic has to go inside the ${ }.
      priority                   = "(100 * (${count.index} + 1))"
      # "*" admits traffic from any source address: every listed port would be
      # reachable from the whole internet on a public-facing subnet or NIC.
      source_address_prefix      = "*"
      source_port_range          = "*"
      destination_address_prefix = "*"
      # element() wraps around modulo the list length; with count equal to the
      # list length each rule gets exactly one entry.
      destination_port_range     = "${element(var.inbound_port_ranges, count.index)}"
      protocol                   = "TCP"
    }
}





For those who want to use a `dynamic` block instead of hard-coded values: define a new Terraform variable such as the following.

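# One object per rule; each attribute maps 1:1 onto an attribute of an inline
# security_rule block, so the dynamic block can copy them through verbatim.
variable "security_rules" {
  description = "A list of security rules to be created, one object per rule."
  type = list(object({
    name                       = string
    # Azure evaluates lower numbers first; the value must be unique per
    # direction within the NSG and lie in the range 100-4096.
    priority                   = number
    direction                  = string # "Inbound" or "Outbound"
    access                     = string # "Allow" or "Deny"
    protocol                   = string # "Tcp", "Udp", "Icmp" or "*"
    source_port_range          = string
    destination_port_range     = string
    # Prefer a CIDR or service tag over "*" for admin ports such as 22/3389;
    # "*" exposes the port to every source address.
    source_address_prefix      = string
    destination_address_prefix = string
  }))
}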

Then on the resource:

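# NSG whose inline rules are generated from var.security_rules.
#
# The for_each map is keyed by rule name so plan output names the rule instead
# of its list position. Terraform rejects duplicate keys in this map
# expression, so two entries sharing a name fail at plan time rather than
# silently overwriting each other.
#
# NOTE: per the provider docs, an NSG that declares inline security_rule
# blocks cannot be combined with standalone azurerm_network_security_rule
# resources for the same NSG; pick one style.
resource "azurerm_network_security_group" "nsg" {
  name                = "example-nsg"
  location            = "example"
  resource_group_name = "example"

  dynamic "security_rule" {
    for_each = { for rule in var.security_rules : rule.name => rule }
    content {
      name                       = security_rule.value.name
      priority                   = security_rule.value.priority
      direction                  = security_rule.value.direction
      access                     = security_rule.value.access
      protocol                   = security_rule.value.protocol
      source_port_range          = security_rule.value.source_port_range
      destination_port_range     = security_rule.value.destination_port_range
      source_address_prefix      = security_rule.value.source_address_prefix
      destination_address_prefix = security_rule.value.destination_address_prefix
    }
  }
}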



The answer by @4c74356b41 works, but here is a simpler solution using plain inline rules:

UPDATE:

# NSG with three hand-written inline rules. Lower priority numbers are
# evaluated first, so the order here is: 300 (Elasticsearch), 400 (Kibana),
# then 500 (SSH). All three use "*" as the source, i.e. the ports are reachable
# from any address — acceptable for a lab, not for anything internet-facing;
# narrow source_address_prefix to a CIDR before reusing this.
resource "azurerm_network_security_group" "nsg" {
  name                = "nsg"
  location            = "westeurope"
  resource_group_name = "resorceGroup"

  # Management access: TCP/22 from anywhere.
  security_rule {
    name      = "allow-ssh"
    priority  = 500
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }

  # Kibana web UI: TCP/80 from anywhere.
  security_rule {
    name      = "allow-kibana-service"
    priority  = 400
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "80"
  }

  # Elasticsearch REST/transport: TCP/9200-9300 from anywhere.
  security_rule {
    name      = "allow-es-service"
    priority  = 300
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "9200-9300"
  }
}



# Network Security Group with two inline inbound rules. Location and resource
# group come from variables rather than being hard-coded.
#
# Both rules accept traffic from every source ("*"). For SSH in particular,
# restrict source_address_prefix to the management CIDR before deploying this
# anywhere public.
resource "azurerm_network_security_group" "mynsg" {
  name                = "networksg"
  location            = var.rgLocation
  resource_group_name = var.rgName

  # TCP/22, evaluated first (priority 1001).
  security_rule {
    name      = "SSH"
    priority  = 1001
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }

  # TCP/6666, evaluated second (priority 1101). Despite the name "SSHnew",
  # this rule opens port 6666, not an alternate SSH port on 22.
  security_rule {
    name      = "SSHnew"
    priority  = 1101
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "6666"
  }
}



I don't think nested blocks support `count`, but resources do. Use the standalone network security rule resource instead, one per port range, and attach it to the NSG by name:

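# One standalone rule per entry in var.inbound_port_ranges, attached to the
# question's NSG by name. A standalone rule needs both the resource group and
# the NSG it belongs to; the original answer omitted both required arguments.
# The NSG resource itself must then carry no inline security_rule blocks —
# the provider does not allow mixing the two styles on one NSG.
resource "azurerm_network_security_rule" "test" {
  count = "${length(var.inbound_port_ranges)}"

  name                        = "sg-rule-${count.index}"
  resource_group_name         = "${azurerm_resource_group.main.name}"
  network_security_group_name = "${azurerm_network_security_group.NSG.name}"

  direction = "Inbound"
  access    = "Allow"
  # Priorities must be unique per direction and lie in 100-4096; stepping by
  # 100 leaves room for hand-written rules in between (and caps this list at
  # 40 entries). The arithmetic has to sit inside the interpolation: with the
  # parentheses outside it, as originally written, the value is the literal
  # string "(100 * (0 + 1))" rather than a number.
  priority = "${100 * (count.index + 1)}"

  # "Tcp" is the spelling used in the provider documentation.
  protocol               = "Tcp"
  source_port_range      = "*"
  # element() wraps modulo the list length; count equals the length, so each
  # rule gets exactly one port range.
  destination_port_range = "${element(var.inbound_port_ranges, count.index)}"

  # "*" admits every source address, so each listed port is open to the whole
  # internet when this NSG sits on a public-facing subnet or NIC. Restrict
  # this to the CIDRs or service tags that legitimately need access.
  source_address_prefix      = "*"
  destination_address_prefix = "*"
}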

Reading:

https://www.terraform.io/docs/providers/azurerm/r/network_security_rule

