Conditionally create nsg security rule | Parametrise source IP ranges

[rginev]

I would want some control on nsg security rule for remote_port:

• Create it only if remote_port is specified

• Add ability to control source IP ranges

[ghost]

All CLA requirements met.

[GarethOates]

Any chance you could make the priority a little higher, to allow flexibility to overwrite it if necessary? 110 or something instead of the lowest value of 100?

[GarethOates]

Can this please be reviewed and included in the next release?

[DaemonDude23]

I need this functionality as well. I'd like to disable this module's NSG and instead attach my own for greater control.

[anhqqt]

Hello, I also need to disable this feature because I want to apply my own NSG in the scope of the subnet. Or you can provide a more flexible way to edit and control the NSG created by this compute module?

[yupwei68]

Hi @rginev , thanks for opening this PR. 🚀 . Would you mind updating your code to merge the latest code?

[rginev]

Hi @yupwei68, thanks for attending the PR - code has been synced

[yupwei68]

LGTM 👍

[GarethOates]

Any indication on when the new version will be pushed to the terraform registry?

[DaemonDude23]

I get this error since my fork of master today, relating to this PR I believe:

cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: *."

The docs say that you can't use "*" as a prefix ("Tags may not be used"), which is this module's default value for this variable if not specified. I set module variable source_address_prefixes = ["0.0.0.0/0"] and that worked fine.

I need to be able to disable the association of this module's NSG with a VM's NIC, so I'm going to be creating a PR for that in the next day or two. I need more granularity with the NSG.

[yupwei68]

Hi @chicken231 , sorry that I can not reproduce your error with the example in the README and my test CI shows success. Would you mind providing a more detailed reproducing steps and opening an issue for it? Thanks.

[yupwei68]

@GarethOates Thanks for your comment. It has been released in 3.4.0.

[DaemonDude23]

@yupwei68
The bug can only be reproduced when remote_ports is not empty. From what I can tell, in the tests and in the 'simple usage' example, neither of those populate that variable, which is why this bug doesn't appear there. This is the conditional that must be triggered to result in the error I have mentioned:

terraform-azurerm-compute/main.tf

Line 174 in c068a84

count = var.remote_port != "" ? 1 : 0

One way to fix it would be to change the default value of source_address_prefixes to be 0.0.0.0/0 or something similar, but the current default value is invalid per Azure's API and Terraform's docs that I referenced earlier.

I just grabbed the example from the README (the advanced one since it's the only example/test which specifies remote_ports), and heres the error I get when applying it (same as what I get with my own terraform code):

Error: Error Creating/Updating Network Security Rule "allow_remote_22_in_all" (NSG "mylinuxvm-nsg" / Resource Group "Sandbox"): network.SecurityRulesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter SourceAddressPrefix for rule with Id /subscriptions/REDACTED/resourceGroups/Sandbox/providers/Microsoft.Network/networkSecurityGroups/mylinuxvm-nsg/securityRules/allow_remote_22_in_all cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: *." Details=[]

  on .terraform/modules/linuxservers/terraform-azurerm-compute-3.4.0/main.tf line 173, in resource "azurerm_network_security_rule" "vm":
 173: resource "azurerm_network_security_rule" "vm" {