azurerm_network_security_rule, rule name not resource name must be unique? #13773

Closed
abdelhegazi opened this issue Apr 19, 2017 · 3 comments

abdelhegazi commented Apr 19, 2017

Terraform Version

Terraform v0.8.8

I know that 0.9.3 is out but for some backward compatibility I have to use 0.8.x version

Affected Resource(s)

Please list the resources as a list, for example:

  • azurerm_network_security_rule

Terraform Configuration Files

resource "azurerm_network_security_rule" "httpRule" {
  name                        = "HTTP"
  priority                    = 120
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "80"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${var.cbox_resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}

resource "azurerm_network_security_rule" "httpsRule" {
  name                        = "HTTPS"
  priority                    = 130
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${var.cbox_resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}

resource "azurerm_network_security_rule" "httpsRule2" {
  name                        = "HTTPS2"
  priority                    = 140
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "8080"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${var.cbox_resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}

resource "azurerm_network_security_rule" "consulrule1" {
  name                        = "HTTP-HTTPS-Consul"
  priority                    = 150
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "8300-8600"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${var.cbox_resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}

resource "azurerm_network_security_rule" "denyRule" {
  name                        = "deny-all"
  priority                    = 1000
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${var.cbox_resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}

Expected Behavior

I made sure the resource names (sshRule, httpRule, httpsRule, etc.) are unique, regardless of whether the name of each rule is unique or not, as I use it as a tag to classify all related rules with the same name. So the expected behavior is to create all the mentioned rules in order with no issues.

Actual Behavior

Terraform basically creates only one of the rules that have the same name. For example, the httpRule resource has the name "HTTP" and the consulRule resource also has the same name, "HTTP". Also, "httpsrule", which allows inbound for 443, has the same value as "httpsrule2", which allows inbound for 8080, and both rules had the same name value "HTTPS". What happens is that Terraform only creates one of them, and when running terraform plan it shows that it needs to add some more resources, and on terraform apply it deletes, for example, the rule for 443 and adds the rule for 8080, or vice versa.

It took me some time until I tried to make everything unique, which made it succeed. I guess this needs to be added clearly to the documentation (https://www.terraform.io/docs/providers/azurerm/r/network_security_rule.html#name): in addition to being REQUIRED, it also needs to be a unique value for each rule we add into our HCL code.

@abdelhegazi abdelhegazi changed the title azurerm_network_security_rule, name has to be unique? azurerm_network_security_rule, rule name not resource name must be unique? Apr 19, 2017
@AnthonyStainer

In addition, it doesn't look like Terraform is actually enforcing Name to be 'required', it'll happily try to provision without a Name, and die with

network.SecurityRulesClient#CreateOrUpdate: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="Unknown" Message="Unknown service error
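
Added example, not part of the thread or of Terraform's own code: a small pre-plan lint in Python that flags the two conditions reported above, a rule `name` reused within one network security group and a rule with no `name` at all. The HCL sample, the regex-based parser (flat rule blocks only) and the function name `lint_nsg_rules` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the report: two rules share the name "HTTPS"
# in one NSG, and a third rule has no name attribute.
SAMPLE_HCL = '''
resource "azurerm_network_security_rule" "httpsRule" {
  name                        = "HTTPS"
  destination_port_range      = "443"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}
resource "azurerm_network_security_rule" "httpsRule2" {
  name                        = "HTTPS"
  destination_port_range      = "8080"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}
resource "azurerm_network_security_rule" "noName" {
  destination_port_range      = "22"
  network_security_group_name = "${azurerm_network_security_group.consul-sg.name}"
}
'''

# Simplified parser (assumption): rule blocks are flat and close with "}" in column 0.
BLOCK = re.compile(
    r'resource\s+"azurerm_network_security_rule"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', re.M)

def lint_nsg_rules(hcl):
    """Return findings for rules with no name or a name reused within one NSG."""
    findings, seen = [], defaultdict(list)
    for label, body in BLOCK.findall(hcl):
        attrs = dict(ATTR.findall(body))
        name = attrs.get("name")
        if not name:
            findings.append(("missing-name", label))
            continue
        # ARM resource names compare case-insensitively, so normalise before grouping.
        key = (attrs.get("resource_group_name"),
               attrs.get("network_security_group_name"), name.lower())
        seen[key].append(label)
    for (_, _, name), labels in seen.items():
        if len(labels) > 1:
            findings.append(("duplicate-name", name, tuple(labels)))
    return findings

if __name__ == "__main__":
    for finding in lint_nsg_rules(SAMPLE_HCL):
        print(finding)
```

Run against a module before `terraform plan`, a non-empty result points at rules that would replace each other on successive applies or be rejected by the API.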

@tombuildsstuff
Contributor

Hi @abdelhegazi

Thanks for reporting this issue.

I've taken the partial configuration that you've posted, and filled in the missing pieces to get this config:

resource "azurerm_resource_group" "test" {
  name     = "tharvey-bug13773rg"
  location = "West Europe"
}

resource "azurerm_network_security_group" "test" {
  name                = "tharvey-bug13773nsg"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
}

resource "azurerm_network_security_rule" "httpRule" {
  name                        = "HTTP"
  priority                    = 120
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "80"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.test.name}"
  network_security_group_name = "${azurerm_network_security_group.test.name}"
}

resource "azurerm_network_security_rule" "httpsRule" {
  name                        = "HTTPS"
  priority                    = 130
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.test.name}"
  network_security_group_name = "${azurerm_network_security_group.test.name}"
}

resource "azurerm_network_security_rule" "httpsRule2" {
  name                        = "HTTPS2"
  priority                    = 140
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "8080"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.test.name}"
  network_security_group_name = "${azurerm_network_security_group.test.name}"
}

resource "azurerm_network_security_rule" "consulrule1" {
  name                        = "HTTP-HTTPS-Consul"
  priority                    = 150
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "8300-8600"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.test.name}"
  network_security_group_name = "${azurerm_network_security_group.test.name}"
}

resource "azurerm_network_security_rule" "denyRule" {
  name                        = "deny-all"
  priority                    = 1000
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.test.name}"
  network_security_group_name = "${azurerm_network_security_group.test.name}"
}

However, I'm having a hard time replicating this issue on either TF 0.8.8 or TF 0.9.3 - would it be possible for you to post a full reproducible TF config so that we can investigate this further?

Thanks!


Hi @AnthonyStainer

> In addition, it doesn't look like Terraform is actually enforcing Name to be 'required', it'll happily try to provision without a Name, and die with..

I've opened PR #13900 to fix this (and a couple of other issues with this resource) 😄

Thanks!

@ghost

ghost commented Apr 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 9, 2020