module "mod_dmz_spoke" {
source = "azurenoops/overlays-workload-spoke/azurerm"
version = ">= 2.0.0"
# By default, this module will create a resource group.
# To use an existing resource group, specify the existing resource group name,
# and set the argument to `create_resource_group = false`. The location will be the same as the existing RG.
create_resource_group = var.create_resource_group
custom_spoke_resource_group_name = var.custom_dmz_resource_group_name
location = "eastus"
deploy_environment = var.deploy_environment
org_name = var.org_name
environment = var.environment
workload_name = var.wl_name
# Collect Hub network details for peering.
hub_virtual_network_id = var.hub_virtual_network_id
hub_firewall_private_ip_address = var.hub_firewall_private_ip_address
hub_storage_account_id = var.hub_storage_account_id
# (Required) Log Analytics information for Azure monitoring and flow logs.
# The log_analytics_logs_retention_in_days values range between 30 and 730
log_analytics_workspace_id = var.hub_managmement_logging_log_analytics_id
log_analytics_customer_id = var.hub_managmement_logging_workspace_id
log_analytics_logs_retention_in_days = 30
# Provide valid VNet CIDR Address space for the DMZ virtual network.
virtual_network_address_space = var.wl_vnet_address_space # (Required) Spoke Virtual Network Parameters
# (Required) Specify if you are deploying the DMZ VNet to the same subscription as the Hub VNet
is_spoke_deployed_to_same_hub_subscription = var.is_wl_spoke_deployed_to_same_hub_subscription
# (Required) Definition of Subnets, Service delegation, Service Endpoints, Network security groups to be created
# This list includes the Default subnet. If not specified, no Subnets will be added to the VNet
# Check README.md for more details
# Route_table and NSG association to be added automatically for all subnets listed here.
# Subnet names will be set per the Azure naming convention by default. Expected value here is: <App or project name>
spoke_subnets = var.wl_subnets
# Enable Flow Logs
# By default, this will enable the traffic analytics flow logs for all subnets.
enable_traffic_analytics = var.enable_traffic_analytics
# By default, forced tunneling is disabled for the DMZ spoke.
# If you want to enable forced tunneling from the DMZ VNet to the Hub VNet via the DMZ spoke route table,
# set `enable_forced_tunneling_on_route_table = true`.
enable_forced_tunneling_on_route_table = var.enable_forced_tunneling_on_wl_route_table
# Private DNS Zone Settings
# By default, Azure NoOps will create Private DNS Zones for Logging in Hub VNet.
# If you want to create additional Private DNS Zones,
# then add them into the list of private_dns_zones to be created.
# else, remove the private_dns_zones argument.
private_dns_zones = var.wl_private_dns_zones
# Peering
# By default, Azure NoOps will create peering between the Hub and the DMZ spoke.
# Since the hub is using a gateway, set the argument to `use_source_remote_spoke_gateway = true` to enable gateway traffic.
use_source_remote_spoke_gateway = var.use_source_remote_spoke_gateway
# By default, this will apply resource locks to all resources created by this module.
# To disable resource locks, set the argument to `enable_resource_locks = false`.
enable_resource_locks = var.enable_resource_locks
# Tags
add_tags = local.workload_resources_tags # Tags to be applied to all resources
}
Error: creating/updating Network Security Group: (Name "ssj-eus-codex-dev-default-nsg" / Resource Group "ssj-eus-codex-dev-rg"): network.SecurityGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter SourceAddressPrefix for rule with Id /subscriptions/c24647bf-0c86-4408-8d29-6a67262a2701/resourceGroups/ssj-eus-codex-dev-rg/providers/Microsoft.Network/networkSecurityGroups/ssj-eus-codex-dev-default-nsg/securityRules/allow-code-x-55555-to-proxy cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: *." Details=[]
│
│ with module.dmz_spoke.module.mod_dmz_spoke.azurerm_network_security_group.nsg["default"],
│ on .terraform/modules/dmz_spoke.mod_dmz_spoke/resources.workload.spoke.nsg.tf line 4, in resource "azurerm_network_security_group" "nsg":
│ 4: resource "azurerm_network_security_group" "nsg" {
│
Expected Behaviour
The NSG should have created the rules successfully using the * for the source and destination addresses.
Actual Behaviour
The error above is thrown and the NSG rule is not updated.
Steps to Reproduce
Placing ["*"] in the source_address_prefixes or destination_address_prefixes position for the Inbound or Outbound NSG rules in a Subnet will cause this problem.
["allow-code-x-4444-to-proxy", "Allow access to port 4444", 300, "Inbound", "Allow", "*", ["4444"], ["*"], ["*"]]
The problem is that the Workload Spoke NSG module, lines 21 & 22, calls azurerm_network_security_group's rule creation but only uses the source_address_prefixes and destination_address_prefixes parameters. These can't take the `*`; only source_address_prefix and destination_address_prefix can take `*`, and those are not available in the NoOps version.
Is there an existing issue for this?
Greenfield/Brownfield provisioning
brownfield
Terraform Version
1.4.6
Module Version
2.0.3
AzureRM Provider Version
3.60.0
Affected Resource(s)/Data Source(s)
azurerm_network_security_group.nsg
Terraform Configuration Files
tfvars variables values
Debug Output/Panic Output
Important Factoids
No response
References
AzureRM Network Security Group Docs has the info needed to fix this.
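One way to build the NSG so that `*` and service tags are accepted, as an added example that is not the module's code or the reporter's configuration: route each rule's address prefixes to the singular `source_address_prefix` / `destination_address_prefix` argument when the list holds `*` or a service tag, and to the plural `*_address_prefixes` argument only when every entry is an IP address or CIDR. The rule tuples, resource names and the hex/CIDR regex below are constructed for illustration; the tuple layout follows the one shown in Steps to Reproduce.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.60.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Constructed input in the same tuple shape the issue uses for subnet NSG rules:
# [name, description, priority, direction, access, protocol,
#  destination_port_ranges, source_address_prefixes, destination_address_prefixes]
locals {
  example_rules = [
    ["allow-code-x-4444-to-proxy", "Allow access to port 4444", 300, "Inbound", "Allow", "*", ["4444"], ["*"], ["*"]],
    ["allow-hub-to-8443", "Allow hub subnets to 8443", 310, "Inbound", "Allow", "Tcp", ["8443"], ["10.0.1.0/24", "10.0.2.0/24"], ["VirtualNetwork"]],
  ]

  # Heuristic (assumption of this example): an entry made only of hex digits, dots,
  # colons and an optional /len looks like an IPv4/IPv6 address or CIDR and may go in
  # the plural *_address_prefixes list. Anything else ("*", VirtualNetwork, Internet,
  # AzureLoadBalancer, other service tags) is rejected there by the API and must use
  # the singular *_address_prefix argument. Azure allows one tag per rule, so a
  # tag-style list is expected to hold a single element.
  cidr_re = "^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$"

  prefixes_are_cidrs = {
    for r in local.example_rules : r[0] => {
      src = alltrue([for p in r[7] : can(regex(local.cidr_re, p))])
      dst = alltrue([for p in r[8] : can(regex(local.cidr_re, p))])
    }
  }

  # Exactly one of the singular/plural pair is set; the other is null (unset),
  # which satisfies the provider's conflicts_with constraint between them.
  rules = {
    for r in local.example_rules : r[0] => {
      description                  = r[1]
      priority                     = r[2]
      direction                    = r[3]
      access                       = r[4]
      protocol                     = r[5]
      destination_port_ranges      = r[6]
      source_address_prefix        = local.prefixes_are_cidrs[r[0]].src ? null : r[7][0]
      source_address_prefixes      = local.prefixes_are_cidrs[r[0]].src ? r[7] : null
      destination_address_prefix   = local.prefixes_are_cidrs[r[0]].dst ? null : r[8][0]
      destination_address_prefixes = local.prefixes_are_cidrs[r[0]].dst ? r[8] : null
    }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "example-nsg-rg" # hypothetical name
  location = "eastus"
}

resource "azurerm_network_security_group" "example" {
  name                = "example-default-nsg" # hypothetical name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  dynamic "security_rule" {
    for_each = local.rules
    content {
      name                         = security_rule.key
      description                  = security_rule.value.description
      priority                     = security_rule.value.priority
      direction                    = security_rule.value.direction
      access                       = security_rule.value.access
      protocol                     = security_rule.value.protocol
      source_port_range            = "*"
      destination_port_ranges      = security_rule.value.destination_port_ranges
      source_address_prefix        = security_rule.value.source_address_prefix
      source_address_prefixes      = security_rule.value.source_address_prefixes
      destination_address_prefix   = security_rule.value.destination_address_prefix
      destination_address_prefixes = security_rule.value.destination_address_prefixes
    }
  }
}
```

With this layout the first rule is sent to the API with `sourceAddressPrefix = "*"` and `destinationAddressPrefix = "*"`, which is the form Azure accepts, while the second rule keeps its two CIDRs in `sourceAddressPrefixes` and puts the `VirtualNetwork` tag in the singular destination field. A `terraform plan` is enough to see which argument each rule ends up in before anything is created.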