hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Error: Error Building list of Network Security Group Rules #12433

Closed johnathon-b closed 1 year ago

johnathon-b commented 3 years ago

Terraform (and AzureRM Provider) Version

Terraform v0.14.5
AzureRM v2.17

Affected Resource(s)

Terraform Configuration Files

I am creating Network Security Groups using dynamic blocks like this:

resource "azurerm_network_security_group" "nsg-satellite" {
  count = var.enabled == true ? 1 : 0

  name                = "${var.name_suffix}-${var.vnet_hub}"
  location            = var.location
  resource_group_name = var.resource_group_name

  dynamic "security_rule" {
    for_each = var.hub_sg_default
    content {
      name                          = security_rule.value.rule_name
      priority                      = security_rule.value.priority
      direction                     = security_rule.value.direction
      access                        = security_rule.value.access
      protocol                      = security_rule.value.protocol
      source_port_range             = security_rule.value.source_port_range
      destination_port_range        = security_rule.value.destination_port_range
      source_address_prefix         = security_rule.value.source_address_prefix == "" ? null : security_rule.value.source_address_prefix
      source_address_prefixes       = security_rule.value.source_address_prefixes == [""] ? null : security_rule.value.source_address_prefixes
      destination_address_prefix    = security_rule.value.destination_address_prefix == "" ? null : security_rule.value.destination_address_prefix
      destination_address_prefixes  = security_rule.value.destination_address_prefixes == [""] ? null : security_rule.value.destination_address_prefixes
    }
  }
}

The NSG rules variable is set up as follows:

variable "hub_sg_default" {
  default = [
    {
      rule_name                       = "Allow-ICMP-in"
      priority                        = 100
      direction                       = "Inbound"
      access                          = "Allow"
      protocol                        = "ICMP"
      source_port_range               = "*"
      destination_port_range          = "*"
      source_address_prefix           = ""
      source_address_prefixes         = ["1.1.1.0/12","2.2.2.2/16","3.3.3.3/23"]
      destination_address_prefix      = "VirtualNetwork"
      destination_address_prefixes    = [""]
    },
    {
      rule_name                       = "Allow-RDP-in"
      priority                        = 200
      direction                       = "Inbound"
      access                          = "Allow"
      protocol                        = "TCP"
      source_port_range               = "*"
      destination_port_range          = "3389"
      source_address_prefix           = ""
      source_address_prefixes         = ["1.1.1.0/12","2.2.2.2/16","3.3.3.3/23"]
      destination_address_prefix      = "VirtualNetwork"
      destination_address_prefixes    = [""]
    }
  ]
}

Expected Behaviour

Create Network Security Group with the following Security Rules. That is what the plan states it is going to do.

Actual Behaviour

Error: Error Building list of Network Security Group Rules: 1 error occurred:
    * only one of "source_address_prefix" and "source_address_prefixes" can be used per security rule

  on .terraform/modules/cyberlabs-eu-hub/modules/local/security-groups/nsg.tf line 16, in resource "azurerm_network_security_group" "nsg-satellite":
  16: resource "azurerm_network_security_group" "nsg-satellite" {

Error: Error Building list of Network Security Group Rules: 1 error occurred:
    * only one of "source_address_prefix" and "source_address_prefixes" can be used per security rule

  on .terraform/modules/cyberlabs-us-hub/modules/local/security-groups/nsg.tf line 16, in resource "azurerm_network_security_group" "nsg-satellite":
  16: resource "azurerm_network_security_group" "nsg-satellite" {

Steps to Reproduce

  1. Create variable block
  2. Create Network Security Group using dynamic security_rules
  3. Terraform Apply

Important Factoids

Deploying from modules.

References

Where Error originates: https://github.com/terraform-providers/terraform-provider-azurerm/blob/76a112f5c206835e0b945305022112ffe8e939de/azurerm/internal/services/network/network_security_group_resource.go#L494-L497

I've noticed this doesn't have the same error for destination_address_prefixes and destination_address_prefix even though they are identical in the source code.

LaurentLesle commented 2 years ago

Have you tried replacing [""] with [] when the optional attributes are empty? Ref: https://www.terraform.io/language/attr-as-blocks

rcskosir commented 1 year ago

Thanks for opening this issue. This was a problem in the 2.x version of the provider which is no longer actively maintained. If this is still an issue with the 3.x version of the provider please do let us know by opening a new issue, thanks!
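
A pre-apply check for the constraint named in the error message above, as an added example that is not part of the issue thread or the provider's code: it treats None, "", [] and [""] as unset and reports every rule where a prefix pair has both or neither member set. The function names and the two constructed rules are assumptions made for illustration.

```python
# Singular/plural argument pairs of which a security rule may use only one.
PAIRS = [
    ("source_address_prefix", "source_address_prefixes"),
    ("destination_address_prefix", "destination_address_prefixes"),
]


def is_set(value):
    """None, "", [] and [""] (the placeholders used in the issue) count as unset."""
    if value is None:
        return False
    if isinstance(value, str):
        return bool(value.strip())
    return any(isinstance(v, str) and v.strip() for v in value)


def check_rules(rules):
    """Return (rule_name, message) for each pair that is not exactly-one-set."""
    problems = []
    for rule in rules:
        name = rule.get("rule_name", "<unnamed>")
        for single, plural in PAIRS:
            s, p = is_set(rule.get(single)), is_set(rule.get(plural))
            if s and p:
                problems.append((name, f"both {single} and {plural} are set"))
            elif not (s or p):
                problems.append((name, f"neither {single} nor {plural} is set"))
    return problems


def rule(name, src, srcs, dst, dsts):
    """Build a rule dict shaped like one entry of hub_sg_default (hypothetical helper)."""
    return {"rule_name": name,
            "source_address_prefix": src, "source_address_prefixes": srcs,
            "destination_address_prefix": dst, "destination_address_prefixes": dsts}


CIDRS = ["1.1.1.0/12", "2.2.2.2/16", "3.3.3.3/23"]
# The first two rules mirror hub_sg_default from the issue; the last two are constructed.
RULES = [
    rule("Allow-ICMP-in", "", CIDRS, "VirtualNetwork", [""]),
    rule("Allow-RDP-in", "", CIDRS, "VirtualNetwork", [""]),
    rule("constructed-both", "Internet", CIDRS, "VirtualNetwork", []),
    rule("constructed-neither", None, [""], "VirtualNetwork", None),
]

if __name__ == "__main__":
    for name, message in check_rules(RULES):
        print(f"{name}: {message}")
```
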
