I need to set up multiple security rules for Azure resources.

On AWS, I could just do multiple ingress:

    resource "aws_security_group" "mygroup" {
      name = "mygroup"

      ingress {
        description = "allow all on ssh port"
        from_port   = var.ssh
        to_port     = var.ssh
        protocol    = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        description = "public port"
        from_port   = var.public
        to_port     = var.public
        protocol    = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        description = "restricted"
        from_port   = var.restricted
        to_port     = var.restricted
        protocol    = "tcp"
        cidr_blocks = ["<restricted-ip>/32"]
      }
    }

But I do not know how to do this on Azure.

As far as I can see azurerm_network_security_group allows only one security_rule (is this correct?).

Maybe I would be able to create multiple azurerm_network_interface_security_group_association for the same network_interface_id but different network_security_group_id?

1 Answer

You use an azurerm_network_security_rule resource per rule you add as follows: (example quoted from azurerm_network_security_rule resource docs)

resource "azurerm_network_security_group" "example" {
  name                = "acceptanceTestSecurityGroup1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_network_security_rule" "example" {
  name                        = "test123"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

Technically, you can define them inline, but you shouldn't, as it makes it impossible for other modules to add security group rules if needed. This happens pretty often in practice in my experience, so please don't use inline rules; use separate resources. Your colleagues, including your future self, will thank you.
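The question's three AWS ingress rules translated to one azurerm_network_security_rule per rule, as an added example (not the answerer's code and not from the azurerm docs); it assumes the question's var.ssh, var.public and var.restricted variables and an azurerm_resource_group.example, azurerm_network_security_group.example and azurerm_network_interface.example declared elsewhere.

```hcl
# Constructed example: each map entry becomes one standalone NSG rule resource,
# so other modules can still add their own rules to the same NSG later.
locals {
  inbound_rules = {
    ssh = {
      priority = 100
      port     = var.ssh
      source   = "*"                 # any source, as in the question's 0.0.0.0/0
    }
    public = {
      priority = 110
      port     = var.public
      source   = "*"
    }
    restricted = {
      priority = 120
      port     = var.restricted
      source   = "<restricted-ip>/32" # placeholder kept from the question
    }
  }
}

resource "azurerm_network_security_rule" "inbound" {
  for_each = local.inbound_rules

  name                        = "allow-${each.key}"
  priority                    = each.value.priority # unique per direction within the NSG, 100-4096
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = tostring(each.value.port)
  source_address_prefix       = each.value.source
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

# A NIC can be associated with only one NSG, so all rules go into that single
# NSG rather than into several NSGs attached to the same interface.
resource "azurerm_network_interface_security_group_association" "example" {
  network_interface_id      = azurerm_network_interface.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}
```

Traffic not matched by any of these rules falls through to the NSG's built-in DenyAllInbound default rule, which is why each rule only needs to allow its own port and source.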