Support for setting nsg association when creating azurerm_subnet #11187

Closed
sturwin opened this issue Apr 1, 2021 · 4 comments

Comments

@sturwin

sturwin commented Apr 1, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please can we add the security_group or security_group_id field back into azurerm_subnet. Using azurerm_subnet_network_security_group_association is nice, but it doesn't work when the client has a security policy in place which denies the creation of a subnet without an associated NSG.

You can create the association if you use the "subnet" block in a azurerm_virtual_network, so why not have it as an option on azurerm_subnet?

Thanks!

New or Affected Resource(s)

  • azurerm_subnet

Potential Terraform Configuration

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  security_group = azurerm_network_security_group.example.id

  delegation {
    name = "delegation"

    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
    }
  }
}

References

  • #0000
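For comparison with the proposed inline `security_group` field above, here is the pattern the provider currently supports: the subnet and the NSG are declared separately and joined by the `azurerm_subnet_network_security_group_association` resource. This is an added illustration, not configuration from the issue author or from the provider's documentation; the resource group, network, subnet and NSG names are assumed.

```hcl
# Added example (not from the issue or the provider docs). All names are assumed.
resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# The subnet carries no NSG reference of its own; the attachment happens below.
resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Explicit deny of inbound traffic from the Internet service tag. Allow rules
  # for specific services can be added with lower priority numbers (higher
  # precedence) without touching this catch-all.
  security_rule {
    name                       = "deny-inbound-internet"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# The association is its own resource, so the NSG is attached only after the
# subnet and the NSG both exist. An Azure Policy that denies creating a subnet
# without an NSG evaluates the subnet request before this resource runs, which
# is exactly the conflict described in this issue.
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}
```

With this layout Terraform creates the subnet first and attaches the NSG in a second API call; a deny-effect policy on unassociated subnets therefore rejects the first call. Keeping the NSG and the association in the same module as the subnet at least guarantees the attachment is applied in the same run, so a subnet is never left unprotected once the apply completes.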
@tjcorr
Contributor

tjcorr commented Jun 11, 2021

I've run into this exact same scenario where Azure Policy prevents you from separating out creating NSGs from the subnets. I looked back in the history and saw that this was once possible but was deprecated (see #1933) several years back. I'm thinking the only option here would be to allow you to either specify NSGs within the subnet or as a separate association resource. If you used both, bad things would happen. This would match how subnets can be either standalone or part of a vnet but not both. Before I go ahead and code that up, does anyone have any objections or better suggestions?

@tjcorr
Contributor

tjcorr commented Jun 11, 2021

@tombuildsstuff I think you were the one who originally implemented all these changes. Care to weigh in?

@tombuildsstuff
Member

hi @sturwin

As @tj-corrigan has mentioned, this field has been intentionally removed in #3054 to work around issues within the Azure Platform during the deletion of resources; as such this field has been intentionally removed and isn't something we plan to reintroduce.

Instead, #9022 is tracking adding an example of how to use Azure Policy with the separate resources, which'll fix this Azure Policy issue. As such, whilst I'd like to thank you for opening this issue, I'm going to close this in favour of #9022. Would you mind subscribing to that issue for updates?

Thanks!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 15, 2021