Extra Validation for the Network Security Rule #1611

Open
tombuildsstuff opened this issue Jul 19, 2018 · 3 comments

@tombuildsstuff

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Affected Resource(s)

  • azurerm_network_security_rule

Terraform Configuration Files

resource "azurerm_resource_group" "test" {
  name     = "tom-nsgtest"
  location = "West Europe"
}

resource "azurerm_network_security_group" "test" {
  name                = "tom-nsgdev"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"

  tags {
    "Hello" = "World"
  }

  security_rule {
    name                       = "ldap"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["636", "389"]
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

Expected Behavior

Terraform should detect the destination_port_ranges field as invalid

Actual Behavior

Terraform doesn't detect the destination_port_ranges field as invalid and fails with the following API error:

* azurerm_network_security_group.ldap_nsg: Error creating/updating NSG "smenatest_nsg" (Resource Group "smenatest"): network.SecurityGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="SecurityRuleInvalidPortRange" Message="Security rule has invalid Port range. Value provided: 636, 389. Value should be an integer OR integer range with '-' delimiter. Valid range 0-65535." Details=[]

Steps to Reproduce

  1. terraform apply

References

@rerime

rerime commented Dec 22, 2019

@tombuildsstuff
Still doesn't work in Terraform 0.12, azurerm provider 1.39.0
Code="SecurityRuleInvalidPortRange" Message="Security rule has invalid Port range. Value provided: 80,443. Value should be an integer OR integer range with '-' delimiter.

@danmanrique

I would not consider this an enhancement, but a feature defect. The provider allows single and multiple values, for example: 80,443,8888-8889 in the field. Any ETA on a resolution, as I am having this issue as well?

@Haratsu

Haratsu commented May 29, 2022

According to portal.azure.com you can also provide a comma-separated list as port range:
[image: grafik]

Also, the ARM template documentation indicates that a list of strings representing a port can be used, which I did not yet have time to test. https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=json

This is natively being used when setting up rules for bastion subnets, where ports 8080 and 5701 are grouped in a single rule, so there should be a way to set it up. cmp: https://github.com/microsoft/azure-docs/blob/master/articles/bastion/media/bastion-nsg/inbound.png
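
One way a plan-time check could enforce the format stated in the API error quoted in this issue, sketched in Go. This is an added example, not the azurerm provider's code: the function names are hypothetical, and accepting "*" and rejecting a reversed range are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// validatePortOrRange checks one list element against the format in the API
// error on this page: an integer, or an integer range with '-', within 0-65535.
// Assumptions (not from the page): "*" is accepted; START > END is rejected.
func validatePortOrRange(v string) error {
	if v == "*" {
		return nil
	}
	// SplitN keeps "1-2-3" as ["1", "2-3"], so the second part fails to parse.
	parts := strings.SplitN(v, "-", 2)
	var bounds [2]uint64
	for i, p := range parts {
		// ParseUint rejects signs, spaces, commas and ""; bitSize 16 caps at 65535.
		n, err := strconv.ParseUint(p, 10, 16)
		if err != nil {
			return fmt.Errorf("%q: %q is not an integer in 0-65535", v, p)
		}
		bounds[i] = n
	}
	if len(parts) == 2 && bounds[0] > bounds[1] {
		return fmt.Errorf("%q: range start is greater than range end", v)
	}
	return nil
}

// validatePortRanges checks every element and returns all problems found.
func validatePortRanges(values []string) []error {
	var errs []error
	for i, v := range values {
		if err := validatePortOrRange(v); err != nil {
			errs = append(errs, fmt.Errorf("element %d: %w", i, err))
		}
	}
	return errs
}

func main() {
	// Constructed inputs; the first mirrors the "Value provided" text in the error.
	for _, in := range [][]string{{"636, 389"}, {"636", "389"}, {"80", "443", "8888-8889"}} {
		fmt.Printf("%q -> %v\n", in, validatePortRanges(in))
	}
}
```

A single element holding "636, 389" or "80,443" is rejected before any request is sent, while the same ports as separate list elements pass.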
