Unable to create subnet due to Azure policy deny subnet with NSG, need NSG parameter  #16952

@RN00007

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I am using Terraform to deploy an Azure vnet, subnets and NSG. If an Azure policy has "deny subnet with NSG" set in the Azure Tenant\management group, then "azurerm_subnet" won't work, because there is no NSG parameter in the resource "azurerm_subnet" in Terraform.

Recently in our organization, a new Azure security policy was applied: "deny subnet with NSG". This policy does not allow a subnet to be created unless the NSG is linked to it at the time of creation. This is our security requirement: to connect the subnet to an existing NSG when the Subnet is created.

Due to this policy all of the existing Terraform code is broken.

Is there any way or option whereby I can link the NSG at the Subnet creation level? I do not want to revert the code to an ARM template, which would fix it.

My sample code looks like the below, which uses azurerm_subnet_network_security_group_association:

```hcl
#Create a new subnet
# Resource and variable names made consistent (our_subnets) so the
# association below resolves; the original mixed totalsubnets/csubnets/our_subnets.
resource "azurerm_subnet" "our_subnets" {
  count                = length(var.our_subnets)
  name                 = lookup(var.our_subnets[count.index], "name")
  resource_group_name  = azurerm_resource_group.our_rg.name
  virtual_network_name = azurerm_virtual_network.our_vnet.name
  address_prefixes     = [lookup(var.our_subnets[count.index], "address_prefix")]
  service_endpoints    = var.service_endpoints
}
```

```hcl
#Create a new nsg
resource "azurerm_network_security_group" "nsgs" {
  count               = length(var.our_subnets)
  name                = "${var.ourvnet["name"]}-nsg-${lookup(var.our_subnets[count.index], "name")}"
  location            = azurerm_resource_group.our_rg.location
  resource_group_name = azurerm_resource_group.our_rg.name
}
```

```hcl
#Associate the NSG to the Subnet
resource "azurerm_subnet_network_security_group_association" "nsg_associations" {
  count                     = length(var.our_subnets)
  subnet_id                 = azurerm_subnet.our_subnets[count.index].id
  network_security_group_id = azurerm_network_security_group.nsgs[count.index].id

  depends_on = [azurerm_network_security_group.nsgs, azurerm_subnet.our_subnets]
}
```

New or Affected Resource(s)/Data Source(s)

resource "azurerm_subnet"

Potential Terraform Configuration

```hcl
resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  azurerm_subnet_network_security_group_association = nsg_config_variable   # <==== This is needed
}
```

References

No response
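One way to hand the NSG id to Azure in the same request that creates the subnet, as an added example that is not from this issue or from the provider's own docs: declare the subnets inline in azurerm_virtual_network, whose subnet block accepts a security_group argument (assumed here for azurerm provider 3.x, where that block takes address_prefix and security_group). The variable names, the resource group azurerm_resource_group.our_rg and the NSG naming are assumptions.

```hcl
# Added example: inline subnets carry their NSG id in the request that
# creates them, so a policy that rejects subnets created without an NSG
# sees the reference at creation time. Assumes azurerm provider 3.x.
# Variable and resource names are assumptions, not the issue author's.

variable "our_subnets" {
  type = list(object({ name = string, address_prefix = string }))
  default = [
    { name = "app", address_prefix = "10.0.1.0/24" },
    { name = "db",  address_prefix = "10.0.2.0/24" },
  ]
}

# NSGs are created first so their ids exist when the VNet is created.
# The NSG name must not reference the VNet, or Terraform reports a cycle.
resource "azurerm_network_security_group" "nsgs" {
  count               = length(var.our_subnets)
  name                = "our-vnet-nsg-${var.our_subnets[count.index].name}"
  location            = azurerm_resource_group.our_rg.location
  resource_group_name = azurerm_resource_group.our_rg.name
}

resource "azurerm_virtual_network" "our_vnet" {
  name                = "our-vnet"
  location            = azurerm_resource_group.our_rg.location
  resource_group_name = azurerm_resource_group.our_rg.name
  address_space       = ["10.0.0.0/16"]

  # One inline subnet per entry; security_group is set at creation time,
  # so no separate azurerm_subnet_network_security_group_association is needed.
  dynamic "subnet" {
    for_each = { for i, s in var.our_subnets : s.name => merge(s, { idx = i }) }
    content {
      name           = subnet.value.name
      address_prefix = subnet.value.address_prefix
      security_group = azurerm_network_security_group.nsgs[subnet.value.idx].id
    }
  }
}

# Subnet ids for downstream resources (NICs, private endpoints), keyed by name.
output "subnet_ids" {
  value = { for s in azurerm_virtual_network.our_vnet.subnet : s.name => s.id }
}
```

Inline subnet blocks and standalone azurerm_subnet resources must not be mixed on the same VNet, since each will try to remove the other's subnets on the next apply. Whether this satisfies the tenant policy depends on the policy rule evaluating the subnet's NSG reference at creation, which is what the issue describes.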
