azure_security_group_rule

Creates a new network Security Group Rule to be associated with a number of given Security Groups.

~> NOTE on Security Group Rules: for usability purposes; Terraform allows the addition of a single Security Group Rule to multiple Security Groups, despite it having to define each rule individually per Security Group on Azure. As a result; in the event that one of the Rules on one of the Groups is modified by external factors, Terraform cannot reason as to whether or not that change should be propagated to the others; let alone choose one changed Rule configuration over another in case of a conflic. As such; terraform refresh only checks that the rule is still defined for each of the specified security_group_names; ignoring the actual parameters of the Rule and not updating the state with regards to them.

Example Usage

resource "azure_security_group" "web" {
    ...
}

resource "azure_security_group" "apps" {
    ...
}

resource "azure_security_group_rule" "ssh_access" {
    name = "ssh-access-rule"
    security_group_names = ["${azure_security_group.web.name}", "${azure_security_group.apps.name}"]
    type = "Inbound"
    action = "Allow"
    priority = 200
    source_address_prefix = "100.0.0.0/32"
    source_port_range = "*"
    destination_address_prefix = "10.0.0.0/32"
    destination_port_range = "22"
    protocol = "TCP"
}

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the security group rule.

  • security_group_names - (Required) A list of the names of the security groups the rule should be applied to. Changing this list forces the creation of a new resource.

  • type - (Required) The type of the security rule. Valid options are: Inbound and Outbound.

  • priority - (Required) The priority of the network security rule. Rules with lower priority are evaluated first. This value can be between 100 and 4096.

  • action - (Optional) The action that is performed when the security rule is matched. Valid options are: Allow and Deny.

  • source_address_prefix - (Required) The address prefix of packet sources that that should be subjected to the rule. An asterisk (*) can also be used to match all source IPs.

  • source_port_range - (Required) The source port or range. This value can be between 0 and 65535. An asterisk (*) can also be used to match all ports.

  • destination_address_prefix - (Required) The address prefix of packet destinations that should be subjected to the rule. An asterisk (*) can also be used to match all destination IPs.

  • destination_port_range - (Required) The destination port or range. This value can be between 0 and 65535. An asterisk (*) can also be used to match all ports.

  • protocol - (Optional) The protocol of the security rule. Valid options are: TCP, UDP and *.

The following attributes are exported:

  • id - The security group rule ID. Coincides with its given name.