Merge pull request #10 from schubergphilis/security_rule_defaults

bug: Security rule defaults

README.md

@@ -32,6 +32,7 @@ No modules.
 | [azurerm_network_security_rule.additional](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
 | [azurerm_network_security_rule.azbastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
 | [azurerm_network_security_rule.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
+| [azurerm_network_security_rule.simple](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
 | [azurerm_private_dns_zone.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
 | [azurerm_private_dns_zone_virtual_network_link.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
 | [azurerm_public_ip.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |

locals.tf

@@ -53,6 +53,31 @@ locals {
     ]
   ])
 
+  nsg_with_default_security_rules = flatten([
+    for subnet_key, subnet in local.subnets_with_nsg_azure_default : [
+      for rule_key, rule in local.preprocessed_security_rules : {
+        subnet_key                                 = subnet_key
+        name                                       = rule_key
+        description                                = rule.description
+        priority                                   = rule.priority
+        direction                                  = rule.direction
+        access                                     = rule.access
+        protocol                                   = rule.protocol
+        source_port_range                          = rule.source_port_range
+        source_port_ranges                         = rule.source_port_ranges
+        destination_port_range                     = rule.destination_port_range
+        destination_port_ranges                    = rule.destination_port_ranges
+        source_address_prefix                      = rule.source_address_prefix
+        source_address_prefixes                    = rule.source_address_prefixes
+        source_application_security_group_ids      = rule.source_application_security_group_ids
+        destination_address_prefix                 = rule.destination_address_prefix
+        destination_address_prefixes               = rule.destination_address_prefixes
+        destination_application_security_group_ids = rule.destination_application_security_group_ids
+        timeouts                                   = rule.timeouts
+      }
+    ]
+  ])
+
   azure_bastion_with_rules = flatten([
     for subnet_key, subnet in local.azure_bastion_subnet : [
       for rule_key, rule in local.azure_bastion_rules_map : {

security.tf

@@ -12,7 +12,7 @@ resource "azurerm_network_security_group" "this" {
 }
 
 resource "azurerm_network_security_rule" "default" {
-  for_each = var.default_rules
+  for_each = local.security_rules
 
   name                        = each.value.name
   priority                    = each.value.priority
@@ -52,6 +52,44 @@ resource "azurerm_network_security_group" "simple" {
   )
 }
 
+resource "azurerm_network_security_rule" "simple" {
+  for_each = {
+    for item, rule in local.nsg_with_default_security_rules : lower("${rule.subnet_key}_${rule.priority}_${rule.access}_${rule.direction}") => rule
+  }
+
+  access                                     = each.value.access
+  direction                                  = each.value.direction
+  name                                       = each.value.name
+  network_security_group_name                = azurerm_network_security_group.additional[each.value.subnet_key].name
+  priority                                   = each.value.priority
+  protocol                                   = each.value.protocol
+  resource_group_name                        = azurerm_network_security_group.this.resource_group_name
+  description                                = each.value.description
+  destination_address_prefix                 = each.value.destination_address_prefix
+  destination_address_prefixes               = each.value.destination_address_prefixes
+  destination_application_security_group_ids = each.value.destination_application_security_group_ids
+  destination_port_range                     = each.value.destination_port_range
+  destination_port_ranges                    = each.value.destination_port_ranges
+  source_address_prefix                      = each.value.source_address_prefix
+  source_address_prefixes                    = each.value.source_address_prefixes
+  source_application_security_group_ids      = each.value.source_application_security_group_ids
+  source_port_range                          = each.value.source_port_range
+  source_port_ranges                         = each.value.source_port_ranges
+
+  dynamic "timeouts" {
+    for_each = each.value.timeouts == null ? [] : [each.value.timeouts]
+    content {
+      create = timeouts.value.create
+      delete = timeouts.value.delete
+      read   = timeouts.value.read
+      update = timeouts.value.update
+    }
+  }
+
+  # Do not remove this `depends_on` block. It is required to ensure the NSG is created before the rule.
+  depends_on = [azurerm_network_security_group.simple]
+}
+
 resource "azurerm_subnet_network_security_group_association" "simple" {
   for_each = {
     for key, subnet in local.subnets_with_nsg_azure_default : key => subnet