Issue with NSG Rules Not Being Removed When nsg_rule_names is Empty #10

Open
satenderrathee opened this issue Feb 3, 2025 · 0 comments
Labels
bug Something isn't working

satenderrathee commented Feb 3, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description:

There is an issue with the NSG module where security rules are not being removed when nsg_rule_names is set to an empty list. This behavior is inconsistent with the initial creation of NSG rules, where no rules are added if nsg_rule_names is empty.

Terraform Version

1.9.4

AzureRM Provider Version

3.117.0

Affected Resource(s)/Data Source(s)

azurerm_network_security_group

Terraform Configuration Files

vnet_name     = "example-vnet"
address_space = ["10.0.0.0/16"]
subnets = {
  subnet1 = {
    name                                          = "subnet-test-inbound"
    address_prefixes                              = ["10.0.1.0/24"]
    default_outbound_access_enabled               = true
    private_endpoint_network_policies             = "Disabled"
    private_link_service_network_policies_enabled = true
    service_endpoints                             = ["Microsoft.Storage", "Microsoft.KeyVault"]
    nsg_rule_names                                = ["allow_http", "allow_ssh"]
    # nsg_rule_names = []
  }
}

nsg_rules = {
  allow_ssh = {
    name                       = "allow_ssh"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
  allow_http = {
    name                       = "allow_http"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

Debug Output/Panic Output

No changes. Your infrastructure matches the configuration.

Expected Behaviour

The NSG rules should be removed when nsg_rule_names is set to an empty list.

Actual Behaviour

The NSG rules are not removed when nsg_rule_names is set to an empty list.

Initial Behavior

When nsg_rule_names is initially set to an empty list, no NSG rules are added, which works as expected.

Steps to Reproduce

1. Define a subnet with nsg_rule_names containing some rules.
2. Apply the Terraform configuration to create the NSG and rules.
3. Update the subnet to set nsg_rule_names to an empty list.
4. Apply the Terraform configuration again.

Important Factoids

No response

References

No response

@satenderrathee added the "bug" label Feb 3, 2025
@satenderrathee changed the title from "[BUG] Issue with NSG Rules Not Being Removed When nsg_rule_names is Empty" to "Issue with NSG Rules Not Being Removed When nsg_rule_names is Empty" Feb 3, 2025
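An added check, not part of the issue or the module's own code: since the plan in this state reports "No changes", leftover rules only show up when the live NSG is compared against nsg_rule_names directly. The JSON below is a constructed sample in the shape of `az network nsg show -o json` output, and `stale_rules`, `OPEN_SOURCES` and the NSG name `example-nsg` are hypothetical names chosen for this example.

```python
import json

# Constructed sample in the shape of `az network nsg show -o json` output:
# both rules from the issue are still present on the live NSG.
LIVE_NSG_JSON = """
{"name": "example-nsg", "securityRules": [
  {"name": "allow_ssh", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRange": "22",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
  {"name": "allow_http", "priority": 200, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRange": "80",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": []}
]}
"""

# Source values that mean "reachable from anywhere" (compared case-insensitively).
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}


def stale_rules(live_nsg, nsg_rule_names):
    """Return live custom rules whose names are not in nsg_rule_names.

    Hypothetical helper: an empty nsg_rule_names means every custom rule
    still on the NSG is stale, which is the state the issue describes.
    """
    wanted = set(nsg_rule_names)
    findings = []
    for rule in live_nsg.get("securityRules") or []:
        if rule["name"] in wanted:
            continue
        sources = [rule.get("sourceAddressPrefix")]
        sources += rule.get("sourceAddressPrefixes") or []
        exposed = (
            rule.get("direction") == "Inbound"
            and rule.get("access") == "Allow"
            and any(s and s.lower() in OPEN_SOURCES for s in sources)
        )
        findings.append({
            "name": rule["name"],
            "priority": rule.get("priority"),
            "port": rule.get("destinationPortRange"),
            "internet_exposed": exposed,
        })
    return sorted(findings, key=lambda f: f["priority"] or 0)


if __name__ == "__main__":
    for finding in stale_rules(json.loads(LIVE_NSG_JSON), nsg_rule_names=[]):
        print("STALE", finding)
```

Run after each apply with the subnet's current nsg_rule_names; any finding with `internet_exposed` set is an inbound allow rule that the configuration no longer asks for.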