Terraform-provider-azurerm: NSG rule conflicts for prefix and prefixes, but does not ignore empty values

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7
+ provider.azurerm v1.13.0

Affected Resource(s)

• azurerm_network_security_rule

Terraform Configuration Files

resource "azurerm_network_security_rule" "custom_rules" {
  count                        = "${length(var.custom_rules)}"
  name                         = "${lookup(var.custom_rules[count.index], "name", "default_rule_name")}"
  priority                     = "${lookup(var.custom_rules[count.index], "priority")}"
  direction                    = "${lookup(var.custom_rules[count.index], "direction", "Any")}"
  access                       = "${lookup(var.custom_rules[count.index], "access", "Allow")}"
  protocol                     = "${lookup(var.custom_rules[count.index], "protocol", "*")}"
  source_port_ranges           = "${split(",", replace(  "${lookup(var.custom_rules[count.index], "source_port_range", "*" )}"  ,  "*" , "0-65535" ) )}"
  destination_port_ranges      = "${split(",", replace(  "${lookup(var.custom_rules[count.index], "destination_port_range", "*" )}"  ,  "*" , "0-65535" ) )}"
  source_address_prefixes      = "${compact(split(",", lookup(var.custom_rules[count.index], "source_address_prefixes","")))}"
  source_address_prefix        = "${lookup(var.custom_rules[count.index], "source_address_prefix", "")}"
  destination_address_prefixes = "${compact(split(",", lookup(var.custom_rules[count.index], "destination_address_prefixes","")))}"
  destination_address_prefix   = "${lookup(var.custom_rules[count.index], "destination_address_prefix", "")}"
  description                  = "${lookup(var.custom_rules[count.index], "description", "Security rule for ${lookup(var.custom_rules[count.index], "name", "default_rule_name")}")}"
  resource_group_name          = "${var.resource_group_name}"
  network_security_group_name  = "${azurerm_network_security_group.nsg.name}"
}

Expected Behavior

If only one of prefix or prefixes for source or destination is not empty, then Terraform shouldn't detect a conflict.

Actual Behavior

I'm using this in a module, and when say prefixes is empty, it still conflicts.

so if the following is set in the map based on the code above:

source_address_prefix = "*"

I get these errors:

Error: module.nsg0.azurerm_network_security_rule.custom_rules[1]: "source_address_prefix": conflicts with source_address_prefixes ([]interface {}(nil))

Error: module.nsg0.azurerm_network_security_rule.custom_rules[1]: "source_address_prefixes": conflicts with source_address_prefix ("*")

I think a relevant code example is here:
https://github.com/terraform-providers/terraform-provider-azurerm/blob/7f21ce6f8bfe0aadd26be28f998d879b4704614f/azurerm/resource_arm_network_security_rule.go#L88-L94

Whereas, when the rules specified within the NSG creation itself, it does not specify conflicts. The azurerm_network_security_group resource with rules specified appears to take a different approach. It checks if the values are empty, and manually checks for conflicts later.

https://github.com/terraform-providers/terraform-provider-azurerm/blob/7f21ce6f8bfe0aadd26be28f998d879b4704614f/azurerm/resource_arm_network_security_group.go#L93-L98

https://github.com/terraform-providers/terraform-provider-azurerm/blob/7f21ce6f8bfe0aadd26be28f998d879b4704614f/azurerm/resource_arm_network_security_group.go#L471-L474