
Terraform and Azure: Problems with association between NetworkSecurityGroups and Subnets


While applying my terraform script, I'm getting the following error:

╷
│ Error: A resource with the ID "/subscriptions/***/resourceGroups/rg-subnet-test/providers/Microsoft.Network/virtualNetworks/subnet-test-vnet/subnets/subnet-test-subnet" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_subnet_network_security_group_association" for more information.
│
│   with azurerm_subnet_network_security_group_association.association1,
│   on main.tf line 47, in resource "azurerm_subnet_network_security_group_association" "association1":
│   47: resource "azurerm_subnet_network_security_group_association" "association1" {
│
╵

This is my script:

# Resource group that holds every resource in this script
resource "azurerm_resource_group" "rg_subnet_test" {
  name     = "rg-subnet-test"
  location = "germanywestcentral"
}

# Virtual network. Its whole address space is a single /24, so the one
# /24 subnet declared below consumes it entirely (no room for a second subnet).
resource "azurerm_virtual_network" "vnet_subnet_test" {
  name                = "subnet-test-vnet"
  resource_group_name = azurerm_resource_group.rg_subnet_test.name
  location            = azurerm_resource_group.rg_subnet_test.location
  address_space       = ["10.100.2.0/24"]
}

# The single subnet; it takes the VNET's complete 10.100.2.0/24 range.
# Both NSG associations below point at this one subnet.
resource "azurerm_subnet" "subnet_germany" {
  name                 = "subnet-test-subnet"
  virtual_network_name = azurerm_virtual_network.vnet_subnet_test.name
  resource_group_name  = azurerm_virtual_network.vnet_subnet_test.resource_group_name
  address_prefixes     = ["10.100.2.0/24"]
}

# First NSG. No security_rule blocks are declared, so the group carries only
# Azure's built-in default rules (inbound: VNet and Azure load balancer
# allowed, everything else denied; outbound: VNet and Internet allowed)
# until explicit rules are added.
resource "azurerm_network_security_group" "app_server_nsg_1" {
  name                = "subnet-test-nsg-1"
  resource_group_name = azurerm_resource_group.rg_subnet_test.name
  location            = azurerm_resource_group.rg_subnet_test.location
}

# Second NSG. Like the first one it has no security_rule blocks, so only
# Azure's default rules apply until explicit rules are added.
resource "azurerm_network_security_group" "app_server_nsg_2" {
  name                = "subnet-test-nsg-2"
  resource_group_name = azurerm_resource_group.rg_subnet_test.name
  location            = azurerm_resource_group.rg_subnet_test.location
}

# Attaches NSG 1 to the subnet. Azure permits exactly one NSG per subnet,
# and this association resource uses the subnet ID as its own Terraform ID.
resource "azurerm_subnet_network_security_group_association" "association1" {
  network_security_group_id = azurerm_network_security_group.app_server_nsg_1.id
  subnet_id                 = azurerm_subnet.subnet_germany.id
}

# Attaches NSG 2 to the SAME subnet as association1. Because the association's
# ID is the subnet ID, this collides with association1 — which is what the
# "already exists ... needs to be imported" error above is reporting; nothing is
# actually trying to create the subnet a second time.
resource "azurerm_subnet_network_security_group_association" "association2" {
  network_security_group_id = azurerm_network_security_group.app_server_nsg_2.id
  subnet_id                 = azurerm_subnet.subnet_germany.id
}

I don't understand the error, because the subnet is only declared once in this script. Why does the second association report that the subnet "already exists" and needs to be imported? What am I doing wrong here?


Solution

  • The problem was that I was associating two Network Security Groups with the same subnet. Azure allows at most one NSG per subnet (and one per NIC), and `azurerm_subnet_network_security_group_association` uses the subnet ID as its own resource ID — so the second association collides with the first, and the provider reports this as "a resource with the ID … already exists", even though nothing is creating the subnet twice. The import hint in the error message is a red herring here. You therefore need one subnet per NSG (as shown below); alternatives are to put all required rules into a single NSG (rules are evaluated by priority, so one group can hold both rule sets) or to attach the second NSG at the NIC level with `azurerm_network_interface_security_group_association`. Keep in mind that a subnet NSG only filters traffic for resources deployed in that subnet, so each workload has to be placed in the subnet whose NSG is meant to govern it.

    A corrected version of the code from my question is below (note the VNET address space widened from 10.100.2.0/24 to 10.100.0.0/16 — the original /24 was fully consumed by the single subnet, leaving no room for a second one — and the additional subnet 10.100.3.0/24):

    # Resource group that holds every resource in this script
    resource "azurerm_resource_group" "rg_subnet_test" {
      name     = "rg-subnet-test"
      location = "germanywestcentral"
    }
    
    # Virtual network. The address space is a /16 so that two separate /24
    # subnets (one per NSG) fit inside it.
    resource "azurerm_virtual_network" "vnet_subnet_test" {
      name                = "subnet-test-vnet"
      resource_group_name = azurerm_resource_group.rg_subnet_test.name
      location            = azurerm_resource_group.rg_subnet_test.location
      address_space       = ["10.100.0.0/16"]
    }
    
    # Subnet 1 — the subnet that NSG 1 will be attached to. Resources that
    # should be governed by NSG 1 must be placed here.
    resource "azurerm_subnet" "subnet1" {
      name                 = "subnet-test-subnet1"
      virtual_network_name = azurerm_virtual_network.vnet_subnet_test.name
      resource_group_name  = azurerm_virtual_network.vnet_subnet_test.resource_group_name
      address_prefixes     = ["10.100.2.0/24"]
    }
    
    # Subnet 2 — the subnet that NSG 2 will be attached to. Resources that
    # should be governed by NSG 2 must be placed here.
    resource "azurerm_subnet" "subnet2" {
      name                 = "subnet-test-subnet2"
      virtual_network_name = azurerm_virtual_network.vnet_subnet_test.name
      resource_group_name  = azurerm_virtual_network.vnet_subnet_test.resource_group_name
      address_prefixes     = ["10.100.3.0/24"]
    }
    
    # First NSG. No security_rule blocks are declared, so the group carries only
    # Azure's built-in default rules (inbound: VNet and Azure load balancer
    # allowed, everything else denied; outbound: VNet and Internet allowed)
    # until explicit rules are added.
    resource "azurerm_network_security_group" "app_server_nsg_1" {
      name                = "subnet-test-nsg-1"
      resource_group_name = azurerm_resource_group.rg_subnet_test.name
      location            = azurerm_resource_group.rg_subnet_test.location
    }
    
    # Second NSG. Like the first one it has no security_rule blocks, so only
    # Azure's default rules apply until explicit rules are added.
    resource "azurerm_network_security_group" "app_server_nsg_2" {
      name                = "subnet-test-nsg-2"
      resource_group_name = azurerm_resource_group.rg_subnet_test.name
      location            = azurerm_resource_group.rg_subnet_test.location
    }
    
    # Attaches NSG 1 to subnet 1. Each subnet can carry exactly one NSG, and this
    # association's Terraform ID is the subnet ID, so each subnet gets its own
    # association resource.
    resource "azurerm_subnet_network_security_group_association" "association1" {
      network_security_group_id = azurerm_network_security_group.app_server_nsg_1.id
      subnet_id                 = azurerm_subnet.subnet1.id
    }
    
    # Attaches NSG 2 to subnet 2 — a different subnet than association1, so the
    # two association IDs no longer collide.
    resource "azurerm_subnet_network_security_group_association" "association2" {
      network_security_group_id = azurerm_network_security_group.app_server_nsg_2.id
      subnet_id                 = azurerm_subnet.subnet2.id
    }