network_security_group_id not expected in azurerm_network_interface
-
I'm following a lecture on Terraform for Azure. They add a property network_security_group_id to an azurerm_network_interface:
    resource "azurerm_network_interface" "demo-instance" {
      name                      = "${var.prefix}-instance1"
      location                  = var.location
      resource_group_name       = azurerm_resource_group.demo.name
      network_security_group_id = azurerm_network_security_group.allow-ssh.id

      ip_configuration {
        .....
      }
    }
But 'terraform plan' spits out:

    Error: Unsupported argument
    │
    │   on instance.tf line 43, in resource "azurerm_network_interface" "demo-instance":
    │   43:   network_security_group_id = azurerm_network_security_group.allow-ssh.id
    │
    │ An argument named "network_security_group_id" is not expected here.

I'm guessing that this has moved somewhere else in some version, but I can't find the setting in the docs anywhere.
Where does network_security_group_id belong?
    resource "azurerm_network_security_group" "allow-ssh" {
      name                = "${var.prefix}-allow-ssh"
      location            = var.location
      resource_group_name = azurerm_resource_group.demo.name

      security_rule {
        name                       = "SSH"
        priority                   = 1001
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = "*"
        destination_port_range     = var.ssh-source-address
        destination_address_prefix = "*"
      }
    }
If I just remove these resources and settings, it works anyway. The resources get created and I'm able to log in with a key. So is this not needed anymore at all?
-
Found the answer, this has changed at some point.
What's needed is a network_security_group_association which relates to a subnet_id and a network_security_group_id (the one that was in the network_security_group before)
    resource "azurerm_subnet" "subnet-internal-1" {
      name                 = "${var.prefix}-internal-1"
      resource_group_name  = azurerm_resource_group.geofriends.name
      virtual_network_name = azurerm_virtual_network.vn.name
      address_prefixes     = ["10.0.0.0/24"]
    }

    resource "azurerm_network_security_group" "allow-ssh" {
      name                = "${var.prefix}-allow-ssh"
      location            = var.location
      resource_group_name = azurerm_resource_group.geofriends.name

      security_rule {
        name                       = "SSH"
        priority                   = 1001
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = var.ssh-source-address
        destination_port_range     = var.ssh-destination-address
        source_address_prefix      = var.ssh-source-address
        destination_address_prefix = var.ssh-destination-address
      }
    }

    resource "azurerm_subnet_network_security_group_association" "sec-group-association" {
      subnet_id                 = azurerm_subnet.subnet-internal-1.id
      network_security_group_id = azurerm_network_security_group.allow-ssh.id
    }
Now the subnet subnet-internal-1 contains the allow ssh security_group
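
Added example, not part of the original answer: the subnet association above applies the NSG to every NIC in subnet-internal-1, whereas azurerm_network_interface_security_group_association attaches it to a single NIC, which is the closest equivalent of the removed network_security_group_id argument. It reuses the question's resource names and assumes var.ssh-source-address holds a CIDR; the port values are assumptions, since the page gives none.

```hcl
# Added example (not the poster's code). Reuses names from the question:
# var.prefix, var.location, azurerm_resource_group.demo and
# azurerm_network_interface.demo-instance are expected to exist already.

resource "azurerm_network_security_group" "allow-ssh" {
  name                = "${var.prefix}-allow-ssh"
  location            = var.location
  resource_group_name = azurerm_resource_group.demo.name

  security_rule {
    name      = "SSH"
    priority  = 1001
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    # Port fields and address fields are separate settings.
    source_port_range      = "*"  # assumption: SSH clients connect from ephemeral ports
    destination_port_range = "22" # assumption: sshd listens on the default port

    # Assumption: var.ssh-source-address is a CIDR such as an admin network,
    # so the rule does not admit SSH from every source address.
    source_address_prefix      = var.ssh-source-address
    destination_address_prefix = "*"
  }
}

# NIC-level association: only this interface is filtered by the NSG.
# A subnet-level association may exist alongside it on the NIC's subnet.
resource "azurerm_network_interface_security_group_association" "demo-instance" {
  network_interface_id      = azurerm_network_interface.demo-instance.id
  network_security_group_id = azurerm_network_security_group.allow-ssh.id
}
```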