Scaffold the Azure RM Network Security Rule resource

11 years ago · 719f3ad2ce
parent f4e138f2db
commit 719f3ad2ce
9 changed files with 696 additions and 157 deletions
--- a/builtin/providers/azurerm/network_security_rule.go
+++ b/builtin/providers/azurerm/network_security_rule.go
@ -0,0 +1,46 @@
+package azurerm
+
+import (
+	"fmt"
+	"strings"
+)
+
+func validateNetworkSecurityRuleProtocol(v interface{}, k string) (ws []string, errors []error) {
+	value := strings.ToLower(v.(string))
+	protocols := map[string]bool{
+		"tcp": true,
+		"udp": true,
+		"*":   true,
+	}
+
+	if !protocols[value] {
+		errors = append(errors, fmt.Errorf("Network Security Rule Protocol can only be Tcp, Udp or *"))
+	}
+	return
+}
+
+func validateNetworkSecurityRuleAccess(v interface{}, k string) (ws []string, errors []error) {
+	value := strings.ToLower(v.(string))
+	accessTypes := map[string]bool{
+		"allow": true,
+		"deny":  true,
+	}
+
+	if !accessTypes[value] {
+		errors = append(errors, fmt.Errorf("Network Security Rule Access can only be Allow or Deny"))
+	}
+	return
+}
+
+func validateNetworkSecurityRuleDirection(v interface{}, k string) (ws []string, errors []error) {
+	value := strings.ToLower(v.(string))
+	directions := map[string]bool{
+		"inbound":  true,
+		"outbound": true,
+	}
+
+	if !directions[value] {
+		errors = append(errors, fmt.Errorf("Network Security Rule Directions can only be Inbound or Outbound"))
+	}
+	return
+}
--- a/builtin/providers/azurerm/network_security_rule_test.go
+++ b/builtin/providers/azurerm/network_security_rule_test.go
@ -0,0 +1,115 @@
+package azurerm
+
+import "testing"
+
+func TestResourceAzureRMNetworkSecurityRuleProtocol_validation(t *testing.T) {
+	cases := []struct {
+		Value    string
+		ErrCount int
+	}{
+		{
+			Value:    "Random",
+			ErrCount: 1,
+		},
+		{
+			Value:    "tcp",
+			ErrCount: 0,
+		},
+		{
+			Value:    "TCP",
+			ErrCount: 0,
+		},
+		{
+			Value:    "*",
+			ErrCount: 0,
+		},
+		{
+			Value:    "Udp",
+			ErrCount: 0,
+		},
+		{
+			Value:    "Tcp",
+			ErrCount: 0,
+		},
+	}
+
+	for _, tc := range cases {
+		_, errors := validateNetworkSecurityRuleProtocol(tc.Value, "azurerm_network_security_rule")
+
+		if len(errors) != tc.ErrCount {
+			t.Fatalf("Expected the Azure RM Network Security Rule protocol to trigger a validation error")
+		}
+	}
+}
+
+func TestResourceAzureRMNetworkSecurityRuleAccess_validation(t *testing.T) {
+	cases := []struct {
+		Value    string
+		ErrCount int
+	}{
+		{
+			Value:    "Random",
+			ErrCount: 1,
+		},
+		{
+			Value:    "Allow",
+			ErrCount: 0,
+		},
+		{
+			Value:    "Deny",
+			ErrCount: 0,
+		},
+		{
+			Value:    "ALLOW",
+			ErrCount: 0,
+		},
+		{
+			Value:    "deny",
+			ErrCount: 0,
+		},
+	}
+
+	for _, tc := range cases {
+		_, errors := validateNetworkSecurityRuleAccess(tc.Value, "azurerm_network_security_rule")
+
+		if len(errors) != tc.ErrCount {
+			t.Fatalf("Expected the Azure RM Network Security Rule access to trigger a validation error")
+		}
+	}
+}
+
+func TestResourceAzureRMNetworkSecurityRuleDirection_validation(t *testing.T) {
+	cases := []struct {
+		Value    string
+		ErrCount int
+	}{
+		{
+			Value:    "Random",
+			ErrCount: 1,
+		},
+		{
+			Value:    "Inbound",
+			ErrCount: 0,
+		},
+		{
+			Value:    "Outbound",
+			ErrCount: 0,
+		},
+		{
+			Value:    "INBOUND",
+			ErrCount: 0,
+		},
+		{
+			Value:    "Inbound",
+			ErrCount: 0,
+		},
+	}
+
+	for _, tc := range cases {
+		_, errors := validateNetworkSecurityRuleDirection(tc.Value, "azurerm_network_security_rule")
+
+		if len(errors) != tc.ErrCount {
+			t.Fatalf("Expected the Azure RM Network Security Rule direction to trigger a validation error")
+		}
+	}
+}
--- a/builtin/providers/azurerm/provider.go
+++ b/builtin/providers/azurerm/provider.go
@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strings"

+	"github.com/hashicorp/terraform/helper/mutexkv"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
 )
@ -44,9 +45,9 @@ func Provider() terraform.ResourceProvider {
 			"azurerm_local_network_gateway":  resourceArmLocalNetworkGateway(),
 			"azurerm_availability_set":       resourceArmAvailabilitySet(),
 			"azurerm_network_security_group": resourceArmNetworkSecurityGroup(),
+			"azurerm_network_security_rule":  resourceArmNetworkSecurityRule(),
 			"azurerm_public_ip":              resourceArmPublicIp(),
 		},
-
 		ConfigureFunc: providerConfigure,
 	}
 }
@ -110,3 +111,6 @@ func azureRMNormalizeLocation(location interface{}) string {
 	input := location.(string)
 	return strings.Replace(strings.ToLower(input), " ", "", -1)
 }
+
+// armMutexKV is the instance of MutexKV for ARM resources
+var armMutexKV = mutexkv.NewMutexKV()
--- a/builtin/providers/azurerm/resource_arm_network_security_group.go
+++ b/builtin/providers/azurerm/resource_arm_network_security_group.go
@ -7,8 +7,6 @@ import (
 	"net/http"
 	"time"

-	"strings"
-
 	"github.com/Azure/azure-sdk-for-go/arm/network"
 	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/resource"
@ -132,7 +130,7 @@ func resourceArmNetworkSecurityGroupCreate(d *schema.ResourceData, meta interfac
 	location := d.Get("location").(string)
 	resGroup := d.Get("resource_group_name").(string)

-	sgRules, sgErr := expandAzureRmSecurityGroupRules(d)
+	sgRules, sgErr := expandAzureRmSecurityRules(d)
 	if sgErr != nil {
 		return fmt.Errorf("Error Building list of Network Security Group Rules: %s", sgErr)
 	}
@ -185,6 +183,10 @@ func resourceArmNetworkSecurityGroupRead(d *schema.ResourceData, meta interface{
 		return fmt.Errorf("Error making Read request on Azure Network Security Group %s: %s", name, err)
 	}

+	if resp.Properties.SecurityRules != nil {
+		d.Set("security_rule", flattenNetworkSecurityRules(resp.Properties.SecurityRules))
+	}
+
 	return nil
 }

@ -229,7 +231,30 @@ func securityGroupStateRefreshFunc(client *ArmClient, resourceGroupName string,
 	}
 }

-func expandAzureRmSecurityGroupRules(d *schema.ResourceData) ([]network.SecurityRule, error) {
+func flattenNetworkSecurityRules(rules *[]network.SecurityRule) []map[string]interface{} {
+	result := make([]map[string]interface{}, 0, len(*rules))
+	for _, rule := range *rules {
+		sgRule := make(map[string]interface{})
+		sgRule["name"] = *rule.Name
+		sgRule["destination_address_prefix"] = *rule.Properties.DestinationAddressPrefix
+		sgRule["destination_port_range"] = *rule.Properties.DestinationPortRange
+		sgRule["source_address_prefix"] = *rule.Properties.SourceAddressPrefix
+		sgRule["source_port_range"] = *rule.Properties.SourcePortRange
+		sgRule["priority"] = int(*rule.Properties.Priority)
+		sgRule["access"] = rule.Properties.Access
+		sgRule["direction"] = rule.Properties.Direction
+		sgRule["protocol"] = rule.Properties.Protocol
+
+		if rule.Properties.Description != nil {
+			sgRule["description"] = *rule.Properties.Description
+		}
+
+		result = append(result, sgRule)
+	}
+	return result
+}
+
+func expandAzureRmSecurityRules(d *schema.ResourceData) ([]network.SecurityRule, error) {
 	sgRules := d.Get("security_rule").(*schema.Set).List()
 	rules := make([]network.SecurityRule, 0, len(sgRules))

@ -268,43 +293,3 @@ func expandAzureRmSecurityGroupRules(d *schema.ResourceData) ([]network.Security

 	return rules, nil
 }
-
-func validateNetworkSecurityRuleProtocol(v interface{}, k string) (ws []string, errors []error) {
-	value := strings.ToLower(v.(string))
-	viewTypes := map[string]bool{
-		"tcp": true,
-		"udp": true,
-		"*":   true,
-	}
-
-	if !viewTypes[value] {
-		errors = append(errors, fmt.Errorf("Network Security Rule Protocol can only be Tcp, Udp or *"))
-	}
-	return
-}
-
-func validateNetworkSecurityRuleAccess(v interface{}, k string) (ws []string, errors []error) {
-	value := strings.ToLower(v.(string))
-	viewTypes := map[string]bool{
-		"allow": true,
-		"deny":  true,
-	}
-
-	if !viewTypes[value] {
-		errors = append(errors, fmt.Errorf("Network Security Rule Access can only be Allow or Deny"))
-	}
-	return
-}
-
-func validateNetworkSecurityRuleDirection(v interface{}, k string) (ws []string, errors []error) {
-	value := strings.ToLower(v.(string))
-	viewTypes := map[string]bool{
-		"inbound":  true,
-		"outbound": true,
-	}
-
-	if !viewTypes[value] {
-		errors = append(errors, fmt.Errorf("Network Security Rule Directions can only be Inbound or Outbound"))
-	}
-	return
-}
--- a/builtin/providers/azurerm/resource_arm_network_security_group_test.go
+++ b/builtin/providers/azurerm/resource_arm_network_security_group_test.go
@ -9,118 +9,6 @@ import (
 	"github.com/hashicorp/terraform/terraform"
 )

-func TestResourceAzureRMNetworkSecurityGroupProtocol_validation(t *testing.T) {
-	cases := []struct {
-		Value    string
-		ErrCount int
-	}{
-		{
-			Value:    "Random",
-			ErrCount: 1,
-		},
-		{
-			Value:    "tcp",
-			ErrCount: 0,
-		},
-		{
-			Value:    "TCP",
-			ErrCount: 0,
-		},
-		{
-			Value:    "*",
-			ErrCount: 0,
-		},
-		{
-			Value:    "Udp",
-			ErrCount: 0,
-		},
-		{
-			Value:    "Tcp",
-			ErrCount: 0,
-		},
-	}
-
-	for _, tc := range cases {
-		_, errors := validateNetworkSecurityRuleProtocol(tc.Value, "azurerm_network_security_group")
-
-		if len(errors) != tc.ErrCount {
-			t.Fatalf("Expected the Azure RM Network Security Group protocol to trigger a validation error")
-		}
-	}
-}
-
-func TestResourceAzureRMNetworkSecurityGroupAccess_validation(t *testing.T) {
-	cases := []struct {
-		Value    string
-		ErrCount int
-	}{
-		{
-			Value:    "Random",
-			ErrCount: 1,
-		},
-		{
-			Value:    "Allow",
-			ErrCount: 0,
-		},
-		{
-			Value:    "Deny",
-			ErrCount: 0,
-		},
-		{
-			Value:    "ALLOW",
-			ErrCount: 0,
-		},
-		{
-			Value:    "deny",
-			ErrCount: 0,
-		},
-	}
-
-	for _, tc := range cases {
-		_, errors := validateNetworkSecurityRuleAccess(tc.Value, "azurerm_network_security_group")
-
-		if len(errors) != tc.ErrCount {
-			t.Fatalf("Expected the Azure RM Network Security Group access to trigger a validation error")
-		}
-	}
-}
-
-func TestResourceAzureRMNetworkSecurityGroupDirection_validation(t *testing.T) {
-	cases := []struct {
-		Value    string
-		ErrCount int
-	}{
-		{
-			Value:    "Random",
-			ErrCount: 1,
-		},
-		{
-			Value:    "Inbound",
-			ErrCount: 0,
-		},
-		{
-			Value:    "Outbound",
-			ErrCount: 0,
-		},
-		{
-			Value:    "INBOUND",
-			ErrCount: 0,
-		},
-		{
-			Value:    "Inbound",
-			ErrCount: 0,
-		},
-	}
-
-	for _, tc := range cases {
-		_, errors := validateNetworkSecurityRuleDirection(tc.Value, "azurerm_network_security_group")
-
-		if len(errors) != tc.ErrCount {
-			t.Fatalf("Expected the Azure RM Network Security Group direction to trigger a validation error")
-		}
-	}
-}
-
 func TestAccAzureRMNetworkSecurityGroup_basic(t *testing.T) {

 	resource.Test(t, resource.TestCase{
--- a/builtin/providers/azurerm/resource_arm_network_security_rule.go
+++ b/builtin/providers/azurerm/resource_arm_network_security_rule.go
@ -0,0 +1,219 @@
+package azurerm
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/arm/network"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceArmNetworkSecurityRule() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceArmNetworkSecurityRuleCreate,
+		Read:   resourceArmNetworkSecurityRuleRead,
+		Update: resourceArmNetworkSecurityRuleCreate,
+		Delete: resourceArmNetworkSecurityRuleDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"resource_group_name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"network_security_group_name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+
+			"description": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
+					value := v.(string)
+					if len(value) > 140 {
+						errors = append(errors, fmt.Errorf(
+							"The network security rule description can be no longer than 140 chars"))
+					}
+					return
+				},
+			},
+
+			"protocol": &schema.Schema{
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateNetworkSecurityRuleProtocol,
+			},
+
+			"source_port_range": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+
+			"destination_port_range": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+
+			"source_address_prefix": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+
+			"destination_address_prefix": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+
+			"access": &schema.Schema{
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateNetworkSecurityRuleAccess,
+			},
+
+			"priority": &schema.Schema{
+				Type:     schema.TypeInt,
+				Required: true,
+				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
+					value := v.(int)
+					if value < 100 || value > 4096 {
+						errors = append(errors, fmt.Errorf(
+							"The `priority` can only be between 100 and 4096"))
+					}
+					return
+				},
+			},
+
+			"direction": &schema.Schema{
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateNetworkSecurityRuleDirection,
+			},
+		},
+	}
+}
+
+func resourceArmNetworkSecurityRuleCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient)
+	secClient := client.secRuleClient
+
+	name := d.Get("name").(string)
+	nsgName := d.Get("network_security_group_name").(string)
+	resGroup := d.Get("resource_group_name").(string)
+
+	source_port_range := d.Get("source_port_range").(string)
+	destination_port_range := d.Get("destination_port_range").(string)
+	source_address_prefix := d.Get("source_address_prefix").(string)
+	destination_address_prefix := d.Get("destination_address_prefix").(string)
+	priority := d.Get("priority").(int)
+	access := d.Get("access").(string)
+	direction := d.Get("direction").(string)
+	protocol := d.Get("protocol").(string)
+
+	armMutexKV.Lock(nsgName)
+	defer armMutexKV.Unlock(nsgName)
+
+	properties := network.SecurityRulePropertiesFormat{
+		SourcePortRange:          &source_port_range,
+		DestinationPortRange:     &destination_port_range,
+		SourceAddressPrefix:      &source_address_prefix,
+		DestinationAddressPrefix: &destination_address_prefix,
+		Priority:                 &priority,
+		Access:                   network.SecurityRuleAccess(access),
+		Direction:                network.SecurityRuleDirection(direction),
+		Protocol:                 network.SecurityRuleProtocol(protocol),
+	}
+
+	if v, ok := d.GetOk("description"); ok {
+		description := v.(string)
+		properties.Description = &description
+	}
+
+	sgr := network.SecurityRule{
+		Name:       &name,
+		Properties: &properties,
+	}
+
+	resp, err := secClient.CreateOrUpdate(resGroup, nsgName, name, sgr)
+	if err != nil {
+		return err
+	}
+	d.SetId(*resp.ID)
+
+	log.Printf("[DEBUG] Waiting for Network Security Rule (%s) to become available", name)
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{"Accepted", "Updating"},
+		Target:  "Succeeded",
+		Refresh: securityRuleStateRefreshFunc(client, resGroup, nsgName, name),
+		Timeout: 10 * time.Minute,
+	}
+	if _, err := stateConf.WaitForState(); err != nil {
+		return fmt.Errorf("Error waiting for Network Securty Rule (%s) to become available: %s", name, err)
+	}
+
+	return resourceArmNetworkSecurityRuleRead(d, meta)
+}
+
+func resourceArmNetworkSecurityRuleRead(d *schema.ResourceData, meta interface{}) error {
+	secRuleClient := meta.(*ArmClient).secRuleClient
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+	resGroup := id.ResourceGroup
+	networkSGName := id.Path["networkSecurityGroups"]
+	sgRuleName := id.Path["securityRules"]
+
+	resp, err := secRuleClient.Get(resGroup, networkSGName, sgRuleName)
+	if resp.StatusCode == http.StatusNotFound {
+		d.SetId("")
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("Error making Read request on Azure Network Security Rule %s: %s", sgRuleName, err)
+	}
+
+	return nil
+}
+
+func resourceArmNetworkSecurityRuleDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient)
+	secRuleClient := client.secRuleClient
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+	resGroup := id.ResourceGroup
+	nsgName := id.Path["networkSecurityGroups"]
+	sgRuleName := id.Path["securityRules"]
+
+	armMutexKV.Lock(nsgName)
+	defer armMutexKV.Unlock(nsgName)
+
+	_, err = secRuleClient.Delete(resGroup, nsgName, sgRuleName)
+
+	return err
+}
+
+func securityRuleStateRefreshFunc(client *ArmClient, resourceGroupName string, networkSecurityGroupName string, securityRuleName string) resource.StateRefreshFunc {
+	return func() (interface{}, string, error) {
+		res, err := client.secRuleClient.Get(resourceGroupName, networkSecurityGroupName, securityRuleName)
+		if err != nil {
+			return nil, "", fmt.Errorf("Error issuing read request in securityGroupStateRefreshFunc to Azure ARM for network security rule '%s' (RG: '%s') (NSG: '%s'): %s", securityRuleName, resourceGroupName, networkSecurityGroupName, err)
+		}
+
+		return res, *res.Properties.ProvisioningState, nil
+	}
+}
--- a/builtin/providers/azurerm/resource_arm_network_security_rule_test.go
+++ b/builtin/providers/azurerm/resource_arm_network_security_rule_test.go
@ -0,0 +1,203 @@
+package azurerm
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAzureRMNetworkSecurityRule_basic(t *testing.T) {
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAzureRMNetworkSecurityRule_basic,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMNetworkSecurityRule_addingRules(t *testing.T) {
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMNetworkSecurityRuleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAzureRMNetworkSecurityRule_updateBasic,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test1"),
+				),
+			},
+
+			resource.TestStep{
+				Config: testAccAzureRMNetworkSecurityRule_updateExtraRule,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMNetworkSecurityRuleExists("azurerm_network_security_rule.test2"),
+				),
+			},
+		},
+	})
+}
+
+func testCheckAzureRMNetworkSecurityRuleExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		sgName := rs.Primary.Attributes["network_security_group_name"]
+		sgrName := rs.Primary.Attributes["name"]
+		resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"]
+		if !hasResourceGroup {
+			return fmt.Errorf("Bad: no resource group found in state for network security rule: %s", sgName)
+		}
+
+		conn := testAccProvider.Meta().(*ArmClient).secRuleClient
+
+		resp, err := conn.Get(resourceGroup, sgName, sgrName)
+		if err != nil {
+			return fmt.Errorf("Bad: Get on secRuleClient: %s", err)
+		}
+
+		if resp.StatusCode == http.StatusNotFound {
+			return fmt.Errorf("Bad: Network Security Rule %q (resource group: %q) (network security group: %q) does not exist", sgrName, sgName, resourceGroup)
+		}
+
+		return nil
+	}
+}
+
+func testCheckAzureRMNetworkSecurityRuleDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*ArmClient).secRuleClient
+
+	for _, rs := range s.RootModule().Resources {
+
+		if rs.Type != "azurerm_network_security_rule" {
+			continue
+		}
+
+		sgName := rs.Primary.Attributes["network_security_group_name"]
+		sgrName := rs.Primary.Attributes["name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		resp, err := conn.Get(resourceGroup, sgName, sgrName)
+
+		if err != nil {
+			return nil
+		}
+
+		if resp.StatusCode != http.StatusNotFound {
+			return fmt.Errorf("Network Security Rule still exists:\n%#v", resp.Properties)
+		}
+	}
+
+	return nil
+}
+
+var testAccAzureRMNetworkSecurityRule_basic = `
+resource "azurerm_resource_group" "test" {
+    name = "acceptanceTestResourceGroup1"
+    location = "West US"
+}
+
+resource "azurerm_network_security_group" "test" {
+    name = "acceptanceTestSecurityGroup1"
+    location = "West US"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_network_security_rule" "test" {
+	name = "test123"
+    	priority = 100
+    	direction = "Outbound"
+    	access = "Allow"
+    	protocol = "Tcp"
+    	source_port_range = "*"
+    	destination_port_range = "*"
+    	source_address_prefix = "*"
+    	destination_address_prefix = "*"
+    	resource_group_name = "${azurerm_resource_group.test.name}"
+    	network_security_group_name = "${azurerm_network_security_group.test.name}"
+}
+`
+
+var testAccAzureRMNetworkSecurityRule_updateBasic = `
+resource "azurerm_resource_group" "test1" {
+    name = "acceptanceTestResourceGroup2"
+    location = "West US"
+}
+
+resource "azurerm_network_security_group" "test1" {
+    name = "acceptanceTestSecurityGroup2"
+    location = "West US"
+    resource_group_name = "${azurerm_resource_group.test1.name}"
+}
+
+resource "azurerm_network_security_rule" "test1" {
+	name = "test123"
+    	priority = 100
+    	direction = "Outbound"
+    	access = "Allow"
+    	protocol = "Tcp"
+    	source_port_range = "*"
+    	destination_port_range = "*"
+    	source_address_prefix = "*"
+    	destination_address_prefix = "*"
+    	resource_group_name = "${azurerm_resource_group.test1.name}"
+    	network_security_group_name = "${azurerm_network_security_group.test1.name}"
+}
+`
+
+var testAccAzureRMNetworkSecurityRule_updateExtraRule = `
+resource "azurerm_resource_group" "test1" {
+    name = "acceptanceTestResourceGroup2"
+    location = "West US"
+}
+
+resource "azurerm_network_security_group" "test1" {
+    name = "acceptanceTestSecurityGroup2"
+    location = "West US"
+    resource_group_name = "${azurerm_resource_group.test1.name}"
+}
+
+resource "azurerm_network_security_rule" "test1" {
+	name = "test123"
+    	priority = 100
+    	direction = "Outbound"
+    	access = "Allow"
+    	protocol = "Tcp"
+    	source_port_range = "*"
+    	destination_port_range = "*"
+    	source_address_prefix = "*"
+    	destination_address_prefix = "*"
+    	resource_group_name = "${azurerm_resource_group.test1.name}"
+    	network_security_group_name = "${azurerm_network_security_group.test1.name}"
+}
+
+resource "azurerm_network_security_rule" "test2" {
+	name = "testing456"
+    	priority = 101
+    	direction = "Inbound"
+    	access = "Deny"
+    	protocol = "Tcp"
+    	source_port_range = "*"
+    	destination_port_range = "*"
+    	source_address_prefix = "*"
+    	destination_address_prefix = "*"
+    	resource_group_name = "${azurerm_resource_group.test1.name}"
+    	network_security_group_name = "${azurerm_network_security_group.test1.name}"
+}
+`
--- a/website/source/docs/providers/azurerm/r/network_security_rule.html.markdown
+++ b/website/source/docs/providers/azurerm/r/network_security_rule.html.markdown
@ -0,0 +1,75 @@
+---
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_network_security_rule"
+sidebar_current: "docs-azurerm-resource-network-security-rule"
+description: |-
+  Create a Network Security Rule.
+---
+
+# azurerm\_network\_security\_rule
+
+Create a Network Security Rule.
+
+## Example Usage
+
+```
+resource "azurerm_resource_group" "test" {
+    name = "acceptanceTestResourceGroup1"
+    location = "West US"
+}
+
+resource "azurerm_network_security_group" "test" {
+    name = "acceptanceTestSecurityGroup1"
+    location = "West US"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_network_security_rule" "test" {
+	name = "test123"
+    priority = 100
+    direction = "Outbound"
+    access = "Allow"
+    protocol = "Tcp"
+    source_port_range = "*"
+    destination_port_range = "*"
+    source_address_prefix = "*"
+    destination_address_prefix = "*"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    network_security_group_name = "${azurerm_network_security_group.test.name}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the security rule.
+
+* `resource_group_name` - (Required) The name of the resource group in which to
+    create the Network Security Rule.
+ 
+* `network_security_group_name` - (Required) The name of the Network Security Group that we want to attach the rule to.
+
+* `description` - (Optional) A description for this rule. Restricted to 140 characters.
+
+* `protocol` - (Required) Network protocol this rule applies to. Can be Tcp, Udp or * to match both.
+
+* `source_port_range` - (Required) Source Port or Range. Integer or range between 0 and 65535 or * to match any.
+
+* `destination_port_range` - (Required) Destination Port or Range. Integer or range between 0 and 65535 or * to match any.
+
+* `source_address_prefix` - (Required) CIDR or source IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used.
+
+* `destination_address_prefix` - (Required) CIDR or destination IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used.
+
+* `access` - (Required) Specifies whether network traffic is allowed or denied. Possible values are “Allow” and “Deny”.
+
+* `priority` - (Required) Specifies the priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
+
+* `direction` - (Required) The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are “Inbound” and “Outbound”.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The Network Security Rule ID.
--- a/website/source/layouts/azurerm.erb
+++ b/website/source/layouts/azurerm.erb
@ -33,6 +33,10 @@
                          <a href="/docs/providers/azurerm/r/network_security_group.html">azurerm_network_security_group</a>
                        </li>

+                        <li<%= sidebar_current("docs-azurerm-resource-network-security-rule") %>>
+                          <a href="/docs/providers/azurerm/r/network_security_rule.html">azurerm_network_security_rule</a>
+                        </li>
+
                        <li<%= sidebar_current("docs-azurerm-resource-public-ip") %>>
                          <a href="/docs/providers/azurerm/r/public_ip.html">azurerm_public_ip</a>
                        </li>