NSG security rules are displayed with before/after comparison tables showing which rules changed in a single view.
Reviewing changes to Network Security Groups (NSGs) can be tedious. tfplan2md aggregates changes to inline rules and standalone rule resources into a single, easy-to-read table.
```
  # module.network.azurerm_network_security_group.app must be replaced
-/+ resource "azurerm_network_security_group" "app" {
        name = "nsg-app"
        # (2 unchanged attributes hidden)
      - security_rule {
          - access = "Allow" -> null
          - destination_address_prefix = "*" -> null
          - destination_port_range = "80" -> null
          - direction = "Inbound" -> null
          - name = "allow-http" -> null
          - priority = 100 -> null
          - protocol = "Tcp" -> null
          - source_address_prefix = "*" -> null
          - source_port_range = "*" -> null
        }
      + security_rule {
          + access = "Allow"
          + destination_address_prefix = "*"
          + destination_port_range = "443"
          + direction = "Inbound"
          + name = "allow-https"
          + priority = 100
          + protocol = "Tcp"
          + source_address_prefix = "*"
          + source_port_range = "*"
        }
      + security_rule {
          + access = "Deny"
          + description = "Block RDP from internet"
          + destination_address_prefix = "*"
          + destination_port_range = "3389"
          + direction = "Inbound"
          + name = "deny-rdp"
          + priority = 200
          + protocol = "Tcp"
          + source_address_prefix = "*"
          + source_port_range = "*"
        }
      + security_rule {
          + access = "Allow"
          + description = "Allow outbound HTTPS"
          + destination_address_prefix = "*"
          + destination_port_range = "443"
          + direction = "Outbound"
          + name = "allow-outbound-https"
          + priority = 300
          + protocol = "Tcp"
          + source_address_prefix = "*"
          + source_port_range = "*"
        }
    }
```
Hard to scan—rules are scattered across the diff with all fields shown.
Network Security Group: nsg-app
| Change | Name | Priority | Direction | Access | Protocol | Source Addresses | Source Ports | Destination Addresses | Destination Ports | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| ➕ | 🆔 allow-https | 100 | ⬇️ Inbound | ✅ Allow | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 443 | - |
| ➕ | 🆔 deny-rdp | 200 | ⬇️ Inbound | ⛔ Deny | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 3389 | Block RDP from internet |
| ➕ | 🆔 allow-outbound-https | 300 | ⬆️ Outbound | ✅ Allow | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 443 | Allow outbound HTTPS |
| ❌ | 🆔 allow-http | 100 | ⬇️ Inbound | ✅ Allow | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 80 | - |
```markdown
### ♻️ module.network.azurerm_network_security_group.app
**Network Security Group:** `nsg-app`
#### Security Rules
| Change | Name | Priority | Direction | Access | Protocol | Source Addresses | Source Ports | Destination Addresses | Destination Ports | Description |
| -------- | ------ | ---------- | ----------- | -------- | ---------- | ------------------ | ------------ | ---------------------- | ------------------- | ------------- |
| ➕ | `🆔 allow-https` | `100` | `⬇️ Inbound` | `✅ Allow` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 443` | `-` |
| ➕ | `🆔 deny-rdp` | `200` | `⬇️ Inbound` | `⛔ Deny` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 3389` | `Block RDP from internet` |
| ➕ | `🆔 allow-outbound-https` | `300` | `⬆️ Outbound` | `✅ Allow` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 443` | `Allow outbound HTTPS` |
| ❌ | `🆔 allow-http` | `100` | `⬇️ Inbound` | `✅ Allow` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 80` | `-` |
```
Clear table view: 3 rules added, 1 removed—easy to review at a glance.
- `azurerm_network_security_group` - Full NSG with inline rules
- `azurerm_network_security_rule` - Individual security rules

NSG rule diffing uses resource-specific templates to provide clear, table-based views of security rule changes.
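The aggregation described on this page can be reproduced for a quick review script. The following is an added example, not tfplan2md's own code: it assumes the plan has been exported as JSON (`resource_changes[].change.before/after`), matches rules by name, and uses hypothetical names (`nsg_rule_changes`, `to_markdown`, `sample_rule`, `SAMPLE_PLAN`) and a reduced column set.

```python
# Added example, not tfplan2md code. Columns: a subset of azurerm security_rule attributes.
COLS = ("priority", "direction", "access", "protocol",
        "source_address_prefix", "destination_port_range", "description")

def by_name(state):
    """Index the inline security_rule blocks of one NSG state by rule name."""
    return {r["name"]: r for r in (state or {}).get("security_rule") or []}

def nsg_rule_changes(plan):
    """Return (nsg, change, rule) rows for inline and standalone rules, by NSG and priority."""
    rows = []
    for rc in plan.get("resource_changes", []):
        old, new = rc["change"].get("before"), rc["change"].get("after")
        if rc["type"] == "azurerm_network_security_group":
            nsg, old, new = (new or old)["name"], by_name(old), by_name(new)
        elif rc["type"] == "azurerm_network_security_rule":
            nsg = (new or old)["network_security_group_name"]
            old, new = ({s["name"]: s} if s else {} for s in (old, new))
        else:
            continue
        for name in old.keys() | new.keys():
            o, n = old.get(name), new.get(name)
            if o and n and all(o.get(c) == n.get(c) for c in COLS):
                continue  # unchanged rule: keep it out of the review table
            change = "added" if not o else "removed" if not n else "modified"
            rows.append((nsg, change, n or o))
    return sorted(rows, key=lambda r: (r[0], r[2]["priority"], r[2]["name"]))

def to_markdown(rows):
    """Render the rows as one Markdown table, one line per changed rule."""
    lines = ["| Change | NSG | Name | " + " | ".join(COLS) + " |",
             "|" + "---|" * (len(COLS) + 3)]
    for nsg, change, rule in rows:
        cells = [change, nsg, rule["name"]] + [str(rule.get(c) or "-") for c in COLS]
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)

def sample_rule(name, prio, direction, access, port, desc=""):  # constructed sample rule
    return {"name": name, "priority": prio, "direction": direction, "access": access, "protocol": "Tcp",
            "source_address_prefix": "*", "destination_port_range": port, "description": desc}
# Constructed sample mirroring the plan above; not real `terraform show -json` output.
SAMPLE_PLAN = {"resource_changes": [{"type": "azurerm_network_security_group", "change": {
    "before": {"name": "nsg-app", "security_rule": [sample_rule("allow-http", 100, "Inbound", "Allow", "80")]},
    "after": {"name": "nsg-app", "security_rule": [
        sample_rule("allow-https", 100, "Inbound", "Allow", "443"),
        sample_rule("deny-rdp", 200, "Inbound", "Deny", "3389", "Block RDP from internet"),
        sample_rule("allow-outbound-https", 300, "Outbound", "Allow", "443", "Allow outbound HTTPS")]}}}]}

if __name__ == "__main__":
    print(to_markdown(nsg_rule_changes(SAMPLE_PLAN)))
```

For a real plan, load the output of `terraform show -json <planfile>` with `json.load` and pass the resulting dict to `nsg_rule_changes`.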