Network Security Group Rule Diffing
NSG security rules are displayed with before/after comparison tables showing which rules changed in a single view.
azurerm
Reviewing changes to Network Security Groups (NSGs) can be tedious. tfplan2md aggregates changes to inline rules and standalone rule resources into a single, easy-to-read table.
❌ Without tfplan2md
Raw Terraform Output
# module.network.azurerm_network_security_group.app must be replaced
-/+ resource "azurerm_network_security_group" "app" {
    name = "nsg-app"
  - security_rule {
      - name = "allow-http" -> null
      - destination_port_range = "80" -> null
      - priority = 100 -> null
    }
  + security_rule {
      + name = "allow-https"
      + destination_port_range = "443"
      + priority = 100
    }
  + security_rule {
      + name = "deny-rdp"
      + destination_port_range = "3389"
      + priority = 200
    }
  + security_rule {
      + name = "allow-outbound-https"
      + destination_port_range = "443"
      + priority = 300
    }
}
Hard to scan. Rules are scattered across the diff and every field is mixed together.
✅ With tfplan2md
Network Security Group Output
♻️ module.network.azurerm_network_security_group.app
Network Security Group: nsg-app
Security Rules
| Change | Name | Priority | Direction | Access | Protocol | Source Addresses | Source Ports | Destination Addresses | Destination Ports | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| ➕ | 🆔 allow-https | 100 | ⬇️ Inbound | ✅ Allow | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 443 | - |
| ➕ | 🆔 deny-rdp | 200 | ⬇️ Inbound | ⛔ Deny | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 3389 | Block RDP from internet |
| ➕ | 🆔 allow-outbound-https | 300 | ⬆️ Outbound | ✅ Allow | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 443 | Allow outbound HTTPS |
| ❌ | 🆔 allow-http | 100 | ⬇️ Inbound | ✅ Allow | 🔗 TCP | ✳️ | ✳️ | ✳️ | 🔌 80 | - |
### ♻️ module.network.azurerm_network_security_group.app
**Network Security Group:** `nsg-app`
#### Security Rules
| Change | Name | Priority | Direction | Access | Protocol | Source Addresses | Source Ports | Destination Addresses | Destination Ports | Description |
| -------- | ------ | ---------- | ----------- | -------- | ---------- | ------------------ | ------------ | ---------------------- | ------------------- | ------------- |
| ➕ | `🆔 allow-https` | `100` | `⬇️ Inbound` | `✅ Allow` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 443` | `-` |
| ➕ | `🆔 deny-rdp` | `200` | `⬇️ Inbound` | `⛔ Deny` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 3389` | `Block RDP from internet` |
| ➕ | `🆔 allow-outbound-https` | `300` | `⬆️ Outbound` | `✅ Allow` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 443` | `Allow outbound HTTPS` |
| ❌ | `🆔 allow-http` | `100` | `⬇️ Inbound` | `✅ Allow` | `🔗 TCP` | `✳️` | `✳️` | `✳️` | `🔌 80` | `-` |

Clear table view: 3 rules added, 1 removed, and changed ports are visible immediately.
Supported Resources
- azurerm_network_security_group for inline security rules
- azurerm_network_security_rule for standalone rule resources
- Shows priority, direction, access, protocol, sources, and destinations in one table
- Visual icons help reviewers distinguish IPs, ports, and protocols quickly
Learn More
NSG rule diffing uses resource-specific templates to provide clear, table-based views of security rule changes.
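
The aggregation of inline and standalone rules described on this page can be reproduced against the `resource_changes` section of `terraform show -json` output. The sketch below is an added example, not tfplan2md's own code; the plan data is constructed (the standalone `allow-ssh` rule does not appear on this page), and the helper names and reduced column set are assumptions.

```python
# Constructed sample in the shape of `terraform show -json` resource_changes.
# Inline rules mirror this page's example; the standalone rule is made up.
PLAN = {"resource_changes": [
    {"type": "azurerm_network_security_group", "change": {
        "before": {"name": "nsg-app", "security_rule": [
            {"name": "allow-http", "priority": 100, "direction": "Inbound", "access": "Allow", "destination_port_range": "80"}]},
        "after": {"name": "nsg-app", "security_rule": [
            {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow", "destination_port_range": "443"},
            {"name": "deny-rdp", "priority": 200, "direction": "Inbound", "access": "Deny", "destination_port_range": "3389"},
            {"name": "allow-outbound-https", "priority": 300, "direction": "Outbound", "access": "Allow", "destination_port_range": "443"}]}}},
    {"type": "azurerm_network_security_rule", "change": {
        "before": {"name": "allow-ssh", "network_security_group_name": "nsg-app", "priority": 400, "direction": "Inbound", "access": "Allow", "destination_port_range": "22"},
        "after": {"name": "allow-ssh", "network_security_group_name": "nsg-app", "priority": 400, "direction": "Inbound", "access": "Deny", "destination_port_range": "22"}}},
]}
FIELDS = ("priority", "direction", "access", "destination_port_range")

def rules(rc, state):
    """Map (NSG name, rule name) -> rule for one resource change's before/after."""
    obj = rc["change"].get(state) or {}  # before/after is null on create/delete
    if rc["type"] == "azurerm_network_security_group":  # inline rules
        return {(obj.get("name"), r["name"]): r for r in obj.get("security_rule") or []}
    if rc["type"] == "azurerm_network_security_rule" and obj:  # standalone rule
        return {(obj["network_security_group_name"], obj["name"]): obj}
    return {}

def diff_rules(plan):
    """Merge both resource types into one rule set per state, then diff by key."""
    before, after = {}, {}
    for rc in plan.get("resource_changes", []):
        before.update(rules(rc, "before"))
        after.update(rules(rc, "after"))
    rows = []
    for key in before.keys() | after.keys():
        old, new = before.get(key), after.get(key)
        change = "add" if old is None else "remove" if new is None else "modify"
        if change == "modify" and all(old.get(f) == new.get(f) for f in FIELDS):
            continue  # unchanged, e.g. a rule moved from inline to standalone
        rule = new or old
        rows.append((change, key[0], key[1]) + tuple(rule.get(f) for f in FIELDS))
    order = {"add": 0, "modify": 1, "remove": 2}
    # Unknown (null) priorities sort first instead of raising on comparison.
    return sorted(rows, key=lambda r: (order[r[0]], r[3] or 0))

def to_markdown(rows):
    head = ["| Change | NSG | Name | Priority | Direction | Access | Destination Ports |", "|---|---|---|---|---|---|---|"]
    return "\n".join(head + ["| " + " | ".join(map(str, r)) + " |" for r in rows])

if __name__ == "__main__":
    print(to_markdown(diff_rules(PLAN)))
```

Keying on the NSG name plus rule name is what lets a rule that moves between the inline block and a standalone resource show up as unchanged rather than as a remove and an add.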