[AVM Module Issue]: AzureBastion and ContainerAppEnvironment subnet should be associated with a NSG

[sjyang18]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

I'm not sure

(Optional) Module Version

No response

(Optional) Correlation Id

No response

Description

Description

The AVM module currently allows creation of subnets without enforcing association with a Network Security Group (NSG). This behavior can lead to unintended exposure or misconfiguration, especially in environments where NSG enforcement is critical for maintaining security posture.

This issue was flagged by S360, Microsoft’s internal compliance system.

Expected Behavior

All subnets provisioned through the module should either:

• Be explicitly associated with an NSG, or
• Fail validation if no NSG is provided.

Suggested Fix

Introduce a validation check or default behavior that ensures every subnet other than AzureFirewallSubnet has an NSG associated. Optionally, provide a flag to allow skipping NSG association only when explicitly intended.

Additional Context

This issue was identified during deployment reviews where some subnets were inadvertently left without NSGs, leading to potential security gaps. Enforcing NSG association aligns with best practices and internal compliance requirements.

[microsoft-github-policy-service]

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the Terraform Issue Triage documentation.

[microsoft-github-policy-service]

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-terraform) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

• To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
• To avoid this rule being (re)triggered, the ""Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

[microsoft-github-policy-service]

Caution

This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-terraform) immediate attention as it hasn't been responded to within 6 business days.

Tip

• To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
• Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.