azurerm_subnet - support for direct network_security_group_id assignment during subnet creation

[gavinmorrison]

Description

This PR improves the Terraform AzureRM provider by enabling the assignment of a Network Security Group (NSG) directly during subnet creation. This change addresses compatibility issues encountered with Azure Policy enforcement, particularly in environments utilising the Enterprise-Scale Azure Landing Zone, which enforces a custom Azure Policy that explicitly denies subnet creation unless an NSG is attached.

Previously, the azurerm_subnet resource did not permit NSG assignment at creation time, leading to deployment failures in policy-restricted environments.

Note for Testers:
Please note that the custom policy applied in the Enterprise-Scale Azure Landing Zone differs from the similarly named built-in Azure Policy. The built-in policy employs an AuditIfNotExists effect, whereas the custom policy uses a stricter Deny effect.

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevant documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

• Allows network_security_group_id to be specified at the time of subnet creation.

• Acceptance tests have been updated to cover this scenario, accounting for environment-specific constraints.

• Tests affected by strict Azure policies are conditionally skipped via the environment variable (TF_ACC_SKIP_EMPTY_NSG_TEST).

Acceptance Tests Output

Scenario1: With TF_ACC_SKIP_EMPTY_NSG_TEST set:

=== RUN   TestAccSubnet_withNetworkSecurityGroup
--- PASS: TestAccSubnet_withNetworkSecurityGroup (84.21s)

=== RUN   TestAccSubnet_invalidNetworkSecurityGroup
--- PASS: TestAccSubnet_invalidNetworkSecurityGroup (8.06s)

=== RUN   TestAccSubnet_emptyNetworkSecurityGroup
    subnet_resource_test.go:424: Skipping TestAccSubnet_emptyNetworkSecurityGroup because policy enforcement prevents empty NSG
--- SKIP: TestAccSubnet_emptyNetworkSecurityGroup (0.00s)

Scenario 2: Without TF_ACC_SKIP_EMPTY_NSG_TEST, where the environment permits subnets without NSGs:

=== RUN   TestAccSubnet_withNetworkSecurityGroup
--- PASS: TestAccSubnet_withNetworkSecurityGroup (83.67s)

=== RUN   TestAccSubnet_invalidNetworkSecurityGroup
--- PASS: TestAccSubnet_invalidNetworkSecurityGroup (8.91s)

=== RUN   TestAccSubnet_emptyNetworkSecurityGroup
--- PASS: TestAccSubnet_emptyNetworkSecurityGroup (93.44s)

Scenario 3: Without TF_ACC_SKIP_EMPTY_NSG_TEST, where the environment denies subnets without NSGs:

=== RUN   TestAccSubnet_withNetworkSecurityGroup
--- PASS: TestAccSubnet_withNetworkSecurityGroup (79.45s)

=== RUN   TestAccSubnet_invalidNetworkSecurityGroup
--- PASS: TestAccSubnet_invalidNetworkSecurityGroup (9.43s)

=== RUN   TestAccSubnet_emptyNetworkSecurityGroup
    testcase.go:173: Step 1/3 error: Error running apply: exit status 1
        
        Error: creating Subnet (Subscription: "00000000-0000-0000-0000-000000000000"
        Resource Group Name: "acctestRG-250307025033603288"
        Virtual Network Name: "acctestvirtnet250307025033603288"
        Subnet Name: "internal"): performing CreateOrUpdate: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByPolicy: Resource 'internal' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Subnets should have a Network Security Group","id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/000000000000000000000000"},"policyDefinition":{"name":"Subnets should have a Network Security Group","id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000","version":"1.0.0"}}]'.
        
          with azurerm_subnet.test,
          on terraform_plugin_test.tf line 49, in resource "azurerm_subnet" "test":
          49: resource "azurerm_subnet" "test" {
--- FAIL: TestAccSubnet_emptyNetworkSecurityGroup (55.98s)

NOTE: Scenario 3 is intended to demonstrate a failure condition, emphasising the necessity of using the conditional environment variable to control behaviour rather than silently masking potential issues.

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_subnet - support for direct network_security_group_id assignment during subnet creation [GH-00000]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #28701

Note

If this PR changes meaningfully during the course of review please update the title and description as required.