Azure NSG in-line dynamic security rule block show inconsistent output

Hello,

Here is my code. Each time after apply I still see a "1 to change" message with -/+ signs even though the change has already been applied.

```hcl
resource "azurerm_network_security_group" "nsgs_poc" {
  for_each = var.nsgs != "" ? var.nsgs : {}

  provider            = azurerm.spoke
  name                = each.key
  location            = "eastus2"
  resource_group_name = "XXXX"

  dynamic "security_rule" {
    for_each = toset(each.value.security_rule)

    content {
      name                         = security_rule.value.name
      priority                     = security_rule.value.priority
      direction                    = security_rule.value.direction
      access                       = security_rule.value.access
      protocol                     = security_rule.value.protocol
      source_port_range            = security_rule.value.source_port_range
      source_port_ranges           = security_rule.value.source_port_ranges
      destination_port_range       = security_rule.value.destination_port_range
      destination_port_ranges      = security_rule.value.destination_port_ranges
      source_address_prefix        = security_rule.value.source_address_prefix
      source_address_prefixes      = security_rule.value.source_address_prefixes
      destination_address_prefix   = security_rule.value.destination_address_prefix
      destination_address_prefixes = security_rule.value.destination_address_prefixes
      description                  = security_rule.value.description
    }
  }

  tags = var.tags
}
```


terraform plan output:

```
  # azurerm_network_security_group.nsgs_poc["nsg-app"] will be updated in-place
  ~ resource "azurerm_network_security_group" "nsgs_poc" {
        id                  = "/subscriptions/XXXX/resourceGroups/XXX/providers/Microsoft.Network/networkSecurityGroups/nsg-app"
        location            = "eastus2"
        name                = "nsg-app"
        resource_group_name = "XXX"
      ~ security_rule       = [
          - {
              - access                                     = "Deny"
              - description                                = "standard rule"
              - destination_address_prefix                 = ""
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "
              - destination_port_ranges                    =
              - direction                                  = "Inbound"
              - name                                       = "bloc-traffic"
              - priority                                   = 2501
              - protocol                                   = ""
              - source_address_prefix                      = "
              - source_address_prefixes                    =
              - source_application_security_group_ids      =
              - source_port_range                          = ""
              - source_port_ranges                         = []
            },
          - {
              - access                                     = "Deny"
              - description                                = "standard rule"
              - destination_address_prefix                 = "Internet"
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "
              - destination_port_ranges                    =
              - direction                                  = "Outbound"
              - name                                       = "block-internet"
              - priority                                   = 2500
              - protocol                                   = ""
              - source_address_prefix                      = "
              - source_address_prefixes                    =
              - source_application_security_group_ids      =
              - source_port_range                          = ""
              - source_port_ranges                         = []
            },
          + {
              + access                                     = "deny"
              + description                                = "standard rule"
              + destination_address_prefix                 = "
              + destination_address_prefixes               =
              + destination_application_security_group_ids =
              + destination_port_range                     = ""
              + destination_port_ranges                    = []
              + direction                                  = "inbound"
              + name                                       = "block-traffic"
              + priority                                   = 2501
              + protocol                                   = "
              + source_address_prefix                      = ""
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "
              + source_port_ranges                         =
            },
          + {
              + access                                     = "deny"
              + description                                = "standard rule"
              + destination_address_prefix                 = "Internet"
              + destination_address_prefixes               =
              + destination_application_security_group_ids =
              + destination_port_range                     = ""
              + destination_port_ranges                    = []
              + direction                                  = "outbound"
              + name                                       = "block-internet"
              + priority                                   = 2500
              + protocol                                   = "
              + source_address_prefix                      = ""
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "
              + source_port_ranges                         =
            },
        ]
        tags                = {}
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
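An added example, written by the editor and not code from either poster or from the azurerm provider's documentation. The plan output above shows the rules read back from Azure with capitalised values (`"Deny"`, `"Inbound"`, `"Outbound"`) while the configuration supplies `"deny"`, `"inbound"`, `"outbound"`; because `security_rule` is a set-typed inline block, any attribute that differs makes Terraform drop and re-add the whole element, so the diff reappears on every plan. The example below keeps the same resource shape but types the variable, pins the accepted spellings and the priority range with a `validation` block so a mismatch fails at plan time instead of surfacing as a perpetual -/+, and keys the dynamic block by rule name so a changed rule is reported under its name. Assumed: Terraform 1.3 or later (for `optional()`), azurerm provider 3.x, the `azurerm.spoke` alias from the post, a placeholder resource group name (the post redacts the real one), and two constructed sample rules modelled on the post's `block-traffic` and `block-internet` rules.

```hcl
terraform {
  required_version = ">= 1.3" # optional() in object type constraints
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  alias = "spoke" # alias used in the post; credentials come from the environment
  features {}
}

variable "nsgs" {
  type = map(object({
    security_rule = list(object({
      name                         = string
      priority                     = number
      direction                    = string
      access                       = string
      protocol                     = string
      description                  = optional(string)
      source_port_range            = optional(string)
      source_port_ranges           = optional(list(string))
      destination_port_range       = optional(string)
      destination_port_ranges      = optional(list(string))
      source_address_prefix        = optional(string)
      source_address_prefixes      = optional(list(string))
      destination_address_prefix   = optional(string)
      destination_address_prefixes = optional(list(string))
    }))
  }))

  # Constructed sample modelled on the two rules in the post, written in the
  # capitalisation the plan output shows in state ("Deny", "Inbound", "Outbound").
  default = {
    "nsg-app" = {
      security_rule = [
        { name = "block-traffic", priority = 2501, direction = "Inbound", access = "Deny",
          protocol = "*", description = "standard rule", source_port_range = "*",
          destination_port_range = "*", source_address_prefix = "*",
          destination_address_prefix = "*" },
        { name = "block-internet", priority = 2500, direction = "Outbound", access = "Deny",
          protocol = "*", description = "standard rule", source_port_range = "*",
          destination_port_range = "*", source_address_prefix = "*",
          destination_address_prefix = "Internet" },
      ]
    }
  }

  # Reject at plan time any value that is not in the form the API stores, so a case
  # mismatch is an error in the plan rather than a diff that returns after every apply.
  validation {
    condition = alltrue(flatten([
      for nsg in var.nsgs : [
        for r in nsg.security_rule :
        contains(["Allow", "Deny"], r.access) &&
        contains(["Inbound", "Outbound"], r.direction) &&
        contains(["Tcp", "Udp", "Icmp", "Esp", "Ah", "*"], r.protocol) &&
        r.priority >= 100 && r.priority <= 4096
      ]
    ]))
    error_message = "security_rule: access Allow|Deny, direction Inbound|Outbound, protocol Tcp|Udp|Icmp|Esp|Ah|*, priority 100-4096; capitalisation must match exactly."
  }
}

resource "azurerm_network_security_group" "nsgs_poc" {
  for_each            = var.nsgs
  provider            = azurerm.spoke
  name                = each.key
  location            = "eastus2"
  resource_group_name = "rg-placeholder" # the post redacts the real group name

  dynamic "security_rule" {
    # Key the iteration by rule name so a changed rule is reported under its name.
    for_each = { for r in each.value.security_rule : r.name => r }
    content {
      name                         = security_rule.value.name
      priority                     = security_rule.value.priority
      direction                    = security_rule.value.direction
      access                       = security_rule.value.access
      protocol                     = security_rule.value.protocol
      description                  = security_rule.value.description
      source_port_range            = security_rule.value.source_port_range
      source_port_ranges           = security_rule.value.source_port_ranges
      destination_port_range       = security_rule.value.destination_port_range
      destination_port_ranges      = security_rule.value.destination_port_ranges
      source_address_prefix        = security_rule.value.source_address_prefix
      source_address_prefixes      = security_rule.value.source_address_prefixes
      destination_address_prefix   = security_rule.value.destination_address_prefix
      destination_address_prefixes = security_rule.value.destination_address_prefixes
    }
  }
}
```

Running `terraform plan` with a rule whose `access` is `"deny"` now stops on the validation message before anything is compared against state, which is the check a reviewer wants in a module that many teams feed rules into. A second plan after a successful apply should report no changes; if it still shows a -/+ on `security_rule`, compare the two sides of the plan attribute by attribute, since with a set-typed block one differing field is enough to replace the whole element.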

I'm also having this issue.

I have an "azurerm_network_security_group" resource using a "for_each".

Inside the resource is a dynamic "security_rule" block.

Each time I do a plan it wants to remove all inline blocks for "security_rule" and replace them with the exact same values. The values being passed to the dynamic block's for_each statement do NOT change between plans.

Why would it be doing that?