# NSG Fix Status Report

## Configuration Changes ✅

### Terraform Configuration Updated

1. ✅ Added `subnet_nsg_enabled` variable
2. ✅ Added `enable_besu_rules` variable
3. ✅ Made subnet NSG association conditional
4. ✅ Made Besu rules conditional using dynamic blocks
5. ✅ Updated `networking_admin` module configuration

### Files Modified

- ✅ `terraform/modules/networking-vm/main.tf`
- ✅ `terraform/modules/networking-vm/variables.tf`
- ✅ `terraform/phases/phase1/phase1-main.tf`

## Deployment Status

### Terraform Plan

- **Status**: ⏳ Needs `ssh_public_key` variable
- **Action**: Run with `-var-file=terraform.tfvars` or provide variable

### Terraform Apply

- **Status**: ⏳ Pending (requires plan to succeed first)
- **Expected Changes**:
  - Destroy: `module.networking_admin.azurerm_subnet_network_security_group_association.vm`
  - Update: NSG rules (remove Besu rules if NSG still exists)

## Current State

### Subnet NSG

- **Status**: ⚠️ Still attached (needs Terraform apply)
- **NSG**: `az-p-wst-proxy-vm-nsg`
- **Rules**: Has P2P/RPC/Metrics rules (wrong for Nginx)

### NIC NSG

- **Status**: ✅ Attached
- **NSG**: `az-p-wst-proxy-nginx-nsg`
- **Rules**: HTTP (80), HTTPS (443), SSH (22) ✅

## Required Actions

### 1. Complete Terraform Apply

```bash
cd terraform/phases/phase1
terraform plan -var-file=terraform.tfvars -out=tfplan
terraform apply tfplan
```

### 2. Verify Changes

- Check subnet NSG is detached
- Verify NIC NSG has correct rules
- Test port accessibility

## Expected Result After Apply

### Subnet NSG

- ✅ Detached from Nginx subnet
- ✅ No longer affects Nginx proxy

### NIC NSG

- ✅ Remains attached
- ✅ Has correct rules (HTTP/HTTPS/SSH)
- ✅ No Besu-specific rules

## Notes

- The Terraform configuration is correct and ready
- The apply needs to be completed to remove the subnet NSG association
- Once applied, the subnet NSG will be detached and only NIC NSG will apply

---

**Status**: ✅ **Configuration Complete, Apply Pending**

The Terraform configuration has been updated correctly. The changes need to be applied via `terraform apply` to remove the subnet NSG association.
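
An added example, not part of the original report or the project's code: a pre-apply gate that reads `terraform show -json tfplan` output and confirms the plan matches the Expected Changes listed under Terraform Apply (only the subnet NSG association is destroyed, and nothing belonging to the NIC NSG changes). The sample plan and the `azurerm_network_security_group.vm` address in it are constructed for illustration.

```python
import json
import sys

# Address taken from the report's "Expected Changes": the only permitted destroy.
EXPECTED_DESTROY = ("module.networking_admin."
                    "azurerm_subnet_network_security_group_association.vm")
NIC_NSG = "az-p-wst-proxy-nginx-nsg"  # NIC NSG from the report; must stay unchanged


def review_plan(plan):
    """Return a list of findings; an empty list means the plan matches the report."""
    findings, destroyed = [], set()
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        before = rc["change"].get("before") or {}
        if "delete" in actions:  # covers plain destroy and replace
            destroyed.add(rc["address"])
            if rc["address"] != EXPECTED_DESTROY:
                findings.append("unexpected destroy: " + rc["address"])
        # The NSG name lives in `name` (NSG resource) or in
        # `network_security_group_name` (standalone rule resource).
        nsg = before.get("network_security_group_name") or (
            before.get("name") if rc["type"] == "azurerm_network_security_group" else None)
        if nsg == NIC_NSG and actions != ["no-op"]:
            findings.append("NIC NSG would change: " + rc["address"])
    if EXPECTED_DESTROY not in destroyed:
        findings.append("association destroy missing from plan")
    return findings


def _rc(address, rtype, actions, before):
    # Builds one constructed resource_changes entry for the sample below.
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "before": before}}


# Constructed sample plan (not real output) matching the report's expected changes.
SAMPLE_PLAN = {"resource_changes": [
    _rc(EXPECTED_DESTROY, "azurerm_subnet_network_security_group_association",
        ["delete"], {}),
    _rc("module.networking_admin.azurerm_network_security_group.vm",  # hypothetical
        "azurerm_network_security_group", ["update"], {"name": "az-p-wst-proxy-vm-nsg"}),
]}

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json; python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    issues = review_plan(plan)
    print("\n".join(issues) or "plan matches the report")
    sys.exit(1 if issues else 0)
```

A non-zero exit means the plan destroys something other than the subnet association or touches the NIC NSG, so `terraform apply tfplan` should not run until the plan is reviewed.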