hashicorp · sreallymatt · Nov 18, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 4, 2025
@@ -300,18 +300,26 @@ func resourceNetworkSecurityGroupRead(d *pluginsdk.ResourceData, meta interface{
 		return fmt.Errorf("retrieving %s: %+v", id, err)
 	}
 
+	if err := resourceNetworkSecurityGroupFlatten(d, id, resp.Model); err != nil {
+		return fmt.Errorf("flattening %s: %+v", id, err)
+	}
+
+	return nil
+}
+
+func resourceNetworkSecurityGroupFlatten(d *pluginsdk.ResourceData, id *networksecuritygroups.NetworkSecurityGroupId, nsg *networksecuritygroups.NetworkSecurityGroup) error {
 	d.Set("name", id.NetworkSecurityGroupName)
 	d.Set("resource_group_name", id.ResourceGroupName)
 
-	if model := resp.Model; model != nil {
-		d.Set("location", location.NormalizeNilable(model.Location))
-		if props := model.Properties; props != nil {
+	if nsg != nil {
+		d.Set("location", location.NormalizeNilable(nsg.Location))
+		if props := nsg.Properties; props != nil {
 			flattenedRules := flattenNetworkSecurityRules(props.SecurityRules)
 			if err := d.Set("security_rule", flattenedRules); err != nil {
 				return fmt.Errorf("setting `security_rule`: %+v", err)
 			}
 		}
-		if err := tags.FlattenAndSet(d, model.Tags); err != nil {
+		if err := tags.FlattenAndSet(d, nsg.Tags); err != nil {
 			return err
 		}
 	}

@@ -0,0 +1,115 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/network/2025-01-01/networksecuritygroups"
+	"github.com/hashicorp/terraform-plugin-framework/list"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/sdk"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
+)
+
+type NetworkSecurityGroupListResource struct{}
+
+var _ sdk.FrameworkListWrappedResource = new(NetworkSecurityGroupListResource)
+
+func (r NetworkSecurityGroupListResource) ResourceFunc() *pluginsdk.Resource {
+	return resourceNetworkSecurityGroup()
+}
+
+func (r NetworkSecurityGroupListResource) Metadata(_ context.Context, _ resource.MetadataRequest, response *resource.MetadataResponse) {
+	response.TypeName = networkSecurityGroupResourceName
+}
+
+func (r NetworkSecurityGroupListResource) List(ctx context.Context, request list.ListRequest, stream *list.ListResultsStream, metadata sdk.ResourceMetadata) {
+	client := metadata.Client.Network.NetworkSecurityGroups
+
+	ctx, cancel := context.WithTimeout(ctx, time.Minute*60)
+	defer cancel()
+
+	var data sdk.DefaultListModel
+	diags := request.Config.Get(ctx, &data)
+	if diags.HasError() {
+		stream.Results = list.ListResultsStreamDiagnostics(diags)
+		return
+	}
+
+	results := make([]networksecuritygroups.NetworkSecurityGroup, 0)
+
+	subscriptionID := metadata.SubscriptionId
+	if !data.SubscriptionId.IsNull() {
+		subscriptionID = data.SubscriptionId.ValueString()
+	}
+
+	switch {
+	case !data.ResourceGroupName.IsNull():
+		resp, err := client.ListComplete(ctx, commonids.NewResourceGroupID(subscriptionID, data.ResourceGroupName.ValueString()))
+		if err != nil {
+			sdk.SetResponseErrorDiagnostic(stream, fmt.Sprintf("listing `%s`", networkSecurityGroupResourceName), err)
+			return
+		}
+
+		results = resp.Items
+	default:
+		resp, err := client.ListAllComplete(ctx, commonids.NewSubscriptionID(subscriptionID))
+		if err != nil {
+			sdk.SetResponseErrorDiagnostic(stream, fmt.Sprintf("listing `%s`", networkSecurityGroupResourceName), err)
+			return
+		}
+
+		results = resp.Items
+	}
+
+	stream.Results = func(push func(list.ListResult) bool) {
+		for _, nsg := range results {
+			result := request.NewListResult(ctx)
+			result.DisplayName = pointer.From(nsg.Name)
+
+			id, err := networksecuritygroups.ParseNetworkSecurityGroupID(pointer.From(nsg.Id))
+			if err != nil {
+				sdk.SetListIteratorErrorDiagnostic(result, push, "parsing Network Security Group ID", err)
+				return
+			}
+
+			rd := resourceNetworkSecurityGroup().Data(&terraform.InstanceState{})
+			rd.SetId(id.ID())
+
+			if err := resourceNetworkSecurityGroupFlatten(rd, id, &nsg); err != nil {
+				sdk.SetListIteratorErrorDiagnostic(result, push, fmt.Sprintf("encoding `%s` resource data", networkSecurityGroupResourceName), err)
+				return
+			}
+
+			tfTypeIdentity, err := rd.TfTypeIdentityState()
+			if err != nil {
+				sdk.SetListIteratorErrorDiagnostic(result, push, "converting Identity State", err)
+				return
+			}
+
+			if err := result.Identity.Set(ctx, *tfTypeIdentity); err != nil {
+				sdk.SetListIteratorErrorDiagnostic(result, push, "setting Identity Data", err)
+				return
+			}
+
+			tfTypeResourceState, err := rd.TfTypeResourceState()
+			if err != nil {
+				sdk.SetListIteratorErrorDiagnostic(result, push, "converting Resource State", err)
+				return
+			}
+
+			if err := result.Resource.Set(ctx, *tfTypeResourceState); err != nil {
+				sdk.SetListIteratorErrorDiagnostic(result, push, "setting Resource Data", err)
+				return
+			}
+
+			if !push(result) {
+				return
+			}
+		}
+	}
+}
@@ -0,0 +1,92 @@
+package network_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/querycheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/provider/framework"
+)
+
+func TestAccNetworkSecurityGroup_list_basic(t *testing.T) {
+	r := NetworkSecurityGroupResource{}
+
+	data := acceptance.BuildTestData(t, "azurerm_network_security_group", "test1")
+
+	resource.Test(t, resource.TestCase{
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(tfversion.Version1_14_0),
+		},
+		ProtoV5ProviderFactories: framework.ProtoV5ProviderFactoriesInit(context.Background(), "azurerm"),
+		Steps: []resource.TestStep{
+			{
+				Config: r.basicList(data),
+			},
+			{
+				Query:             true,
+				Config:            r.basicQuery(),
+				ConfigQueryChecks: []querycheck.QueryCheck{}, // TODO
+			},
+			{
+				Query:             true,
+				Config:            r.basicQueryByResourceGroupName(data),
+				ConfigQueryChecks: []querycheck.QueryCheck{}, // TODO
+			},
+		},
+	})
+}
+
+func (r NetworkSecurityGroupResource) basicList(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%[1]d"
+  location = "%[2]s"
+}
+
+resource "azurerm_network_security_group" "test1" {
+  name                = "acctestNSG1-%[1]d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_network_security_group" "test2" {
+  name                = "acctestNSG2-%[1]d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_network_security_group" "test3" {
+  name                = "acctestNSG3-%[1]d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
+
+func (r NetworkSecurityGroupResource) basicQuery() string {
+	return `
+list "azurerm_network_security_group" "list" {
+  provider = azurerm
+  config {}
+}
+`
+}
+
+func (r NetworkSecurityGroupResource) basicQueryByResourceGroupName(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+list "azurerm_network_security_group" "list" {
+  provider = azurerm
+  config {
+    resource_group_name = "acctestRG-%[1]d"
+  }
+}
+`, data.RandomInteger)
+}
@@ -192,7 +192,7 @@ func TestAccNetworkSecurityGroup_applicationSecurityGroup(t *testing.T) {
 	})
 }
 
-func (t NetworkSecurityGroupResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
+func (r NetworkSecurityGroupResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := networksecuritygroups.ParseNetworkSecurityGroupID(state.ID)
 	if err != nil {
 		return nil, err

@@ -200,6 +200,7 @@ func (r Registration) Actions() []func() action.Action {
 func (r Registration) ListResources() []sdk.FrameworkListWrappedResource {
 	return []sdk.FrameworkListWrappedResource{
 		NetworkInterfaceListResource{},
+		NetworkSecurityGroupListResource{},
 		VirtualNetworkListResource{},
 	}
 }

@@ -0,0 +1,43 @@
+---
+subcategory: "Network"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_network_security_group"
+description: |-
+  Lists Network Security Group resources.
+---
+
+# List resource: azurerm_network_security_group
+
+~> **Note:** The `azurerm_network_security_group` List Resource is in beta. Its interface and behaviour may change as the feature evolves, and breaking changes are possible. It is offered as a technical preview without compatibility guarantees until Terraform 1.14 is generally available.
+
+Lists Network Security Group resources.
+
+## Example Usage
+
+### List all Network Security Groups in the subscription
+
+```hcl
+list "azurerm_network_security_group" "example" {
+  provider = azurerm
+  config {}
+}
+```
+
+### List all Network Security Groups in a specific resource group
+
+```hcl
+list "azurerm_network_security_group" "example" {
+  provider = azurerm
+  config {
+    resource_group_name = "example-rg"
+  }
+}
+```
+
+## Argument Reference
+
+This list resource supports the following arguments:
+
+* `resource_group_name` - (Optional) The name of the resource group to query.
+
+* `subscription_id` - (Optional) The Subscription ID to query. Defaults to the value specified in the Provider Configuration.