mloskot
November 24, 2023, 10:15am
The Microsoft Azure Kubernetes Service documentation, section "Disable authorized IP ranges", says:

> To disable authorized IP ranges, use `az aks update` and specify an empty range to disable API server authorized IP ranges. For example:

```shell
az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --api-server-authorized-ip-ranges ""
```
And, the AzureRM provider (tried 3.78.0) cannot perform the equivalent action.
All the signs I can see suggest this is a regression as the provider in/around version 3.57.0 could do that - I have at least 4 clusters created with the provider where it worked and Azure Portal shows:
instead of
It looks like I’m not the only one here who experienced this problem:

> Hi, we have an AKS cluster provisioned with a pretty old version of azurerm (2.59.0) and we are trying to upgrade it to the latest (3.49.0). However the Terraform plan shows the following drift after we resolved the syntax changes, where the api_server_authorized_ip_ranges being added seems concerning, since we don’t have anything configured for api_server_access_profile. Any ideas whether it is avoidable or whether it is benign? Thanks!
>
> `# azurerm_kubernetes_cluster.my_cluster will be updated…`
There have also been multiple issues opened about it, but none received any resolution - worrying! I’ve posted more details to one of those issues
opened 12:35PM - 18 Jan 23 UTC
bug
service/kubernetes-cluster
v/3.x
### Is there an existing issue for this?
- [X] I have searched the existing issues
### Community Note
* Please vote on this issue by adding a :thumbsup: [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request
* Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
* If you are interested in working on this issue or have submitted a pull request, please leave a comment
### Terraform Version
1.3.7
### AzureRM Provider Version
3.39.1
### Affected Resource(s)/Data Source(s)
azurerm_kubernetes_cluster
### Terraform Configuration Files
```hcl
dynamic "api_server_access_profile" {
  for_each = var.api_server_access_profile.authorized_ip_ranges != null || var.api_server_access_profile.vnet_integration_enabled == true ? [var.api_server_access_profile] : []
  content {
    authorized_ip_ranges     = var.private_cluster_enabled == true ? null : api_server_access_profile.value.authorized_ip_ranges
    subnet_id                = api_server_access_profile.value.subnet_id
    vnet_integration_enabled = api_server_access_profile.value.vnet_integration_enabled
  }
}

variable "api_server_access_profile" {
  type = object({
    authorized_ip_ranges     = optional(set(string), null)
    subnet_id                = optional(string, null)
    vnet_integration_enabled = optional(bool, false)
  })
  default = {}
}
```
### Debug Output/Panic Output
```shell
Nothing changed in the `terraform plan`
```
### Expected Behaviour
Completely remove the `authorized_ip_ranges` from `azurerm_kubernetes_cluster` if they were already deployed. In AzCLI this is possible by passing `""` or just an empty value, as you can see [here](https://learn.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges#disable-authorized-ip-ranges), but it doesn't work in Terraform.
I have tried passing:
```hcl
api_server_access_profile = {
  authorized_ip_ranges = []
}
```
Or even removing the dynamic `"api_server_access_profile"` block from `azurerm_kubernetes_cluster`, but it is not recognized by TF so the previous config remains.
### Actual Behaviour
_No response_
### Steps to Reproduce
`terraform plan`
### Important Factoids
_No response_
### References
_No response_
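
Because `terraform plan` can report no changes while the cluster keeps its old ranges, the live value is worth checking directly. The following is an added example, not code from the original post or from the AzureRM provider: it compares the ranges you intend with the `apiServerAccessProfile.authorizedIpRanges` field of `az aks show -o json` output. The function names and the sample JSON are constructed for illustration, and treating a bare IP as a /32 is an assumption made for the comparison.

```python
import ipaddress
import json


def normalize(ranges):
    """Canonical CIDR strings; None and [] both mean 'no restriction'."""
    return {str(ipaddress.ip_network(r.strip(), strict=False)) for r in (ranges or [])}


def authorized_range_drift(desired_ranges, az_aks_show_json):
    """Compare the intended ranges with the live cluster document.

    az_aks_show_json is the text printed by `az aks show -o json`.
    """
    cluster = json.loads(az_aks_show_json)
    # The profile can be null when nothing has ever been configured.
    profile = cluster.get("apiServerAccessProfile") or {}
    live = normalize(profile.get("authorizedIpRanges"))
    desired = normalize(desired_ranges)
    return {
        "in_sync": live == desired,
        # Ranges the cluster still enforces although the config dropped them
        # (the case reported in this thread: plan shows no change).
        "still_enforced": sorted(live - desired),
        # Ranges in the config that never reached the cluster.
        "not_applied": sorted(desired - live),
    }


# Constructed sample documents, trimmed to the fields used above.
SAMPLE_RESTRICTED = json.dumps({
    "name": "myAKSCluster",
    "apiServerAccessProfile": {
        "authorizedIpRanges": ["203.0.113.0/24", "198.51.100.7/32"],
    },
})
SAMPLE_OPEN = json.dumps({"name": "myAKSCluster", "apiServerAccessProfile": None})

if __name__ == "__main__":
    # Config says "no ranges", cluster still has two: drift that plan missed.
    print(authorized_range_drift([], SAMPLE_RESTRICTED))
    # Config and cluster agree that no restriction is set.
    print(authorized_range_drift(None, SAMPLE_OPEN))
```

Run it in CI after `terraform apply`, feeding it the real `az aks show` output, and fail the job when `in_sync` is false.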