Hi @rk92,
Unfortunately the provider seems to treat this block type in a special way where if you don’t specify any nested blocks of that type at all then the provider understands that as a request to keep whatever objects already exist, rather than to remove those existing objects.
Since there’s an ambiguity in the provider’s model here I don’t think there is any way to explicitly specify that you want to have no ranges at all. The only way to get that effect, I think, would be to manually delete the existing objects, at which point “keep whatever objects already exist” would mean “keep the absence of objects”, because there would be no objects that exist.
Another workaround to consider here could be to try using either a match-everything or match-nothing IP range, if the remote system allows such a thing. "0.0.0.0/0" would match everything, and "255.255.255.255/32" would match nothing (because that’s not a valid host address), but I don’t know if the remote system has any restrictions on what sorts of patterns you can use.
In order to support your use-case this provider would need to separate the idea of “keep whatever objects already exist” from the idea of having zero objects, but I assume that it’s built the way it is for historical reasons of backwards compatibility.