Disable authorized_ip_ranges in api_server_access_profile block included in azurerm_kubernetes_cluster #20085

Open
1 task done
joselcaguilar opened this issue Jan 18, 2023 · 3 comments


joselcaguilar commented Jan 18, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.7

AzureRM Provider Version

3.39.1

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

dynamic "api_server_access_profile" {
  for_each = var.api_server_access_profile.authorized_ip_ranges != null || var.api_server_access_profile.vnet_integration_enabled == true ? [var.api_server_access_profile] : []
  content {
    authorized_ip_ranges     = var.private_cluster_enabled == true ? null : api_server_access_profile.value.authorized_ip_ranges
    subnet_id                = api_server_access_profile.value.subnet_id
    vnet_integration_enabled = api_server_access_profile.value.vnet_integration_enabled
  }
}

variable "api_server_access_profile" {
  type = object({
    authorized_ip_ranges     = optional(set(string), null)
    subnet_id                = optional(string, null)
    vnet_integration_enabled = optional(bool, false)
  })
  default = {}
}

Debug Output/Panic Output

Nothing changed in the `terraform plan`

Expected Behaviour

Completely remove the authorized_ip_ranges from azurerm_kubernetes_cluster if they were already deployed. In AzCLI this is possible by passing "" or just empty, as you can see here, but it doesn't work in Terraform.

I have tried passing:

api_server_access_profile = {
    authorized_ip_ranges = []
}

Or even removing the dynamic "api_server_access_profile" block from azurerm_kubernetes_cluster, but it is not recognized by TF so the previous config remains.

Actual Behaviour

No response

Steps to Reproduce

terraform plan

Important Factoids

No response

References

No response

Contributor

mloskot commented Nov 23, 2023

How to disable authorized IP ranges?

This is seriously annoying that Terraform can NOT perform the action equivalent to

az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --api-server-authorized-ip-ranges ""

which is officially documented by Microsoft to Disable authorized IP ranges.

Whatever method I try to disable the IP ranges

  • using the now deprecated way, but AFAIR this used to work with Terraform AzureRM 3.57.0

    api_server_authorized_ip_ranges = []

  • using the current way

    api_server_access_profile {
      authorized_ip_ranges     = []
      vnet_integration_enabled = false
    }

the IP range 0.0.0.0/32 for Allow only the outbound public IP of the Standard SKU load balancer always comes back:

image

The only way seems to go to portal.azure.com and manually tick off this setting in AKS > Networking

image

in order to disable the "Authorized IP ranges" altogether:

image

Regression?

@stephybun stephybun added this to the v4.0.0 milestone Apr 3, 2024
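
A post-apply check for the situation reported in this thread, where `terraform plan` shows no change but the cluster keeps its authorized IP ranges. This is an added example, not code from the issue or from the provider; it assumes the input is the output of `az aks show -o json` with the ranges under `apiServerAccessProfile.authorizedIpRanges`, and the sample document and the `203.0.113.0/24` range are constructed.

```python
import ipaddress
import json

# Constructed sample of `az aks show -o json` output (trimmed); not from the issue.
SAMPLE_AZ_AKS_SHOW = """
{
  "name": "myAKSCluster",
  "apiServerAccessProfile": {
    "authorizedIpRanges": ["203.0.113.0/24", "0.0.0.0/32"],
    "enablePrivateCluster": false
  }
}
"""


def live_ranges(az_json: str) -> set:
    """Return the authorized IP ranges the cluster actually has, as networks."""
    profile = json.loads(az_json).get("apiServerAccessProfile") or {}
    # Assumption: the CLI emits `authorizedIpRanges`; match case-insensitively
    # so the REST spelling `authorizedIPRanges` is accepted too.
    raw = next((v for k, v in profile.items()
                if k.lower() == "authorizedipranges"), None) or []
    return {ipaddress.ip_network(r.strip(), strict=False) for r in raw}


def check_drift(az_json: str, intended: list) -> dict:
    """Compare the live ranges with what the Terraform config intends."""
    # A bare address such as "0.0.0.0" is normalized to a /32 network.
    want = {ipaddress.ip_network(r, strict=False) for r in intended}
    have = live_ranges(az_json)
    return {
        "in_sync": want == have,
        "unexpected": sorted(str(n) for n in have - want),
        "missing": sorted(str(n) for n in want - have),
    }


if __name__ == "__main__":
    # Intent from the issue: authorized_ip_ranges = [] (restriction disabled).
    print(check_drift(SAMPLE_AZ_AKS_SHOW, intended=[]))
```

Run it in a pipeline after `terraform apply` and fail the job when `in_sync` is false, so a leftover allow-list entry is caught even though the plan reported nothing to change.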