azurerm_kubernetes_cluster - api_server_authorized_ip_ranges does not work

[manoj7shekhawat]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.4

AzureRM Provider Version

3.49.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

~ api_server_authorized_ip_ranges     = [
          + "xx.xx.xx.xx/28",
          + "yy.yy.yy.yy/23",
          + "zz.zz.zz.zz/23",
          + "aa.aa.aa.aa/30",
          + "bb.bb.bb.bb/29",
          + "cc.cc.cc.cc/29",
          + "dd.dd.dd.dd/29",
            # (15 unchanged elements hidden)
        ]

Debug Output/Panic Output

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.aks_cluster has changed
  ~ resource "azurerm_kubernetes_cluster" "aks_cluster" {
      ~ api_server_authorized_ip_ranges     = [
          - "xx.xx.xx.xx/28",
          - "yy.yy.yy.yy/23",
          - "zz.zz.zz.zz/23",
          - "aa.aa.aa.aa/30",
          - "bb.bb.bb.bb/29",
          - "cc.cc.cc.cc/29",
          - "dd.dd.dd.dd/29",
            # (15 unchanged elements hidden)
        ]
        id                                  = "/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks"
        name                                = "my-aks"
        tags                                = {
            "environment"            = "dev"
            "group"                  = "dev"
        }
        # (26 unchanged attributes hidden)

        # (8 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.aks_cluster will be updated in-place
  ~ resource "azurerm_kubernetes_cluster" "aks_cluster" {
      ~ api_server_authorized_ip_ranges     = [
          + "xx.xx.xx.xx/28",
          + "yy.yy.yy.yy/23",
          + "zz.zz.zz.zz/23",
          + "aa.aa.aa.aa/30",
          + "bb.bb.bb.bb/29",
          + "cc.cc.cc.cc/29",
          + "dd.dd.dd.dd/29",
            # (15 unchanged elements hidden)
        ]
        id                                  = "/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks"
        name                                = "my-aks"
        tags                                = {
            "environment"            = "dev"
            "group"                  = "dev"
        }
        # (26 unchanged attributes hidden)

        # (8 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

/agent/_work/_tool/terraform/1.4.4/x64/terraform apply -auto-approve -input=false YYYYMMDD.X.tfplan
module.aks_cluster: Modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-akss, 10s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 20s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 30s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 40s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 50s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 1m0s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 1m10s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 1m20s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 1m30s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 1m40s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 1m50s elapsed]
module.aks_cluster: Still modifying... [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks, 2m0s elapsed]
module.aks_cluster: Modifications complete after 2m5s [id=/subscriptions/xxxxx/resourceGroups/yyyy/providers/Microsoft.ContainerService/managedClusters/my-aks]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Finishing: Terraform Apply

Expected Behaviour

After terraform apply, the "Specify IP ranges" under "Networking" in Azure Kubernetes Service should be added to the existing list of CIDR.

Actual Behaviour

The "Specify IP ranges" under "Networking" in Azure Kubernetes Service is NOT updated. It still contains the old list of CIDR.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

[stephybun]

Thanks for raising this issue @manoj7shekhawat.

As an aside this property is deprecated and you should switch over to using authorized_ip_ranges within the api_server_access_profile block. The cause of this is the same as the one outlined in #20085. So that we don't have multiple issues tracking the same problem please subscribe to #20085 for updates.

Thanks!

[manoj7shekhawat]

Thank you @stephybun for closing this issue. It would be nicer if we could have got a terraform warning for the deprecation for the property.

[stephybun]

@manoj7shekhawat there is a deprecation message set for the property in the provider which should be output when running a Terraform.
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/containers/kubernetes_cluster_resource.go#L1267
If you're running this in a CI e.g. Azure DevOps it's possible that the output is modified and the warning message is being swallowed?

[manoj7shekhawat]

@stephybun thanks for your inputs yes you are right it's swallowed but NOT by Azure DevOps it's actually by other deprecation warnings and we end up with this:
(and X more similar warnings elsewhere)
I see there is an open enhancement request for this feature hashicorp/terraform#32104

We have to work quickly to remove all deprecation warnings.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.