Disable `authorized_ip_ranges` in `api_server_access_profile` block included in `azurerm_kubernetes_cluster`

[joselcaguilar]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.7

AzureRM Provider Version

3.39.1

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

dynamic "api_server_access_profile" {
    for_each = var.api_server_access_profile.authorized_ip_ranges != null || var.api_server_access_profile.vnet_integration_enabled == true ? [var.api_server_access_profile] : []
    content {
      authorized_ip_ranges     = var.private_cluster_enabled == true ? null : api_server_access_profile.value.authorized_ip_ranges
      subnet_id                = api_server_access_profile.value.subnet_id
      vnet_integration_enabled = api_server_access_profile.value.vnet_integration_enabled
    }
  }

variable "api_server_access_profile" {
  type = object({
    authorized_ip_ranges     = optional(set(string), null)
    subnet_id                = optional(string, null)
    vnet_integration_enabled = optional(bool, false)
  })
  default     = {}
}

Debug Output/Panic Output

Nothing changed in the `terraform plan`

Expected Behaviour

Remove completely the authorized_ip_ranges from azurerm_kubernetes_cluster if they were already deployed, in AzCLI it's possible passing "" or just empty as you can see here but it doesn't work in Terraform.

I have tried passing:

api_server_access_profile = {
    authorized_ip_ranges = []
}

Or even removing the dynamic "api_server_access_profile" block from azurerm_kubernetes_cluster, but it is not recognized by TF so the previous config remains.

Actual Behaviour

No response

Steps to Reproduce

terraform plan

Important Factoids

No response

References

No response

[selvanayaki678]

@stephybun do you have any update on above issue?

[selvanayaki678]

Do you have any workaround for the above issue? Please help me on this

[mloskot]

How to disable authorized IP ranges?

This is seriously annoying that Terraform can NOT perform the action equivalent to

az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --api-server-authorized-ip-ranges ""

which is officially documented by Microsoft to Disable authorized IP ranges.

Whatever method I try to clear disable the IP ranges

• using now deprecated, but AFAIR this used to work with Terraform AzureRM 3.57.0

  api_server_authorized_ip_ranges = []

• using current way

    api_server_access_profile {
      authorized_ip_ranges = []
      vnet_integration_enabled = false
    }

the IP range 0.0.0.0/32 for Allow only the outbound public IP of the Standard SKU load balancer always comes back:

The only way seems to go to portal.azure.com and manually tick off this setting in AKS > Networking

in order to disable the "Authorized IP ranges" all together:

Regression?

• As I mentioned, with the provider version 3.57.0 or earlier, disabling of the "Authorized IP ranges" works as expected
• There seem to be other users experiencing it, see Provider version upgrade results in api server authorized ip ranges being set in plan thread in the Terraform forum
• I also asked about this issue on #terraform-providers on Kubernetes Slack

[tspearconquest]

Have you tried the alternative [""] ? As in a list containing a single empty string. Since the AZ CLI takes "", and Terraform takes [], setting [] seems to mean to do nothing to what's there, whereas [""] would pass the "" like on the CLI.