AKS - `default_node_group` loses `enable_host_encryption` value when changing `vm_size`

[jleiser524]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.4

AzureRM Provider Version

3.51.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

provider "azurerm" {
  use_msi                    = false
  skip_provider_registration = true
  features {}
}

terraform {
  required_version = "~> 1.0"
  required_providers {
    azurerm = {
      version = "~> 3.0"
    }
  }
}

resource "azurerm_kubernetes_cluster" "main" {
  name                = "my-test-cluster"
  dns_prefix          = "my-test-cluster"
  location            = "centralus"
  resource_group_name = "my-test-aks-rg"

  default_node_pool {
    name                        = "default"
    vm_size                     = "Standard_DS2_v2"
    node_count                  = 1
    temporary_name_for_rotation = "tempdefault"
    enable_host_encryption      = true
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurerm_kubernetes_cluster.main must be replaced
-/+ resource "azurerm_kubernetes_cluster" "main" {
        name                                = "my-test-cluster"
        tags                                = {
            "Environment" = "Production"
        }
        # (12 unchanged attributes hidden)

      ~ default_node_pool {
          ~ enable_host_encryption       = false -> true # forces replacement
            name                         = "default"
          - tags                         = {} -> null
            # (7 unchanged attributes hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Expected Behaviour

Default node group should retain the enable_host_encryption value as true

Actual Behaviour

Default node group enable_host_encryption is changed to false, which prevents any further update to the cluster without replacing it unless you change enable_host_encryption to false in your Terraform configuration.

Steps to Reproduce

1. terraform apply to create cluster
2. Change vm_size for the default_node_pool - I used Standard_D2s_v4
3. terraform apply
4. terraform plan

Plan will report cluster needs to be replaced due to the configuration having enable_host_encryption to true. The node pool appears to lose the enable_host_encryption setting when it is rotated due to the vm_size change

Important Factoids

Not sure if this is in azurerm itself or the provider. Could not find this anywhere else.

References

No response

[mpanthofer]

Thanks @jleiser524, seeing the same issue - this is a (really nasty) bug. that leaves clusters wedged.

[github-actions[bot]]

This functionality has been released in v3.52.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.