hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for setting `azurerm_kubernetes_cluster` network policy to `none` #25597

Open stevehipwell opened 5 months ago

stevehipwell commented 5 months ago

Description

I'd like to be able to uninstall the network policy for an AKS cluster.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster" "example" {
  network_profile {
    network_policy = "none"
  }
}

References

stevehipwell commented 5 months ago

@rcskosir could you add a comment as to what's blocking this upstream?

aristosvo commented 4 months ago

@stevehipwell The fact that it is in preview is blocking, as the AKS service team doesn't want preview features to be integrated into the azurerm Terraform provider.

stevehipwell commented 4 months ago

@aristosvo I'm pretty sure that isn't the case. There are a significant number of preview features integrated into the AKS TF resources and the API used is one of the preview APIs.

aristosvo commented 4 months ago

@stevehipwell I understand your confusion, but it is. https://github.com/hashicorp/pandora/pull/3469#issuecomment-1881475876 explains why.

stevehipwell commented 4 months ago

@aristosvo That doesn't align with the communication we've had with the AKS team. I only add this to show that there doesn't seem to be a consistent message coming out of Azure.

stephybun commented 4 months ago

@stevehipwell to reiterate on the comment linked by @aristosvo, we have been asked by the AKS Service Team to switch to using a stable API version for the AKS resource. This discussion is currently ongoing and has not reached a resolution yet.

If the conclusion is to move to a stable API version, then we will be removing all preview features currently supported in the AKS resource that do not exist in the newest available stable version at the time, in the next major 4.0 release.

It's unsettling that this news diverges from the communication you've had with the AKS team. Given the scope and impact of this change and being no longer able to support preview features going forward should the decision fall in favour of only using stable, it would be disconcerting to find out that this wasn't a unanimous desire.

Would you be able to reach out to your Azure/AKS contact to get some clarity and to get them to comment here on this issue? At the very least I think direct feedback from the community on how they feel about preview features being removed and no longer supported in the AzureRM provider would be helpful for the AKS team.

stevehipwell commented 4 months ago

Thanks for the detailed explanation @stephybun. Azure is already significantly harder to operate as IaC than other clouds, and the removal of preview support will have a significant impact based on the way Azure currently operates. The only way that this makes sense is if Azure are going to start releasing required functionality as GA rather than using "preview" to abdicate responsibility for quality (of implementation and design), etc.

TL;DR - If functionality can't be accessed by IaC then it might as well not exist.

stevehipwell commented 4 months ago

CC @phealy

tnn-simon commented 2 weeks ago

Seems like the feature is finally available in a stable ARM API.

Option none has been available since API version 2024-05-01: https://learn.microsoft.com/en-us/rest/api/aks/managed-clusters/create-or-update?view=rest-aks-2024-05-01&tabs=HTTP#networkpolicy.

Regarding the implementation: should the provider support transitions for network_policy like calico -> azure? The transition graph gains some complexity from the constraints imposed by the choice of network data_plane (cilium or azure).