hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.53k stars 4.61k forks

AKS block azure_active_directory_role_based_access_control always produces a warning due to managed field being both required and deprecated #25756

Closed adamzeyinsurity closed 5 months ago

adamzeyinsurity commented 5 months ago

Terraform Version

1.8.2

AzureRM Provider Version

3.100.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

# Please note that this is not a working config, just a subset to illustrate where the problem lies

resource "azurerm_kubernetes_cluster" "cluster" {
    azure_active_directory_role_based_access_control {
        managed                 = true
        azure_rbac_enabled      = false
        tenant_id               = var.provider_tenant_id
        admin_group_object_ids  = [var.admin_k8s_group_id]
    }
}

Debug Output/Panic Output

N/A

Expected Behaviour

As part of the transition from AADv1 to AADv2, the "managed" field in the API only supports a value of "true" for new clusters. This field has a default value of "false" in azurerm. As a result, using AADv2 requires that the field be explicitly set to "true" in the Terraform config. The expected behaviour is either that the field can be removed and will be defaulted to "true" (which is the only valid value) or that it can be left in place set to "true".

Actual Behaviour

PR 25200 (https://github.com/hashicorp/terraform-provider-azurerm/pull/25200) marked the field as deprecated, producing a warning if the field is present and set to true. If you omit the field, it defaults to false, which will produce an error. If you include the field, you get the warning. There is no way to use AADv2 without producing either an error or a warning.

Steps to Reproduce

Run a terraform plan or apply that uses AADv2

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-azurerm/pull/25200
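An added example (not code from this issue or from the provider): a small Python check that scans Terraform text for `azurerm_kubernetes_cluster` resources and classifies each one according to the behaviour reported above for provider 3.100.0. The regex and brace-matching parser, the finding labels and the sample config are assumptions made for illustration.

```python
import re

RESOURCE = r'resource\s+"azurerm_kubernetes_cluster"\s+"([^"]+)"\s*\{'
AAD_BLOCK = r'\bazure_active_directory_role_based_access_control\s*\{'
MANAGED = r'^[ \t]*managed[ \t]*=[ \t]*([^\s#]+)'

def block_bodies(text, header):
    """Yield (header match, body) for each `header { ... }`, matching nested braces."""
    for m in re.finditer(header, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth == 0:  # skip blocks that are never closed
            yield m, text[m.end():i - 1]

def audit(hcl):
    """Return {cluster name: finding} for the behaviour reported against azurerm 3.100.0."""
    # Assumption: only whole-line comments are dropped; braces inside strings
    # or trailing comments are not handled by this simplified parser.
    lines = [l for l in hcl.splitlines() if not l.lstrip().startswith(("#", "//"))]
    findings = {}
    for res, body in block_bodies("\n".join(lines), RESOURCE):
        aad = next((b for _, b in block_bodies(body, AAD_BLOCK)), None)
        m = re.search(MANAGED, aad or "", re.M)
        if aad is None:
            finding = "no-aad-block"          # outside the scope of this issue
        elif m is None or m.group(1) == "false":
            finding = "error"                 # omitted defaults to false
        elif m.group(1) == "true":
            finding = "deprecation-warning"   # explicit true is flagged as deprecated
        else:
            finding = "review"                # value is an expression, resolve by hand
        findings[res.group(1)] = finding
    return findings

SAMPLE = '''# constructed sample, not a working config
resource "azurerm_kubernetes_cluster" "explicit" {
  azure_active_directory_role_based_access_control {
    managed            = true
    azure_rbac_enabled = false
  }
}
resource "azurerm_kubernetes_cluster" "omitted" {
  azure_active_directory_role_based_access_control { tenant_id = var.provider_tenant_id }
}
resource "azurerm_kubernetes_cluster" "from_var" {
  azure_active_directory_role_based_access_control { managed = var.aad_managed }
}
'''
```

Calling `audit(SAMPLE)` returns one finding per cluster name, which makes it easy to list the configurations that still omit `managed` or set it through a variable.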

stephybun commented 5 months ago

Thanks for raising this issue @adamzeyinsurity.

The initial implementation of the AAD block and the way the behaviour has changed has unfortunately brought us to this situation. We appreciate the pro-activeness in migrating off the legacy Entra integration for AKS and in bringing your config into a state that is agreeable with changes that will be made in 4.0. The reasoning for this is explained over in https://github.com/hashicorp/terraform-provider-azurerm/issues/25707.
