Support for api_server_access_profile Block because api_server_authorized_ip_ranges is deprecreated

[cloebig]

Is there an existing issue for this?

• I have searched the existing issues

Description

Hello,

i got this new Error Message for this Condition.

precondition { condition = !var.public_network_access_enabled || try(contains(var.api_server_authorized_ip_ranges, "0.0.0.0/32"), false) error_message = "When public_network_access_enabledis set to true,0.0.0.0/32must be added toauthorized_ip_rangesin theapi_server_access_profile block (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#public_network_access_enabled)." }

but it looks like the Block api_server_access_profiledoesn't exists in main.tf

New or Affected Resource(s)/Data Source(s)

3.55.0

Potential Terraform Configuration

dynamic "api_server_access_profile" {
  for_each = var.api_server_access_profile != null ? var.api_server_access_profile : null

  content {
    authorized_ip_ranges     = var.authorized_ip_ranges
    subnet_id                = var.subnet_id
    vnet_integration_enabled = var.vnet_integration_enabled
  }
}

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#api_server_access_profile

[cloebig]

One more comment on this Issue.
I used the main Branch instead of the latest Release.
But neverless the main Branch should work every Time, but it doesn't.

[zioproto]

@cloebig because you are using the main branch instead of a tag version, you have hit a breaking change that was merged in preparation of the next release.

see PR #361 and issue #313

[zioproto]

@cloebig I see the problem now, it seems in PR #361 the dynamic "api_server_access_profile" block was missing.

@lonegunmanb could you please confirm ?

[lonegunmanb]

Yeah it looks like we never has this api_server_access_profile before, and now it must be added since we're enforcing such precondition.

I'll open a new pr to add this nested block, and thanks @cloebig for catch this issue before we launch v7.0!

[lonegunmanb]

After review the current code I finally recall why we haven't api_server_access_profile block in this module, because the block is designed for Terraform AzureRM Provider 4.0 and it's conflict with api_server_authorized_ip_ranges.

@cloebig the input variable is assigned to api_server_authorized_ip_ranges so would you please check it out? Thanks!

[cloebig]

Hello @lonegunmanb
i can't find api_server_authorized_ip_ranges key in the current azurerm_kubernetes_cluster azurerm 3.56.0.
That's why i thought to add the block api_server_access_profile as it's supported and you made already the condition in the Code.

[lonegunmanb]

Hi @cloebig the argument is here, it has been marked as deprecated and would be removed in provider v4.0.

Maybe we should do test to verify whether migrate from api_server_authorized_ip_ranges to api_server_access_profile.0.authorized_ip_ranges would cause breaking change or not. We're about to publish v7.0 for this module, if we'd like to introduce any changes it is time now.

[lonegunmanb]

After some naive tests I think converting from api_server_authorized_ip_ranges to api_server_access_profile.0.authorized_ip_ranges won't cause any changes, so I'd like to defer this issue to v7.1.0 so we can ensure that by running version upgrade test (which is skipped for v7.0).