Skip to content

azurerm_kubernetes_cluster - add policy property to network_profile.advanced_networking block#31506

Open
nddq wants to merge 1 commit into
hashicorp:mainfrom
nddq:acnsL7Policy
Open

azurerm_kubernetes_cluster - add policy property to network_profile.advanced_networking block#31506
nddq wants to merge 1 commit into
hashicorp:mainfrom
nddq:acnsL7Policy

Conversation

@nddq

@nddq nddq commented Jan 14, 2026

Copy link
Copy Markdown

The advanced_networking block currently exposes observability_enabled and
security_enabled, but not the advanced network policy mode that Advanced
Container Networking Services (ACNS) security applies — enabling security
always yields the service default, with no way to select L7 policy enforcement
or disable policy enforcement from Terraform.

This PR adds the policy property to the network_profile.advanced_networking
block, mapping to the AdvancedNetworkingSecurity.AdvancedNetworkPolicies
field on the managedclusters API.

The API treats advancedNetworkPolicies as a tri-state field with a
service-side default: when security_enabled is true and the field is
unset, the service defaults it to FQDN; when security is disabled, the
service normalizes it to None. The schema models this directly:

  • Schema: policy is Optional + Computed with possible values FQDN,
    L7 and None. When omitted, the service-applied value flows into state,
    so clusters that already have security_enabled = true keep their current
    policy with no diff on provider upgrade. None is exposed as an explicit
    value because omission cannot express it: an unset policy on a
    security-enabled cluster is defaulted by the API to FQDN, so disabling
    enforcement requires policy = "None".
  • Validation: FQDN and L7 can only be configured when
    security_enabled is true. The check applies only when policy is
    explicitly set in the configuration (via GetRawConfig), so a Computed
    value carried over from state does not block disabling security — the
    provider sends None in that case, matching the API's own normalization.
    L7 cannot be combined with a service_mesh_profile in Istio mode;
    FQDN with Istio is allowed, matching the API.
  • Disable paths: when security_enabled is false or the
    advanced_networking block is removed entirely, an explicit None is sent
    so a previously configured policy is reset rather than left for the API to
    retain.
  • Tests: acceptance coverage for the service-side FQDN default, updating
    FQDNL7, omitting policy (current value is retained), removing the
    advanced_networking block entirely, re-adding it, explicitly disabling
    with None, and the negative cases (L7 without security_enabled, L7
    with Istio).
  • Documentation: the policy argument and its preconditions added to the
    azurerm_kubernetes_cluster documentation.

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

See above.

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevant documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Validated two ways against a dev-override build of the provider:

Plan-time matrix (10 cases): FQDN/L7/None plan cleanly with security
enabled; explicit None is accepted with security disabled; explicit L7
without security_enabled is rejected; L7 with Istio is rejected while
FQDN with Istio plans cleanly; security_enabled = true with a non-cilium
data plane is still rejected; invalid values are rejected by schema validation
listing ["FQDN" "L7" "None"].

Apply-time lifecycle against the live API (2025-10-01), mirroring the
TestAccKubernetesCluster_advancedNetworkingPolicies steps, with
TF_LOG=DEBUG confirming the request and response bodies at each step:

Step Observed
create with security_enabled = true, policy omitted request omits advancedNetworkPolicies; API defaults it to FQDN; state = FQDN
plan with the same config empty — no drift from the Computed value
policy = "L7" request and response carry L7; state = L7
plan with policy omitted empty — current value retained
security_enabled = false with computed L7 in state no validation error; request sends None; state = None
security_enabled = true again None retained — the state value is sent explicitly, so the API default does not re-fire
advanced_networking block removed disable request carries an explicit advancedNetworkPolicies: None; block removed from state
block re-added with policy = "FQDN" state = FQDN

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

N/A

AI Assistance Disclosure

  • AI Assisted - This contribution was made by, or with the assistance of, AI/LLMs

AI was used for code generation and test authoring; all changes were reviewed before submission.

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

@nddq

nddq commented Jan 21, 2026

Copy link
Copy Markdown
Author

@rcskosir hello, when can I expect to get a review for this PR? Thanks!

@ms-henglu

Copy link
Copy Markdown
Collaborator

Hi @nddq ,

Normally we need to make the SDK upgrade in a separate PR, and I opened this PR to update the SDK to 2025-10-01: #31401

I think you can rebase the branch once above PR is merged.

@ms-henglu

Copy link
Copy Markdown
Collaborator

Hi @nddq ,

The PR is merged, you can rebase to main branch. I'm happy to take over this task if you're occupied, let me know if you need any help.

@nddq nddq force-pushed the acnsL7Policy branch 2 times, most recently from 6dfbc10 to 6f3dcab Compare March 6, 2026 15:15
@nddq

nddq commented Mar 6, 2026

Copy link
Copy Markdown
Author

@ms-henglu Thanks! I have rebased this branch onto latest main

@ms-henglu ms-henglu left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @nddq , it mostly LGTM, I just have minor comments, please check.

Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
Comment thread internal/services/containers/kubernetes_cluster_resource.go
Comment thread internal/services/containers/kubernetes_cluster_network_resource_test.go Outdated
Comment thread internal/services/containers/kubernetes_cluster_network_resource_test.go Outdated
@sf-msft

sf-msft commented Apr 8, 2026

Copy link
Copy Markdown

@magodo @WodansSon Any chance y'all can take a pass?

@wuxu92 wuxu92 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! I left some comments otherwise look good!

Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
Comment thread internal/services/containers/kubernetes_cluster_resource.go
Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
@nddq nddq changed the title azurerm_kubernetes_cluster - add advanced_network_policies property to network_profile.advanced_networking block azurerm_kubernetes_cluster - add policy property to network_profile.advanced_networking block Apr 30, 2026
@sf-msft

sf-msft commented Apr 30, 2026

Copy link
Copy Markdown

@sreallymatt any chance of queuing for reviews from hashicorp?

@wuxu92

wuxu92 commented May 5, 2026

Copy link
Copy Markdown
Collaborator

hi @nddq please take a looks at the failed CI actions

@wuxu92 wuxu92 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@nddq

nddq commented May 20, 2026

Copy link
Copy Markdown
Author

Any updates for this?

@catriona-m catriona-m left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this @nddq - I left a couple of comments inline but otherwise this is looking good. Thanks!

Comment thread internal/services/containers/kubernetes_cluster_resource.go Outdated
Comment thread website/docs/r/kubernetes_cluster.html.markdown Outdated
@sf-msft

sf-msft commented Jun 4, 2026

Copy link
Copy Markdown

@catriona-m one more nudge for a review :shipit:

@sf-msft

sf-msft commented Jun 15, 2026

Copy link
Copy Markdown

@catriona-m Ping again to avoid PR going stale

@catriona-m catriona-m left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @nddq I had another look at this and left a couple of comments on adding more test steps around removing/re-adding policy and also removing the advanced_networking entirely. Once that is addressed and the tests are passing, I think this should be good to go! Thanks!

check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we add more steps to this test where we omit the policy field entirely and then add it again?

}
security := &managedclusters.AdvancedNetworkingSecurity{
Enabled: pointer.To(securityEnabled),
AdvancedNetworkPolicies: pointer.To(advancedNetworkPolicies),

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

policy currently gets set to None here if the policy property is omitted when the block is present in the config, but when the advanced_networking block is removed entirely, the other properties in the block are set to false explicitly and policy is nil. We should update the tests to cover this case and investigate if leaving it nil or set to None is correct here

…ile.advanced_networking` block

This change adds support for the `policy` property within the
`network_profile.advanced_networking` block for Azure Kubernetes Service
clusters. The property maps to the Azure SDK's
`AdvancedNetworkingSecurity.AdvancedNetworkPolicies` field.

Changes:
- Add `policy` field with valid values `FQDN`, `L7` and `None`
- The field is Optional and Computed: the API defaults an unset policy to
  `FQDN` when `security_enabled` is `true`, so the server-applied value is
  reflected in state, and `None` is exposed as the explicit value to disable
  advanced network policy enforcement
- Add plan-time validation: `FQDN` and `L7` can only be configured when
  `security_enabled` is `true`, and `L7` cannot be combined with a service
  mesh profile in `Istio` mode
- Send an explicit `None` when security is disabled or the
  `advanced_networking` block is removed, so a previously configured policy
  is reset rather than left for the API to retain
- Add acceptance tests covering the API-side `FQDN` default, updating the
  policy, omitting it (value is retained), removing the `advanced_networking`
  block, re-adding it, and explicitly disabling with `None`
- Update documentation

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

8 participants