update pr

README.md

@@ -232,6 +232,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [azapi_update_resource.aks_cluster_http_proxy_config_no_proxy](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/update_resource) | resource |
 | [azapi_update_resource.aks_cluster_post_create](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/update_resource) | resource |
 | [azurerm_kubernetes_cluster.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
 | [azurerm_kubernetes_cluster_node_pool.node_pool](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource |
@@ -244,7 +245,7 @@ No modules.
 | [azurerm_role_assignment.existing_application_gateway_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.network_contributor_on_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [null_resource.aks_cluster_recreate](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.http_proxy_config_no_proxy_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.kubernetes_version_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.pool_name_keeper](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
@@ -317,7 +318,7 @@ No modules.
 | <a name="input_enable_node_public_ip"></a> [enable\_node\_public\_ip](#input\_enable\_node\_public\_ip) | (Optional) Should nodes in this Node Pool have a Public IP Address? Defaults to false. | `bool` | `false` | no |
 | <a name="input_green_field_application_gateway_for_ingress"></a> [green\_field\_application\_gateway\_for\_ingress](#input\_green\_field\_application\_gateway\_for\_ingress) | [Definition of `green_field`](https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-new)<br>* `name` - (Optional) The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster.<br>* `subnet_cidr` - (Optional) The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster.<br>* `subnet_id` - (Optional) The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | <pre>object({<br>    name        = optional(string)<br>    subnet_cidr = optional(string)<br>    subnet_id   = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_http_application_routing_enabled"></a> [http\_application\_routing\_enabled](#input\_http\_application\_routing\_enabled) | Enable HTTP Application Routing Addon (forces recreation). | `bool` | `false` | no |
-| <a name="input_http_proxy_config"></a> [http\_proxy\_config](#input\_http\_proxy\_config) | optional(object({<br>    http\_proxy  = (Optional) The proxy address to be used when communicating over HTTP. Changing this forces a new resource to be created.<br>    https\_proxy = (Optional) The proxy address to be used when communicating over HTTPS. Changing this forces a new resource to be created.<br>    no\_proxy    = (Optional) The list of domains that will not use the proxy for communication. Note: If you specify the `default_node_pool.0.vnet_subnet_id`, be sure to include the Subnet CIDR in the `no_proxy` list. Note: You may wish to use Terraform's `ignore_changes` functionality to ignore the changes to this field.<br>    trusted\_ca  = (Optional) The base64 encoded alternative CA certificate content in PEM format.<br>})) | <pre>object({<br>    http_proxy  = optional(string)<br>    https_proxy = optional(string)<br>    no_proxy    = optional(list(string))<br>    trusted_ca  = optional(string)<br>  })</pre> | `null` | no |
+| <a name="input_http_proxy_config"></a> [http\_proxy\_config](#input\_http\_proxy\_config) | optional(object({<br>    http\_proxy  = (Optional) The proxy address to be used when communicating over HTTP.<br>    https\_proxy = (Optional) The proxy address to be used when communicating over HTTPS.<br>    no\_proxy    = (Optional) The list of domains that will not use the proxy for communication. Note: If you specify the `default_node_pool.0.vnet_subnet_id`, be sure to include the Subnet CIDR in the `no_proxy` list. Note: You may wish to use Terraform's `ignore_changes` functionality to ignore the changes to this field.<br>    trusted\_ca  = (Optional) The base64 encoded alternative CA certificate content in PEM format.<br>}))<br>Once you have set only one of `http_proxy` and `https_proxy`, this config would be used for both `http_proxy` and `https_proxy` to avoid a configuration drift. | <pre>object({<br>    http_proxy  = optional(string)<br>    https_proxy = optional(string)<br>    no_proxy    = optional(list(string))<br>    trusted_ca  = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_identity_ids"></a> [identity\_ids](#input\_identity\_ids) | (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster. | `list(string)` | `null` | no |
 | <a name="input_identity_type"></a> [identity\_type](#input\_identity\_type) | (Optional) The type of identity used for the managed cluster. Conflicts with `client_id` and `client_secret`. Possible values are `SystemAssigned` and `UserAssigned`. If `UserAssigned` is set, an `identity_ids` must be set as well. | `string` | `"SystemAssigned"` | no |
 | <a name="input_image_cleaner_enabled"></a> [image\_cleaner\_enabled](#input\_image\_cleaner\_enabled) | (Optional) Specifies whether Image Cleaner is enabled. | `bool` | `false` | no |

main.tf

@@ -49,16 +49,6 @@ resource "azurerm_kubernetes_cluster" "main" {
   } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
   workload_identity_enabled = var.workload_identity_enabled
 
-  dynamic "http_proxy_config" {
-    for_each = var.http_proxy_config == null ? [] : ["http_proxy_config"]
-    content {
-      http_proxy  = var.http_proxy_config.http_proxy
-      https_proxy = var.http_proxy_config.https_proxy
-      no_proxy    = var.http_proxy_config.no_proxy
-      trusted_ca  = var.http_proxy_config.trusted_ca
-    }
-  }
-
   dynamic "default_node_pool" {
     for_each = var.enable_auto_scaling == true ? [] : ["default_node_pool_manually_scaled"]
 
@@ -330,6 +320,15 @@ resource "azurerm_kubernetes_cluster" "main" {
       sgx_quote_helper_enabled = confidential_computing.value.sgx_quote_helper_enabled
     }
   }
+  dynamic "http_proxy_config" {
+    for_each = var.http_proxy_config == null ? [] : ["http_proxy_config"]
+    content {
+      http_proxy  = coalesce(var.http_proxy_config.http_proxy, var.http_proxy_config.https_proxy)
+      https_proxy = coalesce(var.http_proxy_config.https_proxy, var.http_proxy_config.http_proxy)
+      no_proxy    = var.http_proxy_config.no_proxy
+      trusted_ca  = var.http_proxy_config.trusted_ca
+    }
+  }
   dynamic "identity" {
     for_each = var.client_id == "" || var.client_secret == "" ? ["identity"] : []
 
@@ -595,12 +594,6 @@ resource "azurerm_kubernetes_cluster" "main" {
   }
 }
 
-resource "null_resource" "aks_cluster_recreate" {
-  triggers = {
-    http_proxy_no_proxy = try(join(",", var.http_proxy_config.no_proxy), "")
-  }
-}
-
 resource "null_resource" "kubernetes_version_keeper" {
   triggers = {
     version = var.kubernetes_version
@@ -622,6 +615,35 @@ resource "azapi_update_resource" "aks_cluster_post_create" {
   }
 }
 
+resource "null_resource" "http_proxy_config_no_proxy_keeper" {
+  count = can(var.http_proxy_config.no_proxy[0]) ? 1 : 0
+
+  triggers = {
+    http_proxy_no_proxy = try(join(",", try(sort(var.http_proxy_config.no_proxy), [])), "")
+  }
+}
+
+resource "azapi_update_resource" "aks_cluster_http_proxy_config_no_proxy" {
+  count = can(var.http_proxy_config.no_proxy[0]) ? 1 : 0
+
+  type = "Microsoft.ContainerService/managedClusters@2023-01-02-preview"
+  body = jsonencode({
+    properties = {
+      httpProxyConfig = {
+        noProxy = var.http_proxy_config.no_proxy
+      }
+    }
+  })
+  resource_id = azurerm_kubernetes_cluster.main.id
+
+  depends_on = [azapi_update_resource.aks_cluster_post_create]
+
+  lifecycle {
+    ignore_changes       = all
+    replace_triggered_by = [null_resource.http_proxy_config_no_proxy_keeper[0].id]
+  }
+}
+
 resource "azurerm_kubernetes_cluster_node_pool" "node_pool" {
   for_each = var.node_pools
 

variables.tf

@@ -57,24 +57,6 @@ variable "agents_min_count" {
   description = "Minimum number of nodes in a pool"
 }
 
-variable "http_proxy_config" {
-  type = object({
-    http_proxy  = optional(string)
-    https_proxy = optional(string)
-    no_proxy    = optional(list(string))
-    trusted_ca  = optional(string)
-  })
-  default     = null
-  description = <<-EOT
-    optional(object({
-      http_proxy  = (Optional) The proxy address to be used when communicating over HTTP. Changing this forces a new resource to be created.
-      https_proxy = (Optional) The proxy address to be used when communicating over HTTPS. Changing this forces a new resource to be created.
-      no_proxy    = (Optional) The list of domains that will not use the proxy for communication. Note: If you specify the `default_node_pool.0.vnet_subnet_id`, be sure to include the Subnet CIDR in the `no_proxy` list. Note: You may wish to use Terraform's `ignore_changes` functionality to ignore the changes to this field.
-      trusted_ca  = (Optional) The base64 encoded alternative CA certificate content in PEM format.
-  }))
-EOT
-}
-
 variable "agents_pool_kubelet_configs" {
   type = list(object({
     cpu_manager_policy        = optional(string)
@@ -503,6 +485,30 @@ variable "http_application_routing_enabled" {
   description = "Enable HTTP Application Routing Addon (forces recreation)."
 }
 
+variable "http_proxy_config" {
+  type = object({
+    http_proxy  = optional(string)
+    https_proxy = optional(string)
+    no_proxy    = optional(list(string))
+    trusted_ca  = optional(string)
+  })
+  default     = null
+  description = <<-EOT
+    optional(object({
+      http_proxy  = (Optional) The proxy address to be used when communicating over HTTP.
+      https_proxy = (Optional) The proxy address to be used when communicating over HTTPS.
+      no_proxy    = (Optional) The list of domains that will not use the proxy for communication. Note: If you specify the `default_node_pool.0.vnet_subnet_id`, be sure to include the Subnet CIDR in the `no_proxy` list. Note: You may wish to use Terraform's `ignore_changes` functionality to ignore the changes to this field.
+      trusted_ca  = (Optional) The base64 encoded alternative CA certificate content in PEM format.
+  }))
+  Once you have set only one of `http_proxy` and `https_proxy`, this config would be used for both `http_proxy` and `https_proxy` to avoid a configuration drift.
+EOT
+
+  validation {
+    condition     = var.http_proxy_config == null ? true : can(coalesce(var.http_proxy_config.http_proxy, var.http_proxy_config.https_proxy))
+    error_message = "`http_proxy` and `https_proxy` cannot be both empty."
+  }
+}
+
 variable "identity_ids" {
   type        = list(string)
   default     = null