azurerm_kubernetes_cluster: node_os_channel_upgrade not set but cluster is set to NodeImage

[cveld]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.1

AzureRM Provider Version

3.110.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

resource "azurerm_kubernetes_cluster" "default" {
  name = "aks-${local.workload_name}-${random_string.default.result}"
  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_B2as_v2"
  }
  location            = local.location
  resource_group_name = azurerm_resource_group.default.name
  identity {
    type = "SystemAssigned"
  }
  dns_prefix = local.workload_name

  azure_active_directory_role_based_access_control {
    admin_group_object_ids = [data.azurerm_client_config.default.object_id]
    azure_rbac_enabled     = true
    tenant_id              = data.azurerm_client_config.default.tenant_id
    managed                = true
  }
}

data "azurerm_client_config" "default" {

}

resource "random_string" "default" {
  length  = 5
  special = false
  upper   = false
  numeric = false
}

resource "azurerm_resource_group" "default" {
  name     = "rg-${local.workload_name}-${random_string.default.result}"
  location = local.location
}

locals {
  workload_name   = "cve"
  location        = "swedencentral"
}

Debug Output/Panic Output

N/A

Expected Behaviour

In the azurerm resource we don't set the property node_os_channel_upgrade.
After the cluster is created, the cloud resource property Node security channel type / nodeOSUpgradeChannel should not have a value.

(taken from clusters created before)

Actual Behaviour

The cloud resource property Node security channel type / nodeOSUpgradeChannel gets the value NodeImage

(taken from a freshly created cluster)

This behavior has only been introduced recently, e.g. April 2024.

Steps to Reproduce

1. terraform apply

Important Factoids

No response

References

No response

[hqhqhqhqhqhqhqhqhqhqhq]

Hi @cveld, thanks for raising this. It seems NodeImage is used as the default option if no values are received by the AKS side. I'm contacting them now for reasons why this is used as default option. Will get back to you soon once I have the response.

[hqhqhqhqhqhqhqhqhqhqhq]

Hi @cveld, the reason to set the default value set to "NodeImage" is to steer away from ‘none’ / ‘unspecified’ behavior and bring in a conscious best practice in tune with industry security standard.
If you want it to be set as other values, then for now, you need to set the property to other properties in the terraform file.

I have created a fix to set this as a default value for azurerm provider which will take effect in the next major release (version 4.0).
#26576