diff --git a/internal/services/containers/kubernetes_cluster_network_resource_test.go b/internal/services/containers/kubernetes_cluster_network_resource_test.go index e8bb0e3cf17d..7577fd31cc15 100644 --- a/internal/services/containers/kubernetes_cluster_network_resource_test.go +++ b/internal/services/containers/kubernetes_cluster_network_resource_test.go @@ -258,6 +258,73 @@ func TestAccKubernetesCluster_advancedNetworkingAzureCiliumPolicyUpdate(t *testi }) } +func TestAccKubernetesCluster_advancedNetworkingAzurePolicyUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") + r := KubernetesClusterResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.advancedNetworkingConfig(data, "azure"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.advancedNetworkingWithPolicyConfig(data, "azure", "azure"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + +func TestAccKubernetesCluster_advancedNetworkingCalicoPolicyUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") + r := KubernetesClusterResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.advancedNetworkingConfig(data, "azure"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.advancedNetworkingWithPolicyConfig(data, "azure", "calico"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + }) +} + +func TestAccKubernetesCluster_advancedNetworkingCalicoToAzurePolicyUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") + r := KubernetesClusterResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.advancedNetworkingWithPolicyConfig(data, "azure", "calico"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + check.That(data.ResourceName).Key("network_profile.0.network_policy").Exists(), + ), + }, + data.ImportStep(), + { + Config: r.advancedNetworkingWithPolicyConfig(data, "azure", "azure"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + check.That(data.ResourceName).Key("network_profile.0.network_policy").Exists(), + ), + }, + data.ImportStep(), + }) +} + func TestAccKubernetesCluster_advancedNetworkingAzureCalicoPolicyComplete(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test") r := KubernetesClusterResource{} diff --git a/internal/services/containers/kubernetes_cluster_resource.go b/internal/services/containers/kubernetes_cluster_resource.go index f97b3fa44b3c..9c5074b0c401 100644 --- a/internal/services/containers/kubernetes_cluster_resource.go +++ b/internal/services/containers/kubernetes_cluster_resource.go @@ -112,7 +112,16 @@ func resourceKubernetesCluster() *pluginsdk.Resource { return !strings.EqualFold(new.(string), string(managedclusters.NetworkPluginModeOverlay)) }), pluginsdk.ForceNewIfChange("network_profile.0.network_policy", func(ctx context.Context, old, new, meta interface{}) bool { - return old.(string) != "" || new.(string) != string(managedclusters.NetworkPolicyCilium) + // Follow scenarios are not supported as in-place update: + // * Switch from Cilium + // * Switch from network policy to non Cilium network policy + // * Remove network policy property does not uninstall the network policy, forcing new cluster. + // + // Omit network_policy does not uninstall the network policy, since it requires an explicit 'none' value. + // And an uninstallation of network policy engine is not GA yet. + // Once it is GA, an additional logic is needed to handle the uninstallation of network policy. + return old.(string) != string(managedclusters.NetworkPolicyCilium) || + old.(string) != "" && new.(string) != string(managedclusters.NetworkPolicyCilium) }), pluginsdk.ForceNewIfChange("custom_ca_trust_certificates_base64", func(ctx context.Context, old, new, meta interface{}) bool { return len(old.([]interface{})) > 0 && len(new.([]interface{})) == 0