azure_rm_aks does not detect any change in the aad_profile property

[emanueleaina]

SUMMARY

Updating values in the aad_profile property of azure_rm_aks does not seem to have any effect.

ISSUE TYPE

• Bug Report

COMPONENT NAME

azure_rm_aks

ANSIBLE VERSION

ansible [core 2.19.2]
  config file = /home/em/c/co/daimler/git/vcp-apertis-infra/ansible-playbooks/ansible.cfg
  configured module search path = ['/home/em/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/dist-packages/ansible
  ansible collection location = /home/em/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] (/usr/bin/python3)
  jinja version = 3.1.6
  pyyaml version = 6.0.3 (with libyaml v0.2.5)

COLLECTION VERSION

Collection         Version
------------------ -------
azure.azcollection 3.12.0

CONFIGURATION

CALLBACKS_ENABLED(/home/user/ansible-playbooks/ansible.cfg) = ['ansible.posix.profile_tasks']
COLOR_DEBUG(/home/user/ansible-playbooks/ansible.cfg) = blue
CONFIG_FILE() = /home/user/ansible-playbooks/ansible.cfg
DEFAULT_HOST_LIST(/home/user/ansible-playbooks/ansible.cfg) = ['/home/user/ansible-playbooks/inventories/staging']
EDITOR(env: EDITOR) = vim
INTERPRETER_PYTHON(/home/user/ansible-playbooks/ansible.cfg) = auto_silent

OS / ENVIRONMENT

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"

STEPS TO REPRODUCE

I have an AKS cluster with aadProfile.adminGroupObjectIDs set to null and I want to set a group with:

aad_profile:
    managed: true
    admin_group_object_ids:
      - foo # replace this with an actual group guid
    enable_azure_rbac: false

EXPECTED RESULTS

1. --check mode should detect the change
2. without --check the aadProfile.adminGroupObjectIDs should be set to the specified groups

ACTUAL RESULTS

No change is detected, no update is submitted to the azure API at all.

[zunyangc]

Hi @emanueleaina , thanks for submitting this issue.

A PR 2131 has been created for this issue. It would be great if you can give it a try. Thanks!

[emanueleaina]

I will have a look, thank you!

I also noticed that when running in verbose mode with -vvvv ansible shows this:

ok: […] => 
    aad_profile:
        admin_group_object_i_ds:
        - …
        enable_azure_rbac: false
        managed: true
        tenant_id: …
    addon:
        …

Note the admin_group_object_i_ds name, which seems to have been through a broken conversion from camel case (adminGroupObjectIDs) to snake case.

[rickysarraf]

I backported the patch to the local setup.

$ ansible-playbook --version
ansible-playbook [core 2.19.2]
  config file = /ansible-playbooks/ansible-playbooks/ansible.cfg
  configured module search path = ['/home/staging/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/dist-packages/ansible
  ansible collection location = /home/staging/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] (/usr/bin/python3)
  jinja version = 3.1.6

I changed to a dummy group.

      aad_profile:
        managed: true
        admin_group_object_ids:
          - foobarzoo
        enable_azure_rbac: false

But the change has no effect on the result. Running in --check mode, is reporting no change at all. I expect to see a diff for the admin_group_object_ids.

[zunyangc]

Hi @emanueleaina & @rickysarraf, thanks for the detailed repro and logs.

Root cause:

The module's update path was sending an incomplete AAD profile in a full PUT (missing tenant_id and flags), so AKS ignored adminGroupObjectIDs.

Solutions:

• Preserve AAD context on PUT: If playbook doesn't supply it, we now fill tenant_id from the existing cluster and preserve managed and enable_azure_rbac.
• Keep self.identity as a dict for comparisons/idempotence, and store the SDK object in self.identity_obj only for the outgoing request.

It should now update AAD admin groups as expected.

Please try it out and let me know if you see anything off or have suggestions. Thanks!