[Bug]: Crossplane does not detect drift in IP rules of storage account

[deggja]

Is there an existing issue for this?

• I have searched the existing issues

Affected Resource(s)

storage.azure.upbound.io/v1beta2

Resource MRs required to reproduce the bug

apiVersion: storage.azure.upbound.io/v1beta2
kind: Account
metadata:
  name: storage-account
spec:
  managementPolicies: ["Create", "Observe", "Update"]
  forProvider:
    accountKind: StorageV2
    accountReplicationType: ZRS
    accountTier: Standard
    publicNetworkAccessEnabled: false
    allowNestedItemsToBePublic: false
    sharedAccessKeyEnabled: false
    defaultToOauthAuthentication: true
    isHnsEnabled: false
    networkRules:
      ipRules: []
    blobProperties:
      containerDeleteRetentionPolicy:
        days: 7
      deleteRetentionPolicy:
        days: 7
    location: "my_region"
    resourceGroupNameRef:
      name: "resource_group"
  providerConfigRef:
    name: workload-identity-provider-config

Steps to Reproduce

Create a storage account managed resource with an empty ipRules list.

What happened?

The entire ipRules parameter is removed from the spec, and I believe this means reconciliation will not check for drift for this config. When setting an empty list you want the list to be empty, however, resource drift will not be caught as the controller never sees this drift because the empty list is not in the desired state.

Relevant Error Output Snippet

no error message, just unwanted resource drift in Azure.

Crossplane Version

1.18

Provider Version

1.9.0

Kubernetes Version

1.30.5

Kubernetes Distribution

AKS

Additional Info

No response

[deggja]

I see this, which I suppose means that the list will not be included if empty.

provider-upjet-azure/apis/storage/v1beta2/zz_account_types.go

Line 1297 in 1c27470

IPRules []*string `json:"ipRules,omitempty" tf:"ip_rules,omitempty"`

EDIT:

I would be happy to make a PR and contribute to resolving this.