fix: handle null undrainable_node_behavior in precondition validation

The contains() function in Terraform does not accept null arguments,
and Terraform does not short-circuit || evaluation. When
undrainable_node_behavior is explicitly set to null, try() passes
null through (since accessing a null attribute is not an error), causing
contains() to crash with 'argument must not be null'.

Fix by wrapping with coalesce() to convert null to an empty string
before passing to contains(). Also harden the blob driver subnet
check in main.tf with the same pattern.

Fixes #760

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lonegunmanb

extra_node_pool.tf

@@ -180,7 +180,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "node_pool_create_before_destroy
       error_message = "Exactly one of `max_surge` or `max_unavailable` must be specified in `upgrade_settings` for node pool '${each.value.name}'."
     }
     precondition {
-      condition     = each.value.upgrade_settings == null || try(each.value.upgrade_settings.undrainable_node_behavior, null) == null || contains(["Cordon", "Schedule"], try(each.value.upgrade_settings.undrainable_node_behavior, ""))
+      condition     = each.value.upgrade_settings == null || try(each.value.upgrade_settings.undrainable_node_behavior, null) == null || contains(["Cordon", "Schedule"], coalesce(try(each.value.upgrade_settings.undrainable_node_behavior, ""), ""))
       error_message = "`undrainable_node_behavior` in `upgrade_settings` must be `null`, `\"Cordon\"`, or `\"Schedule\"` for node pool '${each.value.name}'."
     }
   }
@@ -347,7 +347,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "node_pool_create_after_destroy"
       error_message = "Exactly one of `max_surge` or `max_unavailable` must be specified in `upgrade_settings` for node pool '${each.value.name}'."
     }
     precondition {
-      condition     = each.value.upgrade_settings == null || try(each.value.upgrade_settings.undrainable_node_behavior, null) == null || contains(["Cordon", "Schedule"], try(each.value.upgrade_settings.undrainable_node_behavior, ""))
+      condition     = each.value.upgrade_settings == null || try(each.value.upgrade_settings.undrainable_node_behavior, null) == null || contains(["Cordon", "Schedule"], coalesce(try(each.value.upgrade_settings.undrainable_node_behavior, ""), ""))
       error_message = "`undrainable_node_behavior` in `upgrade_settings` must be `null`, `\"Cordon\"`, or `\"Schedule\"` for node pool '${each.value.name}'."
     }
   }

main.tf

@@ -745,7 +745,7 @@ data "azurerm_subnet" "blob_driver_check" {
 
 check "blob_driver_subnet_service_endpoint" {
   assert {
-    condition     = var.vnet_subnet == null || !var.storage_profile_enabled || !var.storage_profile_blob_driver_enabled || contains(try(data.azurerm_subnet.blob_driver_check[0].service_endpoints, []), "Microsoft.Storage")
+    condition     = var.vnet_subnet == null || !var.storage_profile_enabled || !var.storage_profile_blob_driver_enabled || contains(coalesce(try(data.azurerm_subnet.blob_driver_check[0].service_endpoints, null), []), "Microsoft.Storage")
     error_message = "The subnet used by the default node pool does not have 'Microsoft.Storage' in its service_endpoints. When storage_profile_blob_driver_enabled is true, the AKS Blob CSI driver may automatically add this service endpoint out-of-band, causing Terraform state drift. To prevent this, add service_endpoints = [\"Microsoft.Storage\"] to your subnet configuration. See: https://github.com/Azure/terraform-azurerm-aks/issues/424"
   }
 }