azure: Delete RoleAssignment after VMScaleSet during cluster deletion

hakman · hakman · commit 0a8d3afe23a0 · 2026-04-13T18:53:29.000+03:00
Signed-off-by: Ciprian Hacman &lt;ciprian@hakman.dev&gt;
diff --git a/pkg/resources/azure/azure.go b/pkg/resources/azure/azure.go
@@ -575,10 +575,7 @@ func (g *resourceGetter) listDisks(ctx context.Context) ([]*resources.Resource,
 func (g *resourceGetter) toDiskResource(disk *compute.Disk) *resources.Resource {
 	var blocked []string
 	if disk.ManagedBy != nil {
-		vm, err := arm.ParseResourceID(*disk.ManagedBy)
-		if err == nil {
-			blocked = append(blocked, toKey(typeVMScaleSet, vm.Parent.String()))
-		}
+		blocked = append(blocked, toKey(typeVMScaleSetVM, *disk.ManagedBy))
 	}
 
 	return &resources.Resource{
@@ -626,8 +623,10 @@ func (g *resourceGetter) toRoleAssignmentResource(ra *authz.RoleAssignment, vmss
 		Deleter: g.deleteRoleAssignment,
 		Blocks: []string{
 			toKey(typeResourceGroup, g.resourceGroupID()),
-			toKey(typeVMScaleSet, *vmss.ID),
 		},
+		// Wait for the VMSS to be deleted before removing role assignments,
+		// to avoid permission issues during VMSS teardown.
+		Blocked: []string{toKey(typeVMScaleSet, *vmss.ID)},
 	}
 }
 
diff --git a/pkg/resources/azure/azure_test.go b/pkg/resources/azure/azure_test.go
@@ -19,6 +19,7 @@ package azure
 import (
 	"fmt"
 	"reflect"
+	"slices"
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
@@ -227,11 +228,15 @@ func TestListResourcesAzure(t *testing.T) {
 	toDigests := func(rs map[string]*resources.Resource) map[string]*resourceDigest {
 		d := map[string]*resourceDigest{}
 		for k, r := range rs {
+			blocks := slices.Clone(r.Blocks)
+			blocked := slices.Clone(r.Blocked)
+			slices.Sort(blocks)
+			slices.Sort(blocked)
 			d[k] = &resourceDigest{
 				rtype:   r.Type,
 				name:    r.Name,
-				blocks:  r.Blocks,
-				blocked: r.Blocked,
+				blocks:  blocks,
+				blocked: blocked,
 				shared:  r.Shared,
 			}
 		}
@@ -253,8 +258,8 @@ func TestListResourcesAzure(t *testing.T) {
 			rtype: typeSubnet,
 			name:  subnetName,
 			blocks: []string{
-				toKey(typeVirtualNetwork, vnetID),
 				toKey(typeResourceGroup, rgID),
+				toKey(typeVirtualNetwork, vnetID),
 			},
 		},
 		toKey(typeRouteTable, rtID): {
@@ -267,8 +272,8 @@ func TestListResourcesAzure(t *testing.T) {
 			name:  vmssName,
 			blocks: []string{
 				toKey(typeResourceGroup, rgID),
-				toKey(typeVirtualNetwork, vnetID),
 				toKey(typeSubnet, subnetID),
+				toKey(typeVirtualNetwork, vnetID),
 			},
 			blocked: []string{
 				toKey(typeVMScaleSetVM, vmID),
@@ -278,15 +283,13 @@ func TestListResourcesAzure(t *testing.T) {
 			rtype:   typeDisk,
 			name:    diskName,
 			blocks:  []string{toKey(typeResourceGroup, rgID)},
-			blocked: []string{toKey(typeVMScaleSet, vmssID)},
+			blocked: []string{toKey(typeVMScaleSetVM, vmID)},
 		},
 		toKey(typeRoleAssignment, raID): {
-			rtype: typeRoleAssignment,
-			name:  raName,
-			blocks: []string{
-				toKey(typeResourceGroup, rgID),
-				toKey(typeVMScaleSet, vmssID),
-			},
+			rtype:   typeRoleAssignment,
+			name:    raName,
+			blocks:  []string{toKey(typeResourceGroup, rgID)},
+			blocked: []string{toKey(typeVMScaleSet, vmssID)},
 		},
 		toKey(typeLoadBalancer, lbID): {
 			rtype:  typeLoadBalancer,
