From 501845804779b352bbd1463a1ed738594ea2e109 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Wed, 9 Jul 2025 08:19:43 +0300
Subject: [PATCH] Fix role assignment deletion creation
---
 pkg/resources/azure/azure.go | 22 ++++++++++++++++++----
 pkg/resources/clusterinfo.go | 2 ++
 pkg/resources/ops/collector.go | 2 ++
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/pkg/resources/azure/azure.go b/pkg/resources/azure/azure.go
index 2c553f3942..818332a187 100644
--- a/pkg/resources/azure/azure.go
+++ b/pkg/resources/azure/azure.go
@@ -63,6 +63,14 @@ func (g *resourceGetter) resourceGroupName() string {
 return g.clusterInfo.AzureResourceGroupName
 }
 
+func (g *resourceGetter) resourceGroupID() string {
+ return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", g.clusterInfo.AzureSubscriptionID, g.clusterInfo.AzureResourceGroupName)
+}
+
+func (g *resourceGetter) storageAccountID() string {
+ return g.clusterInfo.AzureStorageAccountID
+}
+
 func (g *resourceGetter) listResourcesAzure() (map[string]*resources.Resource, error) {
 rs, err := g.listAll()
 if err != nil {
@@ -397,11 +405,17 @@ func (g *resourceGetter) listVMScaleSetsAndRoleAssignments(ctx context.Context)
 principalIDs[*vmss.Identity.PrincipalID] = vmss
 }
 
- ras, err := g.listRoleAssignments(ctx, principalIDs)
+ resourceGroupRAs, err := g.listRoleAssignments(ctx, principalIDs, g.resourceGroupID())
 if err != nil {
 return nil, err
 }
- rs = append(rs, ras...)
+ rs = append(rs, resourceGroupRAs...)
+
+ storageAccountRAs, err := g.listRoleAssignments(ctx, principalIDs, g.storageAccountID())
+ if err != nil {
+ return nil, err
+ }
+ rs = append(rs, storageAccountRAs...)
 
 return rs, nil
 }
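Review bot: The two new helpers resourceGroupID() and storageAccountID() are added without doc comments, and the ARM scope format that resourceGroupID() hard-codes is stated nowhere else in the hunk, so a reader has to reverse the Sprintf to learn what the string is for. I would add `// resourceGroupID returns the ARM resource ID of the cluster's resource group, built from the subscription ID and resource group name in clusterInfo; it is used as a role-assignment scope.` above the first helper and `// storageAccountID returns the ARM resource ID of the cluster's storage account as recorded in clusterInfo.` above the second. Whether either value can be empty for a valid cluster is not visible here and is worth stating in the comment once confirmed.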
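Review bot: The new storageAccountRAs call passes g.storageAccountID() straight into listRoleAssignments without checking that it is non-empty, so if AzureStorageAccountID can be unset for a cluster (I cannot see how the field is validated from this hunk) the role-assignment List is issued with scope "" and the result is whatever the SDK or ARM does with an empty scope rather than something this code controls. Since the listed assignments feed the deletion path, I would bound the lookup to a scope the cluster actually owns: `if id := g.storageAccountID(); id != "" {` around the five new lines, and the same consideration applies to resourceGroupID(), which yields `/subscriptions//resourceGroups/<name>` when AzureSubscriptionID is empty. listVMScaleSetsAndRoleAssignments starts before this hunk.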
@@ -509,8 +523,8 @@ func (g *resourceGetter) deleteDisk(_ fi.Cloud, r *resources.Resource) error {
 return g.cloud.Disk().Delete(context.TODO(), g.resourceGroupName(), r.Name)
 }
 
-func (g *resourceGetter) listRoleAssignments(ctx context.Context, principalIDs map[string]*compute.VirtualMachineScaleSet) ([]*resources.Resource, error) {
- ras, err := g.cloud.RoleAssignment().List(ctx, g.resourceGroupName())
+func (g *resourceGetter) listRoleAssignments(ctx context.Context, principalIDs map[string]*compute.VirtualMachineScaleSet, scope string) ([]*resources.Resource, error) {
+ ras, err := g.cloud.RoleAssignment().List(ctx, scope)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/resources/clusterinfo.go b/pkg/resources/clusterinfo.go
index 4b2d58f18e..53e92b97fb 100644
--- a/pkg/resources/clusterinfo.go
+++ b/pkg/resources/clusterinfo.go
@@ -20,6 +20,8 @@ type ClusterInfo struct {
 Name string
 UsesNoneDNS bool
 // Azure specific
+ AzureStorageAccountID string
+ AzureSubscriptionID string
 AzureResourceGroupName string
 AzureResourceGroupShared bool
 AzureNetworkShared bool
diff --git a/pkg/resources/ops/collector.go b/pkg/resources/ops/collector.go
index d471cf01c0..331c1b70ef 100644
--- a/pkg/resources/ops/collector.go
+++ b/pkg/resources/ops/collector.go
@@ -57,6 +57,8 @@ func ListResources(cloud fi.Cloud, cluster *kops.Cluster) (map[string]*resources
 case kops.CloudProviderOpenstack:
 return openstack.ListResources(cloud.(cloudopenstack.OpenstackCloud), clusterInfo)
 case kops.CloudProviderAzure:
+ clusterInfo.AzureStorageAccountID = cluster.Spec.CloudProvider.Azure.StorageAccountID
+ clusterInfo.AzureSubscriptionID = cluster.Spec.CloudProvider.Azure.SubscriptionID
 clusterInfo.AzureResourceGroupName = cluster.AzureResourceGroupName()
 clusterInfo.AzureResourceGroupShared = cluster.IsSharedAzureResourceGroup()
 clusterInfo.AzureNetworkShared = cluster.SharedVPC()
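Review bot: The new scope parameter of listRoleAssignments is undocumented and the function has no doc comment, which matters now that it is called with two different scopes from the same caller and the previous behaviour (always the resource group) is no longer implied by the name. I would add `// listRoleAssignments lists the role assignments under scope, an ARM resource ID such as a resource group or storage account, and returns those belonging to the VMSS identities in principalIDs.` above the signature; the filtering by principalIDs is inferred from the parameter name and should be confirmed against the body, which continues below this hunk. Nothing in the hunk rejects an empty scope, so the caller is responsible for passing a valid one.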
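Review bot: The two added assignments in ListResources dereference cluster.Spec.CloudProvider.Azure directly, whereas the existing lines in the same case go through cluster methods (AzureResourceGroupName(), IsSharedAzureResourceGroup(), SharedVPC()); if that Azure spec can be nil for a cluster that still reports CloudProviderAzure, which the hunk does not show either way, this case would panic instead of returning an error. A nil check before the assignments, or accessor methods on the cluster mirroring the existing ones, keeps the failure mode consistent with the rest of the switch. ListResources starts and ends outside this hunk.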