test/e2e: detach NSGs from subnets before deletion

bennerv · bennerv · commit 0620f6052634 · 2025-12-20T13:24:25.000-05:00
diff --git a/test/go.mod b/test/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/Azure/ARO-Tools v0.0.0-20251217212052-baa2e4c6d49a
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0
diff --git a/test/go.sum b/test/go.sum
@@ -94,6 +94,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsI
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.2.0 h1:akP6VpxJGgQRpDR1P462piz/8OhYLRCreDj48AyNabc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.2.0/go.mod h1:8wzvopPfyZYPaQUoKW87Zfdul7jmJMDfp/k7YY3oJyA=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0 h1:HYGD75g0bQ3VO/Omedm54v4LrD3B1cGImuRF3AJ5wLo=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0/go.mod h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeploymentstacks v1.0.1 h1:bcgO/crpp7wqI0Froi/I4C2fme7Vk/WLusbV399Do8I=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeploymentstacks v1.0.1/go.mod h1:kvfPmsE8gpOwwC1qrO1FeyBDDNfnwBN5UU3MPNiWW7I=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armfeatures v1.2.0 h1:wIDqH4WA5uJ6irRqjzodeSw6Pmp0tu3oIbwzBZEdMfQ=
diff --git a/test/util/framework/per_test_framework.go b/test/util/framework/per_test_framework.go
@@ -39,6 +39,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	armcompute "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions"
 
@@ -58,6 +59,7 @@ type perItOrDescribeTestContext struct {
 	armComputeClientFactory       *armcompute.ClientFactory
 	armResourcesClientFactory     *armresources.ClientFactory
 	armSubscriptionsClientFactory *armsubscriptions.ClientFactory
+	armNetworkClientFactory       *armnetwork.ClientFactory
 	graphClient                   *graphutil.Client
 
 	timingMetadata   timing.SpecTimingMetadata
@@ -349,6 +351,11 @@ func (tc *perItOrDescribeTestContext) cleanupResourceGroup(ctx context.Context,
 		return err
 	}
 
+	networkClientFactory, err := tc.GetARMNetworkClientFactory(ctx)
+	if err != nil {
+		return err
+	}
+
 	hcpClientFactory, err := tc.Get20240610ClientFactory(ctx)
 	if err != nil {
 		return err
@@ -371,7 +378,7 @@ func (tc *perItOrDescribeTestContext) cleanupResourceGroup(ctx context.Context,
 	}
 
 	ginkgo.GinkgoLogr.Info("deleting resource group", "resourceGroup", resourceGroupName)
-	if err := DeleteResourceGroup(ctx, resourceClientFactory.NewResourceGroupsClient(), resourceGroupName, false, timeout); err != nil {
+	if err := DeleteResourceGroup(ctx, resourceClientFactory.NewResourceGroupsClient(), networkClientFactory, resourceGroupName, false, timeout); err != nil {
 		return fmt.Errorf("failed to cleanup resource group: %w", err)
 	}
 
@@ -398,14 +405,19 @@ func (tc *perItOrDescribeTestContext) cleanupResourceGroupNoRP(ctx context.Conte
 		return fmt.Errorf("failed to search for managed resource groups: %w", err)
 	}
 
-	clientFactory, err := tc.GetARMResourcesClientFactory(ctx)
+	resourceClientFactory, err := tc.GetARMResourcesClientFactory(ctx)
+	if err != nil {
+		return err
+	}
+
+	networkClientFactory, err := tc.GetARMNetworkClientFactory(ctx)
 	if err != nil {
 		return err
 	}
 
 	for _, managedRG := range managedResourceGroups {
 		ginkgo.GinkgoLogr.Info("deleting managed resource group", "resourceGroup", managedRG, "parentResourceGroup", resourceGroupName)
-		if err := DeleteResourceGroup(ctx, clientFactory.NewResourceGroupsClient(), managedRG, true, timeout); err != nil {
+		if err := DeleteResourceGroup(ctx, resourceClientFactory.NewResourceGroupsClient(), networkClientFactory, managedRG, true, timeout); err != nil {
 			if isIgnorableResourceGroupCleanupError(err) {
 				ginkgo.GinkgoLogr.Info("ignoring not found resource group", "resourceGroup", managedRG)
 			} else {
@@ -415,7 +427,7 @@ func (tc *perItOrDescribeTestContext) cleanupResourceGroupNoRP(ctx context.Conte
 	}
 
 	ginkgo.GinkgoLogr.Info("deleting resource group", "resourceGroup", resourceGroupName)
-	if err := DeleteResourceGroup(ctx, clientFactory.NewResourceGroupsClient(), resourceGroupName, false, timeout); err != nil {
+	if err := DeleteResourceGroup(ctx, resourceClientFactory.NewResourceGroupsClient(), networkClientFactory, resourceGroupName, false, timeout); err != nil {
 		return fmt.Errorf("failed to cleanup resource group: %w", err)
 	}
 
@@ -564,6 +576,44 @@ func (tc *perItOrDescribeTestContext) getARMSubscriptionsClientFactoryUnlocked()
 	return tc.armSubscriptionsClientFactory, nil
 }
 
+func (tc *perItOrDescribeTestContext) GetARMNetworkClientFactory(ctx context.Context) (*armnetwork.ClientFactory, error) {
+	tc.contextLock.RLock()
+	if tc.armNetworkClientFactory != nil {
+		defer tc.contextLock.RUnlock()
+		return tc.armNetworkClientFactory, nil
+	}
+	tc.contextLock.RUnlock()
+
+	tc.contextLock.Lock()
+	defer tc.contextLock.Unlock()
+
+	return tc.getARMNetworkClientFactoryUnlocked(ctx)
+}
+
+func (tc *perItOrDescribeTestContext) getARMNetworkClientFactoryUnlocked(ctx context.Context) (*armnetwork.ClientFactory, error) {
+	if tc.armNetworkClientFactory != nil {
+		return tc.armNetworkClientFactory, nil
+	}
+
+	creds, err := tc.perBinaryInvocationTestContext.getAzureCredentials()
+	if err != nil {
+		return nil, err
+	}
+
+	// We already hold the lock, so we call the unlocked version
+	subscriptionID, err := tc.getSubscriptionIDUnlocked(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	clientFactory, err := armnetwork.NewClientFactory(subscriptionID, creds, tc.perBinaryInvocationTestContext.getClientFactoryOptions())
+	if err != nil {
+		return nil, err
+	}
+	tc.armNetworkClientFactory = clientFactory
+	return tc.armNetworkClientFactory, nil
+}
+
 func (tc *perItOrDescribeTestContext) GetARMResourcesClientFactory(ctx context.Context) (*armresources.ClientFactory, error) {
 	tc.contextLock.RLock()
 	if tc.armResourcesClientFactory != nil {
diff --git a/test/util/framework/resourcegroup_helper.go b/test/util/framework/resourcegroup_helper.go
@@ -26,6 +26,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions"
 )
@@ -122,6 +123,7 @@ func ListAllExpiredResourceGroups(
 func DeleteResourceGroup(
 	ctx context.Context,
 	resourceGroupsClient *armresources.ResourceGroupsClient,
+	networkClientFactory *armnetwork.ClientFactory,
 	resourceGroupName string,
 	force bool,
 	timeout time.Duration,
@@ -130,6 +132,12 @@ func DeleteResourceGroup(
 	ctx, cancel := context.WithTimeoutCause(ctx, timeout, fmt.Errorf("timeout '%f' minutes exceeded during DeleteResourceGroup for resource group %s", timeout.Minutes(), resourceGroupName))
 	defer cancel()
 
+	// detach any NSGs from subnets to avoid blocking deletion of the RG
+	err := detachSubnetNSGs(ctx, networkClientFactory, resourceGroupName)
+	if err != nil {
+		return fmt.Errorf("failed to detach NSGs from subnets in resource group %s: %w", resourceGroupName, err)
+	}
+
 	var opts *armresources.ResourceGroupsClientBeginDeleteOptions
 	if force {
 		opts = &armresources.ResourceGroupsClientBeginDeleteOptions{
@@ -164,3 +172,52 @@ func DeleteResourceGroup(
 
 	return nil
 }
+
+// detach any NSGs from subnets to avoid blocking deletion of the RG
+func detachSubnetNSGs(ctx context.Context, networkClientFactory *armnetwork.ClientFactory, resourceGroupName string) error {
+	vnetClient := networkClientFactory.NewVirtualNetworksClient()
+	subnetClient := networkClientFactory.NewSubnetsClient()
+
+	vnetPager := vnetClient.NewListPager(resourceGroupName, nil)
+	for vnetPager.More() {
+		vnetPage, err := vnetPager.NextPage(ctx)
+		if err != nil {
+			return fmt.Errorf("failed listing vnets in resource group %s: %w", resourceGroupName, err)
+		}
+
+		for _, vnet := range vnetPage.Value {
+			if vnet == nil || vnet.Properties == nil || vnet.Properties.Subnets == nil || vnet.Name == nil {
+				continue
+			}
+
+			subnetsPager := subnetClient.NewListPager(resourceGroupName, *vnet.Name, nil)
+			for subnetsPager.More() {
+				subnetPage, err := subnetsPager.NextPage(ctx)
+				if err != nil {
+					return fmt.Errorf("failed listing subnets in resource group %s: %w", resourceGroupName, err)
+				}
+
+				for _, subnet := range subnetPage.Value {
+					if subnet == nil || subnet.Name == nil || subnet.Properties == nil || subnet.Properties.NetworkSecurityGroup == nil || subnet.Properties.NetworkSecurityGroup.ID == nil {
+						continue
+					}
+
+					subnet.Properties.NetworkSecurityGroup = nil
+					poller, err := subnetClient.BeginCreateOrUpdate(ctx, resourceGroupName, *vnet.Name, *subnet.Name, *subnet, &armnetwork.SubnetsClientBeginCreateOrUpdateOptions{})
+					if err != nil {
+						return fmt.Errorf("failed detaching NSG from subnet %s in resource group %s: %w", *subnet.Name, resourceGroupName, err)
+					}
+
+					_, err = poller.PollUntilDone(ctx, &runtime.PollUntilDoneOptions{
+						Frequency: StandardPollInterval,
+					})
+					if err != nil {
+						return fmt.Errorf("failed waiting for subnet %s in resource group %s to finish updating: %w", *subnet.Name, resourceGroupName, err)
+					}
+				}
+			}
+		}
+	}
+
+	return nil
+}
