Return errors for missing identity data in createOrUpdateDenyAssignment during installs, log and continue for admin updates

[slawande2]

Which issue this PR addresses:

https://redhat.atlassian.net/browse/ARO-26127

• Currently in createOrUpdateDenyAssignment(), when required identity data is missing (SPObjectID, ServicePrincipalProfile, or PlatformWorkloadIdentity ObjectID), the function logs the issue and returns nil, silently skipping deny assignment creation. This happens regardless of whether the call is from an install or an admin update.

• During installs, missing identity data indicates a real problem — silently skipping deny assignment creation masks failures that should block the operation. We want to return errors in this case so the install fails explicitly.

• During admin updates, the log-and-continue behavior is intentional. We want to preserve this behavior — log the issue and continue without returning an error. This PR adds logic so that createOrUpdateDenyAssignment distinguishes between these two calling contexts: returning errors during installs, and logging and continuing during admin updates.

What this PR does / why we need it:

This change updates three log messages to Errors when createOrUpdateDenyAssignment encounters missing identity data (empty platform workload identity ObjectID, nil ServicePrincipalProfile, or empty SPObjectID). These conditions indicate unexpected state that should not be silently logged at informational level and elevates them to errors.

Test plan for issue:

updated unit tests

Is there any documentation that needs to be updated for this PR?

no

[Copilot]

Pull request overview

This PR changes createOrUpdateDenyAssignment to fail fast (return errors) when required identity data is missing, rather than logging and skipping deny assignment creation, and updates the unit tests accordingly.

Changes:

• Return errors when Platform Workload Identity ObjectID is empty, ServicePrincipalProfile is nil, or SPObjectID is empty.
• Update TestCreateOrUpdateDenyAssignment table tests to assert expected error strings for the newly-failing cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
pkg/cluster/denyassignment.go	Converts previously “log-and-skip” missing-identity branches into returned errors before ARM deployment.
pkg/cluster/denyassignment_test.go	Adds wantErr expectations and assertions for the new error-return behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[shubhadapaithankar]

LGTM

[slawande2]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[kimorris27]

This change makes sense to ensure we catch these errors on installs, but I think we should include some additional changes to preserve the existing behavior during admin updates (log the error and keep going).

[slawande2]

@kimorris27 that makes sense. I've added a validationErr variable to check for provisioningStateAdminUpdate , log and continue if that's the case.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[tsatam]

LGTM - we might want to make the specific error we return more comprehensive over all identities but this change as-is is fine to move forward with

[kimorris27]

MIWI E2E failed with an issue deleting the cluster, but the actual E2E tests passed; see below. I'll go ahead and merge this while I'm here.

run-e2e  | time="2026-04-16T18:53:32Z" level=error msg="Delete failed with 3 error(s)" func="cluster.(*Cluster).Delete()" file="pkg/util/cluster/cluster.go:854"
run-e2e  | time="2026-04-16T18:53:32Z" level=error msg="Cluster deletion failed with errors: failed to delete cluster: error deleting cluster v4-e2e-V160694354-eastus-miwi: Code=\"InternalServerError\" Message=\"Internal server error.\"\nfailed to check resource group aro-v4-e2e-V160694354-eastus-miwi deleted: timed out checking for resource group aro-v4-e2e-V160694354-eastus-miwi to be deleted\nfailed to delete resource group v4-e2e-V160694354-eastus-miwi: error deleting resource group: Future#WaitForCompletion: the number of retries has been exceeded: StatusCode=409 -- Original Error: Code=\"ResourceGroupDeletionBlocked\" Message=\"Deletion of resource group 'v4-e2e-V160694354-eastus-miwi' failed as resources with identifiers 'Microsoft.Network/routeTables/v4-e2e-V160694354-eastus-miwi-rt,Microsoft.Network/virtualNetworks/dev-vnet,Microsoft.Compute/diskEncryptionSets/v4-e2e-V160694354-eastus-miwi-disk-encryption-set' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is '47648f2f-6b10-4edc-aaac-f583a02271d3'. Please check audit logs for more details.\" Details=[{\"message\":\"{\\\"error\\\":{\\\"code\\\":\\\"InUseRouteTableCannotBeDeleted\\\",\\\"message\\\":\\\"Route table v4-e2e-V160694354-eastus-miwi-rt is in use and cannot be deleted.\\\",\\\"details\\\":[]}}\",\"target\":\"/subscriptions/***/resourceGroups/v4-e2e-V160694354-eastus-miwi/providers/Microsoft.Network/routeTables/v4-e2e-V160694354-eastus-miwi-rt\"},{\"message\":\"{\\\"error\\\":{\\\"code\\\":\\\"InUseSubnetCannotBeDeleted\\\",\\\"message\\\":\\\"Subnet v4-e2e-V160694354-eastus-miwi-worker is in use by /subscriptions/***/resourceGroups/ARO-V4-E2E-V160694354-EASTUS-MIWI/providers/Microsoft.Network/networkInterfaces/V4-E2E-V160694354-EAS-NRDMK-WORKER-EASTUS3-Z2DLG-NIC/ipConfigurations/PIPCONFIG and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.\\\",\\\"details\\\":[]}}\",\"target\":\"/subscriptions/***/resourceGroups/v4-e2e-V160694354-eastus-miwi/providers/Microsoft.Network/virtualNetworks/dev-vnet\"},{\"message\":\"{\\\"error\\\":{\\\"code\\\":\\\"OperationNotAllowed\\\",\\\"message\\\":\\\"DiskEncryptionSet 'v4-e2e-V160694354-eastus-miwi-disk-encryption-set' is being used by resource 'v4-e2e-v160694354-eas-nrdmk-master-0_OSDisk' and cannot be deleted.\\\"}}\",\"target\":\"/subscriptions/***/resourceGroups/v4-e2e-V160694354-eastus-miwi/providers/Microsoft.Compute/diskEncryptionSets/v4-e2e-V160694354-eastus-miwi-disk-encryption-set\"}]" func="e2e.cleanupE2EInfrastructure()" file="test/e2e/setup.go:642"
run-e2e  |   [PANICKED] in [AfterSuite] - /app/test/e2e/setup.go:690 @ 04/16/26 18:53:32.251
run-e2e  | [AfterSuite] [PANICKED] [2105.468 seconds]
run-e2e  | [AfterSuite] 
run-e2e  | /app/test/e2e/setup.go:684
run-e2e  | 
run-e2e  |   [PANICKED] Test Panicked
run-e2e  |   In [AfterSuite] at: /app/test/e2e/setup.go:690 @ 04/16/26 18:53:32.251
run-e2e  | 
run-e2e  |   failed to delete cluster: error deleting cluster v4-e2e-V160694354-eastus-miwi: Code="InternalServerError" Message="Internal server error."
run-e2e  |   failed to check resource group aro-v4-e2e-V160694354-eastus-miwi deleted: timed out checking for resource group aro-v4-e2e-V160694354-eastus-miwi to be deleted
run-e2e  |   failed to delete resource group v4-e2e-V160694354-eastus-miwi: error deleting resource group: Future#WaitForCompletion: the number of retries has been exceeded: StatusCode=409 -- Original Error: Code="ResourceGroupDeletionBlocked" Message="Deletion of resource group 'v4-e2e-V160694354-eastus-miwi' failed as resources with identifiers 'Microsoft.Network/routeTables/v4-e2e-V160694354-eastus-miwi-rt,Microsoft.Network/virtualNetworks/dev-vnet,Microsoft.Compute/diskEncryptionSets/v4-e2e-V160694354-eastus-miwi-disk-encryption-set' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is '47648f2f-6b10-4edc-aaac-f583a02271d3'. Please check audit logs for more details." Details=[{"message":"{\"error\":{\"code\":\"InUseRouteTableCannotBeDeleted\",\"message\":\"Route table v4-e2e-V160694354-eastus-miwi-rt is in use and cannot be deleted.\",\"details\":[]}}","target":"/subscriptions/***/resourceGroups/v4-e2e-V160694354-eastus-miwi/providers/Microsoft.Network/routeTables/v4-e2e-V160694354-eastus-miwi-rt"},{"message":"{\"error\":{\"code\":\"InUseSubnetCannotBeDeleted\",\"message\":\"Subnet v4-e2e-V160694354-eastus-miwi-worker is in use by /subscriptions/***/resourceGroups/ARO-V4-E2E-V160694354-EASTUS-MIWI/providers/Microsoft.Network/networkInterfaces/V4-E2E-V160694354-EAS-NRDMK-WORKER-EASTUS3-Z2DLG-NIC/ipConfigurations/PIPCONFIG and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.\",\"details\":[]}}","target":"/subscriptions/***/resourceGroups/v4-e2e-V160694354-eastus-miwi/providers/Microsoft.Network/virtualNetworks/dev-vnet"},{"message":"{\"error\":{\"code\":\"OperationNotAllowed\",\"message\":\"DiskEncryptionSet 'v4-e2e-V160694354-eastus-miwi-disk-encryption-set' is being used by resource 'v4-e2e-v160694354-eas-nrdmk-master-0_OSDisk' and cannot be deleted.\"}}","target":"/subscriptions/***/resourceGroups/v4-e2e-V160694354-eastus-miwi/providers/Microsoft.Compute/diskEncryptionSets/v4-e2e-V160694354-eastus-miwi-disk-encryption-set"}]
run-e2e  | 
run-e2e  |   Full Stack Trace
run-e2e  |     github.com/Azure/ARO-RP/test/e2e.init.func56()
run-e2e  |     	/app/test/e2e/setup.go:690 +0xe5
run-e2e  | ------------------------------
run-e2e  | [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
run-e2e  | autogenerated by Ginkgo
run-e2e  | [ReportAfterSuite] PASSED [0.009 seconds]
run-e2e  | ------------------------------
run-e2e  | 
run-e2e  | Summarizing 1 Failure:
run-e2e  |   [PANICKED!] [AfterSuite] 
run-e2e  |   /app/test/e2e/setup.go:690
run-e2e  | 
run-e2e  | Ran 74 of 97 Specs in 5626.275 seconds
run-e2e  | FAIL! -- 74 Passed | 0 Failed | 5 Pending | 18 Skipped
run-e2e  | --- FAIL: TestE2E (5626.29s)
run-e2e  | FAIL