azure: Disallow cross subscription encryption sets

rna-afk · rna-afk · commit 2a64205f3bc0 · 2026-02-24T13:08:17.000-05:00
Since CAPZ does not support using encryption sets in a subscription
not in the current subscription, adding a validation to return
error if the subscriptions don't match.
diff --git a/pkg/asset/installconfig/azure/client.go b/pkg/asset/installconfig/azure/client.go
@@ -318,6 +318,9 @@ func (c *Client) GetVirtualMachineSku(ctx context.Context, name, region string)
 
 // GetDiskEncryptionSet retrieves the specified disk encryption set.
 func (c *Client) GetDiskEncryptionSet(ctx context.Context, subscriptionID, groupName, diskEncryptionSetName string) (*azenc.DiskEncryptionSet, error) {
+	if c.ssn.Credentials.SubscriptionID != subscriptionID {
+		return nil, fmt.Errorf("different subscription from resource group subscription. CAPZ does not support cross subscription encryption sets")
+	}
 	client := azenc.NewDiskEncryptionSetsClientWithBaseURI(c.ssn.Environment.ResourceManagerEndpoint, subscriptionID)
 	client.Authorizer = c.ssn.Authorizer
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
@@ -327,7 +330,6 @@ func (c *Client) GetDiskEncryptionSet(ctx context.Context, subscriptionID, group
 	if err != nil {
 		return nil, fmt.Errorf("failed to get disk encryption set: %w", err)
 	}
-
 	return &diskEncryptionSet, nil
 }
 
