Azure · theunrepentantgeek · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 20, 2025
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	. "github.com/onsi/gomega"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -71,6 +72,8 @@ func Test_DataProtection_BackupInstance_20231101_CRUD(t *testing.T) {
 		},
 	}
 
+	addAnnotation(&blobService.ObjectMeta, "serviceoperator.azure.com/reconcile-policy", "detach-on-delete")
+
 	blobContainer := &storage.StorageAccountsBlobServicesContainer{
 		ObjectMeta: tc.MakeObjectMeta("velero"),
 		Spec: storage.StorageAccountsBlobServicesContainer_Spec{
@@ -308,3 +311,17 @@ func newBackupInstanceManagedCluster(tc *testcommon.KubePerTestContext, rg *reso
 	}
 	return cluster
 }
+
+func addAnnotation(
+	obj *v1.ObjectMeta,
+	key string,
+	value string,
+) {
+	annotations := obj.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+
+	annotations[key] = value
+	obj.SetAnnotations(annotations)
+}
@@ -38,8 +38,9 @@ const (
 type DeleteAction string
 
 const (
-	DeleteActionBeginDelete   = DeleteAction("BeginDelete")
-	DeleteActionMonitorDelete = DeleteAction("MonitorDelete")
+	DeleteActionBeginDelete        = DeleteAction("BeginDelete")
+	DeleteActionMonitorDelete      = DeleteAction("MonitorDelete")
+	DeleteActionNotPossibleInAzure = DeleteAction("NotPossibleInAzure")
 )
 
 type (

@@ -26,6 +26,7 @@ import (
 	"github.com/Azure/azure-service-operator/v2/internal/reconcilers/arm/errorclassification"
 	"github.com/Azure/azure-service-operator/v2/internal/reflecthelpers"
 	"github.com/Azure/azure-service-operator/v2/internal/resolver"
+	"github.com/Azure/azure-service-operator/v2/pkg/common/annotations"
 	"github.com/Azure/azure-service-operator/v2/pkg/common/labels"
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime"
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime/conditions"
@@ -129,6 +130,11 @@ func (r *azureDeploymentReconcilerInstance) DetermineDeleteAction() (DeleteActio
 		return DeleteActionMonitorDelete, r.MonitorDelete, nil
 	}
 
+	if !genruntime.ResourceOperationDelete.IsSupportedBy(r.Obj) {
+		// Resource doesn't support delete, so we just remove the finalizer and stop managing it
+		return DeleteActionNotPossibleInAzure, r.DeleteNotPossibleInAzure, nil
+	}
+
 	return DeleteActionBeginDelete, r.StartDeleteOfResource, nil
 }
 
@@ -205,6 +211,23 @@ func (r *azureDeploymentReconcilerInstance) MonitorDelete(ctx context.Context) (
 	return ctrl.Result{Requeue: true, RequeueAfter: retryAfter}, nil
 }
 
+// DeleteNotPossibleInAzure is used when the underlying Azure resource doesn't support direct deletion, so we return an error.
+func (r *azureDeploymentReconcilerInstance) DeleteNotPossibleInAzure(ctx context.Context) (ctrl.Result, error) {
+	msg := fmt.Sprintf(
+		"Resource does not support deletion in Azure; set annotation %s: %s to permit deletion in Kubernetes",
+		annotations.ReconcilePolicy,
+		annotations.ReconcilePolicyDetachOnDelete)
+	r.Log.V(Verbose).Info(msg)
+	r.Recorder.Event(r.Obj, v1.EventTypeNormal, string(DeleteActionNotPossibleInAzure), msg)
+
+	// Return a meaningful error so that the Ready condition is updated to show the user why the resource can't yet be deleted.
+	return ctrl.Result{},
+		conditions.NewReadyConditionImpactingError(
+			eris.New(msg),
+			conditions.ConditionSeverityError,
+			conditions.ReasonDeletionNotSupported)
+}
+
 func (r *azureDeploymentReconcilerInstance) BeginCreateOrUpdateResource(
 	ctx context.Context,
 ) (ctrl.Result, error) {

@@ -39,6 +39,7 @@ var (
 	ReasonReconcileBlocked                = Reason{Name: "ReconciliationBlocked", RetryClassification: retry.Slow}
 	ReasonReconcilePostponed              = Reason{Name: "ReconciliationPostponed", RetryClassification: retry.Slow}
 	ReasonPostReconcileFailure            = Reason{Name: "PostReconciliationFailure", RetryClassification: retry.Slow}
+	ReasonDeletionNotSupported            = Reason{Name: "DeletionNotSupportedInAzure", RetryClassification: retry.None}
 )
 
 // ReasonFailed is a catch-all error code for when we don't have a more specific error classification

@@ -3,6 +3,8 @@ kind: StorageAccountsBlobService
 metadata:
   name: sqlstorageservice
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: asotestsqlstorageref
@@ -3,6 +3,8 @@ kind: ServersAdvancedThreatProtectionSetting
 metadata:
   name: aso-sample-atp
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-sqlserver

@@ -3,6 +3,8 @@ kind: ServersAuditingSetting
 metadata:
   name: aso-sample-audit
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-sqlserver

@@ -3,6 +3,8 @@ kind: ServersConnectionPolicy
 metadata:
   name: aso-sample-connpolicy
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-sqlserver

@@ -3,6 +3,8 @@ kind: ServersDatabasesAdvancedThreatProtectionSetting
 metadata:
   name: aso-sample-atp
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-db

@@ -3,6 +3,8 @@ kind: ServersDatabasesAuditingSetting
 metadata:
   name: aso-sample-audit
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-db

@@ -3,6 +3,8 @@ kind: ServersDatabasesBackupLongTermRetentionPolicy
 metadata:
   name: aso-sample-longterm-backup-policy
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-db

@@ -3,6 +3,8 @@ kind: ServersDatabasesBackupShortTermRetentionPolicy
 metadata:
   name: aso-sample-shortterm-backup-policy
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-db

@@ -3,6 +3,8 @@ kind: ServersDatabasesSecurityAlertPolicy
 metadata:
   name: aso-sample-alertpolicy
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-db

@@ -3,6 +3,8 @@ kind: ServersDatabasesTransparentDataEncryption
 metadata:
   name: aso-sample-encrypt
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-db

@@ -3,6 +3,8 @@ kind: ServersSecurityAlertPolicy
 metadata:
   name: aso-sample-alertpolicy
   namespace: default
+  annotations: 
+    serviceoperator.azure.com/reconcile-policy: detach-on-delete
 spec:
   owner:
     name: aso-sample-sqlserver