Fix Azure Low Priority VM deprecation for Batch Managed accounts (#6258)

Azure Low Priority VMs are deprecated in Batch Managed pool allocation mode but
still supported in User Subscription mode. This adds validation to:
- Block low priority VMs for Batch Managed accounts with clear error message
- Allow low priority VMs for User Subscription accounts
- Gracefully handle unknown allocation modes with warnings

Adds subscriptionId to config to enable retrieval of this value. If not
supplied Nextflow will raise a warning and continue. This does open us
up to being able to do more with Azure Batch because we have access to
the management API.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: adamrtalbot <[email protected]>

Author: adamrtalbot

plugins/nf-azure/build.gradle

@@ -46,6 +46,9 @@ dependencies {
     api('com.azure:azure-identity:1.15.1') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
     }
+    api('com.azure.resourcemanager:azure-resourcemanager-batch:1.1.0-beta.4') {
+        exclude group: 'org.slf4j', module: 'slf4j-api'
+    }
 
     // address security vulnerabilities
     runtimeOnly 'io.netty:netty-handler:4.1.118.Final'

plugins/nf-azure/src/main/nextflow/cloud/azure/batch/AzBatchExecutor.groovy

@@ -86,6 +86,38 @@ class AzBatchExecutor extends Executor implements ExtensionPoint {
         }
     }
 
+    protected void validateLowPriorityVMs() {
+        // Check if any pool has lowPriority enabled
+        def lowPriorityPools = config.batch().pools.findAll { poolName, poolOpts -> 
+            poolOpts.lowPriority 
+        }
+        
+        if( lowPriorityPools ) {
+            def poolNames = lowPriorityPools.keySet().join(', ')
+            
+            // Get the pool allocation mode to determine if low priority VMs are allowed
+            def poolAllocationMode = batchService.getPoolAllocationMode()
+            log.debug "[AZURE BATCH] Pool allocation mode determined as: ${poolAllocationMode}"
+            
+            if( poolAllocationMode == 'BATCH_SERVICE' || poolAllocationMode == 'BatchService' ) {
+                throw new AbortOperationException("Azure Low Priority VMs are deprecated and no longer supported for Batch Managed pool allocation mode. " +
+                    "Please update your configuration to use standard VMs instead, or migrate to User Subscription pool allocation mode. " +
+                    "Affected pools: ${poolNames}. " +
+                    "Remove 'lowPriority: true' from your pool configuration or set 'lowPriority: false'.")
+            } else if( poolAllocationMode == 'USER_SUBSCRIPTION' || poolAllocationMode == 'UserSubscription' ) {
+                // Low Priority VMs are still supported in User Subscription mode, proceed without warning
+                log.debug "[AZURE BATCH] User Subscription mode detected, allowing low priority VMs in pools: ${poolNames}"
+            } else {
+                // If we can't determine the pool allocation mode, show a warning but allow execution
+                log.warn "[AZURE BATCH] Unable to determine pool allocation mode (got: ${poolAllocationMode}). " +
+                    "Low Priority VMs are configured in pools: ${poolNames}. " +
+                    "Please note that Low Priority VMs are deprecated in Batch Managed accounts. " +
+                    "If you're using a Batch Managed account, please update your configuration to use standard VMs. " +
+                    "To enable automatic detection, set azure.batch.subscriptionId in your config or AZURE_SUBSCRIPTION_ID environment variable."
+            }
+        }
+    }
+
     protected void uploadBinDir() {
         /*
          * upload local binaries
@@ -120,6 +152,7 @@ class AzBatchExecutor extends Executor implements ExtensionPoint {
         initBatchService()
         validateWorkDir()
         validatePathDir()
+        validateLowPriorityVMs()
         uploadBinDir()
     }
 

plugins/nf-azure/src/main/nextflow/cloud/azure/batch/AzBatchService.groovy

@@ -388,6 +388,102 @@ class AzBatchService implements Closeable {
         return builder.buildClient()
     }
 
+    /**
+     * Determines the pool allocation mode of the Azure Batch account
+     * @return The pool allocation mode ('BatchService' or 'UserSubscription'), or null if it cannot be determined
+     */
+    @Memoized
+    protected String getPoolAllocationMode() {
+        try {
+            // Get batch account name from endpoint
+            final accountName = extractAccountName(config.batch().endpoint)
+            if (!accountName) {
+                log.debug "[AZURE BATCH] Cannot extract account name from endpoint"
+                return null
+            }
+            
+            // Get subscription ID
+            final subscriptionId = config.batch().subscriptionId
+            if (!subscriptionId) {
+                log.debug "[AZURE BATCH] No subscription ID configured. Set azure.batch.subscriptionId or AZURE_SUBSCRIPTION_ID"
+                return null
+            }
+            
+            // Get Azure credentials
+            final credential = getAzureCredential()
+            if (!credential) {
+                log.debug "[AZURE BATCH] No valid credentials for Azure Resource Manager"
+                return null
+            }
+            
+            // Create BatchManager with proper configuration
+            final batchManager = createBatchManager(credential, subscriptionId)
+            
+            // Find the batch account
+            return findBatchAccountPoolMode(batchManager, accountName)
+            
+        } catch (Exception e) {
+            log.warn "[AZURE BATCH] Failed to determine pool allocation mode: ${e.message}", e
+            return null
+        }
+    }
+    
+    /**
+     * Extract account name from batch endpoint URL
+     */
+    private String extractAccountName(String endpoint) {
+        if (!endpoint) return null
+        // Format: https://accountname.region.batch.azure.com
+        return endpoint.split('\\.')[0].replace('https://', '')
+    }
+    
+    /**
+     * Get Azure credentials based on configuration
+     */
+    private TokenCredential getAzureCredential() {
+        if (config.managedIdentity().isConfigured()) {
+            return createBatchCredentialsWithManagedIdentity()
+        } else if (config.activeDirectory().isConfigured()) {
+            return createBatchCredentialsWithServicePrincipal()
+        }
+        return null
+    }
+    
+    /**
+     * Create and configure BatchManager
+     */
+    private com.azure.resourcemanager.batch.BatchManager createBatchManager(TokenCredential credential, String subscriptionId) {
+        // AzureProfile constructor: (tenantId, subscriptionId, environment)
+        final profile = new com.azure.core.management.profile.AzureProfile(
+            null, // tenantId - null to use default
+            subscriptionId,
+            com.azure.core.management.AzureEnvironment.AZURE
+        )
+        
+        // Use configure().authenticate() pattern to ensure proper initialization
+        return com.azure.resourcemanager.batch.BatchManager
+            .configure()
+            .authenticate(credential, profile)
+    }
+    
+    /**
+     * Find batch account and return its pool allocation mode
+     */
+    private String findBatchAccountPoolMode(com.azure.resourcemanager.batch.BatchManager batchManager, String accountName) {
+        log.debug "[AZURE BATCH] Searching for account '${accountName}'"
+        
+        for (batchAccount in batchManager.batchAccounts().list()) {
+            if (batchAccount.name() == accountName) {
+                final poolMode = batchAccount.poolAllocationMode()
+                log.debug "[AZURE BATCH] Found account with pool allocation mode: ${poolMode}"
+                return poolMode?.toString()
+            }
+        }
+        
+        log.debug "[AZURE BATCH] Account '${accountName}' not found in subscription"
+        return null
+    }
+
     AzTaskKey submitTask(TaskRun task) {
         final poolId = getOrCreatePool(task)
         final jobId = getOrCreateJob(poolId, task)

plugins/nf-azure/src/main/nextflow/cloud/azure/config/AzBatchOpts.groovy

@@ -48,6 +48,7 @@ class AzBatchOpts implements CloudTransferOptions {
     String accountKey
     String endpoint
     String location
+    String subscriptionId
     Boolean autoPoolMode
     Boolean allowPoolCreation
     Boolean terminateJobsOnCompletion
@@ -67,6 +68,7 @@ class AzBatchOpts implements CloudTransferOptions {
         accountKey = config.accountKey ?: sysEnv.get('AZURE_BATCH_ACCOUNT_KEY')
         endpoint = config.endpoint
         location = config.location
+        subscriptionId = config.subscriptionId ?: sysEnv.get('AZURE_SUBSCRIPTION_ID')
         autoPoolMode = config.autoPoolMode
         allowPoolCreation = config.allowPoolCreation
         terminateJobsOnCompletion = config.terminateJobsOnCompletion != Boolean.FALSE

plugins/nf-azure/src/test/nextflow/cloud/azure/batch/AzBatchExecutorTest.groovy

@@ -0,0 +1,134 @@
+package nextflow.cloud.azure.batch
+
+import nextflow.Session
+import nextflow.cloud.azure.config.AzConfig
+import nextflow.cloud.azure.config.AzBatchOpts
+import nextflow.cloud.azure.config.AzPoolOpts
+import nextflow.exception.AbortOperationException
+import spock.lang.Specification
+
+/**
+ * Test for AzBatchExecutor validation logic
+ */
+class AzBatchExecutorTest extends Specification {
+
+    def 'should validate low priority VMs for BatchService allocation mode'() {
+        given:
+        def CONFIG = [
+            batch: [
+                endpoint: 'https://testaccount.eastus.batch.azure.com',
+                pools: [
+                    'pool1': [vmType: 'Standard_D2_v2', lowPriority: true],
+                    'pool2': [vmType: 'Standard_D2_v2', lowPriority: false]
+                ]
+            ]
+        ]
+        
+        and:
+        def config = new AzConfig(CONFIG)
+        def batchService = Mock(AzBatchService) {
+            getPoolAllocationMode() >> 'BATCH_SERVICE'
+        }
+        
+        and:
+        def executor = new AzBatchExecutor()
+        executor.config = config
+        executor.batchService = batchService
+
+        when:
+        executor.validateLowPriorityVMs()
+
+        then:
+        def e = thrown(AbortOperationException)
+        e.message.contains('Azure Low Priority VMs are deprecated and no longer supported for Batch Managed pool allocation mode')
+        e.message.contains('pool1')
+    }
+
+    def 'should allow low priority VMs for UserSubscription allocation mode'() {
+        given:
+        def CONFIG = [
+            batch: [
+                endpoint: 'https://testaccount.eastus.batch.azure.com',
+                pools: [
+                    'pool1': [vmType: 'Standard_D2_v2', lowPriority: true]
+                ]
+            ]
+        ]
+        
+        and:
+        def config = new AzConfig(CONFIG)
+        def batchService = Mock(AzBatchService) {
+            getPoolAllocationMode() >> 'USER_SUBSCRIPTION'
+        }
+        
+        and:
+        def executor = new AzBatchExecutor()
+        executor.config = config
+        executor.batchService = batchService
+
+        when:
+        executor.validateLowPriorityVMs()
+
+        then:
+        noExceptionThrown()
+    }
+
+    def 'should handle unknown allocation mode gracefully'() {
+        given:
+        def CONFIG = [
+            batch: [
+                endpoint: 'https://testaccount.eastus.batch.azure.com',
+                pools: [
+                    'pool1': [vmType: 'Standard_D2_v2', lowPriority: true]
+                ]
+            ]
+        ]
+        
+        and:
+        def config = new AzConfig(CONFIG)
+        def batchService = Mock(AzBatchService) {
+            getPoolAllocationMode() >> null
+        }
+        
+        and:
+        def executor = new AzBatchExecutor()
+        executor.config = config
+        executor.batchService = batchService
+
+        when:
+        executor.validateLowPriorityVMs()
+
+        then:
+        noExceptionThrown()
+    }
+
+    def 'should not validate when no low priority VMs configured'() {
+        given:
+        def CONFIG = [
+            batch: [
+                endpoint: 'https://testaccount.eastus.batch.azure.com',
+                pools: [
+                    'pool1': [vmType: 'Standard_D2_v2', lowPriority: false],
+                    'pool2': [vmType: 'Standard_D2_v2']
+                ]
+            ]
+        ]
+        
+        and:
+        def config = new AzConfig(CONFIG)
+        def batchService = Mock(AzBatchService) {
+            getPoolAllocationMode() >> 'BATCH_SERVICE'
+        }
+        
+        and:
+        def executor = new AzBatchExecutor()
+        executor.config = config
+        executor.batchService = batchService
+
+        when:
+        executor.validateLowPriorityVMs()
+
+        then:
+        noExceptionThrown()
+    }
+}

plugins/nf-azure/src/test/nextflow/cloud/azure/config/AzBatchOptsTest.groovy

@@ -105,4 +105,26 @@ class AzBatchOptsTest extends Specification {
         then:
         opts3.jobMaxWallClockTime.toString() == '12h'
     }
+
+    def 'should set subscription ID from config or environment' () {
+        when:
+        def opts1 = new AzBatchOpts([:], [:])
+        then:
+        opts1.subscriptionId == null
+
+        when:
+        def opts2 = new AzBatchOpts([subscriptionId: 'config-sub-id'], [:])
+        then:
+        opts2.subscriptionId == 'config-sub-id'
+
+        when:
+        def opts3 = new AzBatchOpts([:], [AZURE_SUBSCRIPTION_ID: 'env-sub-id'])
+        then:
+        opts3.subscriptionId == 'env-sub-id'
+
+        when:
+        def opts4 = new AzBatchOpts([subscriptionId: 'config-sub-id'], [AZURE_SUBSCRIPTION_ID: 'env-sub-id'])
+        then:
+        opts4.subscriptionId == 'config-sub-id'  // config takes precedence over environment
+    }
 }