
[aks-preview] Use bastion subscription from resource ID in az aks bastion #33581

Draft
Copilot wants to merge 1 commit into dev from copilot/fix-aks-bastion-subscription-issue

Copilot AI commented Jun 17, 2026


Related command
az aks bastion

Description
az aks bastion was forwarding the AKS/current CLI subscription to az network bastion tunnel even when --bastion was a full resource ID in another subscription. This updates bastion resolution to preserve the bastion host's subscription and uses that subscription when creating the tunnel.

  • Bastion resource parsing

    • Extend bastion resource parsing to retain subscriptionId when --bastion is provided as a full resource ID.
    • Keep existing behavior unchanged for name-based bastion lookup.
  • Tunnel command construction

    • Pass the bastion host subscription, not the AKS cluster subscription, to az network bastion tunnel.
    • Scope bastion lookup and tunnel creation consistently to the bastion resource's subscription.
  • Targeted coverage

    • Add focused coverage for cross-subscription bastion resource IDs to verify the tunnel command is built with the correct --subscription.

Example:

az aks bastion \
  -g aks-resource-group \
  -n aks-cluster \
  --subscription <aks-subscription> \
  --bastion /subscriptions/<hub-subscription>/resourceGroups/bastion-rg/providers/Microsoft.Network/bastionHosts/bastion-name

Expected tunnel invocation after this change:

az network bastion tunnel \
  --resource-group bastion-rg \
  --name bastion-name \
  --target-resource-id /subscriptions/<aks-subscription>/resourceGroups/aks-resource-group/providers/Microsoft.ContainerService/managedClusters/aks-cluster \
  --subscription <hub-subscription>

Testing Guide

# AKS in subscription A, Bastion in subscription B
az aks bastion -g <aks-rg> -n <aks-name> --subscription <sub-a> \
  --bastion /subscriptions/<sub-b>/resourceGroups/<bastion-rg>/providers/Microsoft.Network/bastionHosts/<bastion-name> --verbose

Verify the verbose output shows az network bastion tunnel ... --subscription <sub-b>.

History Notes
[aks-preview] az aks bastion: use the bastion host subscription when --bastion is a cross-subscription resource ID


This checklist is used to make sure that common guidelines for a pull request are followed.
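
The resolution this PR describes, as an added example (not the code from this PR or from azure-cli): a full `--bastion` resource ID supplies the subscription for the tunnel, while the target stays in the AKS subscription. The function names are hypothetical, the subscription GUIDs used with it are constructed, and the fallback of a name-only value to the AKS subscription and resource group is an assumption.

```python
import re

# Assumed shape of a full bastion host resource ID; matched case-insensitively
# because ARM resource IDs are case-insensitive.
_BASTION_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/bastionHosts/(?P<name>[^/]+)/?$",
    re.IGNORECASE,
)


def resolve_bastion(bastion, aks_subscription, aks_resource_group):
    """Return (subscription, resource_group, name) for the bastion host."""
    if bastion.startswith("/"):
        match = _BASTION_ID.match(bastion)
        if match is None:
            # Fail closed: a malformed ID must not silently fall back to the
            # AKS subscription and point the tunnel at a different bastion.
            raise ValueError(f"not a bastionHosts resource ID: {bastion!r}")
        return match["sub"], match["rg"], match["name"]
    # Name-only value: assumed here to live beside the cluster.
    return aks_subscription, aks_resource_group, bastion


def build_tunnel_args(bastion, aks_subscription, aks_resource_group, aks_name):
    """Build the argv for the tunnel call shown in the PR description."""
    sub, rg, name = resolve_bastion(bastion, aks_subscription, aks_resource_group)
    # The target is always the AKS cluster, in the AKS subscription.
    target = (
        f"/subscriptions/{aks_subscription}/resourceGroups/{aks_resource_group}"
        f"/providers/Microsoft.ContainerService/managedClusters/{aks_name}"
    )
    # An argv list rather than a shell string, so IDs are never re-parsed by a shell.
    return [
        "az", "network", "bastion", "tunnel",
        "--resource-group", rg,
        "--name", name,
        "--target-resource-id", target,
        "--subscription", sub,  # bastion host subscription, not the cluster's
    ]
```
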


azure-client-tools-bot-prd Bot commented Jun 17, 2026

✔️AzureCLI-FullTest
✔️ on profile latest with Python 3.12 and 3.14, for each module:
acr, acs, advisor, ams, apim, appconfig, appservice, aro, backup, batch, batchai, billing, botservice, cdn, cloud, cognitiveservices, compute_recommender, computefleet, config, configure, consumption, container, containerapp, core, cosmosdb, databoxedge, dls, dms, eventgrid, eventhubs, feedback, find, hdinsight, identity, iot, keyvault, lab, managedservices, maps, marketplaceordering, monitor, mysql, netappfiles, network, policyinsights, postgresql, privatedns, profile, rdbms, redis, relay, resource, role, search, security, servicebus, serviceconnector, servicefabric, signalr, sql, sqlvm, storage, synapse, telemetry, util, vm


azure-client-tools-bot-prd Bot commented Jun 17, 2026

✔️AzureCLI-BreakingChangeTest
✔️Non Breaking Changes

Copilot AI linked an issue Jun 17, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Fix az aks bastion fails when bastion is on a different subscription [aks-preview] Use bastion subscription from resource ID in az aks bastion Jun 17, 2026
Copilot AI requested a review from a0x1ab June 17, 2026 22:44

yonzhan commented Jun 17, 2026


aks-preview

@azclibot


Live test results — azdev test network --live --series

FAIL (exit 1)

Target: network (module)
PR head ref: copilot/fix-aks-bastion-subscription-issue
PR head sha: 7011741e4026963d13fc18396c731ce1a2013c4a
PR base ref: dev
New test files in PR: false

Workflow run: https://github.com/Azure/issue-sentinel/actions/runs/27864929635

Last 80 lines of azdev output

    def _handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception ResourceNotFoundError during execution and fails the command.

azure-cli/src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_dns_commands.DnsZoneImportTest testMethod=test_dns_zone10_import>
resource_group = 'cli_dns_zone10_import27n5p7wecjec3e35sbmd5qicwkbjeowp3n2y3u2edfwnyxhin2wbvq'

    @ResourceGroupPreparer(name_prefix='cli_dns_zone10_import')
    def test_dns_zone10_import(self, resource_group):
>       self._test_zone('dnstestzone10.com', 'zone10.txt')

azure-cli/src/azure-cli/azure/cli/command_modules/network/tests/latest/test_dns_commands.py:137: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
azure-cli/src/azure-cli/azure/cli/command_modules/network/tests/latest/test_dns_commands.py:56: in _test_zone
    self.cmd('network dns zone import -n {zone} -g {rg} --file-name "{export}"')
azure-cli/src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self._in_process_execute(cli_ctx, command, expect_failure=expect_failure)
azure-cli/src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in _in_process_execute
    raise ex.exception
.venv/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli-core/azure/cli/core/commands/__init__.py:677: in execute
    raise ex
azure-cli/src/azure-cli-core/azure/cli/core/commands/__init__.py:820: in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli-core/azure/cli/core/commands/__init__.py:789: in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli-core/azure/cli/core/commands/__init__.py:335: in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli/azure/cli/command_modules/network/custom.py:2831: in import_zone
    root_soa = DNSRecordSetSOAShow(cli_ctx=cmd.cli_ctx)(command_args={
azure-cli/src/azure-cli-core/azure/cli/core/aaz/_command.py:154: in __call__
    return self._handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
azure-cli/src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/dns/record_set/_show.py:27: in _handler
    self._execute_operations()
azure-cli/src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/dns/record_set/_show.py:67: in _execute_operations
    self.RecordSetsGet(ctx=self.ctx)()
azure-cli/src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/dns/record_set/_show.py:91: in __call__
    return self.on_error(session.http_response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <azure.cli.command_modules.network.aaz.latest.network.dns.record_set._show.Show.RecordSetsGet object at 0x7f260d592a50>
response = <RequestsTransportResponse: 404 Not Found, Content-Type: application/json; charset=utf-8>

    def on_error(self, response):
        """ handle errors in response
        """
        # raise common http errors
        error_type = self.error_map.get(response.status_code)
        if error_type:
>           raise error_type(response=response)
E           azure.core.exceptions.ResourceNotFoundError: (ParentResourceNotFound) Failed to perform 'read' on resource(s) of type 'dnszones/SOA', because the parent resource '/subscriptions/0c302431-1ad0-4187-87c9-d4cebcf7edc2/resourceGroups/cli_dns_zone10_import27n5p7wecjec3e35sbmd5qicwkbjeowp3n2y3u2edfwnyxhin2wbvq/providers/Microsoft.Network/dnszones/dnstestzone10.com' could not be found.
E           Code: ParentResourceNotFound
E           Message: Failed to perform 'read' on resource(s) of type 'dnszones/SOA', because the parent resource '/subscriptions/0c302431-1ad0-4187-87c9-d4cebcf7edc2/resourceGroups/cli_dns_zone10_import27n5p7wecjec3e35sbmd5qicwkbjeowp3n2y3u2edfwnyxhin2wbvq/providers/Microsoft.Network/dnszones/dnstestzone10.com' could not be found.

azure-cli/src/azure-cli-core/azure/cli/core/aaz/_operation.py:324: ResourceNotFoundError
!!!!!!!!!!!!!!!!!!!!!!!!!! stopping after 1 failures !!!!!!!!!!!!!!!!!!!!!!!!!!!
=================== 1 failed, 1 passed, 1 skipped in 52.61s ====================

Posted by agent-assist live-test workflow.

@azclibot azclibot left a comment


Agent Review — PR #33581

@copilot, there are failures that need attention before this PR can be merged.

CI Check Failures

| Check | Result |
| --- | --- |
| Azure.azure-cli (Build) | ❌ Failed — Build #20260617.20 failed |
| Check PR Title/Content Format | ❌ Failed — 1 error |

47/49 checks passed.

Live Test Result

❌ The live-test workflow also failed: run #27864929635

Action Required

  1. Fix the PR title/content format issue — the title [aks-preview] Use bastion subscription from resource ID in `az aks bastion` may have formatting or naming convention issues per Azure CLI PR standards.
  2. Investigate the build failure linked above and resolve any errors.
  3. Re-run or address the live-test failure.

Posted by agent-assist (autonomous bug-fix pipeline).


Development

Successfully merging this pull request may close these issues.

az aks bastion fails when bastion is on a different Subscription
