feat(azure): add NetworkLoadBalancerBackendAddressPool adapter (#4393)

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary

Add a new Azure adapter for Load Balancer Backend Address Pools
(ENG-3327).

## Changes

- **Client interface**: Created
`load-balancer-backend-address-pools-client.go` with `Get` and
`NewListPager` methods
- **Mock**: Generated mock client for unit testing
- **Adapter implementation**:
`network-load-balancer-backend-address-pool.go` implementing
`SearchableWrapper` with:
- `Get` method requiring `loadBalancerName` and `backendAddressPoolName`
query parts
- `Search` and `SearchStream` methods requiring `loadBalancerName` query
part
  - Health status mapping from provisioning state
  - Input validation for empty query parts
- **Linked item queries**:
  - Parent: NetworkLoadBalancer
  - VirtualNetwork (pool and address level)
  - Subnet (from backend addresses)
  - NetworkInterface (from backend IP configurations)
  - InboundNatRule, LoadBalancingRule, OutboundRule references
  - FrontendIPConfiguration (from regional LB references)
  - stdlib NetworkIP (from backend address IP addresses)
- **Registration**: Added to `adapters.go` in both active and
placeholder blocks
- **Unit tests**: Comprehensive tests including StaticTests for linked
queries
- **Integration test**: Setup/Run/Teardown structure with Get, Search,
VerifyLinkedItems, and VerifyItemAttributes tests

## Self-Review Checklist

- [x] **IAMPermissions**: Present, references
`Microsoft.Network/loadBalancers/backendAddressPools/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 10 link types verified (parent LB, VNets,
subnets, NICs, NAT rules, LB rules, outbound rules, frontend IPs, IP
addresses). IP links included.
- [x] **PotentialLinks**: 9 types listed, matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, Search, SearchStream,
StaticTests, ErrorHandling, empty validation)
- [x] **Integration test**: Present, follows Setup/Run/Teardown
structure

All checklist items passed. Ready for review.
<!-- CURSOR_AGENT_PR_BODY_END -->

Linear Issue:
[ENG-3327](https://linear.app/overmind/issue/ENG-3327/create-azure-adapter-networkloadbalancerbackendaddresspool)

<div><a
href="https://cursor.com/agents/bc-6a1336c3-9cda-48d4-a15a-7a3d815ee9eb"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/assets/images/open-in-web-light.png"><img
alt="Open in Web" width="114" height="28"
src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a>&nbsp;<a
href="https://cursor.com/background-agent?bcId=bc-6a1336c3-9cda-48d4-a15a-7a3d815ee9eb"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img
alt="Open in Cursor" width="131" height="28"
src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;</div>

Passing integration test :

<img width="744" height="992" alt="image"
src="https://github.com/user-attachments/assets/7e6806e1-fe22-4786-b4dc-7ded89f001f8"
/>
GitOrigin-RevId: 4c6f3ae3a9e4029379959b970b67009d945c98cf

Author: DavidS-ovm

sources/azure/clients/load-balancer-backend-address-pools-client.go

@@ -0,0 +1,35 @@
+package clients
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v9"
+)
+
+//go:generate mockgen -destination=../shared/mocks/mock_load_balancer_backend_address_pools_client.go -package=mocks -source=load-balancer-backend-address-pools-client.go
+
+// LoadBalancerBackendAddressPoolsPager is a type alias for the generic Pager interface.
+type LoadBalancerBackendAddressPoolsPager = Pager[armnetwork.LoadBalancerBackendAddressPoolsClientListResponse]
+
+// LoadBalancerBackendAddressPoolsClient is an interface for interacting with Azure load balancer backend address pools.
+type LoadBalancerBackendAddressPoolsClient interface {
+	Get(ctx context.Context, resourceGroupName string, loadBalancerName string, backendAddressPoolName string) (armnetwork.LoadBalancerBackendAddressPoolsClientGetResponse, error)
+	NewListPager(resourceGroupName string, loadBalancerName string) LoadBalancerBackendAddressPoolsPager
+}
+
+type loadBalancerBackendAddressPoolsClient struct {
+	client *armnetwork.LoadBalancerBackendAddressPoolsClient
+}
+
+func (a *loadBalancerBackendAddressPoolsClient) Get(ctx context.Context, resourceGroupName string, loadBalancerName string, backendAddressPoolName string) (armnetwork.LoadBalancerBackendAddressPoolsClientGetResponse, error) {
+	return a.client.Get(ctx, resourceGroupName, loadBalancerName, backendAddressPoolName, nil)
+}
+
+func (a *loadBalancerBackendAddressPoolsClient) NewListPager(resourceGroupName string, loadBalancerName string) LoadBalancerBackendAddressPoolsPager {
+	return a.client.NewListPager(resourceGroupName, loadBalancerName, nil)
+}
+
+// NewLoadBalancerBackendAddressPoolsClient creates a new LoadBalancerBackendAddressPoolsClient from the Azure SDK client.
+func NewLoadBalancerBackendAddressPoolsClient(client *armnetwork.LoadBalancerBackendAddressPoolsClient) LoadBalancerBackendAddressPoolsClient {
+	return &loadBalancerBackendAddressPoolsClient{client: client}
+}

sources/azure/integration-tests/authorization-role-assignment_test.go

@@ -68,8 +68,9 @@ func TestAuthorizationRoleAssignmentIntegration(t *testing.T) {
 		t.Fatalf("Failed to get Reader role definition ID: %v", err)
 	}
 
-	// Generate unique role assignment name (GUID)
-	roleAssignmentName := uuid.New().String()
+	// Deterministic role assignment name so re-runs reuse the same assignment ID
+	// instead of conflicting with a prior run's different UUID for the same principal+role combo
+	roleAssignmentName := uuid.NewSHA1(uuid.NameSpaceURL, []byte(principalID+readerRoleDefinitionID+integrationTestResourceGroup)).String()
 	azureScope := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", subscriptionID, integrationTestResourceGroup)
 	setupCompleted := false
 
@@ -83,10 +84,11 @@ func TestAuthorizationRoleAssignmentIntegration(t *testing.T) {
 		}
 
 		// Create role assignment at resource group scope
-		err = createRoleAssignment(ctx, roleAssignmentsClient, azureScope, roleAssignmentName, principalID, readerRoleDefinitionID)
-		if err != nil {
-			t.Fatalf("Failed to create role assignment: %v", err)
+		actualName, createErr := createRoleAssignment(ctx, roleAssignmentsClient, azureScope, roleAssignmentName, principalID, readerRoleDefinitionID)
+		if createErr != nil {
+			t.Fatalf("Failed to create role assignment: %v", createErr)
 		}
+		roleAssignmentName = actualName
 		err = waitForRoleAssignmentAvailable(ctx, roleAssignmentsClient, azureScope, roleAssignmentName)
 		if err != nil {
 			t.Fatalf("Failed waiting for role assignment to be available: %v", err)
@@ -365,29 +367,22 @@ func getReaderRoleDefinitionID(ctx context.Context, client *armauthorization.Rol
 	return "", fmt.Errorf("Reader role definition not found")
 }
 
-// createRoleAssignment creates an Azure role assignment (idempotent)
-func createRoleAssignment(ctx context.Context, client *armauthorization.RoleAssignmentsClient, scope, roleAssignmentName, principalID, roleDefinitionID string) error {
+// createRoleAssignment creates an Azure role assignment (idempotent).
+// Returns the actual assignment name used (may differ from input if a prior run
+// created the same principal+role combo under a different UUID).
+func createRoleAssignment(ctx context.Context, client *armauthorization.RoleAssignmentsClient, scope, roleAssignmentName, principalID, roleDefinitionID string) (string, error) {
 	return createRoleAssignmentWithRemediation(ctx, client, scope, roleAssignmentName, principalID, roleDefinitionID, 0)
 }
 
-func createRoleAssignmentWithRemediation(ctx context.Context, client *armauthorization.RoleAssignmentsClient, scope, roleAssignmentName, principalID, roleDefinitionID string, remediationAttempt int) error {
-	// Check if role assignment already exists
+func createRoleAssignmentWithRemediation(ctx context.Context, client *armauthorization.RoleAssignmentsClient, scope, roleAssignmentName, principalID, roleDefinitionID string, remediationAttempt int) (string, error) {
 	_, err := client.Get(ctx, scope, roleAssignmentName, nil)
 	if err == nil {
 		log.Printf("Role assignment %s already exists, skipping creation", roleAssignmentName)
-		return nil
+		return roleAssignmentName, nil
 	}
 
-	// Create the role assignment
-	// Note: We need to get the principal ID from the current user or a service principal
-	// For integration tests, we'll use Azure CLI to get the current user's object ID
-	// This requires running: az ad signed-in-user show --query id -o tsv
-	// Or using Graph API
-
-	// For now, let's try to create it and handle the error if principal ID is needed
-	// Actually, we should get the principal ID before calling this function
 	if principalID == "" {
-		return fmt.Errorf("principal ID is required to create role assignment")
+		return "", fmt.Errorf("principal ID is required to create role assignment")
 	}
 
 	parameters := armauthorization.RoleAssignmentCreateParameters{
@@ -402,39 +397,68 @@ func createRoleAssignmentWithRemediation(ctx context.Context, client *armauthori
 		var respErr *azcore.ResponseError
 		if errors.As(err, &respErr) {
 			if respErr.StatusCode == http.StatusConflict {
+				if strings.Contains(respErr.Error(), "RoleAssignmentExists") {
+					existingID := extractExistingRoleAssignmentID(respErr.Error())
+					if existingID != "" {
+						log.Printf("Role assignment for this principal+role already exists at scope %s with ID %s, reusing", scope, existingID)
+						return existingID, nil
+					}
+					log.Printf("Role assignment for this principal+role already exists at scope %s, treating as success", scope)
+					return roleAssignmentName, nil
+				}
 				existing, getErr := client.Get(ctx, scope, roleAssignmentName, nil)
 				if getErr == nil && existing.RoleAssignment.ID != nil && *existing.RoleAssignment.ID != "" {
 					log.Printf("Role assignment %s already exists (conflict), verified readable, skipping creation", roleAssignmentName)
-					return nil
+					return roleAssignmentName, nil
 				}
 				var getRespErr *azcore.ResponseError
 				if errors.As(getErr, &getRespErr) && getRespErr.StatusCode == http.StatusNotFound {
 					if remediationAttempt >= 1 {
-						return fmt.Errorf("role assignment %s still in ghost conflict state after remediation (scope=%s): %w", roleAssignmentName, scope, err)
+						return "", fmt.Errorf("role assignment %s still in ghost conflict state after remediation (scope=%s): %w", roleAssignmentName, scope, err)
 					}
 					log.Printf("Detected ghost role-assignment conflict for %s at %s, attempting automatic remediation", roleAssignmentName, scope)
 					if deleteErr := deleteRoleAssignment(ctx, client, scope, roleAssignmentName); deleteErr != nil {
-						return fmt.Errorf("failed to remediate ghost role assignment %s before retry: %w", roleAssignmentName, deleteErr)
+						return "", fmt.Errorf("failed to remediate ghost role assignment %s before retry: %w", roleAssignmentName, deleteErr)
 					}
 					time.Sleep(5 * time.Second)
 					return createRoleAssignmentWithRemediation(ctx, client, scope, roleAssignmentName, principalID, roleDefinitionID, remediationAttempt+1)
 				}
-				return fmt.Errorf("role assignment conflict for %s and failed to verify existing role assignment: %w", roleAssignmentName, getErr)
+				return "", fmt.Errorf("role assignment conflict for %s and failed to verify existing role assignment: %w", roleAssignmentName, getErr)
 			}
 			if respErr.StatusCode == http.StatusForbidden {
-				return fmt.Errorf("insufficient permissions to create role assignment: %w", err)
+				return "", fmt.Errorf("insufficient permissions to create role assignment: %w", err)
 			}
 		}
-		return fmt.Errorf("failed to create role assignment: %w", err)
+		return "", fmt.Errorf("failed to create role assignment: %w", err)
 	}
 
-	// Verify the role assignment was created successfully
 	if resp.RoleAssignment.ID == nil {
-		return fmt.Errorf("role assignment created but ID is unknown")
+		return "", fmt.Errorf("role assignment created but ID is unknown")
 	}
 
 	log.Printf("Role assignment %s created successfully at scope %s", roleAssignmentName, scope)
-	return nil
+	return roleAssignmentName, nil
+}
+
+// extractExistingRoleAssignmentID parses the existing assignment ID from the
+// RoleAssignmentExists error message (format: "...The ID of the existing role
+// assignment is <hex-id-no-dashes>.").
+func extractExistingRoleAssignmentID(errMsg string) string {
+	const marker = "The ID of the existing role assignment is "
+	_, after, ok := strings.Cut(errMsg, marker)
+	if !ok {
+		return ""
+	}
+	rest := after
+	if dotIdx := strings.Index(rest, "."); dotIdx > 0 {
+		rest = rest[:dotIdx]
+	}
+	rest = strings.TrimSpace(rest)
+	if len(rest) != 32 {
+		return rest
+	}
+	// Convert 32-char hex to UUID format (8-4-4-4-12)
+	return rest[:8] + "-" + rest[8:12] + "-" + rest[12:16] + "-" + rest[16:20] + "-" + rest[20:]
 }
 
 // deleteRoleAssignment deletes an Azure role assignment

sources/azure/integration-tests/compute-availability-set_test.go

@@ -385,11 +385,12 @@ func createAvailabilitySet(ctx context.Context, client *armcompute.AvailabilityS
 	// Create the availability set
 	resp, err := client.CreateOrUpdate(ctx, resourceGroupName, avSetName, armcompute.AvailabilitySet{
 		Location: new(location),
+		SKU: &armcompute.SKU{
+			Name: new("Aligned"),
+		},
 		Properties: &armcompute.AvailabilitySetProperties{
 			PlatformFaultDomainCount:  new(int32(2)),
 			PlatformUpdateDomainCount: new(int32(2)),
-			ProximityPlacementGroup:   nil, // Optional - not setting for this test
-			VirtualMachines:           nil, // Will be populated when VMs are added
 		},
 		Tags: map[string]*string{
 			"purpose": new("overmind-integration-tests"),
@@ -579,14 +580,13 @@ func createVirtualMachineWithAvailabilitySetWithRemediation(ctx context.Context,
 		Location: new(location),
 		Properties: &armcompute.VirtualMachineProperties{
 			HardwareProfile: &armcompute.HardwareProfile{
-				// Use Standard_D2ps_v5 - ARM-based VM with good availability in westus2
-				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2ps_v5")),
+				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2s_v3")),
 			},
 			StorageProfile: &armcompute.StorageProfile{
 				ImageReference: &armcompute.ImageReference{
 					Publisher: new("Canonical"),
 					Offer:     new("0001-com-ubuntu-server-jammy"),
-					SKU:       new("22_04-lts-arm64"), // ARM64 image for ARM-based VM
+					SKU:       new("22_04-lts"),
 					Version:   new("latest"),
 				},
 				OSDisk: &armcompute.OSDisk{

sources/azure/integration-tests/compute-virtual-machine-extension_test.go

@@ -444,14 +444,13 @@ func createVirtualMachineForExtensionWithRemediation(ctx context.Context, client
 		Location: new(location),
 		Properties: &armcompute.VirtualMachineProperties{
 			HardwareProfile: &armcompute.HardwareProfile{
-				// Use Standard_D2ps_v5 - ARM-based VM with good availability in westus2
-				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2ps_v5")),
+				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2s_v3")),
 			},
 			StorageProfile: &armcompute.StorageProfile{
 				ImageReference: &armcompute.ImageReference{
 					Publisher: new("Canonical"),
 					Offer:     new("0001-com-ubuntu-server-jammy"),
-					SKU:       new("22_04-lts-arm64"), // ARM64 image for ARM-based VM
+					SKU:       new("22_04-lts"),
 					Version:   new("latest"),
 				},
 				OSDisk: &armcompute.OSDisk{

sources/azure/integration-tests/compute-virtual-machine-run-command_test.go

@@ -444,14 +444,13 @@ func createVirtualMachineForRunCommandWithRemediation(ctx context.Context, clien
 		Location: new(location),
 		Properties: &armcompute.VirtualMachineProperties{
 			HardwareProfile: &armcompute.HardwareProfile{
-				// Use Standard_D2ps_v5 - ARM-based VM with good availability in westus2
-				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2ps_v5")),
+				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2s_v3")),
 			},
 			StorageProfile: &armcompute.StorageProfile{
 				ImageReference: &armcompute.ImageReference{
 					Publisher: new("Canonical"),
 					Offer:     new("0001-com-ubuntu-server-jammy"),
-					SKU:       new("22_04-lts-arm64"), // ARM64 image for ARM-based VM
+					SKU:       new("22_04-lts"),
 					Version:   new("latest"),
 				},
 				OSDisk: &armcompute.OSDisk{

sources/azure/integration-tests/compute-virtual-machine-scale-set_test.go

@@ -409,7 +409,7 @@ func createVirtualMachineScaleSet(ctx context.Context, client *armcompute.Virtua
 	poller, err := client.BeginCreateOrUpdate(ctx, resourceGroupName, vmssName, armcompute.VirtualMachineScaleSet{
 		Location: new(location),
 		SKU: &armcompute.SKU{
-			Name:     new("Standard_B1s"), // Burstable B-series VM - cheaper and more widely available
+			Name:     new("Standard_D2s_v3"),
 			Tier:     new("Standard"),
 			Capacity: new(int64(1)), // Start with 1 instance for testing
 		},
@@ -489,7 +489,7 @@ func createVirtualMachineScaleSet(ctx context.Context, client *armcompute.Virtua
 					retryPoller, retryErr := client.BeginCreateOrUpdate(ctx, resourceGroupName, vmssName, armcompute.VirtualMachineScaleSet{
 						Location: new(location),
 						SKU: &armcompute.SKU{
-							Name:     new("Standard_B1s"),
+							Name:     new("Standard_D2s_v3"),
 							Tier:     new("Standard"),
 							Capacity: new(int64(1)),
 						},

sources/azure/integration-tests/compute-virtual-machine_test.go

@@ -413,14 +413,13 @@ func createVirtualMachineWithRemediation(ctx context.Context, client *armcompute
 		Location: new(location),
 		Properties: &armcompute.VirtualMachineProperties{
 			HardwareProfile: &armcompute.HardwareProfile{
-				// Use Standard_D2ps_v5 - ARM-based VM with good availability in westus2
-				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2ps_v5")),
+				VMSize: new(armcompute.VirtualMachineSizeTypes("Standard_D2s_v3")),
 			},
 			StorageProfile: &armcompute.StorageProfile{
 				ImageReference: &armcompute.ImageReference{
 					Publisher: new("Canonical"),
 					Offer:     new("0001-com-ubuntu-server-jammy"),
-					SKU:       new("22_04-lts-arm64"), // ARM64 image for ARM-based VM
+					SKU:       new("22_04-lts"),
 					Version:   new("latest"),
 				},
 				OSDisk: &armcompute.OSDisk{

sources/azure/integration-tests/helpers_test.go

@@ -25,8 +25,9 @@ var invalidRunIDSanitizer = regexp.MustCompile(`[^a-z0-9-]+`)
 // optionally scoped by AZURE_INTEGRATION_TEST_RUN_ID for parallel runs.
 //
 // Example:
-//   AZURE_INTEGRATION_TEST_RUN_ID=agent-42
-//   => overmind-integration-tests-agent-42
+//
+//	AZURE_INTEGRATION_TEST_RUN_ID=agent-42
+//	=> overmind-integration-tests-agent-42
 func resolveIntegrationTestResourceGroup() string {
 	runID := normalizeIntegrationTestRunID(os.Getenv("AZURE_INTEGRATION_TEST_RUN_ID"))
 	if runID == "" {

sources/azure/integration-tests/network-flow-log_test.go

@@ -6,11 +6,10 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 	"testing"
 	"time"
 
-	"strings"
-
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v9"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2"