
Bug: SubscriptionMismatch when assigning a private endpoint in another subscription #4296

Open
SaschaJohn opened this issue Sep 26, 2024 · 1 comment
Labels: bug 🪲 Something isn't working; waiting-on-user-response Waiting on more information from the original user before progressing.

Comments


SaschaJohn commented Sep 26, 2024

Version of Azure Service Operator
2.9.0
The version of the operator pod.
azureserviceoperator:v2.9.0

Describe the bug
Sync fails with SubscriptionMismatch when specifying a private endpoint in a subnet in a different subscription than the flexible server.

To Reproduce
Steps to reproduce the behavior:
I'm trying to create a

apiVersion: dbforpostgresql.azure.com/v1api20230601preview
kind: FlexibleServer

in Subscription1 and want to assign a delegatedSubnetArgument in Subscription2
Secret for Subscription1 is fetched from a namespace-scope.
I defined the existing subnet with a resource-scoped secret

apiVersion: network.azure.com/v1api20201101
kind: VirtualNetworksSubnet
metadata:
  creationTimestamp: null
  name: snet--002
  annotations:
    serviceoperator.azure.com/reconcile-policy: detach-on-delete
    serviceoperator.azure.com/credential-from: aso-sub2
spec:
  addressPrefix: 192.168.0.0/24
  azureName: snet-002
  owner:
    armId: /subscriptions/<SUB2>/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet1
  privateEndpointNetworkPolicies: Disabled
  privateLinkServiceNetworkPolicies: Enabled

In the network section of the flexible server, I refer to the delegated subnet:

network:
  delegatedSubnetArgument:
    name: snet-002
  privateDnsZoneArmResourceId:
    armId: /subscriptions/<SUB1>/resourceGroups/rg-1/providers/Microsoft.Network/privateDnsZones/privatelink.postgres.database.azure.com

Expected behavior
The assignment should not be rejected, because of a SubscriptionMismatch

Error message:

Reason: SubscriptionMismatch, Severity: Error, RetryClassification: RetryFast, Cause: 
SubscriptionID "<SUB1>" for "/subscriptions/<SUB1>/resourceGroups/rg-1/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql1" 
resource does not match with Client Credential: "<SUB2>"
matthchr (Member) commented

Can you clarify which resource is getting that error? Is it on the FlexibleServer?

Assuming it is, can you share a bit more of the FlexibleServer configuration? Specifically I want to see what ASO has saved for this annotation: serviceoperator.azure.com/resource-id, and the subscription in the ASO credential secret that this resource is using.

The error you're getting is saying that the value of this annotation (which is added when the resource is initially created) does not match the SubscriptionID in the secret. This could happen if for example you updated the secret to use a different subscription after the resource was created, or if you updated the resource to refer to a different credential (via the credential-from annotation, for example).

matthchr added the waiting-on-user-response label Sep 30, 2024
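An added diagnostic in Python (not ASO's own code): it reproduces the comparison matthchr describes, between the subscription recorded in the resource-id annotation and the subscription of the credential secret the resource actually uses, on constructed data shaped like this report. The secret key AZURE_SUBSCRIPTION_ID and the default secret name aso-credential are assumptions about the credential layout.

```python
import re
from typing import Optional

# Annotation names are taken from the issue text.
RESOURCE_ID_ANNOTATION = "serviceoperator.azure.com/resource-id"
CREDENTIAL_FROM_ANNOTATION = "serviceoperator.azure.com/credential-from"
# Assumed: the key holding the subscription in an ASO credential secret.
SUBSCRIPTION_KEY = "AZURE_SUBSCRIPTION_ID"

_SUB_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)

def arm_subscription(arm_id: str) -> Optional[str]:
    """Return the subscription segment of an ARM ID (lower-cased), or None."""
    m = _SUB_RE.match(arm_id.strip())
    return m.group(1).lower() if m else None

def subscription_mismatch(resource: dict, secrets: dict, default_secret: str) -> Optional[str]:
    """Compare the subscription in the resource-id annotation with the subscription
    of the credential the resource uses (credential-from annotation, else the
    namespace default). Returns a cause string on mismatch, None when consistent."""
    ann = resource.get("metadata", {}).get("annotations", {})
    saved_id = ann.get(RESOURCE_ID_ANNOTATION)
    if saved_id is None:
        return None  # not created in Azure yet: the operator has nothing to compare
    cred_sub = secrets[ann.get(CREDENTIAL_FROM_ANNOTATION, default_secret)][SUBSCRIPTION_KEY]
    res_sub = arm_subscription(saved_id)
    if res_sub != cred_sub.lower():
        return (f'SubscriptionID "{res_sub}" for "{saved_id}" resource does not match '
                f'with Client Credential: "{cred_sub}"')
    return None

# Constructed sample data mirroring the issue; <SUB1>/<SUB2> are placeholders.
SAMPLE_SECRETS = {"aso-credential": {SUBSCRIPTION_KEY: "<SUB1>"},  # assumed namespace default
                  "aso-sub2": {SUBSCRIPTION_KEY: "<SUB2>"}}
SERVER_ID = "/subscriptions/<SUB1>/resourceGroups/rg-1/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql1"
SUBNET_ID = "/subscriptions/<SUB2>/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/snet-002"

def sample_resources() -> dict:
    """Three constructed objects: a consistent server, a consistent subnet, and a
    server whose credential-from was switched to the SUB2 secret after creation."""
    return {
        "server_ok": {"metadata": {"annotations": {RESOURCE_ID_ANNOTATION: SERVER_ID}}},
        "subnet_ok": {"metadata": {"annotations": {RESOURCE_ID_ANNOTATION: SUBNET_ID,
                                                   CREDENTIAL_FROM_ANNOTATION: "aso-sub2"}}},
        "server_wrong_cred": {"metadata": {"annotations": {RESOURCE_ID_ANNOTATION: SERVER_ID,
                                                           CREDENTIAL_FROM_ANNOTATION: "aso-sub2"}}},
    }
```

Feed it the values of the two annotations read with kubectl from the failing FlexibleServer and the subscription from the secret it resolves to; only the third case reproduces the error text in the report.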