
Provider parameter auxiliary_tenant_ids not working when authenticating with Secret Value or Az CLI #419

Open
nikitagrimmred opened this issue Feb 21, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@nikitagrimmred

I have been trying to deploy networks with peering to a hub in another tenant using the AzApi provider. I need to do so since I generate a dynamic number of subscriptions, making me unable to use the AzureRm provider as they require a fixed subscription.

Now I have run into the issue where I connect with an app registration and a client secret, and the cross-tenant deployment simply does not work, even after using the auxiliary_tenant_ids parameter. Using the same setting in the AzureRm provider, as well as running the equivalent command in the Az CLI, made the peering work.

The error received when running the AzApi is always a LinkedAuthorizationFailed error, with the more detailed error message being "... however the current tenant '***' is not authorized to access linked subscription '***'".

I also tried Azure CLI authentication, and the auxiliary_tenant_ids parameter still did not work. I also looked at the source code of the AzApi and manually set the environment variable AZURE_ADDITIONALLY_ALLOWED_TENANTS to *, but that also did not work. I cannot confirm whether it worked with other authentication methods because those were not available to me (MSI & OIDC), but at least I feel confident to say that the deployment across tenants did not work even when specifying the field.

The AzApi resource call that did not work. azapi_resource.vnet_spoke is a deployment of multiple networks.

# Peering created on the hub VNet (parent_id) pointing at each spoke VNet.
# The remoteVirtualNetwork lives in the other tenant, which is the linked
# resource the LinkedAuthorizationFailed error refers to.
resource "azapi_resource" "peering_spoke_hub" {
  for_each  = azapi_resource.vnet_spoke
  type      = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-08-01"
  parent_id = data.azurerm_virtual_network.hub.id
  name      = "peering-hub-spoke"
  body = jsonencode({
    properties = {
      remoteVirtualNetwork = { id = each.value.id }
      # peering flags belong under properties in the ARM schema
      allowVirtualNetworkAccess = true
      allowForwardedTraffic     = true
      allowGatewayTransit       = true
      useRemoteGateways         = false
    }
  })
}

The AzureRm resource call that did work in the cross-tenant scenario is:

# Same peering expressed with the AzureRm provider; azurerm's
# auxiliary_tenant_ids setting makes the cross-tenant reference work here.
resource "azurerm_virtual_network_peering" "peering_hub_spoke" {
  for_each                     = azapi_resource.vnet_spoke
  name                         = "peering-hub-spoke"
  resource_group_name          = data.azurerm_virtual_network.hub.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.hub.name
  remote_virtual_network_id    = each.value.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = true
  use_remote_gateways          = false
}

I hope you can look into this issue and hopefully resolve it.

Best wishes
Niko
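What auxiliary_tenant_ids actually does on the wire, as an added example that is not code from the AzApi provider or from the issue author: for a cross-tenant Resource Manager request the caller's normal bearer token goes in Authorization, and the provider additionally acquires one token per auxiliary tenant and sends them in the x-ms-authorization-auxiliary header; ARM uses those auxiliary tokens to authorize access to the linked resource (here the remote VNet) in the other tenant. The check below builds those headers and, before sending anything, verifies that at least one token in the request was issued by the tenant that owns the linked subscription, reporting a message in the shape of the LinkedAuthorizationFailed error otherwise. The tenant IDs, subscription ID, subscription-to-tenant map and the unsigned tokens are all constructed for the example; nothing here contacts Azure.

```python
"""Pre-flight tenant check for cross-tenant ARM requests (added example).

Not code from the AzAPI provider or the issue author. Tenant/subscription
IDs, the subscription-to-tenant map and the tokens are constructed here so
the check runs offline.
"""
import base64
import json
import re
from typing import Dict, List, Optional, Set

SUB_RE = re.compile(r"/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token (alg=none) that only carries claims for the demo.
    Real tokens are signed by Entra ID; never accept alg=none anywhere else."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: diagnostic use only.
    ARM validates the signature; this check only asks which tenant (tid) issued it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def arm_headers(primary_token: str, auxiliary_tokens: List[str]) -> Dict[str, str]:
    """Headers for one ARM call: primary token in Authorization, one token per
    auxiliary tenant (same resource-manager audience) in x-ms-authorization-auxiliary."""
    headers = {"Authorization": f"Bearer {primary_token}",
               "Content-Type": "application/json"}
    if auxiliary_tokens:
        headers["x-ms-authorization-auxiliary"] = ", ".join(
            f"Bearer {t}" for t in auxiliary_tokens)
    return headers


def _strip_bearer(value: str) -> str:
    value = value.strip()
    return value[len("Bearer "):] if value.startswith("Bearer ") else value


def tenants_covered(headers: Dict[str, str]) -> Set[str]:
    """tid claims of every bearer token the request carries (primary + auxiliary)."""
    tokens = [_strip_bearer(headers["Authorization"])]
    aux = headers.get("x-ms-authorization-auxiliary", "")
    tokens += [_strip_bearer(t) for t in aux.split(",") if t.strip()]
    return {jwt_claims(t).get("tid") for t in tokens}


def linked_subscription(resource_id: str) -> Optional[str]:
    """Subscription ID embedded in an ARM resource ID, or None."""
    m = SUB_RE.search(resource_id)
    return m.group(1).lower() if m else None


def preflight(headers: Dict[str, str], linked_resource_id: str,
              subscription_tenants: Dict[str, str]) -> Optional[str]:
    """None when some token in the request was issued by the tenant owning the
    linked resource's subscription; otherwise a message shaped like ARM's
    LinkedAuthorizationFailed error for the same situation."""
    sub = linked_subscription(linked_resource_id)
    owner = subscription_tenants.get(sub)
    if owner is None:
        return f"cannot determine the tenant of linked subscription '{sub}'"
    if owner in tenants_covered(headers):
        return None
    current = jwt_claims(_strip_bearer(headers["Authorization"])).get("tid")
    return (f"LinkedAuthorizationFailed: the current tenant '{current}' is not "
            f"authorized to access linked subscription '{sub}'; no token for tenant "
            f"'{owner}' was sent in x-ms-authorization-auxiliary")


# Constructed identifiers for the example (not real tenants or subscriptions).
CURRENT_TENANT = "11111111-1111-1111-1111-111111111111"  # tenant the credential signs in to
LINKED_TENANT = "22222222-2222-2222-2222-222222222222"   # owns the remote VNet's subscription
LINKED_SUB = "33333333-3333-3333-3333-333333333333"
REMOTE_VNET_ID = (f"/subscriptions/{LINKED_SUB}/resourceGroups/rg-spoke"
                  "/providers/Microsoft.Network/virtualNetworks/vnet-spoke")
# In a real check this map would come from GET /subscriptions/{id} (tenantId field).
SUBSCRIPTION_TENANTS = {LINKED_SUB: LINKED_TENANT}
PRIMARY = make_fake_jwt({"tid": CURRENT_TENANT, "aud": "https://management.azure.com/"})
AUXILIARY = make_fake_jwt({"tid": LINKED_TENANT, "aud": "https://management.azure.com/"})

if __name__ == "__main__":
    print(preflight(arm_headers(PRIMARY, []), REMOTE_VNET_ID, SUBSCRIPTION_TENANTS))
    print(preflight(arm_headers(PRIMARY, [AUXILIARY]), REMOTE_VNET_ID, SUBSCRIPTION_TENANTS))
```

To run the same check against real tokens, obtain them per tenant with `az account get-access-token --tenant <tenant-id> --resource https://management.azure.com/` and feed them to arm_headers; if the token request for the auxiliary tenant itself fails, the app registration has not been provisioned as a service principal in that tenant (a multi-tenant app needs consent there first), and no provider setting will get past that.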

@ms-henglu (Collaborator)

Hi @nikitagrimmred ,

Thank you for taking the time to report this issue, and apologies for the late response.

I'll investigate and fix this bug, thanks!

@ms-henglu ms-henglu added the bug Something isn't working label May 22, 2024