azure_rm_deployment should support auxiliary tenants
SUMMARY
Support logging into an auxiliary tenant when deploying an ARM template to be able to use external resources.
ISSUE TYPE
- Feature Idea
COMPONENT NAME
azure_rm_deployment
ADDITIONAL INFORMATION
Some features, in particular Azure Shared Image Gallery (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/shared-image-galleries), allow resources to be shared across Azure tenants (https://docs.microsoft.com/en-us/azure/virtual-machines/linux/share-images-across-tenants). However, this requires logging into two different tenants when deploying a template using resources in different tenants.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant
There is no mechanism for this double authentication directly in ARM.
https://docs.microsoft.com/en-us/answers/questions/52987/using-a-shared-image-gallery-from-another-tenant-w.html
So it needs to be implemented in the tools running the ARM deployment. This is implemented in az cli when using the az cli deployment group command (https://github.com/Azure/azure-cli/issues/11151) and it was also implemented in Terraform (https://github.com/terraform-providers/terraform-provider-azurerm/pull/4290).
This could be implemented in Ansible azure_rm_deployment by adding an aux_tenant parameter.
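The double authentication described in the issue above, as an added example (not part of the original issue and not code from Ansible, az cli or Terraform): ARM's multi-tenant authentication takes the primary tenant's token in `Authorization` and up to three other tenants' tokens in the `x-ms-authorization-auxiliary` header. The function names, tenant ids and tokens are constructed for illustration, and the `tid` comparison is a local sanity check before sending, not signature verification.

```python
import base64
import json

MAX_AUX_TOKENS = 3  # ARM accepts at most three auxiliary tokens per request


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_arm_headers(primary_token, primary_tenant, aux_tokens):
    """aux_tokens maps auxiliary tenant id -> access token issued by that tenant."""
    if len(aux_tokens) > MAX_AUX_TOKENS:
        raise ValueError("ARM accepts at most %d auxiliary tokens" % MAX_AUX_TOKENS)
    if jwt_claims(primary_token).get("tid") != primary_tenant:
        raise ValueError("primary token was not issued by the primary tenant")
    for tenant, token in aux_tokens.items():
        if tenant == primary_tenant:
            raise ValueError("auxiliary tenant must differ from the primary tenant")
        # Catch a token minted for the wrong tenant before it leaves the host.
        if jwt_claims(token).get("tid") != tenant:
            raise ValueError("token for %s carries a different tid claim" % tenant)
    headers = {"Authorization": "Bearer " + primary_token,
               "Content-Type": "application/json"}
    if aux_tokens:
        headers["x-ms-authorization-auxiliary"] = ", ".join(
            "Bearer " + t for t in aux_tokens.values())
    return headers


def fake_token(tid):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"tid": tid}), "sig"])


if __name__ == "__main__":
    # Placeholder tenant ids: "home" owns the subscription, "gallery" owns the image.
    home, gallery = "tenant-a-placeholder", "tenant-b-placeholder"
    hdrs = build_arm_headers(fake_token(home), home, {gallery: fake_token(gallery)})
    print(sorted(hdrs))
```

In a real deployment the tokens would come from one login per tenant with the same service principal, and the headers would accompany the deployment request to ARM.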
@eberkut Thank you for submitting this question! We will investigate this issue.
I have the same problem. I would like to deploy a VM in a tenant that's different than the one shared image gallery is using.