Open cjasset opened 5 months ago
Hi,
If we implement this I think it will mean that we cannot cancel the subscription, or deploy any resources into it - do you concur?
If this is the case then I believe that the value of this module is lost. WDYT?
Perhaps a better use case will be to reduce blast radius by using different provider credentials via CI/CD.
Description
When creating a new subscription by default the principal creating the subscription is added to the RBAC Owner role on the subscription. Even in the case of using an SPN that has been delegated the SubscriptionCreator role. The result is an ever increasing scope of access and blast radius for the SPN used for vending subscription. This behavior can be overridden by providing the subscriptionOwnerId and subscriptionTenantId properties. (https://learn.microsoft.com/en-us/rest/api/subscription/alias/create?view=rest-subscription-2021-10-01&tabs=HTTP#putaliasrequestadditionalproperties)
Describe the solution you'd like
The module should be updated to provide these additional properties so that organizations can specify a different principal for the Owner role. This would reduce the risk and blast radius of the SPN used for vending subscriptions.
Additional context