Open timway opened 1 year ago
@timway custom `subscription_id` is not available for all kinds of authorization. You can customize the `subscription_id` with az CLI authorization, but SPN auth cannot.
My example uses `env` via `auto`, which, as I understand it, has a service principal behind it. I'm able to use `subscription_id` currently to get resources in a different subscription in some modules but not others. It works that way today because of the code sections I highlighted in my issue. My opinion is that the `subscription_id` module parameter should have the following behavior:
Provided by user directly -> Provided by ENV fallback -> Discovered and assigned as part of auth
Furthermore when referenced in code for doing things like constructing a resource ID it should follow that order of precedence.
@timway Do you want to use 'subscription_id' in the parameter first? Like PR #1380?
Yes, in my opinion 'subscription_id' should act like other Ansible module parameters that have traditional ENV fallback values. If specified by a user in a task it should have precedence over the ENV variable.
I haven't fully reviewed the proposed solution in that PR though.
SUMMARY
Related to #1218 but broader. Most if not all `azure.azcollection` modules leverage the `subscription_id` module argument provided by the `AzureRMModuleBase` class. It has a fallback to the environment variable `AZURE_SUBSCRIPTION_ID` that is commonly used to inject credentials into playbooks either via `ansible-navigator`, AWX, or Automation Controller.

In the `parse_resource_to_dict` method provided by `AzureRMModuleBase` it looks only to `subscription_id` provided by `AzureRMModuleBase`, which maps back to `self.azure_auth.subscription_id`, with `azure_auth` being an instantiation of `AzureRMAuth`. This creates a binding in which any module that has code interacting with `parse_resource_to_dict` has the subscription ID used for authentication added to the resource ID it generates (assumes).

On the other hand, modules that use the `get_mgmt_svc_client` method provided by `AzureRMModuleBase` to get a follow-on management client instantiation actually look at the module parameter for `subscription_id`. This creates some modules that are able to use `subscription_id` to target a module to a subscription not used for authentication and actually get resources created in that target subscription, but follow-on plays that try to find that resource by name fail.

As stated below, my expectation coming to the collection and viewing how `ansible` as a whole functions is that any module parameter provided overrides its fallback method. This is not the case right now, and I would disagree with @xuzhang3's opinion in #1218 that separate parameters should be leveraged for this use case. I don't view this bug as an enhancement request, but it is possible that fixing it like I propose would have playbook-breaking changes, so it would warrant a v2.0.0 release in my opinion.
ISSUE TYPE
COMPONENT NAME
azure.plugins.module_utils.azure_rm_common.AzureRMModuleBase
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Mac OS on M1, Azure authentication done by fallback environment variables
STEPS TO REPRODUCE
Set your environment to authenticate to Azure and use a `AZURE_SUBSCRIPTION_ID`, then pass `--extra-vars "sub2=the-second-sub-id"`.
EXPECTED RESULTS
That the `subscription_id` module parameter is more preferred over the fallback of `AZURE_SUBSCRIPTION_ID` when provided when resolving names to identifiers.

In this particular case, the `route_table` parameter does accept an ID, so I can specify that as a work-around. That said, other module parameters like `virtual_network_name` exist in this module. It is my opinion that all `_name` parameters should be replaced by a module parameter that is only the resource name; providing an alias back to `_name` is acceptable. Then all the module parameters should pass through the `parse_resource_to_dict` method found in `AzureRMModuleBase`. That method should then be adjusted to respect the module parameter over the fallback for authentication.
ACTUAL RESULTS
The results contain subscription IDs, but you will see that it tries to find the route table in the first subscription, the one used for authentication, despite it respecting the `subscription_id` module parameter in the earlier task and creating the route table in the second subscription.
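The precedence timway proposes in the comments (task parameter, then `AZURE_SUBSCRIPTION_ID`, then the subscription discovered during auth) and the `parse_resource_to_dict` change described under EXPECTED RESULTS, as an added stand-alone illustration that is not `azure.azcollection`'s code: the helper names, signatures and sample subscription ids below are constructed for this example.

```python
import re

# Constructed sample values (not real subscription ids).
AUTH_SUB = "11111111-1111-1111-1111-111111111111"   # subscription discovered during auth
ENV_SUB = "22222222-2222-2222-2222-222222222222"    # AZURE_SUBSCRIPTION_ID in the environment
TASK_SUB = "33333333-3333-3333-3333-333333333333"   # subscription_id given in the task

# Shape of a full ARM resource ID, so an ID passed instead of a name stays authoritative.
ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription_id>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<namespace>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def resolve_subscription_id(params, env, auth_sub):
    """Hypothetical helper: module parameter -> AZURE_SUBSCRIPTION_ID -> auth-discovered.

    Returns the chosen id and which source supplied it, so a module can log
    where the subscription it is about to act on came from."""
    if params.get("subscription_id"):
        return params["subscription_id"], "parameter"
    if env.get("AZURE_SUBSCRIPTION_ID"):
        return env["AZURE_SUBSCRIPTION_ID"], "env"
    return auth_sub, "auth"


def parse_resource_to_dict(resource, params, env, auth_sub, resource_group, namespace, rtype):
    """Hypothetical stand-in for the proposed behaviour: accept a bare name or a full ID.

    A full ID is used as-is. A bare name is qualified with the resolved subscription,
    not unconditionally with the subscription used for authentication."""
    match = ID_RE.match(resource)
    if match:
        return match.groupdict()
    sub, _source = resolve_subscription_id(params, env, auth_sub)
    return {"subscription_id": sub, "resource_group": resource_group,
            "namespace": namespace, "type": rtype, "name": resource}


def to_resource_id(parts):
    """Build the ARM ID from the parts returned by parse_resource_to_dict."""
    return ("/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            "/providers/{namespace}/{type}/{name}").format(**parts)


if __name__ == "__main__":
    # Task sets subscription_id while the environment points at a different subscription:
    # the lookup by name must land in the task's subscription, matching where it was created.
    parts = parse_resource_to_dict("rt-example", {"subscription_id": TASK_SUB},
                                   {"AZURE_SUBSCRIPTION_ID": ENV_SUB}, AUTH_SUB,
                                   "rg-example", "Microsoft.Network", "routeTables")
    print(to_resource_id(parts))
```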