pagopa / dx

Devex repository for shared tools and pipelines.
https://pagopa.github.io/dx/docs/

azure_federated_identity_with_github module doesn't allow cross-subscription role assignments #40

Open christian-calabrese opened 3 months ago

christian-calabrese commented 3 months ago

The azure_federated_identity_with_github module allows assigning roles to the federated identity so that it can deploy and modify infrastructure pieces in the subscription where the project is deployed.

Sometimes, however, the infrastructure may span different subscriptions.

Example: a function app is deployed in the PROD-TRIAL subscription and its private endpoint DNS record must be inserted in the private DNS zone of the PROD-IO subscription. This requires the CD action's identity to have permissions on both the PROD-TRIAL subscription and the PROD-IO one.
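For reference, this is what the cross-subscription assignment from the example above looks like in plain Terraform, as an added illustration that is not code from the dx module: the identity from PROD-TRIAL is granted a built-in role scoped to the single private DNS zone in PROD-IO rather than to the whole subscription. The subscription IDs, resource names, zone name and role are assumptions; both subscriptions are assumed to live in the same Entra tenant.

```hcl
# Added example, not part of the dx module. All subscription IDs, names and
# resource groups below are placeholders; adjust them to the real environment.

# Default provider: the subscription where the project (PROD-TRIAL) is deployed
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000001" # PROD-TRIAL (placeholder)
}

# Second provider instance pointing at the subscription that owns the DNS zone
provider "azurerm" {
  alias           = "prod_io"
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000002" # PROD-IO (placeholder)
}

# The CD identity already created in PROD-TRIAL (assumed name and resource group)
data "azurerm_user_assigned_identity" "cd" {
  name                = "trial-cd-identity"
  resource_group_name = "trial-identity-rg"
}

# The private DNS zone living in PROD-IO, looked up through the aliased provider
data "azurerm_private_dns_zone" "privatelink_sites" {
  provider            = azurerm.prod_io
  name                = "privatelink.azurewebsites.net"
  resource_group_name = "io-dns-rg"
}

# Grant only what writing the private endpoint record needs: a built-in role
# scoped to this one zone, not Contributor on the whole PROD-IO subscription.
# Works across subscriptions because the principal is in the same Entra tenant.
resource "azurerm_role_assignment" "cd_dns" {
  provider             = azurerm.prod_io
  scope                = data.azurerm_private_dns_zone.privatelink_sites.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = data.azurerm_user_assigned_identity.cd.principal_id
}
```

The principal applying this configuration needs `Microsoft.Authorization/roleAssignments/write` on the target zone in PROD-IO, which is a separate prerequisite from the permissions being granted.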