[Feature Request] BREAKING change: Discuss CI environment secrets naming
Description
This discussion needs to take place before issues #1450, #1465 and #1085
- #1450 Leverage same naming documented here https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=openid%2CCLI#configure-the-github-secrets

  | GitHub/ADO Secret | Active Directory Application |
  |---|---|
  | AZURE_CLIENT_ID | Application (client) ID |
  | AZURE_TENANT_ID | Directory (tenant) ID |
  | AZURE_SUBSCRIPTION_ID | Subscription ID |

- #1465 Discuss a name consistent with the above
- #1085 Discuss if we want the same SP to deploy to both subscriptions (requires ownership on both) or if we want to support 2 different SPs, each mapped to a different subscription. Depending on that decision:
  - 2 subs, 1 SP -> the subscription secret decided above needs to be duplicated, e.g. AZURE_SUBSCRIPTION_ID_VALIDATION, AZURE_SUBSCRIPTION_ID_PUBLISHING
  - 2 subs, 2 SPs -> AZURE_CLIENT_ID also needs to be duplicated, e.g. AZURE_CLIENT_ID_VALIDATION, AZURE_CLIENT_ID_PUBLISHING. The secret decided at point 2 doesn't need to be duplicated since it's only used for validation purposes
PoC and implementation of this are covered in:
- #1607
- #1606
Also, #1465 could potentially be made obsolete by #1605
And I would suggest we add the possibility for consumers to use 2 subs, 2 SPs, and even 2 tenants, as you might need a validation tenant and/or MG to validate changes. Maybe the ARM_MGMTGROUP_ID should be in the validation environment or prefixed as VALIDATION_MG_ID?
Removing from upcoming release 0.7; will be worked on in the next one.
It was decided to hold on to the environment split until we figured out whether we can use OpenID Connect or not (#1450), even though it is only relevant for GitHub and not ADO.
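An added illustration (not from this issue or the project's own workflows) of the "2 subs, 2 SPs" option combined with the environment split: each GitHub environment holds its own copy of the documented secret names, so the same AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID resolve to a different service principal per job and no _VALIDATION / _PUBLISHING suffix is needed. The environment names, job names and branch are assumptions.

```yaml
# Added illustration, not this project's workflow: OIDC login with the
# Microsoft-documented secret names, one service principal per subscription.
# Assumes two GitHub environments, "validation" and "publishing" (names are
# assumptions), each holding its own AZURE_CLIENT_ID, AZURE_TENANT_ID and
# AZURE_SUBSCRIPTION_ID. Each SP then only needs rights on its own subscription.
name: deploy

on:
  push:
    branches: [main]

permissions:
  id-token: write   # needed to request the OIDC token for azure/login
  contents: read

jobs:
  validate:
    runs-on: ubuntu-latest
    environment: validation          # secrets scoped to the validation SP/sub
    steps:
      - uses: actions/checkout@v3
      - uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # read-only check that the token landed in the intended subscription/tenant
      - run: az account show --query "{sub:id, tenant:tenantId}" -o json

  publish:
    needs: validate
    runs-on: ubuntu-latest
    environment: publishing          # secrets scoped to the publishing SP/sub
    steps:
      - uses: actions/checkout@v3
      - uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: az account show --query "{sub:id, tenant:tenantId}" -o json
```

A second tenant, as suggested above, fits the same layout: the validation environment simply carries a different AZURE_TENANT_ID, and the federated credential on each SP is restricted to the matching environment's OIDC subject.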