Support azure cli credentials with multiple subscription_ids

[internetionals]

This is the same change I have a pull request for at the Ansible main repository, but it isn't entirely clear what the correct path for new changes is for the Azure Ansible modules.

See original pull request: ansible/ansible#65331
(and also: Azure/azure_preview_modules#358)

I also couldn't find the doc_fragments part from the original change, so this change doesn't update the documentation, which the original does.

Also relates to these issues/pull requests in the main Ansible repository:

• Azure dynamic inventory plugin to use Subscription ID with CLI auth ansible/ansible#48089
• [inventory/azure_rm] auth_source: cli doesn't honour subscription_id setting ansible/ansible#63182

Below is the text from the pull request against the main Ansible repository:

SUMMARY

When using credentials obtained from the azure cli only the default subscription can be used, even though the azure cli is authenticated for multiple subscriptions.

This change passes any optionally specified subscription_id (similar to how it's done for auth_source: msi) along when requesting the azure cli credentials. If none is specified it falls back to the current behaviour of selecting the default subscription.

The only other change that had to be made was in the auth_source: auto case where we would always assume that all credential information is passed using arguments when subscription_id is set. I changed this to check the fields that actually refer to specific credentials (namely client_id (for service principals) and ad_user (for user names)). This way we still fall through to the azure cli method, eventhough only subscription_id is explicitly set.

Fixes ansible/ansible#63182
Fixes Azure/azure_preview_modules#321

This effectively fixes the same problem as ansible/ansible#48089 is trying to fix, only in a way that is more consistent with how credentials and subscription id's are determined for other auth_sources. This was one of the main criticisms that's probably holding that pull request up.

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

azure_rm_common

ADDITIONAL INFORMATION

We have different Azure subscriptions for our prod and dev environments. By default we only work on the dev environment, but we have a number of playbooks that we want to work with all virtual machines at once.

Demonstration playbook:

- name: Get azure vm info from different subscriptions
  hosts: localhost
  tasks:
  - azure_rm_virtualmachine_info:
      name: prod-db
      resource_group: prod
      subscription_id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      auth_source: cli
  - azure_rm_virtualmachine_info:
      name: dev-db
      resource_group: dev
      subscription_id: YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY
      auth_source: cli

Before:

$ ansible-playbook playbooks/az_info.yml

PLAY [Get azure vm info from different subscriptions] *********************************************************************************

TASK [azure_rm_virtualmachine_info] ***************************************************************************************************
fatal: [localhost]: FAILED! => changed=false
  msg: |-
    Error getting virtual machine prod-db - Azure Error: ResourceGroupNotFound
    Message: Resource group 'prod' could not be found.

PLAY RECAP ****************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

After:

$ ansible-playbook playbooks/az_info.yml

PLAY [Get azure vm info from different subscriptions] *********************************************************************************

TASK [azure_rm_virtualmachine_info] ***************************************************************************************************
ok: [localhost]

TASK [azure_rm_virtualmachine_info] ***************************************************************************************************
ok: [localhost]

PLAY RECAP ****************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[internetionals]

Sadly, I'm currently a bit overwhelmed by these CI failures and I don't have the time to triage them. But cursory glance suggests that they have nothing to do with the changes in this pull request.

[Fred-sun]

@internetionals Thank you for your interest in ansible-colleciton-azure. Recently, azure-cli is converting the mechanism of using credentials. For the PR you submitted, we will consider merging after the mechanism is modified.

[internetionals]

@Fred-sun Thanks for the update, keep us posted :-)

[bailsman]

Hi @Fred-sun. Is there anywhere I can follow the progress on the azure-cli mechanism change? Where's that discussion happening? I'm quite interested in this pull request.

[Fred-sun]

Hi @Fred-sun. Is there anywhere I can follow the progress on the azure-cli mechanism change? Where's that discussion happening? I'm quite interested in this pull request.

Thank you for your pay attention on this. I'm sorry for not replying this question in time. I will ping Community developers to prioritize this PR tomorrow. Thank you very much!

[Fred-sun]

@internetionals Can you help resolve the conflicting files? Thank you very much!

[UnwashedMeme]

@Fred-sun @internetionals I rebased in #195 and added/fixed up the docs. There are a few other small patches in there too. But I'm also happy to split those into separate PRs if you prefer.

[internetionals]

@Fred-sun @UnwashedMeme : I rebased my changes and included the doc-changes from my original pull request against the azure repository. The changes by @UnwashedMeme are a bit more extensive but also more comprehensive, those would be equally fine by me.

[Fred-sun]

@Fred-sun @UnwashedMeme : I rebased my changes and included the doc-changes from my original pull request against the azure repository. The changes by @UnwashedMeme are a bit more extensive but also more comprehensive, those would be equally fine by me.

Thanks for your udpate! I will test it!

[Fred-sun]

It has added by #195, closed this!