I have created a Shared Image Gallery in tenant 1 and I am able to create VMs using this image across all subscriptions in this tenant. I used the CLI, PowerShell and Terraform and it worked fine.
When I try to create a VM in tenant 2 with a Shared Image Gallery available in tenant 1, it fails with the error below.
Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/subscription-ID-of-tenant-2/resourceGroups/mygroup/providers/Microsoft.Compute/virtualMachines/sigvm-01', however the current tenant '
I am using version 1.34.0.
#### Provider for connecting to tenant 2 ########
provider "azurerm" {
  subscription_id = "${var.subscription_id}"
  client_id       = "${var.client_id}"
  client_secret   = "${var.client_secret}"
  tenant_id       = "${var.tenant_id}"
}
##### Provider for connecting to tenant 1 (fetching the SIG resource) ########
provider "azurerm" {
  alias           = "sig-resources-id"
  subscription_id = "${var.sig_subscription_id}"
  client_id       = "${var.sig_client_id}"
  client_secret   = "${var.sig_client_secret}"
  tenant_id       = "${var.sig_tenant_id}"
}
Hi @tombuildsstuff
Have you had a chance to look into this? Thank you.
Hi @nicethomaslearngit,
We have actually quietly added support for multi-tenant situations like this with service principal authentication. The CLI version is in the works but there is no timeframe yet. It's not been documented as it remains untested/unofficial, but if you'd like to give it a try, use a SP for auth and add the additional tenants in the provider block:
provider "azurerm" {
auxiliary_tenant_ids = ["00000000-0000-0000-0000-000000000000", "00000000-0000-0000-0000-000000000000", "00000000-0000-0000-0000-000000000000"]
}
or in an environment variable: ARM_AUXILIARY_TENANT_IDS="00000000-0000-0000-0000-000000000000;00000000-0000-0000-0000-000000000000;00000000-0000-0000-0000-000000000000"
Up to 3 can be specified.
If this does work for you please let us know, as we have not tested or verified that it works.
Hi @katbyte
Thanks a lot for the update.
I tried using auxiliary tenant IDs and unfortunately it's not working. I will await the official documentation for using this.
Thank You
@nicethomaslearngit I was having the same issue as you and seem to have figured it out.
I was attempting to peer VNets across AD tenants, but the idea is the same.
I followed the steps here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/share-images-across-tenants and ended up with a service principal that had Contributor access to both subscriptions (haven't tested it yet with less access or scoped to just the VNet).
My provider setup that finally worked for me was as follows (notice I'm using the same client_id and client_secret across both providers):
provider "azurerm" {
  version              = "=1.34"
  alias                = "hub"
  client_id            = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret        = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id      = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  tenant_id            = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  auxiliary_tenant_ids = ["bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"]
}
provider "azurerm" {
  version              = "=1.34"
  alias                = "spoke"
  client_id            = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret        = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id      = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  tenant_id            = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  auxiliary_tenant_ids = ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"]
}
@darryncurranHP
Awesome, awesome. It worked like a charm. I was on it for a couple of weeks and finally the above worked!
@katbyte @tombuildsstuff FYI
Thanks again.
Hi @darryncurranHP @katbyte @tombuildsstuff
I ran into another issue: when I am trying to deploy to the same tenant, it is failing with the error that tenant_id and auxiliary tenant_id are the same.
I did a workaround as below:
auxiliary_tenant_ids = "${(var.sig_tenant_id == var.tenant_id ? [] : ["var.tenant_id"])}"
If both tenant IDs are the same, I am assigning a null value and it is working fine in Terraform 0.12, but it is failing in Terraform 0.11, and I am using Terraform 0.11.
Error reading config for provider config azurerm: parse error at 1:45: expected expression but found "["
Above is the error when used with version 0.11. Any suggestions?
Hi,
I use the following workaround.
Works fine for me in any cases.
https://github.com/siobam/Terraform/tree/master/cross_tenant_peeting
Hi,
Sure, how can I help you?
Thanks,
Viktor
On Wed, 6 Nov 2019 at 10:06, nicethomaslearngit notifications@github.com wrote:
Hi @siobam https://github.com/siobam
Can you please help me with the code again.
Thanks @siobam
The link above was giving a 404; I got the Git URL. Thanks again.
try this:
https://github.com/siobam/Terraform/tree/master/azure_cross_tenant_peeting
This issue is still open and I wonder what the actual workaround for using image versions in a shared gallery in a tenant in another tenant is? Can someone describe what needs to be done here?
I followed https://docs.microsoft.com/en-us/azure/virtual-machines/linux/share-images-across-tenants and I tried using the described setup in https://github.com/terraform-providers/terraform-provider-azurerm/issues/4378#issuecomment-537948435 but this is not working. I haven't tried it with the same service principal though.
Error: Error creating Linux Virtual Machine "testvm" (Resource Group "testvm-rg"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/subscription-id-fdsfsfsd/resourceGroups/imgbos-rg/providers/Microsoft.Compute/virtualMachines/testvm', however the current tenant 'tenant-id-fdfdfsdf' is not authorized to access linked subscription 'subscription-id-fdsfsfsd'."
Do I really need the same service principal, and how do I give it access to tenant 2?
Any help would be appreciated.
@christiansetzer Yes it needs to be the same service principal, and it details how to give access in the link you included.
@darryncurranHP So the service principal has to be authenticated with the same procedure, is what I understand. The service principal also needs the setting for
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
I will try that and give feedback
@darryncurranHP Thanks, that really works now. But I still have to wonder why Contributor rights are necessary in tenant 1, where the shared image gallery resides.
Any idea if this can work with Managed Identities? We are using Managed Identities for authenticating Terraform. Can Managed Identity be shared between tenants?
I have tried the workaround outlined here to deploy images from a shared image gallery in tenant_1 into tenant_2 and it works, thank you.
I want to use the same code base to deploy images into a few environments, some will be in the same tenant as the image gallery, some will be in other tenants. There is a workaround for this listed on this page also:
auxiliary_tenant_ids = "${(var.sig_tenant_id == var.tenant_id ? [] : ["var.tenant_id"])}"
I received errors with this in Terraform 0.12.28; it turned out to be syntax with the false value, so I am posting the full code here that works when the tenant IDs are different and also when they are the same:
// Provider to deploy into
provider "azurerm" {
  version              = "2.17.0"
  subscription_id      = var.ARM_SUBSCRIPTION
  client_id            = var.ARM_CLIENT_ID
  client_secret        = var.ARM_CLIENT_SECRET
  tenant_id            = var.ARM_TENANT_ID
  auxiliary_tenant_ids = (var.ARM_TENANT_ID_GALLERY == var.ARM_TENANT_ID ? [] : ["${var.ARM_TENANT_ID_GALLERY}"])
  features {}
}
// Provider for connecting to shared image gallery
provider "azurerm" {
  alias                = "sig"
  version              = "2.17.0"
  subscription_id      = var.ARM_SUBSCRIPTION_GALLERY
  tenant_id            = var.ARM_TENANT_ID_GALLERY
  client_id            = var.ARM_CLIENT_ID
  client_secret        = var.ARM_CLIENT_SECRET
  auxiliary_tenant_ids = (var.ARM_TENANT_ID == var.ARM_TENANT_ID_GALLERY ? [] : ["${var.ARM_TENANT_ID}"])
  features {}
}
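To make the two-provider pattern from this thread concrete end to end, here is a complete configuration that reads an image version from the gallery in tenant 1 through the aliased provider and creates a Linux VM from it in tenant 2. This is an added example, not code posted in the thread and not part of the azurerm provider project. The variable names match the provider blocks above; the gallery, image, resource group, network and VM names, the region, the VM size and the SSH key path are assumptions for illustration. One caveat carried over from the error message earlier in the thread: the check that fails is for the action 'Microsoft.Compute/galleries/images/versions/read' on the gallery tenant, so a Reader assignment scoped to the gallery in tenant 1 may be enough instead of Contributor; that narrower scope is an assumption and is not verified anywhere in the thread.

```hcl
# Added example (not from the thread): cross-tenant VM from a Shared Image
# Gallery image version. Assumes Terraform 0.12+ and azurerm 2.x, and a
# service principal (ARM_CLIENT_ID / ARM_CLIENT_SECRET) registered as a
# multi-tenant app and consented into both tenants, as in the Microsoft
# doc linked above.

variable "ARM_TENANT_ID" {}
variable "ARM_TENANT_ID_GALLERY" {}
variable "ARM_SUBSCRIPTION" {}
variable "ARM_SUBSCRIPTION_GALLERY" {}
variable "ARM_CLIENT_ID" {}
variable "ARM_CLIENT_SECRET" {}

# Deployment target (tenant 2). The gallery tenant goes into
# auxiliary_tenant_ids so the VM create request is also authorised for the
# linked gallery resource; the list must be empty when both tenants match,
# otherwise the provider rejects the duplicate tenant.
provider "azurerm" {
  version              = "2.17.0"
  subscription_id      = var.ARM_SUBSCRIPTION
  tenant_id            = var.ARM_TENANT_ID
  client_id            = var.ARM_CLIENT_ID
  client_secret        = var.ARM_CLIENT_SECRET
  auxiliary_tenant_ids = var.ARM_TENANT_ID_GALLERY == var.ARM_TENANT_ID ? [] : [var.ARM_TENANT_ID_GALLERY]
  features {}
}

# Gallery side (tenant 1): same service principal, mirrored auxiliary tenant.
provider "azurerm" {
  alias                = "sig"
  version              = "2.17.0"
  subscription_id      = var.ARM_SUBSCRIPTION_GALLERY
  tenant_id            = var.ARM_TENANT_ID_GALLERY
  client_id            = var.ARM_CLIENT_ID
  client_secret        = var.ARM_CLIENT_SECRET
  auxiliary_tenant_ids = var.ARM_TENANT_ID == var.ARM_TENANT_ID_GALLERY ? [] : [var.ARM_TENANT_ID]
  features {}
}

# Resolve the image version in tenant 1 (gallery/image/version names assumed).
data "azurerm_shared_image_version" "img" {
  provider            = azurerm.sig
  name                = "1.0.0"
  image_name          = "ubuntu-hardened"
  gallery_name        = "sig"
  resource_group_name = "sig-rg"
}

resource "azurerm_resource_group" "vm" {
  name     = "sigvm-rg"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vm" {
  name                = "sigvm-vnet"
  resource_group_name = azurerm_resource_group.vm.name
  location            = azurerm_resource_group.vm.location
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "vm" {
  name                 = "default"
  resource_group_name  = azurerm_resource_group.vm.name
  virtual_network_name = azurerm_virtual_network.vm.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_network_interface" "vm" {
  name                = "sigvm-01-nic"
  resource_group_name = azurerm_resource_group.vm.name
  location            = azurerm_resource_group.vm.location

  ip_configuration {
    name                          = "ipconfig1"
    subnet_id                     = azurerm_subnet.vm.id
    private_ip_address_allocation = "Dynamic"
  }
}

# The VM is created in tenant 2, but source_image_id points into tenant 1's
# subscription. This is the request that returned LinkedAuthorizationFailed
# in the thread before auxiliary_tenant_ids was set on the deploy provider.
resource "azurerm_linux_virtual_machine" "vm" {
  name                  = "sigvm-01"
  resource_group_name   = azurerm_resource_group.vm.name
  location              = azurerm_resource_group.vm.location
  size                  = "Standard_B2s"
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.vm.id]
  source_image_id       = data.azurerm_shared_image_version.img.id

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub")
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
}
```

Run it with the six ARM_* variables set (for example via TF_VAR_ARM_TENANT_ID and so on) and a plain `terraform init && terraform plan`. The same files work for a same-tenant deployment: when ARM_TENANT_ID and ARM_TENANT_ID_GALLERY are equal, both conditionals leave auxiliary_tenant_ids empty, which avoids the duplicate-tenant error reported earlier in the thread.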