Multi-tenant deployment using Shared Image gallery via Terraform

  • Question

  • We got the 1.34 version released and I am getting the error I pasted initially. My Azure Shared Image galleries are in tenant-1 and I am trying to deploy a VM in tenant-2 using this SIG in tenant-1.

    ####  connecting to tenant -2 ########
    provider "azurerm" {
      subscription_id = "${var.subscription_id}"
      client_id       = "${var.client_id}"
      client_secret   = "${var.client_secret}"
      tenant_id       = "${var.tenant_id}"
    }
    
    #####  connecting to tenant -1 ######## Provider for fetching the SIG resource
    provider "azurerm" {
      alias           = "sig-resources-id"
      subscription_id = "${var.sig_subscription_id}"
      client_id       = "${var.sig_client_id}"
      client_secret   = "${var.sig_client_secret}"
      tenant_id       = "${var.sig_tenant_id}"
    }

    Using the alias, I fetch the image ID from tenant-1 and use this ID to provision in tenant-2, and it is not working.

    Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/subscription-ID-of-tenant-2/resourceGroups/mygroup/providers/Microsoft.Compute/virtualMachines/sigvm-01', however the current tenant '<Tenant-2 ID>' is not authorized to access linked subscription '<subscription-ID-of-tenant-1>'."

    ANY help is much appreciated.

    Thursday, September 19, 2019 7:02 AM

Answers

  • As Rohan mentioned, the error does appear to be directly related to permissions. However, since you can perform the steps using PowerShell and CLI, it seems to be an issue with the Terraform code or implementation with Terraform itself.

    Can you share the link to the new version you are using? I have only used shared image galleries a couple times so I am not aware of a new version. 

     
    • Marked as answer by Nice Thomas Friday, September 27, 2019 10:06 AM
    Friday, September 20, 2019 4:11 PM

All replies

  • Sounds like a permission issue. Please refer to the link below; it might help.

    https://docs.microsoft.com/en-us/azure/virtual-machines/linux/share-images-across-tenants

    Thursday, September 19, 2019 9:57 AM
  • Yeah, all permissions are done and I am able to implement the same using CLI and PowerShell; only Terraform fails. As per @Manoj Reddy, we were expecting it to be working in provider version 1.34.0. This got released yesterday (18/09/) but still no luck. So thought if you can be of any help here.
    Thursday, September 19, 2019 12:46 PM