[Feature Request] BREAKING change: Discuss CI environment secrets naming

[eriqua]

Description

This discussion needs to take place before issues #1450 #1465 #1085

1. [Feature Request] BREAKING change: Authenticate to Azure from GH with OpenID Connect #1450 Leverage same naming documented here https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=openid%2CCLI#configure-the-github-secrets

   GitHub/ADO Secret	Active Directory Application
   AZURE_CLIENT_ID	Application (client) ID
   AZURE_TENANT_ID	Directory (tenant) ID
   AZURE_SUBSCRIPTION_ID	Subscription ID

2. [Feature Request] BREAKING change: Rename DEPLOYMENT_SP_ID to DEPLOYMENT_SPN_ENTAPP_OBJID #1465 Discuss a name consistent with the above
3. [Feature Request] BREAKING change: Add options to split validation and publication resources #1085 Discuss if we want the same SP to deploy to both subscriptions (requires ownership on both) or if we want to support 2 different SP each mapped to a different subscription. Depending on that decision:
   • 2 subs, 1 SP -> the subscription secret decided above needs to be duplicated, e.g. AZURE_SUBSCRIPTION_ID_VALIDATION, AZURE_SUBSCRIPTION_ID_PUBLISHING
   • 2 subs, 2 SPs -> Also AZURE_CLIENT_ID need to be duplicated e.g. AZURE_CLIENT_ID_VALIDATION, AZURE_CLIENT_ID_PUBLISHING. Secret decided at point 2 doesn't need to be duplicated since it's only used for validation purposes

[MariusStorhaug]

POC and implementation of this is covered in:

• Upcoming BREAKING change: Introducing OIDC and dual environment support #1607
• [CI Environment] [MAJOR/BREAKING] Authentication overhaul #1606

[MariusStorhaug]

Also, #1465 could potentially be made obsolete by #1605

[MariusStorhaug]

And I would suggest we add possibility for consumers to use 2 subs, 2 SPs, and even 2 tenants, as you might need a validation tenant and or MG to validate changes. Maybe the ARM_MGMTGROUP_ID should be in the validation environment or prefixed with VALIDATION_MG_ID ?

[eriqua]

Removing from upcoming release 0.7, will be worked on in the next one

[AlexanderSehr]

It was decided to hold on to the environment split until we figured out whether we can use Open ID connect or not (#1450) - even though it is only relevant for GitHub & not ADO