Document how to use Lighthouse to consume a bicep registry from a different tenant #5030
Comments
Related to #4947. We definitely need to support regular basic auth and token based auth to enable this and other scenarios. Out of curiosity, would you be willing to make the registry public if we supported it? cc @stweb1963 since we were discussing this yesterday
Absolutely. Our registry already is public. You should be able to reach: ateabicepcr.azurecr.io/p/disk:1.0
Our suspicion is that if we support auth tokens and/or basic auth, most of the scenario will be covered.
This scenario is already supported with the use of Azure Lighthouse. Details are described here:
This is a great post @jannickoeben! @mumian / @tfitzmac -- this would probably be a good one to doc as well. @jannickoeben - any interest in contributing some of this content directly to MS docs?
Sure. Although English is not my first language, I'm up for it to try. How do I get started?
@jannickoeben - thanks for your interest in contributing to the docs! Here is some info about creating a pull request in the public docs repo. If you find that the process is taking up too much of your time, contact me or @mumian. We can help facilitate some of the steps.
Any update on this request and timelines?
@PixelRobots - is using lighthouse an option for enabling this? I saw you commented on the token auth issue as well, will post an update there too. @stephaniezyen / @mumian - can we work on documenting the process for using Lighthouse to enable this scenario?
Yeah I think lighthouse will work for most of my customers. But not all of them. It would be good to also support token based authentication. We sometimes do work for customers where we are unable to use lighthouse so that would mean copying all our modules over and then maintaining two or more repos.
We are providing a bicep module registry for our customers along with a pipeline setup, that instruments the modules.
The public feature in azurecr is not supported in bicep yet, so we have to provide some sort of authentication to our registry in order to set up the registry in the customer pipelines.
I guess this might be accomplished by creating a SP in the tenant holding the br, and granting the SP AcrPull on the br. Then, using the SP in a PowerShell session in the customer tenant pipeline for an Azure CLI login, while pointing the bicepconfig.json to use AzureCLI, running New-AzDeployment to deploy the main.bicep holding references to a module alias pointing to our br.
I apologize for this very condensed gibberish. In short, what I want to achieve is:
Run a pipeline in a customer Azure DevOps Organization targeting a customer Tenant, referencing a registry located in a different tenant.
First off, it is not important that the customer authenticates, but un-authenticated access to registries is not possible for now.
Secondly, a way to restrict access to provider registries would be ideal. If this includes creating a Managed Application in the br tenant, that would be fine.
Any pointers to how I can solve this issue are greatly appreciated!
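
The service-principal approach guessed at in the issue text above, written out as a pipeline step. This is an added sketch, not code from the thread or from the Bicep project, and the thread does not confirm that the flow works end to end. Every `<...>` value, the `BR_SP_*` variable names and the `provider` alias name are placeholders or assumptions.

```powershell
# Added sketch: every <...> value and BR_SP_* variable name is a placeholder.
$registryTenantId = '<registry-tenant-id>'        # tenant that owns the registry
$registryLogin    = '<registry-name>.azurecr.io'
$spAppId          = $env:BR_SP_APP_ID             # hypothetical pipeline secret variables
$spSecret         = $env:BR_SP_SECRET
if (-not $spAppId -or -not $spSecret) { throw 'Registry service principal credentials are not set.' }

# One-time setup by the registry owner: pull-only, scoped to the registry resource.
#   az role assignment create --assignee <sp-app-id> --role AcrPull --scope <registry-resource-id>

# bicepconfig.json beside main.bicep: define the alias and make module restore
# authenticate through the Azure CLI login only.
# main.bicep then references modules as 'br/provider:<module>:<tag>'.
$config = [ordered]@{
    cloud         = @{ credentialPrecedence = @('AzureCLI') }
    moduleAliases = @{ br = @{ provider = @{ registry = $registryLogin; modulePath = '<module-path>' } } }
}
$config | ConvertTo-Json -Depth 5 | Set-Content -Path ./bicepconfig.json

# Azure CLI context = registry tenant. The SP needs no subscription there.
az login --service-principal --username $spAppId --password $spSecret `
    --tenant $registryTenantId --allow-no-subscriptions --output none
if ($LASTEXITCODE -ne 0) { throw 'az login to the registry tenant failed.' }

try {
    # Restore first so a registry auth failure surfaces before any deployment call.
    bicep restore ./main.bicep
    if ($LASTEXITCODE -ne 0) { throw 'Module restore failed; check the AcrPull assignment and the alias.' }

    # Az PowerShell context = customer tenant, assumed to be established
    # already by the pipeline's own service connection.
    New-AzDeployment -Name 'main' -Location '<location>' -TemplateFile ./main.bicep
}
finally {
    az logout --username $spAppId   # drop the registry credential from the agent
}
```

The two identity contexts stay separate: the Azure CLI login is used only to pull modules, and the deployment itself runs under whatever Az PowerShell context the customer pipeline provides.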