
feat: Add subscriptionOwnerID and subscriptionTenantId as options during subscription creation #361

Open
cjasset opened this issue Apr 22, 2024 · 1 comment
Labels
enhancement New feature or request Type: Enhancement ✨ New feature or request

Comments

cjasset commented Apr 22, 2024

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When creating a new subscription, by default the principal creating the subscription is added to the RBAC Owner role on the subscription, even in the case of using an SPN that has been delegated the SubscriptionCreator role. The result is an ever-increasing scope of access and blast radius for the SPN used for vending subscriptions. This behavior can be overridden by providing the subscriptionOwnerId and subscriptionTenantId properties. (https://learn.microsoft.com/en-us/rest/api/subscription/alias/create?view=rest-subscription-2021-10-01&tabs=HTTP#putaliasrequestadditionalproperties)

Describe the solution you'd like

The module should be updated to provide these additional properties so that organizations can specify a different principal for the Owner role. This would reduce the risk and blast radius of the SPN used for vending subscriptions.

Additional context
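The request the issue refers to is the `PUT .../providers/Microsoft.Subscription/aliases/{aliasName}` call, where the owner override lives under `properties.additionalProperties`. The helper below is an added example, not code from this module or from the issue author: it builds that request body with and without the override and reports which principal ends up in the Owner role under the behaviour described above. The billing scope, alias name and object/tenant IDs are constructed placeholders, and the rule that `subscriptionOwnerId` and `subscriptionTenantId` must be supplied together is a design choice of this example, not something the page or the API documentation states.

```python
"""Build a Microsoft.Subscription/aliases PUT body (api-version 2021-10-01).

Added example for the feature request above; not the module's own code.
Assumptions (not on the page): the caller already holds a bearer token for the
vending SPN, and the both-or-neither rule for the owner override below is this
example's choice, not an API requirement.
"""
import json
from typing import Optional

API_VERSION = "2021-10-01"


def alias_url(alias_name: str) -> str:
    """ARM endpoint for creating a subscription alias."""
    return (
        "https://management.azure.com/providers/Microsoft.Subscription/"
        f"aliases/{alias_name}?api-version={API_VERSION}"
    )


def build_alias_request(
    display_name: str,
    billing_scope: str,
    workload: str = "Production",
    management_group_id: Optional[str] = None,
    owner_object_id: Optional[str] = None,
    owner_tenant_id: Optional[str] = None,
    tags: Optional[dict] = None,
) -> dict:
    """Return the JSON body for the alias PUT.

    When owner_object_id / owner_tenant_id are given they are emitted as
    subscriptionOwnerId / subscriptionTenantId so that principal, rather than
    the caller, receives the Owner role on the new subscription.
    """
    if (owner_object_id is None) != (owner_tenant_id is None):
        # Example-specific guard: refuse a half-specified override.
        raise ValueError(
            "subscriptionOwnerId and subscriptionTenantId must be set together"
        )

    additional: dict = {}
    if management_group_id:
        additional["managementGroupId"] = management_group_id
    if owner_object_id:
        additional["subscriptionOwnerId"] = owner_object_id
        additional["subscriptionTenantId"] = owner_tenant_id
    if tags:
        additional["tags"] = dict(tags)

    props = {
        "displayName": display_name,
        "workload": workload,
        "billingScope": billing_scope,
    }
    if additional:
        props["additionalProperties"] = additional
    return {"properties": props}


def expected_owner(body: dict, caller_object_id: str) -> str:
    """Principal that lands in the Owner role, per the behaviour in the issue:
    the override if present, otherwise the principal making the call."""
    extra = body["properties"].get("additionalProperties", {})
    return extra.get("subscriptionOwnerId", caller_object_id)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own.
    vending_spn = "00000000-0000-0000-0000-00000000aaaa"
    landing_zone_owner = "00000000-0000-0000-0000-00000000bbbb"
    tenant = "00000000-0000-0000-0000-00000000cccc"
    billing = "/providers/Microsoft.Billing/billingAccounts/BA-PLACEHOLDER/enrollmentAccounts/EA-PLACEHOLDER"

    default_body = build_alias_request("lz-app-prod", billing)
    override_body = build_alias_request(
        "lz-app-prod", billing, owner_object_id=landing_zone_owner, owner_tenant_id=tenant
    )
    print(alias_url("lz-app-prod"))
    print(json.dumps(override_body, indent=2))
    print("default owner :", expected_owner(default_body, vending_spn))
    print("override owner:", expected_owner(override_body, vending_spn))
```

Running it shows the vending SPN as Owner on the default body and the designated principal on the override body, which is the reduction in the SPN's accumulated scope the request is asking for.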

@matt-FFFFFF matt-FFFFFF added enhancement New feature or request Type: Enhancement ✨ New feature or request labels Apr 25, 2024
@matt-FFFFFF (Member) commented:

Hi,

If we implement this, I think it will mean that we cannot cancel the subscription, or deploy any resources into it - do you concur?

If this is the case, then I believe that the value of this module is lost. WDYT?

Perhaps a better use case will be to reduce blast radius by using different provider credentials via CI/CD.
