Support for System Managed Identity for ACR Pulls in azurerm_container_app_job #27141

Open
1 task done
mcaulifn opened this issue Aug 22, 2024 · 1 comment

Comments

@mcaulifn

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Add support for using System Managed Identities when setting registry permissions in azurerm_container_app_job. Currently, a separate user-assigned identity is required, which adds an additional resource. This is possible when using the UI.

The registry block could default to using the SystemAssigned identity if the identity block is configured that way.

New or Affected Resource(s)/Data Source(s)

azurerm_container_app_job

Potential Terraform Configuration

```hcl
resource "azurerm_container_app_job" "this" {
  name                         = var.app_name
  location                     = azurerm_resource_group.rg.location
  resource_group_name          = azurerm_resource_group.rg.name
  container_app_environment_id = azurerm_container_app_environment.this.id

  identity {
    type = "SystemAssigned"
  }

  registry {
    server = data.azurerm_container_registry.acr.login_server
  }
}
```

References

https://github.com/hashicorp/terraform-provider-azurerm/issues/26871

@harshavmb
Contributor

I can't visualize how this is going here. I also see the secret block supporting UMIs & SMIs, but both MIs need to be granted appropriate access on the Key Vault resource. I do hope it's the same with the registry block. UMIs could be granted RBAC roles beforehand, but that's not possible with SMIs, right?

My assumption is that on the Portal, SMIs are granted access on the registry resource on the fly, which isn't possible unless a role assignment resource is called. I am not sure if this is solved for other resources.
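
The setup the issue describes as currently required, as an added example (not code from the issue or from the provider project): a user-assigned identity that is granted `AcrPull` on the registry before the job is created. The resource names `pull` and `acr_pull`, the image tag, and the timeout, trigger and sizing values are assumptions; the `rg`, `this` and `acr` references are reused from the snippet in the issue.

```hcl
# Added example. Names "pull" and "acr_pull" are hypothetical.
resource "azurerm_user_assigned_identity" "pull" {
  name                = "${var.app_name}-acr-pull"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Least privilege: pull-only role, scoped to this one registry
# rather than to the resource group or subscription.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.pull.principal_id
}

resource "azurerm_container_app_job" "this" {
  name                         = var.app_name
  location                     = azurerm_resource_group.rg.location
  resource_group_name          = azurerm_resource_group.rg.name
  container_app_environment_id = azurerm_container_app_environment.this.id
  replica_timeout_in_seconds   = 300 # assumed value

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.pull.id]
  }

  # The registry block names the identity used for image pulls.
  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.pull.id
  }

  manual_trigger_config {
    parallelism              = 1
    replica_completion_count = 1
  }

  template {
    container {
      name   = "job"
      image  = "${data.azurerm_container_registry.acr.login_server}/job:1.0.0" # constructed tag
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }

  # The identity already holds AcrPull when the job is first created.
  depends_on = [azurerm_role_assignment.acr_pull]
}
```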

3 participants