hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_container_app cannot deploy with image from private ACR #22459

Open konopkap opened 1 year ago

konopkap commented 1 year ago

Terraform Version

1.5.2

AzureRM Provider Version

3.64.0

Affected Resource(s)/Data Source(s)

azurerm_container_app

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.64"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_container_registry" "acr" {
  name                = "xxx"
  resource_group_name = "xxx-rg"
}

resource "azurerm_resource_group" "rg" {
  location = var.location
  name     = "xxx-rg"
}

resource "azurerm_container_app_environment" "cae" {
  location                   = var.location
  log_analytics_workspace_id = var.log_analytics_workspace_id
  name                       = "cae-xxx"
  resource_group_name        = azurerm_resource_group.rg.name

  depends_on = [azurerm_resource_group.rg]
}

resource "azurerm_container_app" "ca" {
  container_app_environment_id = azurerm_container_app_environment.cae.id
  name                         = "ca-xxx"
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  secret {
    name  = "password"
    value = data.azurerm_container_registry.acr.admin_password
  }

  registry {
    server               = "xxxacr.azurecr.io"
    username             = "data.azurerm_container_registry.acr.admin_username"
    password_secret_name = "password"
  }
  template {
    container {
      cpu    = 0.25
      image  = var.image_name
      memory = "0.5Gi"
      name   = "http"
    }
  }

  depends_on = [azurerm_container_app_environment.cae]
}

Debug Output/Panic Output

Error: creating Container App (Subscription: "xxx-xxx-xxx-xxx--xxx"
│ Resource Group Name: "xxx-rg"
│ Container App Name: "ca-xxx"): performing CreateOrUpdate: containerapps.ContainerAppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidParameterValueInContainerTemplate" Message="The following field(s) are either invalid or missing. Field 'template.containers.http.image' is invalid with details: 'Invalid value: \"xxx/zzz/aaa:bbb\": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:xxx/zzz/aaa Type:repository]]';."
│
│   with azurerm_container_app.ca,
│   on main.tf line 61, in resource "azurerm_container_app" "ca":
│   61: resource "azurerm_container_app" "ca" {
│
│ creating Container App (Subscription: "xxx-xxx-xxx--xxx"
│ Resource Group Name: "xxx-rg"
│ Container App Name: "ca-xxx"): performing CreateOrUpdate: containerapps.ContainerAppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidParameterValueInContainerTemplate" Message="The
│ following field(s) are either invalid or missing. Field 'template.containers.http.image' is invalid with details: 'Invalid value: \"xxx/zzz/aaa:bbb\": GET https::
│ UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:xxx/zzz/aaa Type:repository]]';."

Expected Behaviour

Container app created with image downloaded from private ACR

Actual Behaviour

Container app is not deployed due to UNAUTHORIZED error.

Steps to Reproduce

  1. Have existing private ACR with some images in it
  2. Have Admin access enabled for ACR
  3. terraform apply above config


jtatum commented 1 year ago

You have an error in your code:

    username             = "data.azurerm_container_registry.acr.admin_username"

Because you quoted this string, you're specifying that the username is literally data.azurerm_container... as opposed to the value of that attribute.

dss010101 commented 1 year ago

Having a similar issue. My code looks very similar. Besides the quotes issue, are there any other considerations needed here?

CalianDos commented 3 weeks ago

Also getting this error when trying to pull from a GitLab container registry. I've confirmed the username/password are correct by doing a docker login registry.gitlab.com with the same deploy token and successfully pulling the container image.

CalianDos commented 3 weeks ago

For those coming back to this, the issue was that the image must be fully qualified, presumably so Azure knows which private registry to connect to. So we just needed a registry.gitlab.com/ on the front of the image and then it worked!
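
The two fixes raised in this thread (the unquoted username reference and the fully qualified image name), combined into a replacement for the `azurerm_container_app` resource in the original configuration. This is an added example, not code posted by any commenter. It assumes the rest of the issue's configuration is unchanged; the `registry_server` local and the `precondition` check are additions for illustration.

```hcl
# Added example: replaces the azurerm_container_app resource from the issue.
# Assumes the data source, resource group, environment and variables shown there.
locals {
  # Assumption: take the host from the registry itself rather than hard-coding it,
  # so the registry block and the image check below always agree.
  registry_server = data.azurerm_container_registry.acr.login_server
}

resource "azurerm_container_app" "ca" {
  container_app_environment_id = azurerm_container_app_environment.cae.id
  name                         = "ca-xxx"
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  secret {
    name  = "password"
    value = data.azurerm_container_registry.acr.admin_password
  }

  registry {
    server = local.registry_server
    # Unquoted reference: Terraform evaluates the attribute. In quotes, the
    # literal text "data.azurerm_container_registry..." is sent as the username.
    username             = data.azurerm_container_registry.acr.admin_username
    password_secret_name = "password"
  }

  template {
    container {
      cpu = 0.25
      # Must be fully qualified: <registry host>/<repository>:<tag>, with the
      # host matching registry.server above.
      image  = var.image_name
      memory = "0.5Gi"
      name   = "http"
    }
  }

  lifecycle {
    # Fail at plan time when the image does not name the configured registry,
    # instead of surfacing later as UNAUTHORIZED from CreateOrUpdate.
    precondition {
      condition     = startswith(var.image_name, "${local.registry_server}/")
      error_message = "image_name must start with the registry host set in the registry block."
    }
  }
}
```

`startswith` requires Terraform 1.3 or later, which the 1.5.2 version reported in the issue satisfies.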