hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for System Managed Identity for ACR Pulls in `azurerm_container_app_job` #27141

Open mcaulifn opened 3 weeks ago

mcaulifn commented 3 weeks ago

Description

Add support for using System Managed Identities when setting registry permissions in azurerm_container_app_job. Currently, a separate user assigned identity is required which adds an additional resource. This is possible when using the UI.

The registry block could default to using the SystemAssigned identity if the identity block is configured that way.

New or Affected Resource(s)/Data Source(s)

azurerm_container_app_job

Potential Terraform Configuration

```hcl
resource "azurerm_container_app_job" "this" {
  name                         = var.app_name
  location                     = azurerm_resource_group.rg.location
  resource_group_name          = azurerm_resource_group.rg.name
  container_app_environment_id = azurerm_container_app_environment.this.id

  identity {
    type = "SystemAssigned"
  }

  # Proposal: no identity argument here; the registry block would fall back to
  # the SystemAssigned identity configured above.
  registry {
    server = data.azurerm_container_registry.acr.login_server
  }
}
```


References

https://github.com/hashicorp/terraform-provider-azurerm/issues/26871

harshavmb commented 2 weeks ago

I can't visualize how this is going to work here. I also see the secret block supporting UMIs & SMIs, but both kinds of MI need to be granted appropriate access on the Key Vault resource. I do hope it's the same with the registry block. UMIs could be granted RBAC roles beforehand, but that's not possible with SMIs, right?

My assumption is that in the Portal, SMIs are granted access on the registry resource on the fly, which isn't possible unless a role assignment resource is called. I am not sure if this is solved for other resources.
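For reference, here is the user-assigned identity workaround the issue describes, with the AcrPull role assignment ordered so that it exists before the job is created. This is an added example, not code from the issue or from the azurerm provider; the identity name, the `job` container name and image, and the `replica_timeout_in_seconds`/trigger values are assumptions, and the resource group, environment and ACR data source are assumed to exist under the names the issue already uses.

```hcl
# Added example, not code from the issue or from the azurerm provider.
# Assumes azurerm_resource_group.rg, azurerm_container_app_environment.this and
# data.azurerm_container_registry.acr already exist as in the issue's config.

resource "azurerm_user_assigned_identity" "acr_pull" {
  name                = "${var.app_name}-acr-pull" # assumed naming
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# A user-assigned identity has a principal_id as soon as it is created, so the
# role assignment can exist before the job does.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.acr_pull.principal_id
}

resource "azurerm_container_app_job" "this" {
  name                         = var.app_name
  location                     = azurerm_resource_group.rg.location
  resource_group_name          = azurerm_resource_group.rg.name
  container_app_environment_id = azurerm_container_app_environment.this.id
  replica_timeout_in_seconds   = 600 # assumed

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.acr_pull.id]
  }

  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.acr_pull.id
  }

  manual_trigger_config {
    parallelism              = 1
    replica_completion_count = 1
  }

  template {
    container {
      name   = "job" # assumed
      image  = "${data.azurerm_container_registry.acr.login_server}/job:latest" # assumed image
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }

  # Create the job only after the identity can pull from the registry. With a
  # system-assigned identity this ordering is not available: its principal_id
  # exists only once the job itself exists, so the role assignment would have to
  # reference azurerm_container_app_job.this.identity[0].principal_id and can
  # only be created afterwards.
  depends_on = [azurerm_role_assignment.acr_pull]
}
```

The `depends_on` is the part that matters for the discussion above: Terraform can only guarantee the pull permission is in place at creation time when the principal is known before the job is created, which is exactly what a system-assigned identity cannot provide without a second apply or an out-of-band role grant.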