Container Groups - User Assigned Identity for ACR and Subnets #1946

Open
Romiko opened this issue Mar 18, 2024 · 0 comments

Comments


Romiko commented Mar 18, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please can we add support for subnets and User Assigned Identity for ACR registry credentials? We use Azure DevOps agents at level 0 and level 1 with Azure Container Instances and User Assigned Identities.

modules/compute/container_group

container_group.tf

```hcl
resource "azurerm_container_group" "acg" {
  name                = azurecaf_name.acg.result
  location            = var.location
  resource_group_name = var.resource_group_name
  os_type             = try(var.settings.os_type, "Linux")
  dns_name_label      = try(var.settings.dns_name_label, null)
  tags                = merge(local.tags, try(var.settings.tags, null))
  ip_address_type     = try(var.settings.ip_address_type, "Public")
  restart_policy      = try(var.settings.restart_policy, "Always")
  subnet_ids = try(var.settings.network.subnets, null) == null ? null : [
    for key, value in var.settings.network.subnets : can(value.subnet_id) ? value.subnet_id : var.combined_resources.networking[try(value.lz_key, var.client_config.landingzone_key)][value.vnet_key].subnets[value.subnet_key].id
  ]

  ...

  dynamic "image_registry_credential" {
    for_each = try(var.settings.image_registry_credentials, {})
    content {
      server                    = image_registry_credential.value.server
      username                  = try(data.azurerm_key_vault_secret.image_registry_credential_username[image_registry_credential.key].value, image_registry_credential.value.username, null)
      password                  = try(data.azurerm_key_vault_secret.image_registry_credential_password[image_registry_credential.key].value, image_registry_credential.value.password, null)
      user_assigned_identity_id = try(var.settings.identity, false) == false ? null : try(local.managed_identities[0], null)
    }
  }
}
```

container_groups.tf

```hcl
module "container_groups" {
  source     = "./modules/compute/container_group"
  for_each   = local.compute.container_groups
  depends_on = [module.dynamic_keyvault_secrets]

  location                 = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
  resource_group_name      = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
  base_tags                = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
  client_config            = local.client_config
  combined_diagnostics     = local.combined_diagnostics
  diagnostic_profiles      = try(each.value.diagnostic_profiles, {})
  global_settings          = local.global_settings
  settings                 = each.value
  dynamic_keyvault_secrets = try(local.security.dynamic_keyvault_secrets, {})

  combined_resources = {
    keyvaults          = local.combined_objects_keyvaults
    managed_identities = local.combined_objects_managed_identities
    network_profiles   = local.combined_objects_network_profiles
    networking         = local.combined_objects_networking
  }
}
```

New or Affected Resource(s)

container_groups

Potential Configuration file

container_group.tf

```hcl
resource "azurerm_container_group" "acg" {
  name                = azurecaf_name.acg.result
  location            = var.location
  resource_group_name = var.resource_group_name
  os_type             = try(var.settings.os_type, "Linux")
  dns_name_label      = try(var.settings.dns_name_label, null)
  tags                = merge(local.tags, try(var.settings.tags, null))
  ip_address_type     = try(var.settings.ip_address_type, "Public")
  restart_policy      = try(var.settings.restart_policy, "Always")
  # proposed addition: resolve subnet ids from settings.network.subnets
  subnet_ids = try(var.settings.network.subnets, null) == null ? null : [
    for key, value in var.settings.network.subnets : can(value.subnet_id) ? value.subnet_id : var.combined_resources.networking[try(value.lz_key, var.client_config.landingzone_key)][value.vnet_key].subnets[value.subnet_key].id
  ]

  ...

  dynamic "image_registry_credential" {
    for_each = try(var.settings.image_registry_credentials, {})
    content {
      server                    = image_registry_credential.value.server
      username                  = try(data.azurerm_key_vault_secret.image_registry_credential_username[image_registry_credential.key].value, image_registry_credential.value.username, null)
      password                  = try(data.azurerm_key_vault_secret.image_registry_credential_password[image_registry_credential.key].value, image_registry_credential.value.password, null)
      user_assigned_identity_id = try(var.settings.identity, false) == false ? null : try(local.managed_identities[0], null)
    }
  }
}
```

container_groups.tf

```hcl
module "container_groups" {
  source     = "./modules/compute/container_group"
  for_each   = local.compute.container_groups
  depends_on = [module.dynamic_keyvault_secrets]

  location                 = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
  resource_group_name      = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
  base_tags                = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
  client_config            = local.client_config
  combined_diagnostics     = local.combined_diagnostics
  diagnostic_profiles      = try(each.value.diagnostic_profiles, {})
  global_settings          = local.global_settings
  settings                 = each.value
  dynamic_keyvault_secrets = try(local.security.dynamic_keyvault_secrets, {})

  combined_resources = {
    keyvaults          = local.combined_objects_keyvaults
    managed_identities = local.combined_objects_managed_identities
    network_profiles   = local.combined_objects_network_profiles
    # proposed addition: pass networking objects so subnet keys can be resolved
    networking         = local.combined_objects_networking
  }
}
```

References

No response
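As an added example (not code from the issue or from the CAF project), a consumer-side `container_groups` settings map that exercises the two proposed inputs. The `network.subnets` and `image_registry_credentials` shapes follow the proposed `container_group.tf` above; the `identity` block shape, the `containers` block, and every key and name below are assumptions.

```hcl
# Constructed tfvars fragment; the map is assumed to be what the
# landing zone feeds into local.compute.container_groups.
container_groups = {
  ado_agent_l0 = {
    name               = "ado-agent-l0"
    resource_group_key = "rg_agents"        # assumed resource group key
    os_type            = "Linux"
    # A container group placed in a subnet uses a private address,
    # so the default of "Public" is overridden here.
    ip_address_type = "Private"

    # Proposed: subnets are resolved by vnet/subnet key through
    # combined_resources.networking; a raw subnet_id also works
    # because the module checks can(value.subnet_id) first.
    network = {
      subnets = {
        agents = {
          vnet_key   = "vnet_hub"           # assumed vnet key
          subnet_key = "snet_agents"        # assumed subnet key
        }
      }
    }

    # Proposed: presence of settings.identity makes the module attach
    # local.managed_identities[0] as user_assigned_identity_id.
    # Block shape assumed from other CAF modules.
    identity = {
      type                  = "UserAssigned"
      managed_identity_keys = ["msi_acr_pull"]   # assumed identity key
    }

    # No username/password and no key vault secret: the module's
    # try(...) chain yields null for both, so the pull from ACR relies
    # on the identity (which needs AcrPull on the registry).
    image_registry_credentials = {
      acr = {
        server = "REGISTRY_NAME.azurecr.io"      # placeholder
      }
    }

    # Container definition; shape assumed, not taken from the issue.
    containers = {
      agent = {
        name   = "ado-agent"
        image  = "REGISTRY_NAME.azurecr.io/ado-agent:latest"   # placeholder
        cpu    = "1"
        memory = "2"
      }
    }
  }
}
```

With this shape no registry password is written to the plan or state, and the group is reachable only from the landing zone's subnet rather than a public address.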
