From 7477ec7c7471787bde0e378ac7bd97c759bd9f74 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Thu, 31 Oct 2024 21:30:59 +0100
Subject: [PATCH] add AKS permissions over the ACR

Signed-off-by: Jorge Turrado
---
 terraform/main.tf | 4 ++++
 terraform/modules/azure/aks/main.tf | 10 ++++++++++
 terraform/modules/azure/aks/vars.tf | 5 +++++
 terraform/modules/azure/registry/outputs.tf | 3 +++
 4 files changed, 22 insertions(+)

diff --git a/terraform/main.tf b/terraform/main.tf
index 64906f9..de1a72d 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -109,6 +109,8 @@ module "azure_aks_pr" {
 module.azuread_applications.identity_2 ] + azure_container_registry_id = module.acr_proxy.id + tags = local.tags }
@@ -132,6 +134,8 @@ module "azure_aks_nightly" {
 module.azuread_applications.identity_2 ] + azure_container_registry_id = module.acr_proxy.id + tags = local.tags }
diff --git a/terraform/modules/azure/aks/main.tf b/terraform/modules/azure/aks/main.tf
index 824ec49..d007df5 100644
--- a/terraform/modules/azure/aks/main.tf
+++ b/terraform/modules/azure/aks/main.tf
@@ -56,6 +56,16 @@ resource "azurerm_kubernetes_cluster" "aks" {
 }
 }
 
+## ACR Permissions
+
+resource "azurerm_role_assignment" "kubweb_to_acr" {
+ scope = var.azure_container_registry_id
+ role_definition_name = "AcrPull"
+ principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
+}
+
+## Workload Identity Federation
+
 resource "azurerm_federated_identity_credential" "msi_federation" {
 count = length(var.workload_identity_applications)
 name = "msi_federation-${local.cluster_full_name}-${var.workload_identity_applications[count.index].name}"
diff --git a/terraform/modules/azure/aks/vars.tf b/terraform/modules/azure/aks/vars.tf
index 3cb1ce3..143f9fb 100644
--- a/terraform/modules/azure/aks/vars.tf
+++ b/terraform/modules/azure/aks/vars.tf
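Review bot: The new `azurerm_role_assignment` in terraform/modules/azure/aks/main.tf has no comment recording why `AcrPull` at registry scope is the intended grant, and its resource name `kubweb_to_acr` does not say which principal it binds (the cluster's kubelet identity). Suggest renaming it `aks_kubelet_to_acr` and adding above it `# Least-privilege grant: the kubelet only needs to pull images, so AcrPull scoped to this single registry; never a broader role or a resource-group/subscription scope.` If the first apply of a freshly created cluster fails because the kubelet identity is not yet visible to the role-assignment API, the provider's `skip_service_principal_aad_check = true` on this resource is the usual mitigation, though I cannot tell from the hunk whether that has been observed. It is also worth confirming that `kubelet_identity[0]` is populated for this cluster's identity configuration, since the cluster's identity block lies outside the hunk.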
@@ -36,6 +36,11 @@ variable "node_resource_group_name" {
 description = "AKS nodes resource group name"
 }
 
+variable "azure_container_registry_id" {
+ type = string
+ description = "Azure Container Registry ID"
+}
+
 variable "default_node_pool_count" {
 type = number
 default = 3
diff --git a/terraform/modules/azure/registry/outputs.tf b/terraform/modules/azure/registry/outputs.tf
index e69de29..4ac3a0a 100644
--- a/terraform/modules/azure/registry/outputs.tf
+++ b/terraform/modules/azure/registry/outputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+ value = azurerm_container_registry.acr.id
+}
\ No newline at end of file
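Review bot: `variable "azure_container_registry_id"` in terraform/modules/azure/aks/vars.tf accepts any string, yet its only use is as the `scope` of a role assignment, so a wrong value (a registry name, or the ID of a resource group) would either fail at apply time or grant AcrPull at a wider scope than a single registry. A `validation` block that pins the value to a container-registry resource ID fails fast at plan time instead, and the description should say the full resource ID is expected rather than the registry name.
```hcl
variable "azure_container_registry_id" {
  type        = string
  description = "Full resource ID of the Azure Container Registry the kubelet identity is allowed to pull from"

  validation {
    condition     = can(regex("(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.ContainerRegistry/registries/[^/]+$", var.azure_container_registry_id))
    error_message = "azure_container_registry_id must be a full Azure Container Registry resource ID."
  }
}
```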
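Review bot: `output "id"` in terraform/modules/azure/registry/outputs.tf carries no `description`, and the file is written without a trailing newline (the `\ No newline at end of file` marker). Suggest `description = "Resource ID of the container registry, intended for use as a role-assignment scope"` and ending the file with a newline so the next edit to it does not produce a spurious change on this line.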