turn off admin_enabled and use managed identity for container registry (

#1260) * turn off admin_enabled and use managed identity for container registry --------- Co-authored-by: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-authored-by: halprin <halprin@users.noreply.github.com> Co-authored-by: Samuel Aquino <saquino@flexion.us> Co-authored-by: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com>
CDCgov · Aug 26, 2024 · 326c15b · 326c15b
1 parent b7ae4d6
commit 326c15b
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/operations/template/app.tf b/operations/template/app.tf
@@ -4,7 +4,7 @@ resource "azurerm_container_registry" "registry" {
   resource_group_name = data.azurerm_resource_group.group.name
   location            = data.azurerm_resource_group.group.location
   sku                 = "Standard"
-  admin_enabled       = true
+
   #   below tags are managed by CDC
   lifecycle {
     ignore_changes = [
@@ -24,6 +24,12 @@ resource "azurerm_container_registry" "registry" {
   }
 }
 
+resource "azurerm_role_assignment" "allow_app_to_pull_from_registry" {
+  principal_id         = azurerm_linux_web_app.api.identity.0.principal_id
+  role_definition_name = "AcrPull"
+  scope                = azurerm_container_registry.registry.id
+}
+
 # Create the staging service plan
 resource "azurerm_service_plan" "plan" {
   name                   = "cdcti-${var.environment}-service-plan"
@@ -69,6 +75,8 @@ resource "azurerm_linux_web_app" "api" {
 
     scm_use_main_ip_restriction = local.cdc_domain_environment ? true : null
 
+    container_registry_use_managed_identity = true
+
     dynamic "ip_restriction" {
       for_each = local.cdc_domain_environment ? [1] : []