chore: use identity instead of password for ACR

pankajagrawal16 · pankajagrawal16 · commit f8fde0455959 · 2023-04-14T14:16:26.000+02:00
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -100,17 +100,6 @@ param keyVaultName string = '${prefix}kv-${uniqueString(resourceGroup().id)}${su
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-@description('The password name of the container registry.')
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
-
 @description('The image for the backend processor service.')
 param backendProcessorServiceImage string
 
@@ -212,9 +201,6 @@ module containerApps 'modules/container-apps.bicep' = {
     backendApiServiceName: backendApiServiceName
     frontendWebAppServiceName: frontendWebAppServiceName    
     containerAppsEnvironmentName: containerAppsEnvironmentName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
     keyVaultId: keyVault.outputs.keyVaultId
     serviceBusName: serviceBus.outputs.serviceBusName
     serviceBusTopicName: serviceBus.outputs.serviceBusTopicName
diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json
@@ -62,15 +62,6 @@
     "containerRegistryName": {
       "value": "<CONTAINER_REGISTRY_NAME>"
     },
-    "containerRegistryUsername": {
-      "value": "<CONTAINER_REGISTRY_ADMIN>"
-    },
-    "containerRegistryPasswordRefName": {
-      "value": "acaworkshopacrazurecrio-acaworkshopacr"
-    },
-    "containerRegistryPassword": {
-      "value": "<CONTAINER_REGISTRY_PASSWORD>"
-    },
     "backendProcessorServiceImage": {
       "value": "<CONTAINER_REGISTRY_NAME>.azurecr.io/tasksmanager/tasksmanager-backend-processor:latest"
     },
diff --git a/bicep/modules/container-apps.bicep b/bicep/modules/container-apps.bicep
@@ -65,16 +65,6 @@ param externalStorageAccountName string
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
-
 @description('The image for the backend api service.')
 param backendApiServiceImage string
 
@@ -87,6 +77,9 @@ param frontendWebAppServiceImage string
 @description('The name of the application insights.')
 param applicationInsightsName string
 
+var containerRegistryPullRoleGuid='7f951dda-4ed3-4680-a7ca-43fe172d538d'
+
+
 // ------------------
 // RESOURCES
 // ------------------
@@ -100,6 +93,26 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing
   name: applicationInsightsName
 }
 
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: containerRegistryName
+}
+
+resource containerRegistryUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: 'aca-user-identity-${uniqueString(resourceGroup().id)}'
+  location: location
+  tags: tags
+}
+
+resource containerRegistryPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if(!empty(containerRegistryName)) {
+  name: guid(subscription().id, containerRegistry.id, containerRegistryUserAssignedIdentity.id) 
+  scope: containerRegistry
+  properties: {
+    principalId: containerRegistryUserAssignedIdentity.properties.principalId
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', containerRegistryPullRoleGuid)
+    principalType: 'ServicePrincipal'
+  }
+}
+
 module frontendWebAppService 'container-apps/webapp-frontend-service.bicep' = {
   name: 'frontendWebAppService-${uniqueString(resourceGroup().id)}'
   params: {
@@ -108,11 +121,10 @@ module frontendWebAppService 'container-apps/webapp-frontend-service.bicep' = {
     tags: tags
     containerAppsEnvironmentId: containerAppsEnvironment.id
     containerRegistryName: containerRegistryName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
+    containerRegistryUserAssignedIdentityId: containerRegistryUserAssignedIdentity.id
     frontendWebAppServiceImage: frontendWebAppServiceImage
     appInsightsInstrumentationKey: applicationInsights.properties.InstrumentationKey
+    
   }
 }
 
@@ -126,9 +138,7 @@ module backendApiService 'container-apps/webapi-backend-service.bicep' = {
     serviceBusName: serviceBusName
     serviceBusTopicName: serviceBusTopicName
     containerRegistryName: containerRegistryName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
+    containerRegistryUserAssignedIdentityId: containerRegistryUserAssignedIdentity.id
     backendApiServiceImage: backendApiServiceImage
     cosmosDbName: cosmosDbName
     cosmosDbDatabaseName: cosmosDbDatabaseName
@@ -149,9 +159,7 @@ module backendProcessorService 'container-apps/processor-backend-service.bicep'
     serviceBusTopicName: serviceBusTopicName
     serviceBusTopicAuthorizationRuleName: serviceBusTopicAuthorizationRuleName
     containerRegistryName: containerRegistryName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
+    containerRegistryUserAssignedIdentityId: containerRegistryUserAssignedIdentity.id
     sendGridKeySecretName: sendGridKeySecretName
     sendGridKeySecretValue: sendGridKeySecretValue
     externalStorageAccountName: externalStorageAccountName
diff --git a/bicep/modules/container-apps/processor-backend-service.bicep b/bicep/modules/container-apps/processor-backend-service.bicep
@@ -54,16 +54,8 @@ param externalStorageAccountName string
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-@description('The password name of the container registry.')
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
+@description('The resource ID of the user assigned managed identity for the container registry to be able to pull images from it.')
+param containerRegistryUserAssignedIdentityId string
 
 @description('The image for the backend processor service.')
 param backendProcessorServiceImage string
@@ -106,7 +98,10 @@ resource backendProcessorService 'Microsoft.App/containerApps@2022-06-01-preview
   location: location
   tags: tags
   identity: {
-    type: 'SystemAssigned'
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+        '${containerRegistryUserAssignedIdentityId}': {}
+    }
   }
   properties: {
     managedEnvironmentId: containerAppsEnvironmentId
@@ -129,16 +124,11 @@ resource backendProcessorService 'Microsoft.App/containerApps@2022-06-01-preview
           name: 'appinsights-key'
           value: appInsightsInstrumentationKey
         }
-        {
-          name: containerRegistryPasswordRefName
-          value: containerRegistryPassword
-        }
       ]
       registries: !empty(containerRegistryName) ? [
         {
           server: '${containerRegistryName}.azurecr.io'
-          username: containerRegistryUsername
-          passwordSecretRef: containerRegistryPasswordRefName
+          identity: containerRegistryUserAssignedIdentityId
         }
       ] : []
     }
diff --git a/bicep/modules/container-apps/webapi-backend-service.bicep b/bicep/modules/container-apps/webapi-backend-service.bicep
@@ -37,16 +37,8 @@ param cosmosDbCollectionName string
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-@description('The password name of the container registry.')
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string 
+@description('The resource ID of the user assigned managed identity for the container registry to be able to pull images from it.')
+param containerRegistryUserAssignedIdentityId string
 
 @description('The image for the backend api service.')
 param backendApiServiceImage string
@@ -87,7 +79,10 @@ resource backendApiService 'Microsoft.App/containerApps@2022-06-01-preview' = {
   location: location
   tags: tags
   identity: {
-    type: 'SystemAssigned'
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+        '${containerRegistryUserAssignedIdentityId}': {}
+    }
   }
   properties: {
     managedEnvironmentId: containerAppsEnvironmentId
@@ -108,19 +103,14 @@ resource backendApiService 'Microsoft.App/containerApps@2022-06-01-preview' = {
       registries: !empty(containerRegistryName) ? [
         {
           server: '${containerRegistryName}.azurecr.io'
-          username: containerRegistryUsername
-          passwordSecretRef: containerRegistryPasswordRefName
+          identity: containerRegistryUserAssignedIdentityId
         }
       ] : []
       secrets: [
         {
           name: 'appinsights-key'
           value: appInsightsInstrumentationKey
         }
-        {
-          name: containerRegistryPasswordRefName
-          value: containerRegistryPassword
-        }
       ]
     }
     template: {
diff --git a/bicep/modules/container-apps/webapp-frontend-service.bicep b/bicep/modules/container-apps/webapp-frontend-service.bicep
@@ -20,16 +20,8 @@ param frontendWebAppServiceName string
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-@description('The password name of the container registry.')
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
+@description('The resource ID of the user assigned managed identity for the container registry to be able to pull images from it.')
+param containerRegistryUserAssignedIdentityId string
 
 @description('The image for the frontend web app service.')
 param frontendWebAppServiceImage string
@@ -46,6 +38,12 @@ resource frontendWebAppService 'Microsoft.App/containerApps@2022-06-01-preview'
   name: frontendWebAppServiceName
   location: location
   tags: tags
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+        '${containerRegistryUserAssignedIdentityId}': {}
+    }
+  }
   properties: {
     managedEnvironmentId: containerAppsEnvironmentId
     configuration: {
@@ -67,16 +65,11 @@ resource frontendWebAppService 'Microsoft.App/containerApps@2022-06-01-preview'
           name: 'appinsights-key'
           value: appInsightsInstrumentationKey
         }
-        {
-          name: containerRegistryPasswordRefName
-          value: containerRegistryPassword
-        }
       ]
       registries: !empty(containerRegistryName) ? [
         {
           server: '${containerRegistryName}.azurecr.io'
-          username: containerRegistryUsername
-          passwordSecretRef: containerRegistryPasswordRefName
+          identity: containerRegistryUserAssignedIdentityId
         }
       ] : []
     }
diff --git a/docs/aca/10-aca-iac-bicep/index.md b/docs/aca/10-aca-iac-bicep/index.md
@@ -344,17 +344,11 @@ Next, we will prepare container images for the three container apps and update t
 
     3. Update the `main.parameters.jsonc` file with the container registry name and the container images names as shown below:
 
-        ```json hl_lines="3 6 9 12 15 18"
+        ```json hl_lines="3 6 9 12"
         {
             "containerRegistryName": {
                 "value": "<CONTAINER_REGISTRY_NAME>"
             },
-            "containerRegistryUsername": {
-              "value": "<CONTAINER_REGISTRY_ADMIN>"
-            },
-            "containerRegistryPassword": {
-                "value": "<CONTAINER_REGISTRY_PASSWORD>"
-            },
             "backendProcessorServiceImage": {
                 "value": "<CONTAINER_REGISTRY_NAME>.azurecr.io/tasksmanager/<BACKEND_API_NAME>:latest"
             },
@@ -405,17 +399,11 @@ Next, we will prepare container images for the three container apps and update t
 
     3. Update the `main.parameters.jsonc` file with the container registry name and the container images names as shown below:
 
-        ```json hl_lines="3 6 9 12 15 18"
+        ```json hl_lines="3 6 9 12"
         {
             "containerRegistryName": {
                 "value": "<CONTAINER_REGISTRY_NAME>"
             },
-            "containerRegistryUsername": {
-              "value": "<CONTAINER_REGISTRY_ADMIN>"
-            },
-            "containerRegistryPassword": {
-                "value": "<CONTAINER_REGISTRY_PASSWORD>"
-            },
             "backendProcessorServiceImage": {
                 "value": "<CONTAINER_REGISTRY_NAME>.azurecr.io/tasksmanager/tasksmanager-backend-processor:latest"
             },
diff --git a/docs/assets/images/10-aca-iac-bicep/aca-rescources.jpg b/docs/assets/images/10-aca-iac-bicep/aca-rescources.jpg
