Merge pull request Azure#60 from Azure/image-to-ghcr

Simplify image creation for bicep module by pushing latest image to GHCR

Author: waelkdouh

.github/workflows/publish-images.yml

@@ -0,0 +1,145 @@
+name: Create and publish a Docker images for apps
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'TasksTracker.Processor.Backend.Svc/**'
+      - 'TasksTracker.TasksManager.Backend.Api/**'
+      - 'TasksTracker.WebPortal.Frontend.Ui/**'
+  workflow_dispatch: {}
+
+env:
+  REGISTRY: ghcr.io
+  BACKEND_API_IMAGE_NAME: azure/tasksmanager-backend-api
+  FRONTEND_APP_IMAGE_NAME: azure/tasksmanager-frontend-webapp
+  BACKEND_PROCESSOR_IMAGE_NAME: azure/tasksmanager-backend-processor
+
+jobs:
+  detect-changes:
+    name: Detect apps which has changed to trigger image jobs conditionally
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      backend: ${{ steps.filter.outputs.backend }}
+      frontend: ${{ steps.filter.outputs.frontend }}
+      processor: ${{ steps.filter.outputs.processor }}
+    steps:
+    - uses: actions/checkout@v3
+    - uses: dorny/paths-filter@v2
+      id: filter
+      with:
+        filters: |
+          backend:
+            - 'TasksTracker.TasksManager.Backend.Api/**'
+          frontend:
+            - 'TasksTracker.WebPortal.Frontend.Ui/**'
+          processor:
+            - 'TasksTracker.Processor.Backend.Svc/**'
+
+  build-and-push-backend-image:
+    needs: detect-changes
+    name: Build and push backend image
+    if: ${{ needs.detect-changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.BACKEND_API_IMAGE_NAME }}
+          tags: |
+              type=raw,value=latest,enable={{is_default_branch}}
+              type=ref,event=branch
+              type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          file: ./TasksTracker.TasksManager.Backend.Api/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  build-and-push-frontend-image:
+    needs: detect-changes
+    name: Build and push frontend image
+    if: ${{ needs.detect-changes.outputs.frontend == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.FRONTEND_APP_IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch
+            type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          file: ./TasksTracker.WebPortal.Frontend.Ui/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  build-and-push-backend-processor-image:
+    needs: detect-changes
+    name: Build and push backend processor image
+    if: ${{ needs.detect-changes.outputs.processor == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.BACKEND_PROCESSOR_IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch
+            type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          file: ./TasksTracker.Processor.Backend.Svc/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

TasksTracker.Processor.Backend.Svc/TasksTracker.Processor.Backend.Svc.csproj

@@ -14,5 +14,4 @@
     <PackageReference Include="SendGrid" Version="9.28.1" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.21.0" />
   </ItemGroup>
-
 </Project>

TasksTracker.TasksManager.Backend.Api/TasksTracker.TasksManager.Backend.Api.csproj

@@ -14,5 +14,4 @@
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.15.1" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.21.0" />
   </ItemGroup>
-
 </Project>

TasksTracker.WebPortal.Frontend.Ui/TasksTracker.WebPortal.Frontend.Ui.csproj

@@ -13,5 +13,4 @@
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.15.1" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.21.0" />
   </ItemGroup>
-
 </Project>

bicep/main.bicep

@@ -100,17 +100,6 @@ param keyVaultName string = '${prefix}kv-${uniqueString(resourceGroup().id)}${su
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-@description('The password name of the container registry.')
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
-
 @description('The image for the backend processor service.')
 param backendProcessorServiceImage string
 
@@ -212,9 +201,6 @@ module containerApps 'modules/container-apps.bicep' = {
     backendApiServiceName: backendApiServiceName
     frontendWebAppServiceName: frontendWebAppServiceName    
     containerAppsEnvironmentName: containerAppsEnvironmentName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
     keyVaultId: keyVault.outputs.keyVaultId
     serviceBusName: serviceBus.outputs.serviceBusName
     serviceBusTopicName: serviceBus.outputs.serviceBusTopicName

bicep/main.parameters.json

@@ -62,15 +62,6 @@
     "containerRegistryName": {
       "value": "<CONTAINER_REGISTRY_NAME>"
     },
-    "containerRegistryUsername": {
-      "value": "<CONTAINER_REGISTRY_ADMIN>"
-    },
-    "containerRegistryPasswordRefName": {
-      "value": "acaworkshopacrazurecrio-acaworkshopacr"
-    },
-    "containerRegistryPassword": {
-      "value": "<CONTAINER_REGISTRY_PASSWORD>"
-    },
     "backendProcessorServiceImage": {
       "value": "<CONTAINER_REGISTRY_NAME>.azurecr.io/tasksmanager/tasksmanager-backend-processor:latest"
     },

bicep/modules/container-apps.bicep

@@ -65,16 +65,6 @@ param externalStorageAccountName string
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
-
 @description('The image for the backend api service.')
 param backendApiServiceImage string
 
@@ -87,6 +77,9 @@ param frontendWebAppServiceImage string
 @description('The name of the application insights.')
 param applicationInsightsName string
 
+var containerRegistryPullRoleGuid='7f951dda-4ed3-4680-a7ca-43fe172d538d'
+
+
 // ------------------
 // RESOURCES
 // ------------------
@@ -100,6 +93,26 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing
   name: applicationInsightsName
 }
 
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: containerRegistryName
+}
+
+resource containerRegistryUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: 'aca-user-identity-${uniqueString(resourceGroup().id)}'
+  location: location
+  tags: tags
+}
+
+resource containerRegistryPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if(!empty(containerRegistryName)) {
+  name: guid(subscription().id, containerRegistry.id, containerRegistryUserAssignedIdentity.id) 
+  scope: containerRegistry
+  properties: {
+    principalId: containerRegistryUserAssignedIdentity.properties.principalId
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', containerRegistryPullRoleGuid)
+    principalType: 'ServicePrincipal'
+  }
+}
+
 module frontendWebAppService 'container-apps/webapp-frontend-service.bicep' = {
   name: 'frontendWebAppService-${uniqueString(resourceGroup().id)}'
   params: {
@@ -108,11 +121,10 @@ module frontendWebAppService 'container-apps/webapp-frontend-service.bicep' = {
     tags: tags
     containerAppsEnvironmentId: containerAppsEnvironment.id
     containerRegistryName: containerRegistryName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
+    containerRegistryUserAssignedIdentityId: containerRegistryUserAssignedIdentity.id
     frontendWebAppServiceImage: frontendWebAppServiceImage
     appInsightsInstrumentationKey: applicationInsights.properties.InstrumentationKey
+    
   }
 }
 
@@ -126,9 +138,7 @@ module backendApiService 'container-apps/webapi-backend-service.bicep' = {
     serviceBusName: serviceBusName
     serviceBusTopicName: serviceBusTopicName
     containerRegistryName: containerRegistryName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
+    containerRegistryUserAssignedIdentityId: containerRegistryUserAssignedIdentity.id
     backendApiServiceImage: backendApiServiceImage
     cosmosDbName: cosmosDbName
     cosmosDbDatabaseName: cosmosDbDatabaseName
@@ -149,9 +159,7 @@ module backendProcessorService 'container-apps/processor-backend-service.bicep'
     serviceBusTopicName: serviceBusTopicName
     serviceBusTopicAuthorizationRuleName: serviceBusTopicAuthorizationRuleName
     containerRegistryName: containerRegistryName
-    containerRegistryUsername: containerRegistryUsername
-    containerRegistryPasswordRefName: containerRegistryPasswordRefName
-    containerRegistryPassword: containerRegistryPassword
+    containerRegistryUserAssignedIdentityId: containerRegistryUserAssignedIdentity.id
     sendGridKeySecretName: sendGridKeySecretName
     sendGridKeySecretValue: sendGridKeySecretValue
     externalStorageAccountName: externalStorageAccountName

bicep/modules/container-apps/processor-backend-service.bicep

@@ -54,16 +54,8 @@ param externalStorageAccountName string
 @description('The name of the container registry.')
 param containerRegistryName string
 
-@description('The username of the container registry user.')
-param containerRegistryUsername string
-
-@description('The password name of the container registry.')
-// We disable lint of this line as it is not a secret
-#disable-next-line secure-secrets-in-params
-param containerRegistryPasswordRefName string
-
-@secure()
-param containerRegistryPassword string
+@description('The resource ID of the user assigned managed identity for the container registry to be able to pull images from it.')
+param containerRegistryUserAssignedIdentityId string
 
 @description('The image for the backend processor service.')
 param backendProcessorServiceImage string
@@ -106,7 +98,10 @@ resource backendProcessorService 'Microsoft.App/containerApps@2022-06-01-preview
   location: location
   tags: tags
   identity: {
-    type: 'SystemAssigned'
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+        '${containerRegistryUserAssignedIdentityId}': {}
+    }
   }
   properties: {
     managedEnvironmentId: containerAppsEnvironmentId
@@ -129,18 +124,13 @@ resource backendProcessorService 'Microsoft.App/containerApps@2022-06-01-preview
           name: 'appinsights-key'
           value: appInsightsInstrumentationKey
         }
-        {
-          name: containerRegistryPasswordRefName
-          value: containerRegistryPassword
-        }
       ]
-      registries: [
+      registries: !empty(containerRegistryName) ? [
         {
           server: '${containerRegistryName}.azurecr.io'
-          username: containerRegistryUsername
-          passwordSecretRef: containerRegistryPasswordRefName
+          identity: containerRegistryUserAssignedIdentityId
         }
-      ]
+      ] : []
     }
     template: {
       containers: [