acrpull-roleassignment.bicep
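// Deployed at resource-group scope. The registry is looked up by name with no
// explicit scope, so it must live in the resource group this module targets.
targetScope = 'resourceGroup'

/*** PARAMETERS ***/

@description('The name of the Azure Container Registry to perform the role assignment on.')
@minLength(1)
param containerRegistryName string

// Passed as the role assignment's principalId, so this must be the identity's
// principal (object) ID rather than its client ID or resource ID. The length
// bounds only enforce the 36-character GUID shape; they do not prove that the
// principal exists or that it is the intended identity.
@description('The existing user managed identity principal id to grant the ACR pull role to. This is a GUID.')
@minLength(36)
@maxLength(36)
param containerAppUserPrincipalId string

// Used only to build the human-readable description on the role assignment.
@description('Name of the Azure Container Apps resource.')
@minLength(1)
param containerAppName string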
/*** EXISTING RESOURCE ***/
// Reference to a registry that is already deployed; this declaration creates
// and modifies nothing, it only resolves the resource for use as a scope.
// NOTE(review): this pins a -preview API version; confirm whether a stable
// version is acceptable for this reference.
@description('Existing container registry')
resource existingContainerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
  name: containerRegistryName
}

// Built-in role definition, resolved at subscription scope by its fixed GUID.
// Referencing it by ID rather than by display name keeps the grant unambiguous.
@description('Built-in ACR Pull role')
resource builtInAcrPullRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
  scope: subscription()
}
/*** RESOURCES ***/
@description('The ACR Pull role assignment between the managed identity and the ACR instance.')
resource acrPullAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Least privilege: the grant is scoped to this one registry, not to the
  // resource group or subscription that contains it.
  scope: existingContainerRegistry
  // guid() is deterministic, so the same principal/role/registry triple always
  // yields the same assignment name and a redeploy does not create a duplicate.
  name: guid(containerAppUserPrincipalId, builtInAcrPullRole.id, existingContainerRegistry.id)
  properties: {
    roleDefinitionId: builtInAcrPullRole.id
    principalId: containerAppUserPrincipalId
    // Managed identities are service principals. Stating the type explicitly
    // lets the assignment succeed for a just-created identity that has not
    // yet replicated in the directory.
    principalType: 'ServicePrincipal'
    // Shown to anyone auditing role assignments on the registry.
    description: 'Allows the ${containerAppName} to pull images from this container registry.'
  }
}