通过 Terraform 中 azure 应用服务的角色分配访问 azure 容器注册表 (ACR)

Question

I have a azure app service that is provisioned by Terraform. The app service fires up the docker image from Azure ACR there fore it need to access the ACR. I'm currently using the password and login name method in my Terraform configuration. How can I make the azure app service to access the ACR by service principle role assignment in Terraform?

resource "azurerm_app_service" "tf_app_service" {
  name                = var.application_name
  location            = azurerm_resource_group.tf_resource_group.location
  resource_group_name = azurerm_resource_group.tf_resource_group.name
  app_service_plan_id = azurerm_app_service_plan.tf_service_plan.id

  site_config {
    always_on        = true
    linux_fx_version = "DOCKER|${var.acr_name}.azurecr.io/${var.img_repo_name}:${var.tag}"
  }

  // How to use role assignment?
  app_settings = {
    DOCKER_REGISTRY_SERVER_URL          = // need to avoid docker URL
    WEBSITES_ENABLE_APP_SERVICE_STORAGE = "false"
    DOCKER_REGISTRY_SERVER_USERNAME     = // need to avoid user name
    DOCKER_REGISTRY_SERVER_PASSWORD     = // need to avoid PW
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    environment = var.environment
    DeployedBy  = "terraform"
  }
}

Answer 1

The steps to use a Service Principle to access ACR are lined out here .

So to do the same in Terraform, you need to first create a new service principle . Then assign a password to it. Afterwards you should be able to use those two to fill the app settings of your app service.