Deploy Container App and pull image from Azure Container Registry using Terraform

In this blog post, I am going to show how you can deploy an Azure Container App and pull its image from Azure Container Registry using a user-assigned managed identity, all done via Terraform.

In a previous blog post, I did something similar using Terraform and AzAPI, but in a recent Terraform update, 3.43.0, native Terraform container app resources became available.

Please note, there are currently a couple of bugs noted here; I will update the blog post further with public ingress when these issues are resolved.

The diagram below shows what I will be deploying: a container app accessing a container registry using a user-created identity.

Terraform

The Terraform will create:

  • Resource Group
  • Log Analytics Workspace
  • Container App Environment
  • Container App
  • User created identity
  • Assign IAM permissions to an already created container registry for the user created identity
  • Assign user created identity to the container App
  • Successfully deploy container app with image stored in container registry

Resource Group

resource "azurerm_resource_group" "rg" {
  name     = "${var.aca_name}rg"
  location = var.location
}

Log Analytics Workspace

resource "azurerm_log_analytics_workspace" "loganalytics" {
  name                = "${var.aca_name}la"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

Data source for the already created Container Registry

data "azurerm_container_registry" "acr" {
  name                = "tamopsactionacr"
  resource_group_name = "tamops-acr-github"
}

Container App Environment, deployed using the new Terraform resource azurerm_container_app_environment, with the Log Analytics workspace associated so that logs are sent to it

resource "azurerm_container_app_environment" "containerappenv" {
  name                       = "${var.aca_name}containerappenv"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  log_analytics_workspace_id = azurerm_log_analytics_workspace.loganalytics.id
}

Create user assigned identity and associated IAM role assignment

resource "azurerm_user_assigned_identity" "containerapp" {
  location            = azurerm_resource_group.rg.location
  name                = "containerappmi"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "containerapp" {
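  # Scope the assignment to the one registry, and grant pull access only.
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull" # canonical name of the built-in role
  principal_id         = azurerm_user_assigned_identity.containerapp.principal_id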
  depends_on = [
    azurerm_user_assigned_identity.containerapp
  ]
}

Azure Container App using the new Terraform resource azurerm_container_app. Note:

  • Lines 7-10: The user assigned identity created above is configured on the container app
  • Lines 12-15: The registry used to store the image, with authorisation to the container registry through the user assigned managed identity
  • Lines 17-23: Ingress configured for public access, currently commented out because of the Terraform-related issue tracked in the GitHub issue

resource "azurerm_container_app" "containerapp" {
  name                         = "${var.aca_name}app"
  container_app_environment_id = azurerm_container_app_environment.containerappenv.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Multiple"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.containerapp.id]
  }

  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.containerapp.id
  }

  #   ingress {
  #     external_enabled = true
  #     target_port      = 80
  #     traffic_weight {
  #       percentage = 100
  #     }
  #   }
  template {
    container {
      name   = "firstcontainerappacracr"
      image  = "${data.azurerm_container_registry.acr.login_server}/aspcoresample:76ef8d9511d310649729a28563fdf6d133338e30"
      cpu    = 0.25
      memory = "0.5Gi"

      readiness_probe {
        transport = "HTTP"
        port      = 80
      }

      liveness_probe {
        transport = "HTTP"
        port      = 80
      }

      startup_probe {
        transport = "HTTP"
        port      = 80
      }
    }
  }

}
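
The configuration above relies on two properties: the container app authenticates to the registry with the managed identity rather than a stored credential, and that identity holds only AcrPull on the one registry. The Python below is an added example, not part of the original post or its repository, that checks both against the JSON produced by `terraform show -json <planfile>`. The function name `audit_plan`, the sample plan and the placeholder subscription ID are constructed for illustration, and the check assumes every role assignment in the plan belongs to the pull identity.

```python
import re

# Resource ID suffix of a single registry; a shorter scope (resource group,
# subscription) would let the identity pull from every registry beneath it.
REGISTRY_SCOPE = re.compile(
    r"/providers/Microsoft\.ContainerRegistry/registries/[^/]+$", re.IGNORECASE)


def audit_plan(plan: dict) -> list:
    """Return findings for a `terraform show -json` plan (empty list = pass)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if rc["type"] == "azurerm_container_app":
            unknown_regs = unknown.get("registry")
            for i, reg in enumerate(after.get("registry") or []):
                # Values only known after apply are missing from "after" and
                # flagged true in "after_unknown", e.g. a new identity's ID.
                known_later = isinstance(unknown_regs, list) and i < len(unknown_regs)
                pending = unknown_regs[i] if known_later else {}
                if not (reg.get("identity") or pending.get("identity")):
                    findings.append(f"{rc['address']}: registry has no managed identity")
                if reg.get("username") or reg.get("password_secret_name"):
                    findings.append(f"{rc['address']}: registry uses a stored credential")
        elif rc["type"] == "azurerm_role_assignment":
            role = after.get("role_definition_name") or ""
            if role.lower() != "acrpull":
                findings.append(f"{rc['address']}: role '{role}' is not AcrPull")
            if not REGISTRY_SCOPE.search(after.get("scope") or ""):
                findings.append(f"{rc['address']}: scope is not a single registry")
    return findings


# Constructed sample, shaped like the plan for the resources in this post.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "azurerm_container_app.containerapp", "type": "azurerm_container_app",
     "change": {"after": {"registry": [{"server": "tamopsactionacr.azurecr.io"}]},
                "after_unknown": {"registry": [{"identity": True}]}}},
    {"address": "azurerm_role_assignment.containerapp", "type": "azurerm_role_assignment",
     "change": {"after": {"role_definition_name": "AcrPull",
                          "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                   "/resourceGroups/tamops-acr-github/providers"
                                   "/Microsoft.ContainerRegistry/registries/tamopsactionacr"},
                "after_unknown": {"principal_id": True}}},
]}

if __name__ == "__main__":
    print(audit_plan(SAMPLE_PLAN) or "plan passes the registry access checks")
```
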

After a successful Terraform deployment, the resources below are created

Reviewing the deployed container app, we can see the user assigned identity

Finally, reviewing the registry information – we can see the registry image and tag referenced correctly.

Full example code found here

These are relatively new Terraform resources; I look forward to them maturing further.
