In this blog post, I am going to show how you can deploy an Azure Container App and pull its image from Azure Container Registry using a user assigned managed identity, all done via Terraform.
In a previous blog post, I did something similar using Terraform and AzAPI, but with the recent 3.43.0 release of the Terraform azurerm provider, native container app resources became available.
Please note, there are currently a couple of bugs, noted in the issues below; I will update the blog post with public ingress once they are resolved.
- https://github.com/hashicorp/terraform-provider-azurerm/issues/20435
- https://github.com/hashicorp/terraform-provider-azurerm/issues/20537
The diagram below shows what I will be deploying: a container app accessing a container registry using a user assigned identity.

Terraform
The Terraform will create:
- Resource Group
- Log Analytics Workspace
- Container App Environment
- Container App
- User assigned identity
- IAM role assignment on an already created container registry for the user assigned identity
- Assignment of the user assigned identity to the Container App
- A successfully deployed container app running an image stored in the container registry
Resource Group
resource "azurerm_resource_group" "rg" {
  name     = "${var.aca_name}rg"
  location = var.location
}
Log Analytics Workspace
resource "azurerm_log_analytics_workspace" "loganalytics" {
  name                = "${var.aca_name}la"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}
Data source for the already created Container Registry
data "azurerm_container_registry" "acr" {
  name                = "tamopsactionacr"
  resource_group_name = "tamops-acr-github"
}
Container App Environment deployed using the new Terraform resource azurerm_container_app_environment, with the Log Analytics workspace associated so that logs are sent to it
resource "azurerm_container_app_environment" "containerappenv" {
  name                       = "${var.aca_name}containerappenv"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  log_analytics_workspace_id = azurerm_log_analytics_workspace.loganalytics.id
}
Create the user assigned identity and its IAM role assignment (AcrPull, scoped to the registry only)
resource "azurerm_user_assigned_identity" "containerapp" {
  location            = azurerm_resource_group.rg.location
  name                = "containerappmi"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "containerapp" {
  # Scope is the single registry, not the resource group or subscription
  scope                = data.azurerm_container_registry.acr.id
  # Built-in role name is "AcrPull"; pull-only, no push or delete rights
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.containerapp.principal_id
  depends_on = [
    azurerm_user_assigned_identity.containerapp
  ]
}
Azure Container App using the new Terraform resource azurerm_container_app, note:
- identity block: the user assigned identity created above is attached to the container app
- registry block: the registry that stores the image, with authorisation to the registry via the user assigned managed identity
- ingress block: this would configure public access, but it is commented out for now because of the Terraform issues linked above
resource "azurerm_container_app" "containerapp" {
  name                         = "${var.aca_name}app"
  container_app_environment_id = azurerm_container_app_environment.containerappenv.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Multiple"

  # Attach the user assigned identity created above to the app
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.containerapp.id]
  }

  # Pull from the registry with that identity; no username/password needed
  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.containerapp.id
  }

  # Public ingress, commented out until the linked provider issues are resolved
  # ingress {
  #   external_enabled = true
  #   target_port      = 80
  #   traffic_weight {
  #     percentage = 100
  #   }
  # }

  template {
    container {
      name   = "firstcontainerappacracr"
      image  = "${data.azurerm_container_registry.acr.login_server}/aspcoresample:76ef8d9511d310649729a28563fdf6d133338e30"
      cpu    = 0.25
      memory = "0.5Gi"

      readiness_probe {
        transport = "HTTP"
        port      = 80
      }
      liveness_probe {
        transport = "HTTP"
        port      = 80
      }
      startup_probe {
        transport = "HTTP"
        port      = 80
      }
    }
  }
}
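As an added example (not part of the original post), here is a small Python check I would run over the `terraform show -json` output after apply to confirm the pattern above holds: every container app pulls with a managed identity that is actually attached to it, no registry block carries a username or password secret, and AcrPull is granted only at registry scope rather than a resource group or subscription. The `values.root_module.resources` layout is the documented `terraform show -json` state format; the sample state and the subscription id in it are constructed, and `check_acr_pull.py` is a hypothetical file name.

```python
import json
import sys

REGISTRY_SCOPE = "/providers/Microsoft.ContainerRegistry/registries/"

# Constructed sample state (not real output): one compliant app, one legacy app that
# pulls with registry credentials, and an AcrPull assignment scoped to a resource group.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_MI = f"{_SUB}/resourceGroups/acarg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/containerappmi"
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"address": "azurerm_container_app.containerapp", "type": "azurerm_container_app", "values": {
        "identity": [{"type": "UserAssigned", "identity_ids": [_MI]}],
        "registry": [{"server": "tamopsactionacr.azurecr.io", "identity": _MI,
                      "username": None, "password_secret_name": None}]}},
    {"address": "azurerm_container_app.legacy", "type": "azurerm_container_app", "values": {
        "identity": [],
        "registry": [{"server": "tamopsactionacr.azurecr.io", "identity": None,
                      "username": "tamopsactionacr", "password_secret_name": "acr-password"}]}},
    {"address": "azurerm_role_assignment.containerapp", "type": "azurerm_role_assignment", "values": {
        "role_definition_name": "AcrPull", "scope": f"{_SUB}/resourceGroups/tamops-acr-github"}},
]}}}


def check_state(state: dict) -> list[str]:
    """Return a list of findings for a `terraform show -json` state; empty means it passes."""
    findings = []
    for res in state.get("values", {}).get("root_module", {}).get("resources", []):
        vals, addr = res.get("values", {}), res.get("address", "?")
        if res.get("type") == "azurerm_container_app":
            # identity_ids is null for SystemAssigned-only apps, hence the `or []`
            attached = {i for ident in vals.get("identity", []) for i in (ident.get("identity_ids") or [])}
            for reg in vals.get("registry", []):
                server = reg.get("server", "?")
                if reg.get("username") or reg.get("password_secret_name"):
                    findings.append(f"{addr}: {server} is pulled with static credentials")
                ident = reg.get("identity")
                if not ident:
                    findings.append(f"{addr}: {server} has no managed identity for pulls")
                elif ident not in attached:
                    findings.append(f"{addr}: registry identity {ident} is not attached to the app")
        elif res.get("type") == "azurerm_role_assignment":
            role = (vals.get("role_definition_name") or "").lower()
            scope = vals.get("scope") or ""
            if role == "acrpull" and REGISTRY_SCOPE not in scope:
                findings.append(f"{addr}: AcrPull granted at '{scope}' rather than a single registry")
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json > state.json && python check_acr_pull.py state.json
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    print("\n".join(check_state(state)) or "OK: all pulls use a registry-scoped managed identity")
```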
After a successful Terraform apply, the resources below are deployed

Reviewing the deployed container app, we can see the user assigned identity

Finally, reviewing the registry information, we can see the registry image and tag referenced correctly.

These are relatively new Terraform resources, and I look forward to them maturing further.