Deploy Container App and pull image from Azure Container Registry using Terraform

In this blog post, I am going to show how you can deploy an Azure Container App and have it pull its image from Azure Container Registry using a user-assigned managed identity, all done via Terraform.

In a previous blog post I did something similar using Terraform and AzAPI, but with the recent azurerm provider update 3.43.0, native Terraform Container App resources became available.

Please note that there are currently a couple of bugs noted here; I will update the blog post with public ingress once these issues are resolved.

The diagram below shows what I will be deploying: a container app accessing a container registry using a user-created identity.

Terraform

The terraform will create:

  • Resource Group
  • Log Analytics Workspace
  • Container App Environment
  • Container App
  • User-created identity
  • Assign IAM permissions on an already created container registry to the user-created identity
  • Assign the user-created identity to the Container App
  • Successfully deploy the container app with the image stored in the container registry

Resource Group

resource "azurerm_resource_group" "rg" {
  name     = "${var.aca_name}rg"
  location = var.location
}

Log Analytics Workspace

resource "azurerm_log_analytics_workspace" "loganalytics" {
  name                = "${var.aca_name}la"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

Data source for the already created Container Registry

data "azurerm_container_registry" "acr" {
  name                = "tamopsactionacr"
  resource_group_name = "tamops-acr-github"
}

Container App Environment deployed using the new Terraform resource azurerm_container_app_environment, with the Log Analytics workspace associated so that logs are sent to it

resource "azurerm_container_app_environment" "containerappenv" {
  name                       = "${var.aca_name}containerappenv"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  log_analytics_workspace_id = azurerm_log_analytics_workspace.loganalytics.id
}

Create the user-assigned identity and its associated IAM role assignment

resource "azurerm_user_assigned_identity" "containerapp" {
  location            = azurerm_resource_group.rg.location
  name                = "containerappmi"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "containerapp" {
  # Scope the assignment to the registry only, and grant AcrPull rather than a
  # broader role: the identity can pull images and nothing else.
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.containerapp.principal_id
  depends_on = [
    azurerm_user_assigned_identity.containerapp
  ]
}

Azure Container App using the new Terraform resource azurerm_container_app; note:

  • Lines 7-10: the user-assigned identity created above is attached to the container app
  • Lines 12-15: the registry that stores the image, with authentication to the registry done via the user-assigned managed identity
  • Lines 17-23: ingress for public access, commented out for now because of the Terraform issue tracked in the GitHub issue referenced above

resource "azurerm_container_app" "containerapp" {
  name                         = "${var.aca_name}app"
  container_app_environment_id = azurerm_container_app_environment.containerappenv.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Multiple"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.containerapp.id]
  }

  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.containerapp.id
  }

  #   ingress {
  #     external_enabled = true
  #     target_port = 80
  #     traffic_weight {
  #       percentage = 100
  #     }
  #     }
  template {
    container {
      name   = "firstcontainerappacracr"
      image  = "${data.azurerm_container_registry.acr.login_server}/aspcoresample:76ef8d9511d310649729a28563fdf6d133338e30"
      cpu    = 0.25
      memory = "0.5Gi"

      readiness_probe {
        transport = "HTTP"
        port      = 80
      }

      liveness_probe {
        transport = "HTTP"
        port      = 80
      }

      startup_probe {
        transport = "HTTP"
        port      = 80
      }
    }
  }

}
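The two properties this deployment relies on (the container app authenticates to the registry with the managed identity rather than an admin username and password, and that identity holds only AcrPull on the registry) are easy to regress in later edits. The following is an added example, not code from the post or from the linked repository: a small Python check that reads the JSON emitted by `terraform show -json` (state after apply, or a plan file) and reports any container app registry block that uses credentials instead of an identity, and any role assignment on the registry that exceeds AcrPull. The resource addresses, subscription id and the SAMPLE_DOC document are constructed for the example; the `planned_values`/`values`, `registry`, `scope` and `role_definition_name` keys are those of Terraform's JSON output and the azurerm resources shown above.

```python
"""Offline policy check over Terraform JSON output for an Azure Container App.

Reads the JSON produced by `terraform show -json` (state after apply) or
`terraform show -json tfplan` (a plan) and verifies that:
  1. every registry block on an azurerm_container_app authenticates with a
     managed identity, not a registry admin username/password secret;
  2. the role granted on the registry is AcrPull only.
SAMPLE_DOC below is constructed for this example, not real Terraform output.
"""
import json
import sys

# Built-in roles that grant far more than image pull on a registry.
OVERBROAD_ROLES = {"owner", "contributor", "acrpush", "acrdelete"}


def _resources(doc: dict) -> list:
    """Flatten root and child modules of a plan (planned_values) or state (values)."""
    root = (doc.get("planned_values") or doc.get("values") or {}).get("root_module", {})
    out = []

    def walk(mod):
        out.extend(mod.get("resources", []))
        for child in mod.get("child_modules", []):
            walk(child)

    walk(root)
    return out


def check_registry_auth(doc: dict) -> list:
    """Findings for container apps whose registry block does not use a managed identity."""
    findings = []
    for res in _resources(doc):
        if res.get("type") != "azurerm_container_app":
            continue
        for reg in res.get("values", {}).get("registry") or []:
            server = reg.get("server", "<unknown>")
            if reg.get("username") or reg.get("password_secret_name"):
                findings.append(f"{res['address']}: {server} uses admin username/password secret")
            elif not reg.get("identity"):
                # In a first plan the identity id is not yet known and is omitted from
                # planned_values; run the check against state after apply to avoid this.
                findings.append(f"{res['address']}: {server} has no identity configured")
    return findings


def check_registry_role(doc: dict, registry_id: str) -> list:
    """Findings for role assignments scoped to registry_id that are not AcrPull."""
    findings = []
    for res in _resources(doc):
        if res.get("type") != "azurerm_role_assignment":
            continue
        vals = res.get("values", {})
        if vals.get("scope") != registry_id:
            continue
        role_name = vals.get("role_definition_name") or ""
        if role_name.lower() in OVERBROAD_ROLES:
            findings.append(f"{res['address']}: {role_name} on registry exceeds AcrPull")
        elif role_name.lower() != "acrpull":
            findings.append(f"{res['address']}: unexpected role {role_name!r} on registry")
    return findings


# Constructed sample in `terraform show -json` state layout (subscription id is a placeholder).
REGISTRY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
               "tamops-acr-github/providers/Microsoft.ContainerRegistry/registries/tamopsactionacr")
IDENTITY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acarg/"
               "providers/Microsoft.ManagedIdentity/userAssignedIdentities/containerappmi")
SAMPLE_DOC = {"values": {"root_module": {"resources": [
    # The post's configuration: identity-based pull.
    {"address": "azurerm_container_app.containerapp", "type": "azurerm_container_app",
     "values": {"registry": [{"server": "tamopsactionacr.azurecr.io", "identity": IDENTITY_ID,
                              "username": None, "password_secret_name": None}]}},
    # A second, weaker app using the registry admin account via a secret.
    {"address": "azurerm_container_app.legacy", "type": "azurerm_container_app",
     "values": {"registry": [{"server": "tamopsactionacr.azurecr.io", "identity": None,
                              "username": "tamopsactionacr", "password_secret_name": "acr-password"}],
                "secret": [{"name": "acr-password", "value": "<redacted>"}]}},
    {"address": "azurerm_role_assignment.containerapp", "type": "azurerm_role_assignment",
     "values": {"scope": REGISTRY_ID, "role_definition_name": "AcrPull"}},
]}}}


def run(doc: dict, registry_id: str) -> list:
    """All findings for a document; empty list means both checks pass."""
    return check_registry_auth(doc) + check_registry_role(doc, registry_id)


if __name__ == "__main__":
    # Usage: terraform show -json | python check_aca.py <registry resource id>
    document = json.load(sys.stdin) if len(sys.argv) > 1 else SAMPLE_DOC
    for line in run(document, sys.argv[1] if len(sys.argv) > 1 else REGISTRY_ID):
        print(line)
```

Run without arguments it evaluates the constructed sample and reports only the `legacy` app; piped the real `terraform show -json` output with the registry's resource id as the argument, it gives a non-empty list whenever admin credentials creep back into a registry block or the role on the registry is widened beyond AcrPull.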

After a successful terraform apply, the resources below are deployed

Reviewing the deployed container app, we can see the user-assigned identity.

Finally, reviewing the registry information, we can see the registry image and tag referenced correctly.

The full example code can be found here.

These are relatively new Terraform resources; I look forward to them maturing further.
