I created an Azure Container Registry (ACR) and now need to create a Managed Cluster (AKS). When we use the Azure Portal or Azure CLI, we can integrate an existing ACR. In Pulumi Azure Native, ManagedClusterArgs does not have any property to accept an existing ACR.
How do I attach an already created ACR when creating the Managed Cluster?
Or will assigning the AcrPull role to the automatically created User Assigned Managed Identity (<cluster-name>-agentpool) achieve the same?
Yes, you need to assign the AcrPull role to the managed identity of the cluster (VMSS).
(Make sure that the Service Principal used by the Pulumi CLI has the User Access Administrator role, otherwise Pulumi would not be able to create the role assignment.)
Here is an example using a system-assigned managed identity in TypeScript:
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const containerservice = azure_native.containerservice;

// const resourceGroup = ...
const cluster = new containerservice.ManagedCluster("managedCluster", {
    // ...
    identity: {
        type: "SystemAssigned",
    },
});

// Optional: kubeconfig for the cluster (not needed for the role assignment itself).
const creds = containerservice.listManagedClusterUserCredentialsOutput({
    resourceGroupName: resourceGroup.name,
    resourceName: cluster.name,
});

// The kubelet (agent pool / VMSS) identity is the one that pulls images, so it is
// the principal that needs AcrPull, not the control-plane identity.
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);

// const registry = ...
// const subscriptionId = ...
// AcrPull built-in role definition id (the GUID is fixed across subscriptions).
const roleDefinitionId = `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;

// RoleAssignmentArgs take principalId/roleDefinitionId/scope directly (no `properties` wrapper).
// Scope the assignment to the registry only, so the identity can pull from nothing else.
const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
    principalId: principalId,
    principalType: "ServicePrincipal",
    roleDefinitionId: roleDefinitionId,
    scope: registry.id,
});
C#:
using Pulumi;
using Pulumi.AzureNative.ContainerService;
using AzureNative = Pulumi.AzureNative;

// var mainAcr = new AzureNative.ContainerRegistry.Registry("MainContainerRegistry", new AzureNative.ContainerRegistry.RegistryArgs { /* ... */ });
// var aksAppCluster = new ManagedCluster("AksApplicationCluster", new ManagedClusterArgs { /* ... */ });

// Object id of the kubelet (VMSS) managed identity, which is the principal that pulls images.
var vmssManagedIdentityPrincipalId = aksAppCluster.IdentityProfile.Apply(identityProfile =>
{
    var vmssManagedIdentityProfile = identityProfile!["kubeletidentity"];
    return vmssManagedIdentityProfile.ObjectId;
});

var acrPullRoleDefinitionId = RoleUtil.GetAcrPullRoleDefinitionId();
// I created RoleUtil; GetAcrPullRoleDefinitionId() returns the fully qualified id (note the leading slash):
// "/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"

var roleAssignment = new AzureNative.Authorization.RoleAssignment("AcrPullRoleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
{
    PrincipalId = vmssManagedIdentityPrincipalId!,
    PrincipalType = AzureNative.Authorization.PrincipalType.ServicePrincipal,
    RoleDefinitionId = acrPullRoleDefinitionId,
    Scope = mainAcr.Id, // registry-scoped, not subscription- or resource-group-wide
});
For built-in role ids: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
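The following is an added example, not part of the answer above or of Pulumi's own SDK. It isolates the two decisions the answer makes (which principal to use and how to build the AcrPull role definition id) into plain TypeScript functions that run without the Pulumi packages, and adds a small audit that flags the kind of grant you do not want on a registry: the kubelet identity holding Owner/Contributor, or AcrPull assigned at a broader scope than the registry itself. The identity-profile and role-assignment shapes mirror what azure-native returns; the subscription id, object ids and registry id in the test are constructed placeholders.

```typescript
// Added example (not from the original answer). Pure helpers: no Pulumi SDK is
// imported so the file runs stand-alone; the shapes mirror azure-native outputs.

// Built-in role definition GUIDs (see the Azure built-in roles reference).
const ACR_PULL_ROLE = "7f951dda-4ed3-4680-a7ca-43fe172d538d";
const CONTRIBUTOR_ROLE = "b24988ac-6180-42a0-ab88-20f7382dd24c";
const OWNER_ROLE = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635";

// Resolved shape of ManagedCluster.identityProfile: a map keyed by identity
// name ("kubeletidentity") holding the identity's objectId.
interface IdentityProfile {
  [name: string]: { objectId?: string; clientId?: string; resourceId?: string };
}

interface RoleAssignmentSpec {
  principalId: string;
  principalType: "ServicePrincipal";
  roleDefinitionId: string;
  scope: string;
}

interface ExistingAssignment {
  principalId: string;
  roleDefinitionId: string;
  scope: string;
}

const REGISTRY_ID_RE =
  /^\/subscriptions\/[^/]+\/resourceGroups\/[^/]+\/providers\/Microsoft\.ContainerRegistry\/registries\/[^/]+$/i;

// Fully qualified role definition id; it must start with "/subscriptions/".
function acrPullRoleDefinitionId(subscriptionId: string): string {
  return `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${ACR_PULL_ROLE}`;
}

// The kubelet identity is the principal that pulls images. Fail loudly if it is
// absent rather than silently assigning a role to an empty principal id.
function kubeletPrincipalId(profile: IdentityProfile | undefined): string {
  const objectId = profile?.["kubeletidentity"]?.objectId;
  if (!objectId) {
    throw new Error("identityProfile has no kubeletidentity.objectId (cluster identity not provisioned yet?)");
  }
  return objectId;
}

// Build the RoleAssignment arguments, refusing any scope that is not exactly a
// container registry resource id (least privilege: one registry, pull only).
function buildAcrPullAssignment(
  profile: IdentityProfile | undefined,
  subscriptionId: string,
  registryId: string,
): RoleAssignmentSpec {
  if (!REGISTRY_ID_RE.test(registryId)) {
    throw new Error(`scope is not a container registry resource id: ${registryId}`);
  }
  return {
    principalId: kubeletPrincipalId(profile),
    principalType: "ServicePrincipal",
    roleDefinitionId: acrPullRoleDefinitionId(subscriptionId),
    scope: registryId,
  };
}

function roleGuid(roleDefinitionId: string): string {
  return roleDefinitionId.split("/").pop()!.toLowerCase();
}

// Review existing assignments for the kubelet identity against one registry and
// return human-readable findings for grants broader than "AcrPull on this registry".
function auditRegistryAssignments(
  assignments: ExistingAssignment[],
  kubeletObjectId: string,
  registryId: string,
): string[] {
  const findings: string[] = [];
  for (const a of assignments) {
    if (a.principalId !== kubeletObjectId) continue;
    const guid = roleGuid(a.roleDefinitionId);
    const broader = registryId.toLowerCase().startsWith(a.scope.toLowerCase() + "/");
    if (guid === OWNER_ROLE || guid === CONTRIBUTOR_ROLE) {
      findings.push(`over-privileged: role ${guid} for kubelet identity at ${a.scope}`);
    } else if (guid === ACR_PULL_ROLE && broader) {
      findings.push(`AcrPull granted above registry scope at ${a.scope}; scope it to ${registryId}`);
    }
  }
  return findings;
}
```

`buildAcrPullAssignment` produces exactly the fields passed to `azure_native.authorization.RoleAssignment` in the answer; `auditRegistryAssignments` is what you would run over the output of a role-assignment listing for the registry before and after a deployment to confirm the kubelet identity ended up with nothing more than pull rights on that one registry.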