Dasd 8786 acr role assignment (#188)

* Add ACR Build Blocks * Try Older API Version * Add Scope * Add Principal Type * Change Name * Test with hardcoded value * Use Scope correctly * Remove Principal Type * Move Scope * Up API Version * Try Object ID * Try New Name * Add principalType * Tweaks for Testing * Further Testing * Hardcode PrincipalId * Fix Name & Type * Test with older version * Try a diff version * Support Recommendations * Further Testing * Further Testing * Test with different parameter * Testing * Random Guid * Hard Coded Value * Further Testing * Further Testing * Further Testing * Include acr build step template * Use Preview version to support Anonymous pull * Remove hard coded principal type * Fix hardcoded guid
SkillsFundingAgency · Jun 15, 2021 · 0414717 · 0414717
1 parent 51de77c
commit 0414717
Show file tree

Hide file tree

Showing 3 changed files with 128 additions and 0 deletions.
diff --git a/azure-pipelines-templates/build/step/dockerfile-build.yml b/azure-pipelines-templates/build/step/dockerfile-build.yml
@@ -0,0 +1,13 @@
+parameters:
+  ContainerRegistryName:
+  ServiceConnection:
+  ImageName:
+
+steps:
+- task: AzureCLI@2
+  displayName: 'Build Image'
+  inputs:
+    azureSubscription: ${{ parameters.ServiceConnection }}
+    scriptType: pscore
+    scriptLocation: inlineScript
+    inlineScript: 'az acr build --registry ${{ parameters.ContainerRegistryName }} --image ${{ parameters.ImageName }}:$(build.buildnumber) $(Build.SourcesDirectory)'
diff --git a/templates/container-registry.json b/templates/container-registry.json
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "registryName": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the Container Registry."
+      }
+    },
+    "registrySkuName": {
+      "type": "string",
+      "defaultValue": "",
+      "allowedValues": [
+        "Classic",
+        "Basic",
+        "Standard",
+        "Premium"
+      ]
+    },
+    "subnetResourceIdList": {
+      "type": "array",
+      "defaultValue": [],
+      "metadata": {
+        "description": "A list of subnet resource ids."
+      }
+    },
+    "allowedIpAddressesList": {
+      "type": "array",
+      "defaultValue": [],
+      "metadata": {
+        "description": "A list of allowed IPs"
+      }
+    }
+  },
+  "variables": {
+    "virtualNetworkRules": {
+      "copy": [
+        {
+          "name": "virtualNetworkRules",
+          "count": "[if(greater(length(parameters('subnetResourceIdList')), 0), length(parameters('subnetResourceIdList')), 1)]",
+          "input": {
+            "id": "[if(greater(length(parameters('subnetResourceIdList')), 0), parameters('subnetResourceIdList')[copyIndex('virtualNetworkRules')], json('null'))]",
+            "action": "Allow"
+          }
+        }
+      ]
+    },
+    "ipRules": {
+      "copy": [
+        {
+          "name": "ipRules",
+          "count": "[if(greater(length(parameters('allowedIpAddressesList')), 0), length(parameters('allowedIpAddressesList')), 1)]",
+          "input": {
+            "value": "[if(greater(length(parameters('allowedIpAddressesList')), 0), parameters('allowedIpAddressesList')[copyIndex('ipRules')], json('null'))]",
+            "action": "Allow"
+          }
+        }
+      ]
+    },
+    "networkRuleSet": {
+      "virtualNetworkRules": "[if(greater(length(parameters('subnetResourceIdList')), 0), variables('virtualNetworkRules').virtualNetworkRules, json('null'))]",
+      "ipRules": "[if(greater(length(parameters('allowedIpAddressesList')), 0), variables('ipRules').ipRules, json('null'))]",
+      "defaultAction": "Deny"
+    }
+  },
+  "resources": [
+    {
+      "apiVersion": "2020-11-01-preview",
+      "type": "Microsoft.ContainerRegistry/registries",
+      "location": "[resourceGroup().location]",
+      "name": "[parameters('registryName')]",
+      "sku": {
+        "name": "[parameters('registrySkuName')]"
+      },
+      "properties": {
+        "networkRuleSet": "[if(or(greater(length(parameters('subnetResourceIdList')), 0),greater(length(parameters('allowedIpAddressesList')), 0)), variables('networkRuleSet'), json('null'))]"
+      }
+    }
+  ],
+  "outputs": {
+  }
+}
diff --git a/templates/role-assignments/role-assignment-container-registry.json b/templates/role-assignments/role-assignment-container-registry.json
@@ -0,0 +1,32 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "assignmentType": {
+            "type": "string",
+            "allowedValues": [
+                "AcrPull"
+            ]
+        },
+        "resourceName": {
+            "type": "string"
+        },
+        "principalId": {
+            "type": "string"
+        }
+    },
+    "variables": {
+        "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.ContainerRegistry/registries/providers/roleAssignments",
+            "apiVersion": "2018-09-01-preview",
+            "name": "[concat(parameters('resourceName'), '/Microsoft.Authorization/', guid(uniqueString(parameters('principalId'))))]",
+            "properties": {
+                "roleDefinitionId": "[variables(parameters('assignmentType'))]",
+                "principalId": "[parameters('principalId')]"
+            }
+        }
+    ]
+}