Aaron-9052 asked vipullag-MSFT commented

Terraform image_registry_credentials setup for azurerm_container_group?

I'd like to deploy "golden" containers from a private container registry, but I'm not sure how to give Terraform access.

I am already logged in through azure-cli and Terraform doesn't have any problem spinning up public-image containers on my Azure account, but when I try to pull a container from a private registry, it complains that it doesn't have access. main.tf looks like:

 # Use the Azure Resource Manager Provider
 provider "azurerm" {
   version = "~> 2.0"
   features {}
 }
    
 # Create a new Resource Group
 resource "azurerm_resource_group" "group" {
   name     = "demo-group"
   location = "eastus"
 }
    
 resource "azurerm_container_group" "example" {
   name                = "containers-demo"
   location            = azurerm_resource_group.group.location
   resource_group_name = azurerm_resource_group.group.name
   ip_address_type     = "public"
   dns_name_label      = "aci-label"
   os_type             = "Linux"
    
   container {
     name   = "elastic"
     # Not my real subdomain. Don't worry.
     image  = "myprivatereg.azurecr.io/elasticsearch:v1"
     cpu    = "1.0"
     memory = "4.5"
    
     ports {
       port     = 9200
       protocol = "TCP"
     }
   }
    
   tags = {
     environment = "testing"
   }
 }

1 Answer

vipullag-MSFT answered vipullag-MSFT commented

@Aaron-9052

ACR is equivalent to any private registry, so you need to provide a username and password.
You can also configure a service principal for authenticating.

Please refer to the links below for more info on your ask:

Azure Provider: Authenticating using a Service Principal

Support for registry auth

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.



"I am already logged in through azure-cli and Terraform doesn't have any problem spinning up public-image containers on my Azure account"

Do I really need to supply Terraform with admin creds to my Azure account stored in a cleartext document? That doesn't seem right...

Even when I have logged into the ACR containing "myprivatereg" via azure-cli, Terraform still claims that it can't access the containers.

@Aaron-9052

You don't need to put in admin credentials. If you are using an SP or other credentials, then you can scope them down significantly to only pull/push permissions. In this way you are going with least privilege and reducing risk a bit.

For example, create a token with permissions to only specific repos; please check this document.
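
An added example (not part of the original thread or the linked documents) of what the answer describes: the `image_registry_credential` block on `azurerm_container_group`, fed from variables so the registry secret is not written into main.tf. The image pull is performed by the container group at deploy time, so the azure-cli login that authenticates Terraform to Azure is not used for it. The variable names `acr_username` and `acr_password` are hypothetical, and a service principal or ACR token scoped to pull is assumed to exist already.

```hcl
# Added example, not the asker's file. Variable names are hypothetical.
# Supply values at run time (e.g. TF_VAR_acr_username / TF_VAR_acr_password)
# so the secret never appears in main.tf.
variable "acr_username" {
  type = string # ID of a pull-only service principal or ACR token
}

variable "acr_password" {
  type      = string
  sensitive = true # Terraform 0.14+; remove this line on older versions
}

provider "azurerm" {
  version = "~> 2.0"
  features {}
}

resource "azurerm_resource_group" "group" {
  name     = "demo-group"
  location = "eastus"
}

resource "azurerm_container_group" "example" {
  name                = "containers-demo"
  location            = azurerm_resource_group.group.location
  resource_group_name = azurerm_resource_group.group.name
  ip_address_type     = "public"
  dns_name_label      = "aci-label"
  os_type             = "Linux"

  # Registry login used for the image pull; server must match the image host.
  image_registry_credential {
    server   = "myprivatereg.azurecr.io"
    username = var.acr_username
    password = var.acr_password
  }

  container {
    name   = "elastic"
    image  = "myprivatereg.azurecr.io/elasticsearch:v1"
    cpu    = "1.0"
    memory = "4.5"

    ports {
      port     = 9200
      protocol = "TCP"
    }
  }
}
```

The password is still recorded in the Terraform state file, so the state backend needs the same access restrictions as the secret itself.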