Container App - Registry.Identity can't find identity #20675

Open · 1 task done
penfold opened this issue Feb 27, 2023 · 4 comments

Comments

@penfold

penfold commented Feb 27, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.9

AzureRM Provider Version

3.45

Affected Resource(s)/Data Source(s)

azurerm_container_app

Terraform Configuration Files

locals {
  container_app_names = {
    "pm-ca-test" = { container_name = "ca-test", image = "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", cpu = 0.25, memory = "0.5Gi" }
  }
}

resource "azurerm_user_assigned_identity" "uai" {
  location            = var.location
  name                = "${var.container_app_environment_name}-registry-identity"
  resource_group_name = var.resource_group_name

  tags = {
    Environment = var.environment_tag
  }
}

resource "azurerm_subnet" "snet" {
  name                 = "${var.container_app_environment_name}-subnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.virtual-network-name
  address_prefixes     = [var.container_app_environment_subnet]
}

resource "azurerm_container_app_environment" "cae" {
  name                       = var.container_app_environment_name
  resource_group_name        = var.resource_group_name
  location                   = var.location
  log_analytics_workspace_id = var.log_analytics_workspace_id
  infrastructure_subnet_id   = azurerm_subnet.snet.id

  tags = {
    Environment = var.environment_tag
  }
}

resource "azurerm_container_app" "ca" {
  for_each = local.container_app_names

  name                         = "${each.key}-${var.dotnet_environment}"
  container_app_environment_id = azurerm_container_app_environment.cae.id
  resource_group_name          = var.resource_group_name
  revision_mode                = "Single"

  tags = {
    Environment = var.environment_tag
  }

  # The user-assigned identity is referenced here for the registry pull, but it
  # is not assigned to the app in the identity block below (which is SystemAssigned
  # only). This is the configuration that produces the error reported below.
  registry {
    identity = azurerm_user_assigned_identity.uai.id
    server   = "my-company.azurecr.io"
  }

  identity {
    type = "SystemAssigned"
  }

  ingress {
    external_enabled           = true
    allow_insecure_connections = true # plain HTTP is accepted; HTTPS-only is the safer default
    target_port                = 80
    traffic_weight {
      latest_revision = true
      percentage      = 100
    }
  }

  template {
    container {
      name   = each.value.container_name
      image  = each.value.image
      cpu    = each.value.cpu
      memory = each.value.memory
      env {
        name  = "dotnet_environment"
        value = var.dotnet_environment
      }
    }
  }
}

Debug Output/Panic Output

Error: updating Container App (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "rg-development-pjl"
│ Container App Name: "ca-test-dev-sprint"): performing CreateOrUpdate: containerapps.ContainerAppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="WebhookInvalidParameterValue" Message="The following field(s) are either invalid or missing. Invalid value: \"/subscriptions/xxxxxxxxxxxxxxxxxxx/resourceGroups/rg-development-pjl/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cae-development-pjl-registry-identity\": Managed Identity does not exist: configuration.Registries.propertymaster.azurecr.io.Identity."
│
│   with module.container-app.azurerm_container_app.ca["ca-test"],
│   on ..\modules\container-apps\main.tf line 37, in resource "azurerm_container_app" "ca":
│   37:  resource "azurerm_container_app" "ca" {

Expected Behaviour

The container registry should be setup to access via the identity.

Actual Behaviour

It is unable to find the user assigned identity that was just created.

Steps to Reproduce

No response

Important Factoids

No response

References

#20466

@penfold
Author

penfold commented Feb 28, 2023

I think this issue is a bug, as I don't have an issue when I run the equivalent call in PowerShell:

az containerapp registry set -n ca-test-dev-sprint -g pm-rg-development-pjl --server my-company.azurecr.io --identity /subscriptions/xxxxxxxxxxx/resourceGroups/rg-development-pjl/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cae-development-pjl-registry-identity

@penfold
Author

penfold commented Feb 28, 2023

A look at the Azure Portal seems to suggest that a UserAssigned identity needs to be added to the Container's identities first and then referenced again in the Registry.Identity field.

Changing the resource.Identity field to:

identity {
  type         = "UserAssigned"
  identity_ids = [azurerm_user_assigned_identity.uai.id]
}

Works.

But I need SystemAssigned identity as well. Therefore, I'm reliant on fix for: #20437

Please can the docs for the Registry.Identity be updated to reflect that the Identity must be declared elsewhere and this is just a reference/lookup.

@Peder2911

Hey @penfold, I am currently having the same issue with the container app being unable to find the managed identity, but your fix unfortunately does not work. I add the user assigned identity to the container app, but it still is unable to use the identity towards the registry, it seems.

@redging-very-well

@Peder2911 check out this issue: microsoft/azure-container-apps#1233 (comment)
I found that you need to set the fully qualified ID in the registry block.
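Worked example added by the editor, not code from this issue, its author, or the provider's documentation. It puts together the two findings above: the user-assigned identity is declared in the container app's identity block and then referenced by its fully qualified resource ID in the registry block. It also adds the AcrPull role assignment the identity needs in order to pull from the registry, which the thread does not discuss but which the pull fails without. The data source azurerm_container_registry "acr", the registry name "mycompany" and var.acr_resource_group_name are assumed placeholders; the other names mirror the issue's configuration. Only UserAssigned is used because that is the shape the author reports as working; combining it with a system-assigned identity is the separate problem the author points at in #20437.

```hcl
# Added example (editor's, not the issue author's or the provider's own code).
# Assumed placeholders: data "azurerm_container_registry" "acr", the registry
# name "mycompany" and var.acr_resource_group_name. Other names follow the issue.

data "azurerm_container_registry" "acr" {
  name                = "mycompany"                 # assumed registry name
  resource_group_name = var.acr_resource_group_name # assumed variable
}

resource "azurerm_user_assigned_identity" "uai" {
  location            = var.location
  name                = "${var.container_app_environment_name}-registry-identity"
  resource_group_name = var.resource_group_name
}

# Least privilege: AcrPull only, scoped to this one registry, rather than
# Contributor or a grant at resource-group or subscription scope.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}

resource "azurerm_container_app" "ca" {
  for_each = local.container_app_names

  name                         = "${each.key}-${var.dotnet_environment}"
  container_app_environment_id = azurerm_container_app_environment.cae.id
  resource_group_name          = var.resource_group_name
  revision_mode                = "Single"

  # 1. Assign the identity to the app. Without this block the service rejects
  #    the registry reference with "Managed Identity does not exist".
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uai.id]
  }

  # 2. Reference the same identity, by its full ARM resource ID, for the pull.
  #    The login server is taken from the data source rather than typed as a
  #    string so it cannot drift from the registry the role was granted on.
  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.uai.id
  }

  ingress {
    external_enabled           = true
    allow_insecure_connections = false # HTTPS only; the issue's config accepts plain HTTP
    target_port                = 80
    traffic_weight {
      latest_revision = true
      percentage      = 100
    }
  }

  template {
    container {
      name   = each.value.container_name
      # For a private pull this must be a <login_server>/<repository>:<tag>
      # reference in the registry granted above; the issue uses a public MCR image.
      image  = each.value.image
      cpu    = each.value.cpu
      memory = each.value.memory
    }
  }

  # 3. Do not create the first revision before the AcrPull grant exists. The
  #    pull happens at revision creation and role assignments take time to
  #    propagate, so a missing dependency surfaces as an image pull failure
  #    rather than as the identity error this issue is about.
  depends_on = [azurerm_role_assignment.acr_pull]
}
```

After `terraform apply`, the two halves can be checked independently: `az containerapp identity show -n <app> -g <rg>` should list the user-assigned identity, and `az role assignment list --scope <acr resource id>` should show AcrPull for its principal ID. If the first is missing you get the "Managed Identity does not exist" webhook error from this issue; if the second is missing the app is created but the revision fails to pull.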
