Merge pull request #14 from devopsabcs-engineering/feature/13-acr-managed-identity-auth

Fix ACR authentication for Azure Web App using managed identity

Author: emmanuelknafo

end_to_end_test.txt

@@ -1,4 +1,10 @@
 Modify this file to trigger workflows!
 trigger again 2
 fixed all references to devopsabcs-engineering
-trigger cicd to deploy app
+trigger cicd to deploy app
+
+--- fixed
+Enabled System-Assigned Managed Identity on the Web App
+Granted AcrPull Role to the managed identity on your container registry
+Configured acrUseManagedIdentityCreds=true on the Web App
+Restarted the Web App to apply changes

infra/deploy.ps1

@@ -108,10 +108,54 @@ else {
         # Show deployment outputs
         Write-Host ""
         Write-Host "Deployment outputs:" -ForegroundColor Cyan
-        az deployment sub show `
+        $outputs = az deployment sub show `
             --name $DeploymentName `
             --query "properties.outputs" `
-            --output table
+            --output json | ConvertFrom-Json
+        
+        $outputs | ConvertTo-Json | Write-Host
+        
+        # Configure ACR managed identity authentication
+        if ($outputs.webAppName) {
+            $webAppName = $outputs.webAppName.value
+            $resourceGroupName = (az webapp show --name $webAppName --query resourceGroup -o tsv)
+            
+            Write-Host ""
+            Write-Host "Configuring ACR managed identity authentication..." -ForegroundColor Yellow
+            
+            # Ensure acrUseManagedIdentityCreds is set (should be set by Bicep, but double-check)
+            Write-Host "Verifying ACR managed identity configuration..." -ForegroundColor Cyan
+            $config = az webapp config show --name $webAppName --resource-group $resourceGroupName --query "acrUseManagedIdentityCreds" -o tsv
+            
+            if ($config -ne "true") {
+                Write-Host "Setting acrUseManagedIdentityCreds=true..." -ForegroundColor Cyan
+                az resource update `
+                    --ids "/subscriptions/$($account.id)/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$webAppName/config/web" `
+                    --set properties.acrUseManagedIdentityCreds=true
+            } else {
+                Write-Host "ACR managed identity already configured" -ForegroundColor Green
+            }
+            
+            # Restart the web app to apply all changes
+            Write-Host "Restarting web app to apply configuration..." -ForegroundColor Cyan
+            az webapp restart --name $webAppName --resource-group $resourceGroupName
+            
+            if ($LASTEXITCODE -eq 0) {
+                Write-Host "Web app restarted successfully!" -ForegroundColor Green
+                Write-Host ""
+                Write-Host "=== Configuration Summary ===" -ForegroundColor Cyan
+                Write-Host "✓ System-assigned managed identity enabled" -ForegroundColor Green
+                Write-Host "✓ AcrPull role assigned to managed identity" -ForegroundColor Green
+                Write-Host "✓ ACR authentication configured to use managed identity" -ForegroundColor Green
+                Write-Host "✓ Web app restarted" -ForegroundColor Green
+                Write-Host ""
+                if ($outputs.webAppUrl) {
+                    Write-Host "Web App URL: $($outputs.webAppUrl.value)" -ForegroundColor Green
+                }
+            } else {
+                Write-Warning "Failed to restart web app. You may need to restart it manually."
+            }
+        }
     }
     else {
         Write-Error "Deployment failed with exit code: $LASTEXITCODE"

infra/resources.bicep

@@ -24,7 +24,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
     name: acrSku
   }
   properties: {
-    adminUserEnabled: true
+    adminUserEnabled: false // Use managed identity instead
   }
 }
 
@@ -54,19 +54,12 @@ resource webApp 'Microsoft.Web/sites@2024-04-01' = {
   properties: {
     serverFarmId: appServicePlan.id
     siteConfig: {
+      acrUseManagedIdentityCreds: true // Use managed identity for ACR authentication
       appSettings: [
         {
           name: 'DOCKER_REGISTRY_SERVER_URL'
           value: 'https://${acr.name}.azurecr.io'
         }
-        {
-          name: 'DOCKER_REGISTRY_SERVER_USERNAME'
-          value: acr.properties.loginServer
-        }
-        {
-          name: 'DOCKER_REGISTRY_SERVER_PASSWORD'
-          value: acr.listCredentials().passwords[0].value
-        }
         {
           name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
           value: 'false'
@@ -80,3 +73,19 @@ resource webApp 'Microsoft.Web/sites@2024-04-01' = {
     }
   }
 }
+
+// Assign AcrPull role to the Web App's managed identity
+resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(acr.id, webApp.id, 'AcrPull')
+  scope: acr
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d') // AcrPull role ID
+    principalId: webApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+output webAppName string = webApp.name
+output webAppUrl string = 'https://${webApp.properties.defaultHostName}'
+output acrLoginServer string = acr.properties.loginServer
+output webAppPrincipalId string = webApp.identity.principalId