refine deployment scripts

majguo · yiliuTo · commit 70ae2bac4121 · 2025-04-07T14:04:50.000+08:00
Signed-off-by: Jianguo Ma &lt;jiangma@microsoft.com&gt;
diff --git a/asset-manager/scripts/deploy-to-azure.cmd b/asset-manager/scripts/deploy-to-azure.cmd
@@ -163,6 +163,35 @@ if %ERRORLEVEL% neq 0 (
 )
 echo Blob container created.
 
+rem Create Azure Container Registry
+echo Creating Azure Container Registry...
+cmd /c az acr create --resource-group %ResourceGroupName% --name %AcrName% --sku Basic
+if %ERRORLEVEL% neq 0 (
+    echo Failed to create Azure Container Registry. Exiting.
+    exit /b 1
+)
+echo ACR created.
+for /f "tokens=*" %%i in ('az acr show --name %AcrName% --resource-group %ResourceGroupName% --query loginServer -o tsv') do (
+  set AcrLoginServer=%%i
+)
+if not defined AcrLoginServer (
+    echo Failed to get ACR login server. Exiting.
+    exit /b 1
+)
+echo Using ACR login server: !AcrLoginServer!
+
+rem Create Container Apps environment
+echo Creating Container Apps environment...
+cmd /c az containerapp env create ^
+  --resource-group %ResourceGroupName% ^
+  --name %EnvironmentName% ^
+  --location %Location%
+if %ERRORLEVEL% neq 0 (
+    echo Failed to create Container Apps environment. Exiting.
+    exit /b 1
+)
+echo Container Apps environment created.
+
 rem Create managed identity for web and worker apps
 echo Creating managed identity...
 cmd /c az identity create ^
@@ -227,34 +256,17 @@ if %ERRORLEVEL% neq 0 (
 )
 echo Service Bus Data Owner role assigned.
 
-rem Create Azure Container Registry
-echo Creating Azure Container Registry...
-cmd /c az acr create --resource-group %ResourceGroupName% --name %AcrName% --sku Basic
-if %ERRORLEVEL% neq 0 (
-    echo Failed to create Azure Container Registry. Exiting.
-    exit /b 1
-)
-echo ACR created.
-for /f "tokens=*" %%i in ('az acr show --name %AcrName% --resource-group %ResourceGroupName% --query loginServer -o tsv') do (
-  set AcrLoginServer=%%i
-)
-if not defined AcrLoginServer (
-    echo Failed to get ACR login server. Exiting.
-    exit /b 1
-)
-echo Using ACR login server: !AcrLoginServer!
-
-rem Create Container Apps environment
-echo Creating Container Apps environment...
-cmd /c az containerapp env create ^
-  --resource-group %ResourceGroupName% ^
-  --name %EnvironmentName% ^
-  --location %Location%
+rem AcrPull role for accessing ACR
+cmd /c az role assignment create ^
+  --assignee-object-id !IdentityPrincipalId! ^
+  --assignee-principal-type ServicePrincipal ^
+  --role "acrpull" ^
+  --scope "/subscriptions/!SubscriptionId!/resourceGroups/%ResourceGroupName%/providers/Microsoft.ContainerRegistry/registries/%AcrName%"
 if %ERRORLEVEL% neq 0 (
-    echo Failed to create Container Apps environment. Exiting.
+    echo Failed to assign AcrPull role to identity. Exiting.
     exit /b 1
 )
-echo Container Apps environment created.
+echo AcrPull role assigned.
 
 rem Create Dockerfiles for both modules
 echo Creating Dockerfile for web module...
diff --git a/asset-manager/scripts/deploy-to-azure.sh b/asset-manager/scripts/deploy-to-azure.sh
@@ -153,6 +153,33 @@ if [ $? -ne 0 ]; then
 fi
 echo "Blob container created."
 
+# Create Azure Container Registry
+echo "Creating Azure Container Registry..."
+az acr create --resource-group "$ResourceGroupName" --name "$AcrName" --sku Basic
+if [ $? -ne 0 ]; then
+    echo "Failed to create Azure Container Registry. Exiting."
+    exit 1
+fi
+echo "ACR created."
+AcrLoginServer=$(az acr show --name "$AcrName" --resource-group "$ResourceGroupName" --query loginServer -o tsv)
+if [ -z "$AcrLoginServer" ]; then
+    echo "Failed to get ACR login server. Exiting."
+    exit 1
+fi
+echo "Using ACR login server: $AcrLoginServer"
+
+# Create Container Apps environment
+echo "Creating Container Apps environment..."
+az containerapp env create \
+  --resource-group "$ResourceGroupName" \
+  --name "$EnvironmentName" \
+  --location "$Location"
+if [ $? -ne 0 ]; then
+    echo "Failed to create Container Apps environment. Exiting."
+    exit 1
+fi
+echo "Container Apps environment created."
+
 # Create managed identity for web and worker apps
 echo "Creating managed identity..."
 az identity create \
@@ -211,32 +238,18 @@ if [ $? -ne 0 ]; then
 fi
 echo "Service Bus Data Owner role assigned."
 
-# Create Azure Container Registry
-echo "Creating Azure Container Registry..."
-az acr create --resource-group "$ResourceGroupName" --name "$AcrName" --sku Basic
-if [ $? -ne 0 ]; then
-    echo "Failed to create Azure Container Registry. Exiting."
-    exit 1
-fi
-echo "ACR created."
-AcrLoginServer=$(az acr show --name "$AcrName" --resource-group "$ResourceGroupName" --query loginServer -o tsv)
-if [ -z "$AcrLoginServer" ]; then
-    echo "Failed to get ACR login server. Exiting."
-    exit 1
-fi
-echo "Using ACR login server: $AcrLoginServer"
-
-# Create Container Apps environment
-echo "Creating Container Apps environment..."
-az containerapp env create \
-  --resource-group "$ResourceGroupName" \
-  --name "$EnvironmentName" \
-  --location "$Location"
+# Assign AcrPull role to the managed identity
+echo "Assigning AcrPull role to managed identity..."
+az role assignment create \
+  --assignee-object-id "$IdentityPrincipalId" \
+  --assignee-principal-type ServicePrincipal \
+  --role "acrpull" \
+  --scope "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroupName}/providers/Microsoft.ContainerRegistry/registries/${AcrName}"
 if [ $? -ne 0 ]; then
-    echo "Failed to create Container Apps environment. Exiting."
+    echo "Failed to assign AcrPull role to identity. Exiting."
     exit 1
 fi
-echo "Container Apps environment created."
+echo "AcrPull role assigned."
 
 # Create Dockerfiles for both modules
 echo "Creating Dockerfile for web module..."
