More fixups to azure terraform config

Signed-off-by: Mark Rossetti <[email protected]>

Author: marosset

infra/azure/terraform/capz/capz-monitoring/main.tf

@@ -90,7 +90,7 @@ resource "azurerm_kubernetes_cluster" "capz-monitoring" {
 
   lifecycle {
     ignore_changes = [
-      "linux_profile",
+      linux_profile,
     ]
   }
 }

infra/azure/terraform/capz/cluster-api-gallery/main.tf

@@ -28,7 +28,7 @@ resource "azurerm_resource_group" "cluster-api-gallery" {
   name     = var.resource_group_name
   tags = {
     DO-NOT-DELETE     = "UpstreamInfra"
-    creationTimestamp = "2024-10-24T00:00:00Z"
+    creationTimestamp = "2024-10-03T15:53:21Z"
   }
 }
 
@@ -39,8 +39,9 @@ resource "azurerm_shared_image_gallery" "community_gallery" {
   name                = "community_gallery"
   resource_group_name = "cluster-api-gallery"
   tags = {
-    creationTimestamp = "2024-10-24T00:00:00Z"
+    creationTimestamp = "2024-10-24T17:36:37Z"
     jobName           = "image-builder-sig-ubuntu-2404"
+    DO-NOT-DELETE     = "UpstreamInfra"
   }
   sharing {
     permission = "Community"

infra/azure/terraform/capz/identities/main.tf

@@ -30,6 +30,10 @@ variable "container_registry_scope" {
   type = string
 }
 
+variable "e2eprivate_registry_scope" {
+  type    = string
+}
+
 resource "azurerm_user_assigned_identity" "cloud_provider_user_identity" {
   name                = "cloud-provider-user-identity"
   location            = var.location

infra/azure/terraform/capz/main.tf

@@ -102,6 +102,7 @@ module "identities" {
   location                 = var.location
   subscription_id          = data.azurerm_client_config.current.subscription_id
   container_registry_scope = module.container_registry.container_registry_id 
+  e2eprivate_registry_scope = module.container_registry.e2eprivate_registry_id
   depends_on = [
     azurerm_resource_group.capz_ci
   ]
@@ -127,7 +128,8 @@ module "role_assignments" {
   source                   = "./role-assignments"
   resource_group_name      = var.resource_group_name
   container_registry_scope = module.container_registry.container_registry_id
-  #storage_account_scope    = azurerm_storage_account.k8sprowstorage.id
+  e2eprivate_registry_scope = module.container_registry.e2eprivate_registry_id
+  cloud_provider_user_identity_id = module.identities.cloud_provider_user_identity_id
   subscription_id          = data.azurerm_client_config.current.subscription_id 
   key_vault_id             = module.key_vault.key_vault_id
   depends_on = [

infra/azure/terraform/capz/role-assignments/main.tf

@@ -28,6 +28,14 @@ variable "subscription_id" {
   type = string
 }
 
+variable "e2eprivate_registry_scope" {
+  type    = string
+}
+
+variable "cloud_provider_user_identity_id" {
+  type    = string
+}
+
 variable "key_vault_id" {
   type = string
 } 
@@ -42,6 +50,12 @@ resource "azurerm_role_assignment" "rg_contributor" {
   scope                = "/subscriptions/${var.subscription_id}"
 }
 
+resource "azurerm_role_assignment" "rg_contributor_cloud_provider" {
+  principal_id         = var.cloud_provider_user_identity_id
+  role_definition_name = "Contributor"
+  scope                = "/subscriptions/${var.subscription_id}"
+}
+
 resource "azurerm_role_assignment" "storage_blob_data_contributor" {
   principal_id         = data.azuread_service_principal.az_service_principal.object_id
   role_definition_name = "Storage Blob Data Contributor"
@@ -54,6 +68,12 @@ resource "azurerm_role_assignment" "acr_pull" {
   scope                = var.container_registry_scope
 }
 
+resource "azurerm_role_assignment" "acr_pull_private" {
+  principal_id         = var.cloud_provider_user_identity_id
+  role_definition_name = "AcrPull"
+  scope                = var.e2eprivate_registry_scope
+}
+
 resource "azurerm_role_definition" "custom_role" {
   name  = "WriteAccessOnly"
   scope = "/subscriptions/${var.subscription_id}"