Grant Production Service Principal acrPull permissions to Staging container registry, simplifying container pulls from Staging to Production

Author: tjementum

.github/workflows/_deploy-container.yml

@@ -114,21 +114,8 @@ jobs:
       STAGING_SUBSCRIPTION_ID: ${{ vars.STAGING_SUBSCRIPTION_ID }}
 
     steps:
-      - name: Login to Azure (Staging)
-        uses: azure/login@v2
-        with:
-          client-id: ${{ env.STAGING_SERVICE_PRINCIPAL_ID }}
-          tenant-id: ${{ env.TENANT_ID }}
-          subscription-id: ${{ env.STAGING_SUBSCRIPTION_ID }}
 
-      - name: Get Access Token for Staging Azure Subscription
-        id: staging_tokens
-        run: |
-          STAGING_TOKEN=$(az account get-access-token --resource https://management.azure.com --query accessToken -o tsv)
-          echo "::add-mask::$STAGING_TOKEN"
-          echo "access_token=$STAGING_TOKEN" >> $GITHUB_OUTPUT
-          
-      - name: Login to Azure (Production)
+      - name: Login to Azure
         uses: azure/login@v2
         with:
           client-id: ${{ env.SERVICE_PRINCIPAL_ID }}
@@ -144,7 +131,6 @@ jobs:
             --name ${{ env.UNIQUE_PREFIX }}${{ env.ENVIRONMENT }} \
             --source ${{ env.UNIQUE_PREFIX }}${{ env.STAGING_ENVIRONMENT }}.azurecr.io/${{ inputs.image_name }}:${{ inputs.version }} \
             --image ${{ inputs.image_name }}:${{ inputs.version }} \
-            --password ${{ steps.staging_tokens.outputs.access_token }} \
             --force
 
       - name: Deploy Container
@@ -170,4 +156,4 @@ jobs:
             echo "($i) Waiting for revision to become active. Running state: $RUNNING_STATUS"
           done
           echo "New revision did not become active in time. Running state: $RUNNING_STATUS"
-          exit 1
+          exit 1

.github/workflows/_deploy-infrastructure.yml

@@ -42,6 +42,10 @@ on:
       deployment_enabled:
         required: true
         type: string
+      production_service_principal_object_id:
+        required: false
+        type: string
+        default: "-"
 
 jobs:
   plan:
@@ -67,7 +71,7 @@ jobs:
 
       - name: Plan Shared Environment Resources
         if: ${{ inputs.include_shared_environment_resources == true }}
-        run: bash ./cloud-infrastructure/environment/deploy-environment.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.shared_location }} --plan
+        run: bash ./cloud-infrastructure/environment/deploy-environment.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.shared_location }} ${{ inputs.production_service_principal_object_id }} --plan
 
       - name: Plan Cluster Resources
         id: deploy_cluster
@@ -99,7 +103,7 @@ jobs:
 
       - name: Deploy Shared Environment Resources
         if: ${{ inputs.include_shared_environment_resources == true }}
-        run: bash ./cloud-infrastructure/environment/deploy-environment.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.shared_location }} --apply
+        run: bash ./cloud-infrastructure/environment/deploy-environment.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.shared_location }} ${{ inputs.production_service_principal_object_id }} --apply
 
       - name: Deploy Cluster Resources
         id: deploy_cluster

.github/workflows/cloud-infrastructure.yml

@@ -41,6 +41,7 @@ jobs:
       tenant_id: ${{ vars.TENANT_ID }}
       subscription_id: ${{ vars.STAGING_SUBSCRIPTION_ID }}
       deployment_enabled: ${{ vars.STAGING_CLUSTER_ENABLED }}
+      production_service_principal_object_id: ${{ vars.PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID }}
 
   prod1:
     name: Production

cloud-infrastructure/environment/deploy-environment.sh

@@ -3,13 +3,20 @@
 UNIQUE_PREFIX=$1
 ENVIRONMENT=$2
 LOCATION_SHARED=$3
+PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID=$4
 
 RESOURCE_GROUP_NAME=$UNIQUE_PREFIX-$ENVIRONMENT
 CONTAINER_REGISTRY_NAME=$UNIQUE_PREFIX$ENVIRONMENT
 CURRENT_DATE=$(date +'%Y-%m-%dT%H-%M')
 DEPLOYMENT_COMMAND="az deployment sub create"
 DEPLOYMENT_PARAMETERS="-l $LOCATION_SHARED -n $CURRENT_DATE-$UNIQUE_PREFIX-$ENVIRONMENT --output table -f ./main-environment.bicep -p resourceGroupName=$RESOURCE_GROUP_NAME environment=$ENVIRONMENT containerRegistryName=$CONTAINER_REGISTRY_NAME"
 
+# Add production service principal object ID parameter if provided for ACR Pull role assignment to staging Container Registry
+if [[ "$PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID" != "-" ]]; then
+  echo "Using production service principal object ID: $PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID"
+  DEPLOYMENT_PARAMETERS="$DEPLOYMENT_PARAMETERS productionServicePrincipalObjectId=$PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID"
+fi
+
 cd "$(dirname "${BASH_SOURCE[0]}")"
 . ../deploy.sh
 

cloud-infrastructure/environment/main-environment.bicep

@@ -4,6 +4,7 @@ param location string = deployment().location
 param resourceGroupName string
 param environment string
 param containerRegistryName string
+param productionServicePrincipalObjectId string = ''
 
 var tags = { environment: environment, 'managed-by': 'bicep' }
 
@@ -23,6 +24,16 @@ module containerRegistry '../modules/container-registry.bicep' = {
   }
 }
 
+// Grant production service principal ACR Pull access to registry if specified
+module productionServicePrincipalAcrPull '../modules/role-assignments-container-registry-acr-pull.bicep' = if (!empty(productionServicePrincipalObjectId)) {
+  name: '${resourceGroupName}-production-sp-acr-pull'
+  scope: resourceGroup(environmentResourceGroup.name)
+  params: {
+    containerRegistryName: containerRegistryName
+    principalId: productionServicePrincipalObjectId
+  }
+}
+
 module logAnalyticsWorkspace '../modules/log-analytics-workspace.bicep' = {
   name: '${resourceGroupName}-log-analytics-workspace'
   scope: resourceGroup(environmentResourceGroup.name)