Merge pull request #4 from data-platform-hq/fix/fix-usage-with-user-identity

owlleg6 · web-flow · commit 3c1bb3d213c7 · 2025-03-20T10:41:24.000+02:00
fix: update code for usage of user assigned identity
diff --git a/README.md b/README.md
@@ -32,12 +32,13 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_container_instance_name"></a> [container\_instance\_name](#input\_container\_instance\_name) | Specifies the name of the Container Group. | `string` | n/a | yes |
-| <a name="input_containers"></a> [containers](#input\_containers) | List of objects to configure containers | <pre>list(object({<br>    name                  = string<br>    image                 = string<br>    cpu                   = number<br>    memory                = number<br>    environment_variables = optional(map(string))<br>    commands              = optional(list(string))<br>    ports_tcp             = optional(set(string), [])<br>    ports_udp             = optional(set(string), [])<br>    volumes = optional(list(object({<br>      mount_path           = string<br>      name                 = string<br>      storage_account_name = optional(string)<br>      storage_account_key  = optional(string)<br>      share_name           = optional(string)<br>    })), [])<br>  }))</pre> | n/a | yes |
+| <a name="input_containers"></a> [containers](#input\_containers) | List of objects to configure containers | <pre>list(object({<br/>    name                  = string<br/>    image                 = string<br/>    cpu                   = number<br/>    memory                = number<br/>    environment_variables = optional(map(string))<br/>    commands              = optional(list(string))<br/>    ports_tcp             = optional(set(string), [])<br/>    ports_udp             = optional(set(string), [])<br/>    volumes = optional(list(object({<br/>      mount_path           = string<br/>      name                 = string<br/>      storage_account_name = optional(string)<br/>      storage_account_key  = optional(string)<br/>      share_name           = optional(string)<br/>    })), [])<br/>  }))</pre> | n/a | yes |
 | <a name="input_dns_config_nameservers"></a> [dns\_config\_nameservers](#input\_dns\_config\_nameservers) | A list of nameservers the containers will search out to resolve requests. | `list(string)` | `[]` | no |
+| <a name="input_enable_system_assigned_identity"></a> [enable\_system\_assigned\_identity](#input\_enable\_system\_assigned\_identity) | Specifies whether to enable System Assigned identity for container instance or not | `bool` | `false` | no |
 | <a name="input_exposed_ports_tcp"></a> [exposed\_ports\_tcp](#input\_exposed\_ports\_tcp) | Set of ports to expose with TCP protocol | `set(string)` | `[]` | no |
 | <a name="input_exposed_ports_udp"></a> [exposed\_ports\_udp](#input\_exposed\_ports\_udp) | Set of ports to expose with UDP protocol | `set(string)` | `[]` | no |
 | <a name="input_identity_ids"></a> [identity\_ids](#input\_identity\_ids) | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Container Group. | `list(string)` | `null` | no |
-| <a name="input_image_registry_credential"></a> [image\_registry\_credential](#input\_image\_registry\_credential) | List of objects to configure connection to private registry | <pre>list(object({<br>    server   = string<br>    username = string<br>    password = string<br>  }))</pre> | `[]` | no |
+| <a name="input_image_registry_credential"></a> [image\_registry\_credential](#input\_image\_registry\_credential) | List of objects to configure connection to private registry | <pre>list(object({<br/>    server                    = string<br/>    username                  = optional(string)<br/>    password                  = optional(string)<br/>    user_assigned_identity_id = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | Specifies the IP address type of the container. Public, Private or None. | `string` | `"Public"` | no |
 | <a name="input_location"></a> [location](#input\_location) | Specifies the supported Azure location where the resource exists. | `string` | n/a | yes |
 | <a name="input_os_type"></a> [os\_type](#input\_os\_type) | The OS for the container group. Allowed values are Linux and Windows. | `string` | `"Linux"` | no |
diff --git a/main.tf b/main.tf
@@ -9,17 +9,25 @@ resource "azurerm_container_group" "this" {
   subnet_ids          = var.subnet_ids
   tags                = var.tags
 
-  identity {
-    type         = var.identity_ids == null ? "SystemAssigned" : "SystemAssigned, UserAssigned"
-    identity_ids = var.identity_ids
+  dynamic "identity" {
+    for_each = (var.enable_system_assigned_identity || var.identity_ids != null) ? [1] : []
+
+    content {
+      type = join(", ", compact([
+        var.enable_system_assigned_identity ? "SystemAssigned" : "",
+        var.identity_ids != null ? "UserAssigned" : ""
+      ]))
+      identity_ids = var.identity_ids
+    }
   }
 
   dynamic "image_registry_credential" {
     for_each = var.image_registry_credential
     content {
-      server   = image_registry_credential.value.server
-      username = image_registry_credential.value.username
-      password = image_registry_credential.value.password
+      server                    = image_registry_credential.value.server
+      username                  = image_registry_credential.value.username
+      password                  = image_registry_credential.value.password
+      user_assigned_identity_id = image_registry_credential.value.user_assigned_identity_id
     }
   }
 
diff --git a/variables.tf b/variables.tf
@@ -37,6 +37,12 @@ variable "restart_policy" {
   default     = "Never"
 }
 
+variable "enable_system_assigned_identity" {
+  type        = bool
+  description = "Specifies whether to enable System Assigned identity for container instance or not"
+  default     = false
+}
+
 variable "identity_ids" {
   type        = list(string)
   description = "Specifies a list of User Assigned Managed Identity IDs to be assigned to this Container Group."
@@ -69,9 +75,10 @@ variable "exposed_ports_udp" {
 
 variable "image_registry_credential" {
   type = list(object({
-    server   = string
-    username = string
-    password = string
+    server                    = string
+    username                  = optional(string)
+    password                  = optional(string)
+    user_assigned_identity_id = optional(string)
   }))
   description = "List of objects to configure connection to private registry"
   default     = []
