Improve managed identity logic

Author: Artem Vovchenko

main.tf

@@ -9,9 +9,16 @@ resource "azurerm_container_group" "this" {
   subnet_ids          = var.subnet_ids
   tags                = var.tags
 
-  identity {
-    type         = var.identity_ids == null ? "SystemAssigned" : "SystemAssigned, UserAssigned"
-    identity_ids = var.identity_ids
+  dynamic "identity" {
+    for_each = (var.enable_system_assigned_identity || var.identity_ids != null) ? [1] : []
+
+    content {
+      type = join(", ", compact([
+        var.enable_system_assigned_identity ? "SystemAssigned" : "",
+        var.identity_ids != null ? "UserAssigned" : ""
+      ]))
+      identity_ids = var.identity_ids
+    }
   }
 
   dynamic "image_registry_credential" {

variables.tf

@@ -37,6 +37,12 @@ variable "restart_policy" {
   default     = "Never"
 }
 
+variable "enable_system_assigned_identity" {
+  type        = bool
+  description = "Specifies whether to enable System Assigned identity for container instance or not"
+  default     = false
+}
+
 variable "identity_ids" {
   type        = list(string)
   description = "Specifies a list of User Assigned Managed Identity IDs to be assigned to this Container Group."
@@ -70,9 +76,9 @@ variable "exposed_ports_udp" {
 variable "image_registry_credential" {
   type = list(object({
     server                    = string
-    username                  = string
-    password                  = string
-    user_assigned_identity_id = string
+    username                  = optional(string)
+    password                  = optional(string)
+    user_assigned_identity_id = optional(string)
   }))
   description = "List of objects to configure connection to private registry"
   default     = []