如何配置Azure应用服务以使用Terraform从ACR中提取图像?

时间:2020-01-25 23:48:35

标签: azure docker terraform azure-web-app-service azure-container-registry

我有以下terraform模块,可以在同一计划下设置应用程序服务:

document.querySelector

我通过以下配置调用它:

provider "azurerm" {
}

variable "env" {
    type = string
    description = "The SDLC environment (qa, dev, prod, etc...)"
}

variable "appsvc_names" {
    type = list(string)
    description = "The names of the app services to create under the same app service plan"
}

locals {
    location = "eastus2"
    resource_group_name = "app505-dfpg-${var.env}-web-${local.location}"
    acr_name = "app505dfpgnedeploycr88836"
}

resource "azurerm_app_service_plan" "asp" {
    name                = "${local.resource_group_name}-asp"
    location            = local.location
    resource_group_name = local.resource_group_name
    kind                = "Linux"
    reserved            = true

    sku {
        tier = "Basic"
        size = "B1"
    }
}

resource "azurerm_app_service" "appsvc" {
    for_each            = toset(var.appsvc_names)

    name                = "${local.resource_group_name}-${each.value}-appsvc"
    location            = local.location
    resource_group_name = local.resource_group_name
    app_service_plan_id = azurerm_app_service_plan.asp.id

    site_config {
        linux_fx_version = "DOCKER|${local.acr_name}/${each.value}:latest"
    }

    app_settings = {
        DOCKER_REGISTRY_SERVER_URL = "https://${local.acr_name}.azurecr.io"
    } 
}

output "hostnames" {
  value = {
    for appsvc in azurerm_app_service.appsvc: appsvc.name => appsvc.default_site_hostname
  }
}

容器注册表具有我需要的图像:

terraform {
    backend "azurerm" {
    }
}

locals {
    appsvc_names = ["gateway"]
}

module "web" {
    source = "../../modules/web"
    env = "qa"
    appsvc_names = local.appsvc_names
}

output "hostnames" {
    description = "The hostnames of the created app services"
    value       = module.web.hostnames
}

当我应用terraform配置时,一切都创建良好,但是在Azure Portal中检查创建的应用服务资源后,发现其容器设置未显示docker映像:

enter image description here

现在,我可以手动切换到另一个ACR,然后回到我只想得到的ACR:

enter image description here 

C:\> az acr login --name app505dfpgnedeploycr88836
Login Succeeded
C:\> az acr repository list  --name app505dfpgnedeploycr88836
[
  "gateway"
]
C:\> az acr repository show-tags --name app505dfpgnedeploycr88836 --repository gateway
[
  "latest"
]
C:\>

这让我感到困惑。根据{{​​3}},不应使用admin用户,因此我的ACR没有一个。另一方面,我了解我需要以某种方式配置应用程序服务以通过ACR进行身份验证。

那么正确的方法是什么?

1 个答案:

答案 0 :(得分:1)

因此您可以将服务主体auth与App Service一起使用,但是您必须创建服务主体以向其授予对注册表的ACRpull权限,并在App Service site_config中使用服务主体login \ password

DOCKER_REGISTRY_SERVER_USERNAME
DOCKER_REGISTRY_SERVER_PASSWORD

相关问题
最新问题