fix: Added Role assignment for managed identity to pull the image from Container

Prajwal-Microsoft · Prajwal-Microsoft · commit 7c461edece3b · 2025-07-11T15:56:05.000+05:30
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -467,6 +467,13 @@ module avmContainerRegistry 'modules/container-registry.bicep' = {
     acrSku: 'Standard'
     publicNetworkAccess: 'Enabled'
     zoneRedundancy: 'Disabled'
+    roleAssignments: [
+      {
+        principalId: avmContainerRegistryReader.outputs.principalId
+        roleDefinitionIdOrName: 'AcrPull'
+        principalType: 'ServicePrincipal'
+      }
+    ]
     tags: tags
   }
 }
diff --git a/infra/modules/container-registry.bicep b/infra/modules/container-registry.bicep
@@ -16,6 +16,10 @@ param publicNetworkAccess string = 'Enabled'
 @description('Zone redundancy setting for the Azure Container Registry')
 param zoneRedundancy string = 'Disabled'
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
 @description('Tags to be applied to the Container Registry')
 param tags object = {}
 
@@ -27,6 +31,7 @@ module avmContainerRegistry 'br/public:avm/res/container-registry/registry:0.9.1
     acrSku: acrSku
     publicNetworkAccess: publicNetworkAccess
     zoneRedundancy: zoneRedundancy
+    roleAssignments: roleAssignments
     tags: tags
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -467,6 +467,13 @@ module avmContainerRegistry 'modules/container-registry.bicep' = {`
`467`	`467`	`acrSku: 'Standard'`
`468`	`468`	`publicNetworkAccess: 'Enabled'`
`469`	`469`	`zoneRedundancy: 'Disabled'`
	`470`	`+ roleAssignments: [`
	`471`	`+ {`
	`472`	`+ principalId: avmContainerRegistryReader.outputs.principalId`
	`473`	`+ roleDefinitionIdOrName: 'AcrPull'`
	`474`	`+ principalType: 'ServicePrincipal'`
	`475`	`+ }`
	`476`	`+ ]`
`470`	`477`	`tags: tags`
`471`	`478`	`}`
`472`	`479`	`}`