feat: Support attaching the AKS to an ACR

Author: dploeger

README.md

@@ -53,6 +53,7 @@ The following resources are used by this module:
 - [azurerm_kubernetes_cluster.k8s](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) (resource)
 - [azurerm_kubernetes_cluster_node_pool.additional](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) (resource)
 - [azurerm_public_ip.public-ip-outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) (resource)
+- [azurerm_role_assignment.aksacr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azuread_group.ownersgroup](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) (data source)
 
 ## Required Inputs
@@ -143,6 +144,14 @@ Type: `list(number)`
 
 Default: `[]`
 
+### azure\_container\_registry\_ids
+
+Description: IDs of the azure container registries that the AKS should have pull access to
+
+Type: `list(string)`
+
+Default: `[]`
+
 ### default\_node\_pool\_name
 
 Description: Name of the default node pool

acr_attach.tf

@@ -0,0 +1,7 @@
+resource "azurerm_role_assignment" "aksacr" {
+  for_each                         = var.azure_container_registry_ids
+  principal_id                     = azurerm_kubernetes_cluster.k8s.kubelet_identity[0].object_id
+  role_definition_name             = "AcrPull"
+  scope                            = each.value
+  skip_service_principal_aad_check = true
+}

vars.tf

@@ -180,4 +180,12 @@ variable "managed_identity_security_group" {
     * Group.Read.All
     * Group.ReadWrite.All
   EOF
+}
+
+variable "azure_container_registry_ids" {
+  type        = list(string)
+  default     = []
+  description = <<-EOF
+    IDs of the azure container registries that the AKS should have pull access to
+  EOF
 }