mgmt, support MSI for access ACR, when create ACI (#45274)

Author: weidongxu-microsoft

sdk/resourcemanager/azure-resourcemanager-authorization/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added `ACR_PULL` to `BuiltInRole`.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/resourcemanager/azure-resourcemanager-authorization/src/main/java/com/azure/resourcemanager/authorization/models/BuiltInRole.java

@@ -234,6 +234,9 @@ public final class BuiltInRole extends ExpandableStringEnum<BuiltInRole> {
     /** Read and create quota requests, get quota request status, and create support tickets. */
     public static final BuiltInRole QUOTA_REQUEST_OPERATOR = BuiltInRole.fromString("Quota Request Operator");
 
+    /** Read-only access to pull images. */
+    public static final BuiltInRole ACR_PULL = BuiltInRole.fromString("AcrPull");
+
     /**
      * Creates a new instance of BuiltInRole value.
      *

sdk/resourcemanager/azure-resourcemanager-containerinstance/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added `withPrivateImageRegistry` overload for managed identity in `ContainerGroup`.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/resourcemanager/azure-resourcemanager-containerinstance/src/main/java/com/azure/resourcemanager/containerinstance/implementation/ContainerGroupImpl.java

@@ -361,6 +361,22 @@ public ContainerGroupImpl withPrivateImageRegistry(String server, String usernam
         return this;
     }
 
+    @Override
+    public ContainerGroupImpl withPrivateImageRegistry(String server, Identity identity) {
+        return withPrivateImageRegistry(server, Objects.requireNonNull(identity).id());
+    }
+
+    private ContainerGroupImpl withPrivateImageRegistry(String server, String managedIdentityResourceId) {
+        if (this.innerModel().imageRegistryCredentials() == null) {
+            this.innerModel().withImageRegistryCredentials(new ArrayList<ImageRegistryCredential>());
+        }
+        this.innerModel()
+            .imageRegistryCredentials()
+            .add(new ImageRegistryCredential().withServer(server).withIdentity(managedIdentityResourceId));
+
+        return this;
+    }
+
     @Override
     public ContainerGroupImpl withNewAzureFileShareVolume(String volumeName, String shareName) {
         if (this.newFileShares == null || this.creatableStorageAccountKey == null) {

sdk/resourcemanager/azure-resourcemanager-containerinstance/src/main/java/com/azure/resourcemanager/containerinstance/models/ContainerGroup.java

@@ -395,6 +395,15 @@ interface WithPrivateImageRegistry {
              * @return the next stage of the definition
              */
             WithPrivateImageRegistryOrVolume withPrivateImageRegistry(String server, String username, String password);
+
+            /**
+             * Specifies the private container image registry server login for the container group.
+             *
+             * @param server Docker image registry server, without protocol such as "http" and "https"
+             * @param identity the managed identity (with "acrpull" role)
+             * @return the next stage of the definition
+             */
+            WithPrivateImageRegistryOrVolume withPrivateImageRegistry(String server, Identity identity);
         }
 
         /** The stage of the container group definition allowing to specify a private image registry or a volume. */

sdk/resourcemanager/azure-resourcemanager/src/test/java/com/azure/resourcemanager/ContainerGroupTests.java

@@ -0,0 +1,123 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.resourcemanager;
+
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.http.HttpClient;
+import com.azure.core.http.HttpPipeline;
+import com.azure.core.http.policy.HttpLogOptions;
+import com.azure.core.http.policy.HttpPipelinePolicy;
+import com.azure.core.http.policy.RetryPolicy;
+import com.azure.core.management.Region;
+import com.azure.core.management.profile.AzureProfile;
+import com.azure.resourcemanager.authorization.models.BuiltInRole;
+import com.azure.resourcemanager.authorization.models.RoleAssignment;
+import com.azure.resourcemanager.containerinstance.models.ContainerGroup;
+import com.azure.resourcemanager.containerregistry.models.ImportImageParameters;
+import com.azure.resourcemanager.containerregistry.models.ImportMode;
+import com.azure.resourcemanager.containerregistry.models.ImportSource;
+import com.azure.resourcemanager.containerregistry.models.Registry;
+import com.azure.resourcemanager.msi.models.Identity;
+import com.azure.resourcemanager.resources.fluentcore.utils.HttpPipelineProvider;
+import com.azure.resourcemanager.resources.fluentcore.utils.ResourceManagerUtils;
+import com.azure.resourcemanager.test.ResourceManagerTestProxyTestBase;
+import com.azure.resourcemanager.test.utils.TestDelayProvider;
+import com.azure.resourcemanager.test.utils.TestIdentifierProvider;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+
+import java.time.temporal.ChronoUnit;
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+public class ContainerGroupTests extends ResourceManagerTestProxyTestBase {
+
+    private AzureResourceManager azureResourceManager;
+
+    protected String rgName = "";
+    protected final Region region = Region.US_WEST3;
+
+    @Override
+    protected HttpPipeline buildHttpPipeline(TokenCredential credential, AzureProfile profile,
+        HttpLogOptions httpLogOptions, List<HttpPipelinePolicy> policies, HttpClient httpClient) {
+        return HttpPipelineProvider.buildHttpPipeline(credential, profile, null, httpLogOptions, null,
+            new RetryPolicy("Retry-After", ChronoUnit.SECONDS), policies, httpClient);
+    }
+
+    @Override
+    protected void initializeClients(HttpPipeline httpPipeline, AzureProfile profile) {
+        ResourceManagerUtils.InternalRuntimeContext.setDelayProvider(new TestDelayProvider(!isPlaybackMode()));
+        ResourceManagerUtils.InternalRuntimeContext internalContext = new ResourceManagerUtils.InternalRuntimeContext();
+        internalContext.setIdentifierFunction(name -> new TestIdentifierProvider(testResourceNamer));
+        azureResourceManager = buildManager(AzureResourceManager.class, httpPipeline, profile);
+        setInternalContext(internalContext, azureResourceManager);
+
+        rgName = generateRandomResourceName("javacsmrg", 15);
+    }
+
+    @Override
+    protected void cleanUpResources() {
+        try {
+            azureResourceManager.resourceGroups().beginDeleteByName(rgName);
+        } catch (Exception e) {
+        }
+    }
+
+    @Disabled("Admin in ACR is disallowed by policy, but it is required to deploy the image to ACI.")
+    // https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account
+    @Test
+    public void testContainerGroupWithPrivateImageRegistryAndMsi() {
+        // acr
+        final String acrName = generateRandomResourceName("acr", 10);
+        Registry registry = azureResourceManager.containerRegistries()
+            .define(acrName)
+            .withRegion(region)
+            .withNewResourceGroup(rgName)
+            .withBasicSku()
+            .withRegistryNameAsAdminUser()
+            .create();
+
+        azureResourceManager.containerRegistries()
+            .manager()
+            .serviceClient()
+            .getRegistries()
+            .importImage(rgName, registry.name(),
+                new ImportImageParameters()
+                    .withSource(new ImportSource().withRegistryUri("docker.io").withSourceImage("library/nginx:latest"))
+                    .withTargetTags(Arrays.asList("nginx:latest"))
+                    .withMode(ImportMode.NO_FORCE));
+
+        // msi
+        final String msiName = generateRandomResourceName("msi", 10);
+        Identity identity = azureResourceManager.identities()
+            .define(msiName)
+            .withRegion(region)
+            .withExistingResourceGroup(rgName)
+            .create();
+
+        // rbac
+        RoleAssignment roleAssignment = azureResourceManager.accessManagement()
+            .roleAssignments()
+            .define(UUID.randomUUID().toString())
+            .forObjectId(identity.principalId())
+            .withBuiltInRole(BuiltInRole.ACR_PULL)
+            .withScope(registry.id())
+            .create();
+
+        // aci
+        final String containerGroupName = generateRandomResourceName("acg", 10);
+        ContainerGroup containerGroup = azureResourceManager.containerGroups()
+            .define(containerGroupName)
+            .withRegion(region)
+            .withNewResourceGroup(rgName)
+            .withLinux()
+            .withPrivateImageRegistry(registry.loginServerUrl(), identity)
+            .withoutVolume()
+            .withContainerInstance("nginx", 80)
+            .withNewVirtualNetwork("10.0.0.0/24")
+            .withExistingUserAssignedManagedServiceIdentity(identity)
+            .create();
+    }
+}