working_pod

Reputation: 1

Running Bicep Deployment Script Privately Over a Private Endpoint with Custom Image from Private Registry

We are working on using deployment scripts on a private network and need to use a custom container image. The image is stored in a private registry, and we would like to pull additional modules or dependencies from JFrog Artifactory (or another private registry) during the execution of the script. Is that even possible? Has someone come across such a situation?

Following the guide - Run Bicep deployment script privately over a private endpoint

Is it possible to configure the ACI to:

1. Pull a custom image from a private container registry.
2. Pull additional modules or dependencies from JFrog Artifactory (or any private registry) within the container?

If so, could you provide guidance on how to authenticate the container instance to access the JFrog Artifactory registry or another private registry, and how to configure the image to pull the required modules during execution?

Additional Information:

  1. We are using deployment scripts in Azure + using bicep.
  2. We need to ensure that the custom image can pull modules from private registries like JFrog or similar.
  3. If possible, please provide the steps to authenticate and configure the container instance to interact with private registries.

Thank you for any help or guidance!

Example code

// Parameters the original snippet referenced without declaring them.
param subId string = subscription().subscriptionId
param usmiRG string          // resource group holding the user-assigned managed identity
param vnetRg string          // resource group holding the VNet
param vnetName string
param subnetName string      // subnet delegated to Microsoft.ContainerInstance/containerGroups
param storageAccountName string
param location string = resourceGroup().location
param currentTime string = utcNow() // utcNow() is only allowed as a parameter default

resource mngId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: 'xxxx'
  scope: resourceGroup(subId, usmiRG) // if MI in different RG than template deployment target RG
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  name: vnetName
  scope: resourceGroup(subId, vnetRg)
}

resource containerInstanceSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' existing = {
  name: subnetName
  parent: vnet // inherits the vnet's scope
}

resource Script 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'scriptTestsi'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${mngId.id}': {}
    }
  }
  properties: {
    azPowerShellVersion: '5.0'
    scriptContent: '''
Param([string] $StorageAccountName)
Connect-AzAccount -Identity
$DeploymentScriptOutputs["output"] = New-AzStorageContext -UseConnectedAccount -StorageAccountName $StorageAccountName `
    | Get-AzStorageBlob -Container 'images' -Blob * | Out-String
'''
    arguments: '-StorageAccountName ${storageAccountName}'
    cleanupPreference: 'OnSuccess' // when to clean up the storage account and ACI instance; alternatives: OnExpiration, Always
    retentionInterval: 'PT4H' // keep the deployment script resource for this duration (ISO 8601) and the ACI/SA if cleanupPreference is OnExpiration
    forceUpdateTag: currentTime // ensures the script runs on every deployment
    storageAccountSettings: {
      storageAccountName: storageAccountName
      // Storage account is resolved in the deployment's target resource group.
      // Note: the key is stored in the deployment script resource properties; scope the identity's access accordingly.
      storageAccountKey: listKeys(resourceId('Microsoft.Storage/storageAccounts', storageAccountName), '2019-06-01').keys[0].value
    }
    containerSettings: {
      containerGroupName: 'mycustomaci-1'
      subnetIds: [
        {
          id: containerInstanceSubnet.id
        }
      ]
    }
  }
}

output scriptOutput string = Script.properties.outputs.output
//output scriptLogs string = reference('${Script.id}/logs/default', Script.apiVersion, 'Full').properties.log

Upvotes: 0

Views: 28
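Added example for the second part of the question (pulling PowerShell modules from a private Artifactory feed from inside the deployment script); this is not code from the question or from an answer, and it does not address the custom-image part. It assumes hypothetical names: a Key Vault `kv-deploy` holding secrets `artifactory-user` and `artifactory-token`, an Artifactory NuGet-style PowerShell repository at `https://artifactory.corp.example/artifactory/api/nuget/psgallery-local`, a module `MyInternalModule`, that the deployment script's user-assigned identity has the Key Vault Secrets User role, and that both Key Vault and Artifactory are reachable from the ACI subnet (for example via their own private endpoints). It is written as `scriptContent` for an `AzurePowerShell` deployment script.

```powershell
# Added example, not from the original post. Runs as the scriptContent of an
# AzurePowerShell deployment script; all names below are assumptions.
param(
    [string] $VaultName  = 'kv-deploy',
    [string] $RepoUrl    = 'https://artifactory.corp.example/artifactory/api/nuget/psgallery-local',
    [string] $ModuleName = 'MyInternalModule'
)
$ErrorActionPreference = 'Stop'

# Authenticate as the user-assigned identity attached to the deployment script.
Connect-AzAccount -Identity | Out-Null

# Fetch the Artifactory user and API token from Key Vault instead of passing
# them as script arguments (arguments are visible in the deployment script resource).
$user  = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'artifactory-user'  -AsPlainText
$token = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'artifactory-token' -AsPlainText
$cred  = [pscredential]::new($user, (ConvertTo-SecureString $token -AsPlainText -Force))

# Register the Artifactory feed as a PowerShell repository (idempotent).
if (-not (Get-PSRepository -Name 'Artifactory' -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name 'Artifactory' `
        -SourceLocation $RepoUrl -PublishLocation $RepoUrl `
        -InstallationPolicy Trusted -Credential $cred
}

# Install into the current user's module path (the container's system path is
# not assumed writable), then import.
Install-Module -Name $ModuleName -Repository 'Artifactory' -Credential $cred -Scope CurrentUser -Force
Import-Module $ModuleName

# Surface what was pulled so the Bicep output can verify it.
$DeploymentScriptOutputs['moduleVersion'] = (Get-Module $ModuleName).Version.ToString()
```

Keeping the token in Key Vault and resolving it at run time through the managed identity means nothing secret lands in `arguments` or `environmentVariables` of the deployment script resource, which are readable by anyone with read access to the resource group.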

Answers (0)
