// Copyright 2016-2021, Pulumi Corporation. All rights reserved.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using Pulumi;
using Pulumi.AzureNative.Authorization;
using Pulumi.AzureNative.ContainerRegistry;
using Pulumi.AzureNative.ContainerRegistry.Inputs;
using Pulumi.AzureNative.Resources;
using Deployment = Pulumi.Deployment;
using RoleAssignment = Pulumi.AzureNative.Authorization.RoleAssignment;
// Program entry point: Pulumi constructs MyStack and drives the deployment to completion.
await Deployment.RunAsync<MyStack>();
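class MyStack : Stack
{
    // One HttpClient for the life of the program (a per-call instance leaks sockets).
    // The bearer token is attached per request, not on DefaultRequestHeaders, so the
    // shared instance never carries credentials between calls.
    private static readonly HttpClient s_httpClient = new();

    /// <summary>
    /// Stack output. NOTE(review): declared but never assigned in the constructor, so the
    /// stack currently exports no value for it — confirm what it is meant to carry.
    /// </summary>
    [Output]
    public Output<string> Result { get; set; }

    /// <summary>
    /// Creates a resource group and a Basic-tier container registry, then grants the
    /// principal running this deployment the AcrPull role on that registry.
    /// </summary>
    public MyStack()
    {
        var resourceGroup = new ResourceGroup("registry-rg");

        var registry = new Registry("registry", new()
        {
            ResourceGroupName = resourceGroup.Name,
            Sku = new SkuArgs { Name = SkuName.Basic },
            // Turns on the registry's shared admin username/password. The RBAC assignment
            // below is the intended access path; leave this enabled only if something
            // still depends on the admin credentials.
            AdminUserEnabled = true
        });

        // Object id of the principal the deployment runs as (taken from the ambient Azure credentials).
        var currentServicePrincipalId = Output.Create(GetClientConfig.InvokeAsync()).Apply(c => c.ObjectId);

        // Registered for its side effect only: Pulumi tracks the resource, no local is needed.
        new RoleAssignment("access-from-cluster", new()
        {
            PrincipalId = currentServicePrincipalId,
            PrincipalType = PrincipalType.ServicePrincipal, // adjust the type if you are running as a user
            RoleDefinitionId = Output.Create(GetRoleIdByName("AcrPull")),
            Scope = registry.Id
        });
    }

    /// <summary>
    /// Resolves the fully-qualified id of a role definition (built-in or custom) from its display name
    /// by querying Azure Resource Manager directly.
    /// </summary>
    /// <param name="roleName">Role name as shown in Azure, e.g. "AcrPull".</param>
    /// <param name="scope">
    /// ARM scope to search under (e.g. "/subscriptions/{id}" or a resource-group path).
    /// Defaults to the subscription of the current credentials, which is what the original code always used.
    /// </param>
    /// <returns>The role definition's resource id.</returns>
    /// <exception cref="ArgumentException"><paramref name="roleName"/> is null or blank.</exception>
    /// <exception cref="HttpRequestException">ARM did not return a success status.</exception>
    /// <exception cref="InvalidOperationException">No role definition with that name exists under the scope.</exception>
    private static async System.Threading.Tasks.Task<string> GetRoleIdByName(string roleName, string? scope = null)
    {
        if (string.IsNullOrWhiteSpace(roleName))
        {
            throw new ArgumentException("Role name must not be empty.", nameof(roleName));
        }

        var config = await GetClientConfig.InvokeAsync();
        var token = await GetClientToken.InvokeAsync();

        // ARM takes the scope without a leading '/'; fall back to the credentials' subscription.
        var scopePath = string.IsNullOrEmpty(scope)
            ? $"subscriptions/{config.SubscriptionId}"
            : scope.TrimStart('/');

        // roleName is embedded in an OData filter: double any embedded quote (OData escaping) and
        // percent-encode the whole expression so the value cannot alter the query's structure.
        var filter = Uri.EscapeDataString($"roleName eq '{roleName.Replace("'", "''")}'");
        var url = $"https://management.azure.com/{scopePath}/providers/Microsoft.Authorization/roleDefinitions?api-version=2018-01-01-preview&$filter={filter}";

        // Unfortunately, Microsoft hasn't shipped an .NET5-compatible SDK at the time of writing this.
        // So, we have to hand-craft an HTTP request to retrieve a role definition.
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        using var response = await s_httpClient.SendAsync(request);
        if (!response.IsSuccessStatusCode)
        {
            throw new HttpRequestException($"Request failed with {response.StatusCode}", null, response.StatusCode);
        }

        var body = await response.Content.ReadAsStringAsync();
        var definition = JsonSerializer.Deserialize<RoleDefinition>(body);

        // An empty or malformed payload is reported explicitly instead of surfacing as an
        // indexer/null-reference failure from `value[0].id`.
        var first = definition?.value is { Count: > 0 } values ? values[0] : null;
        if (first?.id is null)
        {
            throw new InvalidOperationException($"No role definition named '{roleName}' found under scope '{scopePath}'.");
        }

        return first.id;
    }

    /// <summary>Shape of the ARM roleDefinitions list response (only the fields used here).</summary>
    public class RoleDefinition
    {
        // Lowercase on purpose: System.Text.Json matches property names case-sensitively by default.
        public List<RoleDefinitionValue>? value { get; set; }
    }

    /// <summary>One entry of the roleDefinitions list response.</summary>
    public class RoleDefinitionValue
    {
        public string? id { get; set; }
        public string? type { get; set; }
        public string? name { get; set; }
    }
}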