
Deploying Premium Azure Container Registry from import fails due to "azurerm_container_registry_scope_map" object names containing underscores

Open cbellee opened this issue 2 years ago • 1 comments

Deploying a Premium Azure Container Registry from an aztfy-generated import file fails due to "azurerm_container_registry_scope_map" object names containing underscores.

NOTE: Only the Premium ACR SKU supports scope maps, so this issue only pertains to that ACR SKU.

The command below successfully creates a main.tf file,

$ aztfy --output-dir ./output aztfy-test-rg

resource "azurerm_resource_group" "res-5" {
  location = "australiaeast"
  name     = "aztfy-test-rg"
}
resource "azurerm_container_registry" "res-1" {
  location            = "australiaeast"
  name                = "testacr876768"
  resource_group_name = "aztfy-test-rg"
  sku                 = "Premium"
  depends_on = [
    azurerm_resource_group.res-5,
  ]
}
resource "azurerm_container_registry_scope_map" "res-3" {
  actions                 = ["repositories/*/content/read"]
  container_registry_name = "testacr43057304"
  description             = "Can pull any repository of the registry"
  name                    = "_repositories_pull"
  resource_group_name     = "bicep-acr-rg"
  depends_on = [
    azurerm_container_registry.res-1,
  ]
}
resource "azurerm_container_registry_scope_map" "res-4" {
  actions                 = ["repositories/*/content/read", "repositories/*/content/write"]
  container_registry_name = "testacr43057304"
  description             = "Can push to any repository of the registry"
  name                    = "_repositories_push"
  resource_group_name     = "bicep-acr-rg"
  depends_on = [
    azurerm_container_registry.res-1,
  ]
}
resource "azurerm_container_registry_scope_map" "res-2" {
  actions                 = ["repositories/*/metadata/read", "repositories/*/metadata/write", "repositories/*/content/read", "repositories/*/content/write", "repositories/*/content/delete"]
  container_registry_name = "testacr43057304"
  description             = "Can perform all read, write and delete operations on the registry"
  name                    = "_repositories_admin"
  resource_group_name     = "bicep-acr-rg"
  depends_on = [
    azurerm_container_registry.res-1,
  ]
}

Deploying the generated template with $ terraform plan fails with the following errors.

Error: alpha numeric characters and hyphens only are allowed in "name": "_repositories_pull"
│ 
│   with azurerm_container_registry_scope_map.res-3,
│   on main.tf line 18, in resource "azurerm_container_registry_scope_map" "res-3":
│   18:   name                    = "_repositories_pull"
│ 
╵
╷
│ Error: alpha numeric characters and hyphens only are allowed in "name": "_repositories_push"
│ 
│   with azurerm_container_registry_scope_map.res-4,
│   on main.tf line 28, in resource "azurerm_container_registry_scope_map" "res-4":
│   28:   name                    = "_repositories_push"
│ 
╵
╷
│ Error: alpha numeric characters and hyphens only are allowed in "name": "_repositories_admin"
│ 
│   with azurerm_container_registry_scope_map.res-2,
│   on main.tf line 38, in resource "azurerm_container_registry_scope_map" "res-2":
│   38:   name                    = "_repositories_admin"

If the scope maps are renamed to remove the underscores, the deployment again fails with the following errors since the scope map names don't follow the docker repository naming convention.

 Error: creating Container Registry Scope Map: (Scope Map Name "repositories-pull" / Registry Name "testacr43057304" / Resource Group "bicep-acr-rg"): containerregistry.ScopeMapsClient#Create: Failure sending request: StatusCode=400 -- Original Error: Code="RepositoryNameInvalid" Message="Repository name * is invalid. The respository name should follow the standardized docker repository naming conventions. For more information on repository permissions, please visit https://aka.ms/acr/repo-permissions."
│ 
│   with azurerm_container_registry_scope_map.res-3,
│   on main.tf line 14, in resource "azurerm_container_registry_scope_map" "res-3":
│   14: resource "azurerm_container_registry_scope_map" "res-3" {
│ 
╵
╷
│ Error: creating Container Registry Scope Map: (Scope Map Name "repositories-push" / Registry Name "testacr43057304" / Resource Group "bicep-acr-rg"): containerregistry.ScopeMapsClient#Create: Failure sending request: StatusCode=400 -- Original Error: Code="RepositoryNameInvalid" Message="Repository name * is invalid. The respository name should follow the standardized docker repository naming conventions. For more information on repository permissions, please visit https://aka.ms/acr/repo-permissions."
│ 
│   with azurerm_container_registry_scope_map.res-4,
│   on main.tf line 24, in resource "azurerm_container_registry_scope_map" "res-4":
│   24: resource "azurerm_container_registry_scope_map" "res-4" {
│ 
╵
╷
│ Error: creating Container Registry Scope Map: (Scope Map Name "repositories-admin" / Registry Name "testacr43057304" / Resource Group "bicep-acr-rg"): containerregistry.ScopeMapsClient#Create: Failure sending request: StatusCode=400 -- Original Error: Code="RepositoryNameInvalid" Message="Repository name * is invalid. The respository name should follow the standardized docker repository naming conventions. For more information on repository permissions, please visit https://aka.ms/acr/repo-permissions."
│ 
│   with azurerm_container_registry_scope_map.res-2,
│   on main.tf line 34, in resource "azurerm_container_registry_scope_map" "res-2":
│   34: resource "azurerm_container_registry_scope_map" "res-2" {
│ 
╵

cbellee • Jul 25 '22 23:07

@cbellee Are these scope maps with underscores created by the ACR by default? If so, then we should skip generating them via aztfy.

magodo • Jul 26 '22 00:07

Hey @cbellee! Since I didn't hear from you for a while, I'm going to close this issue for now. If you still have questions, feel free to reopen.

magodo • Sep 28 '22 03:09

@magodo Apologies, I forgot to reply to your previous message. Yes, if the default policies could be skipped, it would solve the issue.

cbellee • Sep 28 '22 04:09
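
The workaround the thread settles on, leaving the underscore-prefixed scope maps out of the generated configuration, sketched as an added example (not aztfy's code and not part of the issue). It assumes, as the thread suggests, that scope maps whose name starts with `_` are the registry's built-in ones; the function name and the sample input are constructed.

```python
import re

# Constructed sample in the shape of the aztfy output quoted in the issue;
# "res-9" / "app-pull" is a made-up user-defined scope map.
SAMPLE_MAIN_TF = '''\
resource "azurerm_container_registry" "res-1" {
  name = "testacr876768"
  sku  = "Premium"
}
resource "azurerm_container_registry_scope_map" "res-3" {
  actions = ["repositories/*/content/read"]
  name    = "_repositories_pull"
  depends_on = [
    azurerm_container_registry.res-1,
  ]
}
resource "azurerm_container_registry_scope_map" "res-9" {
  actions = ["repositories/app/content/read"]
  name    = "app-pull"
}
'''

HEADER = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
NAME = re.compile(r'^\s*name\s*=\s*"([^"]*)"\s*$')
SCOPE_MAP = "azurerm_container_registry_scope_map"


def drop_underscore_scope_maps(text):
    """Return (filtered_text, skipped_addresses); expects header and '}' at column 0."""
    out, skipped, block, header = [], [], None, None
    for line in text.splitlines():
        if block is None:
            header = HEADER.match(line)
            if header:
                block = [line]
            else:
                out.append(line)  # anything outside a resource block is kept
            continue
        block.append(line)
        if line == "}":
            name = next((m.group(1) for l in block if (m := NAME.match(l))), "")
            if header.group(1) == SCOPE_MAP and name.startswith("_"):
                skipped.append(f"{header.group(1)}.{header.group(2)}")
            else:
                out.extend(block)
            block = None
    out.extend(block or [])  # unterminated trailing block: keep it untouched
    return "\n".join(out) + "\n", skipped
```

If the skipped resources were also imported into Terraform state, the returned addresses are the ones to pass to `terraform state rm`; otherwise the next plan proposes destroying them.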