From 9fe1c0086737c7ae3629ee5f1cdb0b600ba8a985 Mon Sep 17 00:00:00 2001
From: Antony Natale <anatale@redhat.com>
Date: Tue, 11 Jun 2024 09:50:13 -0400
Subject: [PATCH] updates aks bicepf or acr pull role

---
 dev-infrastructure/modules/aks-cluster-base.bicep | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
index a47f3d520..ada421efb 100644
--- a/dev-infrastructure/modules/aks-cluster-base.bicep
+++ b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -49,6 +49,11 @@ var networkContributorRoleId = subscriptionResourceId(
   '4d97b98b-1d4f-4787-a291-c67834d212e7'
 )
 
+var acrPullRoleDefinitionId = subscriptionResourceId(
+  'Microsoft.Authorization/roleDefinitions',
+  '7f951dda-4ed3-4680-a7ca-43fe172d538d'
+)
+
 // Main
 // Tags the subscription
 resource subscriptionTags 'Microsoft.Resources/tags@2024-03-01' = {
@@ -333,6 +338,15 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
   }
 }
 
+resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, aksCluster.id, acrPullRoleDefinitionId)
+  properties: {
+    principalId: aksCluster.properties.identityProfile.kubeletidentity.objectId
+    roleDefinitionId: acrPullRoleDefinitionId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [
   for wi in workloadIdentities: {
     location: location