From d246bc73342cfb694e1bc553599f3377ab23e6d4 Mon Sep 17 00:00:00 2001
From: Richard Hagen
Date: Fri, 12 Apr 2024 13:27:43 +0200
Subject: [PATCH] Add AcrPull access to Vulnerability scanner Writer MI (#1290)

* Add AcrPull access to Vulnerability scanner Write

* formatting
---
 .../subscriptions/s940/c2/vulnerability-scanner/main.tf | 8 +++++++-
 .../subscriptions/s940/prod/vulnerability-scanner/main.tf | 6 ++++++
 .../s941/playground/vulnerability-scanner/main.tf | 7 +++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
index 1a95a0615..9d04b45c6 100644
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
@@ -50,7 +50,7 @@ module "github-workload-id" {
 location = module.resourcegroup.data.location
 roleassignments = {
 contributor = {
- role = "Contributor" # Needed to open firewall
+ role = "Contributor" # Needed to open firewall
 scope_id = data.azurerm_container_registry.acr.id
 },
 }
@@ -69,6 +69,12 @@ module "mi-writer" {
 name = "radix-id-vulnerability-scan-writer-${module.config.environment}"
 resource_group_name = module.resourcegroup.data.name
 location = module.resourcegroup.data.location
+ roleassignments = {
+ "acr" = {
+ role = "AcrPull"
+ scope_id = data.azurerm_container_registry.acr.id
+ }
+ }
 }
 
 module "mi-reader" {
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
index 7ca2eb2ad..039d4dd09 100644
--- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
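Review bot: The new `"acr"` role assignment on mi-writer carries no comment saying why the writer identity needs to pull images, while the neighbouring `contributor` assignment in github-workload-id documents its purpose with `# Needed to open firewall`; the same gap is in the prod and playground hunks. AcrPull scoped to `data.azurerm_container_registry.acr.id` grants pull on the whole registry, so a one-line rationale lets the next reviewer confirm it is the scanner itself that runs under this identity and not a leftover grant, e.g. `role = "AcrPull" # <reason the writer MI pulls images, e.g. scanning>`. The key is quoted (`"acr"`) whereas the existing assignment uses a bare `contributor` key; pick one form across the three files. The playground hunk additionally inserts an empty line before `roleassignments` that c2 and prod do not have. The `module "mi-writer"` block starts before each hunk.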
@@ -70,6 +70,12 @@ module "mi-writer" {
 name = "radix-id-vulnerability-scan-writer-${module.config.environment}"
 resource_group_name = module.resourcegroup.data.name
 location = module.resourcegroup.data.location
+ roleassignments = {
+ "acr" = {
+ role = "AcrPull"
+ scope_id = data.azurerm_container_registry.acr.id
+ }
+ }
 }
 
 module "mi-reader" {
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
index 11e2f1235..821cdf9c6 100644
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
@@ -68,6 +68,13 @@ module "mi-writer" {
 name = "radix-id-vulnerability-scan-writer-${module.config.environment}"
 resource_group_name = module.resourcegroup.data.name
 location = module.resourcegroup.data.location
+
+ roleassignments = {
+ "acr" = {
+ role = "AcrPull"
+ scope_id = data.azurerm_container_registry.acr.id
+ }
+ }
 }
 
 module "mi-reader" {