Support for Managed Identity in Container App Job Scale Rules #26570

Dionmm opened this issue Jul 8, 2024 · 4 comments · May be fixed by #27489

Comments

@Dionmm
Contributor

Dionmm commented Jul 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

In Azure Container App Jobs they have recently added support for authenticating using a managed identity in scaling rules. This allows rules to be added without the need for less secure methods (such as PATs, SAS tokens, or connection strings) to be used for the scaling rules' authentication.

Either user assigned or system identities can be used.

All scaling rules should have an identity property that accepts the resource ID for a user assigned identity or system in the case of a system assigned identity.

New or Affected Resource(s)/Data Source(s)

azurerm_container_app_job

Potential Terraform Configuration

resource "azurerm_container_app_job" "example" {
  name                         = "example-container-app-job"
  location                     = azurerm_resource_group.example.location
  resource_group_name          = azurerm_resource_group.example.name
  container_app_environment_id = azurerm_container_app_environment.example.id

  replica_timeout_in_seconds = 10
  replica_retry_limit        = 10
  event_trigger_config {
    parallelism              = 1
    replica_completion_count = 1
    scale {
      max_executions              = 10
      min_executions              = 0
      polling_interval_in_seconds = 30
      rules {
        name             = "azure-pipelines"
        custom_rule_type = "azure-pipelines"
        identity         = azurerm_user_assigned_identity.example.id
        metadata = {
          poolName                   = "example-pool-name"
          targetPipelinesQueueLength = 1
        }
        authentication {
          trigger_parameter = "organizationURL"
          secret_name       = "organization-url"
        }
      }
    }
  }

  template {
    container {
      image  = "repo/testcontainerAppsJob0:v1"
      name   = "testcontainerappsjob0"
      cpu    = 0.5
      memory = "1Gi"
    }
  }
}

References

Implementation discussion: microsoft/azure-container-apps#592
API Reference: https://learn.microsoft.com/en-us/rest/api/containerapps/container-apps/create-or-update?view=rest-containerapps-2024-02-02-preview&tabs=HTTP#customscalerule
Azcli example: https://learn.microsoft.com/en-us/azure/container-apps/scale-app?pivots=azure-cli#authentication-1

@Dilergore
Contributor

Hi,

Any ETA on this?

@LandryDubus

It would be great to have support for managed identity in scale rules for container apps (not jobs) as well. This is officially supported through ARM templates and Azure CLI commands, but the azurerm provider still does not support it.

@dennisvdberg

I am also missing this feature on custom_rule_type azure-queue.

@robertstettner

We are also missing this; could someone please look into it? 😃
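
An added example (not part of the issue thread or of the azurerm provider): a Python check that lists scale rules on Container App Jobs, and on Container Apps as raised in the comments, that still authenticate with secrets only and set no managed identity. The ARM field layout is assumed from the API reference linked in the issue, and the template and every name in it are constructed.

```python
import json

# Constructed sample shaped like an exported ARM template. The field layout
# (rules[].auth[].secretRef, rules[].identity) is an assumption based on the
# 2024-02-02-preview API reference linked in the issue.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.App/jobs", "name": "job-with-pat",
   "properties": {"configuration": {"eventTriggerConfig": {"scale": {"rules": [
     {"name": "azure-pipelines", "type": "azure-pipelines",
      "auth": [{"triggerParameter": "personalAccessToken", "secretRef": "pat"}]}]}}}}},
  {"type": "Microsoft.App/jobs", "name": "job-with-identity",
   "properties": {"configuration": {"eventTriggerConfig": {"scale": {"rules": [
     {"name": "azure-pipelines", "type": "azure-pipelines", "identity": "system",
      "auth": [{"triggerParameter": "organizationURL", "secretRef": "organization-url"}]}]}}}}},
  {"type": "Microsoft.App/containerApps", "name": "app-with-connstr",
   "properties": {"template": {"scale": {"rules": [
     {"name": "queue", "azureQueue": {"queueName": "q", "queueLength": 5,
      "auth": [{"triggerParameter": "connection", "secretRef": "storage-conn"}]}}]}}}}
]}
""")

def _job_rules(props):
    # Jobs keep rule fields flat under eventTriggerConfig.scale.rules[].
    scale = props.get("configuration", {}).get("eventTriggerConfig", {}).get("scale", {})
    return [(r.get("name"), r) for r in scale.get("rules", [])]

def _app_rules(props):
    # Container Apps nest the rule body under one of these type keys.
    rules = props.get("template", {}).get("scale", {}).get("rules", [])
    return [(r.get("name"), r[k]) for r in rules
            for k in ("custom", "azureQueue", "http", "tcp") if isinstance(r.get(k), dict)]

def audit_scale_rules(template):
    """Return (resource, rule, secret refs) for rules that authenticate with
    secrets only, i.e. have auth entries but no managed identity set."""
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        rules = _job_rules(props) if rtype == "microsoft.app/jobs" else \
                _app_rules(props) if rtype == "microsoft.app/containerapps" else []
        for name, body in rules:
            refs = [a.get("secretRef") for a in body.get("auth") or [] if a.get("secretRef")]
            if refs and not body.get("identity"):
                findings.append((res.get("name"), name, refs))
    return findings

if __name__ == "__main__":
    for finding in audit_scale_rules(SAMPLE_TEMPLATE):
        print("secret-only scale rule:", finding)
```

A rule that sets `identity` is not reported even when it keeps an `auth` entry, which matches the configuration proposed in the issue, where the remaining secret holds only the organization URL.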
