Add AcrPullVerifyStep

Author: MicroFish91

src/commands/EXECUTE_PRIORITY.md

@@ -29,7 +29,8 @@ When creating or updating resources, execute steps should occupy certain priorit
 #### Steps
 ##### Managed Identity Registry Credential
 - ManagedEnvironmentIdentityEnableStep: 450
-- AcrPullEnableStep: 460
+- AcrPullVerifyStep: 460
+- AcrPullEnableStep: 461
 - ManagedIdentityRegistryCredentialAddConfigurationStep: 470
 
 ##### Admin User Registry Credential

src/commands/registryCredentials/identity/AcrPullEnableStep.ts

@@ -3,39 +3,28 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { KnownPrincipalType, type AuthorizationManagementClient, type RoleAssignment, type RoleAssignmentCreateParameters } from "@azure/arm-authorization";
-import { uiUtils } from "@microsoft/vscode-azext-azureutils";
+import { KnownPrincipalType, type AuthorizationManagementClient, type RoleAssignmentCreateParameters } from "@azure/arm-authorization";
 import { AzureWizardExecuteStep, GenericParentTreeItem, GenericTreeItem, activityFailContext, activityFailIcon, activitySuccessContext, activitySuccessIcon, createUniversallyUniqueContextValue, nonNullValueAndProp, type ExecuteActivityOutput } from "@microsoft/vscode-azext-utils";
 import * as crypto from "crypto";
 import { type Progress } from "vscode";
 import { createAuthorizationManagementClient } from "../../../utils/azureClients";
 import { localize } from "../../../utils/localize";
+import { acrPullRoleId } from "./AcrPullVerifyStep";
 import { type ManagedIdentityRegistryCredentialsContext } from "./ManagedIdentityRegistryCredentialsContext";
 
-const acrPullRoleId: string = '7f951dda-4ed3-4680-a7ca-43fe172d538d';
-
 export class AcrPullEnableStep extends AzureWizardExecuteStep<ManagedIdentityRegistryCredentialsContext> {
-    public priority: number = 460;
-
-    // Add a configureBeforeExecute
+    public priority: number = 461;
 
     public async execute(context: ManagedIdentityRegistryCredentialsContext, progress: Progress<{ message?: string | undefined; increment?: number | undefined }>): Promise<void> {
         const client: AuthorizationManagementClient = await createAuthorizationManagementClient(context);
-        const registryId: string = nonNullValueAndProp(context.registry, 'id');
-        const managedEnvironmentIdentity: string = nonNullValueAndProp(context.managedEnvironment?.identity, 'principalId');
-
-        if (await this.hasAcrPullAssignment(client, registryId, managedEnvironmentIdentity)) {
-            return;
-        }
-
         const roleCreateParams: RoleAssignmentCreateParameters = {
             description: 'acr pull',
             roleDefinitionId: `/providers/Microsoft.Authorization/roleDefinitions/${acrPullRoleId}`,
             principalId: nonNullValueAndProp(context.managedEnvironment?.identity, 'principalId'),
             principalType: KnownPrincipalType.ServicePrincipal,
         };
 
-        progress.report({ message: localize('updatingRegistryCredentials', 'Updating registry credentials...') });
+        progress.report({ message: localize('addingAcrPull', 'Adding ACR pull role...') });
         await client.roleAssignments.create(
             nonNullValueAndProp(context.registry, 'id'),
             crypto.randomUUID(),
@@ -44,18 +33,7 @@ export class AcrPullEnableStep extends AzureWizardExecuteStep<ManagedIdentityReg
     }
 
     public shouldExecute(context: ManagedIdentityRegistryCredentialsContext): boolean {
-        return !!context.registry;
-    }
-
-    private async hasAcrPullAssignment(client: AuthorizationManagementClient, registryId: string, managedEnvironmentIdentity: string): Promise<boolean> {
-        const roleAssignments: RoleAssignment[] = await uiUtils.listAllIterator(client.roleAssignments.listForScope(
-            registryId,
-            {
-                // $filter=principalId eq {id}
-                filter: `principalId eq '{${managedEnvironmentIdentity}}'`,
-            }
-        ));
-        return roleAssignments.some(r => !!r.roleDefinitionId?.endsWith(acrPullRoleId));
+        return !!context.registry && !context.hasAcrPullRole;
     }
 
     public createSuccessOutput(): ExecuteActivityOutput {

src/commands/registryCredentials/identity/AcrPullVerifyStep.ts

@@ -0,0 +1,66 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { type AuthorizationManagementClient, type RoleAssignment } from "@azure/arm-authorization";
+import { uiUtils } from "@microsoft/vscode-azext-azureutils";
+import { AzureWizardExecuteStep, GenericParentTreeItem, GenericTreeItem, activityFailContext, activityFailIcon, activitySuccessContext, activitySuccessIcon, createUniversallyUniqueContextValue, nonNullValueAndProp, type ExecuteActivityOutput } from "@microsoft/vscode-azext-utils";
+import { type Progress } from "vscode";
+import { createAuthorizationManagementClient } from "../../../utils/azureClients";
+import { localize } from "../../../utils/localize";
+import { type ManagedIdentityRegistryCredentialsContext } from "./ManagedIdentityRegistryCredentialsContext";
+
+export const acrPullRoleId: string = '7f951dda-4ed3-4680-a7ca-43fe172d538d';
+
+export class AcrPullVerifyStep extends AzureWizardExecuteStep<ManagedIdentityRegistryCredentialsContext> {
+    public priority: number = 460;
+
+    public async execute(context: ManagedIdentityRegistryCredentialsContext, progress: Progress<{ message?: string | undefined; increment?: number | undefined }>): Promise<void> {
+        const client: AuthorizationManagementClient = await createAuthorizationManagementClient(context);
+        const registryId: string = nonNullValueAndProp(context.registry, 'id');
+        const managedEnvironmentIdentity: string = nonNullValueAndProp(context.managedEnvironment?.identity, 'principalId');
+
+        progress.report({ message: localize('verifyingAcrPull', 'Verifying ACR pull role...') })
+        const roleAssignments: RoleAssignment[] = await uiUtils.listAllIterator(client.roleAssignments.listForScope(
+            registryId,
+            {
+                // $filter=principalId eq {id}
+                filter: `principalId eq '{${managedEnvironmentIdentity}}'`,
+            }
+        ));
+
+        context.hasAcrPullRole = roleAssignments.some(r => !!r.roleDefinitionId?.endsWith(acrPullRoleId));
+    }
+
+    public shouldExecute(context: ManagedIdentityRegistryCredentialsContext): boolean {
+        return !!context.registry;
+    }
+
+    public createSuccessOutput(context: ManagedIdentityRegistryCredentialsContext): ExecuteActivityOutput {
+        if (context.hasAcrPullRole) {
+            return {
+                item: new GenericTreeItem(undefined, {
+                    contextValue: createUniversallyUniqueContextValue(['containerRegistryAcrPullVerifyStepSuccessItem', activitySuccessContext]),
+                    label: localize('verifyAcrPull', 'Verify "{0}" access for container environment identity', 'acrPull'),
+                    iconPath: activitySuccessIcon
+                }),
+                message: localize('verifyAcrPullSuccess', 'Successfully verified "{0}" access for container environment identity.', 'acrPull'),
+            };
+        } else {
+            // 'AcrPullEnableStep' will cover showing this output
+            return {};
+        }
+    }
+
+    public createFailOutput(): ExecuteActivityOutput {
+        return {
+            item: new GenericParentTreeItem(undefined, {
+                contextValue: createUniversallyUniqueContextValue(['containerRegistryAcrPullVerifyStepFailItem', activityFailContext]),
+                label: localize('verifyAcrPull', 'Verify "{0}" access for container environment identity"', 'acrPull'),
+                iconPath: activityFailIcon
+            }),
+            message: localize('verifyAcrPullFail', 'Failed to verify "{0}" access for container environment identity.', 'acrPull'),
+        };
+    }
+}

src/commands/registryCredentials/identity/ManagedIdentityRegistryCredentialsContext.ts

@@ -9,5 +9,6 @@ import { type CreateAcrContext } from "../../image/imageSource/containerRegistry
 import { type ManagedEnvironmentRequiredContext } from "../../ManagedEnvironmentContext";
 
 export interface ManagedIdentityRegistryCredentialsContext extends CreateAcrContext, ManagedEnvironmentRequiredContext, IContainerAppContext {
+    hasAcrPullRole?: boolean;
     newRegistryCredential?: RegistryCredentials;
 }