move uri to config

microsoft · Oct 1, 2024 · fe9b47f · fe9b47f
1 parent 2a9dfdb
commit fe9b47f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/...icrosoft.Health.Fhir.Azure/ContainerRegistry/AzureContainerRegistryAccessTokenProvider.cs b/...icrosoft.Health.Fhir.Azure/ContainerRegistry/AzureContainerRegistryAccessTokenProvider.cs
@@ -33,8 +33,6 @@ public class AzureContainerRegistryAccessTokenProvider : IContainerRegistryToken
         private const string ExchangeAcrRefreshTokenUrl = "oauth2/exchange";
         private const string GetAcrAccessTokenUrl = "oauth2/token";
 
-        private static readonly Uri AcrTargetResourceUri = new Uri("https://containerregistry.azure.net/");
-
         private readonly IAccessTokenProvider _aadTokenProvider;
         private readonly IHttpClientFactory _httpClientFactory;
         private readonly ConvertDataConfiguration _convertDataConfiguration;
@@ -61,10 +59,11 @@ public async Task<string> GetTokenAsync(string registryServer, CancellationToken
         {
             EnsureArg.IsNotNullOrEmpty(registryServer, nameof(registryServer));
 
+            var aadResourceUri = _convertDataConfiguration.AcrTargetResourceUri;
             string aadToken;
             try
             {
-                aadToken = await _aadTokenProvider.GetAccessTokenForResourceAsync(AcrTargetResourceUri, cancellationToken);
+                aadToken = await _aadTokenProvider.GetAccessTokenForResourceAsync(aadResourceUri, cancellationToken);
             }
             catch (AccessTokenProviderException ex)
             {

diff --git a/src/Microsoft.Health.Fhir.Core/Configs/ConvertDataConfiguration.cs b/src/Microsoft.Health.Fhir.Core/Configs/ConvertDataConfiguration.cs
@@ -21,12 +21,20 @@ public class ConvertDataConfiguration
         /// </summary>
         public ICollection<string> ContainerRegistryServers { get; } = new List<string>();
 
+        /// <summary>
+        /// AcrTargetResourceUri to acquire AAD token for ACR access token since ACR is not an AAD resource.
+        /// To enable Trusted Services scenarios, we must use the ACR-specific URI rather than the more generic ARM URI.
+        /// https://dev.azure.com/msazure/AzureContainerRegistry/_wiki/wikis/ACR%20Specs/480000/TrustedServicesPatterns
+        /// The value is "https://containerregistry.azure.net/" for all cloud environments.
+        /// </summary>
+        public Uri AcrTargetResourceUri { get; } = new Uri("https://containerregistry.azure.net/");
+
         /// <summary>
         /// ArmResourceManagerId to acquire AAD token for ACR access token since ACR is not an AAD resource.
         /// The value is "https://management.azure.com/" for AzureCloud and DogFood.
         /// Could be changed to "https://management.usgovcloudapi.net/" for Azure Government and "https://management.chinacloudapi.cn/ " for Azure China.
         /// </summary>
-        [Obsolete("Non-configurable ACR target resource URI will be used instead.")]
+        [Obsolete("Use AcrTargetResourceUri instead.")]
         public string ArmResourceManagerId { get; set; } = "https://management.azure.com/";
 
         /// <summary>