Also, just randomly for a #TWIL comment - since my...
# azure
Also, just randomly for a #TWIL comment - since my new infra needs to coexist (for a while at least) with the way previous infra has been set up, I realized I needed trust between AKS and ACR so that AKS can pull images without requiring containerPullSecret and suchlike. So a bit of research brought me to https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration. That just won't do. So I tried figuring out what it actually does, what the equivalent operation would be... So after some hunting I found an issue with this not working for a period of time, and found the workaround that was proposed was just as good if not better. So - to avoid having to run AZ CLI to "attach" an ACR instance to an AKS cluster - this is all ya need to do:
```typescript
// `azure` and `random` are the already-imported Pulumi provider modules;
// `myACR` and `myAKS` are the registry and cluster resources defined elsewhere.
const aksToACRRoleAssignment = new azure.authorization.RoleAssignment("aks-to-acr", {
    roleAssignmentName: new random.RandomUuid("aks-to-acr-RA").result,
    scope: myACR.id, // scope the assignment to the registry only
    roleDefinitionId: "/subscriptions/<insert_sub_here>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",  // acrpull Role Definition
    principalId: myAKS.identityProfile.apply(identityProfile => identityProfile?.kubeletidentity.objectId).apply(objectId => objectId ?? "<preview>") // gets the kubelet managed identity :)
})
```
For the roleDefinitionId - I just did

```
az role definition list --output json --query "[].{roleName:roleName, description:description, id:id}" > roleDefenitions.json
```

once and found the role id from there 🙂
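
A check one might run once the role assignment above is applied, as an added example that is not part of the original post: it audits role assignments, in the shape `az role assignment list --all --output json` returns, to confirm the kubelet identity holds AcrPull on the registry itself and nothing broader. The function name, finding labels and sample IDs are constructed for illustration.

```typescript
// AcrPull built-in role GUID, taken from the snippet above.
const ACR_PULL_GUID = "7f951dda-4ed3-4680-a7ca-43fe172d538d";

// Subset of the fields returned by `az role assignment list --all --output json`.
interface RoleAssignment { principalId: string; roleDefinitionId: string; scope: string; }

type Finding = "ok" | "missing-acrpull" | "scope-too-broad" | "non-pull-role-reaches-registry";

// Azure resource IDs and GUIDs are case-insensitive; drop trailing slashes too.
const norm = (s: string): string => s.toLowerCase().replace(/\/+$/, "");
const roleGuid = (id: string): string => norm(id).split("/").pop() ?? "";

function auditKubeletAcrAccess(
  assignments: RoleAssignment[], kubeletObjectId: string, acrId: string,
): Finding[] {
  const acr = norm(acrId);
  const findings: Finding[] = [];
  const add = (f: Finding): void => { if (findings.indexOf(f) < 0) findings.push(f); };
  let pullOnRegistry = false;
  for (const a of assignments) {
    if (norm(a.principalId) !== norm(kubeletObjectId)) continue; // other principals
    const scope = norm(a.scope);
    const onRegistry = scope === acr;
    const onParent = acr.indexOf(scope + "/") === 0; // resource group, subscription, root
    if (!onRegistry && !onParent) continue;          // does not reach the registry
    if (roleGuid(a.roleDefinitionId) !== ACR_PULL_GUID) add("non-pull-role-reaches-registry");
    else if (onRegistry) pullOnRegistry = true;
    else add("scope-too-broad");                     // AcrPull inherited from a parent scope
  }
  if (!pullOnRegistry && findings.indexOf("scope-too-broad") < 0) add("missing-acrpull");
  const ok: Finding[] = ["ok"];
  return findings.length > 0 ? findings : ok;
}

// Constructed sample data (placeholder IDs, not real ones).
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const ACR_ID = `${SUB}/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/demoacr`;
const KUBELET = "11111111-1111-1111-1111-111111111111";
const PULL = `${SUB}/providers/Microsoft.Authorization/roleDefinitions/${ACR_PULL_GUID}`;
// Stands in for any role other than AcrPull.
const OTHER = `${SUB}/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222`;

// The assignment the Pulumi snippet creates: AcrPull, scoped to the registry.
const sampleResult = auditKubeletAcrAccess(
  [{ principalId: KUBELET, roleDefinitionId: PULL, scope: ACR_ID }], KUBELET, ACR_ID);
```

A `scope-too-broad` finding means the kubelet identity can pull from every registry under that parent scope, which is the difference between scoping to `myACR.id` and scoping to the resource group or subscription.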