Implement Azure Container Registry for Container images

.github/workflows/scorecard.yml

@@ -12,7 +12,7 @@ on:
   schedule:
     - cron: '16 22 * * 2'
   push:
-    branches: [ "main" ]
+    branches: ["main"]
 
 # Declare default permissions as read only.
 permissions: read-all

alz/azuredevops/locals.files.terraform.tf

@@ -39,7 +39,7 @@ locals {
 
   module_files = { for key, value in module.files.files : key =>
     {
-      content = replace((file(value.path)), "# backend \"azurerm\" {}", "backend \"azurerm\" {\n    use_oidc         = true\n    use_azuread_auth = true\n  }")
+      content = replace((file(value.path)), "# backend \"azurerm\" {}", "backend \"azurerm\" {}")
     }
   }
   repository_files          = merge(local.cicd_files, local.module_files, var.use_separate_repository_for_pipeline_templates ? {} : local.cicd_template_files)

alz/azuredevops/locals.tf

@@ -87,3 +87,7 @@ locals {
 locals {
   starter_module_folder_path = var.module_folder_path_relative ? ("${path.module}/${var.module_folder_path}") : var.module_folder_path
 }
+
+locals {
+  agent_container_instance_dockerfile_url = "${var.agent_container_image_repository}#${var.agent_container_image_tag}:${var.agent_container_image_folder}"
+}

alz/azuredevops/main.tf

@@ -27,7 +27,7 @@ module "azure" {
   user_assigned_managed_identities                          = local.managed_identities
   federated_credentials                                     = local.federated_credentials
   agent_container_instances                                 = local.agent_container_instances
-  agent_container_instance_image                            = var.agent_container_image
+  agent_container_instance_managed_identity_name            = local.resource_names.container_instance_managed_identity
   agent_organization_url                                    = module.azure_devops.organization_url
   agent_token                                               = var.azure_devops_agents_personal_access_token
   agent_organization_environment_variable                   = var.agent_organization_environment_variable
@@ -39,16 +39,23 @@ module "azure" {
   root_parent_management_group_id                           = local.root_parent_management_group_id
   virtual_network_name                                      = local.resource_names.virtual_network
   virtual_network_subnet_name_container_instances           = local.resource_names.subnet_container_instances
-  virtual_network_subnet_name_storage                       = local.resource_names.subnet_storage
-  private_endpoint_name                                     = local.resource_names.private_endpoint
+  virtual_network_subnet_name_private_endpoints             = local.resource_names.subnet_private_endpoints
+  storage_account_private_endpoint_name                     = local.resource_names.storage_account_private_endpoint
   use_private_networking                                    = var.use_private_networking
   allow_storage_access_from_my_ip                           = var.allow_storage_access_from_my_ip
   virtual_network_address_space                             = var.virtual_network_address_space
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
-  virtual_network_subnet_address_prefix_storage             = var.virtual_network_subnet_address_prefix_storage
+  virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
+  use_self_hosted_agents                                    = var.use_self_hosted_agents
+  container_registry_name                                   = local.resource_names.container_registry
+  container_registry_private_endpoint_name                  = local.resource_names.container_registry_private_endpoint
+  container_registry_image_name                             = local.resource_names.container_image_name
+  container_registry_image_tag                              = var.agent_container_image_tag
+  container_registry_dockerfile_name                        = var.agent_container_image_dockerfile
+  container_registry_dockerfile_repository_folder_url       = local.agent_container_instance_dockerfile_url
 }
 
 module "azure_devops" {

alz/azuredevops/pipelines/terraform/templates/cd.yaml

@@ -23,7 +23,6 @@ stages:
               steps:
                 - checkout: self
                   displayName: Checkout Terraform Module
-                - template: helpers/terraform-block-msi-endpoint.yaml
                 - template: helpers/terraform-installer.yaml
                   parameters:
                     terraformVersion: 'latest'
@@ -82,7 +81,6 @@ stages:
                     buildType: 'current'
                     artifactName: 'module'
                     targetPath: '$(Build.SourcesDirectory)'
-                - template: helpers/terraform-block-msi-endpoint.yaml
                 - template: helpers/terraform-installer.yaml
                   parameters:
                     terraformVersion: 'latest'

alz/azuredevops/pipelines/terraform/templates/ci.yaml

@@ -34,7 +34,6 @@ stages:
               steps:
                 - checkout: self
                   displayName: Checkout Terraform Module
-                - template: helpers/terraform-block-msi-endpoint.yaml
                 - template: helpers/terraform-installer.yaml
                   parameters:
                     terraformVersion: 'latest'

alz/azuredevops/pipelines/terraform/templates/helpers/terraform-apply.yaml

@@ -22,12 +22,10 @@ steps:
 
         $env:ARM_TENANT_ID = $account.tenantId
         $env:ARM_SUBSCRIPTION_ID = $account.id
-
-        # Note: We are using CLI auth for the provider as it caches the access token for us, which helps with edge cases like terraform test.
-        # The backend is hard coded to use OIDC auth as it does not support CLI auth yet.
-        $env:ARM_USE_CLI = 'true'
         $env:ARM_OIDC_TOKEN = $oidcToken
+        $env:ARM_USE_OIDC = "true"
         $env:ARM_CLIENT_ID = $clientId
+        $env:ARM_USE_AZUREAD = "true"
 
         # Run Terraform Apply
         $command = "terraform"

alz/azuredevops/pipelines/terraform/templates/helpers/terraform-init.yaml

@@ -23,20 +23,20 @@ steps:
         $subscriptionId = $account.id
         $tenantId = $account.tenantId
 
+        $env:ARM_TENANT_ID = $tenantId
+        $env:ARM_SUBSCRIPTION_ID = $subscriptionId
+        $env:ARM_OIDC_TOKEN = $oidcToken
+        $env:ARM_USE_OIDC = "true"
+        $env:ARM_CLIENT_ID = $clientId
+        $env:ARM_USE_AZUREAD = "true"
+
         $arguments = @()
         $arguments += "init"
         $arguments += "-backend-config=storage_account_name=$($env:BACKEND_AZURE_STORAGE_ACCOUNT_NAME)"
         $arguments += "-backend-config=container_name=$($env:BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME)"
         $arguments += "-backend-config=key=$($env:BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_KEY_NAME)"
         $arguments += "-backend-config=resource_group_name=$($env:BACKEND_AZURE_RESOURCE_GROUP_NAME)"
 
-        $env:ARM_SUBSCRIPTION_ID = $subscriptionId
-        $env:ARM_TENANT_ID = $tenantId
-
-        # Note: The backend is hardcoded to use oidc auth as we want to use a different auth type for the provider during plan and apply.
-        $env:ARM_OIDC_TOKEN = $oidcToken
-        $env:ARM_CLIENT_ID = $clientId
-
         # Run terraform init
         $command = "terraform"
         Write-Host "Running: $command $arguments"

alz/azuredevops/pipelines/terraform/templates/helpers/terraform-plan.yaml

@@ -22,12 +22,10 @@ steps:
 
         $env:ARM_TENANT_ID = $account.tenantId
         $env:ARM_SUBSCRIPTION_ID = $account.id
-
-        # Note: We are using CLI auth for the provider as it caches the access token for us, which helps with edge cases like terraform test.
-        # The backend is hard coded to use OIDC auth as it does not support CLI auth yet.
-        $env:ARM_USE_CLI = 'true'
         $env:ARM_OIDC_TOKEN = $oidcToken
+        $env:ARM_USE_OIDC = "true"
         $env:ARM_CLIENT_ID = $clientId
+        $env:ARM_USE_AZUREAD = "true"
 
         # Run Terraform Plan
         $command = "terraform"

alz/azuredevops/terraform.tfvars

@@ -1,5 +1,8 @@
 # Azure Variables
-agent_container_image = "microsoftavm/azure-devops-agent:1.1.0"
+agent_container_image_repository = "https://github.com/Azure/terraform-azurerm-avm-ptn-cicd-agents-and-runners"
+agent_container_image_tag        = "8ff4b85" # NOTE: Container registry task does not support tag ref, so we are using the commit hash of the release instead
+agent_container_image_folder     = "container-images/azure-devops-agent"
+agent_container_image_dockerfile = "dockerfile"
 
 # Names
 resource_names = {
@@ -15,12 +18,9 @@ resource_names = {
   storage_container                                          = "{{environment_name}}-tfstate"
   container_instance_01                                      = "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   container_instance_02                                      = "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number_plus_1}}"
-  container_instance_03                                      = "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number_plus_2}}"
-  container_instance_04                                      = "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number_plus_3}}"
+  container_instance_managed_identity                        = "id-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci"
   agent_01                                                   = "agent-{{service_name}}-{{environment_name}}-{{postfix_number}}"
   agent_02                                                   = "agent-{{service_name}}-{{environment_name}}-{{postfix_number_plus_1}}"
-  agent_03                                                   = "agent-{{service_name}}-{{environment_name}}-{{postfix_number_plus_2}}"
-  agent_04                                                   = "agent-{{service_name}}-{{environment_name}}-{{postfix_number_plus_3}}"
   version_control_system_repository                          = "{{service_name}}-{{environment_name}}"
   version_control_system_repository_templates                = "{{service_name}}-{{environment_name}}-templates"
   version_control_system_service_connection_plan             = "sc-{{service_name}}-{{environment_name}}-plan"
@@ -36,6 +36,9 @@ resource_names = {
   public_ip                                                  = "pip-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   nat_gateway                                                = "nat-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   subnet_container_instances                                 = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci"
-  subnet_storage                                             = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-sto"
-  private_endpoint                                           = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
+  subnet_private_endpoints                                   = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-pe"
+  storage_account_private_endpoint                           = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-sto-{{postfix_number}}"
+  container_registry                                         = "acr{{service_name}}{{environment_name}}{{azure_location_short}}{{postfix_number}}{{random_string}}"
+  container_registry_private_endpoint                        = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-acr-{{postfix_number}}"
+  container_image_name                                       = "azure-devops-agent"
 }

alz/azuredevops/variables.hidden.tf

@@ -4,8 +4,23 @@ variable "additional_files" {
   default     = []
 }
 
-variable "agent_container_image" {
-  description = "The container image to use for Azure DevOps Agents"
+variable "agent_container_image_repository" {
+  description = "The container image repository to use for Azure DevOps Agents"
+  type        = string
+}
+
+variable "agent_container_image_tag" {
+  description = "The container image tag to use for Azure DevOps Agents"
+  type        = string
+}
+
+variable "agent_container_image_folder" {
+  description = "The folder containing the Dockerfile for the container image"
+  type        = string
+}
+
+variable "agent_container_image_dockerfile" {
+  description = "The Dockerfile to use for the container image"
   type        = string
 }
 
@@ -86,7 +101,7 @@ variable "virtual_network_subnet_address_prefix_container_instances" {
   default     = "10.0.0.0/26"
 }
 
-variable "virtual_network_subnet_address_prefix_storage" {
+variable "virtual_network_subnet_address_prefix_private_endpoints" {
   type        = string
   description = "Address prefix for the virtual network subnet"
   default     = "10.0.0.64/26"

alz/github/locals.tf

@@ -77,3 +77,7 @@ locals {
 locals {
   starter_module_folder_path = var.module_folder_path_relative ? ("${path.module}/${var.module_folder_path}") : var.module_folder_path
 }
+
+locals {
+  runner_container_instance_dockerfile_url = "${var.runner_container_image_repository}#${var.runner_container_image_tag}:${var.runner_container_image_folder}"
+}

alz/github/main.tf

@@ -29,7 +29,7 @@ module "azure" {
   target_subscriptions                                      = local.target_subscriptions
   root_parent_management_group_id                           = local.root_parent_management_group_id
   agent_container_instances                                 = local.runner_container_instances
-  agent_container_instance_image                            = var.runner_container_image
+  agent_container_instance_managed_identity_name            = local.resource_names.container_instance_managed_identity
   agent_organization_url                                    = local.runner_organization_repository_url
   agent_token                                               = var.github_runners_personal_access_token
   agent_organization_environment_variable                   = var.runner_organization_environment_variable
@@ -40,16 +40,23 @@ module "azure" {
   agent_token_environment_variable                          = var.runner_token_environment_variable
   virtual_network_name                                      = local.resource_names.virtual_network
   virtual_network_subnet_name_container_instances           = local.resource_names.subnet_container_instances
-  virtual_network_subnet_name_storage                       = local.resource_names.subnet_storage
-  private_endpoint_name                                     = local.resource_names.private_endpoint
+  virtual_network_subnet_name_private_endpoints             = local.resource_names.subnet_private_endpoints
+  storage_account_private_endpoint_name                     = local.resource_names.storage_account_private_endpoint
   use_private_networking                                    = var.use_private_networking
   allow_storage_access_from_my_ip                           = var.allow_storage_access_from_my_ip
   virtual_network_address_space                             = var.virtual_network_address_space
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
-  virtual_network_subnet_address_prefix_storage             = var.virtual_network_subnet_address_prefix_storage
+  virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
+  use_self_hosted_agents                                    = var.use_self_hosted_runners
+  container_registry_name                                   = local.resource_names.container_registry
+  container_registry_private_endpoint_name                  = local.resource_names.container_registry_private_endpoint
+  container_registry_image_name                             = local.resource_names.container_image_name
+  container_registry_image_tag                              = var.runner_container_image_tag
+  container_registry_dockerfile_name                        = var.runner_container_image_dockerfile
+  container_registry_dockerfile_repository_folder_url       = local.runner_container_instance_dockerfile_url
 }
 
 module "github" {

alz/github/terraform.tfvars

@@ -1,5 +1,8 @@
 # Azure Variables
-runner_container_image = "microsoftavm/github-runner:1.0.1"
+runner_container_image_repository = "https://github.com/Azure/terraform-azurerm-avm-ptn-cicd-agents-and-runners"
+runner_container_image_tag        = "8ff4b85" # NOTE: Container registry task does not support tag ref, so we are using the commit hash of the release instead
+runner_container_image_folder     = "container-images/github-runner"
+runner_container_image_dockerfile = "dockerfile"
 
 # Naming
 resource_names = {
@@ -14,6 +17,7 @@ resource_names = {
   storage_container                                           = "{{environment_name}}-tfstate"
   container_instance_01                                       = "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   container_instance_02                                       = "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number_plus_1}}"
+  container_instance_managed_identity                         = "id-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci"
   runner_01                                                   = "runner-{{service_name}}-{{environment_name}}-{{postfix_number}}"
   runner_02                                                   = "runner-{{service_name}}-{{environment_name}}-{{postfix_number_plus_1}}"
   version_control_system_repository                           = "{{service_name}}-{{environment_name}}"
@@ -26,6 +30,9 @@ resource_names = {
   public_ip                                                   = "pip-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   nat_gateway                                                 = "nat-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   subnet_container_instances                                  = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci"
-  subnet_storage                                              = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-sto"
-  private_endpoint                                            = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
+  subnet_private_endpoints                                    = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-pe"
+  storage_account_private_endpoint                            = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-sto-{{postfix_number}}"
+  container_registry                                          = "acr{{service_name}}{{environment_name}}{{azure_location_short}}{{postfix_number}}{{random_string}}"
+  container_registry_private_endpoint                         = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-acr-{{postfix_number}}"
+  container_image_name                                        = "github-runner"
 }