feat: Decouple container registry zone redundancy from private networking and make flexible (#133)

* Initial plan

* Add container_registry_zone_redundancy_enabled variable to decouple ACR zone redundancy from private networking

Fixes the issue where zone_redundancy_enabled for the container registry was
tied to use_private_networking, causing failures in regions that don't support
zone redundancy (e.g., Jio India West). Re-uses the existing
agent_container_zone_support / runner_container_zone_support variables to
control both container instance zones and container registry zone redundancy.

Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>

* Expose container_registry_zone_redundancy_enabled as separate top-level variable in ADO and GitHub ALZ modules

By default, the container registry zone redundancy follows the agent/runner
container zone support setting. Users can now independently override it by
setting container_registry_zone_redundancy_enabled, enabling scenarios like
AZ support for runners but not the registry.

Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>

* Fix zone_redundancy_enabled to use ternary for independent control with private networking

When private networking is enabled (Premium SKU), zone_redundancy_enabled is
now independently controlled by container_registry_zone_redundancy_enabled.
When private networking is disabled (Basic SKU), zone_redundancy_enabled is
false as required by the Terraform provider. The ternary pattern is consistent
with the other attributes in the resource block.

Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>

* Fix zone redundancy condition for container registry

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>

Author: Copilot

alz/azuredevops/main.tf

@@ -49,6 +49,7 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
+  container_registry_zone_redundancy_enabled                = coalesce(var.container_registry_zone_redundancy_enabled, var.agent_container_zone_support)
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
   use_self_hosted_agents                                    = var.use_self_hosted_agents

alz/azuredevops/variables.tf

@@ -394,11 +394,24 @@ variable "agent_container_zone_support" {
     **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances.
 
     When enabled, containers are distributed across availability zones for higher availability and resilience.
+    Some regions do not support availability zones, in which case this should be set to false.
   EOT
   type        = bool
   default     = true
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `null`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Defaults to the value of `agent_container_zone_support` if not set.
+  EOT
+  type        = bool
+  default     = null
+}
+
 variable "built_in_configuration_file_names" {
   description = <<-EOT
     **(Optional, default: `["config.yaml", "config-hub-and-spoke-vnet.yaml", "config-virtual-wan.yaml"]`)**

alz/github/main.tf

@@ -50,6 +50,7 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
+  container_registry_zone_redundancy_enabled                = coalesce(var.container_registry_zone_redundancy_enabled, var.runner_container_zone_support)
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
   use_self_hosted_agents                                    = var.use_self_hosted_runners

alz/github/variables.tf

@@ -499,11 +499,24 @@ variable "runner_container_zone_support" {
     **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances.
 
     When enabled, containers are distributed across availability zones for higher availability and resilience.
+    Some regions do not support availability zones, in which case this should be set to false.
   EOT
   type        = bool
   default     = true
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `null`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Defaults to the value of `runner_container_zone_support` if not set.
+  EOT
+  type        = bool
+  default     = null
+}
+
 variable "runner_name_environment_variable" {
   description = <<-EOT
     **(Optional, default: `"GH_RUNNER_NAME"`)** The runner name environment variable supplied to the container.

modules/azure/container_registry.tf

@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {
   location                      = var.azure_location
   sku                           = var.use_private_networking ? "Premium" : "Basic"
   public_network_access_enabled = !var.use_private_networking
-  zone_redundancy_enabled       = var.use_private_networking
+  zone_redundancy_enabled       = var.use_private_networking && var.container_registry_zone_redundancy_enabled
   network_rule_bypass_option    = var.use_private_networking ? "AzureServices" : "None"
 }
 

modules/azure/variables.tf

@@ -528,6 +528,18 @@ variable "container_registry_image_name" {
   default     = ""
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `true`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Zone redundancy requires Premium SKU, which is only used when private networking is enabled.
+  EOT
+  type        = bool
+  default     = true
+}
+
 variable "container_registry_image_tag" {
   description = <<-EOT
     **(Optional, default: `"{{.Run.ID}}"`)** Tag pattern for the container image.