Add container_registry_zone_redundancy_enabled variable to decouple ACR zone redundancy from private networking

Copilot · jtracey93 · Copilot · commit cfd9c2fd0834 · 2026-02-10T13:01:37.000Z
Fixes the issue where zone_redundancy_enabled for the container registry was
tied to use_private_networking, causing failures in regions that don't support
zone redundancy (e.g., Jio India West). Re-uses the existing
agent_container_zone_support / runner_container_zone_support variables to
control both container instance zones and container registry zone redundancy.

Co-authored-by: jtracey93 &lt;41163455+jtracey93@users.noreply.github.com&gt;
diff --git a/alz/azuredevops/main.tf b/alz/azuredevops/main.tf
@@ -49,6 +49,7 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
+  container_registry_zone_redundancy_enabled                = var.agent_container_zone_support
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
   use_self_hosted_agents                                    = var.use_self_hosted_agents
diff --git a/alz/azuredevops/variables.tf b/alz/azuredevops/variables.tf
@@ -391,9 +391,11 @@ variable "agent_container_memory_max" {
 
 variable "agent_container_zone_support" {
   description = <<-EOT
-    **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances.
+    **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances and container registry.
 
-    When enabled, containers are distributed across availability zones for higher availability and resilience.
+    When enabled, containers are distributed across availability zones for higher availability and resilience,
+    and the container registry is configured with zone redundancy.
+    Some regions do not support availability zones, in which case this should be set to false.
   EOT
   type        = bool
   default     = true
diff --git a/alz/github/main.tf b/alz/github/main.tf
@@ -50,6 +50,7 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
+  container_registry_zone_redundancy_enabled                = var.runner_container_zone_support
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
   use_self_hosted_agents                                    = var.use_self_hosted_runners
diff --git a/alz/github/variables.tf b/alz/github/variables.tf
@@ -496,9 +496,11 @@ variable "runner_container_memory_max" {
 
 variable "runner_container_zone_support" {
   description = <<-EOT
-    **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances.
+    **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances and container registry.
 
-    When enabled, containers are distributed across availability zones for higher availability and resilience.
+    When enabled, containers are distributed across availability zones for higher availability and resilience,
+    and the container registry is configured with zone redundancy.
+    Some regions do not support availability zones, in which case this should be set to false.
   EOT
   type        = bool
   default     = true
diff --git a/modules/azure/container_registry.tf b/modules/azure/container_registry.tf
@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {
   location                      = var.azure_location
   sku                           = var.use_private_networking ? "Premium" : "Basic"
   public_network_access_enabled = !var.use_private_networking
-  zone_redundancy_enabled       = var.use_private_networking
+  zone_redundancy_enabled       = var.use_private_networking && var.container_registry_zone_redundancy_enabled
   network_rule_bypass_option    = var.use_private_networking ? "AzureServices" : "None"
 }
 
diff --git a/modules/azure/variables.tf b/modules/azure/variables.tf
@@ -528,6 +528,18 @@ variable "container_registry_image_name" {
   default     = ""
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `true`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Zone redundancy requires Premium SKU, which is only used when private networking is enabled.
+  EOT
+  type        = bool
+  default     = true
+}
+
 variable "container_registry_image_tag" {
   description = <<-EOT
     **(Optional, default: `"{{.Run.ID}}"`)** Tag pattern for the container image.

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {`
`5`	`5`	`location = var.azure_location`
`6`	`6`	`sku = var.use_private_networking ? "Premium" : "Basic"`
`7`	`7`	`public_network_access_enabled = !var.use_private_networking`
`8`		`- zone_redundancy_enabled = var.use_private_networking`
	`8`	`+ zone_redundancy_enabled = var.use_private_networking && var.container_registry_zone_redundancy_enabled`
`9`	`9`	`network_rule_bypass_option = var.use_private_networking ? "AzureServices" : "None"`
`10`	`10`	`}`
`11`	`11`