Skip to content

feat: Implement dedicated Azure Container Registry#315

Open
Akhileswara-Microsoft wants to merge 1 commit into
devfrom
GAN/feature
Open

feat: Implement dedicated Azure Container Registry#315
Akhileswara-Microsoft wants to merge 1 commit into
devfrom
GAN/feature

Conversation

@Akhileswara-Microsoft

Copy link
Copy Markdown

Purpose

This pull request introduces a major change to the container image build and deployment process: each deployment now provisions its own dedicated Azure Container Registry (ACR) and uses identity-based authentication for container image pulls, eliminating the previous reliance on a shared/public registry and anonymous pull. It also adds post-deployment scripts for building and pushing images to the dedicated ACR, and updates infrastructure and documentation accordingly.

Dedicated ACR Provisioning & Identity-based Image Pulls

  • Added a new containerRegistry.bicep module to provision a dedicated ACR per deployment with identity-based authentication (AcrPull role for managed identities, Contributor for deployer), and disabled admin/anonymous access.
  • Updated infra/main.bicep to deploy the dedicated ACR, grant appropriate roles, and output relevant registry information. Container Apps now reference the dedicated registry and use a placeholder image until post-deployment scripts update them. The containerRegistryEndpoint parameter is deprecated.- Updated the architecture diagram in README.md to reflect identity-based image pulls from the dedicated ACR.

Deployment Scripts for Container Images

  • Added scripts/deploy_container_images.sh (Bash) and scripts/deploy_container_images.ps1 (PowerShell) scripts to build deployment-specific images using ACR remote builds and update Container Apps to use those images. These scripts run after provisioning and before any other post-deployment steps.
    Build Context Improvements

  • Updated .dockerignore files in src/backend-api and src/frontend to ensure Dockerfiles are included in the build context for remote ACR builds.
    Other Adjustments

  • Reduced the default OpenAI usage quota in infra/main.bicep for the GPT-5.1 model.

These changes collectively improve security, isolation, and automation for container image management in the deployment process.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

Other Information

This pull request introduces a major change to the container image build and deployment workflow, moving from a shared/public Azure Container Registry (ACR) with anonymous pulls to a dedicated, per-deployment ACR with identity-based authentication. Images are now built and pushed using remote builds (az acr build), and container apps are updated to use these images post-deployment. This improves security, isolation, and aligns with best practices for cloud-native deployments.

The most important changes are:

Infrastructure and Registry Provisioning:

  • Each deployment now provisions its own dedicated Azure Container Registry (containerRegistry.bicep), disables admin/anonymous pull, and grants AcrPull to the app's managed identity and Contributor to the deployer for remote builds.
    Container Apps Configuration:
  • Container apps (backend, frontend, processor) are updated to use the dedicated ACR with identity-based pulls, and initially reference a public placeholder image until the actual images are available.
    Deployment Workflow Scripts:
  • New post-deployment scripts (deploy_container_images.sh for Bash and deploy_container_images.ps1 for PowerShell) build images remotely using az acr build, push them to the dedicated ACR, and update the container apps to use the new images.
    Documentation and Diagram Updates:
  • The architecture diagram in README.md is updated to reflect identity-based image pulls from ACR (no anonymous pull).

Build Context Fixes:

  • Dockerignore files are updated to ensure Dockerfile* is included in the build context, which is required for remote builds.

…d authentication and update deployment scripts
Copilot AI review requested due to automatic review settings July 3, 2026 17:08
@Akhileswara-Microsoft Akhileswara-Microsoft changed the title feat: Implement dedicated Azure Container Registry with identity-base… feat: Implement dedicated Azure Container Registry Jul 3, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR shifts the solution from using a shared/public container registry with anonymous pulls to provisioning a dedicated Azure Container Registry (ACR) per deployment and configuring Container Apps to pull images via managed identity. It also adds post-deployment scripts intended to build/push images into the dedicated ACR and update the Container Apps accordingly.

Changes:

  • Added an infra/modules/containerRegistry.bicep module and updated infra/main.bicep to provision a per-deployment ACR, grant roles, and configure Container Apps registry settings for identity-based pulls.
  • Added post-deployment scripts (scripts/deploy_container_images.sh / .ps1) to remote-build images with az acr build and update Container Apps to use the newly pushed images.
  • Updated Docker build contexts (.dockerignore) and documentation/diagram (README.md) to reflect the new flow.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/frontend/.dockerignore Stops excluding Dockerfiles from remote build context used by az acr build.
src/backend-api/.dockerignore Stops excluding Dockerfiles from remote build context used by az acr build.
scripts/deploy_container_images.sh Adds Bash automation to remote-build/push images to the dedicated ACR and update Container Apps.
scripts/deploy_container_images.ps1 Adds PowerShell automation to remote-build/push images to the dedicated ACR and update Container Apps.
README.md Updates architecture diagram annotations to reflect identity-based AcrPull image pulls.
infra/modules/containerRegistry.bicep New module to provision a dedicated ACR, disable admin/anonymous access, and assign roles.
infra/main.bicep Integrates dedicated ACR provisioning, configures Container Apps registries/identity, and introduces placeholder images + new outputs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread infra/main.bicep
Comment on lines +51 to +53
@description('''Optional. Placeholder container image used to initially provision the container apps.
The dedicated Azure Container Registry is empty right after infrastructure provisioning, so a public image is used as the default allowed image until the post-deployment script (scripts/deploy_container_images.*) builds and pushes the deployment-specific images and updates the apps. Defaults to the Azure Container Apps quickstart image.''')
param placeholderContainerImage string = 'mcr.microsoft.com/k8se/quickstart:latest'
// Contributor role definition ID (allows remote build / scheduleRun + push).
var contributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
Comment on lines +55 to +56
// Contributor role definition ID (allows remote build / scheduleRun + push).
var contributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants