feat: Implement dedicated Azure Container Registry#315
Open
Akhileswara-Microsoft wants to merge 1 commit into
Open
feat: Implement dedicated Azure Container Registry#315Akhileswara-Microsoft wants to merge 1 commit into
Akhileswara-Microsoft wants to merge 1 commit into
Conversation
…d authentication and update deployment scripts
Contributor
There was a problem hiding this comment.
Pull request overview
This PR shifts the solution from using a shared/public container registry with anonymous pulls to provisioning a dedicated Azure Container Registry (ACR) per deployment and configuring Container Apps to pull images via managed identity. It also adds post-deployment scripts intended to build/push images into the dedicated ACR and update the Container Apps accordingly.
Changes:
- Added an
infra/modules/containerRegistry.bicepmodule and updatedinfra/main.bicepto provision a per-deployment ACR, grant roles, and configure Container Apps registry settings for identity-based pulls. - Added post-deployment scripts (
scripts/deploy_container_images.sh/.ps1) to remote-build images withaz acr buildand update Container Apps to use the newly pushed images. - Updated Docker build contexts (
.dockerignore) and documentation/diagram (README.md) to reflect the new flow.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/frontend/.dockerignore | Stops excluding Dockerfiles from remote build context used by az acr build. |
| src/backend-api/.dockerignore | Stops excluding Dockerfiles from remote build context used by az acr build. |
| scripts/deploy_container_images.sh | Adds Bash automation to remote-build/push images to the dedicated ACR and update Container Apps. |
| scripts/deploy_container_images.ps1 | Adds PowerShell automation to remote-build/push images to the dedicated ACR and update Container Apps. |
| README.md | Updates architecture diagram annotations to reflect identity-based AcrPull image pulls. |
| infra/modules/containerRegistry.bicep | New module to provision a dedicated ACR, disable admin/anonymous access, and assign roles. |
| infra/main.bicep | Integrates dedicated ACR provisioning, configures Container Apps registries/identity, and introduces placeholder images + new outputs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+51
to
+53
| @description('''Optional. Placeholder container image used to initially provision the container apps. | ||
| The dedicated Azure Container Registry is empty right after infrastructure provisioning, so a public image is used as the default allowed image until the post-deployment script (scripts/deploy_container_images.*) builds and pushes the deployment-specific images and updates the apps. Defaults to the Azure Container Apps quickstart image.''') | ||
| param placeholderContainerImage string = 'mcr.microsoft.com/k8se/quickstart:latest' |
| // Contributor role definition ID (allows remote build / scheduleRun + push). | ||
| var contributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' | ||
|
|
||
| resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = { |
Comment on lines
+55
to
+56
| // Contributor role definition ID (allows remote build / scheduleRun + push). | ||
| var contributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
This pull request introduces a major change to the container image build and deployment process: each deployment now provisions its own dedicated Azure Container Registry (ACR) and uses identity-based authentication for container image pulls, eliminating the previous reliance on a shared/public registry and anonymous pull. It also adds post-deployment scripts for building and pushing images to the dedicated ACR, and updates infrastructure and documentation accordingly.
Dedicated ACR Provisioning & Identity-based Image Pulls
containerRegistry.bicepmodule to provision a dedicated ACR per deployment with identity-based authentication (AcrPull role for managed identities, Contributor for deployer), and disabled admin/anonymous access.infra/main.bicepto deploy the dedicated ACR, grant appropriate roles, and output relevant registry information. Container Apps now reference the dedicated registry and use a placeholder image until post-deployment scripts update them. ThecontainerRegistryEndpointparameter is deprecated.- Updated the architecture diagram inREADME.mdto reflect identity-based image pulls from the dedicated ACR.Deployment Scripts for Container Images
Added
scripts/deploy_container_images.sh(Bash) andscripts/deploy_container_images.ps1(PowerShell) scripts to build deployment-specific images using ACR remote builds and update Container Apps to use those images. These scripts run after provisioning and before any other post-deployment steps.Build Context Improvements
Updated
.dockerignorefiles insrc/backend-apiandsrc/frontendto ensure Dockerfiles are included in the build context for remote ACR builds.Other Adjustments
Reduced the default OpenAI usage quota in
infra/main.bicepfor the GPT-5.1 model.These changes collectively improve security, isolation, and automation for container image management in the deployment process.
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
Other Information
This pull request introduces a major change to the container image build and deployment workflow, moving from a shared/public Azure Container Registry (ACR) with anonymous pulls to a dedicated, per-deployment ACR with identity-based authentication. Images are now built and pushed using remote builds (
az acr build), and container apps are updated to use these images post-deployment. This improves security, isolation, and aligns with best practices for cloud-native deployments.The most important changes are:
Infrastructure and Registry Provisioning:
containerRegistry.bicep), disables admin/anonymous pull, and grants AcrPull to the app's managed identity and Contributor to the deployer for remote builds.Container Apps Configuration:
backend,frontend,processor) are updated to use the dedicated ACR with identity-based pulls, and initially reference a public placeholder image until the actual images are available.Deployment Workflow Scripts:
deploy_container_images.shfor Bash anddeploy_container_images.ps1for PowerShell) build images remotely usingaz acr build, push them to the dedicated ACR, and update the container apps to use the new images.Documentation and Diagram Updates:
README.mdis updated to reflect identity-based image pulls from ACR (no anonymous pull).Build Context Fixes:
Dockerfile*is included in the build context, which is required for remote builds.