From 133800b7dd5cff010db4594f45bf6e6608fa9910 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Feb 2026 12:57:42 +0000
Subject: [PATCH 1/5] Initial plan
From cfd9c2fd0834d34eb1a25ab74cfbab5aaa4173bc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Feb 2026 13:01:37 +0000
Subject: [PATCH 2/5] Add container_registry_zone_redundancy_enabled variable to decouple ACR zone redundancy from private networking
Fixes the issue where zone_redundancy_enabled for the container registry was tied to use_private_networking, causing failures in regions that don't support zone redundancy (e.g., Jio India West). Re-uses the existing agent_container_zone_support / runner_container_zone_support variables to control both container instance zones and container registry zone redundancy.
Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>
---
 alz/azuredevops/main.tf | 1 +
 alz/azuredevops/variables.tf | 6 ++++--
 alz/github/main.tf | 1 +
 alz/github/variables.tf | 6 ++++--
 modules/azure/container_registry.tf | 2 +-
 modules/azure/variables.tf | 12 ++++++++++++
 6 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/alz/azuredevops/main.tf b/alz/azuredevops/main.tf
index 4881972..05b9582 100644
--- a/alz/azuredevops/main.tf
+++ b/alz/azuredevops/main.tf
@@ -49,6 +49,7 @@ module "azure" {
 virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
 virtual_network_subnet_address_prefix_private_endpoints = var.virtual_network_subnet_address_prefix_private_endpoints
 storage_account_replication_type = var.storage_account_replication_type
+ container_registry_zone_redundancy_enabled = var.agent_container_zone_support
 public_ip_name = local.resource_names.public_ip
 nat_gateway_name = local.resource_names.nat_gateway
 use_self_hosted_agents = var.use_self_hosted_agents
diff --git a/alz/azuredevops/variables.tf b/alz/azuredevops/variables.tf
index c773121..9c208aa 100644
--- a/alz/azuredevops/variables.tf
+++ b/alz/azuredevops/variables.tf
@@ -391,9 +391,11 @@ variable "agent_container_memory_max" {
 variable "agent_container_zone_support" {
 description = <<-EOT
- **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances.
+ **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances and container registry.
- When enabled, containers are distributed across availability zones for higher availability and resilience.
+ When enabled, containers are distributed across availability zones for higher availability and resilience,
+ and the container registry is configured with zone redundancy.
+ Some regions do not support availability zones, in which case this should be set to false.
 EOT
 type = bool
 default = true
diff --git a/alz/github/main.tf b/alz/github/main.tf
index 2249a74..1128d28 100644
--- a/alz/github/main.tf
+++ b/alz/github/main.tf
@@ -50,6 +50,7 @@ module "azure" {
 virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
 virtual_network_subnet_address_prefix_private_endpoints = var.virtual_network_subnet_address_prefix_private_endpoints
 storage_account_replication_type = var.storage_account_replication_type
+ container_registry_zone_redundancy_enabled = var.runner_container_zone_support
 public_ip_name = local.resource_names.public_ip
 nat_gateway_name = local.resource_names.nat_gateway
 use_self_hosted_agents = var.use_self_hosted_runners
diff --git a/alz/github/variables.tf b/alz/github/variables.tf
index ef90d39..5b09491 100644
--- a/alz/github/variables.tf
+++ b/alz/github/variables.tf
@@ -496,9 +496,11 @@ variable "runner_container_memory_max" {
 variable "runner_container_zone_support" {
 description = <<-EOT
- **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances.
+ **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances and container registry.
- When enabled, containers are distributed across availability zones for higher availability and resilience.
+ When enabled, containers are distributed across availability zones for higher availability and resilience,
+ and the container registry is configured with zone redundancy.
+ Some regions do not support availability zones, in which case this should be set to false.
 EOT
 type = bool
 default = true
diff --git a/modules/azure/container_registry.tf b/modules/azure/container_registry.tf
index 5b1c40c..2b2ce94 100644
--- a/modules/azure/container_registry.tf
+++ b/modules/azure/container_registry.tf
@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {
 location = var.azure_location
 sku = var.use_private_networking ? "Premium" : "Basic"
 public_network_access_enabled = !var.use_private_networking
- zone_redundancy_enabled = var.use_private_networking
+ zone_redundancy_enabled = var.use_private_networking && var.container_registry_zone_redundancy_enabled
 network_rule_bypass_option = var.use_private_networking ? "AzureServices" : "None"
 }
diff --git a/modules/azure/variables.tf b/modules/azure/variables.tf
index c44c84d..dfbfc77 100644
--- a/modules/azure/variables.tf
+++ b/modules/azure/variables.tf
@@ -528,6 +528,18 @@ variable "container_registry_image_name" {
 default = ""
 }
+variable "container_registry_zone_redundancy_enabled" {
+ description = <<-EOT
+ **(Optional, default: `true`)** Enable zone redundancy for the Azure Container Registry.
+
+ When enabled, the container registry is replicated across availability zones for higher availability.
+ Some regions do not support zone redundancy, in which case this should be set to false.
+ Zone redundancy requires Premium SKU, which is only used when private networking is enabled.
+ EOT
+ type = bool
+ default = true
+}
+
 variable "container_registry_image_tag" {
 description = <<-EOT
 **(Optional, default: `"{{.Run.ID}}"`)** Tag pattern for the container image.
From 4b39231211cfa6f3dd2d70f488c785aef0aefa4e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Feb 2026 13:07:11 +0000
Subject: [PATCH 3/5] Expose container_registry_zone_redundancy_enabled as separate top-level variable in ADO and GitHub ALZ modules
By default, the container registry zone redundancy follows the agent/runner container zone support setting. Users can now independently override it by setting container_registry_zone_redundancy_enabled, enabling scenarios like AZ support for runners but not the registry.
Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>
---
 alz/azuredevops/main.tf | 2 +-
 alz/azuredevops/variables.tf | 17 ++++++++++++++---
 alz/github/main.tf | 2 +-
 alz/github/variables.tf | 17 ++++++++++++++---
 4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/alz/azuredevops/main.tf b/alz/azuredevops/main.tf
index 05b9582..30cde01 100644
--- a/alz/azuredevops/main.tf
+++ b/alz/azuredevops/main.tf
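Review bot: The new module variable `container_registry_zone_redundancy_enabled` is left nullable (Terraform's default), yet the value is consumed in `modules/azure/container_registry.tf` as `var.use_private_networking && var.container_registry_zone_redundancy_enabled`, so a caller that passes an explicit `null` hits an evaluation error on that expression rather than getting the documented default of `true`. Adding `nullable = false` directly under `default = true` makes an explicit null fall back to the default and keeps the `&&` expression well-typed for every caller, not just the ALZ wrappers that pre-apply `coalesce()`. The description would also benefit from stating the region constraint as an apply-time failure, e.g. `Leaving this true in a region without availability zones makes the registry creation fail; set it to false there.`, since that is the failure the series is fixing.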
@@ -49,7 +49,7 @@ module "azure" {
 virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
 virtual_network_subnet_address_prefix_private_endpoints = var.virtual_network_subnet_address_prefix_private_endpoints
 storage_account_replication_type = var.storage_account_replication_type
- container_registry_zone_redundancy_enabled = var.agent_container_zone_support
+ container_registry_zone_redundancy_enabled = coalesce(var.container_registry_zone_redundancy_enabled, var.agent_container_zone_support)
 public_ip_name = local.resource_names.public_ip
 nat_gateway_name = local.resource_names.nat_gateway
 use_self_hosted_agents = var.use_self_hosted_agents
diff --git a/alz/azuredevops/variables.tf b/alz/azuredevops/variables.tf
index 9c208aa..c20ab06 100644
--- a/alz/azuredevops/variables.tf
+++ b/alz/azuredevops/variables.tf
@@ -391,16 +391,27 @@ variable "agent_container_memory_max" {
 variable "agent_container_zone_support" {
 description = <<-EOT
- **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances and container registry.
+ **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances.
- When enabled, containers are distributed across availability zones for higher availability and resilience,
- and the container registry is configured with zone redundancy.
+ When enabled, containers are distributed across availability zones for higher availability and resilience.
 Some regions do not support availability zones, in which case this should be set to false.
 EOT
 type = bool
 default = true
 }
+variable "container_registry_zone_redundancy_enabled" {
+ description = <<-EOT
+ **(Optional, default: `null`)** Enable zone redundancy for the Azure Container Registry.
+
+ When enabled, the container registry is replicated across availability zones for higher availability.
+ Some regions do not support zone redundancy, in which case this should be set to false.
+ Defaults to the value of `agent_container_zone_support` if not set.
+ EOT
+ type = bool
+ default = null
+}
+
 variable "built_in_configuration_file_names" {
 description = <<-EOT
 **(Optional, default: `["config.yaml", "config-hub-and-spoke-vnet.yaml", "config-virtual-wan.yaml"]`)**
diff --git a/alz/github/main.tf b/alz/github/main.tf
index 1128d28..278125c 100644
--- a/alz/github/main.tf
+++ b/alz/github/main.tf
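Review bot: The description of the new top-level `container_registry_zone_redundancy_enabled` variable does not say that it has no effect unless `use_private_networking` is true; the module's `container_registry.tf` picks the Basic SKU in that case and ANDs this flag with `use_private_networking`, so a user who sets it to `true` on a public-networking deployment gets no zone redundancy and no warning. Suggest adding a line to the heredoc, `Only takes effect when use_private_networking is true (Premium SKU); with the Basic SKU the registry is never zone redundant.`, mirroring the caveat already present on the module-level variable. The fallback in `main.tf` is `coalesce(var.container_registry_zone_redundancy_enabled, var.agent_container_zone_support)`, which fails if both are explicitly null, so `agent_container_zone_support` is a candidate for `nullable = false` as well.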
@@ -50,7 +50,7 @@ module "azure" {
 virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
 virtual_network_subnet_address_prefix_private_endpoints = var.virtual_network_subnet_address_prefix_private_endpoints
 storage_account_replication_type = var.storage_account_replication_type
- container_registry_zone_redundancy_enabled = var.runner_container_zone_support
+ container_registry_zone_redundancy_enabled = coalesce(var.container_registry_zone_redundancy_enabled, var.runner_container_zone_support)
 public_ip_name = local.resource_names.public_ip
 nat_gateway_name = local.resource_names.nat_gateway
 use_self_hosted_agents = var.use_self_hosted_runners
diff --git a/alz/github/variables.tf b/alz/github/variables.tf
index 5b09491..cbb1d92 100644
--- a/alz/github/variables.tf
+++ b/alz/github/variables.tf
@@ -496,16 +496,27 @@ variable "runner_container_memory_max" {
 variable "runner_container_zone_support" {
 description = <<-EOT
- **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances and container registry.
+ **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances.
- When enabled, containers are distributed across availability zones for higher availability and resilience,
- and the container registry is configured with zone redundancy.
+ When enabled, containers are distributed across availability zones for higher availability and resilience.
 Some regions do not support availability zones, in which case this should be set to false.
 EOT
 type = bool
 default = true
 }
+variable "container_registry_zone_redundancy_enabled" {
+ description = <<-EOT
+ **(Optional, default: `null`)** Enable zone redundancy for the Azure Container Registry.
+
+ When enabled, the container registry is replicated across availability zones for higher availability.
+ Some regions do not support zone redundancy, in which case this should be set to false.
+ Defaults to the value of `runner_container_zone_support` if not set.
+ EOT
+ type = bool
+ default = null
+}
+
 variable "runner_name_environment_variable" {
 description = <<-EOT
 **(Optional, default: `"GH_RUNNER_NAME"`)** The runner name environment variable supplied to the container.
From 605c7dea8315c0f6d782ab33430f8b8ebb333214 Mon Sep 17 00:00:00 2001
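Review bot: As with the Azure DevOps variant, the GitHub-side `container_registry_zone_redundancy_enabled` description omits the dependency on `use_private_networking`: the module only honours this flag on the Premium SKU, which `container_registry.tf` selects solely from `use_private_networking`, so `true` here with public networking is silently ignored. A one-line addition to the heredoc, `Has no effect unless use_private_networking is true, because the Basic SKU does not support zone redundancy.`, would make that explicit. Both `runner_container_zone_support` and this variable are nullable, and the `coalesce()` that joins them in `main.tf` errors when both are null; `nullable = false` on `runner_container_zone_support` closes that gap since it already carries a default.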
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Feb 2026 13:33:54 +0000
Subject: [PATCH 4/5] Fix zone_redundancy_enabled to use ternary for independent control with private networking
When private networking is enabled (Premium SKU), zone_redundancy_enabled is now independently controlled by container_registry_zone_redundancy_enabled. When private networking is disabled (Basic SKU), zone_redundancy_enabled is false as required by the Terraform provider. The ternary pattern is consistent with the other attributes in the resource block.
Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>
---
 modules/azure/container_registry.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure/container_registry.tf b/modules/azure/container_registry.tf
index 2b2ce94..210d9eb 100644
--- a/modules/azure/container_registry.tf
+++ b/modules/azure/container_registry.tf
@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {
 location = var.azure_location
 sku = var.use_private_networking ? "Premium" : "Basic"
 public_network_access_enabled = !var.use_private_networking
- zone_redundancy_enabled = var.use_private_networking && var.container_registry_zone_redundancy_enabled
+ zone_redundancy_enabled = var.use_private_networking ? var.container_registry_zone_redundancy_enabled : false
 network_rule_bypass_option = var.use_private_networking ? "AzureServices" : "None"
 }
From 11df5f0cb8ad32c23374d7b721e8c7d20454963f Mon Sep 17 00:00:00 2001
From: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Date: Tue, 10 Feb 2026 13:36:22 +0000
Subject: [PATCH 5/5] Fix zone redundancy condition for container registry
---
 modules/azure/container_registry.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azure/container_registry.tf b/modules/azure/container_registry.tf
index 210d9eb..2b2ce94 100644
--- a/modules/azure/container_registry.tf
+++ b/modules/azure/container_registry.tf
@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {
 location = var.azure_location
 sku = var.use_private_networking ? "Premium" : "Basic"
 public_network_access_enabled = !var.use_private_networking
- zone_redundancy_enabled = var.use_private_networking ? var.container_registry_zone_redundancy_enabled : false
+ zone_redundancy_enabled = var.use_private_networking && var.container_registry_zone_redundancy_enabled
 network_rule_bypass_option = var.use_private_networking ? "AzureServices" : "None"
 }
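Review bot: Now that `zone_redundancy_enabled` is user-controllable, the hunk should warn that flipping it is not an in-place change: the azurerm provider documents `zone_redundancy_enabled` on `azurerm_container_registry` as forcing a new resource, so toggling `container_registry_zone_redundancy_enabled` (or `use_private_networking`, which also drives `sku`) on an existing environment replaces the registry and discards every image pushed to it, and presumably breaks whatever references its id until the next build. A comment on the line, `# Changing zone redundancy (or the SKU) forces the registry to be recreated and drops all stored images; decide before first apply.`, would stop an innocent variable change from becoming an outage, and `lifecycle { prevent_destroy = true }` is worth considering if the registry is treated as stateful. The `&&` form restored here and the ternary it replaces are equivalent for non-null booleans; neither tolerates an explicit `null` in the variable, so that guard belongs on the variable declaration (`nullable = false`) rather than in this expression.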