feat: Decouple container registry zone redundancy from private networking and make flexible

alz/azuredevops/main.tf

@@ -49,6 +49,7 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
+  container_registry_zone_redundancy_enabled                = coalesce(var.container_registry_zone_redundancy_enabled, var.agent_container_zone_support)
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
   use_self_hosted_agents                                    = var.use_self_hosted_agents

alz/azuredevops/variables.tf

@@ -394,11 +394,24 @@ variable "agent_container_zone_support" {
     **(Optional, default: `true`)** Enable availability zone support for Azure DevOps agent container instances.
 
     When enabled, containers are distributed across availability zones for higher availability and resilience.
+    Some regions do not support availability zones, in which case this should be set to false.
   EOT
   type        = bool
   default     = true
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `null`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Defaults to the value of `agent_container_zone_support` if not set.
+  EOT
+  type        = bool
+  default     = null
+}
+
 variable "built_in_configuration_file_names" {
   description = <<-EOT
     **(Optional, default: `["config.yaml", "config-hub-and-spoke-vnet.yaml", "config-virtual-wan.yaml"]`)**

alz/github/main.tf

@@ -50,6 +50,7 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_private_endpoints   = var.virtual_network_subnet_address_prefix_private_endpoints
   storage_account_replication_type                          = var.storage_account_replication_type
+  container_registry_zone_redundancy_enabled                = coalesce(var.container_registry_zone_redundancy_enabled, var.runner_container_zone_support)
   public_ip_name                                            = local.resource_names.public_ip
   nat_gateway_name                                          = local.resource_names.nat_gateway
   use_self_hosted_agents                                    = var.use_self_hosted_runners

alz/github/variables.tf

@@ -499,11 +499,24 @@ variable "runner_container_zone_support" {
     **(Optional, default: `true`)** Enable availability zone support for GitHub runner container instances.
 
     When enabled, containers are distributed across availability zones for higher availability and resilience.
+    Some regions do not support availability zones, in which case this should be set to false.
   EOT
   type        = bool
   default     = true
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `null`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Defaults to the value of `runner_container_zone_support` if not set.
+  EOT
+  type        = bool
+  default     = null
+}
+
 variable "runner_name_environment_variable" {
   description = <<-EOT
     **(Optional, default: `"GH_RUNNER_NAME"`)** The runner name environment variable supplied to the container.

modules/azure/container_registry.tf

@@ -5,7 +5,7 @@ resource "azurerm_container_registry" "alz" {
   location                      = var.azure_location
   sku                           = var.use_private_networking ? "Premium" : "Basic"
   public_network_access_enabled = !var.use_private_networking
-  zone_redundancy_enabled       = var.use_private_networking
+  zone_redundancy_enabled       = var.use_private_networking && var.container_registry_zone_redundancy_enabled
   network_rule_bypass_option    = var.use_private_networking ? "AzureServices" : "None"
 }
 

modules/azure/variables.tf

@@ -528,6 +528,18 @@ variable "container_registry_image_name" {
   default     = ""
 }
 
+variable "container_registry_zone_redundancy_enabled" {
+  description = <<-EOT
+    **(Optional, default: `true`)** Enable zone redundancy for the Azure Container Registry.
+
+    When enabled, the container registry is replicated across availability zones for higher availability.
+    Some regions do not support zone redundancy, in which case this should be set to false.
+    Zone redundancy requires Premium SKU, which is only used when private networking is enabled.
+  EOT
+  type        = bool
+  default     = true
+}
+
 variable "container_registry_image_tag" {
   description = <<-EOT
     **(Optional, default: `"{{.Run.ID}}"`)** Tag pattern for the container image.