@@ -126,212 +126,6 @@ This building block supports 4 deployment scenarios based on your networking and
126126
127127---
128128
129- ### Scenario 1: New VNet + Hub Peering
130- Ideal for isolated workloads that need connectivity to hub network and on-premises resources.
131-
132- ``` hcl
133- provider "azurerm" {
134- alias = "hub"
135- subscription_id = "hub-subscription-id"
136- }
137-
138- module "acr" {
139- source = "./buildingblock"
140-
141- providers = {
142- azurerm = azurerm
143- azurerm.hub = azurerm.hub
144- }
145-
146- acr_name = "mycompanyacr"
147- resource_group_name = "acr-rg"
148- location = "West Europe"
149- sku = "Premium"
150- admin_enabled = false
151- public_network_access_enabled = false
152-
153- # Private endpoint - creates new VNet
154- private_endpoint_enabled = true
155- private_dns_zone_id = "System"
156- vnet_address_space = "10.250.0.0/16"
157- subnet_address_prefix = "10.250.1.0/24"
158-
159- # Hub connectivity - peering created automatically
160- hub_subscription_id = "hub-subscription-id"
161- hub_resource_group_name = "hub-network-rg"
162- hub_vnet_name = "hub-vnet"
163-
164- retention_days = 30
165- trust_policy_enabled = true
166-
167- tags = {
168- Environment = "Production"
169- }
170- }
171- ```
172-
173- ### Scenario 2: Existing Shared Connectivity VNet
174- Ideal for multi-tenant environments with a shared connectivity VNet already peered to hub.
175-
176- ``` hcl
177- module "acr" {
178- source = "./buildingblock"
179-
180- acr_name = "mycompanyacr"
181- resource_group_name = "acr-rg"
182- location = "West Europe"
183- sku = "Premium"
184- admin_enabled = false
185- public_network_access_enabled = false
186-
187- # Private endpoint in existing shared VNet
188- private_endpoint_enabled = true
189- private_dns_zone_id = "System"
190- vnet_name = "shared-connectivity-vnet"
191- existing_vnet_resource_group_name = "connectivity-rg"
192- subnet_name = "acr-subnet"
193-
194- # No hub peering - VNet already connected to hub
195- # hub variables omitted
196-
197- tags = {
198- Environment = "Production"
199- }
200- }
201- ```
202-
203- ### Scenario 3: Private Isolated (No Hub)
204- Ideal for secure workloads that only need access within the same VNet (e.g., AKS in same VNet).
205-
206- ``` hcl
207- module "acr" {
208- source = "./buildingblock"
209-
210- acr_name = "mycompanyacr"
211- resource_group_name = "acr-rg"
212- location = "West Europe"
213- sku = "Premium"
214- admin_enabled = false
215- public_network_access_enabled = false
216-
217- # Private endpoint - new isolated VNet
218- private_endpoint_enabled = true
219- private_dns_zone_id = "System"
220- vnet_address_space = "10.250.0.0/16"
221- subnet_address_prefix = "10.250.1.0/24"
222-
223- # No hub connectivity
224- # hub variables omitted
225-
226- tags = {
227- Environment = "Production"
228- }
229- }
230- ```
231-
232- ### Scenario 4: Completely Public ACR
233- Ideal for development/test environments or public CI/CD pipelines.
234-
235- ``` hcl
236- module "acr" {
237- source = "./buildingblock"
238-
239- acr_name = "mycompanyacr"
240- resource_group_name = "acr-rg"
241- location = "West Europe"
242- sku = "Standard" # Can use cheaper SKU
243- admin_enabled = false
244- public_network_access_enabled = true
245-
246- # No private endpoint
247- private_endpoint_enabled = false
248-
249- # Optional: IP allowlist for security
250- allowed_ip_ranges = [
251- "203.0.113.0/24", # Office network
252- "198.51.100.5/32" # CI/CD runner
253- ]
254-
255- tags = {
256- Environment = "Development"
257- }
258- }
259- ```
260-
261- ---
262-
263- ### Private ACR with AKS Integration
264- ``` hcl
265- module "aks" {
266- source = "../aks/buildingblock"
267-
268- aks_cluster_name = "my-aks"
269- resource_group_name = "aks-rg"
270- location = "West Europe"
271- private_cluster_enabled = true
272- aks_admin_group_object_id = "12345678-1234-1234-1234-123456789012"
273- log_analytics_workspace_name = "my-law"
274- }
275-
276- module "acr" {
277- source = "./buildingblock"
278-
279- acr_name = "mycompanyacr"
280- resource_group_name = "acr-rg"
281- location = "West Europe"
282- sku = "Premium"
283- admin_enabled = false
284- public_network_access_enabled = false
285-
286- # Private endpoint in same VNet as AKS
287- private_endpoint_enabled = true
288- private_dns_zone_id = "System"
289- vnet_name = "${module.aks.aks_cluster_name}-vnet"
290- subnet_name = "${module.aks.aks_cluster_name}-subnet"
291-
292- # Automatic AKS integration - grants AcrPull role
293- aks_managed_identity_principal_id = module.aks.aks_identity_client_id
294-
295- tags = {
296- Environment = "Production"
297- }
298- }
299- ```
300-
301- ### Geo-Replicated ACR (Premium)
302- ``` hcl
303- module "acr" {
304- source = "./buildingblock"
305-
306- acr_name = "mycompanyacr"
307- resource_group_name = "acr-rg"
308- location = "West Europe"
309- sku = "Premium"
310-
311- # Geo-replication to multiple regions
312- georeplications = [
313- {
314- location = "North Europe"
315- zone_redundancy_enabled = true
316- regional_endpoint_enabled = true
317- },
318- {
319- location = "East US"
320- zone_redundancy_enabled = true
321- regional_endpoint_enabled = true
322- }
323- ]
324-
325- zone_redundancy_enabled = true
326- retention_days = 30
327- trust_policy_enabled = true
328-
329- tags = {
330- Environment = "Production"
331- }
332- }
333- ```
334-
335129## Getting Started
336130
337131### Authenticating with ACR