Adding Module code for Azure Container Registry

.github/workflows/checkov.yml

@@ -0,0 +1,25 @@
+
+name: Static security analysis for Terraform
+
+permissions: read-all
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ./

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+.terraform.*
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.77.1
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_validate
+    - id: terraform_checkov
+    - id: terraform_docs
+      args:
+          - '--args=--lockfile=false'
+

README.md

@@ -0,0 +1,74 @@
+# Terraform module for Azure ACR
+
+## How to use it as a module
+
+```hcl
+module "acr" {
+  source  = "./"
+  name                = "iba6yu5bgopi"
+  resource_group_name = "terraform-test"
+  location            = "East US"
+  sku                 = "Premium"
+  admin_enabled       = true
+}
+
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_container_registry.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_admin_enabled"></a> [admin\_enabled](#input\_admin\_enabled) | (Optional) Specifies whether the admin user is enabled. Defaults to false. | `bool` | `false` | no |
+| <a name="input_anonymous_pull_enabled"></a> [anonymous\_pull\_enabled](#input\_anonymous\_pull\_enabled) | (Optional) Whether allows anonymous (unauthenticated) pull access to this Container Registry? This is only supported on resources with the Standard or Premium SKU. | `bool` | `false` | no |
+| <a name="input_create_acr"></a> [create\_acr](#input\_create\_acr) | (Optional) Do you want to create ECR repo | `bool` | `true` | no |
+| <a name="input_data_endpoint_enabled"></a> [data\_endpoint\_enabled](#input\_data\_endpoint\_enabled) | (Optional) Whether to enable dedicated data endpoints for this Container Registry? This is only supported on resources with the Premium SKU. | `bool` | `true` | no |
+| <a name="input_encryption"></a> [encryption](#input\_encryption) | (Optional) An encryption block | `any` | `[]` | no |
+| <a name="input_export_policy_enabled"></a> [export\_policy\_enabled](#input\_export\_policy\_enabled) | (Optional) Boolean value that indicates whether export policy is enabled. Defaults to true. In order to set it to false, make sure the public\_network\_access\_enabled is also set to false. | `bool` | `true` | no |
+| <a name="input_georeplications"></a> [georeplications](#input\_georeplications) | A list of Azure locations where the Ccontainer Registry should be geo-replicated. Only activated on Premium SKU.<br>  Supported properties are:<br>    location                  = string<br>    zone\_redundancy\_enabled   = bool<br>    regional\_endpoint\_enabled = bool<br>    tags                      = map(string)<br>  or this can be a list of `string` (each element is a location) | `any` | `[]` | no |
+| <a name="input_identity"></a> [identity](#input\_identity) | (Optional) An identity block | `any` | `[]` | no |
+| <a name="input_location"></a> [location](#input\_location) | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) Specifies the name of the Container Registry. Only Alphanumeric characters allowed. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_network_rule_bypass_option"></a> [network\_rule\_bypass\_option](#input\_network\_rule\_bypass\_option) | (Optional) Whether to allow trusted Azure services to access a network restricted Container Registry? Possible values are None and AzureServices. Defaults to AzureServices. | `string` | `"AzureServices"` | no |
+| <a name="input_network_rule_set"></a> [network\_rule\_set](#input\_network\_rule\_set) | A list of Azure locations where the Ccontainer Registry should be geo-replicated. Only activated on Premium SKU.<br>  Supported properties are:<br>    default\_action  = string<br>    ip\_rule         = list(map(string))<br>    virtual\_network = list(map(string)) | `any` | `[]` | no |
+| <a name="input_public_network_access_enabled"></a> [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | (Optional) Whether public network access is allowed for the container registry. Defaults to true. | `bool` | `false` | no |
+| <a name="input_quarantine_policy_enabled"></a> [quarantine\_policy\_enabled](#input\_quarantine\_policy\_enabled) | (Optional) Boolean value that indicates whether quarantine policy is enabled. | `bool` | `false` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the Container Registry. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_retention_policy"></a> [retention\_policy](#input\_retention\_policy) | (Optional) A retention\_policy block | `any` | <pre>[<br>  {<br>    "days": 30,<br>    "enabled": true<br>  }<br>]</pre> | no |
+| <a name="input_sku"></a> [sku](#input\_sku) | (Optional) The SKU name of the container registry. Possible values are Basic, Standard and Premium.Defaults to Premium. | `string` | `"Premium"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource. | `map(string)` | `{}` | no |
+| <a name="input_trust_policy"></a> [trust\_policy](#input\_trust\_policy) | (Optional) A trust\_policy block | `any` | <pre>[<br>  {<br>    "enabled": false<br>  }<br>]</pre> | no |
+| <a name="input_zone_redundancy_enabled"></a> [zone\_redundancy\_enabled](#input\_zone\_redundancy\_enabled) | (Optional) Whether zone redundancy is enabled for this Container Registry? Changing this forces a new resource to be created. Defaults to false. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_admin_password"></a> [admin\_password](#output\_admin\_password) | The Password associated with the Container Registry Admin account - if the admin account is enabled. |
+| <a name="output_admin_username"></a> [admin\_username](#output\_admin\_username) | The Username associated with the Container Registry Admin account - if the admin account is enabled. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the Container Registry. |
+| <a name="output_login_server"></a> [login\_server](#output\_login\_server) | The URL that can be used to log into the container registry. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

main.tf

@@ -0,0 +1,102 @@
+resource "azurerm_container_registry" "this" {
+  count = var.create_acr ? 1 : 0
+
+  name                = var.name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  sku                 = var.sku
+  admin_enabled       = var.admin_enabled
+
+
+  /* georeplications {
+
+  } */
+  dynamic "georeplications" {
+    for_each = length(var.georeplications) != 0 && var.sku == "Premium" ? var.georeplications : []
+
+    content {
+      location                  = try(georeplications.value.location)
+      regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false)
+      zone_redundancy_enabled   = try(georeplications.value.zone_redundancy_enabled, false)
+      tags                      = try(georeplications.value.tags, {})
+    }
+  }
+
+  dynamic "network_rule_set" {
+    for_each = length(var.network_rule_set) != 0 && var.sku == "Premium" ? var.network_rule_set : []
+
+    content {
+      default_action = try(network_rule_set.value.default_action, Allow)
+
+      dynamic "ip_rule" {
+        for_each = try(network_rule_set.value.ip_rule, [])
+
+        content {
+          action   = "Allow"
+          ip_range = try(ip_rule.value.ip_range)
+        }
+      }
+
+      dynamic "virtual_network" {
+        for_each = try(network_rule_set.value.virtual_network, [])
+
+        content {
+          action    = "Allow"
+          subnet_id = try(virtual_network.value.subnet_id)
+        }
+      }
+
+    }
+  }
+
+  public_network_access_enabled = var.public_network_access_enabled
+  quarantine_policy_enabled     = var.quarantine_policy_enabled
+
+
+  dynamic "retention_policy" {
+    for_each = length(var.retention_policy) != 0 ? var.retention_policy : []
+
+    content {
+      days    = try(retention_policy.value.days, 7)
+      enabled = try(retention_policy.value.enabled, true)
+    }
+
+  }
+
+  dynamic "trust_policy" {
+    for_each = var.trust_policy
+
+    content {
+      enabled = try(trust_policy.value.enabled, true)
+    }
+  }
+
+  zone_redundancy_enabled = var.zone_redundancy_enabled
+  export_policy_enabled   = var.export_policy_enabled
+
+  dynamic "identity" {
+    for_each = length(var.identity) != 0 ? var.identity : []
+
+    content {
+      type         = try(identity.value.type, "UserAssigned")
+      identity_ids = try(identity.value.identity_ids, [])
+    }
+  }
+
+  dynamic "encryption" {
+    for_each = length(var.encryption) != 0 && length(var.identity) != 0 ? var.encryption : []
+
+    content {
+      enabled            = try(encryption.value.enabled, true)
+      key_vault_key_id   = try(encryption.value.key_vault_key_id)
+      identity_client_id = try(encryption.value.identity_client_id)
+    }
+  }
+
+
+  anonymous_pull_enabled     = var.anonymous_pull_enabled
+  data_endpoint_enabled      = var.data_endpoint_enabled
+  network_rule_bypass_option = var.network_rule_bypass_option
+
+  tags = var.tags
+}

outputs.tf

@@ -0,0 +1,19 @@
+output "id" {
+  description = "The ID of the Container Registry."
+  value       = try(azurerm_container_registry.this[0].id, "")
+}
+
+output "login_server" {
+  description = "The URL that can be used to log into the container registry."
+  value       = try(azurerm_container_registry.this[0].login_server, "")
+}
+
+output "admin_username" {
+  description = "The Username associated with the Container Registry Admin account - if the admin account is enabled."
+  value       = try(azurerm_container_registry.this[0].admin_username, "")
+}
+
+output "admin_password" {
+  description = "The Password associated with the Container Registry Admin account - if the admin account is enabled."
+  value       = try(azurerm_container_registry.this[0].admin_password, "")
+}