Automated sync from private repo (2026-06-11)#771
Merged
foundry-samples-repo-sync[bot] merged 2 commits intoJun 11, 2026
Conversation
…519) * feat: add optional ACR with Private Endpoint to all Bicep VNet scenarios Add an enableContainerRegistry parameter (bool, default false) to all 8 Bicep VNet infrastructure scenarios. When enabled, creates: - Azure Container Registry (Premium SKU, no public access, no admin user) - Private Endpoint in the PE subnet (subresource: registry) - Private DNS Zone (privatelink.azurecr.io) with VNet link - DNS Zone Group for the Private Endpoint Implemented as a shared reusable module (container-registry.bicep) in each scenario's modules-network-secured/ directory. Scenarios updated: - 10-private-network-basic - 11-private-network-basic-vnet - 15-private-network-standard-agent-setup - 15a-private-network-evaluation-only-setup - 16-private-network-standard-agent-apim-setup - 17-private-network-standard-user-assigned-identity-agent-setup - 18-managed-virtual-network - 19-private-network-agent-tools Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: remove ACR from scenarios without network injection (10, 18) The optional ACR with Private Endpoint should only be available in scenarios that have network injection (agent VNet integration), not in PE-only or managed-network scenarios. Removed from: - 10-private-network-basic (PE-only, no agent subnet) - 18-managed-virtual-network (managed network, no agent subnet injection) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: default enableContainerRegistry to true for network injection scenarios Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add canadacentral to allowed locations in scenario 11 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add optional developer IP CIDR allowlist for ACR push access Adds a developerIpCidr parameter (string, default empty) to the ACR module. When provided, enables public network access on the ACR with a network rule that only allows the specified CIDR (e.g., /26). When empty, public access remains fully disabled. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: clarify developerIpCidr accepts any CIDR size Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: make uniqueSuffix deterministic for idempotent re-deploys (scenario 11) Remove utcNow() from the uniqueSuffix calculation so that re-deploying to the same resource group produces the same resource names. This makes deployments idempotent (patch-on-existing) rather than creating new resources on each run. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: make all VNet templates idempotent by removing utcNow from suffix Remove deploymentTimestamp/utcNow() from uniqueSuffix calculation in all templates. The suffix is now derived solely from resourceGroup().id, making deployments idempotent — re-deploying to the same RG updates existing resources in-place rather than creating duplicates. Affected templates: 15, 15a, 16, 17, 18, 19 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: grant AcrPull role to project managed identity on ACR Adds an AcrPull role assignment in the container-registry module so the project's managed identity can pull images from the ACR. The principal ID is passed from each scenario's main.bicep (system-assigned identity for most, user-assigned for scenario 17). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: rebuild compiled JSON templates to include canadacentral Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add canadacentral to allowed locations in scenario 19 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add canadacentral to allowed locations in scenario 15 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Karthik Saligrama <ksaligrama@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated sync from private repo.
Synced commits: 1
Authors: Karthik Saligrama
Validation gate: mode=
none; tracked=46; blocked=46.Rollback point:
73df0d7813ab8817985cc0461575ab1a206d92ae— to revert, force-push this SHA tomainand clear the sync-marks cache.Triggered by:
workflow_dispatchRun: https://github.com/microsoft-foundry/foundry-samples-pr/actions/runs/27322271512