UNCLASSIFIED

## Azure Container Registry (ACR) Cross-Subscription Replication

This project replicates the container images of an ACR in one Azure Government subscription into an ACR in another subscription. Azure currently offers geo-replication of ACRs, but not cross-subscription replication yet. Once cross-subscription replication becomes available, retire this project or modify it as required.

Features:
1.  The code enumerates all repositories and tags in the source ACR, excluding any tag equal to "latest". The replicator is designed for explicit tag pulls.
2.  The code enumerates all repositories and tags in the destination ACR.
3.  The code compares the two inventories and replicates a Repo:Tag only if it does not already exist in the destination.
4.  The code WILL NOT delete any container images on the source or destination ACRs.
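The comparison the feature list describes (copy only what the destination lacks, skip "latest", never delete), written as a few shell functions. This is an added example, not the project's own code: `missing_tags` is pure shell so the diff can be checked offline against constructed sample inventories, while `list_registry` and the `az acr import` call in `replicate` are assumptions about how a practitioner would list and copy images with the Azure CLI, and the registry names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the acr-replicator code): replicate only the repo:tag
# pairs missing from the destination, skipping "latest", deleting nothing.
set -eu

# missing_tags SRC_LIST DST_LIST
# Both arguments are newline-separated "repo:tag" lines. Prints each source
# entry absent from the destination. Tags named "latest" are skipped because
# the replicator works with explicit tags only; the destination is never
# pruned, so entries present only there are simply ignored.
missing_tags() {
  src_file=$(mktemp); dst_file=$(mktemp)
  printf '%s\n' "$1" | grep -v -e '^$' -e ':latest$' | sort -u >"$src_file" || true
  printf '%s\n' "$2" | grep -v '^$' | sort -u >"$dst_file" || true
  comm -23 "$src_file" "$dst_file"   # lines only in the source inventory
  rm -f "$src_file" "$dst_file"
}

# list_registry REGISTRY_NAME
# Assumed helper: enumerate every repository and tag of a registry with the
# Azure CLI (needs 'az' logged in to that registry's tenant) and print
# "repo:tag" lines in the shape missing_tags expects.
list_registry() {
  az acr repository list --name "$1" --output tsv | while read -r repo; do
    az acr repository show-tags --name "$1" --repository "$repo" --output tsv |
      sed "s|^|$repo:|"
  done
}

# replicate SRC_LOGIN_SERVER DST_REGISTRY_NAME SRC_LIST DST_LIST
# For each missing repo:tag, print the planned copy (DRY_RUN=1, the default)
# or run an assumed 'az acr import' that copies the image server-side from
# the source login server into the destination registry, authenticating to
# the source with the pull-only principal held in SRC_USER / SRC_SECRET.
replicate() {
  missing_tags "$3" "$4" | while read -r entry; do
    [ -n "$entry" ] || continue
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "would copy $1/$entry -> $2/$entry"
    else
      az acr import --name "$2" --source "$1/$entry" --image "$entry" \
        --username "$SRC_USER" --password "$SRC_SECRET"
    fi
  done
}

# Constructed sample inventories standing in for the two registries.
SAMPLE_SRC='app/api:1.0.0
app/api:1.1.0
app/api:latest
app/web:2.3.1'
SAMPLE_DST='app/api:1.0.0'

# Dry-run plan: app/api:1.1.0 and app/web:2.3.1 are copied; "latest" is
# skipped and app/api:1.0.0 already exists at the destination.
replicate sourceRegistry.azurecr.us destinationRegistry "$SAMPLE_SRC" "$SAMPLE_DST"
```

In a real run the two lists would come from `list_registry` against each registry (each with a login in its own tenant) and `DRY_RUN=0` would perform the copies; keeping the diff separate from the copy step makes the plan reviewable before any image is written.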

## Obtain Credentials and Tenant IDs

You will need the following:
- Source Tenant ID
- Source App Registration Client ID
- Source App Registration Client Secret
- Source Azure Container Registry
- Destination Tenant ID
- Destination App Registration Client ID
- Destination App Registration Client Secret
- Destination Azure Container Registry

## (Optional) Create new AD Service Principal

If you don't already have a service principal with appropriate access, create a new one. Log in to the Azure CLI with `az login` using an account that has permission to create service principals and assign roles on the registry.

NOTE: Edit the role assignment to match the level of permission actually needed. If the principal only needs to pull, use `acrpull`; if it needs to push and pull, use `acrpush`. For this replicator the source registry principal only needs `acrpull`, and the destination registry principal needs `acrpush`.

```bash
#!/bin/bash
set -euo pipefail

# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<container-registry-name>
SERVICE_PRINCIPAL_NAME=acr-service-principal

# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)

# Create the service principal with rights scoped to the registry.
# The '--role' below grants push and pull; modify the value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
# Read the app ID and password from the single create call instead of a
# second 'az ad sp show' lookup, which is fragile across CLI versions.
IFS=$'\t' read -r SP_APP_ID SP_PASSWD <<<"$(az ad sp create-for-rbac \
  --name "$SERVICE_PRINCIPAL_NAME" \
  --scopes "$ACR_REGISTRY_ID" \
  --role acrpush \
  --query '[appId,password]' --output tsv)"

# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry. The password is
# only shown here once, so store it in a secret store rather than a shell log.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"
```

## Clone the repo
```bash
git clone https://repo1.dsop.io/platform-one/big-bang/acr-replicator.git
cd acr-replicator
```

## Create the terraform.tfvars and populate
```bash
cat << EOF > terraform.tfvars
# Source registry: principal needs pull rights only
src_pull_user = "Source Client ID used for ACR Pulls"
src_pull_secret = "Source Client Secret"
# Destination registry: principal needs push rights
dst_push_user = "Destination Client ID used for ACR Pushes"
dst_push_secret = "Destination Client Secret"
source_registry = "sourceRegistry.azurecr.us"
source_tenant = "Source Azure AD Tenant ID"
destination_tenant = "Destination Azure AD Tenant ID"
destination_registry = "destinationRegistry.azurecr.us"
# Local admin credentials for the VM Terraform creates to run the replication
image_vm_user = "azureuser"
image_vm_pw = "pickApassword"
EOF
```

## Run the terraform
```bash
terraform init
# Provisions the replication VM and copies the missing images
terraform apply -auto-approve
# Tears the VM down once the replication has finished
# (-auto-approve replaces the deprecated -force flag)
terraform destroy -auto-approve
```