Container registry private networking and bucket cidr range fix

terraform/modules/container_registry/main.tf

@@ -1,3 +1,7 @@
+locals {
+  whitelist = values(var.whitelist)
+}
+
 resource "azurerm_resource_group" "acr" {
   name     = "${var.name}-${var.environment}-acr"
   location = var.region
@@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" {
   sku                 = var.sku
   admin_enabled       = var.admin_enabled
   #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region]
+  network_rule_set {
+    default_action = var.policy
+
+    ip_rule = [
+      for cidr in values(var.whitelist) : {
+        action   = "Allow"
+        ip_range = cidr
+      }
+    ]
+    # Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733
+    #dynamic "ip_rule" {
+    #  for_each = values(var.whitelist)
+    #  content {
+    #    action   = "Allow"
+    #    ip_range = ip_rule.value
+    #  }
+    #}
+
+    virtual_network = [
+      for subnet in var.subnet_ids : {
+        action    = "Allow"
+        subnet_id = subnet.value
+      }
+    ]
+    #virtual_network {
+    #  action = "Allow"
+    #  subnet_id = var.subnet_ids
+    #}
+  }
 }

terraform/modules/container_registry/variables.tf

@@ -35,3 +35,20 @@ variable "admin_enabled" {
   default     = false
 
 }
+
+variable "subnet_ids" {
+  description = "List of subnet_ids that will have access to this service"
+  type        = list
+}
+
+variable "policy" {
+  description = "The default policy for the network access rules (Allow/Deny)"
+  default     = "Deny"
+  type        = string
+}
+
+variable "whitelist" {
+  type        = map
+  description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
+  default     = {}
+}