Commit

feat: Adds authentication to image import `ptn/deployment-script/import-image-to-acr` (#3253)
## Description

Adds the option to authenticate to the source container registry. Used, e.g., for Docker Hub login to avoid throttling.

Closes #3069 

## Pipeline Reference

| Pipeline |
| -------- |
| [![avm.ptn.deployment-script.import-image-to-acr](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.deployment-script.import-image-to-acr.yml/badge.svg?branch=import-image-docker-authentication)](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.deployment-script.import-image-to-acr.yml) |

## Type of Change

- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [x] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [x] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings
ReneHezser authored Sep 12, 2024
1 parent 4d7c891 commit dc730bd
Showing 6 changed files with 245 additions and 119 deletions.
33 changes: 30 additions & 3 deletions avm/ptn/deployment-script/import-image-to-acr/README.md
@@ -281,6 +281,8 @@ module importImageToAcr 'br/public:avm/ptn/deployment-script/import-image-to-acr
| [`overwriteExistingImage`](#parameter-overwriteexistingimage) | bool | The image will be overwritten if it already exists in the ACR with the same tag. Default is false. |
| [`retryMax`](#parameter-retrymax) | int | The maximum number of retries for the script import operation. Default is 3. |
| [`runOnce`](#parameter-runonce) | bool | How the deployment script should be forced to execute. Default is to force the script to deploy the image to run every time. |
| [`sourceRegistryPassword`](#parameter-sourceregistrypassword) | securestring | The password for the source registry. Required if the source registry is private, or to logon to the public docker registry. |
| [`sourceRegistryUsername`](#parameter-sourceregistryusername) | string | The username for the source registry. Required if the source registry is private, or to logon to the public docker registry. |
| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | The resource id of the storage account to use for the deployment script. An existing storage account is needed, if PrivateLink is going to be used for the deployment script. |
| [`subnetResourceIds`](#parameter-subnetresourceids) | array | The subnet ids to use for the deployment script. An existing subnet is needed, if PrivateLink is going to be used for the deployment script. |
| [`tags`](#parameter-tags) | object | Tags of the resource. |
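Review bot: the new `sourceRegistryPassword` and `sourceRegistryUsername` rows say "Required if the source registry is private, or to logon to the public docker registry", but both parameters are optional with an empty-string default, and "logon" should be "log on". Suggest "Optional. Needed when the source registry is private, or to log on to the public Docker registry (e.g. to avoid Docker Hub throttling)". This table is generated from the `@description` decorators in `main.bicep`, so fix the wording there and re-run `Set-AVMModule` rather than editing the README by hand.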
@@ -298,7 +300,12 @@ A fully qualified image name to import.

- Required: Yes
- Type: string
- Example: `mcr.microsoft.com/k8se/quickstart-jobs:latest`
- Example:
```Bicep
mcr.microsoft.com/k8se/quickstart-jobs:latest
docker.io/library/image:latest
docker.io/hello-world:latest
```

### Parameter: `name`

@@ -415,6 +422,22 @@ How the deployment script should be forced to execute. Default is to force the s
- Type: bool
- Default: `False`

### Parameter: `sourceRegistryPassword`

The password for the source registry. Required if the source registry is private, or to logon to the public docker registry.

- Required: No
- Type: securestring
- Default: `''`

### Parameter: `sourceRegistryUsername`

The username for the source registry. Required if the source registry is private, or to logon to the public docker registry.

- Required: No
- Type: string
- Default: `''`

### Parameter: `storageAccountResourceId`

The resource id of the storage account to use for the deployment script. An existing storage account is needed, if PrivateLink is going to be used for the deployment script.
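Review bot: both new parameter sections read "Required if the source registry is private, or to logon to the public docker registry" directly above "- Required: No", which contradicts itself; reword as "Optional" plus the condition, and fix "logon" to "log on". The sections should also state that the two values must be set as a pair: the script only adds `--username`/`--password` when both are non-empty, so setting one without the other silently falls back to an anonymous import.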
@@ -458,13 +481,17 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm/res/resources/deployment-script:0.2.3` | Remote reference |
| `br/public:avm/res/resources/deployment-script:0.4.0` | Remote reference |

## Notes

The deployment script service will need and provision a Storage Account as well as a Container Instance to execute the provided script. _The deployment script resource is available only in the regions where Azure Container Instances is available._

> The service cleans up these resources after the deployment script finishes. You incur charges for these resources until they're removed.
> The service cleans up these resources after the deployment script finishes. You incur charges for these resources until they are removed.
### Authentication to source Container Registry

Authentication is possible by setting the ```sourceRegistryUsername``` and ```sourceRegistryPassword``` parameters. An example that uses Key Vault is in the max sample. It is commented out, as for the shared environments no user exists, that could be used to access e.g. docker hub images.

### Private network access

72 changes: 35 additions & 37 deletions avm/ptn/deployment-script/import-image-to-acr/main.bicep
@@ -28,10 +28,21 @@ param managedIdentityName string?

@description('Required. A fully qualified image name to import.')
@metadata({
example: 'mcr.microsoft.com/k8se/quickstart-jobs:latest'
example: [
'mcr.microsoft.com/k8se/quickstart-jobs:latest'
'docker.io/library/image:latest'
'docker.io/hello-world:latest'
]
})
param image string

@description('Optional. The username for the source registry. Required if the source registry is private, or to logon to the public docker registry.')
param sourceRegistryUsername string = ''

@description('Optional. The password for the source registry. Required if the source registry is private, or to logon to the public docker registry.')
@secure()
param sourceRegistryPassword string = ''

@description('Optional. The new image name in the ACR. You can use this to import a publically available image with a custom name for later updating from e.g., your build pipeline.')
@metadata({
example: 'your-image-name:tag'
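Review bot: the `@description` strings for `sourceRegistryUsername` and `sourceRegistryPassword` say "Required if ..." on parameters declared `Optional.` with a `''` default, and "logon" should be "log on"; since the README is generated from these decorators, this is where the wording needs fixing. Suggest 'Optional. The username for the source registry. Set together with `sourceRegistryPassword` when the source registry is private or when an authenticated pull from the public Docker registry is wanted.' and the mirror text for the password. Separately, the `@metadata` example for `image` changes from a string to an array while the other parameters (e.g. `newImageName` just below) keep a string example; check that the README generator renders an array the way this hunk's README shows, and drop the non-existent `docker.io/library/image:latest` placeholder.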
@@ -147,7 +158,7 @@ resource acrRoleAssignmentNewManagedIdentity 'Microsoft.Authorization/roleAssign
}
}

module imageImport 'br/public:avm/res/resources/deployment-script:0.2.3' = {
module imageImport 'br/public:avm/res/resources/deployment-script:0.4.0' = {
name: name ?? 'ACR-Import-${last(split(replace(image,':','-'),'/'))}'
scope: resourceGroup()
params: {
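Review bot: the bump of `br/public:avm/res/resources/deployment-script` from 0.2.3 to 0.4.0 is not mentioned in the PR description, yet it changes the dependency's `environmentVariables` contract (the `secureList` wrapper is dropped in the next hunk) and pulls in a newer default CLI image. Call the dependency bump out in the description and changelog so that consumers can tell which part of the MINOR version bump comes from the new feature and which from the updated dependency.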
@@ -159,41 +170,20 @@ module imageImport 'br/public:avm/res/resources/deployment-script:0.2.3' = {
: { userAssignedResourcesIds: [newManagedIdentity.id] }
kind: 'AzureCLI'
runOnce: runOnce
azCliVersion: '2.61.0' // available tags are listed here: https://mcr.microsoft.com/v2/azure-cli/tags/list
azCliVersion: '2.63.0' // available tags are listed here: https://mcr.microsoft.com/v2/azure-cli/tags/list
timeout: 'PT30M' // set timeout to 30m
retentionInterval: 'PT1H' // cleanup after 1h
environmentVariables: {
secureList: [
{
name: 'acrName'
value: acrName
}
{
name: 'imageName'
value: image
}
{
name: 'newImageName'
value: newImageName
}
{
name: 'overwriteExistingImage'
value: toLower(string(overwriteExistingImage))
}
{
name: 'initialDelay'
value: '${string(initialScriptDelay)}s'
}
{
name: 'retryMax'
value: string(retryMax)
}
{
name: 'retrySleep'
value: '5s'
}
]
}
environmentVariables: [
{ name: 'acrName', value: acrName }
{ name: 'imageName', value: image }
{ name: 'newImageName', value: newImageName }
{ name: 'overwriteExistingImage', value: toLower(string(overwriteExistingImage)) }
{ name: 'initialDelay', value: '${string(initialScriptDelay)}s' }
{ name: 'retryMax', value: string(retryMax) }
{ name: 'retrySleep', value: '5s' }
{ name: 'sourceRegistryUsername', value: sourceRegistryUsername }
{ name: 'sourceRegistryPassword', secureValue: sourceRegistryPassword }
]
cleanupPreference: cleanupPreference
storageAccountResourceId: storageAccountResourceId
containerGroupName: '${resourceGroup().name}-infrastructure'
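Review bot: `sourceRegistryUsername` is passed with `value` while the password uses `secureValue`, which is the right split (the old `secureList` marked even `acrName` and `retryMax` as secrets for no reason), but be aware that the username is then readable from the deployment script resource's `environmentVariables` in the portal and via `az deployment-scripts show`; if that is not acceptable for a given registry account, consumers have no way to opt in to `secureValue` for it. Also, `azCliVersion` moves from 2.61.0 to 2.63.0 in the same hunk; that is unrelated to the authentication feature and deserves its own line in the description, since the CLI image version determines which `az acr import` options are available.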
@@ -210,9 +200,17 @@ module imageImport 'br/public:avm/res/resources/deployment-script:0.2.3' = {
do
echo "Importing Image ($retryLoopCount): $imageName into ACR: $acrName\n"
if [ $overwriteExistingImage = 'true' ]; then
az acr import -n $acrName --source $imageName --image $newImageName --force
if [ -n "$sourceRegistryUsername" ] && [ -n "$sourceRegistryPassword" ]; then
az acr import -n $acrName --source $imageName --image $newImageName --force --username $sourceRegistryUsername --password $sourceRegistryPassword
else
az acr import -n $acrName --source $imageName --image $newImageName --force
fi
else
az acr import -n $acrName --source $imageName --image $newImageName
if [ -n "$sourceRegistryUsername" ] && [ -n "$sourceRegistryPassword" ]; then
az acr import -n $acrName --source $imageName --image $newImageName --username $sourceRegistryUsername --password $sourceRegistryPassword
else
az acr import -n $acrName --source $imageName --image $newImageName
fi
fi
sleep $retrySleep
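Review bot: the new `--username $sourceRegistryUsername --password $sourceRegistryPassword` arguments are unquoted, so a password containing spaces or shell metacharacters is split or glob-expanded before `az acr import` sees it; quote every expansion, e.g. `--username "$sourceRegistryUsername" --password "$sourceRegistryPassword"` (and `"$imageName"`, `"$newImageName"` while here). The four near-identical `az acr import` invocations can collapse into one by building the optional arguments first, e.g. `set -- -n "$acrName" --source "$imageName" --image "$newImageName"`, then `[ "$overwriteExistingImage" = 'true' ] && set -- "$@" --force`, then the credential pair under the same `-n` test, and finally `az acr import "$@"`; that keeps the overwrite and credential logic in one place. Since `az acr import` takes the source credential only as a `--password` argument, the secret is visible in the container's process list and in any `--debug` CLI output for the duration of the call; add a comment noting that, so nobody later turns on CLI debug logging in this script.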
