From 45d08ce05dece79767da6426bfeb41ab48651b17 Mon Sep 17 00:00:00 2001
From: paul senior
Date: Thu, 21 May 2026 14:52:44 +0100
Subject: [PATCH 1/3] feat(2669): spike - dockerhub repo caching
---
cluster/terraform_aks_cluster/caching.tf | 81 +++++++++++++++++++
.../config/development.tfvars.json | 3 +-
cluster/terraform_aks_cluster/terraform.tf | 10 +++
cluster/terraform_aks_cluster/variables.tf | 14 ++++
4 files changed, 107 insertions(+), 1 deletion(-)
create mode 100644 cluster/terraform_aks_cluster/caching.tf
diff --git a/cluster/terraform_aks_cluster/caching.tf b/cluster/terraform_aks_cluster/caching.tf
new file mode 100644
index 00000000..2997abf9
--- /dev/null
+++ b/cluster/terraform_aks_cluster/caching.tf
@@ -0,0 +1,81 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_key_vault" "key_vault" {
+ name = var.cluster_kv
+ resource_group_name = var.resource_group_name
+}
+
+data "azurerm_key_vault_secret" "dockerhub_username" {
+ name = "dockerhub-username"
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "dockerhub_pat" {
+ name = "dockerhub-pat"
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+
+resource "azurerm_container_registry" "acr" {
+ name = "AcrCache${var.environment}Dockerhub"
+ resource_group_name = data.azurerm_resource_group.cluster.name
+ location = data.azurerm_resource_group.cluster.location
+ sku = "Standard"
+
+ admin_enabled = false
+}
+
+resource "azapi_resource" "dockerhub_credential_set" {
+ count = var.environment == "development" ? 1 : 0
+
+ type = "Microsoft.ContainerRegistry/registries/credentialSets@2025-11-01"
+ name = "dockerhub-creds"
+ parent_id = azurerm_container_registry.acr.id
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ body = {
+ properties = {
+ loginServer = "docker.io"
+
+ authCredentials = [
+ {
+ name = "Credential1"
+ usernameSecretIdentifier = data.azurerm_key_vault_secret.dockerhub_username.versionless_id
+ passwordSecretIdentifier = data.azurerm_key_vault_secret.dockerhub_pat.versionless_id
+ }
+ ]
+ }
+ }
+}
+
+resource "azurerm_role_assignment" "acr_cache_kv_secrets_user" {
+ count = var.environment == "development" ? 1 : 0
+
+ scope = data.azurerm_key_vault.key_vault.id
+ role_definition_name = "Key Vault Secrets User"
+
+ principal_id = azapi_resource.dockerhub_credential_set[0].identity[0].principal_id
+}
+
+resource "azapi_resource" "dockerhub_nginx_cache" {
+ count = var.environment == "development" ? 1 : 0
+
+ type = "Microsoft.ContainerRegistry/registries/cacheRules@2025-11-01"
+ name = "dockerhub-nginx"
+ parent_id = azurerm_container_registry.acr.id
+
+ body = {
+ properties = {
+ sourceRepository = "docker.io/library/nginx"
+ targetRepository = "dockerhub/library/nginx"
+ credentialSetResourceId = azapi_resource.dockerhub_credential_set[0].id
+ }
+ }
+
+ depends_on = [
+ azurerm_role_assignment.acr_cache_kv_secrets_user
+ ]
+}
\ No newline at end of file
diff --git a/cluster/terraform_aks_cluster/config/development.tfvars.json b/cluster/terraform_aks_cluster/config/development.tfvars.json
index 8e72e04c..ef8c46fe 100644
--- a/cluster/terraform_aks_cluster/config/development.tfvars.json
+++ b/cluster/terraform_aks_cluster/config/development.tfvars.json
@@ -21,5 +21,6 @@
 "node_soak_duration_in_minutes": 1
 }
 },
- "admin_group_id": "f77b2daf-7ff4-4aa5-8138-cf983d0b4a18"
+ "admin_group_id": "f77b2daf-7ff4-4aa5-8138-cf983d0b4a18",
+ "cluster_kv": "s189d01-tsc2-dv-kv"
 }
diff --git a/cluster/terraform_aks_cluster/terraform.tf b/cluster/terraform_aks_cluster/terraform.tf
index 8bdd97eb..c48b72c5 100644
--- a/cluster/terraform_aks_cluster/terraform.tf
+++ b/cluster/terraform_aks_cluster/terraform.tf
@@ -5,6 +5,10 @@ terraform {
 source = "hashicorp/azurerm"
 version = "4.61.0"
 }
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 2.0"
+ }
 }
 backend "azurerm" {
 container_name = "tsc-tfstate"
@@ -15,3 +19,9 @@ provider "azurerm" {
 features {}
 resource_provider_registrations = "none"
 }
+
+provider "azapi" {}
+
+
+
+
diff --git a/cluster/terraform_aks_cluster/variables.tf b/cluster/terraform_aks_cluster/variables.tf
index ae2e65b8..d43b81c6 100644
--- a/cluster/terraform_aks_cluster/variables.tf
+++ b/cluster/terraform_aks_cluster/variables.tf
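Review bot: In caching.tf, `azurerm_role_assignment.acr_cache_kv_secrets_user` grants "Key Vault Secrets User" at `scope = data.azurerm_key_vault.key_vault.id`, so the credential set's managed identity can read every secret in the cluster vault, not only `dockerhub-username` and `dockerhub-pat`. Scoping one assignment to each secret keeps the grant to what the cache rule needs; this assumes the vault uses the RBAC permission model, which the hunk does not show. The two `azurerm_key_vault_secret` data sources are used only for `versionless_id`, yet reading them also copies the secret values into Terraform state, so building the identifiers from the vault's `vault_uri` and dropping those data sources is worth considering. The existing `depends_on` in `dockerhub_nginx_cache` keeps working with the `for_each` form below.

```hcl
resource "azurerm_role_assignment" "acr_cache_kv_secrets_user" {
  for_each = var.environment == "development" ? toset(["dockerhub-username", "dockerhub-pat"]) : toset([])

  # Per-secret scope: the identity can read these two secrets and nothing else in the vault.
  scope                = "${data.azurerm_key_vault.key_vault.id}/secrets/${each.key}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azapi_resource.dockerhub_credential_set[0].identity[0].principal_id
}
```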
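Review bot: In terraform.tf the new `azapi` entry uses `version = "~> 2.0"`, which accepts any 2.x release, while `azurerm` in the same `required_providers` block is pinned to exactly `4.61.0`. This provider manages the Docker Hub credential set, so an exact pin such as `version = "<tested 2.x release>"` keeps a provider upgrade a reviewed change rather than something picked up at the next `init`. If a `.terraform.lock.hcl` is committed for this module (not visible in this patch), it needs an `azapi` entry as well.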
@@ -55,6 +55,20 @@ variable "second_egress_ip" {
 description = "Allocate a second egress public IP for the cluster"
 }

+variable "dockerhub_username" {
+ type = string
+ sensitive = true
+ default = "bob"
+}
+
+variable "dockerhub_pat" {
+ type = string
+ sensitive = true
+ default = "bob"
+}
+
+variable "cluster_kv" { type = string }
+
 locals {
 backing_services_resource_group_name = "${var.resource_prefix}-tsc-${var.environment}-bs-rg"
 cluster_name = (
From 2137877fdd5e8c3135f6f83d6ee72e35c31a3e1c Mon Sep 17 00:00:00 2001
From: paul senior
Date: Thu, 21 May 2026 14:56:39 +0100
Subject: [PATCH 2/3] feat(2669): spike - dockerhub repo caching
---
cluster/terraform_aks_cluster/variables.tf | 2 --
1 file changed, 2 deletions(-)
diff --git a/cluster/terraform_aks_cluster/variables.tf b/cluster/terraform_aks_cluster/variables.tf
index d43b81c6..17f54627 100644
--- a/cluster/terraform_aks_cluster/variables.tf
+++ b/cluster/terraform_aks_cluster/variables.tf
@@ -58,13 +58,11 @@ variable "second_egress_ip" {
 variable "dockerhub_username" {
 type = string
 sensitive = true
- default = "bob"
 }

 variable "dockerhub_pat" {
 type = string
 sensitive = true
- default = "bob"
 }

 variable "cluster_kv" { type = string }
From 2b4ccf1966c7e1c1b7f0d6ac581b6b988de0d8b0 Mon Sep 17 00:00:00 2001
From: paul senior
Date: Thu, 21 May 2026 14:57:55 +0100
Subject: [PATCH 3/3] feat(2669): spike - dockerhub repo caching
---
cluster/terraform_aks_cluster/caching.tf | 2 +-
cluster/terraform_aks_cluster/terraform.tf | 4 ----
2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/cluster/terraform_aks_cluster/caching.tf b/cluster/terraform_aks_cluster/caching.tf
index 2997abf9..eeb3e634 100644
--- a/cluster/terraform_aks_cluster/caching.tf
+++ b/cluster/terraform_aks_cluster/caching.tf
@@ -78,4 +78,4 @@ resource "azapi_resource" "dockerhub_nginx_cache" {
 depends_on = [
 azurerm_role_assignment.acr_cache_kv_secrets_user
 ]
-}
\ No newline at end of file
+}
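Review bot: `dockerhub_username` and `dockerhub_pat` in variables.tf are not referenced anywhere in this series, since caching.tf reads both values from Key Vault, so they are dead inputs; once patch 2/3 drops the `"bob"` defaults they become required in every environment. Deleting both declarations removes the temptation to satisfy them by passing a real PAT through tfvars or the command line. `cluster_kv` has no description or default and only development.tfvars.json sets it in this series. Because the Key Vault data sources and the registry in caching.tf are not gated on `var.environment`, other environments will presumably fail to plan, or gain a registry they do not use; that is worth confirming against the other tfvars files, which this patch does not show.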
diff --git a/cluster/terraform_aks_cluster/terraform.tf b/cluster/terraform_aks_cluster/terraform.tf
index c48b72c5..379cc656 100644
--- a/cluster/terraform_aks_cluster/terraform.tf
+++ b/cluster/terraform_aks_cluster/terraform.tf
@@ -21,7 +21,3 @@ provider "azurerm" {
 }

 provider "azapi" {}
-
-
-
-