Amend destroy_env_no_terraform.sh to purge container repos

[jonnyry]

Problem

When using Defender to scan container images -

If the container registry is deleted as a whole (instead of deleting individual container repositories first), Defender does not remove scans of container images.

If redeploying a fresh TRE using the same name as previously, this leads to misleading results in Defender in dev/test environments with repeated scans 'stacking up' and making the results look larger than they actually are (see screen shots below).

Example of Defender results that are 'stacking up':

Example of Defender holding on to scans of deleted images (there is only 1 image in each repository):

Diagnosis

According to this Microsoft documentation, container scans should be deleted within an hour, or maximum three days, however our experience is that container scans for deleted images (where the registry was deleted as a whole) can persist for up to two weeks.

If I remove an image from my registry, how long before vulnerabilities reports on that image would be removed?

Azure Container Registries notifies Defender for Cloud when images are deleted, and removes the vulnerability assessment for deleted images within one hour. In some rare cases, Defender for Cloud might not be notified on the deletion, and deletion of associated vulnerabilities in such cases might take up to three days.

It appears the 'hook' Defender uses to remove scans does not work when the ACR is deleted as a whole with images remaining in it, and only functions as intended when repositories/images are deleted individually first.

Solution

This PR amends the destroy_env_no_terraform.sh script to individually delete container repositories, before the script continues as usual to delete the resource groups (including the container registry).

This ensures the 'hook' Defender uses to remove scans fires and scans are cleared up when a TRE is destroyed.

[github-actions]

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 07880e7.

♻️ This comment has been updated with latest results.

[tamirkamara]

@jonnyry shouldn't the script just find the ACRs in the groups it's going to delete?

[jonnyry]

@jonnyry shouldn't the script just find the ACRs in the groups it's going to delete?

Yes good point, probably should - I'll amend.

[jonnyry]

@tamirkamara Now updated to search for containter registries rather than requiring a separate parameter.

[jonnyry]

/test 07880e7

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12562577242 (with refid 853a7c83)

(in response to this comment from @jonnyry)

[jonnyry]

/test 07880e7

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12563009383 (with refid 853a7c83)

(in response to this comment from @jonnyry)

[jonnyry]

/destroy-test-env

[github-actions]

🤖 pr-bot 🤖

/destroy-test-env is not recognised as a valid command.

You can use the following commands:
    /test - build, deploy and run smoke tests on a PR
    /test-extended - build, deploy and run smoke & extended tests on a PR
    /test-extended-aad - build, deploy and run smoke & extended AAD tests on a PR
    /test-shared-services - test the deployment of shared services on a PR build
    /test-force-approve - force approval of the PR tests (i.e. skip the deployment checks)
    /test-destroy-env - delete the validation environment for a PR (e.g. to enable testing a deployment from a clean start after previous tests)
    /help - show this help

(in response to this comment from @jonnyry)

[jonnyry]

/test-destroy-env

[github-actions]

Destroying PR test environment (RG: rg-tre853a7c83)... (run: https://github.com/microsoft/AzureTRE/actions/runs/12563557593)

[github-actions]

PR test environment destroy complete (RG: rg-tre853a7c83)

[tim-p-allen]

LGTM