docs: runner group variable (#132)

<!-- Thank you for submitting a Pull Request. Please fill out the
template below.-->
## Overview/Summary

Update the docs for the runner group fixes and options

## This PR fixes/adds/changes/removes

N/A

### Breaking Changes

None

## Testing Evidence

e2e tests run and testing in an Entrerprise

## As part of this Pull Request I have

- [x] Checked for duplicate [Pull
Requests](https://github.com/Azure/alz-terraform-accelerator/pulls)
- [x] Associated it with relevant
[issues](https://github.com/Azure/alz-terraform-accelerator/issues), for
tracking and closure.
- [x] Ensured my code/branch is up-to-date with the latest changes in
the `main`
[branch](https://github.com/Azure/alz-terraform-accelerator/tree/main)
- [x] Performed testing and provided evidence.
- [x] Updated relevant and associated documentation.

Author: jaredfholgate

docs/wiki/Troubleshooting.md

@@ -26,6 +26,18 @@ Follow these steps to ensure you have a working environment:
 
 You should now be able to successfully run the `Deploy-Accelerator` command and continue.
 
+## 422 Error when deleting Runner Group
+
+When trying to destroy a GitHub environment with a runner group you may see an error like:
+
+`Error: DELETE https://api.github.com/orgs/<org>/actions/runner-groups/3: 422 This group cannot be deleted because it contains runners. Please remove or move them to another group before proceeding. []`
+
+Unfortunately, this requires manual intervantion at the moment. The runners do not delete themselves when the container instance is delete, so they will show in the offline state for 14 days prior to being deleted.
+
+To resolve this, you can manually delete the runners from Runner Group in the GitHub UI. You can then re-run the destroy to complete the clean up.
+
+This only affects you if you have Enterprise licensing and have chosen to use a Runner Group. More details can be found here: <https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners>
+
 <!-- markdownlint-enable no-inline-html -->
 
 [Issues]:     https://github.com/Azure/alz-terraform-accelerator/issues "Our issues log"

docs/wiki/[User-Guide]-Quick-Start-Phase-1.md

@@ -106,6 +106,8 @@ The accelerator does not support GitHub personal accounts, since they don't supp
 
 #### 1.4.2.2 GitHub Personal Access Token (PAT)
 
+> NOTE: The following instructions refer to `classic` personal access tokens. You can also use `fine-grained` access tokens which are still in beta to provide more granular permissions. These docs will be updated to reflect this in the future.
+
 1. Navigate to [github.com](https://github.com).
 1. Click on your user icon in the top right and select `Settings`.
 1. Scroll down and click on `Developer Settings` in the left navigation.
@@ -129,7 +131,9 @@ The accelerator does not support GitHub personal accounts, since they don't supp
 If you are using self-hosted runners, you will need to create a second PAT for them. You can do this by following the steps above with the following differences:
 
 1. Select `No expiration` for the `Expiration` field. NOTE: You may want to set an expiration date for security reasons, but you will need to have a process in place to regenerate the token in that scenario.
-1. Select only the `repo` scope.
+1. The scope required depends on the type of organization you are using:
+    1. If you are using a Free organization or an Enterprise orgnization without a runner group, select only the `repo` scope.
+    1. If you are using an Enterprise organization and a runner group, select the `admin:org` scope for classic tokens (or `organization_self_hosted_runners:write` for fine-grained tokens).
 
 ### 1.4.3 Local File System
 

docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md

@@ -22,7 +22,6 @@
     1. `use_private_networking`: This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true` or `azure_devops_authentication_scheme` is set to `ManagedServiceIdentity`. This defaults to `true`.
     1. `allow_storage_access_from_my_ip`: This controls whether to allow access to the storage account from your IP address. This is only needed for trouble shooting. This only applies if you have `use_private_networking` set to `true`. This defaults to `false`.
     1. `apply_approvers`: This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is a comma-separated list like `[email protected],[email protected],[email protected]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider.
-    1. `root_parent_management_group_display_name`: This is the name of the root management group that you applied permissions to in a previous step. This defaults to `Tenant Root Group`, but if your organization has changed it or you want to use a different management group you'll need to enter the new display name.
 1. You will now see a green message telling you that the next section is specific to the starter module you choose. Navigate to the documentation for the relevant starter module to get details of the specific inputs.
 1. Once you have entered the starter module input, you see that a Terraform `init` and `apply` happen.
 1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed.

docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md

@@ -16,9 +16,9 @@
     1. `use_self_hosted_agents`: This controls if you want to deploy self-hosted runners. If you are using `ManagedServiceIdentity` for `azure_devops_authentication_scheme`, then you will need to deploy self-hosted runners as part of the bootstrap, so this setting will have no effect. This will default to `true`.
     1. `github_runners_personal_access_token`: Enter the GitHub PAT you generated in a previous step specifically for the self-hosted runners. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `""`.
     1. `use_private_networking`: This controls whether private networking is deployed for your self-hosted runners and storage account. This only applies if you have `use_self_hosted_agents` set to `true` or `azure_devops_authentication_scheme` is set to `ManagedServiceIdentity`. This defaults to `true`.
+    1. `use_runner_group`: This controls whether to use a Runner Group for self hosted agents. This only applies if `use_self_hosted_agents` is `true` and your GitHub Organization is part of a licensed GitHub Enterprise. This defaults to `true`.
     1. `allow_storage_access_from_my_ip`: This controls whether to allow access to the storage account from your IP address. This is only needed for trouble shooting. This only applies if you have `use_private_networking` set to `true`. This defaults to `false`.
     1. `apply_approvers`: This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is a comma-separated list like `[email protected],[email protected],[email protected]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider.
-    1. `root_parent_management_group_display_name`: This is the name of the root management group that you applied permissions to in a previous step. This defaults to `Tenant Root Group`, but if your organization has changed it or you want to use a different management group you'll need to enter the new display name.
 1. You will now see a green message telling you that the next section is specific to the starter module you choose. Navigate to the documentation for the relevant starter module to get details of the specific inputs.
 1. Once you have entered the starter module input, you see that a Terraform `init` and `apply` happen.
 1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed.

docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md

@@ -12,7 +12,6 @@
     1. `service_name`: This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-<service_name>-mgmt-uksouth-001`. We recommend using `alz` for this.
     1. `environment_name`: This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz-<environment_name>-uksouth-001`. We recommend using `mgmt` for this.
     1. `postfix_number`: This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz-mgmt-uksouth-<postfix_number>`. We recommend using `1` for this.
-    1. `root_parent_management_group_display_name`: This is the name of the root management group that you applied permissions to in a previous step. This defaults to `Tenant Root Group`, but if your organization has changed it or you want to use a different management group you'll need to enter the new display name.
 1. You will now see a green message telling you that the next section is specific to the starter module you choose. Navigate to the documentation for the relevant starter module to get details of the specific inputs.
 1. Once you have entered the starter module input, you see that a Terraform `init` and `apply` happen.
 1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed.

docs/wiki/examples/powershell-inputs/inputs-github.yaml

@@ -55,6 +55,9 @@ github_runners_personal_access_token: "<token2>"
 # Controls whether to use private networking for the runner to storage account communication
 use_private_networking: "true"
 
+# Controls whether to use a runner group. This is only relevant if using a GitHub Enterprise licensed organization
+use_runner_group: "true"
+
 # Allow access to the storage account from the current IP address. We recommend this is kept off for security
 allow_storage_access_from_my_ip: "false"