Azure Container Registry

This page shows how to write Terraform and Azure Resource Manager configurations for Azure Container Registry, and how to write them securely.

azurerm_container_registry (Terraform)

Azure Container Registry can be configured in Terraform with the resource name azurerm_container_registry. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

container_registry_test.tf#L11
resource "azurerm_container_registry" "my_registry" {
  name                     = "containerRegistry1"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  sku                      = "Premium"
  admin_enabled            = false

container_registry_test.tf#L11
resource "azurerm_container_registry" "my_registry" {
  name                     = "containerRegistry1"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  sku                      = "Premium"
  admin_enabled            = false

main.tf#L7
resource "azurerm_container_registry" "registry" {
  count                    = var.georeplication_locations == [] ? 1 : 0

  name                     = var.name
  resource_group_name      = azurerm_resource_group.group.name
  location                 = azurerm_resource_group.group.location

acr.tf#L1
resource "azurerm_container_registry" "acr_dev_ablunch2_aztech_kc" {
  name                     = "acrdevablunch2aztechkc"
  resource_group_name      = data.azurerm_resource_group.rg_dev_lunch2_aztech_kc.name
  location                 = var.location
  sku                      = "Standard"
  admin_enabled            = true

main.tf#L15
resource "azurerm_container_registry" "acr" {
  name                = "containerRregistryScalableMicroservice"
  resource_group_name = azurerm_resource_group.scalable_microservice.name
  location            = azurerm_resource_group.scalable_microservice.location
  sku                 = "standard"
}

azure-container-registry.tf#L1
resource "azurerm_container_registry" "acr" {
  name                = join("", [var.project_name, "acr"])
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
  admin_enabled       = true

acr.tf#L1
resource "azurerm_container_registry" "acr" {
  name                     = var.container_registry_name
  resource_group_name      = var.product_resource_group_name
  location                 = var.location
  sku                      = var.container_registry_sku

container-registry.tf#L1
resource "azurerm_container_registry" "main" {
  location            = var.az_location
  name                = replace(local.delphai_name, "-", "")
  resource_group_name = azurerm_resource_group.main.name
  admin_enabled       = true
  sku                 = "Premium"

acr.tf#L1
resource "azurerm_container_registry" "acr" {
  name                = local.acr_name
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  sku                 = "Premium"
  admin_enabled       = false

container_registryt.tf#L1
resource "azurerm_container_registry" "acr" {
  name                     = var.name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  sku                      = var.sku
  admin_enabled            = var.admin_enabled

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages an Azure Container Registry.

Note: All arguments including the access key will be stored in the raw state as plain-text. Read more about sensitive data in state.

Tips: Best Practices for The Other Azure Container Resources

In addition to azurerm_kubernetes_cluster, Azure Container has other resources that should be configured with security in mind. Please check the following examples of those resources and the precautions that apply to them.

azurerm_kubernetes_cluster

Ensure logging is enabled for AKS

It is better to enable AKS logging to Azure Monitoring. This provides useful information regarding access and usage.

Review your Azure Container settings

In addition to the above, there are other security points you should be aware of. Make sure that your .tf files are protected in Shisho Cloud.

Microsoft.ContainerRegistry/registries (Azure Resource Manager)

The registries in Microsoft.ContainerRegistry can be configured in Azure Resource Manager with the resource name Microsoft.ContainerRegistry/registries. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

template.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

dash.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

template.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

template.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

Parameters

  • apiVersion required - string
  • identity optional
      • principalId optional - string

        The principal ID of resource identity.

      • tenantId optional - string

        The tenant ID of resource.

      • type optional - string

        The identity type.

      • userAssignedIdentities optional - undefined

        The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

  • location required - string

    The location of the resource. This cannot be changed after the resource is created.

  • name required - string

    The name of the container registry.

  • properties required
      • adminUserEnabled optional - boolean

        The value that indicates whether the admin user is enabled.

      • dataEndpointEnabled optional - boolean

        Enable a single data endpoint per region for serving data.

      • encryption optional
          • keyVaultProperties optional
              • identity optional - string

                The client id of the identity which will be used to access key vault.

              • keyIdentifier optional - string

                Key vault uri to access the encryption key.

          • status optional - string

            Indicates whether or not the encryption is enabled for container registry.

      • networkRuleBypassOptions optional - string

        Whether to allow trusted Azure services to access a network restricted registry.

      • networkRuleSet optional
          • defaultAction required - string

            The default action of allow or deny when no other rules match.

          • ipRules optional array
              • action optional - string

                The action of IP ACL rule.

              • value required - string

                Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed.

      • policies optional
          • exportPolicy optional
              • status optional - string

                The value that indicates whether the policy is enabled or not.

          • quarantinePolicy optional
              • status optional - string

                The value that indicates whether the policy is enabled or not.

          • retentionPolicy optional
              • days optional - integer

                The number of days to retain an untagged manifest after which it gets purged.

              • status optional - string

                The value that indicates whether the policy is enabled or not.

          • trustPolicy optional
              • status optional - string

                The value that indicates whether the policy is enabled or not.

              • type optional - string

                The type of trust policy.

      • publicNetworkAccess optional - string

        Whether or not public network access is allowed for the container registry.

      • zoneRedundancy optional - string

        Whether or not zone redundancy is enabled for this container registry.

  • sku required
      • name required - string

        The SKU name of the container registry. Required for registry creation.

  • tags optional - string

    The tags of the resource.

  • type required - string
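
The following is an added example, not code from the original page or from the repositories it cites: a small static check over the adminUserEnabled, publicNetworkAccess and networkRuleSet.defaultAction properties listed above. The sample template, the function names and the finding wording are constructed for illustration; the values assumed for omitted properties (admin user off, public access Enabled, default action Allow) are the registry service defaults.

```python
import json

REGISTRY_TYPE = "Microsoft.ContainerRegistry/registries"

# Constructed sample template, not taken from the repositories cited on this page.
SAMPLE_TEMPLATE = json.loads("""
{"contentVersion": "1.0.0.0", "resources": [
  {"type": "Microsoft.ContainerRegistry/registries", "name": "weakregistry",
   "properties": {"adminUserEnabled": true}},
  {"type": "Microsoft.ContainerRegistry/registries", "name": "lockedregistry",
   "properties": {"adminUserEnabled": false, "publicNetworkAccess": "Disabled",
                  "networkRuleSet": {"defaultAction": "Deny"}}},
  {"type": "Microsoft.ContainerRegistry/registries", "name": "paramregistry",
   "properties": {"adminUserEnabled": "[parameters('adminEnabled')]",
                  "publicNetworkAccess": "Disabled"}}
]}
""")

def is_expression(value):
    # ARM expressions are strings wrapped in [ ]; "[[" escapes a literal bracket.
    return isinstance(value, str) and value.startswith("[") and not value.startswith("[[")

def audit_registry(resource):
    """Return findings for one registries resource, using the properties listed above."""
    props = resource.get("properties", {})
    settings = {
        "adminUserEnabled": props.get("adminUserEnabled", False),          # default: off
        "publicNetworkAccess": props.get("publicNetworkAccess", "Enabled"),
        "networkRuleSet.defaultAction":
            props.get("networkRuleSet", {}).get("defaultAction", "Allow"),
    }
    findings = [f"{key}: template expression, check the value it resolves to"
                for key, value in settings.items() if is_expression(value)]
    if settings["adminUserEnabled"] is True:
        findings.append("adminUserEnabled: shared admin credential is enabled")
    if (str(settings["publicNetworkAccess"]).lower() == "enabled"
            and str(settings["networkRuleSet.defaultAction"]).lower() == "allow"):
        findings.append("publicNetworkAccess: open to all networks, no default-deny rule set")
    return findings

def audit_template(template):
    # Top-level resources only; nested child resources are out of scope here.
    return {res["name"]: audit_registry(res)
            for res in template.get("resources", [])
            if str(res.get("type", "")).lower() == REGISTRY_TYPE.lower()}

if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, findings or ["no findings"])
```

A property set through a template expression is reported separately instead of being passed or failed, because its value is only known at deployment time.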

Frequently asked questions

What is Azure Container Registry?

Azure Container Registry is a resource for Container in Microsoft Azure. Its settings can be written in Terraform.

Where can I find the example code for the Azure Container Registry?

For Terraform, the gilyas/infracost, infracost/infracost and DanielMabbett/terraform-azurerm-container-registry source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the scautomation/Azure-Inventory-Workbook, rb-cloud-guru/Azure_Dashboard and VJchand-star/Azure source code examples are useful. See the Azure Resource Manager Example section for further details.