
azurermContainerRegistry

Manages an Azure Container Registry.

\~> Note: All arguments, including the admin password exported as adminPassword when the admin user is enabled, will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*cdktf convert emits snake_case argument names when provider schema information
is missing; the generated bindings expect the camelCase names used below.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
new azurerm.containerRegistry.ContainerRegistry(this, "acr", {
  // Keep the shared admin account disabled; grant access through role
  // assignments (e.g. AcrPull) to managed identities instead.
  adminEnabled: false,
  // Geo-replication is Premium-only; locations must be in alphabetical order
  // and must not include the registry's own location.
  georeplications: [
    {
      location: "East US",
      tags: {},
      zoneRedundancyEnabled: true,
    },
    {
      location: "North Europe",
      tags: {},
      zoneRedundancyEnabled: true,
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "containerRegistry1",
  resourceGroupName: azurermResourceGroupExample.name,
  sku: "Premium",
});

Example Usage (Encryption)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*cdktf convert emits snake_case argument names when provider schema information
is missing; the generated bindings expect the camelCase names used below.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
// User-assigned identity the registry uses to reach the Key Vault key.
const azurermUserAssignedIdentityExample =
  new azurerm.userAssignedIdentity.UserAssignedIdentity(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "registry-uai",
    resourceGroupName: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermUserAssignedIdentityExample.overrideLogicalId("example");
// Customer-managed key in an existing Key Vault (the key vault data source
// is referenced here but not shown on this page).
const dataAzurermKeyVaultKeyExample =
  new azurerm.dataAzurermKeyVaultKey.DataAzurermKeyVaultKey(this, "example_2", {
    keyVaultId: "${data.azurerm_key_vault.existing.id}",
    name: "super-secret",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermKeyVaultKeyExample.overrideLogicalId("example");
new azurerm.containerRegistry.ContainerRegistry(this, "acr", {
  // The identity named by identityClientId must also be listed in
  // identity.identityIds below, or the registry cannot unwrap the key.
  encryption: [
    {
      enabled: true,
      identityClientId: azurermUserAssignedIdentityExample.clientId,
      keyVaultKeyId: dataAzurermKeyVaultKeyExample.id,
    },
  ],
  identity: [
    {
      identityIds: [azurermUserAssignedIdentityExample.id],
      type: "UserAssigned",
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "containerRegistry1",
  resourceGroupName: azurermResourceGroupExample.name,
  sku: "Premium",
});

Example Usage (Attaching a Container Registry to a Kubernetes Cluster)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*cdktf convert emits snake_case argument names when provider schema information
is missing; the generated bindings expect the camelCase names used below.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermContainerRegistryExample =
  new azurerm.containerRegistry.ContainerRegistry(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "containerRegistry1",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "Premium",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermContainerRegistryExample.overrideLogicalId("example");
// Cluster with a system-assigned identity; the kubelet identity it creates is
// what nodes use to pull images, so that is the principal we grant AcrPull.
const azurermKubernetesClusterExample =
  new azurerm.kubernetesCluster.KubernetesCluster(this, "example_2", {
    defaultNodePool: [
      {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_D2_v2",
      },
    ],
    dnsPrefix: "exampleaks1",
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example-aks1",
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      Environment: "Production",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKubernetesClusterExample.overrideLogicalId("example");
// Least privilege: AcrPull only, scoped to this registry rather than the
// resource group or subscription. The principalId is a raw HCL reference
// built with the escape hatch (kubelet_identity[0].object_id).
const azurermRoleAssignmentExample = new azurerm.roleAssignment.RoleAssignment(
  this,
  "example_3",
  {
    principalId: `\${${azurermKubernetesClusterExample.kubeletIdentity.fqn}[0].object_id}`,
    roleDefinitionName: "AcrPull",
    scope: azurermContainerRegistryExample.id,
    skipServicePrincipalAadCheck: true,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRoleAssignmentExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the Container Registry. Only alphanumeric characters are allowed. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the Container Registry. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • sku - (Required) The SKU name of the container registry. Possible values are Basic, Standard and Premium.

  • adminEnabled - (Optional) Specifies whether the admin user is enabled. Defaults to false. The admin user is a single shared credential with push and pull rights to every repository, and its password is exported into state as adminPassword; prefer role assignments to managed identities (as in the Kubernetes example above) and leave this disabled.

  • tags - (Optional) A mapping of tags to assign to the resource.

  • georeplications - (Optional) A georeplications block as documented below.

\~> NOTE: The georeplications is only supported on new resources with the premium SKU.

\~> NOTE: The georeplications list cannot contain the location where the Container Registry exists.

\~> NOTE: If more than one georeplications block is specified, they are expected to follow the alphabetic order on the location property.

  • networkRuleSet - (Optional) A networkRuleSet block as documented below.

  • publicNetworkAccessEnabled - (Optional) Whether public network access is allowed for the container registry. Defaults to true.

  • quarantinePolicyEnabled - (Optional) Boolean value that indicates whether quarantine policy is enabled.

  • retentionPolicy - (Optional) A retentionPolicy block as documented below.

  • trustPolicy - (Optional) A trustPolicy block as documented below.

  • zoneRedundancyEnabled - (Optional) Whether zone redundancy is enabled for this Container Registry. Changing this forces a new resource to be created. Defaults to false.

  • exportPolicyEnabled - (Optional) Boolean value that indicates whether export policy is enabled. Defaults to true. In order to set it to false, make sure the publicNetworkAccessEnabled is also set to false.

    \~> NOTE: quarantinePolicyEnabled, retentionPolicy, trustPolicy, exportPolicyEnabled and zoneRedundancyEnabled are only supported on resources with the premium SKU.

  • identity - (Optional) An identity block as defined below.

  • encryption - (Optional) An encryption block as documented below.

  • anonymousPullEnabled - (Optional) Whether to allow anonymous (unauthenticated) pull access to this Container Registry. This is only supported on resources with the Standard or Premium SKU. When enabled, any client that can reach the registry endpoint can pull every image, so enable it only for registries that are meant to be public.

  • dataEndpointEnabled - (Optional) Whether to enable dedicated data endpoints for this Container Registry. This is only supported on resources with the Premium SKU.

  • networkRuleBypassOption - (Optional) Whether to allow trusted Azure services to access a network restricted Container Registry. Possible values are None and AzureServices. Defaults to AzureServices.


The georeplications block supports the following:

  • location - (Required) A location where the container registry should be geo-replicated.

  • regionalEndpointEnabled - (Optional) Whether regional endpoint is enabled for this Container Registry?

  • zoneRedundancyEnabled - (Optional) Whether zone redundancy is enabled for this replication location? Defaults to false.

    \~> NOTE: Changing zoneRedundancyEnabled forces the underlying replication to be re-created.

  • tags - (Optional) A mapping of tags to assign to this replication location.


The networkRuleSet block supports the following:

  • defaultAction - (Optional) The behaviour for requests matching no rules. Either Allow or Deny. Defaults to Allow.

  • ipRule - (Optional) One or more ipRule blocks as defined below.

  • virtualNetwork - (Optional) One or more virtualNetwork blocks as defined below.

\~> NOTE: networkRuleSet is only supported with the premium SKU at this time.

\~> NOTE: Azure automatically configures Network Rules that admit requests from all networks. To remove these you'll need to specify a networkRuleSet block with defaultAction set to Deny and allow-list only the required ipRule and virtualNetwork entries.


The ipRule block supports the following:

  • action - (Required) The behaviour for requests matching this rule. At this time the only supported value is Allow.

  • ipRange - (Required) The CIDR block from which requests will match the rule.


The virtualNetwork block supports the following:

  • action - (Required) The behaviour for requests matching this rule. At this time the only supported value is Allow.

  • subnetId - (Required) The subnet id from which requests will match the rule.


The trustPolicy block supports the following:

  • enabled - (Optional) Boolean value that indicates whether the policy is enabled.

The retentionPolicy block supports the following:

  • days - (Optional) The number of days to retain an untagged manifest after which it gets purged. Default is 7.

  • enabled - (Optional) Boolean value that indicates whether the policy is enabled.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Container Registry. Possible values are SystemAssigned, UserAssigned, and "SystemAssigned, UserAssigned" (to enable both).

  • identityIds - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Container Registry.

\~> NOTE: This is required when type is set to UserAssigned or "SystemAssigned, UserAssigned".


The encryption block supports the following:

  • enabled - (Optional) Boolean value that indicates whether encryption is enabled.

  • keyVaultKeyId - (Required) The ID of the Key Vault Key.

  • identityClientId - (Required) The client ID of the managed identity associated with the encryption key.

\~> NOTE: The managed identity used in encryption also needs to be part of the identity block under identityIds, and it must be granted the get, wrapKey and unwrapKey key permissions on the Key Vault (or the equivalent RBAC role) so the registry can unwrap the key.
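The constraints in the argument reference above (Premium-only arguments, the two georeplications rules, the identityIds requirement, the encryption identity note, and the exportPolicyEnabled/publicNetworkAccessEnabled coupling) can all be checked before terraform apply. The lint below is an added example written for this page; it is not part of the azurerm provider or the generated CDKTF bindings. The RegistryConfig type is a hypothetical subset that mirrors the camelCase argument names on this page, the two sample configurations are constructed, and the "warn:" findings are this editor's hardening checks rather than provider errors.

```typescript
// Added example (not provider or CDKTF code): lint a registry configuration
// against the argument-reference constraints and a few hardening rules.

type Sku = "Basic" | "Standard" | "Premium";
type RuleAction = "Allow" | "Deny";

// Hypothetical subset of the ContainerRegistry arguments on this page.
interface GeoReplication {
  location: string;
  zoneRedundancyEnabled?: boolean;
  tags?: Record<string, string>;
}

interface RegistryConfig {
  name: string;
  location: string;
  sku: Sku;
  adminEnabled?: boolean;
  publicNetworkAccessEnabled?: boolean;
  anonymousPullEnabled?: boolean;
  exportPolicyEnabled?: boolean;
  quarantinePolicyEnabled?: boolean;
  zoneRedundancyEnabled?: boolean;
  trustPolicy?: { enabled?: boolean };
  retentionPolicy?: { enabled?: boolean; days?: number };
  networkRuleSet?: {
    defaultAction?: RuleAction;
    ipRule?: { action: "Allow"; ipRange: string }[];
    virtualNetwork?: { action: "Allow"; subnetId: string }[];
  };
  georeplications?: GeoReplication[];
  identity?: {
    type: "SystemAssigned" | "UserAssigned" | "SystemAssigned, UserAssigned";
    identityIds?: string[];
  };
  encryption?: { enabled?: boolean; keyVaultKeyId: string; identityClientId: string };
}

// "error:" findings are arguments the provider documents as invalid;
// "warn:" findings are posture problems worth justifying in review.
function lintRegistry(cfg: RegistryConfig): string[] {
  const out: string[] = [];
  const premium = cfg.sku === "Premium";

  if (!/^[A-Za-z0-9]+$/.test(cfg.name)) out.push("error: name must be alphanumeric");

  // Premium-only arguments; only non-default values are flagged.
  const premiumOnly: Array<[string, boolean]> = [
    ["georeplications", cfg.georeplications !== undefined],
    ["networkRuleSet", cfg.networkRuleSet !== undefined],
    ["retentionPolicy", cfg.retentionPolicy !== undefined],
    ["trustPolicy", cfg.trustPolicy !== undefined],
    ["quarantinePolicyEnabled", cfg.quarantinePolicyEnabled === true],
    ["zoneRedundancyEnabled", cfg.zoneRedundancyEnabled === true],
    ["exportPolicyEnabled", cfg.exportPolicyEnabled === false],
  ];
  if (!premium) {
    for (const [arg, set] of premiumOnly) {
      if (set) out.push(`error: ${arg} requires the Premium SKU`);
    }
  }
  if (cfg.sku === "Basic" && cfg.anonymousPullEnabled === true) {
    out.push("error: anonymousPullEnabled requires the Standard or Premium SKU");
  }
  if (cfg.exportPolicyEnabled === false && cfg.publicNetworkAccessEnabled !== false) {
    out.push("error: exportPolicyEnabled=false requires publicNetworkAccessEnabled=false");
  }

  // Geo-replication: never the home location, and alphabetical by location.
  const geo: GeoReplication[] = cfg.georeplications ?? [];
  if (geo.some((g) => g.location === cfg.location)) {
    out.push("error: georeplications must not include the registry's own location");
  }
  for (let i = 1; i < geo.length; i++) {
    if (geo[i - 1].location.localeCompare(geo[i].location) > 0) {
      out.push("error: georeplications must be ordered alphabetically by location");
      break;
    }
  }

  // Identity and customer-managed-key wiring.
  const idType = cfg.identity?.type;
  const hasUai = idType === "UserAssigned" || idType === "SystemAssigned, UserAssigned";
  if (hasUai && !cfg.identity?.identityIds?.length) {
    out.push("error: identityIds is required when identity.type includes UserAssigned");
  }
  if (cfg.encryption && !hasUai) {
    out.push("error: encryption needs its user-assigned identity listed in identity.identityIds");
  }

  // Hardening checks (editor's rules, not provider validation).
  if (cfg.adminEnabled === true) {
    out.push("warn: adminEnabled exposes a shared push/pull credential that is stored in state");
  }
  if (cfg.anonymousPullEnabled === true) {
    out.push("warn: anonymousPullEnabled lets any client that can reach the registry pull every image");
  }
  const publicReachable = cfg.publicNetworkAccessEnabled !== false;
  const defaultDeny = cfg.networkRuleSet?.defaultAction === "Deny";
  if (publicReachable && !defaultDeny) {
    out.push("warn: reachable from any network (no networkRuleSet with defaultAction Deny)");
  }
  if (premium && cfg.trustPolicy?.enabled !== true) {
    out.push("warn: trustPolicy not enabled, so content trust (signed tags) is unavailable");
  }
  return out;
}

// Constructed sample inputs: a weak registry and a hardened one.
const weakRegistry: RegistryConfig = {
  name: "containerRegistry1",
  location: "West Europe",
  sku: "Standard",
  adminEnabled: true,
  anonymousPullEnabled: true,
  georeplications: [{ location: "East US" }], // Premium-only: rejected
};

const hardenedRegistry: RegistryConfig = {
  name: "containerRegistry1",
  location: "West Europe",
  sku: "Premium",
  adminEnabled: false,
  publicNetworkAccessEnabled: false,
  exportPolicyEnabled: false,
  quarantinePolicyEnabled: true,
  zoneRedundancyEnabled: true,
  trustPolicy: { enabled: true },
  retentionPolicy: { enabled: true, days: 7 },
  networkRuleSet: { defaultAction: "Deny", virtualNetwork: [{ action: "Allow", subnetId: "build-subnet-id" }] },
  georeplications: [{ location: "East US", zoneRedundancyEnabled: true }, { location: "North Europe", zoneRedundancyEnabled: true }],
  identity: { type: "UserAssigned", identityIds: ["registry-uai-id"] },
  encryption: { enabled: true, keyVaultKeyId: "key-id", identityClientId: "client-id" },
};
```

Run lintRegistry over the props object before passing it to new ContainerRegistry(...): anything starting with error: will fail at apply time, and each warn: line marks a setting that should be justified in review. The weak sample yields one error and three warnings; the hardened sample yields none.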


Attributes Reference

The following attributes are exported:

  • id - The ID of the Container Registry.

  • loginServer - The URL that can be used to log into the container registry.

  • adminUsername - The Username associated with the Container Registry Admin account - if the admin account is enabled.

  • adminPassword - The Password associated with the Container Registry Admin account - if the admin account is enabled.

  • identity - An identity block as defined below.


An identity block exports the following:

  • principalId - The Principal ID associated with this Managed Service Identity.

  • tenantId - The Tenant ID associated with this Managed Service Identity.

-> You can access the Principal ID via azurerm_container_registry.example.identity[0].principal_id and the Tenant ID via azurerm_container_registry.example.identity[0].tenant_id


Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Container Registry.
  • update - (Defaults to 30 minutes) Used when updating the Container Registry.
  • read - (Defaults to 5 minutes) Used when retrieving the Container Registry.
  • delete - (Defaults to 30 minutes) Used when deleting the Container Registry.

Import

Container Registries can be imported using the resource id, e.g.

terraform import azurerm_container_registry.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.ContainerRegistry/registries/myregistry1