Bicep Module Documentation
← Back to Overview
Module container-registry
containerRegistry
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| sku | 'Basic' 'Premium' 'Standard' |
Sku of the container registry (default: Standard) |
| adminUserEnabled | bool | Enable the admin user for the container registry (default: false) |
| anonymousPullEnabled | bool | Enables registry-wide pull from unauthenticated clients (default: false) |
| cacheRules | containerRegistryCacheRule[] | List of cache rules to create |
| cacheCredentials | containerRegistryCacheCredential[] | List of cache credentials to create |
| networkRuleBypassOptions | 'AzureServices' 'None' |
Allow trusted Azure services to access a network restricted registry (default: AzureServices) [Premium sku only] |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Allow public access to the container registry [Premium sku only] |
| networkRuleSet | networkRuleSet | Set firewall rules [Premium sku only] |
| dataEndpointEnabled | bool | Enable a single data endpoint per region for serving data [Premium sku only] |
| zoneRedundancy | 'Disabled' 'Enabled' |
Enable zone redundancy for the container registry [Premium sku only] |
| policies | policies | |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
identity
| Property | Value | Description |
|---|---|---|
| type (required) | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
networkRuleSet
| Property | Value | Description |
|---|---|---|
| defaultAction (required) | 'Allow' 'Deny' |
|
| ipRules (required) | containerRegistryIpRule[] | Add allow rules to container registry [Array of IP rules] |
exportPolicy
| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' |
quarantinePolicy
| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' |
retentionPolicy
| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' |
Enable the retention policy |
| days (required) | int | Set the amount of days before the untagged images are purged |
trustPolicy
| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' |
policies
| Property | Value | Description |
|---|---|---|
| exportPolicy | exportPolicy | When disabled blocks import from artifacts to other container registries [Premium sku only] |
| quarantinePolicy | quarantinePolicy | When enabled, will move new images to a quarantaine which need to be approved [Premium sku only] |
| retentionPolicy | retentionPolicy | Retenion policy to have an untagged image automatically purged after a set of days [Premium sku only] |
| trustPolicy | trustPolicy | Enabled pushing & pulling of signed images [Only for Microsoft managed key registries] [Premium sku only] |
containerRegistryIpRule
| Property | Value | Description |
|---|---|---|
| action (required) | 'Allow' | |
| value (required) | string | [[CIDR notation or IP address only IPv4] |
containerRegistryCacheRule
| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the rule |
| sourceRepository (required) | string | Source repository pulled from upstream |
| targetRepository (required) | string | Target repository specified in docker pull command, e.g. docker pull myregistry.azurecr.io/{targetRepository}:{tag} |
| credentialName | string | Name of the Cache Rule Credential to use for this Cache Rule |
containerRegistryCacheCredential
| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the credential |
| loginServer (required) | string | The credentials are stored for this upstream or login server. |
| usernameSecretIdentifier (required) | string | KeyVault Secret URI for accessing the username. |
| passwordSecretIdentifier (required) | string | KeyVault Secret URI for accessing the password. |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Cant end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they cant modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
| principalType (required) | 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
The principal type of the assigned principal ID |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
7.4.0 (2025-10-07)
Features
- update resource api versions
7.3.2 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
7.3.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
7.3.0 (2025-03-26)
Features
- add resourceName output
7.2.0 (2025-03-26)
Features
- change types file for better processing by the documentation
- change types file for better processing by the documentation script
7.1.0 (2025-03-25)
Features
- add output principalId
7.0.1 (2025-03-17)
Bug Fixes
- revise descriptions
- revise descriptions
7.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
6.0.1 (2025-02-17)
Bug Fixes
- correctly display the hidden title
6.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
5.0.1 (2025-01-02)
Bug Fixes
- use new toObject function for UserAssignedIdentities