Bicep Module Documentation

| Property | Value | Description |
|---|---|---|
| general (required) | general | General object |
| identity | identity | Identity object |
| sku | 'Basic' 'Premium' 'Standard' | The SKU of the container registry. (default: Standard) |
| adminUserEnabled | bool | The value that indicates whether the admin user is enabled. (default: False) |
| anonymousPullEnabled | bool | Enables registry-wide pull from unauthenticated clients. (default: false) |
| cacheRules | containerRegistryCacheRule[] | List of cache rules to create. |
| cacheCredentials | containerRegistryCacheCredential[] | List of cache credentials to create. |
| networkRuleBypassOptions | 'AzureServices' 'None' | Whether to allow trusted Azure services to access a network restricted registry. (default: AzureServices) |
| publicNetworkAccess | 'Disabled' 'Enabled' | Whether or not public network access is allowed for the container registry. |
| networkRuleSet | networkRuleSet | The network rule set for a container registry. |
| dataEndpointEnabled | bool | Enable a single data endpoint per region for serving data. |
| zoneRedundancy | 'Disabled' 'Enabled' | Whether or not zone redundancy is enabled for this container registry. |
| policies | policies | policies |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource. |

| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | The types of identities associated with this resource. (default: None) |
| userAssignedIdentities | string[] | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |

| Property | Value | Description |
|---|---|---|
| defaultAction (required) | 'Allow' 'Deny' | The default action of allow or deny when no other rules match. |
| ipRules (required) | containerRegistryIpRule[] | The IP ACL rules. |

| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' | When disabled, blocks import from artifacts to other container registries. |

| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' | When enabled, will move new images to a quarantine, where they need to be approved. |

| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' | The value that indicates whether the policy is enabled or not. |
| days (required) | int | The number of days to retain an untagged manifest after which it gets purged. |

| Property | Value | Description |
|---|---|---|
| status (required) | 'Disabled' 'Enabled' | Enable pushing & pulling of signed images. Only for Microsoft managed key registries. |

| Property | Value | Description |
|---|---|---|
| exportPolicy | exportPolicy | When disabled, blocks import from artifacts to other container registries. |
| quarantinePolicy | quarantinePolicy | When enabled, will move new images to a quarantine, where they need to be approved. |
| retentionPolicy | retentionPolicy | Retention policy to have an untagged image automatically purged after a set number of days. |
| trustPolicy | trustPolicy | Enable pushing & pulling of signed images. Only for Microsoft managed key registries. |

| Property | Value | Description |
|---|---|---|
| action (required) | 'Allow' | The action of IP ACL rule. |
| value (required) | string | Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name. |
| sourceRepository (required) | string | Source repository pulled from upstream. |
| targetRepository (required) | string | Target repository specified in docker pull command. Eg: docker pull myregistry.azurecr.io/{targetRepository}:{tag} |
| credentialName | string | Name of the Cache Rule Credential to use for this Cache Rule. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | The name of the credential. |
| loginServer (required) | string | The credentials are stored for this upstream or login server. |
| usernameSecretIdentifier (required) | string | KeyVault Secret URI for accessing the username. |
| passwordSecretIdentifier (required) | string | KeyVault Secret URI for accessing the password. |

| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, none will be appended, otherwise it will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. ReadOnly locks must be commented out to be able to deploy again. |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |

| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |

| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resource group in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |

| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
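
A locked-down registry configuration built from the properties in the tables above, as an added example that is not the module's own code. The variable name `hardenedRegistry`, the way the object is passed to the module, and every value (names, resource ids, retention days) are assumptions or placeholders.

```bicep
// Added example: property names come from the tables on this page,
// the variable name and all values are constructed placeholders.
var hardenedRegistry = {
  general: {
    location: 'westeurope'
    resourceGroupName: '<resource-group-name>'
    naming: { function: 'security' }
    sharedNaming: { function: 'security' }
    resourceLocks: [
      {
        // Authorized users can still modify the registry, but not delete it.
        level: 'CanNotDelete'
        notes: 'Guards the registry against accidental deletion.'
      }
    ]
  }
  // Azure offers private endpoints and network rules on the Premium SKU only.
  sku: 'Premium'
  // Keep the shared admin account off so access goes through identities and role assignments.
  adminUserEnabled: false
  // No registry-wide pull for unauthenticated clients.
  anonymousPullEnabled: false
  // Close the public endpoint; clients reach the registry through the private endpoint.
  publicNetworkAccess: 'Disabled'
  // The page's default is 'AzureServices'; 'None' also shuts out trusted Azure services.
  networkRuleBypassOptions: 'None'
  networkRuleSet: {
    // Anything not matched by a rule is denied; no IP ranges are allowed here.
    defaultAction: 'Deny'
    ipRules: []
  }
  policies: {
    exportPolicy: { status: 'Disabled' }
    quarantinePolicy: { status: 'Enabled' }
    retentionPolicy: {
      status: 'Enabled'
      days: 7 // constructed value
    }
  }
  privateLink: {
    subnets: [
      { id: '<subnet-resource-id>' }
    ]
    dnsZoneIds: [
      '<private-dns-zone-resource-id>'
    ]
  }
}
```

With `publicNetworkAccess` set to 'Disabled', build agents and cluster nodes need network line of sight to the private endpoint subnet and DNS resolution through the linked zones before pushes and pulls will work.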