diff --git a/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json b/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json
index 0b7604f9da..1601d99964 100644
--- a/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json
+++ b/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json
@@ -8,6 +8,26 @@
 "acrAdminUserEnabled": {
 "value": false
 },
+ "acrSku": {
+ "value": "Premium"
+ },
+ "exportPolicyStatus": {
+ "value": "enabled"
+ },
+ "quarantinePolicyStatus": {
+ "value": "enabled"
+ },
+ "trustPolicyStatus": {
+ "value": "enabled"
+ },
+ "replications": {
+ "value": [
+ {
+ "name": "northeurope",
+ "location": "northeurope"
+ }
+ ]
+ },
 "roleAssignments": {
 "value": [
 {
diff --git a/arm/Microsoft.ContainerRegistry/registries/deploy.bicep b/arm/Microsoft.ContainerRegistry/registries/deploy.bicep
index 7de9a5cac0..d5e398d254 100644
--- a/arm/Microsoft.ContainerRegistry/registries/deploy.bicep
+++ b/arm/Microsoft.ContainerRegistry/registries/deploy.bicep
@@ -18,32 +18,85 @@ param privateEndpoints array = []
 @description('Optional. Tier of your Azure container registry.')
 @allowed([
 'Basic'
- 'Standard'
 'Premium'
+ 'Standard'
 ])
 param acrSku string = 'Basic'
 
-@description('Optional. The value that indicates whether the policy is enabled or not.')
-param quarantinePolicyStatus string = ''
+@allowed([
+ 'disabled'
+ 'enabled'
+])
+@description('Optional. The value that indicates whether the export policy is enabled or not.')
+param exportPolicyStatus string = 'disabled'
 
-@description('Optional. The value that indicates whether the policy is enabled or not.')
-param trustPolicyStatus string = ''
+@allowed([
+ 'disabled'
+ 'enabled'
+])
+@description('Optional. The value that indicates whether the quarantine policy is enabled or not.')
+param quarantinePolicyStatus string = 'disabled'
 
-@description('Optional. The value that indicates whether the policy is enabled or not.')
-param retentionPolicyStatus string = ''
+@allowed([
+ 'disabled'
+ 'enabled'
+])
+@description('Optional. The value that indicates whether the trust policy is enabled or not.')
+param trustPolicyStatus string = 'disabled'
+
+@allowed([
+ 'disabled'
+ 'enabled'
+])
+@description('Optional. The value that indicates whether the retention policy is enabled or not.')
+param retentionPolicyStatus string = 'enabled'
 
 @description('Optional. The number of days to retain an untagged manifest after which it gets purged.')
-param retentionPolicyDays string = ''
+param retentionPolicyDays int = 15
+
+@allowed([
+ 'disabled'
+ 'enabled'
+])
+@description('Optional. The value that indicates whether encryption is enabled or not.')
+param encryptionStatus string = 'disabled'
+
+@description('Optional. Identity which will be used to access key vault and Key vault uri to access the encryption key.')
+param keyVaultProperties object = {}
 
 @description('Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access.')
 param dataEndpointEnabled bool = false
 
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
 @description('Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled')
 param publicNetworkAccess string = 'Enabled'
 
 @description('Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None')
 param networkRuleBypassOptions string = 'AzureServices'
 
+@allowed([
+ 'Allow'
+ 'Deny'
+])
+@description('Optional. The default action of allow or deny when no other rules match.')
+param networkRuleSetDefaultAction string = 'Deny'
+
+@description('Optional. The IP ACL rules.')
+param networkRuleSetIpRules array = []
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether or not zone redundancy is enabled for this container registry')
+param zoneRedundancy string = 'Disabled'
+
+@description('Optional. All replications to create')
+param replications array = []
+
 @allowed([
 'CanNotDelete'
 'NotSpecified'
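Review bot: `networkRuleBypassOptions` is the one remaining string parameter whose description enumerates its values (`- AzureServices or None`) but carries no `@allowed` decorator, while `publicNetworkAccess`, `networkRuleSetDefaultAction` and `zoneRedundancy` gain one in this hunk, so a typo there is only caught at deployment time; add an `@allowed` block listing `'AzureServices'` and `'None'` in the same four-line form, and drop the now-redundant `- Enabled or Disabled` suffix from the `publicNetworkAccess` description. The `encryptionStatus` description does not say what must accompany `enabled`, yet the resource block later in this file sends `keyVaultProperties: null` together with `status: encryptionStatus` when the object is left at its `{}` default; suggested wording: `@description('Optional. Whether customer-managed-key encryption is enabled. When enabled, keyVaultProperties must supply the identity and keyIdentifier.')`. The `keyVaultProperties` description could likewise name the two keys (`identity`, `keyIdentifier`) the readme example documents.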
@@ -140,25 +193,49 @@ resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
 }
 properties: {
 adminUserEnabled: acrAdminUserEnabled
+ encryption: acrSku == 'Premium' ? {
+ keyVaultProperties: !empty(keyVaultProperties) ? keyVaultProperties : null
+ status: encryptionStatus
+ } : null
 policies: {
+ exportPolicy: acrSku == 'Premium' ? {
+ status: exportPolicyStatus
+ } : null
 quarantinePolicy: {
- status: (empty(quarantinePolicyStatus) ? null : quarantinePolicyStatus)
+ status: quarantinePolicyStatus
 }
 trustPolicy: {
 type: 'Notary'
- status: (empty(trustPolicyStatus) ? null : trustPolicyStatus)
- }
- retentionPolicy: {
- days: (empty(retentionPolicyDays) ? null : int(retentionPolicyDays))
- status: (empty(retentionPolicyStatus) ? null : retentionPolicyStatus)
+ status: trustPolicyStatus
 }
+ retentionPolicy: acrSku == 'Premium' ? {
+ days: retentionPolicyDays
+ status: retentionPolicyStatus
+ } : null
 }
 dataEndpointEnabled: dataEndpointEnabled
 publicNetworkAccess: publicNetworkAccess
 networkRuleBypassOptions: networkRuleBypassOptions
+ networkRuleSet: !empty(networkRuleSetIpRules) ? {
+ defaultAction: networkRuleSetDefaultAction
+ ipRules: networkRuleSetIpRules
+ } : null
+ zoneRedundancy: acrSku == 'Premium' ? zoneRedundancy : null
 }
 }
 
+module registry_replications 'replications/deploy.bicep' = [for (replication, index) in replications: {
+ name: '${uniqueString(deployment().name, location)}-Registry-Replication-${index}'
+ params: {
+ name: replication.name
+ registryName: registry.name
+ location: replication.location
+ regionEndpointEnabled: contains(replication, 'regionEndpointEnabled') ? replication.regionEndpointEnabled : true
+ zoneRedundancy: contains(replication, 'zoneRedundancy') ? replication.zoneRedundancy : 'Disabled'
+ tags: contains(replication, 'tags') ? replication.tags : {}
+ }
+}]
+
 resource registry_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${registry.name}-${lock}-lock'
 properties: {
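Review bot: `networkRuleSet` is emitted only when `networkRuleSetIpRules` is non-empty, so the `Deny` default of `networkRuleSetDefaultAction` has no effect unless at least one IP rule is supplied — a caller who passes `networkRuleSetDefaultAction: 'Deny'` with `publicNetworkAccess: 'Enabled'` and no rules still gets a registry reachable from any address, and nothing in the template or readme says so. Either gate on both inputs, `networkRuleSet: (networkRuleSetDefaultAction == 'Deny' || !empty(networkRuleSetIpRules)) ? {`, or state in the `networkRuleSetDefaultAction` description that it is applied only together with IP rules. The `acrSku == 'Premium'` gating used for `encryption`, `exportPolicy`, `retentionPolicy` and `zoneRedundancy` is absent from the `registry_replications` loop; replications are presumably a Premium-only feature, so a non-empty `replications` array on a Basic or Standard registry would fail in the child module instead of being skipped like the other Premium properties — `[for (replication, index) in (acrSku == 'Premium' ? replications : []): {` would make the behaviour consistent. `quarantinePolicy` and `trustPolicy` now always send a `status` (previously `null` when unset); if those policies are also SKU-restricted, the same guard applies to them.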
diff --git a/arm/Microsoft.ContainerRegistry/registries/readme.md b/arm/Microsoft.ContainerRegistry/registries/readme.md
index 65d628a2c7..e6f4de55c9 100644
--- a/arm/Microsoft.ContainerRegistry/registries/readme.md
+++ b/arm/Microsoft.ContainerRegistry/registries/readme.md
@@ -9,39 +9,58 @@ Azure Container Registry is a managed, private Docker registry service based on
 | `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.ContainerRegistry/registries` | 2021-09-01 |
+| `Microsoft.ContainerRegistry/registries/replications` | 2021-12-01-preview |
 | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview |
-| `Microsoft.Network/privateEndpoints` | 2021-02-01 |
+| `Microsoft.Network/privateEndpoints` | 2021-05-01 |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 |
 
 ## Parameters
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `acrAdminUserEnabled` | bool | | | Optional. Enable admin user that have push / pull permission to the registry. |
-| `acrSku` | string | `Basic` | `[Basic, Standard, Premium]` | Optional. Tier of your Azure container registry. |
+| `acrAdminUserEnabled` | bool | `False` | | Optional. Enable admin user that have push / pull permission to the registry. |
+| `acrSku` | string | `Basic` | `[Basic, Premium, Standard]` | Optional. Tier of your Azure container registry. |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
-| `dataEndpointEnabled` | bool | | | Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. |
+| `dataEndpointEnabled` | bool | `False` | | Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. |
 | `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
 | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
 | `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. |
 | `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. |
+| `encryptionStatus` | string | `disabled` | `[disabled, enabled]` | Optional. The value that indicates whether encryption is enabled or not. |
+| `exportPolicyStatus` | string | `disabled` | `[disabled, enabled]` | Optional. The value that indicates whether the export policy is enabled or not. |
+| `keyVaultProperties` | object | `{object}` | | Optional. Identity which will be used to access key vault and Key vault uri to access the encryption key. |
 | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
 | `logsToEnable` | array | `[ContainerRegistryRepositoryEvents, ContainerRegistryLoginEvents]` | `[ContainerRegistryRepositoryEvents, ContainerRegistryLoginEvents]` | Optional. The name of logs that will be streamed. |
 | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. |
 | `name` | string | | | Required. Name of your Azure container registry |
 | `networkRuleBypassOptions` | string | `AzureServices` | | Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None |
+| `networkRuleSetDefaultAction` | string | `Deny` | `[Allow, Deny]` | Optional. The default action of allow or deny when no other rules match. |
+| `networkRuleSetIpRules` | array | `[]` | | Optional. The IP ACL rules. |
 | `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. |
-| `publicNetworkAccess` | string | `Enabled` | | Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled |
-| `quarantinePolicyStatus` | string | | | Optional. The value that indicates whether the policy is enabled or not. |
-| `retentionPolicyDays` | string | | | Optional. The number of days to retain an untagged manifest after which it gets purged. |
-| `retentionPolicyStatus` | string | | | Optional. The value that indicates whether the policy is enabled or not. |
+| `publicNetworkAccess` | string | `Enabled` | `[Disabled, Enabled]` | Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled |
+| `quarantinePolicyStatus` | string | `disabled` | `[disabled, enabled]` | Optional. The value that indicates whether the quarantine policy is enabled or not. |
+| `replications` | _[replications](replications/readme.md)_ array | `[]` | | Optional. All replications to create |
+| `retentionPolicyDays` | int | `15` | | Optional. The number of days to retain an untagged manifest after which it gets purged. |
+| `retentionPolicyStatus` | string | `enabled` | `[disabled, enabled]` | Optional. The value that indicates whether the retention policy is enabled or not. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
-| `systemAssignedIdentity` | bool | | | Optional. Enables system assigned managed identity on the resource. |
+| `systemAssignedIdentity` | bool | `False` | | Optional. Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
-| `trustPolicyStatus` | string | | | Optional. The value that indicates whether the policy is enabled or not. |
+| `trustPolicyStatus` | string | `disabled` | `[disabled, enabled]` | Optional. The value that indicates whether the trust policy is enabled or not. |
 | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. |
+| `zoneRedundancy` | string | `Disabled` | `[Disabled, Enabled]` | Optional. Whether or not zone redundancy is enabled for this container registry |
+
+### Parameter Usage: `keyVaultProperties`
+
+```json
+"keyVaultProperties": {
+ "value": {
+ "identity": "string", // The client id of the identity which will be used to access key vault.
+ "keyIdentifier": "string" // Key vault uri to access the encryption key.
+ }
+}
+```
 
 ### Parameter Usage: `roleAssignments`
 
@@ -160,7 +179,8 @@ You can specify multiple user assigned identities to a resource by providing add
 
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
-- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints)
+- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints)
 - [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups)
 - [Registries](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-09-01/registries)
+- [Registries/Replications](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/replications)
 - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
diff --git a/arm/Microsoft.ContainerRegistry/registries/replications/.bicep/nested_cuaId.bicep b/arm/Microsoft.ContainerRegistry/registries/replications/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/arm/Microsoft.ContainerRegistry/registries/replications/.bicep/nested_cuaId.bicep
@@ -0,0 +1 @@
+
diff --git a/arm/Microsoft.ContainerRegistry/registries/replications/deploy.bicep b/arm/Microsoft.ContainerRegistry/registries/replications/deploy.bicep
new file mode 100644
index 0000000000..6f20793a4e
--- /dev/null
+++ b/arm/Microsoft.ContainerRegistry/registries/replications/deploy.bicep
@@ -0,0 +1,53 @@
+@description('Required. The name of the registry.')
+param registryName string
+
+@description('Required. The name of the replication.')
+param name string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications.')
+param regionEndpointEnabled bool = true
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether or not zone redundancy is enabled for this container registry')
+param zoneRedundancy string = 'Disabled'
+
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' existing = {
+ name: registryName
+}
+
+resource replication 'Microsoft.ContainerRegistry/registries/replications@2021-12-01-preview' = {
+ name: name
+ parent: registry
+ location: location
+ tags: tags
+ properties: {
+ regionEndpointEnabled: regionEndpointEnabled
+ zoneRedundancy: zoneRedundancy
+ }
+}
+
+@description('The name of the replication.')
+output name string = replication.name
+
+@description('The resource ID of the replication.')
+output resourceId string = replication.id
+
+@description('The name of the resource group the replication was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.ContainerRegistry/registries/replications/readme.md b/arm/Microsoft.ContainerRegistry/registries/replications/readme.md
new file mode 100644
index 0000000000..5fc994b14a
--- /dev/null
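Review bot: `location` defaults to `resourceGroup().location` and is described as `Location for all resources`, but for a replication it is the target region, and the parent module always passes `replication.location` explicitly; with the default, omitting the value places the replica in the resource group's region, which is normally the registry's own home region and presumably rejected by the service rather than silently ignored. Consider making `location` required, or at least `@description('Optional. Region to replicate the registry into; must differ from the registry location.')`. The `zoneRedundancy` description is copied from the registry module and still says `for this container registry`; change it to `@description('Optional. Whether or not zone redundancy is enabled for this replication')`. The `registry` existing reference uses API `2021-09-01` while the child resource uses `2021-12-01-preview`; that is fine for an `existing` lookup, but a short comment saying the versions are intentionally different would stop a later "alignment" edit.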
+++ b/arm/Microsoft.ContainerRegistry/registries/replications/readme.md 
@@ -0,0 +1,50 @@
+# ContainerRegistry Registries Replications `[Microsoft.ContainerRegistry/registries/replications]`
+
+This module deploys ContainerRegistry Registries Replications.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.ContainerRegistry/registries/replications` | 2021-12-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
+| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
+| `name` | string | | | Required. The name of the replication. |
+| `regionEndpointEnabled` | bool | `True` | | Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. |
+| `registryName` | string | | | Required. The name of the registry. |
+| `tags` | object | `{object}` | | Optional. Tags of the resource. |
+| `zoneRedundancy` | string | `Disabled` | `[Disabled, Enabled]` | Optional. Whether or not zone redundancy is enabled for this container registry |
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the replication. |
+| `resourceGroupName` | string | The name of the resource group the replication was created in. |
+| `resourceId` | string | The resource ID of the replication. |
+
+## Template references
+
+- [Registries/Replications](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/replications)
diff --git a/arm/Microsoft.ContainerRegistry/registries/replications/version.json b/arm/Microsoft.ContainerRegistry/registries/replications/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.ContainerRegistry/registries/replications/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}