diff --git a/modules/Microsoft.ContainerRegistry/registries/.test/parameters.json b/modules/Microsoft.ContainerRegistry/registries/.test/parameters.json index 3731d51492..518df211a7 100644 --- a/modules/Microsoft.ContainerRegistry/registries/.test/parameters.json +++ b/modules/Microsoft.ContainerRegistry/registries/.test/parameters.json @@ -23,6 +23,15 @@ "trustPolicyStatus": { "value": "enabled" }, + "azureADAuthenticationAsArmPolicyStatus": { + "value": "enabled" + }, + "softDeletePolicyStatus": { + "value": "disabled" + }, + "softDeletePolicyDays": { + "value": 7 + }, "replications": { "value": [ { diff --git a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep index 7226d5f11e..1b04b440ce 100644 --- a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep +++ b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep @@ -51,6 +51,23 @@ param retentionPolicyStatus string = 'enabled' @description('Optional. The number of days to retain an untagged manifest after which it gets purged.') param retentionPolicyDays int = 15 +@allowed([ + 'disabled' + 'enabled' +]) +@description('Optional. The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled.') +param azureADAuthenticationAsArmPolicyStatus string = 'enabled' + +@allowed([ + 'disabled' + 'enabled' +]) +@description('Optional. Soft Delete policy status. Default is disabled.') +param softDeletePolicyStatus string = 'disabled' + +@description('Optional. The number of days after which a soft-deleted item is permanently deleted.') +param softDeletePolicyDays int = 7 + @description('Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the \'acrSku\' to be \'Premium\'.') param dataEndpointEnabled bool = false 
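Review bot: The description on `azureADAuthenticationAsArmPolicyStatus` does not say which value is the restrictive one, and it carries a typo (`registr`). With the default `'enabled'` the registry keeps accepting Azure AD tokens issued for the ARM audience, while `'disabled'` limits authentication to tokens scoped to the registry itself. I would state that in the text, e.g. `@description('Optional. Whether Azure AD tokens with the ARM audience are accepted for registry authentication. Set to disabled to require ACR-audience tokens. Default is enabled.')`. Separately, `softDeletePolicyDays` has no range decorators, so a bad value is only rejected at deployment. The service documentation as I recall it gives 1 to 90 days, which would be `@minValue(1)` and `@maxValue(90)`, but please confirm the bounds against the 2022-02-01-preview schema.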
@@ -215,7 +232,7 @@ resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = i scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) } -resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' = { +resource registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = { name: name location: location identity: identity @@ -233,6 +250,9 @@ resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' = { } } : null policies: { + azureADAuthenticationAsArmPolicy: { + status: azureADAuthenticationAsArmPolicyStatus + } exportPolicy: acrSku == 'Premium' ? { status: exportPolicyStatus } : null @@ -247,6 +267,10 @@ resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' = { days: retentionPolicyDays status: retentionPolicyStatus } : null + softDeletePolicy: { + retentionDays: softDeletePolicyDays + status: softDeletePolicyStatus + } } dataEndpointEnabled: dataEndpointEnabled publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkRuleSetIpRules) ? 'Disabled' : null) diff --git a/modules/Microsoft.ContainerRegistry/registries/readme.md b/modules/Microsoft.ContainerRegistry/registries/readme.md index 5c4d9ea65c..785a83e5bf 100644 --- a/modules/Microsoft.ContainerRegistry/registries/readme.md +++ b/modules/Microsoft.ContainerRegistry/registries/readme.md 
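Review bot: `softDeletePolicy` is written next to `retentionPolicy` in the `policies` object of the last hunk on this line, and nothing stops both from being enabled. `retentionPolicyStatus` defaults to `'enabled'`, so a Premium consumer who only flips `softDeletePolicyStatus` ends up with both. As far as I recall, the soft-delete preview rejects that combination and does not support geo-replicated registries either (please verify against the current service documentation), in which case the failure would surface only at deployment time. I would add a comment above the property such as `// soft delete (preview): confirm it may be combined with an enabled retentionPolicy and with replications before enabling`, and repeat the constraint in the `softDeletePolicyStatus` description. The `registry` resource body starts and ends outside this hunk.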
@@ -16,9 +16,9 @@ Azure Container Registry is a managed, private Docker registry service based on | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ContainerRegistry/registries` | [2021-09-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-09-01/registries) | -| `Microsoft.ContainerRegistry/registries/replications` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/replications) | -| `Microsoft.ContainerRegistry/registries/webhooks` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/webhooks) | +| `Microsoft.ContainerRegistry/registries` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2022-02-01-preview/registries) | +| `Microsoft.ContainerRegistry/registries/replications` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2022-02-01-preview/registries/replications) | +| `Microsoft.ContainerRegistry/registries/webhooks` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2022-02-01-preview/registries/webhooks) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 
[2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints/privateDnsZoneGroups) | @@ -40,6 +40,7 @@ Azure Container Registry is a managed, private Docker registry service based on | :-- | :-- | :-- | :-- | :-- | | `acrAdminUserEnabled` | bool | `False` | | Enable admin user that have push / pull permission to the registry. | | `acrSku` | string | `'Basic'` | `[Basic, Premium, Standard]` | Tier of your Azure container registry. | +| `azureADAuthenticationAsArmPolicyStatus` | string | `'enabled'` | `[disabled, enabled]` | The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | 
@@ -66,6 +67,8 @@ Azure Container Registry is a managed, private Docker registry service based on | `retentionPolicyDays` | int | `15` | | The number of days to retain an untagged manifest after which it gets purged. | | `retentionPolicyStatus` | string | `'enabled'` | `[disabled, enabled]` | The value that indicates whether the retention policy is enabled or not. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `softDeletePolicyDays` | int | `7` | | The number of days after which a soft-deleted item is permanently deleted. | +| `softDeletePolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | Soft Delete policy status. Default is disabled. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | | `trustPolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the trust policy is enabled or not. | @@ -470,6 +473,7 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { // Non-required parameters acrAdminUserEnabled: false acrSku: 'Premium' + azureADAuthenticationAsArmPolicyStatus: 'enabled' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' diagnosticLogsRetentionInDays: 7 
@@ -509,6 +513,8 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { roleDefinitionIdOrName: 'Reader' } ] + softDeletePolicyDays: 7 + softDeletePolicyStatus: 'disabled' systemAssignedIdentity: true trustPolicyStatus: 'enabled' userAssignedIdentities: { @@ -547,6 +553,9 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { "acrSku": { "value": "Premium" }, + "azureADAuthenticationAsArmPolicyStatus": { + "value": "enabled" + }, "diagnosticEventHubAuthorizationRuleId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" }, @@ -610,6 +619,12 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { } ] }, + "softDeletePolicyDays": { + "value": 7 + }, + "softDeletePolicyStatus": { + "value": "disabled" + }, "systemAssignedIdentity": { "value": true }, diff --git a/modules/Microsoft.ContainerRegistry/registries/replications/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/replications/deploy.bicep index 515f6da4f9..90da6e1dad 100644 --- a/modules/Microsoft.ContainerRegistry/registries/replications/deploy.bicep +++ b/modules/Microsoft.ContainerRegistry/registries/replications/deploy.bicep @@ -35,11 +35,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' existing = { +resource registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = { name: registryName } -resource replication 'Microsoft.ContainerRegistry/registries/replications@2021-12-01-preview' = { +resource replication 'Microsoft.ContainerRegistry/registries/replications@2022-02-01-preview' = { name: name parent: registry location: location 
diff --git a/modules/Microsoft.ContainerRegistry/registries/replications/readme.md b/modules/Microsoft.ContainerRegistry/registries/replications/readme.md index a032e90e9c..425640b565 100644 --- a/modules/Microsoft.ContainerRegistry/registries/replications/readme.md +++ b/modules/Microsoft.ContainerRegistry/registries/replications/readme.md @@ -13,7 +13,7 @@ This module deploys ContainerRegistry Registries Replications. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ContainerRegistry/registries/replications` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/replications) | +| `Microsoft.ContainerRegistry/registries/replications` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2022-02-01-preview/registries/replications) | ## Parameters diff --git a/modules/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep index a05764cfbe..f58bcf3da6 100644 --- a/modules/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep +++ b/modules/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep @@ -52,11 +52,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' existing = { +resource registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = { name: registryName } -resource webhook 'Microsoft.ContainerRegistry/registries/webhooks@2021-12-01-preview' = { +resource webhook 'Microsoft.ContainerRegistry/registries/webhooks@2022-02-01-preview' = { name: name parent: registry location: location diff --git a/modules/Microsoft.ContainerRegistry/registries/webhooks/readme.md b/modules/Microsoft.ContainerRegistry/registries/webhooks/readme.md index fd6fb38fa8..d009a3e881 100644 
--- a/modules/Microsoft.ContainerRegistry/registries/webhooks/readme.md +++ b/modules/Microsoft.ContainerRegistry/registries/webhooks/readme.md @@ -13,7 +13,7 @@ This module deploys ContainerRegistry Registries Webhooks. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ContainerRegistry/registries/webhooks` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/webhooks) | +| `Microsoft.ContainerRegistry/registries/webhooks` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2022-02-01-preview/registries/webhooks) | ## Parameters