### Pinning AVM Module Version in Terraform Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/AGENTS.md When using AVM modules, it is crucial to pin to a specific version for predictable deployments. This example shows how to specify the version. ```terraform version = "1.2.3" ``` -------------------------------- ### Using Pessimistic Version Constraints for Providers in Terraform Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/AGENTS.md For providers used with AVM modules, it's recommended to use pessimistic version constraints to avoid unexpected breaking changes. This example shows a common constraint. ```terraform version = "~> 1.0" ``` -------------------------------- ### Terraform Configuration with Container Registry and Scope Maps Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/scope-maps/README.md This configuration deploys the Container Registry module with predefined scope maps for different access levels. Ensure the Premium SKU is used as it is required for scope maps functionality. The 'naming' module is used for CAF compliant resource naming. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiaeast" name = module.naming.resource_group.name_unique } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name # Create scope maps for different access levels scope_maps = { readonly = { name = "readonly-scope" actions = [ "repositories/*/content/read", "repositories/*/metadata/read" ] description = "Read-only access to all repositories" }, devops = { name = "devops-scope" actions = [ "repositories/*/content/read", "repositories/*/content/write", "repositories/*/content/delete", "repositories/*/metadata/read", "repositories/*/metadata/write" ] description = "Full access for DevOps teams" }, cicd = { name = "cicd-scope" actions = [ "repositories/myapp/content/read", "repositories/myapp/content/write" ] description = "CI/CD pipeline access for specific repositories" } } sku = "Premium" # Premium SKU is required for scope maps } ``` -------------------------------- ### Terraform Configuration for Azure Container Registry Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/low-cost/README.md This Terraform configuration sets up the necessary providers and resources to deploy an Azure Container Registry. It specifically configures the 'Basic' SKU and disables zone redundancy as required. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiaeast" name = module.naming.resource_group.name_unique } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name retention_policy_in_days = null #ACR retention policy can only be applied when using the Premium Sku. sku = "Basic" # need to override this default setting because zone redundancy isn't supported on Basic SKU. zone_redundancy_enabled = false } ``` -------------------------------- ### Terraform Configuration for Container Registry with Customer-Managed Key Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/cmk-encryption/README.md This configuration deploys an Azure Container Registry with customer-managed key encryption. It requires Terraform version 1.6+ and the AzureRM provider version 4.x. It sets up a resource group, a user-assigned identity, and an Azure Key Vault with specific access policies for the identity and client configuration. A Key Vault key is generated, and then the container registry module is called, referencing the Key Vault and key for encryption. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } key_vault { purge_soft_delete_on_destroy = true recover_soft_deleted_key_vaults = true } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiaeast" name = module.naming.resource_group.name_unique } resource "azurerm_user_assigned_identity" "this" { location = azurerm_resource_group.this.location name = module.naming.user_assigned_identity.name_unique resource_group_name = azurerm_resource_group.this.name } data "azurerm_client_config" "this" {} resource "azurerm_key_vault" "this" { location = azurerm_resource_group.this.location name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name sku_name = "premium" tenant_id = data.azurerm_client_config.this.tenant_id purge_protection_enabled = true soft_delete_retention_days = 7 access_policy { key_permissions = [ "Create", "Delete", "Get", "Purge", "List", "Recover", "Update", "GetRotationPolicy", "SetRotationPolicy" ] object_id = data.azurerm_client_config.this.object_id tenant_id = data.azurerm_client_config.this.tenant_id } access_policy { key_permissions = [ "Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", ] object_id = azurerm_user_assigned_identity.this.principal_id secret_permissions = [ "Get", ] tenant_id = data.azurerm_client_config.this.tenant_id } } resource "azurerm_key_vault_key" "key" { key_opts = [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ] key_type = "RSA" key_vault_id = azurerm_key_vault.this.id name = "generated-certificate" key_size = 2048 rotation_policy { expire_after = "P90D" notify_before_expiry = "P29D" automatic { time_before_expiry = "P30D" } } } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name customer_managed_key = { key_vault_resource_id = azurerm_key_vault.this.id key_name = azurerm_key_vault_key.key.name user_assigned_identity = { resource_id = azurerm_user_assigned_identity.this.id } } managed_identities = { system_assigned = true user_assigned_resource_ids = toset([azurerm_user_assigned_identity.this.id]) } } ``` -------------------------------- ### Mapping Telemetry to Root Variable in Terraform Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/AGENTS.md To manage telemetry settings consistently across AVM modules, map the `enable_telemetry` variable to a root-level variable. This ensures centralized control over telemetry. ```terraform enable_telemetry = var.enable_telemetry ``` -------------------------------- ### Terraform Configuration for Container Registry Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/registry-token/README.md This configuration sets up the necessary Terraform providers and modules to deploy an Azure Container Registry with advanced access control features like scope maps and tokens. It utilizes the Azure naming module for resource naming conventions. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiaeast" name = module.naming.resource_group.name_unique } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name # Create scope maps for different access levels scope_maps = { readonly = { name = "readonly-scope" actions = [ "repositories/*/content/read", "repositories/*/metadata/read" ] description = "Read-only access to all repositories" registry_tokens = { readonly_token = { name = "readonly-token" enabled = true passwords = { password1 = { expiry = "2025-12-31T00:00:00Z" } } } } }, devops = { name = "devops-scope" actions = [ "repositories/*/content/read", "repositories/*/content/write", "repositories/*/content/delete", "repositories/*/metadata/read", "repositories/*/metadata/write" ] description = "Full access for DevOps teams" registry_tokens = { devops_token1 = { name = "devops-token1" enabled = true passwords = { password1 = { expiry = "2025-12-31T00:00:00Z" } password2 = { expiry = "2026-12-31T00:00:00Z" } } } devops_token2 = { name = "devops-token2" enabled = true } } }, cicd = { name = "cicd-scope" actions = [ "repositories/myapp/content/read", "repositories/myapp/content/write" ] description = "CI/CD pipeline access for specific repositories" } } } ``` -------------------------------- ### Terraform Configuration for Container Registry with Private Endpoint Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/private-endpoint/README.md This Terraform configuration deploys an Azure Container Registry with a private endpoint. It sets up the necessary network resources like a virtual network, subnet, and private DNS zone. Ensure the Azure provider is configured correctly and the naming module is available. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiaeast" name = module.naming.resource_group.name_unique } # A vnet is required for the private endpoint. resource "azurerm_virtual_network" "this" { location = azurerm_resource_group.this.location name = module.naming.virtual_network.name_unique resource_group_name = azurerm_resource_group.this.name address_space = ["192.168.0.0/24"] } resource "azurerm_subnet" "this" { address_prefixes = ["192.168.0.0/24"] name = module.naming.subnet.name_unique resource_group_name = azurerm_resource_group.this.name virtual_network_name = azurerm_virtual_network.this.name } resource "azurerm_private_dns_zone" "this" { name = "privatelink.azurecr.io" resource_group_name = azurerm_resource_group.this.name } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name private_endpoints = { primary = { private_dns_zone_resource_ids = [azurerm_private_dns_zone.this.id] subnet_resource_id = azurerm_subnet.this.id } } public_network_access_enabled = false } ``` -------------------------------- ### Default Container Registry Deployment Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/default/README.md This HCL code block configures the Terraform environment, providers, and deploys a Container Registry module with default settings. It ensures unique CAF compliant names for resources. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiaeast" name = module.naming.resource_group.name_unique } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name } ``` -------------------------------- ### Terraform Configuration for Geo-Replicated Container Registry Source: https://github.com/azure/terraform-azurerm-avm-res-containerregistry-registry/blob/main/examples/geo-replication/README.md This HCL code defines the Terraform configuration for deploying a geo-replicated Azure Container Registry. It includes provider requirements, resource group creation, and the main container registry module with geo-replication settings. ```hcl terraform { required_version = "~> 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 4, < 5.0.0" } } } provider "azurerm" { skip_provider_registration = true features { resource_group { prevent_deletion_if_contains_resources = false } } } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = "australiasoutheast" name = module.naming.resource_group.name_unique } # This is the module call module "containerregistry" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-containerregistry-registry/azurerm" name = module.naming.container_registry.name_unique resource_group_name = azurerm_resource_group.this.name georeplications = [ { location = "australiaeast" # zone redundancy is enabled by default, and is supported in australia east tags = { environment = "prod" department = "engineering" } }, { location = "australiacentral" zone_redundancy_enabled = false tags = { environment = "pre-prod" department = "engineering" } } ] # australiasoutheast doesn't support zone redundancy for ACR (https://learn.microsoft.com/en-us/azure/container-registry/zone-redundancy#regional-support) zone_redundancy_enabled = false } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.