
fix: Add check to only apply quarantinePolicyStatus and trustPolicyStatus on Premium SKUs (#1967)
rodney-almeida authored May 21, 2024
1 parent 17e37ee commit 7954f16
Showing 3 changed files with 71 additions and 77 deletions.
8 changes: 4 additions & 4 deletions avm/res/container-registry/registry/README.md
Expand Up @@ -611,15 +611,15 @@ module registry 'br/public:avm/res/container-registry/registry:<version>' = {
| [`networkRuleSetIpRules`](#parameter-networkrulesetiprules) | array | The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. |
| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'. |
| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'. |
| [`quarantinePolicyStatus`](#parameter-quarantinepolicystatus) | string | The value that indicates whether the quarantine policy is enabled or not. |
| [`quarantinePolicyStatus`](#parameter-quarantinepolicystatus) | string | The value that indicates whether the quarantine policy is enabled or not. Note, requires the 'acrSku' to be 'Premium'. |
| [`replications`](#parameter-replications) | array | All replications to create. |
| [`retentionPolicyDays`](#parameter-retentionpolicydays) | int | The number of days to retain an untagged manifest after which it gets purged. |
| [`retentionPolicyStatus`](#parameter-retentionpolicystatus) | string | The value that indicates whether the retention policy is enabled or not. |
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
| [`softDeletePolicyDays`](#parameter-softdeletepolicydays) | int | The number of days after which a soft-deleted item is permanently deleted. |
| [`softDeletePolicyStatus`](#parameter-softdeletepolicystatus) | string | Soft Delete policy status. Default is disabled. |
| [`tags`](#parameter-tags) | object | Tags of the resource. |
| [`trustPolicyStatus`](#parameter-trustpolicystatus) | string | The value that indicates whether the trust policy is enabled or not. |
| [`trustPolicyStatus`](#parameter-trustpolicystatus) | string | The value that indicates whether the trust policy is enabled or not. Note, requires the 'acrSku' to be 'Premium'. |
| [`webhooks`](#parameter-webhooks) | array | All webhooks to create. |
| [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. |

Expand Down Expand Up @@ -1362,7 +1362,7 @@ Whether or not public network access is allowed for this resource. For security

### Parameter: `quarantinePolicyStatus`

The value that indicates whether the quarantine policy is enabled or not.
The value that indicates whether the quarantine policy is enabled or not. Note, requires the 'acrSku' to be 'Premium'.

- Required: No
- Type: string
Expand Down Expand Up @@ -1526,7 +1526,7 @@ Tags of the resource.

### Parameter: `trustPolicyStatus`

The value that indicates whether the trust policy is enabled or not.
The value that indicates whether the trust policy is enabled or not. Note, requires the 'acrSku' to be 'Premium'.

- Required: No
- Type: string
109 changes: 54 additions & 55 deletions avm/res/container-registry/registry/main.bicep
Expand Up @@ -35,14 +35,14 @@ param exportPolicyStatus string = 'disabled'
'disabled'
'enabled'
])
@description('Optional. The value that indicates whether the quarantine policy is enabled or not.')
@description('Optional. The value that indicates whether the quarantine policy is enabled or not. Note, requires the \'acrSku\' to be \'Premium\'.')
param quarantinePolicyStatus string = 'disabled'

@allowed([
'disabled'
'enabled'
])
@description('Optional. The value that indicates whether the trust policy is enabled or not.')
@description('Optional. The value that indicates whether the trust policy is enabled or not. Note, requires the \'acrSku\' to be \'Premium\'.')
param trustPolicyStatus string = 'disabled'

@allowed([
Expand Down Expand Up @@ -148,8 +148,8 @@ var formattedUserAssignedIdentities = reduce(
var identity = !empty(managedIdentities)
? {
type: (managedIdentities.?systemAssigned ?? false)
? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned')
: (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
: (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None')
userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
}
: null
Expand Down Expand Up @@ -183,47 +183,43 @@ var builtInRoleNames = {
)
}

resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
if (enableTelemetry) {
name: '46d3xbcp.res.containerregistry-registry.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
name: '46d3xbcp.res.containerregistry-registry.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
}
}
}
}

resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing =
if (!empty(customerManagedKey.?keyVaultResourceId)) {
name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
scope: resourceGroup(
split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
)

resource cMKKey 'keys@2023-02-01' existing =
if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
name: customerManagedKey.?keyName ?? 'dummyKey'
}
}
resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
scope: resourceGroup(
split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
)

resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing =
if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
scope: resourceGroup(
split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2],
split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]
)
resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
name: customerManagedKey.?keyName ?? 'dummyKey'
}
}

resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
scope: resourceGroup(
split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2],
split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]
)
}

resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' = {
name: name
Expand Down Expand Up @@ -258,13 +254,17 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' =
status: exportPolicyStatus
}
: null
quarantinePolicy: {
status: quarantinePolicyStatus
}
trustPolicy: {
type: 'Notary'
status: trustPolicyStatus
}
quarantinePolicy: acrSku == 'Premium'
? {
status: quarantinePolicyStatus
}
: null
trustPolicy: acrSku == 'Premium'
? {
type: 'Notary'
status: trustPolicyStatus
}
: null
retentionPolicy: acrSku == 'Premium'
? {
days: retentionPolicyDays
Expand Down Expand Up @@ -341,17 +341,16 @@ module registry_webhooks 'webhook/main.bicep' = [
}
]

resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' =
if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: registry
resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: registry
}

resource registry_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [
for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
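Review bot: The new `acrSku == 'Premium'` guards on `quarantinePolicy` and `trustPolicy` silently discard a caller-supplied `quarantinePolicyStatus` or `trustPolicyStatus` on Basic/Standard registries: a deployment that sets `trustPolicyStatus: 'enabled'` on a non-Premium SKU now succeeds with no trust policy at all, and nothing tells the caller the setting was dropped. Because content trust and quarantine are security controls, that silent downgrade should at least be stated where the parameters are declared, so the `@description` on `param quarantinePolicyStatus` and `param trustPolicyStatus` in the first hunk should say the value is ignored rather than only "requires Premium", e.g. `@description('Optional. The value that indicates whether the trust policy is enabled or not. Note, requires the \'acrSku\' to be \'Premium\'; on other SKUs the value is ignored and no trust policy is set.')` and the same wording for the quarantine parameter. If the project's Bicep toolchain supports it, failing the deployment when a non-default status is combined with a non-Premium SKU would be the stronger option. Separately, the `identity` hunk changes the type string to `'SystemAssigned, UserAssigned'` and the no-identity case from `null` to `'None'`, which the commit title does not mention; worth confirming that change is intentional and matches the ACR API's accepted values. The `registry` resource that the policy hunk patches opens and closes outside the hunk.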
31 changes: 13 additions & 18 deletions avm/res/container-registry/registry/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "15445287807627348186"
"version": "0.27.1.19265",
"templateHash": "10889694252440800848"
},
"name": "Azure Container Registries (ACR)",
"description": "This module deploys an Azure Container Registry (ACR).",
Expand Down Expand Up @@ -523,7 +523,7 @@
"enabled"
],
"metadata": {
"description": "Optional. The value that indicates whether the quarantine policy is enabled or not."
"description": "Optional. The value that indicates whether the quarantine policy is enabled or not. Note, requires the 'acrSku' to be 'Premium'."
}
},
"trustPolicyStatus": {
Expand All @@ -534,7 +534,7 @@
"enabled"
],
"metadata": {
"description": "Optional. The value that indicates whether the trust policy is enabled or not."
"description": "Optional. The value that indicates whether the trust policy is enabled or not. Note, requires the 'acrSku' to be 'Premium'."
}
},
"retentionPolicyStatus": {
Expand Down Expand Up @@ -717,7 +717,7 @@
},
"variables": {
"formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
"identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
"identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
"builtInRoleNames": {
"AcrDelete": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
"AcrImageSigner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
Expand Down Expand Up @@ -802,13 +802,8 @@
"status": "[parameters('azureADAuthenticationAsArmPolicyStatus')]"
},
"exportPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('status', parameters('exportPolicyStatus')), null())]",
"quarantinePolicy": {
"status": "[parameters('quarantinePolicyStatus')]"
},
"trustPolicy": {
"type": "Notary",
"status": "[parameters('trustPolicyStatus')]"
},
"quarantinePolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('status', parameters('quarantinePolicyStatus')), null())]",
"trustPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('type', 'Notary', 'status', parameters('trustPolicyStatus')), null())]",
"retentionPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('days', parameters('retentionPolicyDays'), 'status', parameters('retentionPolicyStatus')), null())]",
"softDeletePolicy": {
"retentionDays": "[parameters('softDeletePolicyDays')]",
Expand Down Expand Up @@ -943,8 +938,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "16451316437757175736"
"version": "0.27.1.19265",
"templateHash": "17370607380629293508"
},
"name": "Azure Container Registry (ACR) Replications",
"description": "This module deploys an Azure Container Registry (ACR) Replication.",
Expand Down Expand Up @@ -1091,8 +1086,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "17108035841365544326"
"version": "0.27.1.19265",
"templateHash": "15228477210534278013"
},
"name": "Container Registries Cache",
"description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).",
Expand Down Expand Up @@ -1232,8 +1227,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "10731035117081750792"
"version": "0.27.1.19265",
"templateHash": "12261942841024526503"
},
"name": "Azure Container Registry (ACR) Webhooks",
"description": "This module deploys an Azure Container Registry (ACR) Webhook.",
