Azure Container Registry

azure-acr

Azure Container Registry with geo-replication, retention/trust policies, private endpoint and AcrPull role wiring for AKS/Container Apps. Works with Terraform and OpenTofu (>= 1.6), AzureRM provider >= 4.0, < 5.0.

Secure defaults:

• Admin account disabled — Entra identities + RBAC only
• Anonymous pull disabled
• Untagged manifests purged after 7 days (Premium retention policy)
• Optional IP network rules (default action Deny) and Private Link endpoint
• Trusted Azure services bypass kept (configurable)
• Premium-only features are guarded by plan-time preconditions, not silent drops

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/azurerm >= 4.0, < 5.0

Notes for integrators:

• The role-assignment maps use static keys so principal IDs may be unknown at plan time (e.g. straight from another module's output).
• For private-endpoint DNS, link privatelink.azurecr.io to your VNet and pass its zone ID in private_endpoint.private_dns_zone_ids.
• Use sku = "Basic" for cheap dev registries — the module blocks Premium-only options at plan time instead of failing mid-apply.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).