Governance Policies Azure Web Container Registry - Azure/az-prototype GitHub Wiki

# Governance policies for Container Registry

Domain: azure-web

| Name | Description |
|---|---|
| Container Registry with private endpoint and RBAC | Complete Container Registry deployment with admin disabled, Premium SKU, private endpoint, DNS, and AcrPull/AcrPush role assignments |


| Description | Instead |
|---|---|
| Do not use admin credentials for container registry access | Use managed identity with AcrPull role for pulling and AcrPush role for pushing |
| Do not use Basic or Standard SKU when private endpoints are needed | Use Premium SKU, which supports private link, retention policies, and geo-replication |
| Do not store ACR admin password in application configuration | Use identity-based authentication — no credentials needed |


| Check | Severity | Description |
|---|---|---|
| AZ-ACR-001 | Required | Create Container Registry with Premium SKU, admin user disabled, and public access disabled. ALWAYS use Premium SKU — it is required for private endpoints, retention policies, and geo-replication. NEVER use Basic or Standard SKU. |
| AZ-ACR-002 | Required | Use Premium SKU when private endpoints are required |
| AZ-ACR-003 | Recommended | Enable retention policy for untagged manifests |
| AZ-ACR-004 | Recommended | Enable diagnostic settings to Log Analytics workspace |


## AZ-ACR-001

Create Container Registry with Premium SKU, admin user disabled, and public access disabled. ALWAYS use Premium SKU — it is required for private endpoints, retention policies, and geo-replication. NEVER use Basic or Standard SKU.

Severity: Required

Rationale: Admin credentials are a shared secret that cannot be scoped or audited; public access exposes the registry to the internet; Premium SKU is required for private endpoint support.

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.ContainerRegistry/registries

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-acr | Private endpoint for Container Registry — required when publicNetworkAccess is Disabled (requires Premium SKU) |
| Microsoft.Network/privateDnsZones | privatelink.azurecr.io | Private DNS zone for Container Registry private endpoint resolution |
| Microsoft.Authorization/roleAssignments | AcrPull | AcrPull role (7f951dda-4ed3-4680-a7ca-43fe172d538d) for pulling images — assign to the compute identity |
| Microsoft.Authorization/roleAssignments | AcrPush | AcrPush role (8311e382-0749-4cb8-b61a-304f252e45ec) for pushing images — assign to the CI/CD identity |


## AZ-ACR-002

Use Premium SKU when private endpoints are required.

Severity: Required

Rationale: Private endpoints are only available on the Premium SKU; Basic and Standard do not support private link.

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.ContainerRegistry/registries


## AZ-ACR-003

Enable retention policy for untagged manifests.

Severity: Recommended

Rationale: Prevents unbounded storage growth from untagged images; 7-day retention is a good default.

Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst

- Microsoft.ContainerRegistry/registries


## AZ-ACR-004

Enable diagnostic settings to Log Analytics workspace.

Severity: Recommended

Rationale: Audit trail for image pull/push operations and repository events.

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.ContainerRegistry/registries

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-acr | Diagnostic settings for Container Registry to Log Analytics |
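The four checks above can be evaluated mechanically against an ARM-style registry definition. The following is an added example, not code from the az-prototype wiki: `evaluate_acr()` is a hypothetical helper that encodes AZ-ACR-001 to AZ-ACR-004 over the `sku` and `properties` fields of a `Microsoft.ContainerRegistry/registries` resource, and the weak and compliant sample resources are constructed for illustration (diagnostic settings are a separate resource, so their presence is passed in as a flag).

```python
"""Added example: evaluate a Container Registry resource against AZ-ACR-001..004."""
from __future__ import annotations
from typing import Any

REQUIRED, RECOMMENDED = "Required", "Recommended"


def evaluate_acr(resource: dict[str, Any], has_diag_setting: bool = False) -> list[tuple[str, str, str]]:
    """Return (check_id, severity, message) findings; an empty list means compliant."""
    findings: list[tuple[str, str, str]] = []
    sku = resource.get("sku", {}).get("name")
    props = resource.get("properties", {})
    # AZ-ACR-001 / AZ-ACR-002: only Premium supports private link, retention and geo-replication
    if sku != "Premium":
        findings.append(("AZ-ACR-001", REQUIRED, f"sku is {sku!r}; Premium is required"))
        findings.append(("AZ-ACR-002", REQUIRED, "private endpoints need the Premium SKU"))
    # AZ-ACR-001: the admin user is a shared secret that cannot be scoped or audited
    if props.get("adminUserEnabled", False):
        findings.append(("AZ-ACR-001", REQUIRED, "adminUserEnabled must be false; use AcrPull/AcrPush RBAC"))
    # AZ-ACR-001: publicNetworkAccess defaults to 'Enabled', i.e. reachable from the internet
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(("AZ-ACR-001", REQUIRED, "publicNetworkAccess must be Disabled (use a private endpoint)"))
    # AZ-ACR-003: retention policy for untagged manifests is disabled unless set explicitly
    retention = props.get("policies", {}).get("retentionPolicy", {})
    if str(retention.get("status", "disabled")).lower() != "enabled":
        findings.append(("AZ-ACR-003", RECOMMENDED, "retentionPolicy for untagged manifests is disabled"))
    # AZ-ACR-004: diagnostic settings are a separate Microsoft.Insights resource
    if not has_diag_setting:
        findings.append(("AZ-ACR-004", RECOMMENDED, "no diagnostic setting to Log Analytics"))
    return findings


# Constructed sample resources (shape follows Microsoft.ContainerRegistry/registries)
WEAK_ACR = {
    "sku": {"name": "Basic"},
    "properties": {"adminUserEnabled": True, "publicNetworkAccess": "Enabled"},
}
COMPLIANT_ACR = {
    "sku": {"name": "Premium"},
    "properties": {
        "adminUserEnabled": False,
        "publicNetworkAccess": "Disabled",
        "policies": {"retentionPolicy": {"status": "enabled", "days": 7}},
    },
}

if __name__ == "__main__":
    for check_id, severity, msg in evaluate_acr(WEAK_ACR):
        print(f"{check_id} [{severity}]: {msg}")
    print("compliant:", evaluate_acr(COMPLIANT_ACR, has_diag_setting=True) == [])
```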