diff --git a/avm/res/container-registry/registry/README.md b/avm/res/container-registry/registry/README.md index ad5dc49119..73b862ec30 100644 --- a/avm/res/container-registry/registry/README.md +++ b/avm/res/container-registry/registry/README.md 
@@ -1027,13 +1027,138 @@ Array of Cache Rules. - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`sourceRepository`](#parameter-cacherulessourcerepository) | string | Source repository pulled from upstream. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`credentialSetResourceId`](#parameter-cacherulescredentialsetresourceid) | string | The resource ID of the credential store which is associated with the cache rule. | +| [`name`](#parameter-cacherulesname) | string | The name of the cache rule. Will be derived from the source repository name if not defined. | +| [`targetRepository`](#parameter-cacherulestargetrepository) | string | Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. | + +### Parameter: `cacheRules.sourceRepository` + +Source repository pulled from upstream. + +- Required: Yes +- Type: string + +### Parameter: `cacheRules.credentialSetResourceId` + +The resource ID of the credential store which is associated with the cache rule. + +- Required: No +- Type: string + +### Parameter: `cacheRules.name` + +The name of the cache rule. Will be derived from the source repository name if not defined. + +- Required: No +- Type: string + +### Parameter: `cacheRules.targetRepository` + +Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. + +- Required: No +- Type: string + ### Parameter: `credentialSets` Array of Credential Sets. - Required: No - Type: array -- Default: `[]` + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authCredentials`](#parameter-credentialsetsauthcredentials) | array | List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential. 
| +| [`loginServer`](#parameter-credentialsetsloginserver) | string | The credentials are stored for this upstream or login server. | +| [`name`](#parameter-credentialsetsname) | string | The name of the credential set. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`managedIdentities`](#parameter-credentialsetsmanagedidentities) | object | The managed identity definition for this resource. | + +### Parameter: `credentialSets.authCredentials` + +List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential. + +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-credentialsetsauthcredentialsname) | string | The name of the credential. | +| [`passwordSecretIdentifier`](#parameter-credentialsetsauthcredentialspasswordsecretidentifier) | string | KeyVault Secret URI for accessing the password. | +| [`usernameSecretIdentifier`](#parameter-credentialsetsauthcredentialsusernamesecretidentifier) | string | KeyVault Secret URI for accessing the username. | + +### Parameter: `credentialSets.authCredentials.name` + +The name of the credential. + +- Required: Yes +- Type: string + +### Parameter: `credentialSets.authCredentials.passwordSecretIdentifier` + +KeyVault Secret URI for accessing the password. + +- Required: Yes +- Type: string + +### Parameter: `credentialSets.authCredentials.usernameSecretIdentifier` + +KeyVault Secret URI for accessing the username. + +- Required: Yes +- Type: string + +### Parameter: `credentialSets.loginServer` + +The credentials are stored for this upstream or login server. + +- Required: Yes +- Type: string + +### Parameter: `credentialSets.name` + +The name of the credential set. + +- Required: Yes +- Type: string + +### Parameter: `credentialSets.managedIdentities` + +The managed identity definition for this resource. 
+ +- Required: No +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-credentialsetsmanagedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | + +### Parameter: `credentialSets.managedIdentities.systemAssigned` + +Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool ### Parameter: `customerManagedKey` 
@@ -1825,6 +1950,63 @@ All replications to create. - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-replicationsname) | string | The name of the replication. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`location`](#parameter-replicationslocation) | string | Location for all resources. | +| [`regionEndpointEnabled`](#parameter-replicationsregionendpointenabled) | bool | Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. | +| [`tags`](#parameter-replicationstags) | object | Tags of the resource. | +| [`zoneRedundancy`](#parameter-replicationszoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. | + +### Parameter: `replications.name` + +The name of the replication. + +- Required: Yes +- Type: string + +### Parameter: `replications.location` + +Location for all resources. + +- Required: No +- Type: string + +### Parameter: `replications.regionEndpointEnabled` + +Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. + +- Required: No +- Type: bool + +### Parameter: `replications.tags` + +Tags of the resource. + +- Required: No +- Type: object + +### Parameter: `replications.zoneRedundancy` + +Whether or not zone redundancy is enabled for this container registry. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` + ### Parameter: `retentionPolicyDays` The number of days to retain an untagged manifest after which it gets purged. 
@@ -2050,6 +2232,87 @@ All webhooks to create. - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`serviceUri`](#parameter-webhooksserviceuri) | string | The service URI for the webhook to post notifications. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`action`](#parameter-webhooksaction) | array | The list of actions that trigger the webhook to post notifications. | +| [`customHeaders`](#parameter-webhookscustomheaders) | object | Custom headers that will be added to the webhook notifications. | +| [`location`](#parameter-webhookslocation) | string | Location for all resources. | +| [`name`](#parameter-webhooksname) | string | The name of the registry webhook. | +| [`scope`](#parameter-webhooksscope) | string | The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. | +| [`status`](#parameter-webhooksstatus) | string | The status of the webhook at the time the operation was called. | +| [`tags`](#parameter-webhookstags) | object | Tags of the resource. | + +### Parameter: `webhooks.serviceUri` + +The service URI for the webhook to post notifications. + +- Required: Yes +- Type: string + +### Parameter: `webhooks.action` + +The list of actions that trigger the webhook to post notifications. + +- Required: No +- Type: array + +### Parameter: `webhooks.customHeaders` + +Custom headers that will be added to the webhook notifications. + +- Required: No +- Type: object + +### Parameter: `webhooks.location` + +Location for all resources. + +- Required: No +- Type: string + +### Parameter: `webhooks.name` + +The name of the registry webhook. + +- Required: No +- Type: string + +### Parameter: `webhooks.scope` + +The scope of repositories where the event can be triggered. 
For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. + +- Required: No +- Type: string + +### Parameter: `webhooks.status` + +The status of the webhook at the time the operation was called. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` + +### Parameter: `webhooks.tags` + +Tags of the resource. + +- Required: No +- Type: object + ### Parameter: `zoneRedundancy` Whether or not zone redundancy is enabled for this container registry. diff --git a/avm/res/container-registry/registry/cache-rule/README.md b/avm/res/container-registry/registry/cache-rule/README.md index 28cf73106a..a95aed0ea7 100644 --- a/avm/res/container-registry/registry/cache-rule/README.md +++ b/avm/res/container-registry/registry/cache-rule/README.md @@ -20,9 +20,14 @@ Cache for Azure Container Registry (Preview) feature allows users to cache conta | Parameter | Type | Description | | :-- | :-- | :-- | -| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. | | [`sourceRepository`](#parameter-sourcerepository) | string | Source repository pulled from upstream. | +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. | + **Optional parameters** | Parameter | Type | Description | 
@@ -31,16 +36,16 @@ Cache for Azure Container Registry (Preview) feature allows users to cache conta | [`name`](#parameter-name) | string | The name of the cache rule. Will be derived from the source repository name if not defined. | | [`targetRepository`](#parameter-targetrepository) | string | Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. | -### Parameter: `registryName` +### Parameter: `sourceRepository` -The name of the parent registry. Required if the template is used in a standalone deployment. +Source repository pulled from upstream. - Required: Yes - Type: string -### Parameter: `sourceRepository` +### Parameter: `registryName` -Source repository pulled from upstream. +The name of the parent registry. Required if the template is used in a standalone deployment. - Required: Yes - Type: string diff --git a/avm/res/container-registry/registry/cache-rule/main.bicep b/avm/res/container-registry/registry/cache-rule/main.bicep index 8b42b36da5..248bc96158 100644 --- a/avm/res/container-registry/registry/cache-rule/main.bicep +++ b/avm/res/container-registry/registry/cache-rule/main.bicep @@ -1,7 +1,7 @@ metadata name = 'Container Registries Cache' metadata description = 'Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).' -@description('Required. The name of the parent registry. Required if the template is used in a standalone deployment.') +@description('Conditional. The name of the parent registry. Required if the template is used in a standalone deployment.') param registryName string @description('Optional. The name of the cache rule. Will be derived from the source repository name if not defined.') 
diff --git a/avm/res/container-registry/registry/cache-rule/main.json b/avm/res/container-registry/registry/cache-rule/main.json index ba47f9da31..6579708c5a 100644 --- a/avm/res/container-registry/registry/cache-rule/main.json +++ b/avm/res/container-registry/registry/cache-rule/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "10966757769768845548" + "version": "0.33.13.18514", + "templateHash": "13450234979206794925" }, "name": "Container Registries Cache", "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache))." @@ -15,7 +15,7 @@ "registryName": { "type": "string", "metadata": { - "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." } }, "name": { diff --git a/avm/res/container-registry/registry/credential-set/README.md b/avm/res/container-registry/registry/credential-set/README.md index 145af9db50..b27d5299bf 100644 --- a/avm/res/container-registry/registry/credential-set/README.md +++ b/avm/res/container-registry/registry/credential-set/README.md @@ -7,6 +7,7 @@ This module deploys an ACR Credential Set. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) ## Resource Types 
@@ -22,10 +23,20 @@ This module deploys an ACR Credential Set. | :-- | :-- | :-- | | [`authCredentials`](#parameter-authcredentials) | array | List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential. | | [`loginServer`](#parameter-loginserver) | string | The credentials are stored for this upstream or login server. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`name`](#parameter-name) | string | The name of the credential set. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | | [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | + ### Parameter: `authCredentials` List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential. @@ -69,11 +80,25 @@ The credentials are stored for this upstream or login server. - Required: Yes - Type: string +### Parameter: `name` + +The name of the credential set. + +- Required: Yes +- Type: string + +### Parameter: `registryName` + +The name of the parent registry. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `managedIdentities` The managed identity definition for this resource. -- Required: Yes +- Required: No - Type: object **Optional parameters** 
@@ -89,20 +114,6 @@ Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `name` - -The name of the credential set. - -- Required: Yes -- Type: string - -### Parameter: `registryName` - -The name of the parent registry. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - ## Outputs | Output | Type | Description | @@ -111,3 +122,11 @@ The name of the parent registry. Required if the template is used in a standalon | `resourceGroupName` | string | The name of the Credential Set. | | `resourceId` | string | The resource ID of the Credential Set. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.5.1` | Remote reference | diff --git a/avm/res/container-registry/registry/credential-set/main.bicep b/avm/res/container-registry/registry/credential-set/main.bicep index 625a82c219..6907e11af2 100644 --- a/avm/res/container-registry/registry/credential-set/main.bicep +++ b/avm/res/container-registry/registry/credential-set/main.bicep 
@@ -1,17 +1,18 @@ metadata name = 'Container Registries Credential Sets' metadata description = 'This module deploys an ACR Credential Set.' -@description('Required. The name of the parent registry. Required if the template is used in a standalone deployment.') +@description('Conditional. The name of the parent registry. Required if the template is used in a standalone deployment.') param registryName string @description('Required. The name of the credential set.') param name string -@description('Required. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType +import { managedIdentityOnlySysAssignedType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentityOnlySysAssignedType? @description('Required. List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential.') -param authCredentials authCredentialsType +param authCredentials authCredentialsType[] @description('Required. The credentials are stored for this upstream or login server.') param loginServer string @@ -52,11 +53,8 @@ output systemAssignedMIPrincipalId string? = credentialSet.?identity.?principalI // Definitions // // =============== // -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? -} - +@export() +@description('The type for auth credentials.') type authCredentialsType = { @description('Required. The name of the credential.') name: string @@ -66,4 +64,4 @@ type authCredentialsType = { @description('Required. KeyVault Secret URI for accessing the password.') passwordSecretIdentifier: string -}[] +} diff --git a/avm/res/container-registry/registry/credential-set/main.json b/avm/res/container-registry/registry/credential-set/main.json index 44fa955cc9..34247710a3 100644 
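Review bot: Making `managedIdentities` optional in the first hunk allows a credential set to be deployed with no identity, while `authCredentials` still only carries Key Vault secret URIs (`usernameSecretIdentifier`, `passwordSecretIdentifier`). The resource body is outside the hunk, so how a null value is mapped to the `identity` property cannot be checked here. Presumably a set without a system-assigned identity has no principal that can be granted read access to those secrets. If that holds, say so in the parameter text, e.g. `@description('Optional. The managed identity definition for this resource. Without a system-assigned identity the credential set cannot be authorized to read the referenced Key Vault secrets.')`.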
--- a/avm/res/container-registry/registry/credential-set/main.json +++ b/avm/res/container-registry/registry/credential-set/main.json @@ -6,13 +6,40 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "4278923174720771993" + "templateHash": "16839288679507454258" }, "name": "Container Registries Credential Sets", "description": "This module deploys an ACR Credential Set." }, "definitions": { - "managedIdentitiesType": { + "authCredentialsType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the credential." + } + }, + "usernameSecretIdentifier": { + "type": "string", + "metadata": { + "description": "Required. KeyVault Secret URI for accessing the username." + } + }, + "passwordSecretIdentifier": { + "type": "string", + "metadata": { + "description": "Required. KeyVault Secret URI for accessing the password." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for auth credentials." + } + }, + "managedIdentityOnlySysAssignedType": { "type": "object", "properties": { "systemAssigned": { 
@@ -22,31 +49,11 @@ "description": "Optional. Enables system assigned managed identity on the resource." } } - } - }, - "authCredentialsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the credential." - } - }, - "usernameSecretIdentifier": { - "type": "string", - "metadata": { - "description": "Required. KeyVault Secret URI for accessing the username." - } - }, - "passwordSecretIdentifier": { - "type": "string", - "metadata": { - "description": "Required. KeyVault Secret URI for accessing the password." - } - } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if only system-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -55,7 +62,7 @@ "registryName": { "type": "string", "metadata": { - "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." } }, "name": { @@ -65,13 +72,17 @@ } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "$ref": "#/definitions/managedIdentityOnlySysAssignedType", + "nullable": true, "metadata": { - "description": "Required. The managed identity definition for this resource." + "description": "Optional. The managed identity definition for this resource." } }, "authCredentials": { - "$ref": "#/definitions/authCredentialsType", + "type": "array", + "items": { + "$ref": "#/definitions/authCredentialsType" + }, "metadata": { "description": "Required. List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential." } 
diff --git a/avm/res/container-registry/registry/main.bicep b/avm/res/container-registry/registry/main.bicep index 2acc3c4f5f..0c3e371764 100644 --- a/avm/res/container-registry/registry/main.bicep +++ b/avm/res/container-registry/registry/main.bicep @@ -111,10 +111,10 @@ param privateEndpoints privateEndpointSingleServiceType[]? param zoneRedundancy string = 'Enabled' @description('Optional. All replications to create.') -param replications array? +param replications replicationType[]? @description('Optional. All webhooks to create.') -param webhooks array? +param webhooks webhookType[]? import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. The lock settings of the service.') @@ -142,10 +142,10 @@ import { customerManagedKeyWithAutoRotateType } from 'br/public:avm/utl/types/av param customerManagedKey customerManagedKeyWithAutoRotateType? @description('Optional. Array of Cache Rules.') -param cacheRules array? +param cacheRules cacheRuleType[]? @description('Optional. Array of Credential Sets.') -param credentialSets array = [] +param credentialSets credentialSetType[]? @description('Optional. Scope maps setting.') param scopeMaps scopeMapsType[]? @@ -263,7 +263,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' = ? cMKUserAssignedIdentity.properties.clientId : null keyIdentifier: !empty(customerManagedKey.?keyVersion) - ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' + ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.?keyVersion}' : (customerManagedKey.?autoRotationEnabled ?? true) ? cMKKeyVault::cMKKey.properties.keyUri : cMKKeyVault::cMKKey.properties.keyUriWithVersion 
@@ -361,9 +361,9 @@ module registry_cacheRules 'cache-rule/main.bicep' = [ params: { registryName: registry.name sourceRepository: cacheRule.sourceRepository - name: cacheRule.?name ?? replace(replace(replace(cacheRule.sourceRepository, '/', '-'), '.', '-'), '*', '') + name: cacheRule.?name targetRepository: cacheRule.?targetRepository ?? cacheRule.sourceRepository - credentialSetResourceId: !empty(cacheRule.?credentialSetResourceId) ? cacheRule.?credentialSetResourceId : null // Must only be set if condition is set + credentialSetResourceId: cacheRule.?credentialSetResourceId } dependsOn: [ registry_credentialSets @@ -378,13 +378,7 @@ module registry_webhooks 'webhook/main.bicep' = [ name: webhook.name registryName: registry.name location: webhook.?location ?? location - action: webhook.?action ?? [ - 'chart_delete' - 'chart_push' - 'delete' - 'push' - 'quarantine' - ] + action: webhook.?action customHeaders: webhook.?customHeaders scope: webhook.?scope status: webhook.?status @@ -507,6 +501,9 @@ module registry_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.1 applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } + dependsOn: [ + registry_replications + ] } ] 
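Review bot: In `registry_webhooks` the params still pass `name: webhook.name`, but the new `webhookType` declares `name: string?`, so an entry without a name passes type checking and can then fail at deployment on the property access. `name: webhook.?name` would match the other optional fields, assuming webhook/main.bicep (not shown) supplies a default. In `registry_cacheRules`, `credentialSetResourceId: cacheRule.?credentialSetResourceId` no longer maps an empty string to null, so `''` is forwarded to the child module where it was previously dropped; either keep the `!empty(...)` guard or confirm the child module normalizes it. The removed name derivation and default `action` list are presumably now provided by the child modules, whose bodies are not in these hunks.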
@@ -530,12 +527,12 @@ output location string = registry.location @description('The Principal IDs of the ACR Credential Sets system-assigned identities.') output credentialSetsSystemAssignedMIPrincipalIds array = [ - for index in range(0, length(credentialSets)): registry_credentialSets[index].outputs.systemAssignedMIPrincipalId + for index in range(0, length(credentialSets ?? [])): registry_credentialSets[index].outputs.?systemAssignedMIPrincipalId ] @description('The Resource IDs of the ACR Credential Sets.') output credentialSetsResourceIds array = [ - for index in range(0, length(credentialSets)): registry_credentialSets[index].outputs.resourceId + for index in range(0, length(credentialSets ?? [])): registry_credentialSets[index].outputs.resourceId ] @description('The private endpoints of the Azure container registry.') @@ -578,6 +575,7 @@ type privateEndpointOutputType = { } @export() +@description('The type for a scope map.') type scopeMapsType = { @description('Optional. The name of the scope map.') name: string? 
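Review bot: `credentialSetsSystemAssignedMIPrincipalIds` can now contain null entries, because the element expression uses `.outputs.?systemAssignedMIPrincipalId` and credential sets may omit `managedIdentities`. Callers that feed this array into Key Vault role assignments need to skip the nulls. Filtering here would break index alignment with `credentialSetsResourceIds`, so documenting it is the safer choice, e.g. `@description('The Principal IDs of the ACR Credential Sets system-assigned identities. Entries are null for credential sets without a system-assigned identity.')`.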
@@ -588,3 +586,86 @@ type scopeMapsType = { @description('Optional. The user friendly description of the scope map.') description: string? } + +@export() +@description('The type for a cache rule.') +type cacheRuleType = { + @description('Optional. The name of the cache rule. Will be derived from the source repository name if not defined.') + name: string? + + @description('Required. Source repository pulled from upstream.') + sourceRepository: string + + @description('Optional. Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}.') + targetRepository: string? + + @description('Optional. The resource ID of the credential store which is associated with the cache rule.') + credentialSetResourceId: string? +} + +import { managedIdentityOnlySysAssignedType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' +import { authCredentialsType } from 'credential-set/main.bicep' +@export() +@description('The type for a credential set.') +type credentialSetType = { + @description('Required. The name of the credential set.') + name: string + + @description('Optional. The managed identity definition for this resource.') + managedIdentities: managedIdentityOnlySysAssignedType? + + @description('Required. List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential.') + authCredentials: authCredentialsType[] + + @description('Required. The credentials are stored for this upstream or login server.') + loginServer: string +} + +@export() +@description('The type for a replication.') +type replicationType = { + @description('Required. The name of the replication.') + name: string + + @description('Optional. Location for all resources.') + location: string? + + @description('Optional. Tags of the resource.') + tags: object? + + @description('Optional. Specifies whether the replication regional endpoint is enabled. 
Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications.') + regionEndpointEnabled: bool? + + @description('Optional. Whether or not zone redundancy is enabled for this container registry.') + zoneRedundancy: ('Disabled' | 'Enabled')? +} + +@export() +@description('The type for a webhook.') +type webhookType = { + @description('Optional. The name of the registry webhook.') + @minLength(5) + @maxLength(50) + name: string? + + @description('Required. The service URI for the webhook to post notifications.') + serviceUri: string + + @description('Optional. The status of the webhook at the time the operation was called.') + status: ('enabled' | 'disabled')? + + @description('Optional. The list of actions that trigger the webhook to post notifications.') + action: string[]? + + @description('Optional. Location for all resources.') + location: string? + + @description('Optional. Tags of the resource.') + tags: object? + + @description('Optional. Custom headers that will be added to the webhook notifications.') + customHeaders: object? + + @description('Optional. The scope of repositories where the event can be triggered. For example, \'foo:*\' means events for all tags under repository \'foo\'. \'foo:bar\' means events for \'foo:bar\' only. \'foo\' is equivalent to \'foo:latest\'. Empty means all events.') + scope: string? +} diff --git a/avm/res/container-registry/registry/main.json b/avm/res/container-registry/registry/main.json index 3a69cb9fa4..590026207f 100644 --- a/avm/res/container-registry/registry/main.json +++ b/avm/res/container-registry/registry/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "10147312156773531656" + "templateHash": "15303055419647729010" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR)." 
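Review bot: In `webhookType`, `customHeaders: object?` and `serviceUri: string` are declared as plain properties, yet webhook headers commonly carry an authorization value and the URI may embed a token. As members of the non-secure `webhooks` array parameter, these values would likely be kept in clear text in the deployment record. Consider adding `@secure()` above `customHeaders: object?`, and check that webhook/main.bicep (not part of this diff) treats its corresponding parameters the same way. The description could also state that secrets belong in a secure parameter rather than inline in the array.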
@@ -103,7 +103,201 @@ } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for a scope map." + } + }, + "cacheRuleType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the cache rule. Will be derived from the source repository name if not defined." + } + }, + "sourceRepository": { + "type": "string", + "metadata": { + "description": "Required. Source repository pulled from upstream." + } + }, + "targetRepository": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}." + } + }, + "credentialSetResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID of the credential store which is associated with the cache rule." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for a cache rule." + } + }, + "credentialSetType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the credential set." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityOnlySysAssignedType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource." + } + }, + "authCredentials": { + "type": "array", + "items": { + "$ref": "#/definitions/authCredentialsType" + }, + "metadata": { + "description": "Required. List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential." + } + }, + "loginServer": { + "type": "string", + "metadata": { + "description": "Required. The credentials are stored for this upstream or login server." 
+ } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for a credential set." + } + }, + "replicationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the replication." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "regionEndpointEnabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications." + } + }, + "zoneRedundancy": { + "type": "string", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "nullable": true, + "metadata": { + "description": "Optional. Whether or not zone redundancy is enabled for this container registry." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for a replication." + } + }, + "webhookType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "Optional. The name of the registry webhook." + } + }, + "serviceUri": { + "type": "string", + "metadata": { + "description": "Required. The service URI for the webhook to post notifications." + } + }, + "status": { + "type": "string", + "allowedValues": [ + "disabled", + "enabled" + ], + "nullable": true, + "metadata": { + "description": "Optional. The status of the webhook at the time the operation was called." + } + }, + "action": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. 
The list of actions that trigger the webhook to post notifications." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "customHeaders": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Custom headers that will be added to the webhook notifications." + } + }, + "scope": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for a webhook." } }, "_1.privateEndpointCustomDnsConfigType": { @@ -215,6 +409,35 @@ } } }, + "authCredentialsType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the credential." + } + }, + "usernameSecretIdentifier": { + "type": "string", + "metadata": { + "description": "Required. KeyVault Secret URI for accessing the username." + } + }, + "passwordSecretIdentifier": { + "type": "string", + "metadata": { + "description": "Required. KeyVault Secret URI for accessing the password." + } + } + }, + "metadata": { + "description": "The type for auth credentials.", + "__bicep_imported_from!": { + "sourceTemplate": "credential-set/main.bicep" + } + } + }, "customerManagedKeyWithAutoRotateType": { "type": "object", "properties": { 
@@ -439,6 +662,24 @@ } } }, + "managedIdentityOnlySysAssignedType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if only system-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } + } + }, "privateEndpointSingleServiceType": { "type": "object", "properties": { @@ -852,6 +1093,9 @@ }, "replications": { "type": "array", + "items": { + "$ref": "#/definitions/replicationType" + }, "nullable": true, "metadata": { "description": "Optional. All replications to create." @@ -859,6 +1103,9 @@ }, "webhooks": { "type": "array", + "items": { + "$ref": "#/definitions/webhookType" + }, "nullable": true, "metadata": { "description": "Optional. All webhooks to create." @@ -918,6 +1165,9 @@ }, "cacheRules": { "type": "array", + "items": { + "$ref": "#/definitions/cacheRuleType" + }, "nullable": true, "metadata": { "description": "Optional. Array of Cache Rules." @@ -925,7 +1175,10 @@ }, "credentialSets": { "type": "array", - "defaultValue": [], + "items": { + "$ref": "#/definitions/credentialSetType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of Credential Sets." } 
@@ -1026,7 +1279,7 @@ "properties": { "anonymousPullEnabled": "[parameters('anonymousPullEnabled')]", "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()), 'keyIdentifier', if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), if(coalesce(tryGet(parameters('customerManagedKey'), 'autoRotationEnabled'), true()), reference('cMKKeyVault::cMKKey').keyUri, reference('cMKKeyVault::cMKKey').keyUriWithVersion)))), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()), 'keyIdentifier', if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, tryGet(parameters('customerManagedKey'), 'keyVersion')), if(coalesce(tryGet(parameters('customerManagedKey'), 'autoRotationEnabled'), true()), reference('cMKKeyVault::cMKKey').keyUri, reference('cMKKeyVault::cMKKey').keyUriWithVersion)))), null())]", "policies": { "azureADAuthenticationAsArmPolicy": { "status": "[parameters('azureADAuthenticationAsArmPolicyStatus')]" 
@@ -1430,13 +1683,40 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "4278923174720771993" + "templateHash": "16839288679507454258" }, "name": "Container Registries Credential Sets", "description": "This module deploys an ACR Credential Set." }, "definitions": { - "managedIdentitiesType": { + "authCredentialsType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the credential." + } + }, + "usernameSecretIdentifier": { + "type": "string", + "metadata": { + "description": "Required. KeyVault Secret URI for accessing the username." + } + }, + "passwordSecretIdentifier": { + "type": "string", + "metadata": { + "description": "Required. KeyVault Secret URI for accessing the password." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for auth credentials." + } + }, + "managedIdentityOnlySysAssignedType": { "type": "object", "properties": { "systemAssigned": { @@ -1446,31 +1726,11 @@ "description": "Optional. Enables system assigned managed identity on the resource." } } - } - }, - "authCredentialsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the credential." - } - }, - "usernameSecretIdentifier": { - "type": "string", - "metadata": { - "description": "Required. KeyVault Secret URI for accessing the username." - } - }, - "passwordSecretIdentifier": { - "type": "string", - "metadata": { - "description": "Required. KeyVault Secret URI for accessing the password." - } - } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if only system-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } 
@@ -1479,7 +1739,7 @@ "registryName": { "type": "string", "metadata": { - "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." } }, "name": { @@ -1489,13 +1749,17 @@ } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "$ref": "#/definitions/managedIdentityOnlySysAssignedType", + "nullable": true, "metadata": { - "description": "Required. The managed identity definition for this resource." + "description": "Optional. The managed identity definition for this resource." } }, "authCredentials": { - "$ref": "#/definitions/authCredentialsType", + "type": "array", + "items": { + "$ref": "#/definitions/authCredentialsType" + }, "metadata": { "description": "Required. List of authentication credentials stored for an upstream. Usually consists of a primary and an optional secondary credential." } 
@@ -1586,12 +1850,14 @@ "value": "[coalesce(parameters('cacheRules'), createArray())[copyIndex()].sourceRepository]" }, "name": { - "value": "[coalesce(tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'name'), replace(replace(replace(coalesce(parameters('cacheRules'), createArray())[copyIndex()].sourceRepository, '/', '-'), '.', '-'), '*', ''))]" + "value": "[tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'name')]" }, "targetRepository": { "value": "[coalesce(tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'targetRepository'), coalesce(parameters('cacheRules'), createArray())[copyIndex()].sourceRepository)]" }, - "credentialSetResourceId": "[if(not(empty(tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'credentialSetResourceId'))), createObject('value', tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'credentialSetResourceId')), createObject('value', null()))]" + "credentialSetResourceId": { + "value": "[tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'credentialSetResourceId')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -1601,7 +1867,7 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "6908196239628494570" + "templateHash": "13450234979206794925" }, "name": "Container Registries Cache", "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache))." 
@@ -1610,7 +1876,7 @@ "registryName": { "type": "string", "metadata": { - "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." } }, "name": { @@ -1713,7 +1979,7 @@ "value": "[coalesce(tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'location'), parameters('location'))]" }, "action": { - "value": "[coalesce(tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'action'), createArray('chart_delete', 'chart_push', 'delete', 'push', 'quarantine'))]" + "value": "[tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'action')]" }, "customHeaders": { "value": "[tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'customHeaders')]" @@ -1739,7 +2005,7 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "9919896749023343359" + "templateHash": "14557981877826360902" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook." @@ -1779,6 +2045,9 @@ }, "action": { "type": "array", + "items": { + "type": "string" + }, "defaultValue": [ "chart_delete", "chart_push", @@ -2650,7 +2919,8 @@ } }, "dependsOn": [ - "registry" + "registry", + "registry_replications" ] } }, 
@@ -2704,8 +2974,8 @@ "description": "The Principal IDs of the ACR Credential Sets system-assigned identities." }, "copy": { - "count": "[length(range(0, length(parameters('credentialSets'))))]", - "input": "[reference(format('registry_credentialSets[{0}]', range(0, length(parameters('credentialSets')))[copyIndex()])).outputs.systemAssignedMIPrincipalId.value]" + "count": "[length(range(0, length(coalesce(parameters('credentialSets'), createArray()))))]", + "input": "[tryGet(tryGet(reference(format('registry_credentialSets[{0}]', range(0, length(coalesce(parameters('credentialSets'), createArray())))[copyIndex()])).outputs, 'systemAssignedMIPrincipalId'), 'value')]" } }, "credentialSetsResourceIds": { @@ -2714,8 +2984,8 @@ "description": "The Resource IDs of the ACR Credential Sets." }, "copy": { - "count": "[length(range(0, length(parameters('credentialSets'))))]", - "input": "[reference(format('registry_credentialSets[{0}]', range(0, length(parameters('credentialSets')))[copyIndex()])).outputs.resourceId.value]" + "count": "[length(range(0, length(coalesce(parameters('credentialSets'), createArray()))))]", + "input": "[reference(format('registry_credentialSets[{0}]', range(0, length(coalesce(parameters('credentialSets'), createArray())))[copyIndex()])).outputs.resourceId.value]" } }, "privateEndpoints": { diff --git a/avm/res/container-registry/registry/replication/main.json b/avm/res/container-registry/registry/replication/main.json index 4a7aac2eee..9badf5a5aa 100644 --- a/avm/res/container-registry/registry/replication/main.json +++ b/avm/res/container-registry/registry/replication/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "43238165429335678" + "version": "0.33.13.18514", + "templateHash": "2771208879484692364" }, "name": "Azure Container Registry (ACR) Replications", "description": "This module deploys an Azure Container Registry (ACR) Replication." 
diff --git a/avm/res/container-registry/registry/scope-map/main.json b/avm/res/container-registry/registry/scope-map/main.json index 4ff03f742c..ed203ced74 100644 --- a/avm/res/container-registry/registry/scope-map/main.json +++ b/avm/res/container-registry/registry/scope-map/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "12313465250221246597" + "version": "0.33.13.18514", + "templateHash": "8957375042269792339" }, "name": "Container Registries scopeMaps", "description": "This module deploys an Azure Container Registry (ACR) scopeMap." diff --git a/avm/res/container-registry/registry/webhook/main.bicep b/avm/res/container-registry/registry/webhook/main.bicep index 3e0475af15..21c62ece5d 100644 --- a/avm/res/container-registry/registry/webhook/main.bicep +++ b/avm/res/container-registry/registry/webhook/main.bicep @@ -20,7 +20,7 @@ param serviceUri string param status string = 'enabled' @description('Optional. The list of actions that trigger the webhook to post notifications.') -param action array = [ +param action string[] = [ 'chart_delete' 'chart_push' 'delete' diff --git a/avm/res/container-registry/registry/webhook/main.json b/avm/res/container-registry/registry/webhook/main.json index 36fe27a07b..cbb4e22ae0 100644 --- a/avm/res/container-registry/registry/webhook/main.json +++ b/avm/res/container-registry/registry/webhook/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "2046020077786059291" + "version": "0.33.13.18514", + "templateHash": "14557981877826360902" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook." @@ -46,6 +46,9 @@ }, "action": { "type": "array", + "items": { + "type": "string" + }, "defaultValue": [ "chart_delete", "chart_push",
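Review bot: In `webhook/main.bicep`, `param action string[]` still accepts any string, so a mistyped action name passes template validation and is only caught, if at all, when the resource provider processes the webhook. The values visible in this diff are `chart_delete`, `chart_push`, `delete`, `push` and `quarantine`. If that is the complete set the provider accepts (not confirmed by the hunk), a literal union would reject typos at compile time: `param action ('chart_delete' | 'chart_push' | 'delete' | 'push' | 'quarantine')[] = [`. The `action` property of `webhookType` in the parent module would need the same type to stay assignable. The default array continues past the end of this hunk.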