Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/avinor/terraform-azurerm-container-registry
Terraform module to create a docker container registry in Azure
azure container-registry terraform terraform-module
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/avinor/terraform-azurerm-container-registry
- Owner: avinor
- License: apache-2.0
- Created: 2019-05-22T12:09:49.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-06-20T07:53:57.000Z (5 months ago)
- Last Synced: 2024-06-22T22:04:09.675Z (5 months ago)
- Topics: azure, container-registry, terraform, terraform-module
- Language: HCL
- Size: 274 KB
- Stars: 8
- Watchers: 4
- Forks: 14
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- jimsghstars - avinor/terraform-azurerm-container-registry - Terraform module to create a docker container registry in Azure (HCL)
README
# Azure Container Registry
This module is a thin wrapper around the `azurerm_container_registry` resource that enforces naming standards and
security policies (the registry's admin user is never enabled). It can also assign roles for pulling and pushing images.

## Requirements
- Minimum **Contributor** access to create the registry
- **Owner** is required when using the *roles* variable, since it creates role assignments on the registry

## Usage
Example of a simple deployment:

```terraform
module "simple" {
  source  = "avinor/container-registry/azurerm"
  version = "1.1.0"

  name                = "acr"
  resource_group_name = "simpleacr-rg"
  location            = "westeurope"

  roles = [
    {
      object_id = "0000-0000-0000"
      role      = "AcrPull"
    },
  ]
}
```

## Diagnostics
Diagnostics settings can be sent to a storage account, an event hub or a Log Analytics workspace. The variable
`diagnostics.destination` is the resource id of the receiver: a storage account id, an event hub namespace authorization
rule id or a Log Analytics workspace id. The module detects where to send from the kind of id it is given.
`eventhub_name_log` and `eventhub_name_metric` are only needed for an event hub destination; set them to `null` for a
storage account or Log Analytics workspace.

Setting `all` in `logs` and `metrics` sends every available diagnostic category to the destination. Otherwise list the
names of the categories to send.

## Roles
The `roles` input variable can assign any role on the container registry. It is primarily meant for the `Acr*` roles
(`AcrPull`, `AcrPush`) used for pulling and pushing images.

## Docker Content Trust
[ACR supports content trust](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust)
on registries with the Premium SKU. This module enables content trust when the `content_trust` variable is set to true.
Just enabling it is not enough though; the following one-off setup has to be done afterwards:

- Grant your user the `AcrImageSigner` role on the registry temporarily
- Run `az acr login --name `. Do this after assigning the role so the token carries the new permission.
- Set `export DOCKER_CONTENT_TRUST=1`
- Build an image and push it to the new registry
- Docker will ask for a root passphrase and a repository passphrase. Generate a new, random, strong passphrase for each
- Make sure to record these passphrases somewhere secure
- Back up the content trust private keys
  - Create the archive: `umask 077; tar -zcvf docker_private_keys_backup.tar.gz -C $HOME/.docker/trust/private .; umask 022`
  - Store it securely
- Remove the temporary `AcrImageSigner` role from the registry

For using content trust in a CI/CD process:
- Create a delegated key pair for signing in the pipeline: `docker trust key generate pipeline`
- Find the private key file in the docker trust folder: `grep pipeline ~/.docker/trust/private/*`
- Add the private key, the delegated key passphrase and the root passphrase as secrets in the CI system
- Save the generated public key in the repository or wherever it is needed when signing images

When using it in a pipeline, make sure the private key is stored in `$HOME/.docker/trust/private` and define the
environment variables `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` and `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`. This
allows the pipeline to sign and push images.

Before the first signed push to a repository, the repository always needs to be initialized.
Run `docker trust signer add --key pipeline.pub pipeline `, where `pipeline.pub` is the public key and
`pipeline` is the name of the delegated signer created earlier.
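The one-off bootstrap and the pipeline signing steps above, scripted as one file. This is an added example, not the avinor module's code or part of its README. The registry name, registry resource id, user object id, image name and the signer name `pipeline` are placeholders; `az` and `docker` are assumed to be on `PATH`; and with `DRY_RUN=1` the `az`/`docker` commands are printed instead of executed so the flow can be exercised without a registry.

```shell
#!/bin/sh
# Added example (not from the avinor module): Docker Content Trust bootstrap
# and CI signing for an ACR registry. Placeholders: registry name, registry
# resource id, user object id, image reference, signer name "pipeline".
# With DRY_RUN=1 the az/docker commands are printed rather than run.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One-off bootstrap by a human: temporary AcrImageSigner role, a fresh login so
# the token carries that role, the first signed push (docker prompts for the
# root and repository passphrases), then the role is removed again.
# Usage: bootstrap_content_trust <registry-name> <registry-resource-id> <user-object-id> <image:tag>
bootstrap_content_trust() {
  registry=$1; registry_id=$2; signer_oid=$3; image=$4
  run az role assignment create --assignee "$signer_oid" --role AcrImageSigner --scope "$registry_id"
  run az acr login --name "$registry"
  export DOCKER_CONTENT_TRUST=1
  run docker push "$image"
  run az role assignment delete --assignee "$signer_oid" --role AcrImageSigner --scope "$registry_id"
}

# Archive the content-trust private keys owner-readable only. The umask is
# changed in a subshell so the caller's umask is left untouched (the README's
# "umask 077; tar ...; umask 022" resets it to 022 whatever it was before).
# Prints the archive's permission string, e.g. "-rw-------".
# Usage: backup_trust_keys [trust-private-dir] <archive.tar.gz>
backup_trust_keys() {
  src=${1:-$HOME/.docker/trust/private}; out=$2
  ( umask 077 && tar -zcf "$out" -C "$src" . )
  ls -ld "$out" | cut -c1-10
}

# In CI: put the delegated private key (from a CI secret) where docker looks
# for it, owner-readable only, keeping its original file name (the key id).
# Usage: install_pipeline_key <key-file> [trust-private-dir]
install_pipeline_key() {
  key=$1; dir=${2:-$HOME/.docker/trust/private}
  ( umask 077 && mkdir -p "$dir" && cp "$key" "$dir/$(basename "$key")" )
  chmod 600 "$dir/$(basename "$key")"
}

# In CI: refuse to run unless both passphrases docker reads from the
# environment are present, register the delegated signer for the repository
# (repository, not image tag), then do the signed push.
# Usage: pipeline_sign_and_push <image:tag> <signer-name> <signer-public-key>
pipeline_sign_and_push() {
  image=$1; signer=$2; pubkey=$3
  if [ -z "${DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE:-}" ] || \
     [ -z "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:-}" ]; then
    echo "refusing to sign: content-trust passphrases are not set" >&2
    return 1
  fi
  repo=${image%:*}   # strip the tag; the image must be given as repo:tag
  export DOCKER_CONTENT_TRUST=1
  run docker trust signer add --key "$pubkey" "$signer" "$repo"
  run docker push "$image"
}
```

In a pipeline the order is `install_pipeline_key` with the key fetched from the secret store, then `pipeline_sign_and_push` with the two passphrases exported by the CI job. The function runs `docker trust signer add` before every push, which covers the README's "initialize first" requirement for a new repository; if you only want it on the first push, guard that line. The passphrase check exists because `docker push` with `DOCKER_CONTENT_TRUST=1` otherwise blocks on an interactive prompt in a non-interactive job.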