Configure ACR retention policies

Cost Optimization · Container Registry · Rule · Preview · 2020_12

Use a retention policy to clean up untagged manifests.

Description

A retention policy is a configurable option of Premium Azure Container Registry (ACR). When a retention policy is configured, untagged manifests in the registry are automatically deleted. A manifest becomes untagged when a more recent image is pushed using the same tag, for example latest.

The retention policy (in days) can be set to 0-365. The default is 7 days.

To configure a retention policy, the container registry must be using a Premium SKU.

Recommendation

Consider enabling a retention policy for untagged manifests.

Examples

Configure with Azure template

To deploy Container Registries that pass this rule:

  • Set properties.retentionPolicy.status to enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-01-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep

To deploy Container Registries that pass this rule:

  • Set properties.retentionPolicy.status to enabled.

For example:

Azure Bicep snippet
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}
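
The following check is an added example, not part of the original page or of the rule's own implementation. It audits the registries in an ARM template for the conditions described above, reading the policy from the same location the snippets on this page use (properties.policies.retentionPolicy). The function names and the sample template are constructed for illustration.

```python
import json

# Constructed sample template (not from the page): three registries and one other resource.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.ContainerRegistry/registries", "name": "good", "sku": {"name": "Premium"},
   "properties": {"policies": {"retentionPolicy": {"days": 30, "status": "enabled"}}}},
  {"type": "Microsoft.ContainerRegistry/registries", "name": "disabled", "sku": {"name": "Premium"},
   "properties": {"policies": {"retentionPolicy": {"days": 7, "status": "disabled"}}}},
  {"type": "Microsoft.ContainerRegistry/registries", "name": "standard",
   "sku": {"name": "Standard"}, "properties": {}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"}
]}
""")

REGISTRY_TYPE = "microsoft.containerregistry/registries"


def check_registry(resource):
    """Return a list of findings for one registry resource; an empty list means pass."""
    findings = []
    sku = str((resource.get("sku") or {}).get("name", "")).lower()
    if sku != "premium":
        findings.append("SKU is not Premium; a retention policy cannot be configured")
    policies = (resource.get("properties") or {}).get("policies") or {}
    policy = policies.get("retentionPolicy") or {}
    if str(policy.get("status", "")).lower() != "enabled":
        findings.append("retentionPolicy.status is not enabled")
    days = policy.get("days", 7)  # the page states the default is 7 days
    # Only literal integers are range-checked; template expressions are not evaluated.
    if isinstance(days, int) and not 0 <= days <= 365:
        findings.append("retentionPolicy.days is outside 0-365")
    return findings


def audit_template(template):
    """Map each registry name to its findings, skipping other resource types."""
    return {
        r.get("name"): check_registry(r)
        for r in template.get("resources", [])
        if str(r.get("type", "")).lower() == REGISTRY_TYPE
    }


if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```
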

Notes

Retention policies for Azure Container Registry are currently in preview.