
Use ACR soft delete policy

Reliability · Container Registry · Rule · Preview · 2022_09 · Important

Azure Container Registries should have soft delete policy enabled.

Description

Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.

This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.

Once you enable the soft delete policy, ACR keeps deleted artifacts as soft deleted artifacts for the configured retention period. During that period you can list, filter, and restore them. When the retention period ends, the soft deleted artifacts are purged automatically.

Current preview limitations:

  • ACR currently doesn't support manually purging soft deleted artifacts.
  • The soft delete policy doesn't support a geo-replicated registry.
  • ACR doesn't allow enabling both the retention policy and the soft delete policy. See retention policy for untagged manifests.

Recommendation

Azure Container Registries should have the soft delete policy enabled so that accidentally deleted artifacts can be recovered within the retention period.

Examples

Configure with Azure template

To deploy an Azure Container Registry that passes this rule:

  • Set the properties.policies.softDeletePolicy.status property to enabled.
  • Set properties.policies.softDeletePolicy.retentionDays to the number of days soft deleted artifacts should be kept.
  • Leave properties.policies.retentionPolicy disabled or omit it, because ACR does not allow the retention policy and the soft delete policy to be enabled together (see the preview limitations above).

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-01-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep

To deploy an Azure Container Registry that passes this rule:

  • Set the properties.policies.softDeletePolicy.status property to enabled.
  • Set properties.policies.softDeletePolicy.retentionDays to the number of days soft deleted artifacts should be kept.
  • Leave properties.policies.retentionPolicy disabled or omit it, because ACR does not allow the retention policy and the soft delete policy to be enabled together (see the preview limitations above).

For example:

Azure Bicep snippet
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}

Configure with Azure Verified Modules

A pre-built module is available on the Azure Bicep public registry. To reference the module, use the following syntax: br/public:avm/res/container-registry/registry:<version>

Configure with Azure CLI

Azure CLI snippet
# Enable soft delete with a 90 day retention period.
az acr config soft-delete update -r '<name>' --days 90 --status enabled

# Verify the effective policy after the update.
az acr config soft-delete show -r '<name>'
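The following check is an added example, not PSRule's own rule implementation or anything from the Azure CLI. It takes registry definitions in either the ARM template shape (policies under properties) or the flattened shape that az acr show -o json returns, and reports whether each one satisfies this rule. It also flags the case the preview limitations describe, where the retention policy is enabled alongside the soft delete policy, since ACR rejects that combination. The three registries in SAMPLE_REGISTRIES are constructed for the example and are not real resources.

```python
import json

# Constructed sample registries (not real resources): the first is compliant,
# the second never enabled soft delete, the third also enables the retention
# policy, which ACR does not allow while soft delete is in preview.
SAMPLE_REGISTRIES = json.loads("""
[
  {"name": "acrgood", "sku": {"name": "Premium"},
   "properties": {"policies": {
     "softDeletePolicy": {"status": "enabled", "retentionDays": 90},
     "retentionPolicy": {"status": "disabled", "days": 7}}}},
  {"name": "acrnopolicy", "sku": {"name": "Basic"},
   "policies": {"quarantinePolicy": {"status": "disabled"}}},
  {"name": "acrconflict", "sku": {"name": "Premium"},
   "properties": {"policies": {
     "softDeletePolicy": {"status": "enabled", "retentionDays": 30},
     "retentionPolicy": {"status": "enabled", "days": 30}}}}
]
""")


def policies(reg):
    """ARM templates nest policies under 'properties'; `az acr show` flattens
    them to the top level. Accept both shapes and return the policies map."""
    props = reg.get("properties") or {}
    return props.get("policies") or reg.get("policies") or {}


def _enabled(policy):
    """Azure compares the status string case-insensitively, so do the same."""
    return str(policy.get("status", "disabled")).lower() == "enabled"


def evaluate(reg):
    """Return (passed, reasons) for one registry definition.

    The rule itself only requires softDeletePolicy.status == enabled; the
    retentionDays and retentionPolicy checks catch definitions that would be
    rejected at deployment time.
    """
    reasons = []
    pol = policies(reg)
    soft = pol.get("softDeletePolicy") or {}
    if not _enabled(soft):
        reasons.append("softDeletePolicy.status is not 'enabled'")
    else:
        days = soft.get("retentionDays")
        if not isinstance(days, int) or days < 1:
            reasons.append("softDeletePolicy.retentionDays must be a positive integer")
        if _enabled(pol.get("retentionPolicy") or {}):
            # Preview limitation: both policies cannot be enabled together.
            reasons.append("retentionPolicy is enabled alongside softDeletePolicy; "
                           "ACR rejects this combination")
    return (not reasons, reasons)


def evaluate_all(regs):
    """Map registry name to its (passed, reasons) result."""
    return {reg["name"]: evaluate(reg) for reg in regs}


if __name__ == "__main__":
    for name, (passed, reasons) in evaluate_all(SAMPLE_REGISTRIES).items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}", *reasons)
```

To run it against a real registry, replace SAMPLE_REGISTRIES with the output of az acr show -n <name> -o json wrapped in a list; the flattened shape is handled by policies().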
