For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-azure-azure-container-registry-with-no-locks.md. A documentation index is available at /llms.txt.

Azure Container Registry with no locks

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-azure-azure-container-registry-with-no-locks

Provider: Azure

Platform: Ansible

Severity: High

Category: Insecure Configurations

Learn More

Description

Azure Container Registries must be protected by Azure resource locks to prevent accidental or unauthorized deletion or modification of container images and registry configuration.

In Ansible playbooks, tasks that create or manage ACRs using the azure.azcollection.azure_rm_containerregistry or azure_rm_containerregistry modules must be accompanied by a lock task using azure.azcollection.azure_rm_lock or azure_rm_lock. The lock should either target the specific registry—by having managed_resource_id contain the registry’s <register>.id—or be scoped to the same resource_group as the registry (lock resource_group equals registry resource_group). Tasks without a corresponding lock task, or with locks that do not reference the registry by managed_resource_id nor share the same resource_group, are flagged.

Compliant Code Examples

- name: Create an azure container registry
  azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroup
    admin_user_enabled: true
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
- name: Create a lock for a resource group
  azure_rm_lock:
    resource_group: myResourceGroup
    name: myLock
    level: read_only

- name: Create an azure container registry11
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
  register: acr2
- name: "Create lock for ACR11"
  azure.azcollection.azure_rm_lock:
    managed_resource_id: "{{ acr2.id }}"
    name: "acr_lock"
    level: can_not_delete

Non-Compliant Code Examples

- name: Create an azure container registry
  azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroupFake
    admin_user_enabled: true
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
- name: Create a lock for a resource group
  azure_rm_lock:
    resource_group: myResourceGroup32
    name: myLock
    level: read_only
- name: Create an azure container registry2
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: someResourceGroup
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production

- name: Create an azure container registryy1
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
  register: acr
- name: "Create lock for ACR1"
  azure.azcollection.azure_rm_lock:
    managed_resource_id: "{{ acr3.id }}"
    name: "acr_lock"
    level: can_not_delete