---
title: Admin user enabled for container registry
description: Datadog, the leading service for cloud-scale monitoring.
---

# Admin user enabled for container registry


## Metadata{% #metadata %}

**Id:** `terraform-azure-admin-user-enabled-for-container-registry` 

**Provider:** Azure

**Platform:** Terraform

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://www.terraform.io/docs/providers/azurerm/r/container_registry.html)

### Description{% #description %}

Setting the `admin_enabled` attribute to `true` on an Azure Container Registry in Terraform enables the registry's admin user, which exposes static credentials that can be used to access and manage the registry. This increases the attack surface: the admin username and key are global for the registry, so they are easy to leak and can be abused if compromised. To mitigate this risk, disable the admin user by setting `admin_enabled = false`:

```terraform
resource "azurerm_container_registry" "example" {
  // other arguments
  admin_enabled = false
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "azurerm_resource_group" "negative1" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_container_registry" "negative2" {
  name                     = "containerRegistry1"
  resource_group_name      = azurerm_resource_group.negative1.name
  location                 = azurerm_resource_group.negative1.location
  sku                      = "Premium"
  admin_enabled            = false
  georeplication_locations = ["East US", "West Europe"]
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "azurerm_resource_group" "positive1" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_container_registry" "positive2" {
  name                     = "containerRegistry1"
  resource_group_name      = azurerm_resource_group.positive1.name
  location                 = azurerm_resource_group.positive1.location
  sku                      = "Premium"
  admin_enabled            = true
  georeplication_locations = ["East US", "West Europe"]
}
```
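
The same check can be applied to the JSON form of a Terraform plan (`terraform show -json`), which also covers registries declared inside modules. This is an added example, not Datadog's rule implementation; the plan data is constructed, and the names `apps`, `shared` and `old` are hypothetical.

```python
RESOURCE_TYPE = "azurerm_container_registry"

# Constructed sample, trimmed to the fields used here, in the shape of
# `terraform show -json <planfile>`. "apps", "shared" and "old" are hypothetical.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "azurerm_container_registry.positive2", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"], "after": {"admin_enabled": True}}},
        {"address": "azurerm_container_registry.negative2", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"], "after": {"admin_enabled": False}}},
        # Resources inside modules appear in the same flat list.
        {"address": "module.apps.azurerm_container_registry.shared", "type": RESOURCE_TYPE,
         "change": {"actions": ["update"], "before": {"admin_enabled": False},
                    "after": {"admin_enabled": True}}},
        # Destroyed registry: "after" is null, so nothing remains to flag.
        {"address": "azurerm_container_registry.old", "type": RESOURCE_TYPE,
         "change": {"actions": ["delete"], "before": {"admin_enabled": True},
                    "after": None}},
        {"address": "azurerm_resource_group.positive1", "type": "azurerm_resource_group",
         "change": {"actions": ["create"], "after": {"name": "resourceGroup1"}}},
    ]
}


def find_admin_enabled(plan):
    """Return sorted addresses of registries the plan leaves with the admin user on."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = (rc.get("change") or {}).get("after")
        if not isinstance(after, dict):  # deleted resource: no post-apply state
            continue
        if after.get("admin_enabled") is True:
            findings.append(rc["address"])
    return sorted(findings)


if __name__ == "__main__":
    for address in find_admin_enabled(SAMPLE_PLAN):
        print(f"FAIL {address}: admin_enabled = true")
```

Checking the planned `after` state rather than the `.tf` source also catches values that arrive through variables or module inputs.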
