Create private registry for Bicep modules (Preview)

To share modules within your organization, you can create a private module registry. You publish modules to that registry and give read access to users who need to deploy the modules. After the modules are shared in the registries, you can reference them from your Bicep files.

To work with module registries, you must have Bicep CLI version 0.4.1008 or later.

Configure private registry

A Bicep registry is hosted on Azure Container Registry (ACR). Use the following steps to configure your registry for modules.

  1. If you already have a container registry, you can use it. If you need to create a container registry, see Quickstart: Create a container registry by using a Bicep file.

    You can use any of the available registry SKUs for the module registry. Registry geo-replication provides users with a local presence or as a hot-backup.

  2. Get the login server name. You need this name when linking to the registry from your Bicep files.

    To get the login server name, use Get-AzContainerRegistry.

    Get-AzContainerRegistry -ResourceGroupName "<resource-group-name>" -Name "<registry-name>"  | Select-Object LoginServer
    

    Or, use az acr show.

    az acr show --resource-group <resource-group-name> --name <registry-name> --query loginServer
    

    The format of the login server name is: <registry-name>.azurecr.io.

  • To publish modules to a registry, you must have permission to push an image. To deploy a module from a registry, you must have permission to pull the image. For more information about the roles that grant adequate access, see Azure Container Registry roles and permissions.

  • Depending on the type of account you use to deploy the module, you may need to customize which credentials are used. These credentials are needed to get the modules from the registry. By default, credentials are obtained from Azure CLI or Azure PowerShell. You can customize the precedence for getting the credentials in the bicepconfig.json file. For more information, see Credentials for restoring modules.

Important

The private container registry is only available to users with the required access. However, it's accessed through the public internet. For more security, you can require access through a private endpoint. See Connect privately to an Azure container registry using Azure Private Link.

Publish files to registry

After setting up the container registry, you can publish files to it. Use the publish command and provide any Bicep files you intend to use as modules. Specify the target location for the module in your registry.

az bicep publish storage.bicep --target br:exampleregistry.azurecr.io/bicep/modules/storage:v1

View files in registry

To see the published module in the portal:

  1. Sign in to the Azure portal.

  2. Search for container registries.

  3. Select your registry.

  4. Select Repositories from the left menu.

  5. Select the module path (repository). In the preceding example, the module path name is bicep/modules/storage.

  6. Select the tag. In the preceding example, the tag is v1.

  7. The Artifact reference matches the reference you'll use in the Bicep file.

    Bicep module registry artifact reference

You're now ready to reference the file in the registry from a Bicep file. For examples of the syntax to use for referencing an external module, see Bicep modules.

Next steps