azurerm_container_registry: Support azuread_authentication_as_arm_policy_enabled, role_assignment_mode and network_rule_bypass_allowed_for_tasks#31667
Conversation
…policy_enabled` and `role_assignment_mode`
… also support Standard (per manual test)
…lus no obvious benefit for the users
azurerm_container_registry: Support azuread_authentication_as_arm_policy_enabled and role_assignment_modeazurerm_container_registry: Support azuread_authentication_as_arm_policy_enabled, role_assignment_mode and network_rule_bypass_allowed_for_tasks
|
/test |
|
@magodo - One or more tests failed in this PR. Please review the failures. Total: 19 Test Details
|
|
@catriona-m Thanks for looking into the PR. The two failures seem to be a breaking change/deprecation in the same API version:
As you can see, the same API version used to work for this |
|
@jackofallops Thanks for merging this PR! I've opened a new one to deprecate the |

Community Note
Description
After upgrading the API version of ACR to 2025-11-01, there are a few new properties introduced:
network_rule_bypass_allowed_for_tasks: This is a new policy setting being introduced allowing customers to opt-in to network bypass for tasks. See: https://learn.microsoft.com/en-us/azure/container-registry/manage-network-bypass-policy-for-tasks.Whilst, there is an issue with this attribute ([BUG] ACR 2025-11-01GETwon't returnnetworkRuleBypassAllowedForTasksAzure/azure-rest-api-specs#40126), so I didn't support it in this PR until the issue is resolved.azuread_authentication_as_arm_policy_enabled: Microsoft Entra tokens are used when registry users authenticate with Azure Container Registry (ACR). By default, Azure Container Registry (ACR) accepts Microsoft Entra tokens with an audience scope set for Azure Resource Manager (ARM), a control plane management layer for managing Azure resources. See: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-disable-authentication-as-armrole_assignment_mode: See: https://techcommunity.microsoft.com/blog/appsonazureblog/azure-container-registry-repository-permissions-with-attribute-based-access-cont/4467182The default values are set per the API behavior (manually checked) and API spec definition.
Additionally, I've removed the checkNameAvailability API call during the Create function, which has no obvious benefit and is now failing with 503:
PR Checklist
For example: “
resource_name_here- description of change e.g. adding propertynew_property_name_here”Changes to existing Resource / Data Source
Testing
Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
azurerm_resource- support for thething1property [GH-00000]This is a (please select all that apply):
Related Issue(s)
Fixes #29599
AI Assistance Disclosure
Rollback Plan
If a change needs to be reverted, we will publish an updated version of the provider.
Changes to Security Controls
Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.
Note
If this PR changes meaningfully during the course of review please update the title and description as required.