
Azure Governance and Management Blog

Azure Policy: Required Actions for Docker Content Trust Deprecation in Azure Container Registry

ShannonHicks
Dec 17, 2025

As Azure evolves, certain features are deprecated to streamline services and improve security and performance. One such upcoming change is the deprecation of the Docker Content Trust (DCT) feature in Azure Container Registry (ACR), which is ongoing over a three-year period. This change will eventually remove the trustPolicy property from the underlying APIs.

This blog post explains what is changing, the potential impact on your Azure Policy environment, and steps you can take to mitigate disruption.

What is Changing?

  • The Docker Content Trust (DCT) feature in ACR is being deprecated. As part of this process:
    • The trustPolicy property will be removed from ARM APIs in a future version.
    • The Azure Policy aliases referencing this property will eventually be impacted.
  • Affected aliases include:
    • Microsoft.ContainerRegistry/registries/trustPolicy
    • Microsoft.ContainerRegistry/registries/trustPolicy.type
    • Microsoft.ContainerRegistry/registries/trustPolicy.status
  • Key findings:
    • No built-in policy definitions currently use these aliases, so no built-ins will be deprecated because of this feature deprecation.
    • The alias trustPolicy.status is modifiable, so any active modify policies targeting this property will break when the property is removed. This alias will be removed.

Impacts on Azure Policy

If you have active policy assignments referencing these aliases, you will need to update or remove them during the deprecation period to avoid future compliance issues:

  • Existing policies will eventually become non-compliant for any new ACR resources. For example, if a policy assignment requires trustPolicy to be enabled (Microsoft.ContainerRegistry/registries/trustPolicy.status == "enabled"), but the ACR trustPolicy property can no longer be set due to deprecation, then any new ACRs created after that point will automatically be non-compliant with the policy.
  • Policies using the modifiable alias (trustPolicy.status) will fail when the alias is deleted or marked non-modifiable at the end of the deprecation period.

Steps to Mitigate the Impact

To ensure a smooth transition:

  1. Identify Affected Policies and Assignments: Locate any custom policy definitions in your environment referencing the affected aliases.
  2. Update Policy Definitions: Remove or replace references to trustPolicy properties in your policy definitions. If the policy's only purpose is to evaluate the ACR trustPolicy, consider removing the definition altogether.
  3. Test and Validate: After updating policies, validate that they enforce compliance as intended without relying on deprecated properties.
  4. Monitor for Updates: Stay informed by monitoring Azure Container Registry retirement documentation for more details on transitioning from Docker Content Trust to Notary Project.
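
For step 1, an added example (not part of the original post or any Microsoft tooling) that scans exported custom policy definitions for the affected aliases and separates modify operations, which will fail, from plain conditions. It assumes the definitions were exported as JSON, for example with `az policy definition list`, and that each object carries its `policyRule` at the top level or under `properties`; the function names and sample definitions are constructed for illustration.

```python
import json

# Prefix shared by the three aliases the post lists (compared case-insensitively).
AFFECTED_PREFIX = "microsoft.containerregistry/registries/trustpolicy"

def _strings(node, path=()):
    """Yield (path, string) for every string nested in a policy rule."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, path + (index,))
    elif isinstance(node, str):
        yield path, node

def find_trust_policy_refs(definitions):
    """One finding per trustPolicy alias reference; kind is "modify" when it
    sits in then.details.operations (the case the post says will break)."""
    findings = []
    for definition in definitions:
        # Assumption: policyRule is top-level or nested under "properties".
        rule = definition.get("properties", definition).get("policyRule", {})
        for path, text in _strings(rule):
            if AFFECTED_PREFIX not in text.lower():
                continue
            in_ops = path[:3] == ("then", "details", "operations")
            findings.append({"definition": definition.get("name"),
                             "kind": "modify" if in_ops else "condition",
                             "path": "/".join(map(str, path))})
    return findings

# Constructed, trimmed sample definitions (not real tenant data).
SAMPLE = json.loads("""[
 {"name": "require-dct", "policyRule": {
   "if": {"allOf": [
     {"field": "type", "equals": "Microsoft.ContainerRegistry/registries"},
     {"field": "Microsoft.ContainerRegistry/registries/trustPolicy.status", "notEquals": "enabled"}]},
   "then": {"effect": "deny"}}},
 {"name": "enable-dct", "policyRule": {
   "if": {"field": "type", "equals": "Microsoft.ContainerRegistry/registries"},
   "then": {"effect": "modify", "details": {"operations": [
     {"operation": "addOrReplace", "value": "enabled",
      "field": "Microsoft.ContainerRegistry/registries/trustPolicy.status"}]}}}},
 {"name": "acr-sku", "properties": {"policyRule": {
   "if": {"field": "Microsoft.ContainerRegistry/registries/sku.name", "equals": "Basic"},
   "then": {"effect": "audit"}}}}
]""")
if __name__ == "__main__":
    print(json.dumps(find_trust_policy_refs(SAMPLE), indent=2))
```

The scan matches literal alias strings only; a definition that receives the field name through a parameter will not be flagged and needs a check of its assignment parameters.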
Published Dec 17, 2025
Version 1.0