feat: Updated Azure.APIM.AvailabilityZone

docs/CHANGELOG-v1.md

@@ -39,6 +39,15 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
       [#2846](https://github.com/Azure/PSRule.Rules.Azure/issues/2846)
     - Check that database accounts have public network access disabled by @BenjaminEngeset.
       [#2702](https://github.com/Azure/PSRule.Rules.Azure/issues/2702)
+- Updated rules:
+  - API Management:
+    - **Important change**: Updated `Azure.APIM.AvailabilityZone` to improve accuracy with non-premium SKUs by @BenjaminEngeset.
+      [#2788](https://github.com/Azure/PSRule.Rules.Azure/issues/2788)
+      - Removed the `If` Premium SKU.
+      - Added check for Premium SKU.
+      - Updated tests.
+      - Updated rule doc.
+      - Bumped rule set to `2024_06`.
 
 ## v1.37.0-B0009 (pre-release)
 

docs/en/rules/Azure.APIM.AvailabilityZone.md

@@ -6,40 +6,37 @@ resource: API Management
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.AvailabilityZone/
 ---
 
-# API management services should use Availability zones in supported regions
+# API management instances should use availability zones in supported regions
 
 ## SYNOPSIS
 
-API management services deployed with Premium SKU should use availability zones in supported regions for high availability.
+ API Management instances should use availability zones in supported regions for high availability.
 
 ## DESCRIPTION
 
-API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region.
-With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.
+API Management supports using availability zones to provide zone redundency for key components.
+Zone redundancy improves resiliency and high availability of the service by deploying scale units across data centers in physically separated zones.
 
-## RECOMMENDATION
+The following are required to deploy a zone redundant configuration:
 
-Consider using availability zones for API management services deployed with Premium SKU.
+- API Management is deployed with the Premium SKU.
+- At least two scale units must be deployed in separate availbility zones.
 
-## NOTES
+Zone redundancy has a different configuration for the primary and additional regions:
 
-This rule applies when analyzing resources deployed to Azure using *pre-flight* and *in-flight* data.
+- In the primary region, all service components are replicated across zones (gateway, management plane, and developer portal).
+- In additional regions, *only* the gateway is replicated across zones.
+  As the management plane/developer portal service components are only deployed to the primary region.
 
-This rule fails when `"zones"` is `null`, `[]` or less than two zones when API management service is deployed with Premium SKU and there are supported availability zones for the given region.
+## RECOMMENDATION
 
-Configure `AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST` to set additional availability zones that need to be supported which are not in the existing [providers](https://github.com/Azure/PSRule.Rules.Azure/blob/main/data/providers/) for namespace `Microsoft.ApiManagement` and resource type `services`.
-
-```yaml
-# YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
-configuration:
-  AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []
-```
+Consider using at least two (2) scale units and availability zones to improve resiliency of API Management instances to zone failures.
 
 ## EXAMPLES
 
 ### Configure with Azure template
 
-To set availability zones for a API management service
+To set availability zones for a API Management instance:
 
 - Set `zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `sku.capacity`.
 - Set `properties.additionalLocations[*].zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `properties.additionalLocations[*].sku.capacity`. 
@@ -109,7 +106,7 @@ For example:
 
 ### Configure with Bicep
 
-To set availability zones for a API management service
+To set availability zones for a API Management instance:
 
 - Set `zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `sku.capacity`.
 - Set `properties.additionalLocations[*].zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `properties.additionalLocations[*].sku.capacity`. 
@@ -173,6 +170,22 @@ resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2
 }
 ```
 
+## NOTES
+
+This rule applies when analyzing resources deployed to Azure using *pre-flight* and *in-flight* data.
+
+This rule fails when `"zones"` is `null`, `[]` or less than two zones when API Management instance is deployed with Premium SKU and there are supported availability zones for the given region.
+
+Configure `AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST` to set additional availability zones that need to be supported which are not in the existing [providers](https://github.com/Azure/PSRule.Rules.Azure/blob/main/data/providers/) for namespace `Microsoft.ApiManagement` and resource type `services`.
+
+```yaml
+# YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
+configuration:
+  AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []
+```
+
+For developer environments, suppressing the rule might make sense as enabling zone redundancy for an API Management instance requries the `Premium` SKU currently.
+
 ## LINKS
 
 - [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones)

src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1

@@ -193,8 +193,14 @@ Rule 'Azure.APIM.CertificateExpiry' -Ref 'AZR-000051' -Type 'Microsoft.ApiManage
     }
 } -Configure @{ Azure_MinimumCertificateLifetime = 30 }
 
-# Synopsis: API management services deployed with Premium SKU should use availability zones in supported regions for high availability.
-Rule 'Azure.APIM.AvailabilityZone' -Ref 'AZR-000052' -Type 'Microsoft.ApiManagement/service' -If { IsPremiumAPIM } -Tag @{ release = 'GA'; ruleSet = '2021_12'; 'Azure.WAF/pillar' = 'Reliability'; } {
+# Synopsis: API Management instances should use availability zones in supported regions for high availability.
+Rule 'Azure.APIM.AvailabilityZone' -Ref 'AZR-000052' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
+    if ($TargetObject.sku.name -ne 'Premium') {
+        return $Assert.HasFieldValue($TargetObject, 'sku.name', 'Premium') # Availability zones are only supported for the Premium SKU.
+    }
+
+    $Assert.HasFieldValue($TargetObject, 'sku.name', 'Premium')
+
     $apiManagementServiceProvider = [PSRule.Rules.Azure.Runtime.Helper]::GetResourceType('Microsoft.ApiManagement', 'service');
 
     $configurationZoneMappings = $Configuration.AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST;