PSRule.Rules.Azure
Add a rule for API Management to use a SKU that supports AZ and multi-region deployments
Existing rule
No response
Description of the issue
The following rules are being skipped in the AVM tests for no apparent reason for this resource, can you please advise:
Error messages
No response
Reproduction
Example AVM workflows that have run this for this resource can be seen here:
- https://github.com/Azure/bicep-registry-modules/actions/runs/8471591476/job/23211999871
Version of PSRule
2.9.0
Version of PSRule for Azure
v1.35.0-B0116
Additional context
No response
@jtracey93 Multi-region and availability zones only apply to premium SKU; it's not supported on any other SKU, so these rules are not run if the resource uses a non-premium SKU. From my understanding e2e tests use the parameter default SKU of Developer.
We could add a rule to suggest that any APIM deployment should use the premium SKU, but it's likely this would not be ideal in a number of customer cases, so we have not so far. Although realistically it's the only option for AZ support currently, although Standard V2 I believe will drop with this at some point.
https://learn.microsoft.com/en-gb/azure/api-management/v2-service-tiers-overview#preview-limitations
Agreed. I think the premium being the only way to get AZ support that is the WAF guidance means we should add a rule for it. It can always be suppressed.
https://github.com/Azure/PSRule.Rules.Azure/pull/2874 covers the Azure.APIM.AvailabilityZone update.
@BernieWhite
Should we also update Azure.APIM.MultiRegion and Azure.APIM.MultiRegionGateway to emit failure when the Premium SKU is not used? Optionally create a separate rule to recommend the use of Premium SKU, but there are several scenarios where this will not be ideal at all. Probably better to remove the If on the rules and rather have them fail if the SKU is not Premium.
Yes @BenjaminEngeset. Let's update Azure.APIM.MultiRegion instead of adding a new rule to remove the -If and add a check so it will flag for SKU. Similar to Azure.APIM.AvailabilityZone.
For Azure.APIM.MultiRegionGateway it's more intended to ensure if you are already multi-region that you haven't disabled the gateways in other regions, so we don't need to change it.