Updated Azure.ContainerApp.AvailabilityZone to check for infrastructure subnet Azure#3068 (Azure#3071)

BernieWhite · web-flow · commit a086ba20680d · 2024-10-01T01:07:44.000+10:00
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -31,6 +31,12 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 What's changed since pre-release v1.39.0-B0118:
 
+- Updated rules:
+  - Container Apps:
+    - Updated `Azure.ContainerApp.AvailabilityZone` to check for infrastructure subnet by @BernieWhite.
+      [#3068](https://github.com/Azure/PSRule.Rules.Azure/issues/3068)
+      - Configuring an infrastructure subnet is a requirement for enabling zone redundancy.
+        Both rule and documentation have been updated to clearly call this out.
 - Engineering:
   - Quality updates to rule documentation by @BernieWhite.
     [#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
diff --git a/docs/en/rules/Azure.ContainerApp.AvailabilityZone.md b/docs/en/rules/Azure.ContainerApp.AvailabilityZone.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2024-04-07
+reviewed: 2024-10-01
 severity: Important
 pillar: Reliability
 category: RE:05 Regions and availability zones
@@ -16,14 +16,21 @@ Use Container Apps environments that are zone redundant to improve reliability.
 ## DESCRIPTION
 
 Container App environments can be configured to be zone redundant in regions that support availability zones.
+Zone redundancy is supported in both the workload profiles and consumption only environments.
 When configured, replicas of each Container App are spread across availability zones automatically.
 A Container App must have multiple replicas to be zone redundant.
 
-For example, if a Container App has three replicas, each replica is placed in a different availability zone.
+For example:
+
+- If a Container App has three replicas, each replica is placed in a different availability zone.
+- If a Container App has one replica, it is only available in a single zone.
+
+Zone redundancy can only be enabled at initial environment creation.
+Additionally, the Container App environment must be deployed with an infrastructure subnet configured.
 
 ## RECOMMENDATION
 
-Consider configuring Container App environments to be zone redundant to improve reliability.
+Consider configuring Container App environments to be zone redundant to improve workload resiliency.
 
 ## EXAMPLES
 
@@ -32,6 +39,7 @@ Consider configuring Container App environments to be zone redundant to improve
 To deploy Container App environments that pass this rule:
 
 - Set the `properties.zoneRedundant` property to `true`.
+- Set the `properties.vnetConfiguration.infrastructureSubnetId` property to reference a valid subnet.
 
 For example:
 
@@ -69,6 +77,7 @@ For example:
 To deploy Container App environments that pass this rule:
 
 - Set the `properties.zoneRedundant` property to `true`.
+- Set the `properties.vnetConfiguration.infrastructureSubnetId` property to reference a valid subnet.
 
 For example:
 
@@ -99,7 +108,7 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
 }
 ```
 
-<!-- external:avm avm/res/app/managed-environment:0.8.0 zoneRedundant -->
+<!-- external:avm avm/res/app/managed-environment:0.8.0 zoneRedundant,vnetConfiguration.infrastructureSubnetId -->
 
 ## LINKS
 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1
@@ -30,6 +30,7 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap
     }
 
     $Assert.HasFieldValue($TargetObject, 'properties.zoneRedundant', $True);
+    $Assert.HasFieldValue($TargetObject, 'properties.vnetConfiguration.infrastructureSubnetId');
 }
 
 #endregion Rules
@@ -38,9 +39,9 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap
 
 function global:HasIngress {
     [CmdletBinding()]
-    param ()    
+    param ()
     process {
-        $Assert.HasField($TargetObject, 'properties.configuration.ingress').Result   
+        $Assert.HasField($TargetObject, 'properties.configuration.ingress').Result
     }
 }
 
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1
@@ -197,7 +197,7 @@ Describe 'Azure.ContainerApp' -Tag 'ContainerApp' {
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult.Length | Should -Be 2;
             $ruleResult.TargetName | Should -BeIn 'capp-env-A', 'capp-env-B';
-            $ruleResult.Detail.Reason.Path | Should -BeIn 'properties.zoneRedundant';
+            $ruleResult.Detail.Reason.Path | Should -BeIn 'properties.zoneRedundant', 'properties.vnetConfiguration.infrastructureSubnetId';
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`$Assert.HasFieldValue($TargetObject, 'properties.zoneRedundant', $True);`
	`33`	`+ $Assert.HasFieldValue($TargetObject, 'properties.vnetConfiguration.infrastructureSubnetId');`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`#endregion Rules`
`@@ -38,9 +39,9 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap`
`38`	`39`
`39`	`40`	`function global:HasIngress {`
`40`	`41`	`[CmdletBinding()]`
`41`		`- param ()`
	`42`	`+ param ()`
`42`	`43`	`process {`
`43`		`- $Assert.HasField($TargetObject, 'properties.configuration.ingress').Result`
	`44`	`+ $Assert.HasField($TargetObject, 'properties.configuration.ingress').Result`
`44`	`45`	`}`
`45`	`46`	`}`
`46`	`47`