Update Azure.LB.Rule.ps1 for PIP Zones Condition (#2756)

* Update Azure.LB.Rule.ps1 * Update Azure.LB.AvailabilityZone.md * update changelog * updates * Updates to check for AZ first * Bump change log * Update docs/en/rules/Azure.LB.AvailabilityZone.md Co-authored-by: Bernie White <bewhite@microsoft.com> * Update tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json Co-authored-by: Bernie White <bewhite@microsoft.com> --------- Co-authored-by: Bernie White <bewhite@microsoft.com>
2024-03-15 16:09:15 +00:00 · 2024-03-15 16:09:15 +00:00 · 8860aee872
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@ -32,6 +32,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

 ## Unreleased

+- Bug fixes:
+  - Fixed rule `Azure.LB.AvailabilityZone` to remove the passing assertion for null or an empty zones list for the property of `properties.frontendIPConfigurations[*].zones` by @jtracey93.
+    [#2759](https://github.com/Azure/PSRule.Rules.Azure/issues/2759)
+
 ## v1.35.0-B0012 (pre-release)

 What's changed since v1.34.2:
--- a/docs/en/rules/Azure.LB.AvailabilityZone.md
+++ b/docs/en/rules/Azure.LB.AvailabilityZone.md
@ -27,7 +27,7 @@ Consider using zone-redundant load balancers deployed with Standard SKU.

 This rule applies when analyzing resources deployed to Azure using *pre-flight* and *in-flight* data.

-This rule fails when `"zones"` is constrained to a single(zonal) zone, and passes when set to `null`, `[]` or `["1", "2", "3"]`.
+This rule fails when `"zones"` is constrained to a single(zonal) zone or is not configured, and passes when set to `["1", "2", "3"]`.

 ## EXAMPLES

--- a/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1
@ -27,13 +27,19 @@ Rule 'Azure.LB.Probe' -Ref 'AZR-000126' -Type 'Microsoft.Network/loadBalancers'

 # Synopsis: Load balancers deployed with Standard SKU should be zone-redundant for high availability.
 Rule 'Azure.LB.AvailabilityZone' -Ref 'AZR-000127' -Type 'Microsoft.Network/loadBalancers' -If { IsStandardLoadBalancer } -Tag @{ release = 'GA'; ruleSet = '2021_09'; 'Azure.WAF/pillar' = 'Reliability'; } {
+    # Check for availability zones based on Azure Firewall, because it is not exposed through the provider for load balancers.
+    $provider = [PSRule.Rules.Azure.Runtime.Helper]::GetResourceType('Microsoft.Network', 'azureFirewalls');
+    $availabilityZones = GetAvailabilityZone -Location $TargetObject.Location -Zone $provider.ZoneMappings;
+
+    # Don't flag if the region does not support AZ.
+    if (-not $availabilityZones) {
+        return $Assert.Pass();
+    }
+
    foreach ($ipConfig in $TargetObject.Properties.frontendIPConfigurations) {
-        $Assert.AnyOf(
-            $Assert.NullOrEmpty($ipConfig, 'zones'),
-            $Assert.SetOf($ipConfig, 'zones', @('1', '2', '3'))
-        ).Reason(
+        $Assert.SetOf($ipConfig, 'zones', @('1', '2', '3')).Reason(
            $LocalizedData.LBAvailabilityZone,
-            $TargetObject.name, 
+            $TargetObject.name,
            $ipConfig.name
        )
    }
--- a/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json
+++ b/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json
@ -1533,7 +1533,7 @@
  {
    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes",
    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes",
-    "Location": "region",
+    "Location": "eastus",
    "ManagedBy": null,
    "ResourceName": "kubernetes",
    "Name": "kubernetes",
@ -1560,7 +1560,12 @@
              }
            ],
            "privateIPAddressVersion": "IPv4"
-          }
+          },
+          "zones": [
+            "1",
+            "2",
+            "3"
+          ]
        }
      ],
      "backendAddressPools": [
@ -1704,7 +1709,7 @@
  {
    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/lb-A",
    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/lb-A",
-    "Location": "region",
+    "Location": "eastus",
    "ManagedBy": null,
    "ResourceName": "lb-A",
    "Name": "lb-A",
@ -1878,7 +1883,7 @@
  {
    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/lb-B",
    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/lb-B",
-    "Location": "region",
+    "Location": "east US",
    "ManagedBy": null,
    "ResourceName": "lb-B",
    "Name": "lb-B",
@ -2052,7 +2057,7 @@
  {
    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/lb-C",
    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/lb-C",
-    "Location": "region",
+    "Location": "notRegion",
    "ManagedBy": null,
    "ResourceName": "lb-C",
    "Name": "lb-C",
@ -2079,12 +2084,7 @@
              }
            ],
            "privateIPAddressVersion": "IPv4"
-          },
-          "zones": [
-            "2",
-            "3",
-            "1"
-          ]
+          }
        }
      ],
      "backendAddressPools": [