Add Azure.ServiceBus.ReplicaLocation rule (AZR-000540)

[Copilot]

When Service Bus geo-replication is configured, replica locations should be validated against the organization's allowed regions (AZURE_RESOURCE_ALLOWED_LOCATIONS), consistent with how Azure.EntraDS.ReplicaLocation works for Entra DS replica sets.

Changes

• New rule Azure.ServiceBus.ReplicaLocation (AZR-000536, Security pillar, ruleSet 2026_06) — evaluates each locationName in properties.geoDataReplication.locations[*] against the allowed locations context; skips namespaces without geo-replication configured
• Tests — new With Location Configuration context in Azure.ServiceBus.Tests.ps1 using AZURE_RESOURCE_ALLOWED_LOCATIONS = ['centraluseuap', 'norwayeast']; servicens-E (italynorth/spaincentral) fails, servicens-C/servicens-D pass
• Docs — Azure.ServiceBus.ReplicaLocation.md with Bicep and ARM examples; updated index.md, resource.md (en + es)

Example

resource sb 'Microsoft.ServiceBus/namespaces@2023-01-01-preview' = {
  properties: {
    geoDataReplication: {
      locations: [
        { locationName: primaryLocation, roleType: 'Primary' }
        { locationName: secondaryLocation, roleType: 'Secondary' }
      ]
    }
  }
}

Passes when both primaryLocation and secondaryLocation are in AZURE_RESOURCE_ALLOWED_LOCATIONS; fails otherwise.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[RULE] Check service bus replica locations are within allowed regions</issue_title>
<issue_description>### Existing rule

No response

Suggested rule

When service bus replication is configured any configured locations should be in the allowed location list if configured.

Pillar

Security

Additional context

This is similar to the existing rule Azure.EntraDS.ReplicaLocation.

References:

• https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace/replica?view=azure-cli-latest</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [RULE] Check service bus replica locations are within allowed regions #3381

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[BernieWhite]

@copilot use rule ID AZR-000536 instead.

[Copilot]

@copilot use rule ID AZR-000536 instead.

Updated to AZR-000536 in 190fb5c.