Merged
5 changes: 4 additions & 1 deletion docs/changelog.md
Expand Up @@ -44,11 +44,14 @@ What's changed since v1.47.0:
- Container Apps:
- Check that liveness and readiness health probes use HTTP checks for HTTP-based ingress by @BernieWhite.
[#3111](https://github.com/Azure/PSRule.Rules.Azure/issues/3111)
- Service Bus:
- Added `Azure.ServiceBus.ReplicaLocation` to check that geo-replication replica locations are within allowed regions.
[#3343](https://github.com/Azure/PSRule.Rules.Azure/issues/3343)
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use `1.33.7` as the minimum version by @BernieWhite.
[#3708](https://github.com/Azure/PSRule.Rules.Azure/issues/3708)
- Improved documentation for expansion internals with a high-level flow diagram and code references by @Copilot.
- Improved documentation for expansion internals with a high-level flow diagram and code references by @BernieWhite.
[#3715](https://github.com/Azure/PSRule.Rules.Azure/issues/3715)

## v1.47.0
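Review bot: the `Azure.ServiceBus.ReplicaLocation` line under `- Service Bus:` is the only rule entry in this hunk without a `by @...` attribution; the Container Apps entry above it and the AKS entry below it both carry one, so add the author for consistency. Separately, the baseline files in this same change gain `Azure.ACR.AuditLogs` and `Azure.ContainerApp.HealthProbe` as well as `Azure.ServiceBus.ReplicaLocation`, but no changelog line for `Azure.ACR.AuditLogs` is visible in the shown context; if that rule is new in this release, confirm an entry exists above the hunk or add one. The attribution swap from @Copilot to @BernieWhite on the expansion-internals documentation line is a clean one-line replace, and the #3715 reference below it is unchanged.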
Expand Down
3 changes: 3 additions & 0 deletions docs/en/baselines/Azure.All.csv
Expand Up @@ -2,6 +2,7 @@
"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
"Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
"Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-"
"Azure.ACR.AuditLogs","Ensure container registry audit diagnostic logs are enabled.","Important","Security","L1"
"Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
"Azure.ACR.ContentTrust","Docker content trust allows images to be signed and verified when pulled from a container registry.","Important","Security","-"
"Azure.ACR.ExportPolicy","Export policy on Azure container registry may allow artifact exfiltration.","Important","Security","-"
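Review bot: the new `Azure.ACR.AuditLogs` row is phrased as an instruction ("Ensure container registry audit diagnostic logs are enabled.") while the surrounding ACR rows describe the risk the rule addresses ("... allows unidentified downloading ...", "... may allow artifact exfiltration."); if this CSV is produced from the rule's metadata, reword the synopsis at the source so the row reads consistently with its neighbours rather than editing it here. The row is in alphabetical position between `AnonymousAccess` and `ContainerScan`, and the severity, pillar and level columns (Important, Security, L1) are all filled, so the shape of the row is fine.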
Expand Down Expand Up @@ -152,6 +153,7 @@
"Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
"Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
"Azure.ContainerApp.HealthProbe","Container app ingress that uses HTTP should have HTTP health probes configured for liveness and readiness checks.","Important","Reliability","-"
"Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
"Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
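Review bot: the new `Azure.ContainerApp.HealthProbe` row is classified under the Reliability pillar with no level (`-`), whereas `Azure.ContainerApp.Insecure` two rows below is Security/L1; that matches the changelog, which describes the rule as a liveness/readiness probe check rather than a security control, so no change is needed here. One pre-existing problem in the unchanged context is worth a follow-up in the rule metadata: the `Azure.ContainerApp.ExternalIngress` synopsis reads "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.", which is ungrammatical.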
Expand Down Expand Up @@ -391,6 +393,7 @@
"Azure.ServiceBus.DisableLocalAuth","Authenticate Service Bus publishers and consumers with Entra ID identities.","Important","Security","L1"
"Azure.ServiceBus.GeoReplica","Enhance resilience to regional outages by replicating namespaces.","Important","Reliability","-"
"Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
"Azure.ServiceBus.ReplicaLocation","The replica location determines the country or region where the data is stored and processed.","Important","Security","-"
"Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
"Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
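Review bot: the new `Azure.ServiceBus.ReplicaLocation` row has `-` in the level column while its Security siblings `Azure.ServiceBus.DisableLocalAuth` and `Azure.ServiceBus.MinTLS` are at L1; since the changelog describes this rule as checking replica locations against allowed regions, which requires per-organisation configuration, leaving it out of a level is defensible, but the rule documentation should state that. The synopsis ("The replica location determines the country or region where the data is stored and processed.") describes why the setting matters rather than what the rule checks; the changelog wording ("check that geo-replication replica locations are within allowed regions") is clearer and could be reused for the synopsis.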
Expand Down
5 changes: 4 additions & 1 deletion docs/en/baselines/Azure.All.md
Expand Up @@ -10,13 +10,14 @@ Includes all Azure rules.

The following rules are included within the `Azure.All` baseline.

This baseline includes a total of 531 rules.
This baseline includes a total of 534 rules.

Name | Synopsis | Severity
---- | -------- | --------
[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
[Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical
[Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important
[Azure.ACR.AuditLogs](../rules/Azure.ACR.AuditLogs.md) | Ensure container registry audit diagnostic logs are enabled. | Important
[Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical
[Azure.ACR.ContentTrust](../rules/Azure.ACR.ContentTrust.md) | Docker content trust allows images to be signed and verified when pulled from a container registry. | Important
[Azure.ACR.ExportPolicy](../rules/Azure.ACR.ExportPolicy.md) | Export policy on Azure container registry may allow artifact exfiltration. | Important
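Review bot: the count change from 531 to 534 matches the three rows added to `Azure.All.csv` in this same change (`Azure.ACR.AuditLogs`, `Azure.ContainerApp.HealthProbe`, `Azure.ServiceBus.ReplicaLocation`), so the two baseline files stay in sync. The new row links to `../rules/Azure.ACR.AuditLogs.md`, a relative path this diff does not touch; confirm that page exists, otherwise the baseline table ships a dead link. The same check applies to the `../rules/Azure.ContainerApp.HealthProbe.md` and `../rules/Azure.ServiceBus.ReplicaLocation.md` links added in the later hunks of this file.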
Expand Down Expand Up @@ -167,6 +168,7 @@ Name | Synopsis | Severity
[Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
[Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
[Azure.ContainerApp.HealthProbe](../rules/Azure.ContainerApp.HealthProbe.md) | Container app ingress that uses HTTP should have HTTP health probes configured for liveness and readiness checks. | Important
[Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
[Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
Expand Down Expand Up @@ -406,6 +408,7 @@ Name | Synopsis | Severity
[Azure.ServiceBus.DisableLocalAuth](../rules/Azure.ServiceBus.DisableLocalAuth.md) | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important
[Azure.ServiceBus.GeoReplica](../rules/Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important
[Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
[Azure.ServiceBus.ReplicaLocation](../rules/Azure.ServiceBus.ReplicaLocation.md) | The replica location determines the country or region where the data is stored and processed. | Important
[Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
Expand Down