Add Azure.Grafana.AvailabilityZone (#3584)

* Initial plan

* Add Azure.Grafana.AvailabilityZone rule for zone redundancy

Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com>

* Address PR feedback: Update rule ref to AZR-000501, use 'workspaces' terminology, update API version to 2024-10-01, add issue reference, revert index.md changes

Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com>

* Reorder test cases (fail, fail, pass, pass, pass) and add test for missing zoneRedundancy property

Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com>

* Update comment to use 'virtual machine scale set' instead of 'Compute'

Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com>

* api version

* version

* version 10

* Updates

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Bernie White <bewhite@microsoft.com>

Author: 3 people

docs/changelog.md

@@ -40,6 +40,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
   - Data Explorer:
     - Check that public network access is disabled by @BenjaminEngeset.
       [#3114](https://github.com/Azure/PSRule.Rules.Azure/issues/3114)
+  - Managed Grafana:
+    - Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset.
+      [#3294](https://github.com/Azure/PSRule.Rules.Azure/issues/3294)
 - Updated rules:
   - Application Gateway Policy:
     - Updated `Azure.AppGwWAF.RuleGroups` to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset.

docs/en/rules/Azure.Grafana.AvailabilityZone.md

@@ -0,0 +1,101 @@
+---
+reviewed: 2025-11-06
+severity: Important
+pillar: Reliability
+category: RE:05 Regions and availability zones
+resource: Managed Grafana
+resourceType: Microsoft.Dashboard/grafana
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Grafana.AvailabilityZone/
+---
+
+# Use zone redundant Managed Grafana workspaces
+
+## SYNOPSIS
+
+Use zone redundant Grafana workspaces in supported regions to improve reliability.
+
+## DESCRIPTION
+
+Azure Managed Grafana supports zone redundancy to provide enhanced resiliency and high availability.
+When zone redundancy is enabled, Azure Managed Grafana automatically distributes the
+service across multiple availability zones within a region.
+
+Managed Grafana implements this redundancy using active-passive replicas.
+One active replica serves traffic while passive replicas remain on standby in other
+zones and take over if the active replica becomes unavailable.
+
+This configuration ensures that the service remains available even if an entire
+availability zone experiences an outage.
+
+Zone redundancy can only be configured during the initial workspace creation and cannot be modified afterwards.
+Additionally, zone redundancy is only available in regions that support availability zones.
+
+## RECOMMENDATION
+
+Consider enabling zone redundancy for Azure Managed Grafana workspaces deployed in regions that support
+availability zones to improve service reliability and resilience.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy Managed Grafana workspaces that pass this rule:
+
+- Set the `properties.zoneRedundancy` property to `Enabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Dashboard/grafana",
+  "apiVersion": "2024-10-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "sku": {
+    "name": "Standard"
+  },
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "zoneRedundancy": "Enabled"
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy Managed Grafana workspaces that pass this rule:
+
+- Set the `properties.zoneRedundancy` property to `Enabled`.
+
+For example:
+
+```bicep
+resource grafana 'Microsoft.Dashboard/grafana@2024-10-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    zoneRedundancy: 'Enabled'
+  }
+}
+```
+
+## NOTES
+
+Zone redundancy must be configured during the initial deployment.
+It is not possible to modify an existing Managed Grafana workspace to enable zone redundancy after it has been deployed.
+
+## LINKS
+
+- [RE:05 Redundancy](https://learn.microsoft.com/azure/well-architected/reliability/redundancy)
+- [Architecture strategies for using availability zones and regions](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones)
+- [Enable zone redundancy in Azure Managed Grafana](https://learn.microsoft.com/azure/managed-grafana/how-to-enable-zone-redundancy)
+- [Azure regions with availability zone support](https://learn.microsoft.com/azure/reliability/availability-zones-service-support)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dashboard/grafana)

src/PSRule.Rules.Azure/rules/Azure.Grafana.Rule.ps1

@@ -0,0 +1,24 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Azure Managed Grafana
+#
+
+#region Rules
+
+# Synopsis: Use zone redundant Grafana workspaces in supported regions to improve reliability.
+Rule 'Azure.Grafana.AvailabilityZone' -Ref 'AZR-000501' -Type 'Microsoft.Dashboard/grafana' -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Reliability'; } -Labels @{ 'Azure.WAF/maturity' = 'L1'; } {
+    # Check for availability zones based on virtual machine scale set, because it is not exposed through the provider for Grafana.
+    $provider = [PSRule.Rules.Azure.Runtime.Helper]::GetResourceType('Microsoft.Compute', 'virtualMachineScaleSets');
+    $availabilityZones = GetAvailabilityZone -Location $TargetObject.Location -Zone $provider.ZoneMappings;
+
+    # Don't flag if the region does not support AZ.
+    if (-not $availabilityZones) {
+        return $Assert.Pass();
+    }
+
+    $Assert.HasFieldValue($TargetObject, 'properties.zoneRedundancy', 'Enabled');
+}
+
+#endregion Rules

tests/PSRule.Rules.Azure.Tests/Azure.Grafana.Tests.ps1

@@ -48,8 +48,25 @@ Describe 'Azure.Grafana' -Tag 'Grafana' {
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
-            $ruleResult.TargetName | Should -Be 'grafana-b';
-            $ruleResult.Length | Should -Be 1;
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 4;
+            $ruleResult.TargetName | Should -BeIn @('grafana-b', 'grafana-c', 'grafana-d', 'grafana-e');
+        }
+
+        It 'Azure.Grafana.AvailabilityZone' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Grafana.AvailabilityZone' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -BeIn @('grafana-a', 'grafana-b');
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -BeIn @('grafana-c', 'grafana-d', 'grafana-e');
         }
     }
 }

tests/PSRule.Rules.Azure.Tests/Resources.Grafana.json

@@ -1,10 +1,10 @@
 [
   {
     "type": "Microsoft.Dashboard/grafana",
-    "apiVersion": "2023-09-01",
+    "apiVersion": "2024-10-01",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.Dashboard/grafana/grafana-a",
     "name": "grafana-a",
-    "location": "westus",
+    "location": "westus2",
     "tags": {
       "application": "grafana"
     },
@@ -46,12 +46,12 @@
         "{customized property}": {}
       },
       "publicNetworkAccess": "Enabled",
-      "zoneRedundancy": null
+      "zoneRedundancy": "Disabled"
     }
   },
   {
     "type": "Microsoft.Dashboard/grafana",
-    "apiVersion": "2023-09-01",
+    "apiVersion": "2024-10-01",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.Dashboard/grafana/grafana-b",
     "name": "grafana-b",
     "location": "westeurope",
@@ -64,6 +64,105 @@
     "identity": {
       "type": "SystemAssigned"
     },
+    "properties": {
+      "apiKey": "string",
+      "autoGeneratedDomainNameLabelScope": "TenantReuse",
+      "deterministicOutboundIP": "string",
+      "enterpriseConfigurations": {
+        "marketplaceAutoRenew": "string",
+        "marketplacePlanId": "string"
+      },
+      "grafanaConfigurations": {
+        "smtp": {
+          "enabled": "bool",
+          "fromAddress": "string",
+          "fromName": "string",
+          "host": "string",
+          "password": "string",
+          "skipVerify": "bool",
+          "startTLSPolicy": "string",
+          "user": "string"
+        }
+      },
+      "grafanaIntegrations": {
+        "azureMonitorWorkspaceIntegrations": [
+          {
+            "azureMonitorWorkspaceResourceId": "00000000-0000-0000-0000-000000000000"
+          }
+        ]
+      },
+      "grafanaMajorVersion": "11",
+      "grafanaPlugins": {
+        "{customized property}": {}
+      },
+      "publicNetworkAccess": "Enabled"
+    }
+  },
+  {
+    "type": "Microsoft.Dashboard/grafana",
+    "apiVersion": "2024-10-01",
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.Dashboard/grafana/grafana-c",
+    "name": "grafana-c",
+    "location": "westeurope",
+    "tags": {
+      "application": "grafana"
+    },
+    "sku": {
+      "name": "Standard"
+    },
+    "identity": {
+      "type": "SystemAssigned"
+    },
+    "properties": {
+      "apiKey": "string",
+      "autoGeneratedDomainNameLabelScope": "TenantReuse",
+      "deterministicOutboundIP": "string",
+      "enterpriseConfigurations": {
+        "marketplaceAutoRenew": "string",
+        "marketplacePlanId": "string"
+      },
+      "grafanaConfigurations": {
+        "smtp": {
+          "enabled": "bool",
+          "fromAddress": "string",
+          "fromName": "string",
+          "host": "string",
+          "password": "string",
+          "skipVerify": "bool",
+          "startTLSPolicy": "string",
+          "user": "string"
+        }
+      },
+      "grafanaIntegrations": {
+        "azureMonitorWorkspaceIntegrations": [
+          {
+            "azureMonitorWorkspaceResourceId": "00000000-0000-0000-0000-000000000000"
+          }
+        ]
+      },
+      "grafanaMajorVersion": "11",
+      "grafanaPlugins": {
+        "{customized property}": {}
+      },
+      "publicNetworkAccess": "Enabled",
+      "zoneRedundancy": "Enabled"
+    }
+  },
+  {
+    "type": "Microsoft.Dashboard/grafana",
+    "apiVersion": "2024-10-01",
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.Dashboard/grafana/grafana-d",
+    "name": "grafana-d",
+    "location": "australiacentral",
+    "tags": {
+      "application": "grafana"
+    },
+    "sku": {
+      "name": "Standard"
+    },
+    "identity": {
+      "type": "SystemAssigned"
+    },
     "properties": {
       "apiKey": "string",
       "autoGeneratedDomainNameLabelScope": "TenantReuse",
@@ -96,7 +195,56 @@
         "{customized property}": {}
       },
       "publicNetworkAccess": "Enabled",
-      "zoneRedundancy": null
+      "zoneRedundancy": "Disabled"
+    }
+  },
+  {
+    "type": "Microsoft.Dashboard/grafana",
+    "apiVersion": "2024-10-01",
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-rg/providers/Microsoft.Dashboard/grafana/grafana-e",
+    "name": "grafana-e",
+    "location": "australiacentral",
+    "tags": {
+      "application": "grafana"
+    },
+    "sku": {
+      "name": "Standard"
+    },
+    "identity": {
+      "type": "SystemAssigned"
+    },
+    "properties": {
+      "apiKey": "string",
+      "autoGeneratedDomainNameLabelScope": "TenantReuse",
+      "deterministicOutboundIP": "string",
+      "enterpriseConfigurations": {
+        "marketplaceAutoRenew": "string",
+        "marketplacePlanId": "string"
+      },
+      "grafanaConfigurations": {
+        "smtp": {
+          "enabled": "bool",
+          "fromAddress": "string",
+          "fromName": "string",
+          "host": "string",
+          "password": "string",
+          "skipVerify": "bool",
+          "startTLSPolicy": "string",
+          "user": "string"
+        }
+      },
+      "grafanaIntegrations": {
+        "azureMonitorWorkspaceIntegrations": [
+          {
+            "azureMonitorWorkspaceResourceId": "00000000-0000-0000-0000-000000000000"
+          }
+        ]
+      },
+      "grafanaMajorVersion": "11",
+      "grafanaPlugins": {
+        "{customized property}": {}
+      },
+      "publicNetworkAccess": "Enabled"
     }
   }
 ]