Added Azure.RedisEnterprise.MigrateAMR (#3612)

Author: BenjaminEngeset

docs/changelog.md

@@ -45,6 +45,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
         - `AZURE_REDIS_CACHE_NAME_FORMAT`
         - `AZURE_REDIS_ENTERPRISE_NAME_FORMAT`
     - Added configured name format by @BernieWhite.
+  - Azure Cache for Redis Enterprise and Enterprise Flash:
+    - Check for deprecated Redis Enterprise and Enterprise Flash SKUs by @BenjaminEngeset.
+      [#3606](https://github.com/Azure/PSRule.Rules.Azure/issues/3606)
   - Azure Database for MySQL:
     - Check resources naming matches configured name format by @BernieWhite.
       [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548)

docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md

@@ -0,0 +1,99 @@
+---
+reviewed: 2025-11-28
+severity: Important
+pillar: Operational Excellence
+category: OE:05 Infrastructure as code
+resource: Azure Cache for Redis Enterprise
+resourceType: Microsoft.Cache/redisEnterprise
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.MigrateAMR/
+---
+
+# Migrate to Azure Managed Redis
+
+## SYNOPSIS
+
+Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis.
+
+## DESCRIPTION
+
+Microsoft has announced the retirement timeline for Azure Cache for Redis Enterprise and Enterprise Flash SKUs.
+The recommended replacement going forward is Azure Managed Redis.
+
+Azure Cache for Redis Enterprise (`Enterprise_*`) and Enterprise Flash (`EnterpriseFlash_*`) SKUs will be retired according to the following timeline:
+
+- Creation blocked for all customers: April 1, 2026.
+- Retirement Date: March 31, 2027.
+- Instances will be migrated to Azure Managed Redis starting April 1, 2027.
+
+To avoid service disruption, migrate your workloads to Azure Managed Redis.
+
+## RECOMMENDATION
+
+Plan and execute migration from Azure Cache for Redis Enterprise / Enterprise Flash to Azure Managed Redis before the retirement dates to avoid service disruption.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resource that pass this rule:
+
+- Create resources of type `Microsoft.Cache/redisEnterprise` and an Azure Managed Redis SKU, such as:
+  - `Balanced_*`
+  - `MemoryOptimized_*`
+  - `ComputeOptimized_*`
+
+For example:
+
+```bicep
+resource primary 'Microsoft.Cache/redisEnterprise@2025-07-01' = {
+  name: name
+  location: location
+  properties: {
+    highAvailability: 'Enabled'
+    publicNetworkAccess: 'Disabled'
+  }
+  sku: {
+    name: 'Balanced_B10'
+  }
+}
+```
+
+### Configure with Azure template
+
+To deploy resource that pass this rule:
+
+- Create resources of type `Microsoft.Cache/redisEnterprise` and an Azure Managed Redis SKU, such as:
+  - `Balanced_*`
+  - `MemoryOptimized_*`
+  - `ComputeOptimized_*`
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Cache/redisEnterprise",
+  "apiVersion": "2025-07-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "highAvailability": "Enabled",
+    "publicNetworkAccess": "Disabled"
+  },
+  "sku": {
+    "name": "Balanced_B10"
+  }
+}
+```
+
+## NOTES
+
+Azure Cache for Redis (Basic, Standard, Premium) using the `Microsoft.Cache/redis` resource type is also deprecated and covered by a separate rule.
+
+## LINKS
+
+- [OE:05 Infrastructure as code](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure)
+- [Operational Excellence: Level 4](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level4)
+- [Azure Cache for Redis retirement: What to know and how to prepare](https://techcommunity.microsoft.com/blog/azure-managed-redis/azure-cache-for-redis-retirement-what-to-know-and-how-to-prepare/4458721)
+- [Azure Cache for Redis retirement FAQ](https://learn.microsoft.com/azure/azure-cache-for-redis/retirement-faq)
+- [Azure Managed Redis documentation](https://learn.microsoft.com/azure/azure-cache-for-redis/managed-redis/managed-redis-overview)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise)

src/PSRule.Rules.Azure/en/PSRule-rules.psd1

@@ -132,4 +132,5 @@
     ActiveSecurityAlerts = "There are {0} active security alerts of high or medium severity."
     KeyValueShouldNotContainSecrets = "The key value '{0}' property should not contain secrets."
     CacheRedisMigrateAMR = "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis."
+    RedisEnterpriseMigrateAMR = "Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis."
 }

src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1

@@ -13,3 +13,8 @@ Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000524' -Type 'Microsoft.Cache/Red
 }
 
 #endregion Naming rules
+
+# Synopsis: Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis.
+Rule 'Azure.RedisEnterprise.MigrateAMR' -Ref 'AZR-000534' -Type 'Microsoft.Cache/redisEnterprise' -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } {
+    $Assert.NotLike($TargetObject, 'sku.name', @('Enterprise_*', 'EnterpriseFlash_*')).Reason($LocalizedData.RedisEnterpriseMigrateAMR)
+}

tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1

@@ -118,8 +118,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
              # None
              $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
              $ruleResult | Should -Not -BeNullOrEmpty;
-             $ruleResult.Length | Should -Be 8;
-             $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-R', 'redis-S';
+             $ruleResult.Length | Should -Be 11;
+             $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.AvailabilityZone' {
@@ -146,8 +146,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 13;
-            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S';
+            $ruleResult.Length | Should -Be 16;
+            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.RedisEnterprise.Zones' {
@@ -173,8 +173,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 12;
-            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R';
+            $ruleResult.Length | Should -Be 15;
+            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.PublicNetworkAccess' {
@@ -214,8 +214,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 7;
-            $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S';
+            $ruleResult.Length | Should -Be 10;
+            $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.FirewallRuleCount' {
@@ -253,8 +253,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None 
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty
-            $ruleResult.Length | Should -Be 9;
-            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S';
+            $ruleResult.Length | Should -Be 12;
+            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.FirewallIPRange' {
@@ -290,8 +290,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None 
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty
-            $ruleResult.Length | Should -Be 9;
-            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S';
+            $ruleResult.Length | Should -Be 12;
+            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.Version' {
@@ -334,8 +334,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
 
              # None
              $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
-             $ruleResult.Length | Should -Be 7;
-             $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S';
+             $ruleResult.Length | Should -Be 10;
+             $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.LocalAuth' {
@@ -365,6 +365,24 @@ Describe 'Azure.Redis' -Tag 'Redis' {
 
             $ruleResult[0].Reason | Should -BeExactly "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.";
         }
+
+        It 'Azure.RedisEnterprise.MigrateAMR' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.MigrateAMR' };
+
+            # Fail - Enterprise and EnterpriseFlash SKUs should fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 7;
+            $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S';
+
+            $ruleResult[0].Reason | Should -BeExactly "Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis.";
+
+            # Pass - Azure Managed Redis SKUs should pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -BeIn 'redis-T', 'redis-U', 'redis-V';
+        }
     }
 
     Context 'With Configuration Option' -Tag 'Configuration' {
@@ -421,8 +439,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 13;
-            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S';
+            $ruleResult.Length | Should -Be 16;
+            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.Redis.AvailabilityZone - YAML file option' {
@@ -455,8 +473,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 13;
-            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S';
+            $ruleResult.Length | Should -Be 16;
+            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.RedisEnterprise.Zones - HashTable option' {
@@ -498,8 +516,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 12;
-            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R';
+            $ruleResult.Length | Should -Be 15;
+            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R', 'redis-T', 'redis-U', 'redis-V';
         }
 
         It 'Azure.RedisEnterprise.Zones - YAML file option' {
@@ -530,8 +548,8 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             # None
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 12;
-            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R';
+            $ruleResult.Length | Should -Be 15;
+            $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R', 'redis-T', 'redis-U', 'redis-V';
         }
     }
 

tests/PSRule.Rules.Azure.Tests/Resources.Redis.json

@@ -1121,5 +1121,74 @@
       "capacity": 15
     },
     "zones": []
+  },
+  {
+    "Name": "redis-T",
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-T",
+    "ResourceName": "redis-T",
+    "ResourceType": "Microsoft.Cache/redisEnterprise",
+    "ResourceGroupName": "test-rg",
+    "Location": "australiaeast",
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "Tags": {},
+    "Properties": {
+      "minimumTlsVersion": "1.2",
+      "hostName": "redis-T.redis.cache.windows.net"
+    },
+    "sku": {
+      "name": "Balanced_B10",
+      "capacity": 2
+    },
+    "zones": [
+      "1",
+      "2",
+      "3"
+    ]
+  },
+  {
+    "Name": "redis-U",
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-U",
+    "ResourceName": "redis-U",
+    "ResourceType": "Microsoft.Cache/redisEnterprise",
+    "ResourceGroupName": "test-rg",
+    "Location": "australiaeast",
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "Tags": {},
+    "Properties": {
+      "minimumTlsVersion": "1.2",
+      "hostName": "redis-U.redis.cache.windows.net"
+    },
+    "sku": {
+      "name": "MemoryOptimized_M10",
+      "capacity": 2
+    },
+    "zones": [
+      "1",
+      "2",
+      "3"
+    ]
+  },
+  {
+    "Name": "redis-V",
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-V",
+    "ResourceName": "redis-V",
+    "ResourceType": "Microsoft.Cache/redisEnterprise",
+    "ResourceGroupName": "test-rg",
+    "Location": "australiaeast",
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "Tags": {},
+    "Properties": {
+      "minimumTlsVersion": "1.2",
+      "hostName": "redis-V.redis.cache.windows.net"
+    },
+    "sku": {
+      "name": "ComputeOptimized_X10",
+      "capacity": 2
+    },
+    "zones": [
+      "1",
+      "2",
+      "3"
+    ]
   }
 ]