From 1e28104a65a3de731cc43557cc9ed17b24412c9c Mon Sep 17 00:00:00 2001 From: Benjamin Engeset <99641908+BenjaminEngeset@users.noreply.github.com> Date: Thu, 30 May 2024 08:20:38 +0200 Subject: [PATCH] feat(new): Added Azure.Azure.VMSS.AutoInstanceRepairs (#2897) * feat(new): Added Azure.Azure.VMSS.AutoInstanceRepairs * fix: Fixed wrong issue reference --------- Co-authored-by: Bernie White --- docs/CHANGELOG-v1.md | 3 + .../rules/Azure.VMSS.AutoInstanceRepairs.md | 94 +++++++++++++++++++ .../rules/Azure.VMSS.Rule.yaml | 28 ++++++ .../Azure.VMSS.Tests.ps1 | 19 ++++ .../Resources.VMSS.json | 20 ++++ 5 files changed, 164 insertions(+) create mode 100644 docs/en/rules/Azure.VMSS.AutoInstanceRepairs.md create mode 100644 src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.yaml diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md index 284c5c98a8..25c0d0a80f 100644 --- a/docs/CHANGELOG-v1.md +++ b/docs/CHANGELOG-v1.md @@ -33,6 +33,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers - Log Analytics: - Check that workspaces have workspace replication enabled by @BenjaminEngeset. [#2893](https://github.com/Azure/PSRule.Rules.Azure/issues/2893) + - Virtual Machine Scale Sets: + - Check that automatic instance repairs are enabled by @BenjaminEngeset. + [#2895](https://github.com/Azure/PSRule.Rules.Azure/issues/2895) ## v1.37.0-B0034 (pre-release) diff --git a/docs/en/rules/Azure.VMSS.AutoInstanceRepairs.md b/docs/en/rules/Azure.VMSS.AutoInstanceRepairs.md new file mode 100644 index 0000000000..2a2c00f5ae --- /dev/null +++ b/docs/en/rules/Azure.VMSS.AutoInstanceRepairs.md 
@@ -0,0 +1,94 @@
+---
+severity: Important
+pillar: Reliability
+category: RE:07 Self-preservation
+resource: Virtual Machine Scale Sets
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VMSS.AutoInstanceRepairs/
+---
+
+# Automatic instance repairs
+
+## SYNOPSIS
+
+Automatic instance repairs are enabled.
+
+## DESCRIPTION
+
+Enabling automatic instance repairs helps to achieve high application availability by automatically detecting and recovering unhealthy VM instances at runtime.
+
+The automatic instance repair feature relies on health monitoring of individual VM instances in a scale set.
+VM Instances in a scale set can be configured to emit application health status using either the Application Health extension or Load balancer health probes.
+If an VM instance is found to be unhealthy, the scale set will perform a preconfigured repair action on the unhealthy VM instance.
+Automatic instance repairs can be enabled in the Virtual Machine Scale Set model by using the `automaticRepairsPolicy` object.
+
+See documentation references below for additional limitations and important information.
+
+## RECOMMENDATION
+
+Consider enabling automatic instance repairs to achieve high application availability by maintaining a set of healthy VM instances.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy virtual machine scale sets that pass this rule:
+
+- Set the `properties.automaticRepairsPolicy.enabled` property to `true`.
+
+For example:
+
+```json
+{
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "apiVersion": "2023-09-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "b2ms",
+ "tier": "Standard",
+ "capacity": 1
+ },
+ "properties": {
+ "automaticRepairsPolicy": {
+ "enabled": true
+ }
+ }
+}
+```
+
+### Configure with Bicep
+
+To deploy virtual machine scale sets that pass this rule:
+
+- Set the `properties.automaticRepairsPolicy.enabled` property to `true`.
+
+For example:
+
+```bicep
+resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
+ name: name
+ location: location
+ sku: {
+ name: 'b2ms'
+ tier: 'Standard'
+ capacity: 1
+ }
+ properties: {
+ automaticRepairsPolicy: {
+ enabled: true
+ }
+ }
+}
+```
+
+## NOTES
+
+This feature for virtual machine scale sets is currently in preview.
+
+In order for automatic repairs policy to work properly, ensure that all the requirements for opting in to this feature are met.
+
+## LINKS
+
+- [RE:07 Self-preservation](https://learn.microsoft.com/azure/well-architected/reliability/self-preservation)
+- [Automatic instance repairs](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets#automaticrepairspolicy)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.yaml
new file mode 100644
index 0000000000..4b7f1c30f0
--- /dev/null
+++ b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.yaml
@@ -0,0 +1,28 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Azure Virtual Machine Scale Sets
+#
+
+#region Rules
+
+---
+# Synopsis: Automatic instance repairs are enabled.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+ name: Azure.VMSS.AutoInstanceRepairs
+ ref: AZR-000426
+ tags:
+ release: preview
+ ruleSet: 2024_06
+ Azure.WAF/pillar: Reliability
+spec:
+ type:
+ - Microsoft.Compute/virtualMachineScaleSets
+ condition:
+ field: properties.automaticRepairsPolicy.enabled
+ equals: true
+
+#endregion Rules
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.VMSS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.VMSS.Tests.ps1
index ff1719b34d..d7ecfd93fb 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.VMSS.Tests.ps1
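Review bot: The `condition` of `Azure.VMSS.AutoInstanceRepairs` asserts only `properties.automaticRepairsPolicy.enabled`, so a scale set passes even when no health signal is declared in the same resource. The rule documentation added in this commit states that repairs rely on the Application Health extension or load balancer health probes, so a pass shows the opt-in flag is set, not that a repair can ever trigger. I would add a comment above `condition:` such as `# Checks the opt-in flag only; the health source (Application Health extension or load balancer probe) is not validated by this rule.`, and consider a companion check if the module does not already have one (not visible from this patch). The test fixtures use `"repairAction": "Replace"`; if that action removes the unhealthy instance, the NOTES section could also remind operators to capture diagnostics before relying on it for hosts that may need investigation.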
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.VMSS.Tests.ps1 @@ -130,6 +130,25 @@ Describe 'Azure.VMSS' -Tag 'VMSS' { $ruleResult.Length | Should -Be 2; $ruleResult.TargetName | Should -BeIn 'vmss-001', 'vmss-003'; } + + It 'Azure.VMSS.AutoInstanceRepairs' { + $dataPath = Join-Path -Path $here -ChildPath 'Resources.VMSS.json'; + $result = Invoke-PSRule @invokeParams -InputPath $dataPath; + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VMSS.AutoInstanceRepairs' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'vmss-001', 'vmss-002'; + + $ruleResult[0].Reason | Should -BeExactly "Path properties.automaticRepairsPolicy.enabled: The field 'properties.automaticRepairsPolicy.enabled' does not exist."; + $ruleResult[1].Reason | Should -BeExactly "Path properties.automaticRepairsPolicy.enabled: Is set to 'False'."; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult.Length | Should -Be 3; + $ruleResult.TargetName | Should -BeIn 'vmss-003', 'vmss-004', 'vmss-005'; + } } Context 'Resource name - Azure.VMSS.Name' { diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.VMSS.json b/tests/PSRule.Rules.Azure.Tests/Resources.VMSS.json index 1bd2000971..cd4a747a22 100644 --- a/tests/PSRule.Rules.Azure.Tests/Resources.VMSS.json +++ b/tests/PSRule.Rules.Azure.Tests/Resources.VMSS.json @@ -191,6 +191,11 @@ "upgradePolicy": { "mode": "Manual" }, + "automaticRepairsPolicy": { + "enabled": false, + "gracePeriod": "PT10M", + "repairAction": "Replace" + }, "virtualMachineProfile": { "osProfile": { "computerNamePrefix": "vmss-002", @@ -366,6 +371,11 @@ "upgradePolicy": { "mode": "Manual" }, + "automaticRepairsPolicy": { + "enabled": true, + "gracePeriod": "PT10M", + "repairAction": "Replace" + }, "virtualMachineProfile": { "osProfile": { "computerNamePrefix": "vmss-003", 
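Review bot: The two `Reason` assertions in the new `It 'Azure.VMSS.AutoInstanceRepairs'` block index `$ruleResult[0]` and `$ruleResult[1]`, which ties the test to the order in which `Invoke-PSRule` returns vmss-001 and vmss-002. Selecting by target keeps the check stable if the fixture order changes, for example `($ruleResult | Where-Object { $_.TargetName -eq 'vmss-001' }).Reason | Should -BeExactly "Path properties.automaticRepairsPolicy.enabled: The field 'properties.automaticRepairsPolicy.enabled' does not exist."`. `Should -BeIn` only proves each returned name is in the list, so it depends on the preceding length check to imply that both expected targets are present. The enclosing `Describe`/`Context` block starts outside the hunk, so `$invokeParams` and `$here` are assumed to be set up there.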
@@ -524,6 +534,11 @@ "upgradePolicy": { "mode": "Manual" }, + "automaticRepairsPolicy": { + "enabled": true, + "gracePeriod": "PT10M", + "repairAction": "Replace" + }, "virtualMachineProfile": { "osProfile": { "computerNamePrefix": "vmss-004", @@ -683,6 +698,11 @@ "upgradePolicy": { "mode": "Manual" }, + "automaticRepairsPolicy": { + "enabled": true, + "gracePeriod": "PT10M", + "repairAction": "Replace" + }, "virtualMachineProfile": { "osProfile": { "computerNamePrefix": "vmss-005",