feat(new): Added Azure.VNG.MaintenanceConfig (Azure#2920)

* feat(new): Added Azure.VNG.MaintenanceConfig

* Fix release casing

* Fix test

---------

Co-authored-by: Bernie White <[email protected]>

Author: BenjaminEngeset

docs/CHANGELOG-v1.md

@@ -35,6 +35,9 @@ What's changed since pre-release v1.37.0:
   - Azure Firewall:
     - Verify that firewalls have availability zones configured by @BenjaminEngeset.
       [#2909](https://github.com/Azure/PSRule.Rules.Azure/issues/2909)
+  - Virtual Network Gateway:
+    - Verify that VPN/ExpressRoute gateways have a customer-controlled maintenance configuration configured by @BenjaminEngeset.
+      [#2910](https://github.com/Azure/PSRule.Rules.Azure/issues/2910)
 
 ## v1.37.0
 

docs/en/rules/Azure.VNG.MaintenanceConfig.md

@@ -0,0 +1,83 @@
+---
+severity: Important
+pillar: Reliability
+category: RE:04 Target metrics
+resource: Virtual Network Gateway
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VNG.MaintenanceConfig/
+---
+
+# Associate a customer-controlled maintenance configuration
+
+## SYNOPSIS
+
+Use a customer-controlled maintenance configuration for virtual network gateways.
+
+## DESCRIPTION
+
+Virtual network gateways require regular updates to maintain and enhance their functionality, reliability, performance, and security. These updates include patching software, upgrading networking components, and decommissioning outdated hardware.
+
+By attaching virtual network gateways to a maintenance configuration, customers can schedule these updates to occur during a preferred maintenance window, ideally outside of business hours, to minimize disruptions.
+
+Both the VPN and ExpressRoute virtual network gateway types support customer-controlled maintenance configurations.
+
+## RECOMMENDATION
+
+Consider using a customer-controlled maintenance configuration to efficiently schedule updates and minimize disruptions.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To configure virtual network gateways that pass this rule:
+
+- Deploy a `Microsoft.Maintenance/configurationAssignments` sub-resource (extension resource).
+- Set the `properties.maintenanceConfigurationId` property to the linked maintenance configuration resource Id.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Maintenance/configurationAssignments",
+  "apiVersion": "2023-04-01",
+  "name": "[parameters('assignmentName')]",
+  "location": "[parameters('location')]",
+  "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]",
+  "properties": {
+    "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]"
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]"
+  ]
+}
+```
+
+### Configure with Bicep
+
+To configure virtual network gateways that pass this rule:
+
+- Deploy a `Microsoft.Maintenance/configurationAssignments` sub-resource (extension resource).
+- Set the `properties.maintenanceConfigurationId` property to the linked maintenance configuration resource Id.
+
+For example:
+
+```bicep
+resource config 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
+  name: assignmentName
+  location: location
+  scope: virtualNetworkGateway
+  properties: {
+    maintenanceConfigurationId: maintenanceConfigurationId
+  }
+}
+```
+
+## NOTES
+
+This feature is currently in preview for both the VPN and ExpressRoute virtual network gateway types.
+
+## LINKS
+
+- [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
+- [Configure customer-controlled gateway maintenance for VPN Gateway](https://learn.microsoft.com/azure/vpn-gateway/customer-controlled-gateway-maintenance)
+- [Configure customer-controlled gateway maintenance for ExpressRoute](https://learn.microsoft.com/azure/expressroute/customer-controlled-gateway-maintenance)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.maintenance/configurationassignments)

src/PSRule.Rules.Azure/en/PSRule-rules.psd1

@@ -102,6 +102,7 @@
     ArcKubernetesDefender = "The Arc-enabled Kubernetes cluster '{0}' should have a Microsoft Defender for Containers extension configured."
     VMMaintenanceConfig = "The virtual machine '{0}' should have a maintenance configuration associated."
     ArcServerMaintenanceConfig = "The Arc-enabled server '{0}' should have a maintenance configuration associated."
+    VNGMaintenanceConfig = "The virtual network gateway '{0}' should have a customer-controlled maintenance configuration associated."
     SubStorageMalwareScanning = "The Microsoft Defender for Storage plan should have malware scanning configured."
     ResStorageMalwareScanning = "The storage account '{0}' should have malware scanning in Microsoft Defender for Storage configured."
     SubStorageSensitiveDataThreatDetection = "The Microsoft Defender for Storage plan should have sensitive data threat detection configured."

src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1

@@ -16,14 +16,21 @@ Rule 'Azure.VNG.ERLegacySKU' -Ref 'AZR-000271' -Type 'Microsoft.Network/virtualN
 Rule 'Azure.VNG.VPNAvailabilityZoneSKU' -Ref 'AZR-000272' -Type 'Microsoft.Network/virtualNetworkGateways' -With 'Azure.VNG.VPNGateway' -Tag @{ release = 'GA'; ruleSet = '2021_12'; 'Azure.WAF/pillar' = 'Reliability'; } {
     $vpnAvailabilityZoneSKUs = @('VpnGw1AZ', 'VpnGw2AZ', 'VpnGw3AZ', 'VpnGw4AZ', 'VpnGw5AZ');
     $Assert.In($TargetObject, 'Properties.sku.name', $vpnAvailabilityZoneSKUs).
-        Reason($LocalizedData.VPNAvailabilityZoneSKU, $TargetObject.Name, ($vpnAvailabilityZoneSKUs -join ', '));
+    Reason($LocalizedData.VPNAvailabilityZoneSKU, $TargetObject.Name, ($vpnAvailabilityZoneSKUs -join ', '));
 }
 
 # Synopsis: Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type
 Rule 'Azure.VNG.ERAvailabilityZoneSKU' -Ref 'AZR-000273' -Type 'Microsoft.Network/virtualNetworkGateways' -With 'Azure.VNG.ERGateway' -Tag @{ release = 'GA'; ruleSet = '2021_12'; 'Azure.WAF/pillar' = 'Reliability'; } {
     $erAvailabilityZoneSKUs = @('ErGw1AZ', 'ErGw2AZ', 'ErGw3AZ');
     $Assert.In($TargetObject, 'Properties.sku.name', $erAvailabilityZoneSKUs).
-        Reason($LocalizedData.ERAvailabilityZoneSKU, $TargetObject.Name, ($erAvailabilityZoneSKUs -join ', '));
+    Reason($LocalizedData.ERAvailabilityZoneSKU, $TargetObject.Name, ($erAvailabilityZoneSKUs -join ', '));
+}
+
+# Synopsis: Use a customer-controlled maintenance configuration for virtual network gateways.
+Rule 'Azure.VNG.MaintenanceConfig' -Ref 'AZR-000430' -Type 'Microsoft.Network/virtualNetworkGateways' -Tag @{ release = 'preview'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
+    $maintenanceConfig = @(GetSubResources -ResourceType 'Microsoft.Maintenance/configurationAssignments' |
+        Where-Object { $_.properties.maintenanceConfigurationId })
+    $Assert.GreaterOrEqual($maintenanceConfig, '.', 1).Reason($LocalizedData.VNGMaintenanceConfig, $PSRule.TargetName)
 }
 
 #endregion Rules

tests/PSRule.Rules.Azure.Tests/Azure.VNG.Tests.ps1

@@ -125,6 +125,24 @@ Describe 'Azure.VNG' -Tag 'Network', 'VNG', 'VPN', 'ExpressRoute' {
             $ruleResult.Length | Should -Be 2;
             $ruleResult.TargetName | Should -BeIn 'gateway-G', 'gateway-H';
         }
+
+        It 'Azure.VNG.MaintenanceConfig' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VNG.MaintenanceConfig' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -BeIn 'gateway-A', 'gateway-B', 'gateway-C';
+
+            $ruleResult[0].Reason | Should -BeExactly "The virtual network gateway 'gateway-A' should have a customer-controlled maintenance configuration associated.";
+            $ruleResult[1].Reason | Should -BeExactly "The virtual network gateway 'gateway-B' should have a customer-controlled maintenance configuration associated.";
+            $ruleResult[2].Reason | Should -BeExactly "The virtual network gateway 'gateway-C' should have a customer-controlled maintenance configuration associated.";
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 5;
+            $ruleResult.TargetName | Should -BeIn 'gateway-D', 'gateway-E', 'gateway-F', 'gateway-G', 'gateway-H';
+        }
     }
 
     Context 'Resource name - Azure.VNG.Name' {

tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json

@@ -2490,7 +2490,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-B/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-B/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": null
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-C",
@@ -2547,7 +2562,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-C/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-C/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": null
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-D",
@@ -2600,7 +2630,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-D/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-D/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": "00000000-0000-0000-0000-000000000000"
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-E",
@@ -2653,7 +2698,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-E/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-E/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": "00000000-0000-0000-0000-000000000000"
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-F",
@@ -2706,7 +2766,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-F/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-F/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": "00000000-0000-0000-0000-000000000000"
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-G",
@@ -2763,7 +2838,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-G/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-G/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": "00000000-0000-0000-0000-000000000000"
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-H",
@@ -2820,7 +2910,22 @@
     "ExtensionResourceType": null,
     "Sku": null,
     "Tags": null,
-    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resources": [
+      {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providersMicrosoft.Network/virtualNetworkGateways/gateway-H/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworkGateways/gateway-H/providers/Microsoft.Maintenance/configurationAssignments/configurationassignment-a",
+        "ResourceName": "configurationassignment-a",
+        "Name": "configurationassignment-a",
+        "Properties": {
+          "maintenanceConfigurationId": "00000000-0000-0000-0000-000000000000"
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": " Microsoft.Maintenance/configurationAssignments",
+        "ResourceType": "Microsoft.Maintenance/configurationAssignments",
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+      }
+    ]
   },
   {
     "type": "Microsoft.Network/networkSecurityGroups",