feat(new): Added Azure.Azure.VMSS.AutoInstanceRepairs (Azure#2897)

BenjaminEngeset · BernieWhite · web-flow · commit 1e28104a65a3 · 2024-05-30T16:20:38.000+10:00
* feat(new): Added Azure.Azure.VMSS.AutoInstanceRepairs

* fix: Fixed wrong issue reference

---------

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -33,6 +33,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
   - Log Analytics:
     - Check that workspaces have workspace replication enabled by @BenjaminEngeset.
       [#2893](https://github.com/Azure/PSRule.Rules.Azure/issues/2893)
+  - Virtual Machine Scale Sets:
+    - Check that automatic instance repairs are enabled by @BenjaminEngeset.
+      [#2895](https://github.com/Azure/PSRule.Rules.Azure/issues/2895)
 
 ## v1.37.0-B0034 (pre-release)
 
diff --git a/docs/en/rules/Azure.VMSS.AutoInstanceRepairs.md b/docs/en/rules/Azure.VMSS.AutoInstanceRepairs.md
@@ -0,0 +1,94 @@
+---
+severity: Important
+pillar: Reliability
+category: RE:07 Self-preservation
+resource: Virtual Machine Scale Sets
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VMSS.AutoInstanceRepairs/
+---
+
+# Automatic instance repairs
+
+## SYNOPSIS
+
+Automatic instance repairs are enabled.
+
+## DESCRIPTION
+
+Enabling automatic instance repairs helps to achieve high application availability by automatically detecting and recovering unhealthy VM instances at runtime.
+
+The automatic instance repair feature relies on health monitoring of individual VM instances in a scale set.
+VM Instances in a scale set can be configured to emit application health status using either the Application Health extension or Load balancer health probes.
+If an VM instance is found to be unhealthy, the scale set will perform a preconfigured repair action on the unhealthy VM instance.
+Automatic instance repairs can be enabled in the Virtual Machine Scale Set model by using the `automaticRepairsPolicy` object.
+
+See documentation references below for additional limitations and important information.
+
+## RECOMMENDATION
+
+Consider enabling automatic instance repairs to achieve high application availability by maintaining a set of healthy VM instances.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy virtual machine scale sets that pass this rule:
+
+- Set the `properties.automaticRepairsPolicy.enabled` property to `true`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Compute/virtualMachineScaleSets",
+  "apiVersion": "2023-09-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "sku": {
+    "name": "b2ms",
+    "tier": "Standard",
+    "capacity": 1
+  },
+  "properties": {
+    "automaticRepairsPolicy": {
+      "enabled": true
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy virtual machine scale sets that pass this rule:
+
+- Set the `properties.automaticRepairsPolicy.enabled` property to `true`.
+
+For example:
+
+```bicep
+resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'b2ms'
+    tier: 'Standard'
+    capacity: 1
+  }
+  properties: {
+    automaticRepairsPolicy: {
+      enabled: true
+    }
+  }
+}
+```
+
+## NOTES
+
+This feature for virtual machine scale sets is currently in preview.
+
+In order for automatic repairs policy to work properly, ensure that all the requirements for opting in to this feature are met.
+
+## LINKS
+
+- [RE:07 Self-preservation](https://learn.microsoft.com/azure/well-architected/reliability/self-preservation)
+- [Automatic instance repairs](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets#automaticrepairspolicy)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.yaml
@@ -0,0 +1,28 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Azure Virtual Machine Scale Sets
+#
+
+#region Rules
+
+---
+# Synopsis: Automatic instance repairs are enabled.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.VMSS.AutoInstanceRepairs
+  ref: AZR-000426
+  tags:
+    release: preview
+    ruleSet: 2024_06
+    Azure.WAF/pillar: Reliability
+spec:
+  type:
+    - Microsoft.Compute/virtualMachineScaleSets
+  condition:
+    field: properties.automaticRepairsPolicy.enabled
+    equals: true
+
+#endregion Rules
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.VMSS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.VMSS.Tests.ps1
@@ -130,6 +130,25 @@ Describe 'Azure.VMSS' -Tag 'VMSS' {
             $ruleResult.Length | Should -Be 2;
             $ruleResult.TargetName | Should -BeIn 'vmss-001', 'vmss-003';
         }
+
+        It 'Azure.VMSS.AutoInstanceRepairs' {
+            $dataPath = Join-Path -Path $here -ChildPath 'Resources.VMSS.json';
+            $result = Invoke-PSRule @invokeParams -InputPath $dataPath;
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VMSS.AutoInstanceRepairs' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -BeIn 'vmss-001', 'vmss-002';
+
+            $ruleResult[0].Reason | Should -BeExactly "Path properties.automaticRepairsPolicy.enabled: The field 'properties.automaticRepairsPolicy.enabled' does not exist.";
+            $ruleResult[1].Reason | Should -BeExactly "Path properties.automaticRepairsPolicy.enabled: Is set to 'False'.";
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -BeIn 'vmss-003', 'vmss-004', 'vmss-005';
+        }
     }
 
     Context 'Resource name - Azure.VMSS.Name' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.VMSS.json b/tests/PSRule.Rules.Azure.Tests/Resources.VMSS.json
@@ -191,6 +191,11 @@
       "upgradePolicy": {
         "mode": "Manual"
       },
+      "automaticRepairsPolicy": {
+        "enabled": false,
+        "gracePeriod": "PT10M",
+        "repairAction": "Replace"
+      },
       "virtualMachineProfile": {
         "osProfile": {
           "computerNamePrefix": "vmss-002",
@@ -366,6 +371,11 @@
       "upgradePolicy": {
         "mode": "Manual"
       },
+      "automaticRepairsPolicy": {
+        "enabled": true,
+        "gracePeriod": "PT10M",
+        "repairAction": "Replace"
+      },
       "virtualMachineProfile": {
         "osProfile": {
           "computerNamePrefix": "vmss-003",
@@ -524,6 +534,11 @@
       "upgradePolicy": {
         "mode": "Manual"
       },
+      "automaticRepairsPolicy": {
+        "enabled": true,
+        "gracePeriod": "PT10M",
+        "repairAction": "Replace"
+      },
       "virtualMachineProfile": {
         "osProfile": {
           "computerNamePrefix": "vmss-004",
@@ -683,6 +698,11 @@
       "upgradePolicy": {
         "mode": "Manual"
       },
+      "automaticRepairsPolicy": {
+        "enabled": true,
+        "gracePeriod": "PT10M",
+        "repairAction": "Replace"
+      },
       "virtualMachineProfile": {
         "osProfile": {
           "computerNamePrefix": "vmss-005",
