feat(new): Added Azure.MySQL.MaintenanceWindow (Azure#2923)

BenjaminEngeset · BernieWhite · web-flow · commit 9509df842cf5 · 2024-06-08T16:26:23.000+10:00
Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -32,6 +32,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 What's changed since pre-release v1.37.0:
 
 - New rules:
+  - Azure Database for MySQL:
+    - Verify that Azure Database for MySQL servers have a customer-controlled maintenance window configured by @BenjaminEngeset.
+      [#2916](https://github.com/Azure/PSRule.Rules.Azure/issues/2916)
   - Azure Firewall:
     - Verify that firewalls have availability zones configured by @BenjaminEngeset.
       [#2909](https://github.com/Azure/PSRule.Rules.Azure/issues/2909)
diff --git a/docs/en/rules/Azure.MySQL.MaintenanceWindow.md b/docs/en/rules/Azure.MySQL.MaintenanceWindow.md
@@ -0,0 +1,107 @@
+---
+severity: Important
+pillar: Reliability
+category: RE:04 Target metrics
+resource: Azure Database for MySQL
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.MaintenanceWindow/
+---
+
+# Customer-controlled maintenance window configuration
+
+## SYNOPSIS
+
+Configure a customer-controlled maintenance window for Azure Database for MySQL servers.
+
+## DESCRIPTION
+
+Azure Database for MySQL flexible servers undergo periodic maintenance to ensure your managed database remains secure, stable, and up-to-date. This maintenance includes applying security updates, system upgrades, and software patches.
+
+Maintenance windows can be scheduled in two ways for each flexible server:
+
+- System-Managed Schedule: The system automatically selects a one-hour window between 11 PM and 7 AM in your server’s regional time.
+- Custom Schedule: You can specify a preferred maintenance window by choosing the day of the week and a one-hour time window.
+
+By configuring a customer-controlled maintenance window, you can schedule updates to occur during a preferred time, ideally outside business hours, minimizing disruptions.
+
+Only the flexible server deployment model supports customer-controlled maintenance windows.
+
+## RECOMMENDATION
+
+Consider using a customer-controlled maintenance window to efficiently schedule updates and minimize disruptions.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To configure servers that pass this rule:
+
+- Set the `properties.maintenanceWindow.customWindow` property to `Enabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DBforMySQL/flexibleServers",
+  "apiVersion": "2023-10-01-preview",
+  "name": "[parameters('serverName')]",
+  "location": "[parameters('location')]",
+  "sku": {
+    "name": "Standard_D16as",
+    "tier": "GeneralPurpose"
+  },
+  "properties": {
+    "administratorLogin": "[parameters('administratorLogin')]",
+    "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+    "createMode": "Default",
+    "version": "[parameters('mysqlVersion')]",
+    "maintenanceWindow": {
+      "customWindow": "Enabled",
+      "dayOfWeek": "0",
+      "startHour": "1",
+      "startMinute": "0"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To configure servers that pass this rule:
+
+- Set the `properties.maintenanceWindow.customWindow` property to `Enabled`.
+
+For example:
+
+```bicep
+resource mysqlDbServer 'Microsoft.DBforMySQL/flexibleServers@2023-10-01-preview' = {
+  name: serverName
+  location: location
+  sku: {
+    name: 'Standard_D16as'
+    tier: 'GeneralPurpose'
+  }
+  properties: {
+    administratorLogin: administratorLogin
+    administratorLoginPassword: administratorLoginPassword
+    createMode: 'Default'
+    version: mysqlVersion
+     maintenanceWindow: {
+      customWindow: 'Enabled'
+      dayOfWeek: 0
+      startHour: 1
+      startMinute: 0
+    }
+  }
+}
+```
+
+## NOTES
+
+The custom schedule maintenance window feature is only available for the flexible server deployment model.
+
+## LINKS
+
+- [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
+- [Scheduled maintenance in Azure Database for MySQL](https://learn.microsoft.com/azure/mysql/flexible-server/concepts-maintenance)
+- [Select a maintenance window](https://learn.microsoft.com/azure/mysql/flexible-server/concepts-maintenance#select-a-maintenance-window)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/flexibleservers)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml
@@ -47,4 +47,22 @@ spec:
     field: properties.minimalTlsVersion
     equals: TLS1_2
 
+---
+# Synopsis: Configure a customer-controlled maintenance window for Azure Database for MySQL servers.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.MySQL.MaintenanceWindow
+  ref: AZR-000431
+  tags:
+    release: GA
+    ruleSet: 2024_06
+    Azure.WAF/pillar: Reliability
+spec:
+  type:
+  - Microsoft.DBforMySQL/flexibleServers
+  condition:
+    field: properties.maintenanceWindow.customWindow
+    equals: Enabled
+
 #endregion Region
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1
@@ -128,14 +128,14 @@ Describe 'Azure.MySQL' -Tag 'MySql' {
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 4;
-            $ruleResult.TargetName | Should -BeIn 'server-A', 'server-B', 'server-E', 'server-F';
+            $ruleResult.Length | Should -Be 5;
+            $ruleResult.TargetName | Should -BeIn 'server-A', 'server-B', 'server-E', 'server-F', 'server-G';
 
             $ruleResult[0].Reason | Should -BeExactly "The Azure Database for MySQL 'server-B' should have geo-redundant backup configured.";
             $ruleResult[1].Reason | Should -BeExactly "The Azure Database for MySQL 'server-A' should have geo-redundant backup configured.";
             $ruleResult[2].Reason | Should -BeExactly "The Azure Database for MySQL 'server-E' should have geo-redundant backup configured.";
             $ruleResult[3].Reason | Should -BeExactly "The Azure Database for MySQL 'server-F' should have geo-redundant backup configured.";
-           
+
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
@@ -178,8 +178,8 @@ Describe 'Azure.MySQL' -Tag 'MySql' {
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 3;
-            $ruleResult.TargetName | Should -BeIn 'server-D', 'server-E', 'server-F';
+            $ruleResult.Length | Should -Be 4;
+            $ruleResult.TargetName | Should -BeIn 'server-D', 'server-E', 'server-F', 'server-G';
         }
 
         It 'Azure.MySQL.AAD' {
@@ -188,8 +188,8 @@ Describe 'Azure.MySQL' -Tag 'MySql' {
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 6;
-            $ruleResult.TargetName | Should -BeIn 'server-A', 'server-B', 'server-D', 'server-E', 'ActiveDirectoryAdmin-A', 'ActiveDirectoryAdmin-C';
+            $ruleResult.Length | Should -Be 7;
+            $ruleResult.TargetName | Should -BeIn 'server-A', 'server-B', 'server-D', 'server-E', 'ActiveDirectoryAdmin-A', 'ActiveDirectoryAdmin-C', 'server-G';
 
             $ruleResult[0].Reason | Should -BeIn 'Path properties.administratorType: Is null or empty.', 'Path properties.login: Is null or empty.', 'Path properties.sid: Is null or empty.';
             $ruleResult[1].Reason | Should -BeIn "A sub-resource of type 'Microsoft.DBforMySQL/servers/administrators' has not been specified.";
@@ -209,19 +209,38 @@ Describe 'Azure.MySQL' -Tag 'MySql' {
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 3;
-            $ruleResult.TargetName | Should -BeIn 'server-D', 'server-E', 'aad_auth_only-A';
+            $ruleResult.Length | Should -Be 4;
+            $ruleResult.TargetName | Should -BeIn 'server-D', 'server-E', 'server-G', 'aad_auth_only-A';
 
-            $ruleResult[0].Reason | Should -BeIn "A sub-resource of type 'Microsoft.DBforMySQL/flexibleServers/configurations' has not been specified.";
-            $ruleResult[1].Reason | Should -BeIn "Path properties.value: Is set to 'OFF'.";
-            $ruleResult[2].Reason | Should -BeIn "Path properties.value: Is set to 'OFF'.";
+            $ruleResult[0].Reason | Should -BeExactly "A sub-resource of type 'Microsoft.DBforMySQL/flexibleServers/configurations' has not been specified.";
+            $ruleResult[1].Reason | Should -BeExactly "Path properties.value: Is set to 'OFF'.";
+            $ruleResult[2].Reason | Should -BeExactly "A sub-resource of type 'Microsoft.DBforMySQL/flexibleServers/configurations' has not been specified.";
+            $ruleResult[3].Reason | Should -BeExactly "Path properties.value: Is set to 'OFF'.";
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
             $ruleResult.Length | Should -Be 2;
             $ruleResult.TargetName | Should -BeIn 'server-F', 'aad_auth_only-B';
         }
+
+        It 'Azure.MySQL.MaintenanceWindow' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.MaintenanceWindow' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -BeIn 'server-D', 'server-E', 'server-F';
+
+            $ruleResult[0].Reason | Should -BeExactly "Path properties.maintenanceWindow.customWindow: The field 'properties.maintenanceWindow.customWindow' does not exist.";
+            $ruleResult[1].Reason | Should -BeExactly "Path properties.maintenanceWindow.customWindow: Is set to 'notset'.";
+            $ruleResult[2].Reason | Should -BeExactly "Path properties.maintenanceWindow.customWindow: Is set to 'Disabled'.";
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'server-G';
+        }
     }
 
     Context 'Resource name - Azure.MySQL.ServerName' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.MySQL.json b/tests/PSRule.Rules.Azure.Tests/Resources.MySQL.json
@@ -371,6 +371,12 @@
       "backup": {
         "backupRetentionDays": 7
       },
+      "maintenanceWindow": {
+        "customWindow": "notset",
+        "dayOfWeek": "notset",
+        "startHour": "notset",
+        "startMinute": "notset"
+      },
       "highAvailability": {
         "mode": "Disabled"
       },
@@ -434,6 +440,12 @@
         "backupRetentionDays": 7,
         "geoRedundantBackup": "Disabled"
       },
+      "maintenanceWindow": {
+        "customWindow": "Disabled",
+        "dayOfWeek": 0,
+        "startHour": 1,
+        "startMinute": 0
+      },
       "highAvailability": {
         "mode": "Disabled"
       },
@@ -480,6 +492,45 @@
       }
     ]
   },
+  {
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.DBforMySQL/flexibleServers/server-G",
+    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.DBforMySQL/flexibleServers/server-G",
+    "Location": "region",
+    "ResourceName": "server-G",
+    "Name": "server-G",
+    "Properties": {
+      "administratorLogin": "db-admin",
+      "storage": {
+        "autoGrow": "Enabled",
+        "iops": 360,
+        "storageSizeGB": 20
+      },
+      "backup": {
+        "backupRetentionDays": 7,
+        "geoRedundantBackup": "Disabled"
+      },
+      "maintenanceWindow": {
+        "customWindow": "Enabled",
+        "dayOfWeek": 0,
+        "startHour": 1,
+        "startMinute": 0
+      },
+      "highAvailability": {
+        "mode": "Disabled"
+      },
+      "version": "8.0.21",
+      "createMode": "Default"
+    },
+    "ResourceGroupName": "test-rg",
+    "Type": "Microsoft.DBforMySQL/flexibleServers",
+    "ResourceType": "Microsoft.DBforMySQL/flexibleServers",
+    "Sku": {
+      "Name": "E64",
+      "Tier": "MemoryOptimized"
+    },
+    "Tags": null,
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+  },
   {
     "Name": "ActiveDirectoryAdmin-A",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.DBforMySQL/servers/server-B/administrators/ActiveDirectoryAdmin-A",
