56 lines
2.5 KiB
YAML
id: azure-vmss-auto-repairs-disabled

info:
  name: Azure VMSS Automatic Instance Repairs Not Enabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that unhealthy virtual machine instances are automatically deleted from the scale set and new ones are created using the latest instance model settings. The Automatic Instance Repairs feature relies on health checks performed for the individual instances running in a scale set. These instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is reported as unhealthy by the Application Health extension or by the associated load balancer health probe, the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.
  impact: |
    Without Automatic Instance Repairs enabled, unhealthy instances may not be replaced promptly, which can lead to prolonged downtime and service disruption.
  remediation: |
    Enable the Automatic Instance Repairs feature for the Azure VMSS to ensure high availability and resilience of your applications.
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs
  tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config

flow: |
  code(1);
  for (let ScaleSetData of iterate(template.scaleSetList)) {
    ScaleSetData = JSON.parse(ScaleSetData);
    set("name", ScaleSetData.name);
    set("resourceGroup", ScaleSetData.resourceGroup);
    code(2);
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: scaleSetList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"AutomaticRepairsPolicyEnabled": null'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " does not have automatic instance repairs enabled"'
# digest: 4a0a00473045022067789affe2e331ea09944fc9143746bc7b5b5c0d29d3b832a540f23afcc50878022100b3d862c2c1c3100df78ef8cd605d143a9000fe90b50c3ddc9f620a3bc3c28929:922c64590222798bb761d5b6d8e72950
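The template's word matcher fires only on the `null` form of the query output, which is what `az` prints when no `automaticRepairsPolicy` block exists on the scale set; a policy that exists but is switched off prints `false` and would not be flagged. The script below is an added example, not part of the template or its project: it classifies the same `az vmss show` query output into all three states, and its audit loop (assumed command flags `--enable-automatic-repairs` / `--automatic-repairs-grace-period` of `az vmss update`) prints the fix for each non-enabled scale set.

```shell
#!/bin/sh
# Added example, not part of the Nuclei template above. Classifies the JSON that
# `az vmss show --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}'`
# prints, so that a policy that exists but is switched off ("false") is reported as
# well as a missing one ("null"); the template's word matcher only looks for "null".
classify_repairs_policy() {
  # $1: JSON document as printed by the az query above (one key, 2-space indented)
  case "$1" in
    *'"AutomaticRepairsPolicyEnabled": true'*)  echo enabled ;;
    *'"AutomaticRepairsPolicyEnabled": false'*) echo disabled ;;
    *'"AutomaticRepairsPolicyEnabled": null'*)  echo unset ;;
    *) echo unknown; return 1 ;;
  esac
}

# Walk every scale set in the current subscription (needs an authenticated az CLI)
# and print one finding per scale set whose policy is not enabled, plus the fix.
# Automatic repairs need a health signal (Application Health extension or a load
# balancer health probe) on the scale set before the update below is accepted.
audit_all_vmss() {
  az vmss list --output tsv --query '[*].[name,resourceGroup]' |
  while read -r name rg; do
    out=$(az vmss show --name "$name" --resource-group "$rg" \
      --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}')
    state=$(classify_repairs_policy "$out") || state=unknown
    [ "$state" = enabled ] && continue
    echo "$name in $rg does not have automatic instance repairs enabled ($state)"
    echo "  fix: az vmss update --name $name --resource-group $rg" \
         "--enable-automatic-repairs true --automatic-repairs-grace-period PT30M"
  done
}

# Constructed samples in the shape az prints, so the classifier runs offline.
SAMPLE_UNSET='{
  "AutomaticRepairsPolicyEnabled": null
}'
SAMPLE_DISABLED='{
  "AutomaticRepairsPolicyEnabled": false
}'
classify_repairs_policy "$SAMPLE_UNSET"      # unset
classify_repairs_policy "$SAMPLE_DISABLED"   # disabled

# Run the real audit only when asked, e.g. `sh audit_vmss.sh --audit`.
if [ "${1:-}" = "--audit" ]; then audit_all_vmss; fi
```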